[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
OVERSIGHT OF THE CYBERSECURITY ACT OF 2015
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND SECURITY
TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
JUNE 15, 2016
__________
Serial No. 114-76
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
24-379 PDF WASHINGTON : 2017
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Candice S. Miller, Michigan, Vice Chair
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Lou Barletta, Pennsylvania
Scott Perry, Pennsylvania
Curt Clawson, Florida
John Katko, New York
Will Hurd, Texas
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York

Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Brian Higgins, New York
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Donald M. Payne, Jr., New Jersey
Filemon Vela, Texas
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
Norma J. Torres, California
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
John Ratcliffe, Texas, Chairman
Peter T. King, New York
Tom Marino, Pennsylvania
Scott Perry, Pennsylvania
Curt Clawson, Florida
Daniel M. Donovan, Jr., New York
Michael T. McCaul, Texas (ex officio)

Cedric L. Richmond, Louisiana
Loretta Sanchez, California
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Bennie G. Thompson, Mississippi (ex officio)
Brett DeWitt, Subcommittee Staff Director
Katie Rashid, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director
CONTENTS
----------
Statements
The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
    Oral Statement
    Prepared Statement
The Honorable Michael T. McCaul, a Representative in Congress From the State of Texas, and Chairman, Committee on Homeland Security:
    Oral Statement
    Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
    Prepared Statement
The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas:
    Prepared Statement
Witnesses
Mr. Matthew J. Eggers, Executive Director, Cybersecurity Policy, National Security and Emergency Preparedness, U.S. Chamber of Commerce:
    Oral Statement
    Prepared Statement
Mr. Robert H. Mayer, Vice President, Industry and State Affairs, United States Telecom Association:
    Oral Statement
    Prepared Statement
Mr. Mark G. Clancy, Chief Executive Officer, Soltra:
    Oral Statement
    Prepared Statement
Mr. Mordecai Rosen, General Manager, Security Business Unit, CA Technologies:
    Oral Statement
    Prepared Statement
Ms. Ola Sage, Founder and Chief Executive Officer, E-Management:
    Oral Statement
    Prepared Statement
For the Record
The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas:
    Letter
Appendix
Questions From Chairman John L. Ratcliffe for Matthew J. Eggers
Questions From Ranking Member Cedric L. Richmond for Matthew J. Eggers
Questions From Ranking Member Cedric L. Richmond for Robert Mayer
Questions From Ranking Member Cedric L. Richmond for Mark G. Clancy
Questions From Chairman John L. Ratcliffe for Mordecai Rosen
Questions From Ranking Member Cedric L. Richmond for Mordecai Rosen
Questions From Ranking Member Cedric L. Richmond for Ola Sage
OVERSIGHT OF THE CYBERSECURITY ACT OF 2015
----------
Wednesday, June 15, 2016
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:12 a.m., in
Room 311, Cannon House Office Building, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding.
Present: Representatives Ratcliffe, McCaul, Perry, Clawson,
Donovan, Richmond, Thompson, Sanchez, Jackson Lee, and
Langevin.
Mr. Ratcliffe. Pursuant to committee rule 5(a), I now
convene the Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies with the concurrence of
the Ranking Member.
Before we begin this morning, I would be remiss if I didn't
again mention the Orlando terrorist attack that killed 49
innocent victims, the largest attack in the United States since
9/11. I would ask that we would open with a moment of silence
in remembrance of the victims and their families. Thank you.
The subcommittee meets today to fulfill its obligation and
oversight responsibility of examining the implementation of the
Cybersecurity Act of 2015 since its passage last year, and to
look at the necessary steps going forward to strengthen our
Nation's cyber defenses.
Congress' job doesn't end when a piece of legislation is
signed into law, and that is especially true when it comes to
cybersecurity legislation. Continued oversight is essential to
making sure that the bill is implemented in a manner that
actually improves our cyber defenses. If agency guidance isn't
clear, if tweaks need to be made, we want to hear that feedback
and we want to address those concerns.
For that reason, we are pleased to be joined today by a
distinguished panel of industry experts to discuss this very
important issue.
Pushing the Cybersecurity Act of 2015 across the finish
line last year was a significant accomplishment that was years
in the making. During that time, these witnesses that are here
today and others representing critical sectors devoted
substantial energy to collaborate with policy makers like me on
the best path forward. Hundreds of hours of stakeholder
outreach were conducted across literally every relevant
industry group: Energy, health care, financial services,
technology, telecom, retail, you name it. In the end, this bill
recognized many of the practices that were already being
deployed by these industry groups and codified them into law,
while providing important rules for the road, as well.
My objective is to maintain that same posture as we assess
the implementation of the Cybersecurity Act of 2015. This law
recognizes the role of DHS's National Cybersecurity and
Communications Integration Center, the NCCIC, as the civilian
portal for the sharing of cyber threat indicators. The key aim
was to see that our cyber threat indicators containing critical
information about the nature, methodology, source, and scope of
cyber attacks would be shared with other parties, so they, in
turn, could fortify their own networks against future
intrusions.
In response to the devastating attack on the Office of
Personnel Management, this law also bolsters DHS's ability to
deploy intrusion detection and prevention capabilities across
the Federal Government. I think we can all agree that the need
for stronger cybersecurity posture is clear. Every day, our
country is facing digital intrusions from criminals and
hacktivists, terrorists, nation-states. Cybersecurity is
National security. The impacts of those intrusions are being
felt everywhere, from kitchen tables to boardroom tables across
American companies.
We can't tolerate acts of cyber threat and cyber warfare,
especially when they result in the theft of intellectual
property and innovation, and put our Nation's critical
infrastructure at risk. We can't sit idly by while escalating
ransomware attacks on our hospitals and our health care
providers threaten our citizens by locking out access to their
medical records.
Cybersecurity breaches and data manipulation can undermine
consumer confidence and they can damage a company's hard-earned
reputation in just a matter of seconds. While we have yet to
see a major corporation completely collapse due to a cyber
attack, the possibility is no longer science fiction. One can
only imagine the turmoil that would be caused if Americans
suddenly found out that their checking accounts had all been
drained. The loss of trust in our financial system would cause
an economic meltdown.
Nearly a third of CEOs surveyed recently identified
cybersecurity as the largest issue impacting their companies
today, and only half of those say they are fully prepared for a
cyber event.
We have learned that there are only two types of companies:
Those who have been hacked and those who don't know yet that
they have been hacked. Information sharing between companies,
the Government, and critical sectors improves our ability to
defend against all of these attacks.
Beyond the impact on the private sector, safeguarding cyber
space is also one of the great National security challenges of
our time. The American people recognize this. In fact, in a
recent Pew Research poll, Americans named cybersecurity as
their second-biggest perceived threat only to ISIS. Imagine a
catastrophic cyber attack on our gas pipelines or the power
grid. Such an assault on our critical infrastructure could
cripple our economy and weaken our ability to defend the United
States.
Our adversaries are right now hard at work developing and
refining cyber attack capabilities and they are using them to
intimidate our Government and to threaten our people. But the
threat extends beyond the industrial engines that drive our
economy, right into the homes of the American people
themselves. Criminals and countries alike can now use cyber
attacks to raid American savings accounts or steal their
personal health records. The recent breach at Anthem last year
demonstrated the very real capability and intent of bad actors
to prey upon Americans' most sensitive information.
We can't leave the American people, the American economy,
and our critical infrastructure to fend for itself. This is why
Congress passed the Cybersecurity Act of 2015. Information is
the currency of today's age, and we have to constantly work
together across all sectors if we expect to stay one step ahead
of our adversaries on this new battlefield.
Congress must utilize rigorous oversight to ensure that DHS
is fulfilling its mission to better protect our networks, and
that's why we are all here today.
I want to thank all the witnesses for testifying before our
subcommittee, and I look forward to your testimony.
[The statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
The subcommittee meets today to fulfill its oversight
responsibility of examining implementation of the Cybersecurity Act of
2015 since its passage last year, and to look at necessary steps going
forward to strengthen our Nation's cyber defenses.
Congress' job doesn't end when a piece of legislation is signed
into law, and that is especially true when it comes to cybersecurity
legislation. Continued oversight is essential to making sure the bill
is implemented in a manner that actually improves our cyber defenses.
If agency guidance isn't clear, if tweaks need to be made, we want to
hear that feedback and address those concerns.
For that reason, we are pleased to be joined by a distinguished
panel of industry experts to discuss this very important issue.
Pushing the Cybersecurity Act of 2015 across the finish line last
year was a significant accomplishment that was years in the making.
During that time, these witnesses and others representing critical
sectors devoted substantial energy to collaborate with policy makers on
the best path forward.
Hundreds of hours of stakeholder outreach were conducted across
every relevant industry group--energy, health care, financial services,
technology, telecom, defense, retail, you name it.
In the end, the bill recognized many of the practices already
deployed by these groups and codified them into law, while providing
important rules of the road.
My objective is to maintain that posture as we assess the
implementation of the Cybersecurity Act of 2015.
The bill recognized the role of DHS's National Cybersecurity &
Communications Integration Center, or NCCIC, as the civilian portal for
the sharing of cyber threat indicators. The key aim was to see cyber
threat indicators--which contain critical information about the nature,
methodology, source, and scope of cyber attacks--shared with other
parties so they can, in turn, fortify their own networks against future
intrusion.
In response to the devastating attack on OPM, the law also
bolstered DHS's ability to deploy intrusion detection and prevention
capabilities across the Federal Government.
The need for a stronger cybersecurity posture is clear. Every day
our country faces digital intrusions from criminals, hacktivists,
terrorists, and nation-States like Russia, China, and Iran.
Cybersecurity is National security, and the impacts of those intrusions
are felt everywhere--from kitchen tables to American businesses.
We cannot tolerate acts of cyber theft and cyber warfare,
especially when they result in the theft of intellectual property and
innovation, and put our Nation's critical infrastructure at risk.
We cannot sit idly by while escalating ransomware attacks on
hospitals and health care providers threaten our citizens by locking
out access to medical records.
Cybersecurity breaches and data manipulation can undermine consumer
confidence and damage a company's hard-earned reputation in a matter of
seconds. And while we have yet to see a major corporation completely
collapse due to a cyber attack, the possibility is no longer science
fiction. One can only imagine the turmoil that would be caused should
suddenly Americans' checking accounts be drained. Loss of trust in our
financial system would cause an economic meltdown.
Nearly a third of CEOs surveyed identify cybersecurity as the
largest issue impacting their companies today, and only half say they
are fully prepared for a cyber event. There are two types of companies:
Those who have been hacked and those who don't know they have been
hacked. This is why Congress passed the Cybersecurity Act last year.
Information sharing between companies, the Government, and critical
sectors improves our ability to defend against these attacks.
Beyond the impact on the private sector, safeguarding cyber space
is also one of the great National security challenges of our time--and
the American people recognize this. In fact, in a recent Pew Research
Poll, Americans named cybersecurity as their second biggest perceived
threat only to ISIS.
Imagine a catastrophic cyber attack on our gas pipelines or the
power grid. Such assaults on our critical infrastructure could cripple
our economy and weaken our ability to defend the United States. Our
adversaries are hard at work developing and refining cyber attack
capabilities, and they are using them to intimidate our Government and
threaten our people.
But the threat extends beyond the industrial engines that drive our
economy, to the homes of Americans themselves. Criminals and countries
alike can use cyber attacks to raid Americans' savings accounts or
steal their personal health records. The recent breach of Anthem
demonstrated the very real capability and intent of bad actors to prey
upon Americans' most sensitive information.
We cannot leave the American people, the American economy, and our
critical infrastructure to fend for itself.
That's why Congress passed the Cybersecurity Act of 2015. This new
law strengthens DHS's ability to more effectively secure Government
networks and incentivizes the sharing of cyber threat indicators among
critical sectors and with the Government to bolster protections from
future attacks.
Information is the currency of today's age, and we must constantly
work together across all sectors if we expect to stay one step ahead of
the adversaries on this new battlefield.
Congress must utilize rigorous oversight to ensure that DHS is
fulfilling its mission to better protect our networks, and that's why
we're here today.
I want to thank the witnesses for testifying before this
subcommittee and I look forward to your testimony.
Mr. Ratcliffe. The Chair now recognizes the Chairman of the
full committee, the gentleman from Texas, Mr. McCaul, for his
opening statement.
Chairman McCaul. I thank the Chairman for holding this
important hearing today.
Before I start, I would like to say a few words about the
tragic events Sunday in Orlando. Our thoughts and prayers go
out to the victims and their families. Our deepest gratitude
goes out to the first responders who helped save so many lives.
It was the deadliest attack on the United States homeland
since 9/11. But our response has shown that Americans are
resilient and will not be intimidated by extremists.
Yesterday, I moderated a Classified briefing on the
investigation with the Secretary of Homeland Security, the
director of the FBI, and the National Counter Terrorism Center.
In the coming months, we will continue to seek answers and have
an oversight hearing on this very important issue. We will also
take action to protect our country and prevent such an attack
from ever happening again.
The events in Orlando are a reminder that our Nation is
being targeted by those who want to undermine our freedom and
diminish our prosperity.
But the threat is not just from kinetic terrorists. Today
we will discuss how our Nation is also being targeted and
attacked in real time by faceless intruders across the web. As
we speak, a war is being waged against us in cyber space.
Criminals, hacktivists, violent extremists and nation-states
are infiltrating our networks and infecting our systems.
Their motives are to deceive, steal, and destroy, and the
impacts of their attacks are felt everywhere, from our kitchen
tables to our corporate boardrooms. This committee has made our
Nation's cybersecurity a top priority. In recent years we
passed a number of landmark cybersecurity bills.
First, we established a Federal civilian interface at the
National Cybersecurity and Communications Integration Center,
or NCCIC, to facilitate cyber threat information sharing. This
allows the Government to communicate more effectively across
the 16 critical infrastructure sectors and with the private
sector, with liability protection.
Second, we laid down the rules of the road regarding how
information is shared, making sure these data exchanges are
efficient, timely, and secure.
Third, we put in place measures to keep Americans' rights
and personal information protected.
Fourth, we made sure that DHS was able to hire and retain
top cybersecurity talent, because we cannot protect our
networks without a cyber work force that is smart and
aggressive.
And fifth, we enhanced the Department's ability to prevent,
respond to, and recover from cyber incidents on Federal
networks.
Those measures went a long way in helping us secure our
systems. But even with the fundamentals in place, we still have
major vulnerabilities, especially lack of information sharing.
After 9/11, we learned that if our agencies did not connect the
dots, we could not stop attacks.
The same principle applies to cyber threats. If no one
shares data, everyone is less secure and intrusions go
undetected.
We realized that companies were very hesitant to share this
sensitive data, so last year we drafted and passed the
Cybersecurity Act to get the information flowing. The law now
provides liability protection so that companies and other
organizations can more freely exchange threat indicators.
This includes Government-to-private information sharing,
but also, importantly, private-to-private sharing. The
legislation was a major win for security and privacy, allowing
companies to secure their networks and keep hackers away from
our bank accounts, health records, and other sensitive
information.
But we cannot be satisfied with this progress. We have got
to be aggressive, as our adversaries are. We should aim to stay
a step ahead of them at every turn.
So I hope our witnesses, and I want to thank our witnesses
for being here today, but I hope you will help us understand
how we can do exactly that, how can we effectively implement
this law to enhance America's digital defenses. I am very
interested as well to see how this program is working at the
Department and what this committee can do to enhance and
strengthen their efforts.
So with that, Mr. Chairman, I yield back.
[The statement of Chairman McCaul follows:]
Statement of Chairman Michael T. McCaul
Before I start today, I would like to say a few words about the
tragic events in Orlando. Our thoughts and prayers go out to the
victims and their families, and our deepest gratitude goes out to the
first responders who helped save lives.
It was the deadliest terrorist attack on the U.S. homeland since 9/
11, but our response has shown that Americans are resilient and will
not be intimidated by extremists.
Yesterday I moderated a Classified briefing on the investigation
with the heads of DHS, the FBI, and the National Counterterrorism
Center, and in the coming months we will continue to seek answers. We
will also take action to protect our country and prevent such an attack
from happening again.
The events in Orlando are a reminder that our Nation is being
targeted by those who want to undermine our freedom and diminish our
prosperity.
But the threat is not just from terrorists. Today we will discuss
how our Nation is also being targeted and attacked--in real time--by
faceless intruders across the web.
As we speak, a war is being waged against us in cyber space.
Criminals, hacktivists, violent extremists, and nation-states are
infiltrating our networks and infecting our systems. Their motives are
to deceive, steal, and destroy, and the impacts of their attacks are
felt everywhere--from our kitchen tables to corporate board rooms.
This committee has made our Nation's cybersecurity a top priority,
and in recent years we have passed a number of landmark cybersecurity
bills.
First, we established a Federal civilian interface at the National
Cybersecurity and Communications Integration Center, or NCCIC, to
facilitate cyber-threat information sharing.
This allows the Government to communicate more effectively across
16 critical infrastructure sectors and with the private sector.
Second, we laid down the rules of the road regarding how
information is shared--making sure data exchanges are efficient,
timely, and secure.
Third, we put in place measures to keep Americans' rights and
personal information protected.
Fourth, we made sure DHS was able to hire and retain top
cybersecurity talent, because we cannot protect our networks without a
cyber workforce that is smart and aggressive.
And fifth, we enhanced the Department's ability to prevent, respond
to, and recover from cyber incidents on Federal networks.
Those measures went a long way in helping us secure our systems.
But even with the fundamentals in place, we still saw major
vulnerabilities, especially the lack of information sharing.
After 9/11, we learned that if our agencies did not connect the
dots, we could not stop attacks.
The same principle applies to cyber threats. If no one shares data,
everyone is less secure and intrusions go undetected.
We realized that companies were very hesitant to share their
sensitive data, so last year we drafted and passed the Cybersecurity
Act of 2015 to get the information flowing.
The law now provides liability protections so that companies and
other organizations can more freely exchange threat indicators. This
includes ``Government-to-private'' information sharing and ``private-
to-private'' sharing.
The legislation was a major win for security and privacy, allowing
companies to secure their networks and keep hackers away from our bank
accounts, health records, and other sensitive information.
But we cannot be satisfied with this progress. We've got to be as
aggressive as our adversaries--and we should aim to stay a step ahead
of them.
I hope today our witnesses will help us understand how we can do
exactly that--and how we can effectively implement this law to enhance
America's digital defenses.
Thank you.
Mr. Ratcliffe. Thank you, Mr. Chairman, and thank you for
your leadership on this issue.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statements of Ranking Member Thompson and Hon. Jackson
Lee follow:]
Statement of Ranking Member Bennie G. Thompson
June 15, 2016
Today, the subcommittee turns its attention to another pressing
issue: Securing our cyber networks. Cyber threats are constantly
evolving. While a few years ago, critical infrastructure operators were
primarily concerned about spear-phishing and DDoS attacks, today, the
threat of ransomware attacks is front-of-mind. Over the past year, the
proliferation of ransomware attacks, where networks of a hospital
system, Government agency, or utility are held hostage for electronic
payments, has reached epidemic proportions.
In March, DHS reported that over the past year, there have been 321
incidents of ``ransomware-related activity'' affecting 29 Federal
networks. The FBI Internet Crime Complaint Center, for its part, has
acknowledged that over the last decade, of the $58 million in financial
damage attributable to such attacks, attacks in just the last year
account for $24 million in damage.
With more Americans coming to embrace the Internet of Things, the
disruptive and damaging effects of ransomware and other innovative
modes of attack deployed by hackers have the potential to inflict
significant damage to our Nation.
To counter this threat, we must redouble our efforts to promote
cyber hygiene practices, encryption, and information sharing. The
enactment of the ``Cybersecurity Act'' in December provides for the
sharing of information on cybersecurity threats and defensive measures
between the Government and the private sector and within the private
sector.
Privacy, liability, and anti-trust provisions that are universally
understood as essential to the timely sharing of cyber threat
information are part of this law. Under the Act, the epicenter for such
activity is, of course, the National Cybersecurity and Communications
Integration Center.
I am interested in exploring two key mandates in the Act. First, I
want to hear from industry stakeholders how they see the launch of the
``Automated Indicator Sharing'' capability, as required under the Act,
impacting information sharing.
Second, I would like to hear the witnesses' perspective on how well
DHS is carrying out the requirement to periodically share, through
publication and targeted outreach, cybersecurity best practices in a
manner that gives ``attention to accessibility and implementation
challenges faced by small businesses.''
Before I close, I would like to note that, this past week, I was
heartened to see how the United States stacks up to other nations when
it comes to vulnerability to hacking.
The United States was ranked fourteenth on the ``National Exposure
Index,'' a worldwide comparative analysis of vulnerability to cyber
attacks and cyber crime that is based on the scanning of millions of
internet channels for vulnerabilities such as unencrypted and plain
text services.
While it is good to see that the United States is less vulnerable
than Brussels, Australia, France, and China--countries on the list
found to have weak authentication and encryption practices--now is not
the time to rest on our laurels.
______
Statement of Honorable Sheila Jackson Lee
Chairman Ratcliffe and Ranking Member Richmond, thank you for
holding this morning's hearing entitled ``Oversight of the
Cybersecurity Act of 2015.''
This hearing is an opportunity to receive testimony regarding
implementation of the Cybersecurity Act of 2015, enacted on December
18, 2015, which was intended to resolve long-standing issues that
prevented private-sector participants from sharing information on cyber
threats with the Federal Government or with each other.
I look forward to hearing from today's witnesses: Mr. Matthew J.
Eggers--senior director, National Security and Emergency Preparedness,
U.S. Chamber of Commerce; Mr. Robert H. Mayer--vice president, Industry
and State Affairs, U.S. Telecom Association; Mr. Mark Clancy--chief
executive officer, Soltra; Mr. Mordecai Rosen--general manager,
Security Business Unit, CA Technologies; and Ms. Ola Sage--founder and
chief executive officer, eManagement.
As Ranking Member of the Judiciary Subcommittee on Crime,
Terrorism, Homeland Security and Investigations and a senior member of
the Committee on Homeland Security, I am a strong believer in the
legislative process as the best path for addressing the most complex
issues of the digital communication age.
The Cybersecurity Act of 2015 did not follow regular order to
become law--it was included in the Omnibus Appropriations bill passed
at the end of last year.
The bill encourages private companies to voluntarily share
information about cyber threats with each other as well as the
Government and includes the authorization of information sharing and
its impacts on privacy and civil liberties; risks of misuse by the
Federal Government or the private sector; and effects of proposed
liability protections for companies and entities who participate in
cybersecurity information sharing.
The law requires the U.S. Attorney General and Secretary of
Homeland Security to publish guidelines, and jointly submit to Congress
interim CISA policies and procedures by February 16, 2016, and publish
final policies and procedures by June 15, 2016, to assist businesses in
identifying information that would qualify as a cyber threat indicator
and eliminating personal information from shared cyber threat
information.
These guidelines will seek to: (1) Identify cyber threat indicators
that contain personal information and are unlikely to directly relate
to a cybersecurity threat, and, (2) identify types of information that
is protected under privacy laws and are unlikely to directly relate to
a cybersecurity threat.
the cybersecurity and information-sharing legislation
The law broadly authorizes the Federal Government to share
Unclassified ``cyber threat indicators'' and ``defensive measures''--
technical data that indicates how networks have been attacked, and how
such attacks have been successfully detected, prevented, or mitigated.
The law authorizes the sharing of Unclassified information among
Federal agencies, as well as with businesses and the public.
Classified cyber threat information, in contrast, may be shared
outside the Government only with entities that have appropriate
security clearances.
Vulnerabilities in computing products are the chief method used by
data thieves and terrorists to breach computing systems.
From 2005 to the present, the Privacy Rights Clearinghouse
reports that 895,886,345 records have been breached.
Entities and their customers that have fallen victim to data
breaches range in size from small businesses to major corporations and
Federal Government agencies, including:
The IRS--101,000; the agency blocked payments to data thieves
who used stolen identity information from elsewhere to generate
PINs using stolen Social Security Numbers (date reported 2/10/
2016).
Scottrade--lost over 4 million records (October 1, 2015).
Excellus Blue Cross Blue Shield--lost over 10 million
patient records (September 10, 2015).
Office of Personnel Management (OPM)--lost over 21.5 million
Government employee or former employee records (June 4, 2015).
Most data breach reports include no details on the number of
records breached or stolen.
There is no law that requires companies to report breaches, but
there are laws that require reports to consumers when their personal
information may have been lost or stolen.
Identifying and closing vulnerabilities in software and firmware is
one important means of securing systems from threats.
The link between commercially available computing devices and our
Nation's critical infrastructure lies in the role of products in
ensuring the proper maintenance and operation of critical
infrastructure.
ransomware and hacking activity
The latest threat from cyber hackers is ransomware.
Bad actors find vulnerabilities in a computer or computing network
and use it to introduce an encryption application that locks the data
so the owner or user of a computer system cannot access it until a
ransom is paid to the hackers who then unlock the data.
Government agencies, businesses, and consumers are struggling to
protect themselves from cyber threats large and small.
Innovation in the form of stronger encryption has to move at
unprecedented speed to try to catch up to the attacks currently being
used.
In this fast-paced environment, businesses are offering some of the
most important cybersecurity protections for digital communications.
The lessons that can be learned and the protections that could be
developed are dependent on how well the private and public sectors
cooperate.
I look forward to hearing from our witnesses on the issue of
overstays.
Thank you.
Mr. Ratcliffe. As I mentioned earlier, we are pleased to
have with us a distinguished panel of witnesses today on this
very important topic.
Mr. Matthew Eggers is the executive director of national
security and preparedness at the U.S. Chamber of Commerce.
Good to have you back before our subcommittee, Matt.
Mr. Robert Mayer is the vice president of industry and
State affairs at the U.S. Telecom Association.
We are glad to have you as well, Mr. Mayer.
Mr. Mark Clancy is the chief executive officer at Soltra.
Welcome, Mr. Clancy.
Mr. Mordecai Rosen is the general manager of the Security
Business Unit at CA Technologies.
Thank you for being here today.
Finally, Ms. Ola Sage is the president and chief executive
officer of e-Management.
Welcome, and again, welcome to you all. I would now like to
ask the witnesses to stand and raise your right hand, so I can
swear you in to testify.
[Witnesses sworn.]
Mr. Ratcliffe. Let the record reflect that the witnesses
answered in the affirmative. You all may be seated.
The witnesses' full statements will appear in the record.
The Chair now recognizes Mr. Eggers, for 5 minutes, for his
opening statement.
STATEMENT OF MATTHEW J. EGGERS, EXECUTIVE DIRECTOR,
CYBERSECURITY POLICY, NATIONAL SECURITY AND EMERGENCY
PREPAREDNESS, U.S. CHAMBER OF COMMERCE
Mr. Eggers. Thank you, sir. Good morning, Chairman McCaul,
Chairman Ratcliffe, Ranking Member Richmond, and other
distinguished Members of the House Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies.
My name is Matthew Eggers, and I am the executive director
of cybersecurity policy with the U.S. Chamber. The chamber and
I welcome the opportunity to testify.
I will confine my statements to CISA, or the Cybersecurity
Information Sharing Act of 2015, which is Title I of the act
that we are discussing today.
Last year, information-sharing legislation was the
chamber's top cyber priority. We led the Protecting America's
Cyber Networks Coalition, a partnership of more than 50 leading
business associations representing nearly every sector of the
U.S. economy.
CISA, a voluntary program, gives businesses legal certainty
that they have safe harbor against frivolous lawsuits when
freely sharing and receiving cyber threat data in real time.
CISA also offers protections related to public disclosure,
regulatory and antitrust matters. The law safeguards
individuals' privacy and civil liberties. The chamber is
championing CISA as part of our National cybersecurity
campaign.
Businesses' use of CISA falls into roughly 4 categories. I
am generalizing. One, earlier information-sharing leaders.
Companies in this category are eager to see a sea change in the
real-time sharing of threat indicators.
According to a chamber member who addressed the
administration's cyber commission in May, our adversaries
should only use an attack or technique once. If our business
spots an attack today, all businesses should be protected
against it by day's end.
This company and ones just like it are active members of
the sharing community. It wants public-private sharing capacity
expanded right away. The chamber agrees.
No. 2, ISAO and ISAC members. Rank-and-file organizations
in this group typically share cyber threat data with other
businesses and with the Government through information-sharing
bodies known as ISAOs and ISACs. This category is expected to
swell as confidence in the CISA program grows and new
information-sharing organizations are stood up. The
administration's promotion of ISAOs is expected to have a
positive influence, too.
No. 3, the intrigued, but cautious. I attended DHS's C3
program on June 1 in Indianapolis, and one individual's remark
comes to mind. He said, ``I have heard about CISA, but we are
not ready as a company to participate. It will take a cultural
shift.'' This person's apprehension tells us how central it is
that trust in CISA's protection be earned and maintained.
No. 4, small businesses and under-resourced organizations.
A goal of information-sharing legislation is to foster
economies of scale in real-time sharing. The chamber believes
that the market will eventually provide inexpensive and easy-
to-use technologies that conform to CISA's rules and generate
and swap indicators at internet speeds. Such an outcome is
important for small and under-resourced organizations.
The chamber is a strong supporter of CISA, but it's not a
silver-bullet solution. CISA is part of a mix of policies that
need to advance together.
Some select examples. First, the joint-industry NIST cyber
framework is a sound baseline for businesses' cybersecurity
practices. The chamber urges policymakers to help agencies
streamline existing regulations with the framework. We oppose
the creation of new mandates.
Second, the chamber is engaging issues that are linked to
information sharing. The chamber supports piloting a CIDAR,
which is shorthand for a Cyber Incident Data and Analysis
Repository. Also, we appreciate Congress' efforts to press the
administration to renegotiate the Wassenaar Agreement control
language governing so-called intrusion software. Industry is
urging Wassenaar officials to eliminate the controls on
technology software and hardware. Discussions are underway, but
we still have much work to do.
The CISA program is off to a good start. CISA procedures
and guidance were finalized yesterday, and chamber members will
review them.
While oversight by Congress is crucial, it is too soon to
make changes to the legislation. CISA does not need to be
reauthorized for several years. The chamber's public message is
two-fold. No. 1, to policymakers we say thank you for getting
CISA done, and we urge lawmakers and the administration to be
industry's ally as they use the program. No. 2, to businesses
we say that you should use the framework, join an ISAO or an
ISAC and take advantage of the CISA AIS system as appropriate.
The chamber believes that CISA will enable private
organizations to be more secure and resilient against America's
cyber adversaries.
Thank you for giving me the opportunity to convey the
chamber's views. I am happy to answer any questions.
[The prepared statement of Mr. Eggers follows:]
Prepared Statement of Matthew J. Eggers
June 15, 2016
Good morning, Chairman McCaul, Ranking Member Thompson, and other
distinguished Members of the House Homeland Security Committee
(committee). My name is Matthew Eggers, and I am the executive director
of cybersecurity policy with the U.S. Chamber's National Security and
Emergency Preparedness Department. On behalf of the chamber, I welcome
the opportunity to testify before the committee regarding industry's
perspectives on the Cybersecurity Act of 2015.
The chamber's National Security and Emergency Preparedness
Department was established in 2003 to develop and implement the
chamber's homeland and National security policies. The Department's
Cybersecurity Working Group, which I lead, identifies current and
emerging issues, crafts policies and positions, and provides analysis
and direct advocacy to Government and business leaders.
The chamber applauds the committee and its staff members for their
dedication to getting cybersecurity information-sharing legislation
enacted. Recent cyber incidents in the public and private sectors
underscore the need for legislation to help businesses improve their
awareness of cyber threats and to enhance their protection and response
capabilities in collaboration with Government entities. Cyber attacks
aimed at businesses and Government bodies are increasingly being
launched from sophisticated hackers, organized crime, and state-
sponsored groups. These attacks are advancing in scope and complexity.
Industry and Government have a mutual interest in bolstering the
economic security of the U.S. business community.
cybersecurity information sharing act of 2015 (cisa): the basics
I will largely confine my written statement to the Cybersecurity
Information Sharing Act of 2015 (CISA), which is title I of the
Cybersecurity Act of 2015.\1\ President Obama signed this legislation
into law in December 2015. The House passed two cybersecurity
information-sharing bills in April 2015 with robust majorities from
both parties and with broad industry backing. Indeed, the House's
action prodded the full Senate to take up cybersecurity information-
sharing legislation in the fall.
---------------------------------------------------------------------------
\1\ The cyber legislation was included in the Consolidated
Appropriations Act, 2016 (Pub. L. No. 114-113).
www.congress.gov/bill/114th-congress/house-bill/2029.
---------------------------------------------------------------------------
Passing cybersecurity information-sharing legislation was the top
cyber policy priority of the chamber. We led the Protecting America's
Cyber Networks Coalition (the coalition), a partnership of more than 50
leading business associations representing nearly every sector of the
U.S. economy. It took a dedicated team working with Capitol Hill and
the administration to get CISA done.
CISA establishes a voluntary information-sharing program, intended
to strengthen businesses' protection and resilience against cyber
attacks. The law gives businesses legal certainty that they have safe
harbor against frivolous lawsuits when freely sharing and receiving
cyber-threat indicators (CTIs) and defensive measures (DMs) in real
time and taking actions to mitigate cyber attacks. CISA also offers
protections related to public disclosure, regulatory, and antitrust
matters in order to increase the timely exchange of information among
public and private entities.
The law safeguards individuals' privacy and civil liberties and
establishes appropriate roles for Government agencies and departments.
CISA reflects sound compromises among many parties on these issues.\2\
---------------------------------------------------------------------------
\2\ See Automated Indicator Sharing (AIS) resources, including the
Cybersecurity Information Sharing Act of 2015 (CISA) implementation
procedures and guidance, available at www.us-cert.gov/ais. Also see
pro-CISA advocacy papers: ``It's About Protecting America's Cyber
Networks, Not Surveilling You'' (August 10, 2015)
[http://www.uschamber.com/sites/default/files/cisa_myth_v_fact_cyber_protection_not_surveillance_final_0.pdf];
``Sharing Cyber Threat Indicators (CTIs)--Separating Fact From
Fiction'' (August 19, 2015)
[http://www.uschamber.com/sites/default/files/cisa_ctis_separating_fact_from_fiction_aug_19_final.pdf];
`` `Voluntary' Means Voluntary--Separating Fact From Fiction'' (August 26,
2015); and ``Going on the `Defensive'--Separating Fact From Fiction''
(October 5, 2015)
[http://www.uschamber.com/sites/default/files/cisa_going_on_the_defensive_separating_fact_from_fiction_oct_5_final.pdf].
http://insidecybersecurity.com/daily-news/info-sharing-debate-shifts-implementation-privacy-advocates-now-back-cyber-law.
---------------------------------------------------------------------------
CISA called for the Department of Homeland Security (DHS) to
establish a ``capability and process'' (aka a portal) in the Department
to receive CTIs and DMs shared by businesses with the Federal
Government in an electronic format--i.e., through email or media, an
interactive form on an internet website, or a real-time, automated
process. In March 2016, DHS launched an Automated Indicator Sharing
(AIS) platform that enables the Government and the private sector to
exchange cybersecurity threat information with one another.\3\ The AIS
initiative reportedly has more than 100 participants--spanning the
banking, energy, and technology sectors, as well as both small and
large companies--up from 6 participants this past spring.
---------------------------------------------------------------------------
\3\ www.us-cert.gov/ais.
---------------------------------------------------------------------------
Groups have begun testing their ability to share and receive
indicators, but there is not yet sharing on a massive scale. The
platform uses technical specifications, including the Trusted Automated
eXchange of Indicator Information (TAXII), which defines a set of
services and message exchanges that, when implemented, enable sharing
of actionable cyber threat information. It also uses Structured Threat
Information eXpression (STIX), a collaborative effort to develop a
structured language to represent threat information.\4\
---------------------------------------------------------------------------
\4\ http://blogs.wsj.com/cio/2016/03/21/homeland-security-department-launches-cyber-threat-sharing-platform.
---------------------------------------------------------------------------
An industry participant at last week's (June 9) CISA implementation
workshop captured the thinking of many when he said, ``Our adversaries
are employing automated techniques against us. Machine-to-machine
sharing is a key element needed to help solve our cybersecurity
problems.'' He added that the United States cannot succeed if we pit
cyber professionals--which are a significantly limited workforce
asset--against machines.
chamber promoting cisa as part of our national cyber campaign
The chamber is championing CISA as part of our National
cybersecurity campaign. The chamber will develop a document in concert
with industry groups and other parties, including DHS and the
Department of Justice (DOJ), that summarizes the CISA/AIS program,
describes participants' protections and obligations, and urges the
private sector to get involved in the AIS network. Appropriate, real-
time automated sharing will strengthen the security and resilience of
industry and Government, thus heightening the costs of executing
malicious attacks by U.S. adversaries. Many experts contend that the
timely sharing of cyber indicators among various information-sharing
and analysis organizations (ISAOs), information-sharing and analysis
centers (ISACs), and private- and public-sector entities can reduce
both the probability and the severity of cybersecurity incidents.
(ISACs are considered to be ISAOs.)
The chamber launched our cybersecurity roundtable series in 2014.
This National initiative recommends that businesses of all sizes and
sectors adopt fundamental internet security practices, including using
the framework and similar risk management tools, engaging cybersecurity
providers, and partnering with law enforcement before cyber incidents
occur. Nine regional roundtables and two summits in Washington, DC,
have been held since 2014. More events are planned this year, including
in San Antonio, Texas, on June 28 and in Chicago (Schaumburg, Illinois)
on July 12. The chamber's Fifth Annual Cybersecurity Summit will be
held on September 27.
Each regional event includes approximately 200 attendees and
typically features cybersecurity principals from the White House, DHS,
the National Institute of Standards and Technology (NIST), and local
FBI and Secret Service officials.
cisa implementation guidance and procedures: a good start
The enactment of CISA triggered an array of Government guidelines
and procedures. The chamber has tracked implementation dates and
monitored agencies' progress toward meeting the deadlines--and DHS and
the DOJ delivered.
In particular, DHS and DOJ released interim guidance in February
2016 to assist ``non-Federal entities''--including organizations in the
private sector and State and local governments--to share CTIs with the
Federal Government. The departments also released interim procedures
relating to the receipt and use of CTIs by the Federal Government,
interim guidelines relating to privacy and civil liberties in
connection with the exchange of these indicators, and guidance to
Federal agencies on sharing information in the Government's possession.
At the time of this writing, the chamber expects that DHS and DOJ
officials will release by June 15 final procedures and guidance, which
we generally agree with. We anticipate that the departments will
accommodate the chamber's request to clarify the protections
afforded to a non-Federal entity when it shares cyber threat
information with another non-Federal entity. The chamber and public
authorities have a mutual interest in ensuring that the important
protections authorized under CISA are clearly stated and utilized.
looking ahead: promoting cisa, building and maintaining trust
Looking forward to the next several months, the chamber believes
that businesses' use of the CISA program arguably falls into roughly 4
categories. I want to emphasize that these groups are generalizations--
shorthand for where private entities are in the information-sharing
ecosystem.
Early Information-Sharing Leaders: Increasing the Quality
and Volume of Sharing Under CISA.--Private organizations in
this category are actively engaged in sharing threat data. They
were in the vanguard of businesses establishing and funding
ISAOs and ISACs several years ago. Companies in this grouping
have long-established information-sharing relationships among
multiple industry peers and Government partners, and several of
them are already directly connected to sharing programs like
AIS.\5\
---------------------------------------------------------------------------
\5\ www.dhs.gov/topic/cybersecurity-information-sharing.
---------------------------------------------------------------------------
CISA should give the lawyers and risk management professionals in
these top organizations added certainty to receive CTIs and DMs
and to share them with business and the Government. A core
purpose of the new law is to extend liability protections to
companies to encourage them to share cyber threat
information.\6\
---------------------------------------------------------------------------
\6\ http://insidecybersecurity.com/daily-news/mccaul-evaluate-effectiveness-cyber-info-sharing-law-including-liability-protections.
---------------------------------------------------------------------------
Companies in this category are eager to see a sea change in the
real-time sharing of threat indicators within and across
sectors, as well as between Government and businesses.
According to a chamber member who addressed on May 16 the
Commission on Enhancing National Cybersecurity, ``Our
adversaries should only use an attack or technique once. If our
business spots an attack today, all businesses should be
protected against it by day's end.'' Clearly, this company is
an active member of the sharing community and wants public-
private capacity to expand their capability to exchange threat
data immediately. The chamber agrees.
ISAOs/ISACs Members: Leveraging the Expanding Network of
Sharing Conduits.--Many members in this dispersed network of
ISAOs/ISACs do not share cybersecurity threat data directly
with the Government. Instead, rank-and-file members in this
category typically share CTIs and DMs with other businesses and
with the Government through the channels that information
bodies (e.g., the Financial Services-ISAC, the Oil and Natural
Gas-ISAC) provide. This category is expected to swell as
confidence in the CISA program grows and new information-
sharing organizations are stood up over the coming months and
years.
The comparatively new ISAO standards organization is a key
component of the Obama administration's cybersecurity strategy,
launched in early 2015.\7\ The administration's promotion of
ISAOs is designed to encourage the protected sharing of
information based on emerging and evolving threats that
transcend industry sectors and geographic regions.\8\ CISA is
expected to have a positive influence on the expansion of the
community of ISAOs and ISACs.
---------------------------------------------------------------------------
\7\ In February 2015, President Obama signed an Executive Order
(EO) to promote cybersecurity information sharing among multiple
business and Government entities. The EO urges the private sector to
develop information sharing and analysis organizations (ISAOs) to serve
as focal points for cybersecurity information sharing and collaboration
within the private sector and between the private sector and
Government.
www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari.
\8\ http://insidecybersecurity.com/daily-news/isao-standards-body-issue-next-round-draft-plans-info-sharing-july.
---------------------------------------------------------------------------
The Intrigued But Cautious: Sharing Should Pick Up as Both
Education and Confidence Increase.--Businesses in this category
have probably heard something about CISA through social media,
cybersecurity events, and colleagues. Business leaders are
interested in protected sharing arrangements, yet they are not
ready to commit to routine sharing and receiving. Perhaps they
do not know how to begin. The former view is due to misgivings
about CISA's protections. The latter situation can be addressed
through outreach and education.
Many cautious businesses have pictures in their heads of
bureaucrats lying in wait with regulations and privacy groups
readying lawsuits. The chamber does not agree completely with
these perspectives, but we hear them expressed frequently. I
attended a DHS-led C3 Voluntary Program in early June in
Indianapolis and one individual's remark comes to mind. He
said, ``I have heard about CISA. But we are not ready as a
company to participate--it will take a cultural shift.'' This
person's apprehension tells us how central it is that trust in
CISA's protections be earned and maintained. The chamber and
most Government leaders appreciate that business attitudes
change over time and participation in CISA/AIS will be gradual.
One change that may accelerate the use of CISA is business
contracting arrangements. The chamber foresees situations where
large firms require their supply chain partners to belong to an
ISAO/ISAC and to utilize AIS or some other automated means of
timely indicator sharing.
Small Businesses and Underresourced Organizations: Indirect
Beneficiaries of Innovations in Sharing.--Many small and
midsize businesses, especially underresourced enterprises, will
be able to benefit from an innovative, automated sharing
ecosystem. A key long-term goal of information-sharing
legislation is to foster economies of scale in real-time
sharing. The chamber anticipates that the marketplace will
eventually provide inexpensive and easy-to-deploy technologies
that conform to CISA's rules (e.g., scrubbing privacy
information from CTIs) and generate and swap threat signatures
at internet speeds. Systems like AIS will be able to block
attacks sooner and more regularly, compared with the relatively
human-intensive sharing schemes in use today.
cisa fits within a collection of policy issues that need attention
The chamber is a strong supporter of CISA and its potential to
clear away real or perceived hurdles to information sharing. CISA is
not a silver-bullet solution to our Nation's cybersecurity challenges.
However, chamber members say that increasing the speed and quality of
bilateral information flows of CTIs and DMs is essential for developing
a holistic approach to cyber defense. CISA is part of a mix of
cybersecurity policies that need to advance together.
Here are some select issues that are worth highlighting for the
committee:
First, the joint industry-NIST Framework for Improving Critical
Infrastructure Cybersecurity (the framework) is a sound baseline for
businesses' cybersecurity practices. The CISA program and the framework
are highly complementary. Businesses implement a cybersecurity risk
management program before investing in information-sharing programs. In
February 2016, the chamber sent a letter to NIST, commenting on the
framework.
Key points that the chamber made in the letter include the
following:
The chamber has been actively promoting the framework.
Chamber members are using the framework and urging business
partners to manage cybersecurity risks to their information
networks and systems.
The chamber urges policymakers to help agencies and
departments with streamlining existing regulations with the
framework and maintaining the framework's voluntary nature.
Industry opposes the creation of new or quasi-cybersecurity
regulations, particularly when Government authorities have not
taken affected entities' perspectives into account.\9\
---------------------------------------------------------------------------
\9\ http://csrc.nist.gov/cyberframework/rfi_comments_02_2016/20160209_US_Chamber_of_Commerce.pdf.
---------------------------------------------------------------------------
The bottom line: The chamber values the Obama administration's
leadership on the non-regulatory framework and urges the next
administration to actively support it. NIST did an admirable job
working with industry to develop the tool. As framework
stakeholders begin the year-long transition from the Obama
administration to its successor, the chamber wants to sustain the view
held by most businesses and policymakers that the framework is a policy
and political cornerstone for managing enterprise cybersecurity risks
and threats.
To sustain the momentum behind the framework, the chamber believes
that both industry and government have jobs to do. On the one hand, the
chamber has been actively promoting the framework since it was released
in 2014. Our national cybersecurity campaign is funded through members'
sponsorships and through the contributions of State and local chambers
of commerce, other business organizations, and academic institutions.
Further, chamber members are using the framework and urging business
partners to manage cybersecurity risks to their data and devices.
Industry is working with government entities, including DHS, to
strengthen their information networks and systems against malicious
actors.
On the other hand, the chamber urges policymakers to help agencies
and departments with harmonizing existing regulations with the
framework and maintaining the framework's voluntary nature. Our
organization opposes the creation of new or quasi-cybersecurity
regulations, especially when government authorities have not taken
affected entities' perspectives into account.
Second, the chamber is engaging policy issues that ultimately
relate to cybersecurity information sharing.
The chamber supports piloting a CIDAR, shorthand for a cyber
incident data and analysis repository. In May 2016, we sent a
letter to DHS saying that (1) data submitted to a CIDAR need to
be made anonymous, (2) additional sharing protections may be
needed, and (3) an experimental CIDAR could offer tangible
upsides to public- and private-sector cybersecurity.
Comprehensive information about cyber events could assist
insurers in expanding cyber coverage and in identifying
cybersecurity best practices for their customers.
The chamber appreciates the efforts of the Congressional
Cybersecurity Caucus, particularly co-chairs McCaul and
Langevin, to press the administration to renegotiate the
Wassenaar Agreement (WA) control language governing so-called
intrusion software and surveillance items--aspects of a
controversial international agreement to prevent the export of
sophisticated hacking tools to repressive governments and
criminal organizations.
Industry and democratic governments have a mutual interest in
keeping malicious software out of the hands of bad actors. But
the 2013 WA control language governing so-called intrusion
software and surveillance items takes a seriously wrong
approach to cybersecurity.\10\
---------------------------------------------------------------------------
\10\ https://www.uschamber.com/sites/default/files/documents/files/final_group_letter_bis_proposed_rule_intrusion_software-surveillance_items_july_20_2015.pdf.
---------------------------------------------------------------------------
WA officials are gathering from June 20 to 24 in Vienna, Austria,
at the working-group level. Industry is urging officials to
completely eliminate the controls on technology, software, and
hardware. If deleting the controls is not possible, the chamber
and many others recommend that WA officials substantially
narrow the scope of the control language and dramatically
simplify the language in order to bring clarity and enable
compliance.\11\ If the WA control language is not eliminated or
at least adequately amended, it could have a powerfully
(unintended) negative effect on the CISA program. Creating
cybersecurity policies and laws in the WA environment lacks
sufficient transparency and does not advance public-private
partnerships at home and abroad.
---------------------------------------------------------------------------
\11\ http://insidecybersecurity.com/daily-news/obama-administration-agrees-renegotiate-cyber-export-controls.
---------------------------------------------------------------------------
On June 8, the chamber's board of directors approved a
policy statement on cybersecurity norms and deterrence. The
paper argues that despite the existence of written blueprints,
such as ones related to global prosperity and defense, the U.S.
cybersecurity strategy is seemingly uncertain--both to many in
the private sector and our adversaries alike. The chamber
believes that policymakers need to refocus National and global
efforts to heighten the costs on sophisticated attackers that
would willfully hack America's private sector for illicit
purposes.
Public-private policymaking needs to spotlight increasing adherence
to international norms and deterrence to reduce the benefits of
conducting harmful cyber activity against the U.S. business
community and the Nation. The statement makes several policy
endorsements. For instance, the chamber contends that the
United States and its allies should enhance businesses'
situational awareness through protected information sharing.
recommendations on congressional oversight
The chamber believes that the CISA program is off to a good start.
The CISA/AIS implementation guidance documents will likely be finalized
today. We look forward to reviewing them with our members. The chamber
appreciates the open and constructive discussions that we have had with
DHS and DOJ officials. While oversight by Congress is crucial, it is
too soon to make changes to the legislation. CISA does not need to be
reauthorized for several years (i.e., September 2025).
The chamber's public message is two-fold:
To policymakers we say thank you for getting the
cybersecurity information-sharing legislation across the finish
line. And we urge lawmakers and the administration to be
industry's ally as they use the program. Companies need to feel
that policymakers have their backs. It is important that
businesses see that the protections granted by the law--
including matters tied to limited liability, regulation,
antitrust, and public disclosure--become real.
To businesses we say that you should use the framework, join
an ISAO/ISAC, and take advantage of the CISA/AIS system as
appropriate. The chamber urges the senior leaders of industry
groups to promote these initiatives among their peers and
constituencies.
The chamber and many stakeholders worked diligently over several
years to craft policy that would serve multiple interests--namely
individuals' security and privacy. We believe that CISA will enable
private organizations of all sizes and sectors to be more secure and
resilient against America's cyber adversaries.
Mr. Ratcliffe. Thank you, Mr. Eggers.
The Chair now recognizes Mr. Mayer, for 5 minutes, for his
opening statement.
STATEMENT OF ROBERT H. MAYER, VICE PRESIDENT, INDUSTRY AND
STATE AFFAIRS, UNITED STATES TELECOM ASSOCIATION
Mr. Mayer. Thank you. Good morning, Chairman McCaul,
Chairman Ratcliffe, Ranking Member Richmond, and distinguished
Members of the committee.
My name is Robert Mayer, and I serve as vice president of
industry and State affairs at the United States Telecom
Association. Thank you for giving the communications sector and
me personally the opportunity to appear before you today for
this important oversight hearing.
Today, our Nation faces unrelenting assaults from a variety
of bad actors, including, among others, nation-states, criminal
enterprises, terror organizations and individual and group
hackers. As new interconnected platforms, technologies, and
applications grow exponentially, so does the attack surface
expand, placing every U.S. citizen and organization in harm's
way.
In this setting, information sharing represents a
fundamental building block in protecting the vital interests of
all well-intended stakeholders in the cyber ecosystem. The U.S.
Congress and this committee in particular are to be applauded
for passing bipartisan legislation that now serves as a
cornerstone in protecting our Nation's economic and National
security from the perils of cyber attack.
The Cybersecurity Act of 2015 is a complex bill that
represents a careful balance of interests across a broad
spectrum of stakeholders. The act was founded on the voluntary
sharing of information and provides authority for preventing,
detecting, analyzing, and mitigating cybersecurity threats.
On the privacy front, great care was taken to safeguard
individuals from having their personal information shared with
the Government in a manner not directly related to specifically
authorized activities. Of great importance to our industry were
the assurances that information shared with our Government
partners would not be directly used to regulate lawful
activity, to monitor or operate defensive measures, or share
cybersecurity threat indicators.
Similarly, protections from Federal and State disclosure
laws provide the appropriate balance between interest and
transparency, and vital information sharing. Furthermore, by
authorizing the EINSTEIN 3 Accelerated and Enhanced
Cybersecurity Service programs and eliminating statutory
obstacles to their implementation, the Act took important steps
to make the network of Federal civilian agencies, State
governments, critical infrastructure providers and other
entities safer, especially from advanced, persistent threats.
Perhaps of greatest significance on the impact of future
information sharing were the protections from liability
incorporated into the act. While there may remain some
lingering questions in this area that will be the subject of
further clarification, the lack of such protections was one of
the most serious impediments to sharing information.
The communication sector has been actively engaged in
information sharing, operational and planning activities at DHS
and elsewhere both before and subsequent to the passage of the
act. Today at the operational level, over 50 private companies
and 24 Federal agencies share critical communications
information in the DHS National Coordination Center which also
operates as our communications ISAC.
Another noteworthy undertaking in this area involves
activity in the Communications Sector Coordinating Council
where a new committee was created following the passage of the
act to evaluate current information-sharing activities and what
the sector can do to support new and evolving initiatives.
That committee is also planning to conduct a preliminary
assessment of how the current, more narrowly circumscribed
information sharing has been effectively and appropriately
expanded as a consequence of the legislation adopted by
Congress.
While the act is only 6 months old, it is already evident
that the new law is having an impact on both industry and
Government efforts to facilitate greater information sharing.
We want to take this opportunity to acknowledge the
significant and largely successful efforts by DHS to meet their
aggressive implementation and guidance deadlines. Both DHS and
the DOJ have been extremely forthcoming with respect to
explaining and clarifying administrative, operational,
technical, and legal aspects associated with implementing
information-sharing mechanisms, including those associated with
a newly modified, automated information-sharing capability.
While there are still some operational improvements needed
to facilitate the efficient sharing of both automated and non-
automated processes, and Government guidelines remain to be
finalized, there is clear evidence of a strong commitment on
the part of industry and government to address any remaining
barriers.
Several major companies in our sector are already enrolled
in the program and others are in process of completing their
evaluations.
One note of concern that we would like to share with this
committee involves the implications of potential privacy rules
that the FCC recently announced. Under the act, an entity can
share information on a specific person if at the time of the
sharing that entity did not knowingly reveal personal
information unrelated to a cybersecurity threat.
Unlike the language in the act, the FCC proposal would
grant the protection only when the sharing is shown to be,
``reasonably necessary.'' This language creates ambiguity and
uncertainty and is likely to spur reticence on the part of the
companies, who could fear enforcement action based on an after-
the-fact FCC determination of reasonableness. We will work hard
to secure the appropriate clarity, and we continue to engage
the FCC in this rulemaking proceeding.
In closing, let me once again thank the committee for their
on-going work to oversee the implementation of this landmark
legislation. Given the magnitude of the threat and the promise
of this legislation, periodic oversight by this committee will
only bring us closer to making the cyber world much safer.
Thank you, and I look forward to your questions.
[The prepared statement of Mr. Mayer follows:]
Prepared Statement of Robert H. Mayer
June 15, 2016
Chairman McCaul, Ranking Member Thompson, and distinguished Members
of the committee, thank you for giving the Communications Sector and me
personally the opportunity to appear before you today for this
important oversight hearing.
My name is Robert Mayer, and I serve as vice president of industry
and state affairs at the United States Telecom Association. USTelecom
represents companies ranging from some of the smallest rural broadband
providers to some of the largest companies in the U.S. economy. I am a
past chair and current cybersecurity committee chair of the
Communications Sector Coordinating Council (CSCC) which represents the
Broadcasting, Cable, Satellite, Wireless, and Wireline segments. The
CSCC is one of the 16 critical infrastructure sectors under the
Critical Infrastructure Partnership Advisory Council (CIPAC) through
which the Department of Homeland Security (DHS) facilitates physical
and cyber coordination and planning activities among the private sector
and Federal, State, local, territorial, and Tribal governments.
Today, our Nation faces unrelenting assaults from a variety of bad
actors including, among others, nation-states, criminal enterprises,
terror organizations and individual and group hackers. And as new
interconnected platforms, technologies and applications grow
exponentially, so does the attack surface expand placing every U.S.
citizen and organization in harm's way. In this setting, information
sharing represents a fundamental building block in protecting the vital
interests of all well-intended stakeholders in the cyber ecosystem.
The United States Congress and this committee in particular are to
be applauded for passing bipartisan legislation that now serves as a
cornerstone in protecting our Nation's economic and National security
from the perils of a cyber attack. The Cybersecurity Act of 2015 is a
complex bill that represents a careful balance of interests across a
broad spectrum of stakeholders.\1\ The Act is founded on the voluntary
sharing of information and provides authority for preventing,
detecting, analyzing, and mitigating cybersecurity threats and includes
fundamental protections important to our industry including those
related to privacy; exposure to regulation; State, Tribal, or local
disclosure laws; and general legal liabilities.
---------------------------------------------------------------------------
\1\ Cybersecurity Act of 2015 was passed as part of the
Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, 129 Stat.
2242 (available at https://www.congress.gov/114/plaws/publ113/PLAW-
114publ113.pdf).
---------------------------------------------------------------------------
On the privacy front, great care was taken to safeguard individuals
from having their personal information shared with the Government in a
manner not directly related to specifically authorized activities
associated with cyber threat indicators and defensive measures. Of
great importance to our industry were the assurances that information
shared with our Government partners would not be directly used to
regulate--including enforcement actions--lawful activity to monitor,
operate defensive measures or share cyber threat indicators. Similarly,
protections from Federal and State disclosure laws provide the
appropriate balance between interests in transparency while not
impeding vital information sharing.
Finally, by authorizing the EINSTEIN 3 Accelerated (E3A) and
Enhanced Cybersecurity Service (ECS) programs, and eliminating
statutory obstacles to their implementation, the Act took important
steps to make the networks of Federal civilian agencies, State
governments, critical infrastructure providers and other entities
safer, especially from advanced persistent threats.
Perhaps of greatest significance on the impact of future
information sharing were the protections from liability incorporated
into the Act. While there may remain some lingering questions in this
area that are now the subject of further clarification, the lack of
such protections was one of the most serious impediments to sharing
information. The law establishes an appropriate standard by applying an
exemption to liability protection only in such instances where there
was a knowing sharing of personal information or information that
identifies a specific person not directly related to a cybersecurity
threat or where there exists evidence of gross negligence or willful
misconduct in the course of conducting the authorized activities.
The Communications Sector has been actively engaged in information
sharing operational and planning activities at DHS and elsewhere, both
before and subsequent to the passage of the Act. Today at the
operational level, over 50 private-sector communications and
information technology companies and 24 Federal Government agencies
share critical communications information and advice in the DHS
National Coordination Center (NCC) which also operates as the
Communications Information Sharing and Analysis Center (ISAC) in
accordance with a 2000 Presidential Directive.\2\ In this trusted NCC/
Comms ISAC environment, information on cyber vulnerabilities, threats,
intrusion, and anomalies is routinely exchanged among Government and
industry participants.\3\
---------------------------------------------------------------------------
\2\ Presidential Policy Directive 63, (available at http://fas.org/
irp/offdocs/pdd/pdd-63.htm).
\3\ See, DHS description of the NCC/Comms ISAC (available at
www.dhs.gov/national-coordinating-center-communications).
---------------------------------------------------------------------------
Another noteworthy undertaking in this area involves activity in a
newly-established information sharing committee under the CSCC. This
committee was created following the passage of the Act to evaluate current
information-sharing activities and what the sector can do to support
new and evolving initiatives. The committee has identified a variety of
mechanisms and venues for information sharing including those with
trusted peers and commercial partners, Government agencies under
contract, law enforcement, industry peers as part of the sector policy
and planning process, DHS via the National Cybersecurity and
Communications Integration Center (NCCIC) and other affiliated
organizations like US-CERT, other public and private partners and
finally by ISPs for their own internal use to protect their networks
and customers. The committee is also planning to conduct a preliminary
assessment of how the current, more narrowly circumscribed information
sharing has been effectively and appropriately expanded as a
consequence of the legislation adopted by Congress.
While the Act is only 6 months old, it is already evident that this
new law is having an impact on both industry and Government efforts to
facilitate greater information sharing. We want to take this
opportunity to acknowledge the significant and largely successful
efforts by DHS to meet their aggressive implementation and guidance
deadlines. Both DHS and the Department of Justice have been extremely
forthcoming with respect to explaining and clarifying administrative,
operational, technical, and legal aspects associated with implementing
information sharing mechanisms including those associated with a newly
modified, Automated Information Sharing (AIS) capability.\4\ While
there are still some operational improvements needed to facilitate the
efficient sharing of both automated and non-automated processes, and
Government guidelines remain to be finalized, there is clear evidence
of a strong commitment on the part of industry and Government to
address any remaining barriers. Several major companies in our sector
are already enrolled in the program and others are in the process of
completing their initial evaluations.
---------------------------------------------------------------------------
\4\ See DHS information on Automated Information Sharing Program
(available at https://www.dhs.gov/ais).
---------------------------------------------------------------------------
One note of concern that we would like to share with this committee
involves the implications of potential privacy rules that the FCC
announced in their recent Notice of Proposed Rulemaking.\5\ Under the
Act, an entity can share information on a specific person if at the
time of the sharing that entity did not knowingly reveal personal
information unrelated to a cybersecurity threat.\6\ Unlike the language
in the Act that would allow for liability protection in such instances,
the FCC proposal would grant the protection only when the sharing is
shown to be ``reasonably necessary.''\7\ This language creates
ambiguity and uncertainty and is likely to spur reticence on the part
of companies who could fear enforcement action based on an after-the-
fact FCC determination of reasonableness. We will work hard to secure
the appropriate clarity as we continue to engage the FCC in this
rulemaking proceeding.
---------------------------------------------------------------------------
\5\ Protecting the Privacy of Customers of Broadband and Other
Telecommunications Services, WC Docket No. 16-106, Notice of Proposed
Rulemaking, FCC 16-39 (rel. Apr. 1, 2016) (FCC NPRM).
\6\ See, Cybersecurity Act of 2015 Section 104(d)(2)(A).
\7\ See, FCC NPRM at para. 117.
---------------------------------------------------------------------------
In closing, let me once again thank this committee for their on-
going work to oversee the implementation of this landmark legislation.
Given the magnitude of the threat and the promise of this legislation,
periodic oversight by this committee will only bring us closer to
making the cyber world much safer.
Mr. Ratcliffe. Thank you, Mr. Mayer.
The Chair now recognizes Mr. Clancy, for 5 minutes, for his
opening statement.
STATEMENT OF MARK G. CLANCY, CHIEF EXECUTIVE OFFICER, SOLTRA
Mr. Clancy. Chairman McCaul, Chairman Ratcliffe and Ranking
Member Richmond, and Members of this committee, thank you for
scheduling today's hearing.
My name is Mark Clancy, and I am the chief executive
officer of Soltra.
I want to thank you for your efforts and long-standing
dedication to addressing cybersecurity concerns in this
committee, including the passage of the cyber information-
sharing legislation. CISA's passage was a critical step toward
improving the collective resiliency of our Nation's critical
infrastructure.
It has only been 6 months since CISA was signed into law,
but its implementation is moving forward quickly. As an early
participant in the DHS Automated Indicator Sharing System, I
believe that Soltra can offer a unique window into AIS's
progress, key lessons learned and suggested improvements as
this implementation continues.
Formed in 2014, as a joint venture between DTCC and the FS-
ISAC, Soltra and its automation software, Soltra Edge, are
bringing cutting-edge innovation and technical capabilities to
the cybersecurity information-sharing process. DTCC is a
participant-owned and -governed cooperative that serves as
critical infrastructure of the U.S. capital markets, as well as
financial markets globally.
In 2015, DTCC subsidiaries processed securities
transactions valued at $1.5 quadrillion. The FS-ISAC is a not-
for-profit organization formed in 1999 to address cyber threats
in the Nation's critical infrastructure. The FS-ISAC has grown
rapidly in recent years, and today the FS-ISAC has nearly 7,000
member organizations across 37 countries.
Soltra leverages the unique expertise of both these
entities in our solutions to shorten the time from awareness,
to decision, to action in addressing cyber threats. Soltra
began as a cross-industry initiative that provides a no-cost
platform that users can access to share cyber threat
intelligence, or CTI, within or across communities. After less
than 18 months, Soltra Edge has been downloaded by over 2,600
organizations in 75 countries across 25 industries.
Our threat-sharing ecosystem relies on 3 open standards
first developed by DHS and MITRE and now managed by OASIS.
These are known as STIX, TAXII, and CybOX. By using these
standards, Soltra enables users to communicate CTI in a format
that a human can understand and a machine can process, thereby
cutting down hundreds of hours of effort that are currently
needed to distill this information.
These open standards also allow Soltra users to exchange
CTI from community sources like ISACs and ISAOs, commercial
sources, Government sources such as DHS, Treasury, FBI, and
utilize that information in a variety of commercial and open-
source tools.
As I mentioned earlier, Soltra is one of the handful of
companies that has already enrolled in AIS. DHS has been a
helpful partner in this process, and as is normal in the case
of any program there are a few areas that would benefit from
clarification.
First and foremost, it has been our observation that
additional guidance is needed from DHS and DOJ that the
liability protections under CISA cover private-to-private
sharing. The initial guidance was silent on that point and
created much confusion in the industry as a result.
Just as of today, it looks like that was addressed in the
updated guidance that DHS had published, and we look forward to
reviewing that in the fall.
As you know, privacy is and always will be a top priority
for the financial services sector. As we move forward with
CISA, additional guidance is also needed from DHS to provide
clarity on the definition of personally identifiable
information, or PII. Thus far, the definition of PII in the AIS
guidance differs from the definition of PII in other DHS
programs. It is critical that clarity be provided quickly by
DHS to ensure top protections by all who participate in the
program.
While it is still early on in the AIS program, I would like
to focus on 5 recommendations for improving the AIS system.
First, to maximize the potential of AIS, it would be beneficial
to streamline the process for signing up and to simplify the
process for obtaining digital certificates from Federal Bridge
providers.
Second, various aspects of the law as well as the
implementation have caused DHS to add extensions into the STIX
standard. AIS also includes a series of required fields in STIX
data submitted to the Department, which if not included will
reject any attempted submission from a company. It would be
helpful for DHS to specify those things up-front in order to
help implementers understand what needs to be done in advance
of connecting to the AIS system.
Third, DHS should issue guidance on how the CISCP program
fits under CISA to provide greater verification.
Fourth, for greater participation and ease of use in the
future, it would be beneficial to add a test environment where
companies can ensure their AIS interface works effectively.
Finally, there are 3 main data points that the private
sector would like to see added to the AIS system to help
increase the effectiveness of the platform. These include
additional information about the types of threat actors
associated with threat intelligence, recommended defensive
measures, and a feedback loop to refine the context of CTI
data.
I want to thank you once again for providing me with the
opportunity to share my insight today, and I look forward to
working with the committee, Congress and the Executive branch
as well as with our private-sector partners to achieve the
collective goals of CISA. I would be happy to answer any
questions that you may have.
[The prepared statement of Mr. Clancy follows:]
Prepared Statement of Mark G. Clancy
June 15, 2016
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee, thank you for scheduling today's hearing on industry
perspectives on the Cybersecurity Act of 2015 (CISA). My name is Mark
Clancy, and I am the chief executive officer of Soltra. Soltra's
mission is to design and deliver solutions that shorten the time from
awareness, to decision to action, in addressing cyber threats.
First, thank you for all of your efforts and dedication to
addressing key cybersecurity concerns and for successfully passing
cybersecurity information-sharing legislation. As our Nation continues
to confront serious cybersecurity threats to our critical
infrastructure, cybersecurity information sharing is one critical way
to address these challenges.
cybersecurity information sharing
Cybersecurity information sharing has been a cornerstone of various
aspects of my career, beginning in 2004. At that time, I was running
Citigroup's global Security Incident Response Team. Twelve years ago,
we worked to combat the menace of phishing attacks targeting our
customers. We quickly learned that the criminals were using the same
approaches to target customers of other financial institutions; and by
bi-directional sharing of the technical observations of those attacks
with our competitors, we all were better able to minimize the impacts
of these incidents. That first generation model of sharing was born out
of personal trust between individual practitioners who met face-to-face
frequently.
By 2008, a new sharing model was needed as the Financial Services
Information Sharing and Analysis Center (FS-ISAC) started to grow
significantly. This second generation trust model had widened to a
larger number of institutions and individuals who still meet face-to-
face on occasion, but now had moved to using electronic mail lists as
the primary method of exchanging information between face-to-face
meetings.
By 2010, when I was the chief information security officer at The
Depository Trust and Clearing Corporation (DTCC), we realized the scale
of the community and the tonnage of information being shared grew to
the point we could not utilize all the information, and that a third
generation approach to sharing was required to use standardization and
automation. This led to us exploring standards that described a cyber
threat in such a way that a human could understand it, but a machine
could process it.
soltra creation: dtcc and the fs-isac collaboration
Soltra is the financial industry's answer to the third-generation
information-sharing model. Soltra is a joint venture created by DTCC
and the FS-ISAC that leverages the unique expertise of both entities,
bringing together the best and brightest of the industry.
DTCC is a participant-owned and governed cooperative that serves as
the critical infrastructure for the U.S. capital markets as well as
financial markets globally. At its core, it develops and harnesses
technology to provide a variety of risk management and data services to
the financial services industry. More than 40 years ago the firm was
created largely out of the need to leverage technology and automation
in order to ensure securities transactions were more efficiently
settled, thereby reducing risk of loss in the event of a counterparty
default. In this respect, DTCC presently is among the most
sophisticated financial technology or ``FinTech'' companies.
Today, DTCC continues to deploy evolving and improving technology
in service to its mission as the primary financial market
infrastructure for the securities industry. DTCC simplifies the
complexities of clearing, settlement, asset servicing, data management
and information services across multiple asset classes. In 2014, DTCC's
subsidiaries processed securities transactions valued at approximately
US$1.6 quadrillion.
The FS-ISAC is a 501(c)6 nonprofit organization and is funded
entirely by its nearly 7,000 member firms and sponsors. It was formed
in 1999 in response to 1998 Presidential Decision Directive 63 (PDD
63), which called for the public and private sectors to work together
to address cyber threats to the Nation's critical infrastructures. The
FS-ISAC expanded its role to encompass physical threats after the
attacks on 9/11/2001, and in response to Homeland Security Presidential
Directive (HSPD) 7 (and its 2013 successor, Presidential Policy
Directive (PPD) 21) and the Homeland Security Act.
The FS-ISAC has grown rapidly in recent years. In 2004, there were
only 68 members which were mostly large financial services firms.
Today, FS-ISAC has nearly 7,000 member organizations, including
commercial banks and credit unions of all sizes; markets and equities
firms; brokerage firms; insurance companies; payments processors; and
40 trade associations representing all of the U.S. financial services
sector. Because today's cyber-criminal activities transcend country
borders, the FS-ISAC has expanded globally and has active members in
over 37 countries.
soltra
Soltra advances cybersecurity capabilities and increases resilience
of critical infrastructure organizations by collecting and distilling
cybersecurity threat intelligence from a myriad of sources to help
safeguard against cyber attacks and deliver automated services at
``computer speed,'' cutting down the hundreds of human hours that are
currently needed to distill cyber threat information.
Soltra began as a true cross-industry initiative that included a
live prototype involving over 125 security practitioners that included
FS-ISAC members, private-sector representatives from other critical
sectors, and Government entities to refine the requirements,
architecture, and design of Soltra's automation software, which is
known as Soltra Edge(TM). Soltra Edge provides a free
platform that users can access, and after less than a year-and-a-half,
Soltra Edge has been downloaded by over 2,600 organizations in 75
countries spanning 25 industries to consume, utilize, and share cyber
threat intelligence using open standards.
The Soltra Edge platform sends, receives, and stores messages of
Cyber Threat Intelligence (CTI) in a standardized way. It hides the
complexity of the underlying technical specification so that end users
can set up and start receiving threat information in under 15 minutes in
most cases, changing the paradigm where it could take months or
millions of dollars to change internal systems if companies wanted to
do it on their own. The information that is received can be used to push
instructions to other security tools to perform detection and
mitigation of those threats. To support the widest possible adoption,
we also made a highly functional version of the platform available at
no cost to end-user organizations to defend themselves. We also offer a
low-cost or no-cost solution to ISAC and ISAO community organizations
to act as the community hub for machine-to-machine threat sharing if
they lack an existing operational capability. For organizations with
additional needs, we also offer a paid membership which includes system
integrations for platforms that have not adopted standards, enterprise
grade operational features, and technical support.
soltra creates the first-ever interoperable information sharing
platform: provides cross-sector sharing to better combat threats
Soltra has built a threat-sharing ecosystem using 3 open standards
first developed by DHS and MITRE called the Structured Threat
Information eXpression (STIX) and the Trusted Automated eXchange of
Indicator Information (TAXII), and the Cyber Observable eXpression
(CybOX). STIX, TAXII, and CybOX have been transitioned into an
international standards body, OASIS. These open standards are
foundational for the interoperability and machine processing that are
key to addressing complexity, and acting on information quickly. The
OASIS CTI Technical Committee, which maintains these standards, has the
largest number of corporate and individual members of any technical
committee in the standards body.
Soltra utilizes these open standards and has the unique ability to
be the ``glue'' between different sectors and to provide connectivity
for those who do not have the time or infrastructure to manage the
transition to STIX/TAXII. This common standard also allows a defender
of networks to use CTI from community sources like ISACs and ISAOs;
Government sources such as the U.S. Departments of Homeland Security
(DHS) and Treasury, along with the Federal Bureau of Investigation
(FBI); and utilize that information in a variety of commercial and
open-source security tools. It also addresses the problems companies
currently have when using multiple vendors whose bundling of CTIs may
only work with that same vendor's tools. Soltra fixes this problem and
allows for the use and scalability of information from multiple sources
to be utilized in multiple tools that detect or defend the network.
Soltra also helps break down barriers between and amongst key
sectors of the economy, providing the bridge from financial services to
key sectors like health, energy, retail, as well as State, local,
Tribal, and territorial (SLTT) governments. Historically, sectors only
shared information within that sector. While important and effective to
do, it also stovepipes the fact that the attackers are using the same
Tactics, Techniques, and Procedures (TTPs) against all sectors and
allows them to effectively use the same tool to attack all sectors.
Soltra breaks down the barriers to sharing by ultimately providing the
``utility platform'' and enabling interchange of information already
in the STIX/TAXII format. We see this today with firms that are members
of multiple ISAC/ISAO organizations and with ISACs that have sharing
relationships with each other. Both of these act as cross-sector
bridges since it is simple to share information. Friction is greatly
reduced when using Soltra to connect organizations--the same standard
format, communications method, and access controls are used to respond
to the data-handling instructions driven from the Traffic Light
Protocol markings of content.
soltra and information sharing bring greater security
Sharing information about threats remains essential as Mandiant
reports\1\ that for 2015 the median number of days from compromise to
discovery was 146 days. This improved from a median of 229 days from
the 2014 Mandiant report,\2\ but is still an extensive window. The 47%
of firms that detected a breach themselves took 56 days to discover the
breach, but the 53% of firms notified by an external party had a median
of 320 days from compromise to detection.
---------------------------------------------------------------------------
\1\ https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf.
\2\ http://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf.
---------------------------------------------------------------------------
This is directly relevant to information sharing in two ways.
First, the delta between the time of an internal and external
notification is likely a symptom of poor access to information about
threats or ability to act on that information. Second, information
shared about threats may represent intrusion sets recently identified
that had been in situ for a long time. We need to both increase the
percentage of internally discovered breaches and shorten the time to
detect them. Sharing CTI data is one such way these discoveries are
made and timely sharing leads to timely discovery. Soltra is working to
solve this problem by widening the access to CTI data and shortening
the time to act on it over manual methods. It is hard to know with
certainty why the industry improved the lag in compromise to discovery,
but it is highly likely information sharing tipping defenders on what
to look for was a part of the improvement.
Third, there are some important lessons learned about the benefits
of sharing information that, quite simply, will vary based upon the
maturity of the institution participating in the program. However, a
few things are universal:
First, initially when a company receives CTI data, it is purely a
consumer of that information. It might find that it has limited
technical or operational capabilities to utilize some or all of the
information in an effective way. For example, it may receive indicator
information about malware on endpoint, but not have a capability to
scan endpoints for such files. At that juncture, the company will
begin to realize that it needs to better understand what is in the data
to actually be able to utilize it. For example, understanding how to
use information when the temporal context is of an intrusion 300 days
ago is important. If it then looks for that activity from the moment
the CTI is received, it could miss the event that precipitated the
intrusion several hundred days earlier. If it was just recently
reported, the original victim may have just identified it and that
data, even if it is a year old, might be the clue needed to ascertain
if the same incident had occurred in your infrastructure. As a company
moves up the maturity curve, it also moves from primarily utilizing the
telemetry which is represented by the CTIs and starts to utilize
insights and contextual information to anticipate hazards down the
road. Even in mature sectors the bulk of the activity is around the
telemetry CTI data.
As a company matures into using CTI data that was shared, it starts
to realize that some data lacks sufficient context and may appear to be
a false positive. This comes about from the very natural tension
between sharing quickly when information is fresh, but could still be
incomplete. This also occurs by the very nature of the investigative
process that produces information and observations of activity that may
have occurred during an attack but could be unrelated to the attacker's
actions and are an artifact of normal IT system behavior. In order to
address this, a company will want to have a method to ask the producing
source to confirm details, or perhaps after its own research it will
understand the context was lost or the CTI data is, in fact,
inaccurate. A company will need to have a mechanism to share these
results back to the producing source so they can adjust the content and
send out a revision to the community.
This is important to note because as a company builds information-
sharing products it will need to support a range of needs and maturity
levels. It will also need to have the capability to receive feedback on
existing products in addition to the ability to consume new submissions
from the community. Finally, a company will also need to create methods
to address the level of trust needed between members of a community as
that community scales and the parties become more remote to each other.
cisa implementation
It has only been 6 months since CISA was signed into law, and while
there has been a rapid fire of activity in that time, more work
certainly remains to be done. Guidance issued on how to submit
information under CISA by DHS/DOJ adhered to the letter of the law and
described private-to-Government sharing, but was silent on private-to-
private sharing. This created some confusion concerning the scope of
liability or when protections might apply. As an example, the FS-ISAC
had to send a memo to all its members to clarify that the protection in
the law did apply to private-to-private communications within the FS-
ISAC membership. As recently as Thursday, June 9, 2016, DHS advised
that CISA covers private-to-private sharing and that it would be
included in the revised guidance required by Congress on June 15, 2016.
Soltra is one of the handful of companies that already has enrolled
in DHS's Automated Indicator Sharing (AIS) program. As required by law,
in March 2016 DHS opened access to its AIS platform along with the
procedural documents of how to submit data to comply with the
requirement in the law related to personal information. DHS has been a
helpful partner in this process, and as is normally the case in any
program, there are a number of areas that would benefit from
clarification at this juncture. They include:
1. Additional guidance is needed from DHS on the definition of
Personally Identifiable Information (PII).--Thus far, the
definition of PII in the AIS submission guidance differs from
the definition of PII in other DHS programs and was not defined
in the Act. The vast majority of information sharing about
cyber threats does not involve any personal information, but
the lack of clarity as to which definition would be used for
personal information across DHS programs needs to be made
clear. The financial sector sent a letter on May 11, 2016 to
DHS and the U.S. Department of Justice (DOJ) asking for
clarification on this matter.
2. Current ``Lessons Learned'' Using the AIS System: Streamline the
process for signing up for AIS.--To enroll in the AIS program
participants need to execute two agreements with DHS, enroll to
get an authentication certificate from an approved FedBRIDGE
provider, submit network address information, and technical
details of the sharing platform to be used.
Digital Certificates.--The AIS process requires all users
to obtain a digital certificate from 1 of the 3 FedBRIDGE
providers which has become a cumbersome process. As
background, these certificates are traditionally issued to
individuals to support strong authentication and email
encryption whereas the use case for AIS is to authenticate
a machine used for sharing within a company. At this
juncture, the AIS system requires a single person within
the company to obtain the certificate which then has to be
loaded into the server to communicate with the AIS system.
That automated process actually requires paper
documentation that has to be sent to DHS via the U.S. mail
system. While the need for the authentication is critical,
there is an inherent disconnect between the ultimate goal
of the AIS system which is machine-to-machine. Going
forward, it would be more helpful for a system to be
created that allows for an organization level credential to
be issued to the server used by the company to participate
in the program. Other submission methods such as the web
form and fax do not have the same authentication
requirements.
AIS Changes to STIX/TAXII Fields.--Various aspects of the
law as well as implementation have caused DHS to modify
aspects of the STIX/TAXII fields. AIS also includes a
series of ``required'' fields in STIX data submitted to the
department which, if not included, will cause rejection of any attempted
submission from a company. It would be helpful for DHS to
specify those up-front in order to help companies
understand what needs to be done in advance of connecting
to the AIS system.
Clarify how CISA protections apply to CISCP.--The AIS
program does not support submissions of Proprietary
Information (PROPIN) nor Protected Critical Infrastructure
Information (PCII) although DHS does indicate information
submitted under the CISCP program can receive protections
for PROPIN or PCII. Many companies are used to submitting
both PROPIN and PCII related information and it would be
critical to ensure that companies can continue to do so,
hopefully using the AIS system for sake of ease. DHS should
also issue guidance on how the CISCP program fits under
CISA to provide for greater clarifications.
Add a Test Environment Where Companies Can Ensure Their AIS
Interface Works Effectively.--As is the case with many
systems, it is preferable to be able to test whether or not
a company's systems are interoperable with the AIS
platform. Short deadlines in the law required the AIS
system to be stood up quickly, and at this point, DHS does
not have a system integration or test environment
available. As a result, a company must attempt to work out
the various issues in a live production environment. Moving
forward, a test environment would be helpful for other
companies and may allow for greater participation and ease
of use in the future.
new data points to add to ais
There are 3 main data points that the private sector would like to
see added to the AIS system to help increase the effectiveness of the
AIS system:
1. Types of Threat Actors.--It would be exceptionally helpful if
the AIS data could include an assessment of the type of threat
actor behind the activity when that is known. It is clear that
there are practical challenges of ``naming names'' in an
Unclassified context. However, examples exist, including in the
2013 Defense Science Board report, ``Resilient Military Systems
and the Advanced Cyber Threat,''\3\ that includes a 6-tier
scale that would provide sufficient context to companies
without naming specific actors.
---------------------------------------------------------------------------
\3\ http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf.
---------------------------------------------------------------------------
2. Defensive Measures.--One of CISA's objectives was to support the
development of ``defensive measures.'' While more work will be
needed to get to that point, AIS could add in recommendations
to how recipients might use the AIS data sets. For example if a
set of AIS information was to include the suggested defensive
measure of ``block, mitigate, or monitor'' it would inform
consumers the best type of ``defensive measure'' to employ
even if detailed recommendations are unavailable. This would be
an important benefit to the AIS system that could bring a
greater number of participants into the system.
3. Feedback Loop and Context to Data
Context is important for all companies who participate in the AIS
program. As the AIS system continues to be fine-tuned, there are a
number of issues that would be helpful to review and clarify which may
increase greater connectivity and participation overall. As we know,
the spectrum of possible participants will bring with them different
skills, capabilities, and maturities so for those submitting to AIS the
downstream recipients want to understand the context and credibility of
the information from AIS. These types of questions are foundational
issues that have come from the variety of sectors Soltra supports,
including those that are participating in the AIS program or those who
have indicated they intend to participate in the near future. In the
near future, industry participants will want to be able to select the
type of data they want to receive from AIS which could include sector-
specific or even cross-sector information. Levels of ``trust''
associated with the data will be important and industry participants
will want to understand what process DHS will use if AIS members ask
for more specific information from the AIS system, including the
ability for DHS to reach back out to the original submitter of the
data. Ultimately, DHS will need to be able to communicate how its
internal process is set up to identify and vet the data submitted, a
challenge that many ISACs have gone through themselves. The DHS
guidance does mention a process that will be put in place to deal with
false positives and mechanisms to address updating data and it will be
critical that DHS provide clarity on that quickly.
cybersecurity information sharing and collaboration program (ciscp) and
private-sector security clearances under ciscp
Many of Soltra's customers and community members participate in the
CISCP program, which is widely viewed as a beneficial program that
facilitates cross-sector engagement with government. It brings private-
sector and government analysts together at quarterly in-person
meetings, the Advanced Technical Threat Exchanges (ATTE). CISCP also
allows the private sector to work on the National Cybersecurity and
Communications Integration Center (NCCIC) floor, giving participants
access to DHS, LE, and IC analysts. We are seeing an increase in
production around CISCP analysts turning FS-ISAC reports into CISCP
Indicator Bulletins.
changes to security clearances needed
Challenges continue to exist in obtaining security clearances for
companies. First, post the cybersecurity attack on the Office of
Personnel Management (OPM), clearance times are much longer.
Second, it would be helpful if there was more transparency into the
process with key performance metrics being available to Critical
Infrastructure and Key Resources (CIKR) members or their ISACs. It
should include monthly breakdowns by sector and clearance types of the
number of new clearances requested, the number of investigation
completed, the aging of applications by stage, the number of
reinvestigations initiated/completed per month, as well as median times
for each stage.
Third, there have been a number of changes to the security
clearance program that has caused a number of challenges to many
companies, including those who have historically had individuals on the
NCCIC floor. As background, private-sector companies have 2 routes to
have essential personnel cleared for access to Classified Information.
The first is the Private-Sector Clearance Program (PSCP) initiated via
the sector-specific agency and sponsored/operated by DHS, and which
holds clearances to the Secret level. The second route is by executing
a Cooperative Research and Development Agreement (CRADA) with DHS. With
a CRADA in place the firm needs to have a Facilities Clearance (FCL),
which allows it to hold staff clearances up to Top Secret and have
access to the NCCIC floor.
A recent change that greatly impacted a number of ISACs was the
requirement to have the FCL in place for their company. This was not a
previously a requirement of the CRADA process for CISCP as DHS rolled it
out and was added at a later date by the Defense Security Service (DSS).
A number of ISACs did not have current FCLs and therefore were removed
from the NCCIC floor leaving no representation in the coordination
process for those sectors. These ISACs do not have Classified work
areas in their offices and were using the NCCIC floor for any handling
of Classified materials. The requirements for obtaining the FCL are
determined by the DSS. One attribute of this process is a requirement
to clear top executives or board directors for companies. This program
requirement made a lot of sense in the Defense Sector when the main
objective of the FCL was managing contractors working on defense system
projects. With the cybersecurity threat, the majority of the attack
surface is in the private sector and many of the companies are
multinationals with non-U.S. citizens on corporate boards or executive
management, rendering the existing scheme less tailored for successful
application to today's environment.
The CISCP program with DHS requires a CRADA be in place for the
receipt of Unclassified information such as Cyber Threat Indicators. As
a direct result of the change requiring the FCL for the CISCP CRADA a
number of financial sector firms are in the process of ending their
CRADA with DHS and going back to using the PSCP program to avoid the
entanglement of having top executives or board members without
cybersecurity responsibilities having to hold clearances which are
orthogonal to their duties for the company. Again this is to receive
Unclassified information from the DHS CISCP program.
The ISACs that have an FCL will participate in CISCP via the CRADA
and then be able to share Unclassified information from CISCP with
their members. As a practical matter, when Classified information is
shared with the private sector, this is done in a U.S. Government
Facility with the appropriate FCL in place. It is unclear how ISACs
that do not have the FCL will participate in the CISCP program going
forward.
In addition to the problems with the CRADA and FCL, the problems
and frustration with the clearance processes remain.
next steps
Implementation of the Cybersecurity Information Sharing Act is
moving forward quickly and DHS, DOJ, and the Congress are to be
commended for how quickly the AIS system has been stood up, and the
various guidance documents issued on time. As with every system, there
are lessons learned and items that can be improved, and we look forward
to working closely with DHS and others to achieve our collective goal.
Soltra and Soltra Edge are bringing cutting-edge innovation and
technical capabilities to the cybersecurity information-sharing
process. Soltra Edge is providing a simple and easy solution by
providing the core backbone and technical processes that have
previously prohibited many companies from sharing, thinking that the
process is too cumbersome or difficult just to get started. Soltra is
helping companies in all sectors to increase the ability and likelihood
that information sharing can help provide vastly improved cybersecurity
defenses and ultimately make it harder and more expensive for
attackers. We look forward to working with this committee, Congress,
and the Executive branch, as well as with all of our private-sector
partners to achieve our collective goals.
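The consumption issues the statement above describes (handling driven by Traffic Light Protocol markings, the temporal context of an indicator observed long before it was shared, and feeding results back to the producing source), worked through as an added Python example; it is not part of the witness's testimony or of Soltra's software, and the record layout, the TLP 1.0 audience rules and all sample data are constructed assumptions.

```python
"""Consuming shared CTI as the testimony describes: honour the TLP
marking, search historical telemetry from the indicator's own
observation time (not the receipt time), and record feedback for the
producing source. Added illustration, not Soltra or STIX/TAXII code;
record layout, TLP rules and sample data are constructed here."""
from datetime import datetime, timedelta, timezone

# Constructed indicator records, loosely modelled on a STIX indicator
# carrying a TLP marking and a suggested "block, mitigate, or monitor"
# defensive measure.
INDICATORS = [
    {"id": "ind-1", "type": "ipv4", "value": "203.0.113.7",
     "observed": "2015-07-01T00:00:00Z", "tlp": "AMBER", "action": "block"},
    {"id": "ind-2", "type": "sha256", "value": "aa" * 32,
     "observed": "2016-05-20T00:00:00Z", "tlp": "GREEN", "action": "monitor"},
    {"id": "ind-3", "type": "ipv4", "value": "198.51.100.9",
     "observed": "2016-06-01T00:00:00Z", "tlp": "RED", "action": "mitigate"},
]

# Constructed proxy log lines: "<timestamp> <source> <destination>".
LOG_LINES = [
    "2015-08-14T10:12:05Z 10.0.0.5 203.0.113.7",   # ~300 days before receipt
    "2016-06-10T08:00:00Z 10.0.0.9 192.0.2.44",
    "2016-06-12T23:59:59Z 10.0.0.7 198.51.100.9",
]

# The moment the CTI feed delivered these indicators (constructed).
RECEIVED_AT = datetime(2016, 6, 15, tzinfo=timezone.utc)

# TLP 1.0 colours mapped to the audience a recipient may forward to
# (assumed simplification of the TLP definitions).
TLP_AUDIENCE = {
    "RED": "named recipients only",
    "AMBER": "own organization",
    "GREEN": "sharing community",
    "WHITE": "unrestricted",
}


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps as aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def redistribution_scope(ind):
    """Unknown or missing markings fall back to the most restrictive scope."""
    return TLP_AUDIENCE.get(str(ind.get("tlp", "")).upper(), TLP_AUDIENCE["RED"])


def search_window(ind, received_at, slack_days=30):
    """Search from shortly before the indicator's own observation time up to
    receipt; a forward-only search from receipt would miss an intrusion
    that was observed 300 days earlier."""
    observed = parse_ts(ind["observed"])
    return observed - timedelta(days=slack_days), received_at


def retrospective_matches(ind, log_lines, received_at):
    """Log lines inside the lookback window that carry the indicator value."""
    start, end = search_window(ind, received_at)
    hits = []
    for line in log_lines:
        ts_s, src, dst = line.split()
        if start <= parse_ts(ts_s) <= end and ind["value"] in (src, dst):
            hits.append(line)
    return hits


def forward_only_matches(ind, log_lines, received_at):
    """What a consumer sees if it only watches traffic from receipt onward."""
    return [l for l in log_lines
            if parse_ts(l.split()[0]) >= received_at and ind["value"] in l]


def triage(indicators, log_lines, received_at):
    """Per-indicator handling decision, plus feedback items for the producing
    source (assumed policy: indicators with no local sightings get a request
    for more context rather than silent discard)."""
    report, feedback = {}, []
    for ind in indicators:
        hits = retrospective_matches(ind, log_lines, received_at)
        report[ind["id"]] = {
            "action": ind["action"],
            "share_with": redistribution_scope(ind),
            "hits": hits,
        }
        if not hits:
            feedback.append({"id": ind["id"],
                             "note": "no local sightings; request context"})
    return report, feedback


if __name__ == "__main__":
    rep, fb = triage(INDICATORS, LOG_LINES, RECEIVED_AT)
    for ind_id, entry in rep.items():
        print(ind_id, entry["action"], entry["share_with"], len(entry["hits"]))
    print("feedback:", fb)
```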
Mr. Ratcliffe. Thank you, Mr. Clancy.
The Chair now recognizes Mr. Rosen, for 5 minutes.
STATEMENT OF MORDECAI ROSEN, GENERAL MANAGER, SECURITY BUSINESS
UNIT, CA TECHNOLOGIES
Mr. Rosen. Good morning, Chairman McCaul, Chairman
Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee. Thank you for the opportunity to appear before
you today.
My name is Mordecai Rosen and I serve as the senior vice
president and general manager of the Cybersecurity Business
Unit at CA Technologies. CA is one of the largest enterprise
software companies in the world. We serve a global customer
base in nearly every major commercial and industrial sector. CA
software helps our customers develop, manage and secure the
systems and services that form the basis for the new
application economy.
I want to thank the committee for getting the cybersecurity
Act of 2015 over the finish line last year. CA was a strong
supporter of the legislation and is encouraged by DHS's
implementation thus far.
I want to focus on two topics today. First, I plan to
highlight why identity and access management are so important
in protecting our infrastructure and establishing trust in the
cybersecurity ecosystem. Second, I will provide our overall
perspective on the act and its implementation.
Applications have become the central way businesses connect
with their customers. Identity is the new security perimeter
for the application economy. In virtually every large network
breach in recent memory, compromised identities were the common
thread.
CA believes that robust identity solutions covering both
human-to-machine and machine-to-machine connections will be
vital to protecting Government and commercial networks and
applications. Identity solutions ensure that users, devices,
and applications are who and what they say they are.
I want to congratulate DHS for the job they have done to
date on implementation. The legislation had very aggressive
time lines to get the program up and running. DHS has met those
deadlines and has worked collaboratively with their Government
and industry partners to provide clarity around the overall
program, and this should be commended.
At the same time, there are specific areas where further
clarification will help accelerate adoption. CA, like many
organizations, is actively exploring participation in the DHS
Automated Indicator Sharing program. While we have strong
interest, we and others still have outstanding questions.
First, organizations will need even greater clarity on
targeted liability protection for the database, shared or
received. Our hope is that the updated guidance, which I know
has been released this morning, that DHS releases will answer
outstanding questions. DHS will need to remain actively engaged
with industry to help them fully understand these protections.
Second, ensuring trust in the system and providing robust
privacy protections will remain central to successful
implementation and adoption. DHS must be able to effectively
authenticate users that share or receive information under the
program. For example, DHS must be able to confirm that a
participant sharing information is a real entity, not a front
for hackers.
We are concerned that confidence in the program will lessen
if participants cannot be authenticated and the data being
shared cannot be trusted. Maintaining confidence in the act's
privacy protections remain critical. DHS's initial guidance
made strong privacy commitments, but participants will need
even greater clarity. Stakeholder outreach and engagement
through implementation will ensure that privacy considerations
remain at the forefront.
Third, we have to make it as easy as possible for
organizations to participate. The uptake of automated, real-
time information exchanges that protect user privacy will
define whether the act is a success, and the data received must
be timely and actionable for the program to have maximum
impact.
We look forward to reviewing DHS's updated guidance and
hope it will give us the certainty needed to become an active
partner in the program.
You asked CA to also address the Federal agency cyber
provisions contained in Title II of the act. The EINSTEIN and
Continuous Diagnostics and Mitigation, CDM, programs, when
fully deployed will help Government agencies be more secure. CA
has been an active participant in Phase 2 of CDM, which
addresses identity and access issues with a significant focus
on privileged users.
Managing the rights of privileged users remains one of the
most important areas of IT risk for organizations today.
Improper actions by privileged users can have disastrous
effects on IT operations and security. Privileged access
management solutions provide the visibility, monitoring, and
control needed for users and accounts that have the keys to the
kingdom.
Deployment of CDM is at a critical stage. We have growing
concerns that this deployment will be delayed, however, because
agencies do not have the adequate contracting personnel to
acquire the services from DHS. We recommend the committee keep
a watchful eye on this issue as part of your oversight.
Thank you for your focus on cyber threat information
sharing. CA stands ready to continue our partnership with you,
with DHS and with our industry colleagues to enhance trust and
make it as easy as possible for organizations to participate.
Thank you again for the opportunity to be here. I look
forward to answering any of your questions.
[The prepared statement of Mr. Rosen follows:]
Prepared Statement of Mordecai Rosen
June 15, 2016
Chairman McCaul, Ranking Member Thompson and Members of the
committee: Thank you for the opportunity to appear before you today. My
name is Mordecai Rosen and I serve as senior vice president and general
manager of the Security Business Unit at CA Technologies, where I
manage global development of CA's cybersecurity products and solutions.
CA is one of the largest enterprise software companies in the
world, serving global customers in nearly every major commercial and
industrial sector. We are headquartered in New York, and have 11,000
employees across the globe, including many in districts represented on
this committee. CA delivers software that is mission critical to the
development, management, and security of technologies, which optimize
business operations and enable digital transformation in what is being
referred to as the ``application economy.''
I intend to focus my remarks today on two important and related
topics. First, I want to highlight some of the emergent and serious
cybersecurity threats we see in the application economy. Second, I'll
plan to provide CA's specific perspective on the Cybersecurity Act of
2015--how it can be effectively implemented, and how we ultimately feel
it can serve as a guidepost for reducing cyber risk in both Government
and commercial systems.
introduction
CA Technologies was a strong supporter of the Cybersecurity Act of
2015 and is encouraged by the implementation thus far. Cyber threat
information sharing helps us improve our collective cyber defenses by
enabling us to prioritize and deploy resources against current and
anticipated attacks. Improving Federal agency cybersecurity helps
defend National security and protect citizen data. We want to thank the
committee for your driving this legislation over the finish line last
year.
The application economy is transforming the way organizations do
business. From entertainment to communications to finance, applications
are rewriting the world in which we live, and are enabling
organizations and governments to provide services to customers and
citizens in new ways that reduce costs, enhance efficiencies, and
improve outcomes. Software has become the principal means through which
organizations deliver these new services. Examples of these
technologies include mobile banking applications, the smart grid to
reduce energy costs, and connected vehicle communications to improve
safety and efficiency.
Applications have become the critical point of engagement for
organizations of all sizes, optimizing experiences and providing a
direct and constant connection from organizations to their end-users.
CA software transforms businesses' ability to thrive in this new
reality, delivering the means to deploy, monitor, and secure their
technology investments.
However, the increasing volume and sophistication of cyber attacks
threatens to undermine this progress through the illegal transfer of
intellectual property, the theft of personally identifiable information
(PII) and other sensitive data, and the undermining or destruction of
critical infrastructure systems.
Cyber attacks that disable systems, such as the electric grid,
water utilities, financial markets, or even mass transit systems, could
have a potentially catastrophic effect, putting the health and safety
of large populations at risk. Federal agency breaches that result in
the loss of sensitive data can lead to massive identity theft and
fraud, and can put National security at risk.
The Federal Government has suffered significant and harmful
breaches over the past few years, most notably the Office of Personnel
Management (OPM) breach that compromised the data of more than 20
million current and former Government employees and contractors. Yet,
the Government doesn't stand alone as a target for attack. The critical
infrastructure community of the United States includes public and
private operators of critical systems and assets, and they are all
experiencing sophisticated attacks that carry with them the possibility
of catastrophic outcomes. The German government recently said in a
report that hackers successfully broke into the control systems of a
domestic steel plant and caused massive damage to the blast furnace.
Here in the United States, the Wall Street Journal recently reported
that 2 years ago hackers infiltrated the control system of a small dam
less than 20 miles from New York City.
As the Federal Government and critical infrastructure owners and
operators look to create efficiencies through automation and
modernization, they must build security in to their systems on the
front end and abandon the model of bolting security on afterwards.
the role of identity protections in robust cybersecurity
In this new threat environment, CA believes that identity and
access management technologies are central to protecting systems,
networks, devices, and data and to enabling secure interactions with
customers and citizens. The traditional network perimeter can no longer
provide a control mechanism for this access. Identities now constitute
the new perimeter and are the single unifying control point across all
apps, devices, data, and users. As such, identities and application
programming interfaces (APIs) serve as the foundations of the
application economy because they enable easier deployment of secure
apps and help simplify control of access to those apps. They are how
you protect access to apps and data, whether that be by human-to-
machine or machine-to-machine. APIs provide a way to connect computer
software components and data. Broadly speaking, APIs make it possible
for organizations to open their backend data and functionality for
reuse in new application services (think hotel websites using Google or
Bing for their maps and directions).
An API achieves this by facilitating interactions between code
modules, applications, and backend IT systems. The API specifies the
way in which these different software components can interact with each
other and enables content and data to be shared between components.
Given these new realities, identity is now the attack vector of
choice for cyber criminals. In virtually every large network breach in
recent memory, compromised identities were the common thread.
Protecting identities is foundational to robust security in the
application economy.
CA Technologies has made a strategic commitment to addressing
identity-centric cybersecurity challenges in today's dynamic threat
environment by developing effective identity management solutions
through our in-house development process. CA software manages millions
of user identities in most major countries around the world. We provide
identity-centric security solutions to multiple Federal agencies. Our
API Management tools are used within the Federal Government and the
commercial sector to protect network and application interfaces, to
facilitate the secure exchange of information, and to ensure that any
data shared protects personal privacy. We believe all of these
capabilities will further enable robust cyber threat information
sharing. I'll touch more on this below.
dhs implementation of cyber threat information sharing provisions in
the cybersecurity act
Congress passed the Cybersecurity Act of 2015 to help businesses
and governments better protect themselves against cyber attacks. The
Act promotes cybersecurity information sharing between the private
sector and the Government, and across the private sector. In addition,
the Act includes provisions to strengthen Federal agency cybersecurity
through a Federal intrusion and detection system, through capabilities
to continuously diagnose and mitigate cybersecurity risks, and through
other measures.
CA Technologies supported the passage of the Cybersecurity Act of
2015 because it includes key provisions for which CA has been an active
advocate: The bill includes targeted liability protections for program
participants; it includes measures to protect the privacy of
individuals; and it promotes the further development of automated
mechanisms for sharing cyber threat indicators.
CA Technologies believes the Cybersecurity Act will enhance
security and provide businesses with the assurances needed to securely
share with trusted partners the security threats they are seeing on
their own networks, and to receive threat indicators from the wider
ecosystem, which will help them optimize defenses. We believe the
automated capabilities provided through the DHS Automated Indicator
Sharing (AIS) program will make it easier to accept and exchange cyber
threat data in real time. CA Technologies welcomes the opportunity to
provide our insight on implementation to date, and to make
recommendations to encourage greater participation in the information
sharing program and to improve Federal agency cybersecurity.
At the outset, I want to congratulate DHS for the job they've done
thus far on implementation. The Cybersecurity Act of 2015 contained
very aggressive time lines for DHS to release initial and final
guidance to implement the program and to designate the primary system
that would be used to exchange threat data between participants. DHS
has met those deadlines thus far, and has worked collaboratively with
their Government and industry partners to provide clarity around the
overall requirements for sharing, the privacy protections and processes
required to participate, and the process required to take full
advantage of the program's benefits. We know how challenging it is to
balance competing interests and meet very aggressive deadlines. While
the initial guidance documents that DHS issued have raised some
questions that we will address below, by and large we feel they provide
good clarity on the technical, legal, and practical considerations
entities need to weigh when determining whether to participate in the
program.
We are encouraged by DHS's openness to the feedback they have
received from industry, civil society, and other actors in the
cybersecurity ecosystem, and by DHS's consultative approach. DHS has
indicated that they intend to address the majority of these questions
in their final guidance documents. We look forward to reviewing those
in detail when they are released later today.
We are committed to working with DHS to move implementation forward
with active and constructive industry dialogue. Among other
organizations, CA Technologies is a member of the Information
Technology Information Sharing and Analysis Center and sits on the
Executive Committee of the IT Sector Coordinating Council, which helps
advise DHS and other Federal agencies on information-sharing policies
and public-private partnerships.
I'd now like to turn to our views on specific provisions of the
legislation and the issues we see at play and where some further
clarity is needed in implementation.
Liability Protection
Organizations should have targeted liability protection for the
data they share or receive. This protection will encourage greater
participation in the program, leading to better cyber defense.
Liability and regulatory concerns are powerful inhibitors of
participation in information sharing agreements. Reducing these
barriers through targeted protections helps organizations feel more
secure in sharing, receiving, and acting upon cyber threat indicators.
The Cybersecurity Act included targeted liability protections, and
DHS today is releasing updated guidance providing greater clarification
on these protections and the requisite responsibilities of
participating companies.
Cybersecurity information sharing is based on trust, and this trust
needs to be underpinned by strong certainty for participating
companies. While the preliminary guidance released by DHS in February
began to provide greater clarity around processes and procedures to
gain protections, it also left a great deal of uncertainty. Our
understanding is that the updated guidance should provide more clarity
and we look forward to exploring this in greater depth. Beyond the
release of the updated guidance, we encourage DHS to actively engage
with industry and legal groups to help them better understand the
information-sharing program, the responsibilities of participating
organizations, and the liability protections that will be afforded
participants.
Preserving Privacy
The Cybersecurity Act of 2015 requires organizations to take
reasonable steps to remove PII of individuals not related to the threat
from any cyber threat information they share through the program. It
also requires the Government to further scrub this information to
ensure that PII is removed. This is vital to protect the privacy of
customers and citizens.
The global IT industry is very sensitive to issues of protecting
customer privacy and enhancing trust in the solutions we deliver.
Therefore, we believe it will be helpful for DHS and the administration
to reassert that the purpose of cyber threat indicator information
sharing is to protect networks.
Any Government exceptions to this purpose must be clearly defined
and limited. In addition, CA and others advocated strongly that
cybersecurity threat indicator information should be shared through a
civilian portal under the legislation. We want to thank the committee
for pushing the National Cybersecurity and Communications Integration
Center (NCCIC) at DHS as the portal for information sharing, and we
encourage the administration to continue to promote this portal as the
principal mechanism through which to share.
While requirements to remove PII are important to protect privacy,
it's also important to help organizations better understand how they
can remove PII automatically. DHS's STIX/TAXII effort can help
organizations understand what data to share, and how to share it, but
companies will need further help to take the guesswork out of this
process and automate the removal of PII before sharing. Myriad tools
and capabilities exist in the commercial sector to enable automated PII
removal. To the extent that organizations are able to effectively
utilize these tools, it will lessen their concerns about liability and
will heighten user confidence in the program.
We feel that the initial guidance released by DHS made strong
commitments towards preserving privacy under this program, though
participants will need greater clarity. We look forward to reviewing
the updated DHS guidance in this space. Again, active stakeholder
outreach and engagement throughout the policy implementation process
can help lead to effective outcomes that address both security and
privacy needs. DHS can work with sector-specific agencies to convene
workshops and other engagement activities where organizations can learn
best practices on privacy protection as part of information-sharing
programs. Ideally, these workshops and programs can target different
types of industries and can take place in different regions of the
country.
DHS can also work to encourage greater participation in the
information-sharing standards development process, established under
the President's Executive Order from February 2015. The Standards
Development Organization, led by the University of Texas at San Antonio
in partnership with LMI, is currently developing draft standards for
Information Sharing and Analysis Organizations (ISAOs). This work
should be as open and inclusive as possible, enabling multiple types of
organizations, including both nonprofit and for-profit organizations to
establish ISAOs.
Automated Indicator Sharing
Ultimately, in order to truly move the needle on improving cyber
defenses in a significant way, organizations will need to leverage
automated, real-time, actionable information exchanges. Cyber attacks
happen rapidly and without up-front notice. Once cyber threat
indicators are discovered, this information must also be disseminated
rapidly to allow organizations that are the subject of attacks to
mitigate their impacts, and to help other organizations target their
defenses against the newly-discovered threat.
DHS has been working to promote its Automated Information Sharing
(AIS) program, which leverages explicit protocols to identify and
structure information on cyber threat indicators and to provide for a
secure manner of exchanging this information. CA Technologies has been
working with DHS and other industry partners to help enable this
secure, automated exchange of information across a wide range of
different organizations.
CA provides API management software that helps authenticate,
authorize, validate, transform, and filter near-real-time cyber-threat
messaging. We believe that any successful information sharing program
must depend heavily on the authentication of the individuals and
organizations that participate, and on the validity and integrity of
the information and the data that is shared under the program.
CA would like to thank the committee for promoting further
development of automated information sharing mechanisms in the final
legislation. While DHS's activity on automated sharing programs pre-
dates the passage of the Cybersecurity Act, the inclusion of this
program in the Act should boost confidence and encourage greater
participation.
We recommend that DHS continue to leverage key outreach and
partnership programs, such as the Critical Infrastructure Cyber
Community or C3 program, and partnerships with Sector Coordinating
Councils to build greater awareness around automated information
sharing, and to help organizations understand what technical and
procedural steps they will need to take to participate. Industry can
also play a significant role to build awareness. Sector groups can
develop user guidance and promote this with their members.
In addition, we recommend that DHS and the Federal Government
continue to promote the STIX/TAXII protocols with global standards
development organizations. Ultimately, cybersecurity is a global
challenge that doesn't recognize National borders. Global security
solutions providers, including CA Technologies, seek to develop
products that can scale for the global marketplace. The STIX/TAXII
protocols are already commonly used to enable cyber threat information
sharing across the Federal Government and in the private sector, and we
hope that this progress can be leveraged to improve cybersecurity
internationally. DHS's recent decision to transition continued
development of the STIX standard to OASIS is a positive development
that will build international engagement and consensus around the
protocol.
CA Technologies is not a current participant in the AIS system. Our
internal security team currently utilizes multiple private-sector tools
to identify, analyze, and prioritize cyber threat indicators. However,
CA recognizes the significant benefits that we can derive from
participation in information-sharing partnership programs in order to
defend against cyber attacks. Therefore, we are actively exploring
participation. We welcomed the passage of the Cybersecurity Act of 2015
because of its authorization of activities and its calls for
protections for participants. However, while we have strong interest,
we are being very deliberate in making a determination on participation
because we have outstanding questions associated with the program.
First, will the information we receive through this program be
timely, accessible, and actionable? Our security analysts must review
and act on threat information from myriad sources in real time.
Information shared through this program must help organizations to
prevent, detect, or mitigate attacks. Therefore, information needs to
be shared in an expedited fashion. Information has to be understandable
for participants in the program. And participants need to be able to
act on the information, whether that be mitigating against specific on-
going threats, or re-deploying defenses for anticipated attacks. We
continue to examine how we would need to integrate AIS threat indicators
into our overall threat management processes.
Second, how will DHS authenticate users who are receiving or
sharing information in the program? Trust is vital to the success of
information sharing and users must have confidence that the information
they are sharing or receiving will not fall into the hands of
adversaries and enable further attacks. Participants will want to know
that the information they share will not be leveraged in a way that
harms them. They will also want to know that the cyber threat indicator
data they are acting on is valid. And, citizens and customers will want
to know that participating businesses and the Government are doing
everything they can to protect their privacy under this program.
Therefore, identity and access management will play a crucial role in
protecting the underlying information-sharing systems.
And third, will there be greater clarification and guidance around
liability and privacy protections in the program? This includes
clarification around liability protections for the sharing of
information with other private-sector organizations and for acting or
not acting upon the receipt of indicators. It also includes greater
clarification on privacy protection requirements.
To reiterate, CA Technologies believes that DHS has done an
admirable job of early-stage implementation of the information-sharing
provisions of the Cybersecurity Act. CA looks forward to reviewing the
updated guidance released by DHS today, which we hope will give us the
certainty needed to become an active partner in AIS. We also encourage
DHS to continue to conduct industry outreach, to help raise industry
awareness of the programs, and to further provide clarification on
associated liability and privacy protections.
We look forward to working with DHS and the committee on continued
successful implementation of these programs.
protecting federal information systems
A significant number of recent Federal breaches resulted from
compromised identities, including those of privileged users. Title II
of the Cybersecurity Act recognized this issue and authorized solutions
to more fully address the vulnerabilities in Government systems.
The EINSTEIN and Continuous Diagnostics and Mitigation (CDM)
programs, when fully deployed, will help Government agencies acquire
vital security capabilities and tools to better secure Government
networks and systems.
The EINSTEIN program is designed to detect and block cyber attacks
from compromising Federal agencies, and to use threat information
detected in one agency to help other Government agencies and the
private sector to protect themselves.
The CDM program provides Federal departments and agencies with
capabilities and tools that identify cybersecurity risks on an on-going
basis, prioritize these risks based upon potential impacts, and enable
cybersecurity personnel to mitigate the most significant problems
first. CA has been an active participant in the CDM implementation.
While CDM Phase 1 focused on asset discovery and management, Phase
2 is titled ``Least Privilege and Infrastructure Integrity'' and has
prioritized both identity management and privileged access management.
One of the most important areas of IT risk relates to privileged users.
Whether inadvertent or malicious, improper actions by privileged users
can have disastrous effects on IT operations and on the overall
security and privacy of organizational assets and information.
Therefore, it is essential that administrators be allowed to perform
only those actions that are essential for their role, enabling ``least
privileged access'' for reduced risk. Privileged Access Management
solutions provide the visibility, monitoring, and control needed for
those users and accounts that have the ``keys to the kingdom.'' This
visibility provides insight on activity and works to prevent or flag
anything unusual that indicates security risk.
Both identity management and privileged access management
positively affect operations, putting security activity in the
background to make sure security is not seen as a barrier, but instead
as an enabler to more secure business operations.
CA would like to thank the committee for authorizing these programs
under the Cybersecurity Act. In particular, we believe that legislative
language calling on the head of each agency to assess access controls
to sensitive and mission critical data will help protect against the
threat of improper use of privileged credentials.
Finally, on behalf of our IT industry partners, we would like to
thank the committee for its help in conference negotiations to ensure
that the EINSTEIN program would be designed to promote the security of
Federal networks without jeopardizing multi-tenant cloud environments.
In addition, we welcome continued committee oversight of DHS
implementation to improve effectiveness and accountability.
Overall, our primary recommendations in this space are the need for
procurement flexibility and improvements in the workforce development
process. Currently, Federal agencies recognize the value in deploying
CDM solutions. However, they recognize that these deployments could be
paid for by DHS in the following appropriations cycle. Agility and
speed are very important in this context. Ultimately, a plan and a
strategy are worthless without deployment. There is a distinct risk of
a moral hazard where agencies will not prioritize cyber funding in the
short term, leaving them susceptible to risk of a significant breach in
the interim.
Further, DHS partners with GSA on the development of contract
vehicles for these programs, and there is a need for more trained
contracting personnel to accelerate deployment of these new contract
vehicles. We think this should be a key focus for implementation of
Title III of the Cybersecurity Act.
In the wake of the OPM breach, we saw Government officials working
around the clock to improve systems. These are committed individuals,
and the sense of urgency following the breach resulted in quick and
decisive action to resolve significant challenges that became
immediately apparent. However, the long-term success in implementing
those decisions may be hamstrung by backlogs in the procurement
process.
Reacting to specific events to shore up defenses is different than
proactive planning. As we look forward, we believe there is opportunity
for DHS and its partner agencies to leverage the lessons learned in the
cyber sprint and apply them proactively to enhance overall cyber
posture across the Federal Government.
I would mention two things in particular that we think warrant
further consideration by this committee. First, we believe it is
critical for the Federal Government to align its own cybersecurity
practices with the NIST Cybersecurity Framework that is quickly
becoming the standard for private-sector information security
management efforts. Ensuring that the same approach is being used
across the public and private sectors will standardize terminology and
ensure that the Government is walking the walk when it comes to the
approach evangelized in the Cybersecurity framework. We want to commend
the committee for favorably reporting the ``Improving Small Business
Cybersecurity Act of 2016'' last week. As this legislation moves
forward in the House and ultimately, we hope, to enactment, we would
recommend that an explicit requirement be included directing DHS and
the Small Business Development Centers to also leverage the NIST
Framework in maturing their cybersecurity programs.
Second, we recommend the committee maintain focus on the unique
cyber threats emanating from the compromise of digital identities. As
we note above, the attack vector of choice in today's threat
environment remains identity. CA believes that any conversations about
cybersecurity threats and solutions must keep a strong focus on shoring
up identity protections and enabling organizations to protect
themselves from sophisticated identity-based attacks.
conclusion
Cybersecurity represents a significant challenge for industry
officials, and for State, National, and global policy makers. At the
same time, the application economy is unlocking a multitude of
opportunities to provide new services and value to customers and
citizens. State, National, and global governments must work with
private sector, academic, and public stakeholders to develop and
implement cybersecurity policies that improve security, enable
innovation, and build public trust.
The Cybersecurity Act of 2015 recognizes the crucial role of
public-private partnerships in enhancing cybersecurity by authorizing
and promoting active cyber threat indicator information sharing across
the private and public sectors. It also recognizes the National
imperative to protect Federal information networks and systems.
Ultimately, the success of this legislation will depend on
stakeholder engagement, agility and inter-agency cooperation and buy-
in. CA believes that DHS has made great strides in partnering
effectively with the private sector on the implementation of
information-sharing provisions and we encourage DHS to continue to
improve in this regard. The Title II provisions of this Act, in
combination with last year's updates to the Federal Information
Security Management Act, further enhance DHS's position to play the
lead operational role in protecting Federal information civilian
systems.
CA Technologies applauds the efforts the committee has taken in
tackling these key issues. We stand ready to continue partnering with
the committee, DHS, and our industry colleagues in the effective
implementation of the Cybersecurity Act of 2015.
Thank you very much for the opportunity to testify today, and I
look forward to answering any questions you may have.
Mr. Ratcliffe. Thank you, Mr. Rosen.
The Chair now recognizes Ms. Sage, for 5 minutes for her
opening Statement.
STATEMENT OF OLA SAGE, FOUNDER AND CHIEF EXECUTIVE OFFICER, E-
MANAGEMENT
Ms. Sage. Good morning, Chairman Ratcliffe, Ranking Member
Richmond, and distinguished Members of the committee. Thank you
for the opportunity to testify this morning as a small-business
owner of a 17-year-old tech firm on the Cybersecurity
Information Sharing Act, CISA, and other information-sharing
initiatives.
Today I will discuss my company's experience, some
perspectives on CISA and some final thoughts.
In 2013, through our own research, we became aware of the
DHS Enhanced Cybersecurity Services initiative, known as ECS,
which is a voluntary information-sharing program that augments
capabilities of critical infrastructure owners and operators by
providing Classified cyber threat indicators to improve
protection of their systems and customers.
Following the execution of a memorandum of agreement with
DHS, we experienced a significant hurdle. We knew ECS was a
Classified program, and while we had a facility clearance, it
was not at the level required to gain access to information
needed to determine if we could participate in ECS. We spent
weeks trying to locate a SCIF, or a Sensitive Compartmented
Information Facility, that we could use just for a few hours to
review the requirements to be an ECS partner. We eventually
found a solution, but to our disappointment the financial
barrier to entry was so high we determined that it would be
cost-prohibitive.
A year later, we entered into a Cooperative Research and
Development Agreement, a CRADA, with DHS for an Unclassified
program that allowed us to receive actionable Government-
developed cybersecurity threat information and maintain access
to or have an on-site presence within the National
Cybersecurity and Communications Integration Center.
Our experience to date has been mixed. We do receive
regular updates on threat information through the portal, which
is very accessible. However, much of the Unclassified
information is already widely available on the internet or is
dated. We have ended up building our own TAXII server which
provides communication specifications for exchanging cyber
threat information through open sources.
In 2015, DHS informed us of another new program called the
Automated Indicator Sharing dissemination capability. While we
are interested in participating, establishing the necessary
operational capabilities has been constrained by our own
limited resources.
I would like to share 4 observations and a few thoughts on
CISA and other information-sharing initiatives as it relates to
small businesses like ours.
No. 1, small businesses are unaware of CISA. We recognize
the law is new, and though it applies to any size organization,
today it is largely an interest of larger companies with
greater infrastructure and resources.
There is an opportunity for the Government to increase the
visibility of the law through its existing outreach and
awareness programs to the SMB community through, for example,
SBA programs or by working with chambers of commerce, small-
business associations and trade groups.
Second, small businesses need to understand how CISA helps
them. In the law itself, there are only two references to small
business, which highlights that this law is not directly
focused on small businesses. How does CISA apply to SMBs in
general? How does an SMB use CISA to help them better protect
their business? What protocols would help facilitate and
promote the sharing of cyber threat indicators within the SMB
community?
Answers to these and other questions would help clarify the
law's applicability to SMBs.
Third, small businesses are confused by the myriad of
information-sharing initiatives. The number and variety of
information-sharing initiatives is overwhelming to many small
businesses, if they are even aware they exist.
For example, Enhanced Cybersecurity Services, the
Cooperative Research and Development Agreement, the National
Cybersecurity Communications Integration Center, Automated
Indicator Sharing, the Information Sharing and Analysis Centers
and the Information Sharing and Analysis Organizations are just
a few that we can participate in. It would be very helpful if
these initiatives could be streamlined and tailored to our
community.
Last, cybersecurity is costly for small businesses. Some
industry estimates suggest costs of up to $60,000 a year for a
50-employee company, and it is not clear to many what the
concrete benefits are of investing those kinds of dollars in
cybersecurity. As information-sharing is voluntary under CISA,
the key driver for a small-business CEO like myself to consider
participation is the cost to implement.
A significant percentage of small-business owners still do
not believe that they have anything that criminals want. It
would be helpful if there could be an estimate of what it would
cost a small business to participate in various information-
sharing forums, similar to the time estimates that are provided
for completing Government forms.
In closing, CISA is in its early stages and we recognize
that over time the implementation of the law will mature,
providing more clarity for its application, in particular for
small businesses. I remain committed to working with Government
and industry partners to identify and promote affordable
solutions that enable small businesses like ours to strengthen
their cybersecurity readiness and posture.
Thank you again for the opportunity to testify and I am
ready to answer any questions you may have.
[The prepared statement of Ms. Sage follows:]
Prepared Statement of Ola Sage
June 15, 2016
opening remarks
Good morning Chairman Ratcliffe, Ranking Member Richmond, and
distinguished Members of the committee. It is an honor for me to be
here today.
My name is Ola Sage and I am the founder and CEO of two technology
small businesses, e-Management and CyberRx, located in Silver Spring,
Maryland. e-Management was founded in 1999 and employs nearly 70
information technology (IT) and cybersecurity professionals who deliver
services in our core areas of IT Planning, Engineering, Application
Development, and Cybersecurity. In 2013 e-Management was honored to
receive the Department of Energy's Cybersecurity Innovative Technical
Achievement Award, highlighting the capabilities of our cybersecurity
experts in designing and implementing advanced cybersecurity detection
and risk management capabilities. Earlier this year the U.S. Chamber of
Commerce selected e-Management as one of the top 100 small businesses
in America in 2016.
CyberRx, my second company, was launched in 2015 and offers a
software platform that private-sector companies, and small businesses
in particular, use to help them measure, manage, and improve their
cybersecurity readiness. Our software allows companies to quickly
assess their cyber readiness and resilience using a unique application
of the Cybersecurity Framework (CSF), which was developed
collaboratively with the National Institute of Standards and Technology
(NIST), academia, and industry. CyberRx is both vendor-agnostic and
affordable, as we believe cybersecurity should be manageable and
accessible to all organizations, particularly the most vulnerable
small- and medium-sized businesses (SMBs).
In April of this year, I was elected to serve as the chair of the
IT Sector Coordinating Council (IT SCC). The IT SCC comprises the
Nation's top IT companies, professional services firms, and trade
associations, and works in partnership with the Department of Homeland
Security (DHS) to address strategies for mitigating cybersecurity
threats and risks to our Nation's critical infrastructure, especially
for organizations and businesses that are particularly vulnerable, such
as SMBs. One of the joint priorities this year with the IT SCC and DHS
is to provide the SMB community with best practices and products for
implementing the CSF to better protect businesses and manage risk.
I am also a 9-year member of Vistage, an international organization
of more than 20,000 CEOs who control businesses that have annual sales
ranging from $1 million to more than $1 billion. I regularly meet with
and speak to small business CEOs in Vistage and other small business
forums about why cybersecurity should matter to them and how it can
affect their ability to keep business, stay in business, or get new
business. Over the last 12 months alone, I have spoken to more than 200
SMB CEOs in a diverse mix of industries. I am a champion and advocate
for SMB cybersecurity readiness.
Thank you for the opportunity to testify today as a small business
owner.
In my testimony today, I will discuss:
My company's experience with various Government information-
sharing initiatives
Perspectives on the Cybersecurity Information Sharing Act
(CISA), and opportunities for the SMB community
Concluding thoughts.
experience with government information-sharing initiatives
As an IT and cybersecurity small business provider, maintaining our
competitiveness requires us to constantly add value to our clients by
offering them the best combination of new products and services. In
2013, through our own research we became aware of the Enhanced
Cybersecurity Services (ECS) program at DHS. ECS is a voluntary
information-sharing program that augments capabilities of critical
infrastructure owners and operators by providing Classified cyber
threat ``indicators'' to improve protection of their systems and their
customers. We reached out to learn more and were invited to establish a
Memorandum of Agreement (MOA) to govern the Government's provision and
e-Management's receipt and use of information and ECS-related
activities.
Following the execution of the MOA, we experienced our first
hurdle. We knew ECS was a Classified program and while we had a
facility clearance, it was not at the level required to gain access to
information needed to determine if we could participate in ECS. We
spent weeks trying to locate a Sensitive Compartmented Information
Facility (SCIF) that we could use just for a few hours to review the
requirements to be an ECS partner. We reached out to various Government
contractors whom we knew either had a SCIF or access to one, but were
turned down time after time. We eventually found a solution that
enabled us to review the requirements, but to our disappointment, the
financial barrier to entry was so high, we determined that it would be
cost-prohibitive for us to participate.
A year later, in 2014, we entered into a Cooperative Research and
Development Agreement (CRADA) with DHS for an Unclassified program that
allowed DHS and e-Management to engage in data flow and analytical
collaboration activities, including receiving relevant, Unclassified,
and actionable Government-developed cybersecurity threat information.
Through the CRADA, e-Management was also permitted to maintain access
to or have an on-site presence within the National Cybersecurity and
Communications Integration Center (NCCIC).
Our experience with the CRADA has been mixed. We do receive regular
updates on threat information through the portal, which is very
accessible; however, much of the Unclassified information received is
already widely available on the internet or is dated, and therefore has
limited use for our cybersecurity analysts or our clients. We ended up
building our own Trusted Automated eXchange of Indicator Information
(TAXII) server, pulling from open sources to collect threat information
that we could use to better protect our company.
In 2015, we were informed of a new initiative called the Automated
Indicator Sharing Initiative Dissemination Capability, which could
enable us to participate in the dissemination of cyber threat
indicators under the DHS Automated Indicator Sharing (AIS) Initiative
TAXII server, in addition to the existing portal means provided through
our CRADA. While we have an interest in participating, establishing
the necessary operational capabilities is constrained by limited
resources.
an smb ceo's perspective on opportunities for the cisa and information-
sharing initiatives for small businesses
The Cybersecurity Act of 2015 provides a way for the Government and
the private sector to collaborate on cybersecurity while providing the
necessary protections to alleviate the concerns of many companies,
large or small, that they may be exposed to civil or criminal
liability, reputational damage, or competitive threats. Some
observations about the law, other information sharing initiatives, and
some recommendations for how CISA can be more relevant to the SMB
community, are as follows.
1. Small businesses are unaware of CISA.--CISA is new and though it
applies to any size organization, today it is largely an
interest of larger companies that have the infrastructure and
resources to act. There is an opportunity for the Government to
increase the visibility of the law through its existing
outreach and awareness programs to the SMB community through,
for example, Small Business Administration (SBA) programs, or
by working with Chambers of Commerce, small business
associations, and trade groups.
2. Small businesses need to understand how CISA helps them.--In the
law itself, there are only 2 references to small business,
which highlights that this law is not directly focused on small
businesses. How does CISA apply to SMBs in general? How does an
SMB use CISA to help them better protect their business? Is
CISA more applicable to certain types of small businesses? What
protocols would help facilitate and promote the sharing of
cyber threat indicators with the SMB community? Answers to
these and other questions would help clarify the law's
applicability to SMBs.
3. Small businesses are confused by the myriad of information-
sharing initiatives.--The number and variety of information-
sharing initiatives is overwhelming to many small businesses,
if they are even aware they exist. For example, Enhanced
Cybersecurity Services, the Cooperative Research and
Development Agreement, the National Cybersecurity and
Communications Integration Center, Automated Indicator Sharing,
the Information Sharing and Analysis Centers, and/or the
Information Sharing and Analysis Organizations, are just a few
of the information-sharing initiatives companies can
participate in. It would be helpful to the SMB community if
these initiatives could be streamlined and tailored for the SMB
community.
4. Cybersecurity is costly for small businesses.--Implementing
cybersecurity best practices and solutions is costly for many
small businesses. Some industry estimates suggest costs of up
to $60,000 a year for a 50-employee company, and it is not
clear to many what the concrete benefits are of investing those
kinds of dollars in cybersecurity. As information sharing is
voluntary under the law, the key driver for a small business
CEO to consider participation will be the cost to implement.
There is still a significant percentage of small business
owners who do not believe that they have anything that
criminals would want. It would be helpful if there could be an
estimate, on average, of what it would cost a small business to
participate in the information-sharing forum (e.g., similar to
the time estimates that are provided for completing Government
forms).
conclusion
CISA is in its early stages and we recognize that over time the
implementation of the law will mature providing more clarity for its
application, particularly for SMBs. We at e-Management and CyberRx are
committed to working with Government and industry to identify and
promote affordable solutions that enable small businesses to strengthen
their cybersecurity readiness and posture.
Thank you again for the opportunity to testify. I am ready to
answer any questions you may have.
Mr. Ratcliffe. Thank you, Ms. Sage.
Thanks to all the witnesses for your testimony.
I now recognize myself, for 5 minutes, for questions.
I will start by saying that after receiving today's hearing
testimony, I want to try and make one thing clear, and that is
that this subcommittee will try to do everything that we can to
ensure that the final DHS and DOJ information-sharing guidance
explicitly states and clarifies that the Cybersecurity Act's
liability protections are in fact extended for sharing between
non-Federal entities.
I would in fact like it noted for the record that it was
Congress' full intent to grant private-to-private liability
protections when such sharing was conducted in accordance with
the law.
Having said that, I know that the Department of Homeland
Security and Department of Justice this morning issued final
guidance. I don't know if our witnesses have had an opportunity
to review that, so I am not going to put any of you on the
spot. But I would like to give you the opportunity to address
this issue and how a lack of clarity in liability protection
might cause general counsels in some private companies to
prohibit their cyber operators from sharing information.
I will start with you, Mr. Eggers.
Mr. Eggers. Thank you, Mr. Chairman.
I think, at least in terms of the interim guidance and
procedures documents that we have been reviewing since
February, our members view them as very good. I haven't had a
chance to look through the latest documents that were just
released, I think, over the evening. We'll do that. My
impression, but we'll wait to see what the language states, is
DHS and DOJ have tried to clarify, per the law, that the
protections attach when non-Federal entities or private
organizations or even State and local governments share between
themselves and among themselves.
I think just kind of taking a step back, organizations are
able to enter into the CISA and the AIS program when they are
sharing threat data for a cybersecurity purpose, right, and
they are doing other things, such as monitoring, sharing,
receiving indicators and defensive measures.
Irrespective of the size of an organization, those
protections and I should say the authorizations and the
protections should attach.
Mr. Ratcliffe. Thank you, Mr. Eggers.
Mr. Mayer, I want to give you an opportunity.
Mr. Mayer. Sure. Sure. Thank you.
Real quickly, I also haven't had an opportunity to read the
guidance. I think this has its roots in perhaps some comments
that came out of DHS at one point suggesting that there was
some uncertainty or ambiguity around this issue. We had always
felt that reading the statute that private-to-private sharing
was permitted.
So I would say that, since some uncertainty was introduced,
resolving that explicitly, as you did just now and as I am sure
the guidance states, will only be helpful in terms of us being
able to take advantage of the program. Thank you.
Mr. Ratcliffe. Great. Thank you, Mr. Mayer.
Mr. Clancy, anything you would like to comment on?
Mr. Clancy. Just to add, I think to, you know, build on the
comments of the earlier panelists, I would just say that the
place where the confusion was the greatest was in the ISAC
community when sharing between a member to the ISAC to a
member.
The ISACs themselves went and did their own legal reviews,
got legal opinions and started to clarify that issue on their
own. I think just reinforcing it by your statements and the
additional clarified guidance from DHS and DOJ can help us move
past this issue.
Mr. Ratcliffe. Thank you, Mr. Clancy.
Mr. Rosen.
Mr. Rosen. Yes, I think we primarily agree with what has
been said down the line. We understand the existing liability
we have today with sharing threat information, sharing breach
information. We just want to make sure, and we will hopefully
find it in the additional guidance, that we are not increasing
our liability for either good-faith acts or lack of action
based on some cybersecurity indicator.
So I think that kind-of is the most important clarity for
us.
Mr. Ratcliffe. Terrific. Thank you.
Ms. Sage, anything you would like to add?
Ms. Sage. I haven't read it. Sorry, Mr. Chairman.
Mr. Ratcliffe. No, that's fine.
Ms. Sage. Happy to get back to you.
Mr. Ratcliffe. On March 17, I was at the NCCIC to witness
the certification to Congress that the Automated Information
Sharing program, or AIS, was operational.
Mr. Clancy, you are the CEO of Soltra, which I understand
is currently going through the process of connecting with DHS's
AIS system, could you talk a little bit about how that process
is going so far? What are the next big milestones for the AIS
program going forward, as you see it?
Mr. Clancy. Thanks for the question.
So yes, we have been enrolled in the program. We have been
doing I will call it the technical integration side of the
story. As with any new technical capability, there are those
normal, you know, bumps in the road as you get going. We have
been working through them and the Department's been pretty
responsive in addressing them.
As I mentioned in my testimony, there are some challenges
in the on-boarding, the process by which you get credentialed.
To go to Mr. Rosen's comment, I think the challenge is
establishing identity of the participants and the process that
was used, vis-a-vis how it interacts with machine-to-machine
sharing.
We believe that the other challenge was the customizations
that were made and quite necessary for submitters of
information to mark how they wanted their identity to be
handled. So did they want comments attributed to them, to
everyone in the program, to only U.S. Government or to no one
outside of the NCCIC? That just takes time for the platforms
and the implementers to absorb. So I think that's moving
forward, I think it is in the right direction, but it had a
little bit of latency for everyone getting started.
Mr. Ratcliffe. Thank you, Mr. Clancy.
The Chair now recognizes the Ranking Minority Member of the
subcommittee, the gentleman from Louisiana, Mr. Richmond, for
any statement that he may offer or any questions he may have.
Mr. Richmond. Mr. Chairman. I would ask unanimous consent
to submit for the record the DHS and Department of Justice
document released this morning entitled Guidance to Assist Non-
Federal Entities to Share Cyber Threat Indicators and Defensive
Measures with Federal Entities Under the Cybersecurity
Information Sharing Act.
Mr. Ratcliffe. Without objection.*
---------------------------------------------------------------------------
* The document has been retained in committee files.
---------------------------------------------------------------------------
Mr. Richmond. Thank you.
Let me start, I think, Ms. Sage, where you kind-of touched.
The act requires periodic circulation of cybersecurity best
practices, paying special attention to the needs of small
businesses. When this guidance is published, presumably
probably early next year, what would you like to see in it? I
would take from your testimony that you mentioned, like, cost
estimates and others, but anything else you would like
specifically to see in it?
Ms. Sage. Some degree of prioritization. Where should we
start? Where are the areas that have the most impact to a small
business like ours would also be helpful.
Mr. Richmond. Thank you.
Well, to Mr. Clancy, do you see potential conflicts between
the FCC's proposed privacy rules for ISPs and the monitoring
and information sharing authorized under the Cybersecurity Act?
Mr. Clancy. I think that question might be better for Mr.
Mayer, but I can certainly see any ambiguity in what the
definition will add uncertainty and will chill the ability for
people to share information.
Mr. Richmond. Mr. Mayer.
Mr. Mayer. Thank you, sir.
As I indicated in my opening remarks, I think that any time
you introduce a level of uncertainty into this process, the
lawyers are going to be inclined to want to be very prudent and
careful.
What the FCC has done, well, let me correct that, what the
FCC may do, because it is a proposed rulemaking, is they may
have a standard in there that talks about being reasonably
necessary versus the standard that is in the Act, which is that
there has to be knowing that the information was not consistent
with a cybersecurity purpose.
So what that means for us is that we understand what the
bar is for knowing, we can understand what it is for gross
negligence and willful misconduct. But when you are talking
whenever it is reasonable, reasonably necessarily, we don't
know if that means you should have known if you didn't know. We
don't know where the determination is going to be made after
the fact as to what our instructions are, what the rules will
require.
That is going to require probably another layer of legal
scanning and review on the part of our attorneys. That really
is very much inconsistent with what you are trying to
accomplish with respect to real-time information sharing. So I
am confident that we can work with the FCC and explain how that
provision could complicate what was intended through this
legislation.
Mr. Richmond. Thank you.
Well, in the lead-up to the Cybersecurity Act we passed,
industry told us consistently over and over again that
information sharing, the fear for participating was exposing
oneself to legal liability.
In fact, Mr. Eggers, you specifically testified about a
year ago to urge legislation granting businesses a safe harbor
from frivolous lawsuits, public disclosure, regulatory and
antitrust actions.
Ultimately, we passed that law. However, we talked with DHS
this morning, and only about 30 entities are actually
participating on a day-to-day basis. Some say a hundred have
signed up, but only 30 have skin in the game. Would you say
that the private sector is holding up its end of the bargain?
Mr. Eggers. No, sir, I think that we've seen, as I noted in
my opening testimony, we've kind of got two bookends. We've got
companies that can't share enough and get enough cyber threat
data. There are a lot of leading companies in this space that
have been sharing and receiving data without protections for
several years.
In that middle, I think, and the final guidelines just came
out, so I think it is too soon to make a definitive judgment,
but we are very optimistic.
On the other hand, we still have companies, as I noted I
was at a DHS C3 event in Indianapolis, we still got companies
who have, I think, pictures in their head of regulators lying
in wait or consumer privacy groups writing lawsuits. That is
the picture in their head. We don't think that that is
completely accurate.
What we think is going to happen is the new protections,
whether they are liability, regulatory, antitrust or public
disclosure, are going to help those leading companies, right,
and those folks who are part of ISAOs and ISACs now, or soon
will be, do more confidently. Then I think over time and to the
point about small businesses, I hope that what we will see is
that we won't necessarily have to put a large burden on the
smaller and under-resourced organizations.
There will be some kind of technologies, and I think they
already exist, that can be put on networks and systems that can
generate and swap threat indicators at real time. Those
companies and that companies that help those organizations will
enjoy those protections, too.
I also understand that there are about 30 companies that
are directly plugged into the AIS system with about a hundred
companies signed up. I expect that that number will grow as
folks interpret the guidance and the ISAOs are created as we go
forward.
Mr. Richmond. Thank you, Mr. Chairman. I yield back.
Mr. Ratcliffe. Thank the Ranking Member.
The Chair now recognizes the gentleman from Pennsylvania,
Mr. Perry.
Mr. Perry. Thank you, Mr. Chairman.
Ms. Sage, over here. In your opinion if you can, do you see
the Federal Government's responsibility regarding vulnerability
disclosure as a component of information-sharing process? Do
you see the current level of vulnerability disclosures are
strengthening your defensive posture, if that makes sense to
you, if I have stated that correctly?
Ms. Sage. If I understand the question, do I believe that
the level of vulnerability information that we are receiving
from the Federal Government is helping our companies?
Mr. Perry. Essentially, correct.
Ms. Sage. I would say probably, but there are just so many
places to get it and it's overwhelming. We are not sure if we
are getting the right information.
I welcome, you know, Matt Eggers' comment over there. If at
some point this kind of information could be built into tools
that we already use so that we are not having to go to all
these different places to get it, that would be a very welcome
development.
Mr. Perry. OK. So somewhat of a consolidation and indexing
if it so you know what is current and that you have the
complete panoply of everything available at one place, you are
not wondering if you are missing something.
Ms. Sage. Correct.
Mr. Perry. All right.
Ms. Sage. To the comment of the AIS program, I mean, we
were as I mentioned in my testimony, interested in
participating, but in order to participate you have to have
your own TAXII server.
Mr. Perry. Right.
Ms. Sage. So for a small business to invest in that, you
know, it just adds to the cost.
Mr. Perry. Right. Yes, I am not sure as to how you get
there quite honestly.
Ms. Sage. Right.
Mr. Perry. But I appreciate the comment. Yes, I think it
highlights an interesting aspect that maybe was not considered
fully for sure.
Mr. Eggers. Congressman Perry, if I may just offer up a
thought?
Mr. Perry. Sure.
Mr. Eggers. I think what we are going to here is, I think
we are going to have a situation where kind-of the vanguard of
companies in ISACs and ISAOs are going to start moving out a
lot more confidently and swiftly.
We've had really good discussions with policy makers and
DHS, other Government bodies. I think we are really working
together better than ever, at least in this space. But I do
think that it is really tough for a small business who doesn't
have paid professionals necessarily to do these kinds of things
to expect them to have either the capital or the----
Mr. Perry. Technical.
Mr. Eggers [continuing]. The technical talent. So what we
want to end up doing is we are going to innovate our way to
where technology will help those small businesses keep doing
what they are doing, whether they are inventing new drugs or
what have you. That technology will let them generate and
receive threat data, and perhaps even kind-of heal, if you
will, their networks and systems at real-time speeds. We are
not there, but I think we will get there at some point.
Mr. Perry. Yes, I appreciate that. As a former small-
business owner myself, when I listen to this, I don't see how
you get from point A to point B at the current position that we
are. I think it is just exceptionally difficult.
Mr. Rosen. Can I add one comment to the discussion?
Mr. Perry. Sure.
Mr. Rosen. So, we are a large business, $4 billion a year,
11,000 employees. Part of our analysis of AIS is the
operational side.
So our organization is analyzing how it fits into our
threat intelligence analytics engine, whether it is duplicate,
whether it adds value, whether we can handle the feed, whether
it adds . . . So that's us at $4 billion a year, 11,000 people,
so I think that will give you some nature of what----
Mr. Perry. Yes, so it is not just small business. I was
going to ask you a question, Mr. Rosen, regarding the requisite
tech refresh needed to ensure Federal networks. Do you think
that they have the hardware or the software in network defense?
I mean, do you get that sense now or do you think that they are
lacking there?
Mr. Rosen. I think they have made great progress since the
cyber sprint last year, but it wasn't starting from a fantastic
place to begin with.
Mr. Perry. There is a new term right there, cyber sprint, I
like that as well, at least new to me.
Mr. Rosen. But the one thing I can suggest, is that in this
Act and what DHS is doing, you have described the strategy and
you have come up with the plan and you have come up with the
metrics to measure it, but there is no security without
deployment. That is where I think the focus has to wind up
being.
We saw under emergency situations post-OPM breach, and CA
was involved in the DHS cyber sprint where we were aggressively
implementing PIV authentication and privilege access management
throughout all the components, we operate very well when
friction is reduced, and then you wind up having deployment and
you have made genuine progress to securing the Nation. It's
that gap, it's operationalizing the plan that I think has to
wind up being the focus of whatever stumbling blocks there are
in the way. You know, if they are acquisition-related, if they
are technology-related.
I think the one thing you did a very good job of in the Act
is not dictating technology. I think that was a really good
thing. But I think that any focus that can help reduce the
friction to deployment, how do we take that unbelievably
effective sprint, and everybody pays attention to a sprint, the
100-yard dash, and how do we apply that to the marathon, which
is our job, and divide it up in a way so people pay attention,
friction is reduced and we can actually deploy? That's my
recommendation.
Mr. Perry. Thank you, Mr. Chairman. I yield.
Mr. Ratcliffe. Thank the gentleman.
The Chair now recognizes the gentlelady from California,
Ms. Sanchez.
Ms. Sanchez. Thank you, Mr. Chairman.
Well, as usual, we are at a spot where it's just all so
overwhelming. I know so many of us on this committee have been
working on this for such a long time.
I am worried about every aspect of business, large
businesses, medium-sized businesses, technology companies, you
know, we have only to look at the whole issue of Estonia a few
years ago to understand that every business that uses IT can be
hit. Whether it is just a threat of just taking your business
off-line for a week while you are trying to figure it all out,
or whether it's an imminent threat of taking all moneys out of
everything, we are all concerned.
So I want to go back to the small-business issue because I
think there is a lot of help with the larger companies. We deal
with them all the time. We look at the banking industry, we
have robustness et cetera.
Ms. Sage, I was very discouraged, quite frankly, after your
frank and to-the-point testimony that you put forward. For a
small business that is actually plugged in and aware in trying
to work with the Department of Homeland Security programs, but
can't leverage so many of those offerings unless you go through
an established ISAC or a Sector Coordinating Council or any of
the other layers that you mentioned in your testimony.
So a small-business owner who also happens to be the
sitting chair of the IT-ISAC and to not meaningfully get access
to how we are trying to help from the Department, I can't
imagine what other smaller businesses are facing. I mean, they
are throwing their hands up and saying I can't do this.
So is a small business best served by going through an
ISAC? Is there a value proposition being offered from DHS to
help small businesses? Can you from your interaction tell me
what are the benefits of what we put in place under the cyber
act and what are the biggest hurdles from your perspective for
a small business?
Ms. Sage. Thank you, Congresswoman. I didn't intend to make
you depressed, so my apologies for that.
Ms. Sanchez. You know, I used to own a small business. So
the biggest thing people need to understand about small-
business owners is that they get some letter from the
Government or something through the mail and fear strikes you,
right? You didn't put somebody's tax moneys in the right way,
you messed up on some IRA for your employees and there are
penalties and the nasty letters. So, you know, in an effort to
try to help people to actually secure their businesses and
their information, it's really disappointing to have seen your
testimony.
I love that you are frank, but what can we do?
Ms. Sage. Well, you know, in our world it is all about
simplification. Keep it simple.
So while it's great to have all of these choices, you know,
cybersecurity, and I am speaking as a small business, you know,
I have run my company for 17 years, we're about customers and
growing our businesses, but we have so many different
challenges that cybersecurity right now is just the latest one.
Right? So whether, you know, we are worrying about payroll, we
are worrying about employees as you know, and so we have now
this huge thing, cybersecurity, that we are being told is going
to wipe us out.
You know, Chairman Ratcliffe mentioned in his opening
statements, there are two kinds of companies, the ones that
have been hacked, the ones that don't know that they have. So
there are a lot of small businesses that I interact with who
basically say if that is the case, why do I need to spend any
more money? Because if we are already hacked and we just don't
know it, why do I need to spend?
So I just think that, you know, I applaud what, you know,
DHS and NIST, for example, did with the cybersecurity
framework, the C3 program which I participated in some of their
sessions and found the information very valuable. But I think,
you know, and as you mentioned, I am one who is actually trying
to get ahead of this. A lot of it is time. We just don't have
the time to attend all of these different----
Ms. Sanchez. The resources, you don't have the personnel to
put----
Ms. Sage. Exactly. So I just go back to my point at the
top, if there is a way to streamline, simplify, and prioritize
these initiatives, I think that would be helpful.
Ms. Sanchez. Mr. Chairman, I didn't get to my second
question, but maybe the panel can submit to this. Small
businesses don't have the latest up-to-date software and the
latest up-to-date hardware, and so is Department of Homeland
Security working with programs of small businesses who have
more dated equipment and technology? Or are we just moving to
the forefront of what is the latest cutting edge? That would be
my second question.
Mr. Eggers. Congresswoman, if I may?
Let me maybe set a little bit, frame things. I think you
are asking some very practical, good questions. Let me see if I
can maybe frame things a little bit more----
Ms. Sanchez. Optimistic?
Mr. Eggers [continuing]. Optimistically. So I think you are
right. I think on a lot of levels you have got to cut small
businesses some slack. I think that is the underlying kind of
notion behind your concern. I think that is right.
On the other hand, I think small businesses obviously produce
some of the most innovative products and services out there. So
small doesn't necessarily mean not capable, but clearly our
experience is, is that they are obviously the bulk of our
membership.
We've got a campaign that we have been waiting for several
years to get out to State and local chambers. We've hit 9 big
cities in the last several years to promote the framework and
really the solutions for all companies. Right? Then we also do,
I mean, for example, we are going to be in San Antonio at the
end of this month, we do smaller meetings with places like
Beaumont, Texas, Longview, Texas. I will be in Green Bay in
August. What we try to do is get out to our State and local
chambers, just talk about some of the basic things that they
need to do because they need help. Right? Some of the small
businesses are actually ready to go and provide solutions.
I think one of the things that we can think about is trying
to continue the education effort. Resources are an issue. I
will note that there are a couple, if not more, businesses
focused on small businesses in cyber, both here in the House
and in the Senate, that will try to leverage entities like
small business development centers. That looks like that could
be pretty good.
The other thing I would note is in terms of, what do we
tell businesses? I think we want to orient small business and
companies and organizations of all sizes around the
cybersecurity framework. If anything, I kind-of think of it as
a written tool, maybe something companies can use to ask
questions up and down from the CEO to the first hire. It is
something that is really, I think, in a lot of ways, a mindset
and it is also something that we want to focus on promoting
here at home and globally.
Ms. Sanchez. Thank you, Mr. Chairman.
If the rest of the panel will submit that issue of, you
know, what are your ideas for small business? I would really
appreciate it.
Thank you for the indulgence.
Mr. Ratcliffe. I thank the gentlelady.
For the record and for the benefit of some in the audience
and for a point of optimism on this question and issue, last
week this committee did mark up and pass legislation to support
small businesses. H.R. 5064 is the Improving Small Business
Cybersecurity Act, and the bill, if it became law, would
require DHS to work with the Small Business Administration to
jointly develop a strategy to aid small businesses. So
hopefully that will, to address some of the issues that have
been raised here, move forward for consideration by the full
House.
With that, I will recognize the gentleman from Rhode
Island, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
I want to thank our panel for your testimony today and, Mr.
Chairman, especially I want to thank you and the Ranking Member
for holding this hearing.
As you know many of us, Chairman McCaul and I and many
others, have been trying for years to get information-sharing
legislation passed. Thankfully, the leadership of this Congress
and last year, we finally passed that legislation. Now comes
the implementation and holding hearings like this and making
sure that we are implementing it the right ways is vitally
important.
Before I begin my questions, I just wanted to mention, Mr.
Eggers, I want to thank you for mentioning the work that
Chairman McCaul and I have been doing on the Wassenaar
Arrangement. I think we are moving in a good direction on that.
I also want to say, you know, how much I appreciate the
chamber being so proactive on Wassenaar. It has been very
helpful in getting it to a good place.
But to my questions, if I could, following up on Mr.
Richmond's question, I think you all touched on this issue in
your written testimony, but as directly as possible, again why
is the uptake of AIS so low given Mr. Clancy's testimony that
one can be up and running with a Soltra install in as few as 15
minutes? So, you know, I find it hard to understand why more
mature companies wouldn't at least be experimenting with the
threat stream.
Again, I understand the guidance for sharing with DHS is
just being finalized, but why wouldn't they at least be
receiving data from the Government when there is known threat
indicators and applying those to their cyber defenses?
Mr. Eggers. Is that for me, sir?
Mr. Langevin. For the panel.
Mr. Eggers. I will jump in. Thanks for your comments about
Wassenaar.
I would say discussions are progressing on that front. We
have been encouraging our colleagues in Europe to engage
European and Wassenaar officials that handle cyber and export-
control issues. I think we have made progress thanks to you all
here, but we are not out of the woods yet.
A nod to the administration for saying that the cyber
controls in that space need considerable work, if not, our
preference, elimination.
Now, in terms of sign-up, you know, I might say, gosh, the
AIS system was turned on, if you will, formally in March. The
final guidance just came out. We are pretty optimistic that
things will keep moving.
In my mind, what I think we're trying to do is to make sure
that we're moving and grooving with our largest and most
sophisticated organizations that can tap in, if they are not
already tapped in, tomorrow and then make sure that we are
boosting the confidence of companies that are on the sidelines
waiting to see how policymakers handle this issue. I think the
key word is trust.
I think, as I noted in my opening remarks, we've got a,
let's say, a representative company that says, hey, we have
heard about CISA, but it is not exactly clear yet if this
program will work for us or against us. I think they have got
still, I would say, somewhat legitimate fears about liability,
but I think the program is such that that should minimize those
fears.
The other thing is, is we want to make sure that regulators
are kept at bay in terms of the data that they receive. But I
think on balance, we would say jump in, get involved as
appropriate.
Mr. Langevin. Yes, and just on that, I understand that on
the business side of building the trust on sharing the
information with the Government. That I get, even though it is
voluntary, but I am talking about actually receiving from the
information, from the Government, not what private sector would
share with Government, yet. I understand that trust will
come in time and hopefully soon. But at least accepting
information from the Government where there are known threat
indicators, why not at least accept it?
Mr. Eggers. Yes, I think most companies are probably more
than happy to receive, rather than share. Right? Because when
you share, then you are putting yourself out there and your
data out there. But I will finish there and see if others here
on the panel have thoughts.
Mr. Clancy. So a few thoughts for you. I think there is a
technical dimension and operational dimension. On the technical
dimension, platforms like mine need to complete our
certification that we can fully support bidirectional
communication with AIS. Because of those adjustments that were
made, we had to make some code changes and we are going through
that process.
I think one of the barriers and I mentioned it in my
testimony is there is no actual test system to use with DHS. So
in their rush to produce the platform and make it live, they
didn't have, you know, an extra system, if you would, where you
can go test things out, and so you want to be very sure before
you turn things on in production. I think that's one piece.
On the operational side, I think there are just some
mechanical issues that need to get worked through with signing
up. I mentioned earlier the credentialing process. That process
that is being leveraged was really set up to get individuals
encryption certificates so they can send secure email or
authenticate as individual humans to websites. That
provisioning process wasn't designed for machine-to-machine
sharing. A simple example is, all of the issuance processes
assume you are using Windows desktop. Our service platform is
a Linux workstation, it is a completely different technical
environment. So we have to add wizards and helpers to help
people import those credentials to get them to work. So there
are those kind of pieces.
Then there is a tiny bit of thing on the agreement side
where you sign one agreement, you get some paperwork back, you
have to sign a second agreement and put it through. If I can
take that to my general counsel once, it will take weeks out of
the process because I need to get back in their queue to review
agreement No. 2. So it is little things like that I think will
help.
We are early. I mean, the law is 6 months old. The program
is only 3 months old. So I think it is just, you know, if we
have this problem again in 12 months then we are in a very
different place.
Mr. Mayer. I would like to offer some comments on that.
Building on what's been said previously, I think the fact that
we have 30 companies that are operational right now, frankly,
given the scope of engagement that is required at the financial
level, at the operational level, at the technical level, at the
legal review level, is not a bad situation. In fact, Mr. Clancy
talks about not having the test bed environment. The live
environment has, in a sense, become part of the test bed
process right now. So for example, I can speak to a company in
our sector where they did try to work through the AIS
engagement. I think Mr. Clancy can substantiate this, and DHS
has acknowledged this, that there is legacy data in the systems
that has triggered some reaction that was not anticipated. It's
delaying the process of AIS. That is something that can be
overcome. They are talking about 6.2.0. We have guidance that
is still coming out as recently as this morning.
So I think that the prudent thing for a lot of companies
right now is to see these issues get resolved, to understand
what the value proposition is for them, to work with DHS and
other sectors to see what we can do to expedite and facilitate
a more streamlined process. I think that will happen, but
expecting that all to be resolved in 6 months is probably a
little bit, I don't know what the word is, overly optimistic or
whatever. But progress is being made.
Mr. Langevin. Thank you. I know my time is expired, so I
don't know if--OK.
Mr. Eggers. Mr. Ratcliffe----
Mr. Rosen. I thought I would just give a brief response
from our perspective. So I think other than the issues that we
have discussed on clarification of liability and even what do
we mean by PII data and privacy, and especially for a global
company where, you know, we have, you know, general data
protection regulation coming out of the European Union, so we
have to look at it from a lot of aspects. But other than that,
we are looking at it very similar to what just got described
from an operational point of view and a priority point of view.
So we have a broad threat intelligence feed and analytics
engine inside of our company to protect it, to protect our
company. We are in the process of exploring what this looks
like, how do we add that to the feed, does it generate
additional work for our operations, how do we tune it? So that
will be our next step in exploring it once the clarifications
on the privacy and liability issues get put by the wayside.
Again, bringing it to general counsel once is better than
bringing it multiple times.
I do think this idea of having a test bed for folks like us
to try it, get the data feed, do the analytics, see what the
impact is, it is really an operational and priority issue for
us. But we believe, if the data feeds aren't what we are
getting today, meaning if it is not duplicative data, you know,
the more intel feeds for us, the better.
Mr. Langevin. Sure. Very good. Thank you. I will mention,
too, that one of the things that I am not clear on yet, too, is
that the ISACs have not signed up for this yet either, so it is
not just a problem with businesses not yet signing up, it is
also the ISACs, which are designed for information sharing,
have not yet signed up. I find that troubling and hopefully we
will move it to a better place in the very near future. So,
thank you, Mr. Chairman. I yield back.
Mr. Ratcliffe. Thank the gentleman.
The Chair now recognizes my colleague from the great State
of Texas, Ms. Jackson Lee.
Ms. Jackson Lee. I thank the Chairman very much.
Chairman Ratcliffe, let me thank you and Ranking Member
Richmond for being so diligent on these issues.
I am going to stay narrowly focused and say somewhat of the
obvious. I am glad that we passed the Oversight of the
Cybersecurity Act of 2015 and included privacy elements in that
bill as well, and now that we are having an oversight of the
Oversight bill to find ways to improve our service to the
American people.
But I want to be the one that poses or at least puts in the
record that we are dealing with fire here. We are dealing with
something that probably is not evidenced in the calmness of our
conversation. But I hope you will view this committee as being
very serious about this issue.
So I am going to ask to put into the record, Mr. Chairman,
the ``Crime Pays: Ransomware Bosses Make $90K Annually.'' It
speaks to the Russian ransomware boss making $90,000 a year, or
13 times the average income for citizens in the country who
stick to the straight and narrow. Of course, their job is to
maintain, update it so that the antivirus systems won't
recognize the software that they are maintaining as malware. So
I ask unanimous consent to place that into the record.
Mr. Ratcliffe. Without objection.
[The information follows:]
Article Submitted For the Record by Honorable Sheila Jackson Lee
SPOTLIGHT ON SECURITY.--Crime Pays: Ransomware Bosses Make $90K
Annually
By John P. Mello Jr., June 14, 2016, 5 o'clock AM PT
http://www.technewsworld.com/story/83603.html
If crime doesn't pay, Russian ransomware bosses wouldn't know it.
The average Russian ransomware boss makes US$90,000 a year--or 13
times the average income for citizens in the country who stick to the
``straight and narrow,'' according to a recent Flashpoint study.
What does a ransomware honcho do for those rubles? Basically, the
job calls for supporting and maintaining the malware.
``The software has to be constantly updated so that antivirus
systems won't recognize it as malware,'' explained Vitali Kremez, a
cybercrime intelligence analyst with Flashpoint.
``It's not a situation where you provide the malware and sit back
on a couch waiting for your payments. You have to work on it on a daily
basis,'' he told TechNewsWorld. ``The boss controls the source code for
the malware.''
Ransomware as a Service
The malware model is evolving, according to the Flashpoint study,
which focuses on the Russian ransomware scene.
``A new form of ransomware has been developed that is in effect
`Ransomware as a Service' (RaaS),'' notes the report. It ``enables
`affiliates' to obtain a piece of ransomware from a crime boss and
distribute it to victims as these affiliates wish.''
That's a departure from the past, when ransomware was available
only to criminals willing to make a hefty upfront payment for the
malware--$2,000 to rent or $5,000 to buy. That began to change last
November, Kremez noted.
``We started to see developers considering giving their malware
free of charge to criminals and keeping 40 to 50 percent of each
ransomware payment made,'' he said.
The new business model has lowered the barriers to getting into the
business. It is not particularly hard for newcomers to start spreading
ransomware quickly. They can attack corporations and individuals
through botnet installs, email and social media phishing campaigns,
compromised dedicated servers and file-sharing websites.
``It used to be a one-on-one business,'' Kremez said. ``At this
stage, it's all automated. We see marketplaces. We see services on the
dark web where you deposit your money and buy what you have to buy
without any direct communication with the seller.''
Malicious Infrastructure Growing
More evidence of the popularity of ransomware is evident in
Infoblox's latest quarterly report on malicious infrastructure building
globally.
To measure that kind of activity worldwide, Infoblox has created a
threat index. Upon its launch in the first quarter of 2013, the threat
index was 76. During this year's first quarter, the index reached its
highest point ever: 137.
Activity related to ransomware has fueled the index's rise.
``While exploit kits remain a major threat, this latest jump was
driven in large part by a 35X increase in creation of domains for
ransomware over the previous quarter, which in turn drove an increase
of 290 percent in the overall malware category,'' the report states.
The activity of malware kit developers is another indicator of
ransomware's attractiveness to criminals. Kits are used to infect
devices with a variety of malware programs.
``A number of exploit kits and threat actor gangs behind them have
started adding ransomware to their repertoire over the last few
months,'' said Sean Tierney, director of cyber intelligence at
Infoblox.
``These are gangs that were using their kits to deliver other kinds
of malware,'' he told TechNewsWorld, that ``have either started
including or switched entirely to ransomware.''
It's likely that the ransomware market will level off as security
software makers get better at detecting it and consumers get smarter
about avoiding it, suggested Tierney.
``Then the market will become saturated,'' he said, ``and the
return won't be able to support the amount of activity going on.''
Expanding 2FA
Two-factor authentication, which requires both something you have
and something you know in order to access an account, has proven to be
a good way to thwart data thieves. One problem with the technology,
though, is that it isn't easy for many rank-and-file developers to
deploy. One authentication company aims to change that with a recently
launched program.
Centrify actually goes beyond 2FA to include single sign-in--which
allows the use of a single set of credentials to log into multiple
accounts--along with password reset and access control of a device.
Under the program, developers can plug into those features through
Centrify system APIs.
``Developers who are building an application from a great idea
aren't necessarily expert in security,'' said Chris Webber, security
strategist at Centrify.
``We can give that to them,'' he told TechNewsWorld.
``They can take advantage of all the user management and
multifactor authentication that Centrify's built, so they don't have to
learn about that world and can concentrate on their great idea,''
Webber pointed out. ``It's more and more critical that we need to
figure out how to put two-factor auth everywhere, because passwords
alone are just not a great way to do authentication anymore.''
Breach Diary
May 30. Troy Hunt, who maintains the data breach awareness
portal Have I Been Pwned, advises his subscribers that
information on 65 million Tumblr accounts is being offered for
sale on the dark web.
May 30. Twitter account of Katy Perry breached and her 89
million followers sent tweets filled with profanity and slurs,
TechCrunch reports.
May 31. MySpace announces it has reset the passwords of all
accounts created prior to June 11, 2014, due to a data breach.
May 31. A Federal district court in Phoenix, Arizona, rules
that insurance provider Chubb does not have to reimburse P.F.
Chang under a cybersecurity policy for payments to credit card
processors connected to a 2014 data breach.
June 1. U.S. Federal Reserve detected more than 50 breaches
between 2011 and 2015, including several incidents described in
internal documents as espionage, Reuters reports.
June 1. Medical information of thousands of NFL players is
at risk after a backpack containing the data was stolen from an
athletic trainer's car, Deadspin reports.
June 1. FBI alerts public that extortion attempts are being
made against victims whose personal information has been
compromised in recent large data breaches. Extortionists are
threatening to make victims' personal information public if not
paid two to five bitcoins.
June 1. TeamViewer reports it experienced a service outage
due to a DDoS attack, but its systems were not breached by
hackers.
June 2. Medical records of some 40,491 customers of the
Stamford Podiatry Group in Connecticut impacted due to a system
intrusion, HealthIT Security reports.
June 2. 2015 payroll tax data of employees of Verify Health
Systems in California at risk after an employee was duped by a
phishing scam, SC Magazine reports.
Ms. Jackson Lee. Speak the obvious of the hacking of the
Democratic National Committee, which brings it really home. For
those of us young enough to remember Watergate, we are managing
now 21st Century. But again, the individuals allegedly attached
to that were Russian. I don't speak particularly to Russia, but
it does say that this is an international threat that goes to
our private sector.
Some years back I chaired the Transportation Security
Subcommittee, and this component was under that committee. I
remember noting the 80 percent-plus cyber issues would be in
the private sector. So I am glad of your presence here today.
Then I want to ask unanimous consent to put into the record
``Lights Out: A Cyberattack, A Nation Unprepared, Surviving the
Aftermath.'' That is, of course, a bestseller investigation by
Ted Koppel.
Mr. Ratcliffe. Without objection.*
---------------------------------------------------------------------------
* The information has been retained in committee files.
---------------------------------------------------------------------------
Ms. Jackson Lee. So I want to go first to Ms. Sage and
indicate, if I could, very briefly for your answer. Pointedly,
you indicated that the information was dated. And that you, I
guess, on your receiving end needed a secure entity. Help me
understand what we can do to help. Obviously, I want the data
to be current. I don't want it to be where you have just turned
on National news and said, well, I just saw this on the
National news. Then, is the idea of a secure channel yours or
ours? Or how can we help you do that?
Ms. Sage. Sure. Thank you, Congresswoman, for your
question. The Enhanced Cybersecurity Services initiative is the
one that is a Classified program. That was the one where we had
difficulty getting access to a facility where we could even
just review the requirements, not even whether or not we were
going to participate. So there, if there is a way for DHS or
the Government or some Government entity to be able to provide
those kinds of facilities so that companies--and we had a
clearance, it just wasn't at the level, you know, needed to be
able to review these requirements--to make that easier, that
would be very helpful. Because we actually had to start looking
at, did we need to build a SCIF, and those costs are just cost-
prohibitive.
Then, you know, without even getting into the merits of the
program itself, once we were able to review, it just was not
something that a small business would be--and there are two
pieces to that program. You can be a provider or you can
partner with the larger firms. So that's now kind-of what we
are exploring, because, you know, trying to invest, is just not
possible.
On the question of data, and this also speaks, I think, to
the AIS initiative, I think at the end of the day, I agree with
what, you know, my colleagues have talked about in terms of
financial, technical, and operational considerations. But I
think it all, at the end of the day, comes down to the quality
and the value of the data that is received.
So it was our experience with the CRADA, when we
participated in the Unclassified program, that a lot of the
data that we were receiving through the portal was already
widely available. So it was just another stream of data that
was not particularly adding, you know, value above and beyond.
So I can't speak, you know, and I believe the AIS program
is a good initiative, and I would just urge on the DHS side and
the Government side that as that data is being provided, that
it is reviewed for the quality and the currency to the
recipients.
Ms. Jackson Lee. I think, Mr. Chairman, this is something
that we really pointedly can look at together with DHS on the
accuracy or the currency of the data.
Mr. Chairman, I have just one or two points and I will be
finished. I thank you.
One is going to be deviating, because I made a commitment
that I would make mention of this, whatever Homeland Security
meeting I was in, and that is, of course, to acknowledge my
sympathy for those who lost their lives this past Sunday, the
most heinous and largest mass murder, massacre, and slaughter
of American people here in the United States in our history.
I believe that there is a great deal of morality in this
Congress, and so I am hoping and looking for action this week
on a ban on the assault weapons.
No. 2, no-fly, no-buy. If you are on a terrorist watch
list, you should not be able to buy assault weapons. Something
to say to the American people that we get it, that our pain is
as deeply embedded as theirs, that families who mourn
tragically do not mourn in vain. I am hoping that this Homeland
Security Committee can be a bipartisan leader on these issues.
I hope the American people and those who are listening in
this audience in their own way will rise up and be actively
engaged in ensuring that we are responsive to the deeply
embedded pain. I asked the question whether or not we are in
fact good Samaritans and whether or not it is your neighbor,
and if it is your neighbor, what would you do? If it is
yourself, what would you do?
So I am looking forward to us working on that issue.
But let me conclude my remarks on the cybersecurity and
raise this question out of Ted Koppel's article. Maybe some of
you have read his book.
So, Mr. Eggers, I am going to go to you because you
represent a vast number of private sector. So I won't read it
all, but Mr. Koppel suggests that a massive cyber attack, we
would have no running water, no refrigeration or light, food
and medical supplies dwindling, we would be going in the dark,
banks no longer function, looting is widespread, law and order
are being tested as never before.
What is your response to the private sector's preparation
for what might be? Because we have to answer those questions.
Mr. Eggers. Congresswoman, good to see you.
Ms. Jackson Lee. Thank you.
Mr. Eggers. You know, I think in a lot of ways, and hearing
Mr. Koppel speak, I get the sense more he uses kind-of the
electric sector as kind-of a gateway for his concerns. I think
it's less about that, it's more about some kind of dystopian
future, right? But I think what he leaves out, if you talk to
folks in the administration and the private sector, they are
going to say, you know what, the book paints the private sector
and Government as if we are sitting still, when in fact there
is so much going on, not only in the electric sector and other
sectors that frankly even individuals like myself, I can't keep
up.
So leaving aside the regulatory platform that the electric
sector works under, I am pleased to hear situations where,
let's see, I think Secretary Spalding recently said, hey, look
at what has happened in Ukraine with an incident with their
electric sector. We know how to handle that here.
Now, I am the last person that is going to say an incident
won't impact us, but when I think about the Sector Coordinating
Councils, the ISACs and ISAOs, our organization of critical
infrastructure at greatest risk, we know who those folks are. I
would say, if anything, we are pretty busy. One of the things
that I think we need to focus on is making sure that they have
got everything they need for a bad day.
The other thing is we often point the fingers at ourselves,
right? I like this program, CISA and AIS, because we are
working together pretty well. The chamber just approved a norms
and deterrence statement last week, our board of directors,
saying at least a couple of things. We impose a lot of costs on
ourselves, but we can do better in an active, restrained, legal
way to impose costs on bad guys. We are doing that.
But let me give you an example. So the Cyber Forum of
Independent and Executive Branch Regulators, there is something
like a dozen or so agencies in that body. If I look at
organizations like the Secret Service or DHS that are
positioned to push back, that's two. I am not saying we act
recklessly, but I am saying that we need to be mindful about
how we impose costs on bad actors, many of whom or which are
State actors or their proxies or super criminal groups.
So when I think about small business or even larger
companies, I think that they are going to be ultimately
resource-constrained against a nation-state or their
surrogates. I hope that helps.
Ms. Jackson Lee. It does.
I will just end, Mr. Chairman, and say, as I heard some good
news from Mr. Eggers, I want to emphasize that I think we need
a SOS or Red Cross team dealing with cybersecurity in light of
these possibilities. I yield back. Thank you.
Mr. Ratcliffe. Thank the gentlelady.
I wish we could do another round of questions, but prior
commitments of the Chair prevent that. So I will thank the
witnesses for your valuable and important testimony today, and
I thank all the Members for their questions.
Members of this committee, I think, will have some
additional questions for the witnesses. That being the case, we
will ask you to respond to those in writing.
Pursuant to committee rule 7(e), the hearing record will be
held open for a period of 10 days.
Without objection, the subcommittee stands adjourned.
[Whereupon, at 11:41 a.m., the subcommittee was adjourned.]
APPENDIX
----------
Questions From Chairman John L. Ratcliffe for Matthew J. Eggers
Question 1. Does the U.S. Chamber of Commerce believe that the
Cybersecurity Act of 2015, specifically Automated Indicator Sharing, is
applicable to all businesses, including small businesses, and private
organizations?
Answer. The chamber believes that the Cybersecurity Act of 2015--
particularly title I, the Cybersecurity Information Sharing Act of 2015
(CISA)--and Automated Indicator Sharing (AIS) are applicable to
businesses and private organizations of all sizes and sectors.
Question 2. What avenues do Government and industry have to
increase businesses' awareness of the Cybersecurity Act of 2015,
specifically Automated Indicator Sharing?
Do you expect that all businesses, especially small ones, will use
the Cybersecurity Act of 2015, specifically the Automated Indicator
Sharing program, directly?
Answer. There are many ways to publicly promote CISA. The chamber
led the Protecting America's Cyber Networks Coalition, a partnership of
more than 50 leading business associations representing nearly every
sector of the U.S. economy to pass CISA. Each association has on
average thousands of members.
The chamber is championing CISA as part of our cybersecurity
campaign, which was launched in 2014. This National initiative
recommends that businesses of all sizes and sectors adopt fundamental
internet security practices, including the joint industry-National
Institute of Standards and Technology (NIST) Framework for Improving
Critical Infrastructure Cybersecurity (the framework) and the new
information-sharing law.
The chamber spearheaded 11 major regional roundtables and 2 summits
in Washington, DC. More events are planned for 2017. The chamber's
Fifth Annual Cybersecurity Summit was held on September 27. Each
regional event had approximately 200 attendees and typically features
cybersecurity principals from the White House, Department of Homeland
Security (DHS), NIST, and local FBI and Secret Service officials.
The chamber also partners with State and local chambers and
universities to produce cyber educational events in locations such as
Appleton, Wisconsin; Augusta, Georgia; Oak Brook, Illinois;
Indianapolis, Indiana; Irving, Texas; and Longview, Texas. We endorse
CISA and AIS at each gathering. In addition, chamber professionals
regularly speak on and/or moderate industry panels tied to
cybersecurity, where we can actively pitch CISA/AIS to multiple
businesses.
DHS Deputy Secretary Ali Mayorkas addressed the chamber's Small
Business Summit on June 14, and he advocated that businesses take
basic, prudent steps to protect their devices and sensitive data,
including leveraging cybersecurity information-sharing services.
Big picture: The chamber is urging businesses to use the framework,
join an information-sharing body, and take advantage of the CISA/AIS
system as appropriate. We are pressing senior leaders of industry
groups to popularize these initiatives among their peers and
constituencies, including through jointly written chamber-DHS op-ed
articles.\1\
---------------------------------------------------------------------------
\1\ http://thehill.com/blogs/congress-blog/technology/304163-
cybersecurity-building-resiliency-together, www.csoonline.com/article/
3124626/security/advancing-cybersecurity-through-automated-indicator-
sharing.html.
---------------------------------------------------------------------------
The chamber commends DHS and the Department of Justice (DOJ) for
jointly holding their Cybersecurity Conference for Lawyers on September
28, which included a discussion on traditional challenges to sharing
threat data and CISA's attempt to address these challenges and a
demonstration of the AIS program.
Question 3. The issue of how many entities are signed up for the
Automated Indicator Sharing program was discussed at the hearing.
Should Information Sharing and Analysis Organizations (ISAO)--and
Information Sharing and Analysis Centers (ISAC)--participating entities
be included in the accounting of the number of participating entities
under the program if they are sharing cyber threat data through an ISAO
or ISAC that is plugged into DHS's NCCIC?
Answer. First, it is important to stress the chamber believes that
the success of CISA and AIS should not be linked to the number of
organizations that sign up for AIS. Some subcommittee Members suggested
at the hearing that the number of AIS signers and the achievements of
CISA/AIS are bound together. Most industry organizations are unlikely
to share cyber threat indicators (CTIs) directly with Government
partners. Instead, the chamber believes that the vast majority of
businesses will share and receive cyber threat data with industry peers
and ISACs and ISAOs. It is our understanding that most businesses will
use information-sharing bodies as conduits between themselves and DHS,
among other Federal entities. These businesses will not be signed up
with AIS, but significant amounts of information sharing will
nonetheless take place.
Second, ISAOs and ISACs and their respective members should be part
of the calculation of private organizations that are possibly using
CISA/AIS. The chamber defers to DHS's data concerning AIS involvement.
Yet at the time of this writing, we understand that approximately 150
private organizations have signed DHS's Terms of Use that govern the
use of CTIs and DMs and participation in the AIS initiative.\2\ Fifty-
eight of these organizations are attached to the AIS server and consume
Government-furnished CTIs. In addition, 12 of these organizations are
either ISACs or ISAOs. For instance, the Financial Services-ISAC (FS-
ISAC) has upward of 7,000 member financial institutions and partner
organizations. Presumably, many of these entities are engaged in
protected information sharing under CISA but may not be part of AIS
accounting.\3\
---------------------------------------------------------------------------
\2\ www.us-cert.gov/sites/default/files/ais_files/
AIS_Terms_of_Use.pdf.
\3\ http://media.wix.com/ugd/
416668_2c6d85d4964743f8b4d3470b860f6e3b.pdf.
---------------------------------------------------------------------------
Similarly, the Health Information Trust Alliance (HITRUST) Cyber
Threat XChange, the health industry's ISAO, is now connected to AIS and
supports the bidirectional sharing of cyber threat data with DHS. The
real-time sharing of CTIs between HITRUST's more than 1,000 members and
DHS helps private-sector organizations reduce their cyber risks.\4\
---------------------------------------------------------------------------
\4\ https://hitrustalliance.net/hitrust-advances-State-cyber-
threat-information-sharing-nations-healthcare-sector.
---------------------------------------------------------------------------
The chamber understands that several entities are testing the
sharing process before they initiate automated, bidirectional sharing
on a routine basis.
Questions From Ranking Member Cedric L. Richmond for Matthew J. Eggers
Question 1a. In accordance with 103 and 105(a)(4) of the
Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the
Director of National Intelligence, the Secretary of Homeland Security,
the Secretary of Defense, and the Attorney General issued updated,
final guidance on the sharing of cyber threat indicators and defensive
measures among multiple Federal and non-Federal entities.
What was your impression of the guidance? Are there aspects that
you find insufficient or impractical?
Answer. The chamber was impressed at the widespread support CISA/
AIS stakeholders showed for the final CISA procedures and guidance
documents that were released on June 15. The chamber especially
commends DOJ's Leonard Bailey, senior counsel, and DHS's Gabe Taran,
acting assistant general counsel for infrastructure programs, for their
positive roles in negotiating with multiple parties and writing the
documents under a tight deadline.
The chamber believes that the procedures and guidance are
sufficient and practical.
Question 1b. In addition to resolving the question of liability
protections for private-to-private sharing, are there other aspects of
the DHS guidance that you believe would benefit from additional
clarity?
Answer. The issue related to clarifying liability protections for
private-to-private sharing seems to have been dealt with adequately.
The procedures and guidance do not need additional clarification at
this time. In the main, the chamber is urging industry to take
advantage of CISA/AIS as appropriate.
Question 1c. Are there aspects of the law that should be clarified?
Answer. No. The CISA/AIS program is off to a good start. While
oversight by Congress is crucial, it is too soon to make changes to the
legislation. CISA does not need to be reauthorized until September
2025.
The chamber urges lawmakers and the next administration to be
industry's ally as it uses CISA/AIS, which is currently more important
to businesses than clarifications. Companies need to trust that policy
makers have their backs. It is important that businesses see that the
protections granted by CISA--including matters tied to limited
liability, regulation, antitrust, and public disclosure--become real.
For some businesses, the protections are still an open question.
The chamber agrees with a witness who spoke on June 21 before the
Commission on Enhancing National Cybersecurity at the University of
California-Berkeley. He noted that the Government could make it easier
for companies to create a ``regulatory safe space,'' where they can
more effectively share information about threats and attacks.\5\
---------------------------------------------------------------------------
\5\ https://cltc.berkeley.edu/2016/06/27/cltc-hosted-white-house-
commission-considers-challenges-opportunities-for-the-next-president.
---------------------------------------------------------------------------
The chamber hears such sentiments frequently and believes that
Government entities like DHS want to use company data prudently.
However, many more agencies and departments will have to adopt
attitudes and actions that do not discourage businesses from reporting
threat and vulnerability data.
Question 2. As a general rule, small- and medium-size businesses do
not have the resources to devote to the most advanced, state-of-the-art
information technology systems. As such, smaller enterprises may use
older systems that have known cybersecurity vulnerabilities. Can these
companies rely on older systems to share or receive threat information
or do their platforms require a more advanced system?
Answer. The chamber's experience suggests that sophisticated
cybersecurity programs can be very expensive to develop, deploy, and
maintain for companies of all sizes, particularly small and mid-size
businesses (SMBs).
DHS does not charge a fee for companies to participate in AIS.
However, any AIS participant will need to adhere to defined technical
connectivity activities, which DHS helps organizations manage.\6\
Larger firms may have more resources to submit indicators directly
through AIS. Most SMBs may not need to.
---------------------------------------------------------------------------
\6\ www.us-cert.gov/sites/default/files/ais_files/
AIS_fact_sheet.pdf, www.us-cert.gov/sites/default/files/ais_files/
AIS_FAQ.pdf.
---------------------------------------------------------------------------
Indeed, the chamber anticipates that many SMBs will benefit from an
innovative, automated-sharing ecosystem. A key long-term goal of
information-sharing policy is to foster economies of scale in real-
time, machine-to-machine sharing. The chamber anticipates that the
marketplace will eventually provide inexpensive and easy-to-deploy
technologies that conform to CISA's rules (e.g., scrubbing privacy
information from CTIs) and generate and swap threat signatures at
internet speeds. Systems like AIS will be able to block attacks sooner
and more regularly, compared with the relatively human-intensive
sharing schemes in use today.
The chamber understands that cyber threat intelligence companies
have the means to enable companies to opt-in to AIS and gain from the
process of receiving pertinent security event information such as IP
addresses, domain names, hashes, and actor tactics, techniques, and
procedures.
From a resource standpoint, it is probably too much to ask most
SMBs to engage in the cybersecurity threat-sharing ecosystem directly.
Many SMBs will likely struggle to create and maintain sound
cybersecurity programs.\7\ Technology may be challenging to use, and
professional cyber talent is both scarce and pricey. Public policy does
not do a sufficient job of recognizing the potentially extraordinary
costs that industry faces in creating robust information-security
programs.
---------------------------------------------------------------------------
\7\ https://inthenation.nationwide.com/news/small-business-cyber-
security-survey.
---------------------------------------------------------------------------
Secretary of Commerce Penny Pritzker spoke at the chamber on
September 27 concerning cybersecurity policy. She said that cyber space
is the ``only domain where we ask private companies to defend
themselves'' against foreign powers and other significant threats. She
wondered aloud, ``Does that sound as crazy to you as it does to
me?''\8\ Government does not stand between private entities and
malicious hackers, she suggested.
---------------------------------------------------------------------------
\8\ www.commerce.gov/news/secretary-speeches/2016/09/us-secretary-
commerce-penny-pritzker-delivers-keynote-address-us.
---------------------------------------------------------------------------
It is instructive, according to a Council of Insurance Agents and
Brokers market survey, that 26.1 percent of SMBs purchase ``cyber''
insurance for risk mitigation assistance (4.5 percent) and post-breach
resources (21.6 percent). In contrast, 20.4 percent of large entities
purchase ``cyber'' insurance for risk mitigation assistance (10.2
percent) and post-breach resources (10.2 percent).\9\ In the chamber's
view, companies typically have healthy and maturing cyber risk
management programs in place before engaging in active information-
sharing initiatives.
---------------------------------------------------------------------------
\9\ www.ciab.com/news.aspx?id=6176.
---------------------------------------------------------------------------
Question 3. In developing the aforementioned guidance, 103(a)(5)
specified that the procedures established must facilitate periodic
circulation of cybersecurity ``best practices'' designed with special
attention to the accessibility and implementation challenges faced by
small businesses. Do the policies and procedures described in the
guidance actually facilitate the development and circulation of best
practices that are mindful of small business needs?
Answer. In keeping with section 103(a)(5) of CISA, the Federal
Government-sharing guidance calls for the periodic sharing of
cybersecurity best practices ``with attention to accessibility and
implementation challenges faced by small business concerns.'' The
guidance outlines several programs, activities, and Federal agencies
and departments that support the recurrent sharing of sound
cybersecurity techniques, which are expected to be rooted in the on-
going analyses of cyber threat data.
Here are some examples of cybersecurity best practices featured in
the Federal Government-sharing guidance and that the chamber includes
in our National cyber education campaign:
NIST Computer Security Division.--NIST special publications
and interagency reports, covering a broad range of topics,
provide management, operations, and technical security
guidelines for Federal agency information systems. Beyond these
documents, which are peer reviewed throughout industry,
Government, and academia, NIST conducts workshops, awareness
briefings, and outreach to help ensure greater understanding of
standards and guidelines resources.\10\
---------------------------------------------------------------------------
\10\ www.nist.gov/itl/computer-security-division.
---------------------------------------------------------------------------
DHS Critical Infrastructure Cyber Community (C³) Voluntary
Program.--The C³ (pronounced ``c cubed'') Voluntary Program
helps enhance critical infrastructure cybersecurity and
encourage the adoption of the framework. The C³ Voluntary
Program aids sectors and private organizations that want to use
the framework by connecting them with cyber risk management
tools offered by DHS, other Federal entities, and the private
sector.\11\
---------------------------------------------------------------------------
\11\ www.dhs.gov/ccubedvp.
---------------------------------------------------------------------------
DHS National Cybersecurity and Communications Integration
Center (NCCIC).--The NCCIC disseminates publications that
recommend practices and standards for technical and
nontechnical users. Information is available for Government
users, as well as owners, operators, and vendors of industrial
control systems.\12\ In addition, the NCCIC includes
information specifically focused on securing small business and
home networks.\13\
---------------------------------------------------------------------------
\12\ https://ics-cert.us-cert.gov.
\13\ www.us-cert.gov/home-and-business.
---------------------------------------------------------------------------
Through the US-CERT, a component of NCCIC, DHS offers the Cyber
Resilience Review (CRR), a no-cost, voluntary, nontechnical
assessment to help an organization evaluate its resilience and
cybersecurity practices. The CRR may be conducted as a self-
assessment or as an on-site assessment facilitated by DHS
cybersecurity professionals.
Small Business Administration (SBA) Cybersecurity Website.--
The SBA provides information about cybersecurity best practices
through its website, which features top tips, among other
resources, that SMBs can use.\14\
---------------------------------------------------------------------------
\14\ www.sba.gov/cybersecurity.
---------------------------------------------------------------------------
Question 4. There is a natural tension between sharing threat
indicators quickly to facilitate rapid response, and sharing only the
most valuable information once it has been processed and analyzed. I
understand that DHS uses the former, emphasizing volume and timeliness.
Do you prefer this ``time is of the essence'' approach? In other words,
how useful and actionable is the information you [a business or private
organization] receive from DHS?
Answer. The chamber supports the ``time is of the essence'' mind-
set. During the legislative debate concerning CISA, we opposed
amendments that would attempt to address the ``second scrub'' issue by
requiring DHS to perform another scrub of cyber threat data for
personal information before disseminating indicators to appropriate
Federal entities. So the speed of sharing is key.
Granting authority to DHS to conduct a second scrub is not
inherently bad if viewed only through the vague lens of ``privacy.''
But privacy is just one of several considerations in CISA. For example,
when one understands that CTIs rarely if ever contain personal
information, the second scrub would bog down the sharing of CTIs from
businesses to the Federal entities that need them in a timely
manner.\15\
---------------------------------------------------------------------------
\15\ www.uschamber.com/sites/default/files/
cisa_ctis_separating_fact_from_fiction_ - aug_19_final.pdf.
---------------------------------------------------------------------------
A DHS privacy official said at the Cybersecurity Conference for
Lawyers in September that if a CTI field ``fails or is not completed
fully'' by a submitter, the whole indicator is not held back, which is
constructive from a timeliness standpoint.\16\
---------------------------------------------------------------------------
\16\ www.us-cert.gov/sites/default/files/ais_files/
AIS_Submission_Guidance_Appendix_- A.pdf.
---------------------------------------------------------------------------
Question 5. The Cybersecurity Act of 2015 contains numerous
provisions designed to safeguard privacy and civil liberties by
requiring, for instance, the scrubbing of personal information. Are
private-sector organizations using their own systems to fulfill these
obligations or relying on DHS mechanisms?
Answer. Section 104(d)(2) of CISA requires businesses to remove any
information from a CTI or DM that it knows at the time of sharing to be
personal information of a specific individual or information that
identifies a specific individual who is not directly related to a
cybersecurity threat before sharing that data with a Federal
entity.\17\
---------------------------------------------------------------------------
\17\ www.us-cert.gov/sites/default/files/ais_files/Non-
Federal_Entity_Sharing_Guidance_- %28Sec%20105%28a%29%29.pdf.
---------------------------------------------------------------------------
Private organizations use their own technical capabilities to scrub
indicators of personal information. It is worth noting that a DHS
privacy official said at the Cybersecurity Conference for Lawyers that
there is no ``hard and fast list of privacy information that must be
removed'' from CTIs. CISA/AIS stakeholders need to consult the non-
Federal entity guidance for scrubbing protocols. Scrubbing is
``ultimately up to the company that is sharing the indicators,'' she
added. The chamber instructs businesses to remove personal information
from cyber threat data and not to rely on DHS mechanisms, which, among
other things, may impede timely sharing efforts.
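As an added illustration of the section 104(d)(2) obligation described in the answer above (example code written for this page, not DHS's AIS mechanism and not any company's scrubbing tool): a sharer removes from a cyber threat indicator any field it knows to be personal information of a specific individual unless that information is directly related to the threat, and it tolerates missing fields rather than holding back the whole indicator. The CTI layout, the field names, the phishing sample, and the set of fields treated as personal are all constructed assumptions for the example; the page gives no schema, and the DHS official quoted says there is no fixed list of personal information, so the personal-field set stands in for a sharer's own policy.

```python
"""Illustrative pre-sharing privacy scrub of a cyber threat indicator (CTI).

Constructed example for this page. The CTI structure and field names are
assumptions, not a DHS or STIX schema. Policy modelled: drop fields the
sharer knows to be personal information of a specific individual, keep
values that are themselves the indicator (e.g. the phishing sender
address), and never reject the indicator because a field is missing.
"""
import copy
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed sharer policy: these context fields are known to identify a
# specific individual who is not themselves the threat.
PERSONAL_CONTEXT_FIELDS = frozenset({"recipient_email", "reporting_analyst"})

# Constructed sample CTI, as a sharer might assemble it from a phishing case.
SAMPLE_CTI = {
    "type": "indicator",
    "observed": "2016-06-15T09:30:00Z",
    "indicator": {
        "sender_email": "invoice@mail.example-attacker.test",  # the lure itself
        "payload_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "c2_domain": "updates.example-attacker.test",
        "c2_ip": "203.0.113.45",
    },
    "context": {
        "recipient_email": "jane.doe@victim-corp.test",  # targeted employee
        "reporting_analyst": "John Smith",
        "internal_host": "ws-0412.victim-corp.test",
        "description": "Phishing email sent to jane.doe@victim-corp.test "
                       "with a macro-laden invoice attached",
    },
}


def scrub_cti(cti, personal_fields=PERSONAL_CONTEXT_FIELDS):
    """Return (scrubbed_copy, removed) where removed lists what was stripped.

    The list of removals is returned so the sharer can keep its own audit
    record of the scrub without sending that record along with the CTI.
    """
    scrubbed = copy.deepcopy(cti)
    removed = []

    # Values that are the threat indicator are directly related to the threat
    # and stay, even when they look like an individual's e-mail address.
    indicator_values = {str(v) for v in (scrubbed.get("indicator") or {}).values()}

    # A missing or empty context block is not an error: the indicator still ships.
    context = scrubbed.get("context") or {}

    # 1. Drop fields the sharer knows to be personal information.
    for field in list(context):
        if field in personal_fields:
            del context[field]
            removed.append(f"context.{field}")

    # 2. Redact e-mail addresses in free text unless they are indicator values.
    def _redact(match):
        addr = match.group(0)
        if addr in indicator_values:
            return addr
        removed.append(f"context.description:{addr}")
        return "[redacted]"

    if isinstance(context.get("description"), str):
        context["description"] = EMAIL_RE.sub(_redact, context["description"])

    return scrubbed, removed


if __name__ == "__main__":
    out, dropped = scrub_cti(SAMPLE_CTI)
    print("removed:", dropped)
    print("context after scrub:", out["context"])
```

The indicator block is left untouched on purpose: the sender address, hash, domain and IP are the threat data the recipient needs, and stripping them would defeat the purpose of sharing. What the scrub touches is only the surrounding context, which is where personal information about victims and reporters tends to leak in.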
Questions From Ranking Member Cedric L. Richmond for Robert Mayer
Question 1a. In accordance with 103 and 105(a)(4) of the
Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the
Director of National Intelligence, the Secretary of Homeland Security,
the Secretary of Defense, and the Attorney General issued updated final
guidance on the sharing of cyber threat indicators and defensive
measures between and among Federal and non-Federal entities.
What was your impression of the guidance and are there aspects that
you find insufficient or impractical?
Question 1b. In addition to resolving the question of liability
protections for private-to-private sharing, are there other aspects of
the DHS guidance that you believe would benefit from additional
clarity?
Question 1c. Are there aspects of the law that should be clarified?
Answer. As indicated in our testimony, we applaud DHS for its
efforts to meet CISA's aggressive deadlines and for producing both
interim and final guidance that provides additional evidence of the
liability protections afforded under the Act. We now continue to focus
our attention on evaluating the requirements and benefits associated
with implementing CISA, and we expect that more companies will enter
into arrangements for sharing cyber threat indicators and defensive
measures through the new DHS portal.
Our member companies believe that no additional statutory
clarification is required at this time and that it would be premature
to open up CISA for amendment so soon after final passage. The process
to reach consensus on the language in CISA, including the liability and
privacy protection provisions, was a lengthy one. The law establishes
an information-sharing structure, provides for liability and privacy
protections, and more granular details about how sharing is conducted
are better placed in implementation guidance, policies, and procedures.
We also recognize that over time issues may arise that would
benefit from more clarification in the Federal guidance. Should that
occur, we are confident that DHS will continue to work with the private
sector through the current highly-collaborative process with
appropriate dialogue on any potential future modifications to the
guidance.
Question 2. As a general rule, small- and medium-sized businesses
do not have the resources to devote to the most advanced, state-of-the-
art information technology systems. As such, they are more likely to
use older systems even if they exhibit known cybersecurity
vulnerabilities. In developing its information-sharing program, has DHS
provided a means for entities that rely on these older systems to share
and receive threat information, or does their platform require more
advanced system?
Answer. It is clearly the case that small communications carriers
do not possess the same level of technical and financial resources that
can be devoted exclusively to cybersecurity operations and technologies
as do the large service providers. Still, they rely on the same vendors
for hardware and software as their larger peers given that small
service providers do not have the scope and scale to incent vendors to
manufacture products specifically for their needs. DHS through the
National Coordinating Center (NCC) and US-CERT works with the vendor
community to publicize software updates and vulnerabilities--and this
information is used by large and small operators alike.
Implementing Automated Information Sharing (AIS) capabilities for
small business in the short term is impeded by the fact that most small
businesses lack the ability to devote limited technical and capital
resources to fully participate in the program at this juncture.
However, over time, smaller entities will be likely to pool their
resources and work through the existing Information Sharing and
Analysis Centers (ISAC) and the Information Sharing and Analysis
Organizations (ISAOs) that are currently under development. DHS seems
to be approaching the implementation of AIS in a correct fashion by
enrolling entities that have the deep technical know-how and capacity
to engage operationally and to provide input for enhancing current
capabilities that ensure that timely and actionable information is made
available to program participants. We can also report that the
communications sector, through a pilot effort under the auspices of
CTIA, is working with a diverse set of industry participants (including
small providers) to test the capabilities of AIS and the associated
protocols and make modifications necessary to support
telecommunications-specific requirements to support automated
information sharing.
Question 3. In developing the aforementioned guidance, 103(a)(5)
specified that the procedures established must facilitate periodic
circulation of cybersecurity ``best practices'' designed with special
attention to the accessibility and implementation challenges faced by
small businesses. Do the policies and procedures described in the
guidance actually facilitate the development and circulation of best
practices that are mindful of small business needs?
Answer. It is commonly understood that the small- and medium-sized
businesses face substantial burdens when contemplating whether to share
cyber threat indicators and defensive measures. The human resources and
financial costs of participation can be daunting. However, we also
recognize how important the small- and medium-sized businesses are in
making the information-sharing environment effective. As DHS and
industry gain a better understanding of the AIS process and its
associated costs and benefits, small and medium businesses will be
better-positioned to leverage experiences and lessons learned that are
likely to be communicated and provided through their ISACs and any ISAO
in which they participate.
It is also worth noting that for smaller companies, the current
guidance does allow for sharing via means outside of the portal
including via an email or phone call. This is especially important for
this class of providers who may not be using technologies such as STIX
and TAXII at this point in time. There needs to be continued flexibility
inherent in the overall information-sharing process to accommodate the
needs and capabilities of small- and medium-sized providers.
DHS might also want to consider convening a workshop with
representatives of small entities to discuss current capabilities of
AIS, the requirements to implement for smaller companies, the costs
associated with implementation, the constraints that small companies
face, and possible technical, operational, and administrative processes
that may be streamlined to make participation for small entities more
feasible.
Question 4. There is a natural tension between sharing threat
indicators quickly to facilitate rapid response, and sharing only the
most valuable information once it has been processed and analyzed. I
understand that DHS uses the former, emphasizing volume and timeliness.
Do you prefer this ``time is of the essence'' approach? In other words,
how useful and actionable is the information you receive from DHS?
Answer. This may not be an either-or proposition though it is an
important question. We often talk about information needing to be both
``timely'' and ``actionable,'' which means that information can quickly
become perishable; while it may be quality information, it may no
longer be actionable. So it must be recognized that what is most
important is that the information is accurate and provides the
necessary context to facilitate specific action. We cannot lose these
qualities for the sake of expediency.
The balance between what is timely and what is useful will continue
to evolve based on the nature of the threat, and the nature of the type
of information being shared. One of the primary purposes of sharing is
to involve more parties to evaluate cyber threat indicators and
defensive measures. As part of the collaborative nature of the
information-sharing regime, we must all be mindful of the need for
parties to strike the right balance between ``timely'' and
``effective'' information-sharing practices.
Having said that, we do value the DHS view that ``time is of the
essence'' and over time, we have seen substantial improvements in the
timeliness and utility of information shared with us by the Government.
Information received from the Government is one of many resources that
many of our member companies use as part of their own cybersecurity
efforts. Generally speaking, we have no significant issues with the way
that DHS is implementing the information sharing provisions of the Act.
If issues arise, we expect that DHS and the private sector will address
them in a collaborative way.
Question 5. The Cybersecurity Act of 2015 contains numerous
provisions designed to safeguard privacy and civil liberties by
requiring, for instance, the scrubbing of personal information. Are
private-sector organizations using their own systems to fulfill these
obligations or relying on DHS mechanisms?
Answer. The structure contemplated by CISA contains multiple layers
of privacy protections for information sharing with the Federal
Government and confers responsibilities on both the private sector and
the Federal Government. The first layer places responsibility on a
private sector entity sharing information to ensure it reviews the
information for known personal information of a specific person, and if
such information is present, that it is connected to a cybersecurity
threat. Conversely, if it is not, the information must be removed.
The next layer of responsibility in the private-to-Federal venue is
on the Federal Government at the point of receipt, and prior to sharing
with other Federal entities. Our members take the responsibility placed
upon them very seriously and understand that it is not sufficient or
legally prudent to merely rely on the Federal Government to conduct its
privacy review upon receipt of the information.
Moreover, some of our member companies have established, mature
information-sharing mechanisms that long pre-date CISA and that also
include strong privacy protective systems and practices. Those members
will likely continue to rely on established methods to meet the
baseline requirements concerning privacy protections under CISA, and to
also go beyond those baseline requirements. Indeed, some members go
one step further than what is required under CISA. Namely, once it
has been established that it is legal under CISA to share cyber threat
information that contains personal information, they will consider
whether they should share it, or whether the cyber threat indicator
could be shared in a meaningful way without personal information.
Our member companies will also rely on their privacy protective
policies and practices in the private-to-private information sharing
context, which does not contemplate DHS involvement or review.
Finally, the Automated Information Sharing (AIS) system DHS
established to effectuate its role as the primary automated intake
portal under CISA by design substantially minimizes the likelihood that
personal information could, as a technical matter, be conveyed if it is
not directly related to a cybersecurity threat. The technology, by
design, adds another layer of privacy protection for companies sharing
through the portal with DHS.
I hope that you find this information to be fully responsive to
your questions.
Questions From Ranking Member Cedric L. Richmond for Mark G. Clancy
Question 1a. In accordance with 103 and 105(a)(4) of the
Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the
Director of National Intelligence, the Secretary of Homeland Security,
the Secretary of Defense, and the Attorney General issued updated final
guidance on the sharing of cyber threat indicators and defensive
measures between and among Federal and non-Federal entities.
What was your impression of the guidance and are there aspects that
you find insufficient or impractical?
Question 1b. In addition to resolving the question of liability
protections for private-to-private sharing, are there other aspects of
the DHS guidance that you believe would benefit from additional
clarity?
Question 1c. Are there aspects of the law that should be clarified?
Answer. As you mentioned, the updated guidance issued on June 15,
2016 on sharing for non-Federal entities \1\ makes the important
clarification needed about how protections still apply when sharing
occurs between private-sector entities in Annex 1 ``Sharing of Cyber
Threat Indicator and Defensive Measure Sharing between Non-Governmental
Entities under CISA''. The guidance was extremely helpful to provide
clarification for concerns previously raised with the interim guidance.
---------------------------------------------------------------------------
\1\ Guidance to Assist Non-Federal Entities to Share Cyber Threat
Indicators and Defensive Measures with Federal Entities under the
Cybersecurity Information Sharing Act of 2015, June 2016.
---------------------------------------------------------------------------
As we have mentioned, we believe the U.S. Department of Homeland
Security (DHS) has been very helpful in providing updates and
clarifications. As we consider these questions, there are two areas
that would also be helpful for DHS to provide some assistance. There
are other programs within DHS that have been very helpful over time,
the Cybersecurity Information Sharing and Collaboration Program (CISCP)
and the Protected Critical Infrastructure Information Program (PCII).
While CISCP, PCII, and the Cybersecurity Information Sharing Act
(CISA) have different statutory authorities, and over time were created
for different reasons, as we consider broader cybersecurity information
sharing there are overlaps and some growing questions about how the
private sector should share information and which programs should be
used.
First, it would be helpful for DHS to address how the CISCP program
fits within the scope of the Automated Indicator Sharing (AIS) system
and with CISA. The CISCP data is available as a separate `feed' on the
AIS system; however, access to this feed requires a Cooperative Research
and Development Agreement (CRADA) to be in place. Since CISCP is part
of AIS, that would mean that sharing under CISCP would have the same
protections under CISA as AIS and it would be important for DHS to
confirm that point. If that is not accurate, then it would be helpful
for DHS to provide that clarification in order to ensure that is the
case.
Second, as we consider other aspects of the law and cybersecurity
information sharing with DHS, it would be helpful for DHS to provide
clarification on how the PCII program currently does, and in the future
will, work with CISA. While PCII was created many years ago for
physical events, it has morphed over time to include physical and
cybersecurity events and is a useful program. Many companies, whether
large or small, will need to understand and ultimately choose what
program to share information through and clarification now would be
important.
Question 2. As a general rule, small- and medium-sized businesses
do not have the resources to devote to the most advanced, state-of-the-
art information technology systems. As such, they are more likely to
use older systems even if they exhibit known cybersecurity
vulnerabilities. In developing its information-sharing program, has DHS
provided a means for entities that rely on these older systems to share
and receive threat information, or does their platform require a more
advanced system?
Answer. We work closely with a number of small- and medium-sized
businesses and are providing answers to your questions based on our
experience working with them. As you may expect, for those companies
who are small- and medium-sized businesses, they may have different
perspectives than we do. However, we have a few thoughts and
suggestions on this question.
DHS has provided two additional methods for firms unable to use the
automation to share information with the Department whether firms are
small-, medium-sized, or larger ones not able to use automation. That
includes a web submission form and an email box to send submissions.
Both methods are accessible for small or medium businesses whether they
are using older information technology systems or simply choose not to
use automation. DHS could consider ways to share with organizations how
that manual information will be shared back. It may also be helpful for
DHS to provide guidance or best practices on how to craft a good
submission. In fact, this may be useful for those sharing via an
automated or manual submission.
Question 3. In developing the aforementioned guidance, Sec. 103(a)(5)
specified that the procedures established must facilitate periodic
circulation of cybersecurity ``best practices'' designed with special
attention to the accessibility and implementation challenges faced by
small businesses. Do the policies and procedures described in the
guidance actually facilitate the development and circulation of best
practices that are mindful of small business needs?
Answer. One area that may be more challenging for small- and
medium-sized businesses could be in understanding how to understand and
manage ``defensive measures.'' The guidance discussed how these will be
created and what they contain. Small- and medium-sized businesses will
have different abilities to understand how to manage them when they are
received and may need additional support to create internal structures
to implement them. Whether large or small, it would be helpful to have
a method for providing feedback or surveying recipients (of such
defensive measures) as to the level of detail that a company finds
useful or lacking. In other instances in the past, suggestions may come
from an agency that over-simplifies what defensive measure should be
taken including ``patch your systems,'' ``update anti-virus,'' or ``use
a firewall.'' Suggestions for defensive measures from the U.S.
Government going forward will need to be tailored to the size and
abilities of the companies.
It is important to note that many small businesses use service
providers to perform some or all of their IT services. These service
providers are a community with which the Department must engage to
effectively assist small businesses in benefiting from the information
shared via CISA.
Question 4. There is a natural tension between sharing threat
indicators quickly to facilitate rapid response, and sharing only the
most valuable information once it has been processed and analyzed. I
understand that DHS uses the former, emphasizing volume and timeliness.
Do you prefer this ``time is of the essence'' approach? In other words,
how useful and actionable is the information you receive from DHS?
Answer. There is an inherent tension between sharing quickly and
sharing the most valuable information that no single approach will
solve. However, sharing quickly with the ability to revise information
shared when refined or after feedback from other parties is received is
the optimal approach. Discussions have been had with DHS about adding
ways to share confidence ratings within the cyber threat intelligence
(CTI) AIS system that could be utilized to make the determination of
how best to act on the information. As a result, CTI could be shared
but, if needed, be matched with lower-confidence information versus
that which may receive a higher confidence based on information
that has additional vetting embedded in it.
Question 5. The Cybersecurity Act of 2015 contains numerous
provisions designed to safeguard privacy and civil liberties by
requiring, for instance, the scrubbing of personal information. Are
private-sector organizations using their own systems to fulfill these
obligations or relying on DHS mechanisms?
Answer. In our experience, the private-sector firms Soltra works
with take privacy very seriously and are taking the necessary steps to
ensure that scrubbing of information is occurring before information is
shared under CISA. The final DHS-DOJ guidance also does a good job
providing examples of the demarcation under CISA on what data points
may be related to the actual threat and how best to manage that
process.
We appreciate all that you do on these issues. If you or your staff
would like to discuss any of these matters in more detail, please let
us know.
Questions From Chairman John L. Ratcliffe for Mordecai Rosen
Question 1. In your opinion, do DHS's programs to secure Federal
Information Systems--Einstein and the Continuous Diagnostics and
Mitigation (CDM) program--together offer a comprehensive solution and a
defense-in-depth strategy to secure Federal networks?
Answer. Federal Information Systems are much safer today as a
result of early implementation of the Einstein and CDM programs. The
Federal Government has successfully integrated logical access through
the use of the PIV card for all privileged users and performed an audit
and reductions of privileged accounts. In particular, OPM has utilized
the CDM roadmap whereby you start with identifying assets and users,
then move toward managing behavior.
Early implementation of the Einstein program has helped Federal
agencies to detect malicious cyber attacks, and to communicate these
threats across the Federal Government.
However, there remain opportunities for improving security through
automated response and modernization of antiquated legacy systems.
We think the Cyber Sprint helped improve Government security
overall as well. Some say we need a marathon, and we agree; there is
much work to do. But, we believe that a long series of tightly measured
sprints invokes management focus and unmatched operational cadence.
The Einstein and CDM programs constitute an effective strategy to
improve Federal agency cybersecurity, with opportunities for continuous
improvement as technology evolves. However, a plan and strategy are
inconsequential without deployment. Deployment urgency will remain a
critical component to maximizing protection of Federal networks.
Question 2. In your opinion, are DHS's cybersecurity programs for
both Federal and non-Federal entities flexible and dynamic enough for
it to leverage emerging cutting-edge technologies and to keep pace with
the rapidly-evolving cyber threat landscape?
Answer. CA Technologies believes that DHS has become much stronger
at engaging with stakeholders and incorporating private-sector input
into both Federal and non-Federal cybersecurity programs. These include
the Einstein and CDM programs for Federal agencies and the Automated
Indicator Sharing (AIS) program for private entities.
This stakeholder engagement is vital to maintaining flexibility and
incorporating cutting-edge technologies.
We believe the major challenge in maintaining pace with the
evolving cyber threat landscape lies in the procurement, acquisition,
and deployment process. In particular, we see a need for more and
better-trained contracting personnel who have a strong understanding of
modern technologies and are empowered to accelerate deployment of
technologies under DHS programs.
Further, we, and our technology industry partners, continue to
advocate for stronger Federal Government alignment with the NIST-
developed Framework for Improving Critical Infrastructure
Cybersecurity, which envisions dynamic, flexible approaches to
improving cybersecurity, and calls for continuous improvement based on
evolving threat dynamics.
Question 3. A long-term goal of Einstein includes the filtering of
email, HTTP traffic, and DNS sinkholing. What would your estimation be
of the other security risks to Federal networks outside filtering
email, HTTP traffic, and DNS sinkholing?
Answer. CA Technologies believes that the compromise of digital
identities will continue to remain a primary security risk. Compromised
identities have been a common thread in virtually every large network
breach in recent years, including Federal agency breaches.
CA believes that identity and access management technologies are
central to protecting systems, networks, devices, and data. As Federal
agencies increase their utilization of digital technologies, the
authentication of persons and the authentication of devices and data
will remain crucial to protecting Federal networks.
In addition, authentication of both individuals and data will
become increasingly important to maintaining the integrity of cyber
threat information-sharing programs, as they are opened up to multiple
actors and organizations.
Further, as the application economy continues to evolve, more
organizations and governments will be opening up their data sets to
third parties. Therefore, it will be critical to both effectively
manage and secure the application programming interfaces that allow for
these transactions.
Questions From Ranking Member Cedric L. Richmond for Mordecai Rosen
Question 1a. In accordance with Sec. 103 and Sec. 105(a)(4) of the
Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the
Director of National Intelligence, the Secretary of Homeland Security,
the Secretary of Defense, and the Attorney General issued updated final
guidance on the sharing of cyber threat indicators and defensive
measures between and among Federal and non-Federal entities.
What was your impression of the guidance and are there aspects that
you find insufficient or impractical?
Question 1b. In addition to resolving the question of liability
protections for private-to-private sharing, are there other aspects of
the DHS guidance that you believe will benefit from additional clarity?
Question 1c. Are there aspects of the law that should be clarified?
Answer. CA Technologies would like to congratulate DHS, ODNI, DOD,
and DOJ on the job they have done in issuing updated final guidance on
the sharing of cyber threat indicators and defensive measures between
and among Federal and non-Federal entities.
The guidance clearly explains the mechanisms for sharing cyber
threat information with the Federal Government, the requirements for
removing personally identifiable information, and the liability
protections that will be afforded to organizations that comply with the
requirements of the legislation.
At this point, CA believes that stakeholders would benefit from
further DOJ and DHS clarification of liability protections for actions
taken in good faith participation in the information-sharing program.
The Automated Indicator Sharing (AIS) program envisions a wide volume
and velocity of shared cyber threat indicator data streams, which will
require significant analysis in order to make them actionable. It is
possible that some organizations will act on certain data streams that
may ultimately prove not to be related to cyber threats, and other
organizations may miss relevant indicators in the data streams, all
while participating in good faith. Greater clarification of liability
protections under these scenarios would benefit participants.
CA believes this clarification can be provided through DHS and DOJ
outreach with stakeholders and potentially through further guidance. We
don't believe the law needs to be clarified at this point.
Question 2. As a general rule, small- and medium-sized businesses
do not have the resources to devote to the most advanced, state-of-the-
art information technology systems. As such, they are more likely to
use older systems even if they exhibit known cybersecurity
vulnerabilities. In developing its information-sharing program, has DHS
provided a means for entities that rely on these older systems to share
and receive threat information, or does their platform require a more
advanced system?
Answer. Our sense is that DHS has developed its information-sharing
program in a way that allows for maximum participation with respect to
manual sharing of cyber threat indicators. In addition to allowing
organizations to share indicators through the AIS program, it also
allows organizations to share cyber threat indicators through a web
form or email. In order to receive liability protection under the law,
these organizations will need to remove any personally identifiable
information (PII) from information they share that they know at the
time of sharing is not related to a cyber threat. This will require the
organization to use manual controls or to implement automated controls
to ensure PII is removed. Automated technologies, such as Application
Programming Interface management software are available in the
marketplace for small- and medium-sized businesses.
In order for small businesses to receive cyber threat indicators
from the Federal Government in close to real time, they will need to
sign up to the AIS program. This will require them to acquire a Trusted
Automated eXchange of Indicator Information (TAXII) client and to
receive a Public Key Infrastructure (PKI) certificate from an approved
provider. This may be difficult for some small businesses. We recommend
that DHS continue to conduct outreach and awareness raising with small
businesses to help them properly understand how cybersecurity risks
impact their overall business risk environment. This will help small
businesses better prioritize cybersecurity investments, including
potential participation in information-sharing programs.
Question 3. In developing the aforementioned guidance, Sec.
103(a)(5) specified that the procedures established must facilitate
periodic circulation of cybersecurity ``best practices'' designed with
special attention to the accessibility and implementation challenges
faced by small businesses. Do the policies and procedures described in
the guidance actually facilitate the development and circulation of
best practices that are mindful of small business needs?
Answer. The guidance titled, ``Sharing of Cyber Threat Indicators
and Defensive Measures by the Federal Government under the
Cybersecurity Information Sharing Act of 2015'' included a section on
periodic sharing of cybersecurity best practices. This section includes
a listing of many cross-governmental programs, which provide
cybersecurity guidance. Included in this list of programs are those
with a focus on small- and medium-sized businesses such as those
provided by US-CERT, the National Cybersecurity and Communications
Integration Center (NCCIC), and the Small Business Administration.
CA believes that facilitating the development and circulation of
best practices should remain a priority for DHS implementation of the
Cybersecurity Act of 2015 in order to make Government cybersecurity
programs more accessible and actionable for the full range of
stakeholders. We would recommend that DHS continue to flesh out this
section with additional guidance in future updates.
Question 4. There is a natural tension between sharing threat
indicators quickly to facilitate rapid response, and sharing only the
most valuable information once it has been processed and analyzed. I
understand that DHS uses the former, emphasizing volume and timeliness.
Do you prefer this ``time is of the essence'' approach? In other words,
how useful and actionable is the information you receive from DHS?
Answer. CA Technologies is not currently a participant in the AIS
program; however, we are in the process of actively exploring
engagement. At this point, we recognize the importance of emphasizing
volume and timeliness. In the longer term, we believe it will be
important to enable automated analysis of data in order to make it more
actionable for organizations that don't have the resources to process
and analyze massive data sets. Authentication of both program
participants and the data that is shared will be a critical factor in
the successful implementation of this program.
Question 5. The Cybersecurity Act of 2015 contains numerous
provisions designed to safeguard privacy and civil liberties by
requiring, for instance, the scrubbing of personal information. Are
private-sector organizations using their own systems to fulfill these
obligations or relying on DHS mechanisms?
Answer. CA Technologies' understanding of the Cybersecurity Act of
2015, and its related guidance, is that it requires organizations to
scrub personal information that they know, at the time of sharing, is
not related to a cybersecurity threat in order to receive liability
protection under the law. CA Technologies is not a current participant
in the AIS program though we are currently actively exploring
participation. Should we participate in the program, we would use our
own systems to fulfill privacy obligations before sharing cyber threat
indicators with the Government.
As we noted in our answer to question No. 2, there are existing
technologies available in the marketplace to help organizations filter
personally identifiable information from data sets before sharing with
the Government. We anticipate that most organizations will want to
utilize these automated technologies or will implement manual controls
to remove personal information before sharing. The DHS mechanisms will
then provide an additional level of privacy assurance.
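The scrubbing obligation described in the two answers above (and in Mr. Clancy's answer to Question 5 earlier in this set) can be illustrated with a small routine. This is an added example, not code from the hearing witnesses, CA Technologies, Soltra or DHS: it keeps only the fields that describe the threat itself, redacts the sharing organisation's own e-mail addresses from free-text fields while leaving external (attacker) addresses intact, and flags residual personal data for the manual review the answers mention. The field names, the allow-list, the sample record and the domain `corp.example` are constructed assumptions for illustration, not a DHS, AIS or STIX schema.

```python
"""Added example (not from the hearing): allow-list based scrubbing of
personal information from a cyber threat indicator before sharing.
All field names, lists and sample values below are constructed assumptions."""
import re

# Assumed allow-list: fields that describe the threat (attacker artifacts).
THREAT_FIELDS = {
    "indicator_type", "sender_address", "subject", "malicious_url",
    "attachment_sha256", "observed_at", "description",
}

# Assumed fields identifying the victim organisation's people or records.
# They are known at the time of sharing to be unrelated to the threat.
PERSONAL_FIELDS = {"recipient_address", "recipient_name", "employee_id"}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _redact_own_addresses(text, own_domains):
    """Replace addresses in the organisation's own domains with a marker.
    Addresses in other domains (e.g. the phishing sender) are kept because
    they describe the threat."""
    def repl(match):
        return "[redacted]" if match.group(1).lower() in own_domains else match.group(0)
    return EMAIL_RE.sub(repl, text)


def scrub_indicator(record, own_domains):
    """Return (scrubbed, report).

    scrubbed: only THREAT_FIELDS, with own-domain addresses redacted from
              string values.
    report:   which fields were dropped and whether a human should review
              the result because a dropped personal value (e.g. a first
              name) still appears in the retained free text."""
    own_domains = {d.lower() for d in own_domains}
    scrubbed, dropped = {}, []
    for key, value in record.items():
        if key in THREAT_FIELDS:
            scrubbed[key] = (_redact_own_addresses(value, own_domains)
                             if isinstance(value, str) else value)
        else:
            dropped.append(key)

    # Manual-control fallback: names from dropped personal fields cannot be
    # found by the address regex, so detect them and flag for review rather
    # than guess at a rewrite.
    tokens = set()
    for key in PERSONAL_FIELDS & set(record):
        value = record[key]
        if isinstance(value, str) and not EMAIL_RE.search(value):
            tokens.update(t.lower() for t in re.findall(r"[A-Za-z]{3,}", value))
    retained_text = " ".join(str(v) for v in scrubbed.values()).lower()
    leaks = sorted(t for t in tokens
                   if re.search(r"\b" + re.escape(t) + r"\b", retained_text))
    report = {
        "dropped_fields": sorted(dropped),
        "needs_review": bool(leaks),
        "possible_leaks": leaks,
    }
    return scrubbed, report


# Constructed sample observation; every value here is made up.
SAMPLE_RECORD = {
    "indicator_type": "phishing-email",
    "sender_address": "billing@invoice-update.example",
    "subject": "Jane, your invoice is ready",
    "malicious_url": "http://invoice-update.example/login",
    "attachment_sha256": "deadbeef" * 8,  # constructed placeholder hash
    "observed_at": "2016-06-01T14:03:00Z",
    "description": ("Phishing e-mail delivered to jane.doe@corp.example; "
                    "link led to a credential-harvesting page."),
    "recipient_address": "jane.doe@corp.example",
    "recipient_name": "Jane Doe",
    "employee_id": "E-10442",
}
OWN_DOMAINS = {"corp.example"}  # assumed: the sharing organisation's domains


if __name__ == "__main__":
    clean, rep = scrub_indicator(SAMPLE_RECORD, OWN_DOMAINS)
    for k, v in clean.items():
        print(f"{k}: {v}")
    print("report:", rep)
```

The allow-list, rather than a deny-list, is the design choice worth noting: an unknown field is dropped by default, so a new data source cannot leak personal data simply because nobody added its fields to a blocklist. The `needs_review` flag is the point at which the manual controls the answers refer to take over; the routine deliberately does not try to rewrite free text around a person's name.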
Questions From Ranking Member Cedric L. Richmond for Ola Sage
Question 1a. In accordance with Sec. 103 and Sec. 105(a)(4) of the
Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the
Director of National Intelligence, the Secretary of Homeland Security,
the Secretary of Defense and the Attorney General issued updated final
guidance on the sharing of cyber threat indicators and defensive
measures between and among Federal and non-Federal entities.
What was your impression of the guidance and are there aspects that
you find insufficient or impractical?
Question 1b. In addition to resolving the question of liability
protections for private-to-private sharing, are there other aspects of
the DHS guidance that you believe would benefit from additional
clarity?
Question 1c. Are there aspects of the law that should be clarified?
Answer. Response was not received at the time of publication.
Question 2. As a general rule, small- and medium-sized businesses
do not have the resources to devote to the most advanced, state-of-the-
art information technology systems. As such, they are more likely to
use older systems even if they exhibit known cybersecurity
vulnerabilities. In developing its information-sharing program, has DHS
provided a means for entities that rely on these older systems to share
and receive threat information, or does their platform require a more
advanced system?
Answer. Response was not received at the time of publication.
Question 3. In developing the aforementioned guidance, Sec. 103(a)(5)
specified that the procedures established must facilitate periodic
circulation of cybersecurity ``best practices'' designed with special
attention to the accessibility and implementation challenges faced by
small businesses. Do the policies and procedures described in the
guidance actually facilitate the development and circulation of best
practices that are mindful of small business needs?
Answer. Response was not received at the time of publication.
Question 4. There is a natural tension between sharing threat
indicators quickly to facilitate rapid response, and sharing only the
most valuable information once it has been processed and analyzed. I
understand that DHS uses the former, emphasizing volume and timeliness.
Do you prefer this ``time is of the essence'' approach? In other words,
how useful and actionable is the information you receive from DHS?
Answer. Response was not received at the time of publication.
Question 5. The Cybersecurity Act of 2015 contains numerous
provisions designed to safeguard privacy and civil liberties by
requiring, for instance, the scrubbing of personal information. Are
private-sector organizations using their own systems to fulfill these
obligations or relying on DHS mechanisms?
Answer. Response was not received at the time of publication.