[House Hearing, 114 Congress] [From the U.S. Government Publishing Office] OVERSIGHT OF THE CYBERSECURITY ACT OF 2015 ======================================================================= HEARING before the SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED FOURTEENTH CONGRESS SECOND SESSION __________ JUNE 15, 2016 __________ Serial No. 114-76 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PUBLISHING OFFICE 24-379 PDF WASHINGTON : 2017 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Publishing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Michael T. McCaul, Texas, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Peter T. King, New York Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island Chair Brian Higgins, New York Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana Tom Marino, Pennsylvania William R. Keating, Massachusetts Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey Scott Perry, Pennsylvania Filemon Vela, Texas Curt Clawson, Florida Bonnie Watson Coleman, New Jersey John Katko, New York Kathleen M. Rice, New York Will Hurd, Texas Norma J. Torres, California Earl L. ``Buddy'' Carter, Georgia Mark Walker, North Carolina Barry Loudermilk, Georgia Martha McSally, Arizona John Ratcliffe, Texas Daniel M. Donovan, Jr., New York Brendan P. Shields, Staff Director Joan V. O'Hara, General Counsel Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director ------ SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES John Ratcliffe, Texas, Chairman Peter T. King, New York Cedric L. Richmond, Louisiana Tom Marino, Pennsylvania Loretta Sanchez, California Scott Perry, Pennsylvania Sheila Jackson Lee, Texas Curt Clawson, Florida James R. Langevin, Rhode Island Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi Michael T. McCaul, Texas (ex (ex officio) officio) Brett DeWitt, Subcommittee Staff Director Katie Rashid, Subcommittee Clerk Christopher Schepis, Minority Subcommittee Staff Director C O N T E N T S ---------- Page Statements The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Oral Statement................................................. 1 Prepared Statement............................................. 3 The Honorable Michael T. McCaul, a Representative in Congress From the State of Texas, and Chairman, Committee on Homeland Security: Oral Statement................................................. 4 Prepared Statement............................................. 6 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security: Prepared Statement............................................. 7 The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas: Prepared Statement............................................. 7 Witnesses Mr. Matthew J. Eggers, Executive Director, Cybersecurity Policy, National Security and Emergency Preparedness, U.S. Chamber of Commerce: Oral Statement................................................. 9 Prepared Statement............................................. 11 Mr. Robert H. Mayer, Vice President, Industry and State Affairs, United States Telecom Association: Oral Statement................................................. 16 Prepared Statement............................................. 18 Mr. Mark G. Clancy, Chief Executive Officer, Soltra: Oral Statement................................................. 20 Prepared Statement............................................. 22 Mr. Mordecai Rosen, General Manager, Security Business Unit, CA Technologies: Oral Statement................................................. 28 Prepared Statement............................................. 30 Ms. Ola Sage, Founder and Chief Executive Officer, E-Management: Oral Statement................................................. 36 Prepared Statement............................................. 38 For the Record The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas Letter......................................................... 52 Appendix Questions From Chairman John L. Ratcliffe for Matthew J. Eggers.. 57 Questions From Ranking Member Cedric L. Richmond for Matthew J. Eggers......................................................... 58 Questions From Ranking Member Cedric L. Richmond for Robert Mayer 61 Questions From Ranking Member Cedric L. Richmond for Mark G. Clancy......................................................... 63 Questions From Chairman John L. Ratcliffe for Mordecai Rosen..... 65 Questions From Ranking Member Cedric L. Richmond for Mordecai Rosen.......................................................... 66 Questions From Ranking Member Cedric L. Richmond for Ola Sage.... 68 OVERSIGHT OF THE CYBERSECURITY ACT OF 2015 ---------- Wednesday, June 15, 2016 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Washington, DC. The subcommittee met, pursuant to notice, at 10:12 a.m., in Room 311, Cannon House Office Building, Hon. John Ratcliffe (Chairman of the subcommittee) presiding. Present: Representatives Ratcliffe, McCaul, Perry, Clawson, Donovan, Richmond, Thompson, Sanchez, Jackson Lee, and Langevin. Mr. Ratcliffe. Pursuant to committee rule 5(a), I now convene the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies with the concurrence of the Ranking Member. Before we begin this morning, I would be remiss if I didn't again mention the Orlando terrorist attack that killed 49 innocent victims, the largest attack in the United States since 9/11. I would ask that we would open with a moment of silence in remembrance of the victims and their families. Thank you. The subcommittee meets today to fulfill its obligation and oversight responsibility of examining the implementation of the Cybersecurity Act of 2015 since its passage last year, and to look at the necessary steps going forward to strengthen our Nation's cyber defenses. Congress' job doesn't end when a piece of legislation is signed into law, and that is especially true when it comes to cybersecurity legislation. Continued oversight is essential to making sure that the bill is implemented in a manner that actually improves our cyber defenses. If agency guidance isn't clear, if tweaks need to be made, we want to hear that feedback and we want to address those concerns. For that reason, we are pleased to be joined today by a distinguished panel of industry experts to discuss this very important issue. Pushing the Cybersecurity Act of 2015 across the finish line last year was a significant accomplishment that was years in the making. During that time, these witnesses that are here today and others representing critical sectors devoted substantial energy to collaborate with policy makers like me on the best path forward. Hundreds of hours of stakeholder outreach were conducted across literally every relevant industry group: Energy, health care, financial services, technology, telecom, retail, you name it. In the end, this bill recognized many of the practices that were already being deployed by these industry groups and codified them into law, while providing important rules for the road, as well. My objective is to maintain that same posture as we assess the implementation of the Cybersecurity Act of 2015. This law recognizes the role of DHS's National Cybersecurity and Communications Integration Center, the NCCIC, as the civilian portal for the sharing of cyber threat indicators. The key aim was to see that our cyber threat indicators containing critical information about the nature, methodology, source, and scope of cyber attacks would be shared with other parties, so they, in turn, could fortify their own networks against future intrusions. In response to the devastating attack on the Office of Personnel Management, this law also bolsters DHS's ability to deploy intrusion detection and prevention capabilities across the Federal Government. I think we can all agree that the need for stronger cybersecurity posture is clear. Every day, our country is facing digital intrusions from criminals and hacktivists, terrorists, nation-states. Cybersecurity is National security. The impacts of those intrusions are being felt everywhere, from kitchen tables to boardroom tables across American companies. We can't tolerate acts of cyber threat and cyber warfare, especially when they result in the theft of intellectual property and innovation, and put our Nation's critical infrastructure at risk. We can't sit idly by while escalating ransomware attacks on our hospitals and our health care providers threaten our citizens by locking out access to their medical records. Cybersecurity breaches and data manipulation can undermine consumer confidence and they can damage a company's hard-earned reputation in just a matter of seconds. While we have yet to see a major corporation completely collapse due to a cyber attack, the possibility is no longer science fiction. One can only imagine the turmoil that would be caused if Americans suddenly found out that their checking accounts had all been drained. The loss of trust in our financial system would cause an economic meltdown. Nearly a third of CEOs surveyed recently identified cybersecurity as the largest issue impacting their companies today, and only half of those say they are fully prepared for a cyber event. We have learned that there are only two types of companies: Those who have been hacked and those who don't know yet that they have been hacked. Information sharing between companies, the Government, and critical sectors improves our ability to defend against all of these attacks. Beyond the impact on the private sector, safeguarding cyber space is also one of the great National security challenges of our time. The American people recognize this. In fact, in a recent Pew Research poll, Americans named cybersecurity as their second-biggest perceived threat only to ISIS. Imagine a catastrophic cyber attack on our gas pipelines or the power grid. Such an assault on our critical infrastructure could cripple our economy and weaken our ability to defend the United States. Our adversaries are right now hard at work developing and refining cyber attack capabilities and they are using them to intimidate our Government and to threaten our people. But the threat extends beyond the industrial engines that drive our economy, right into the homes of the American people themselves. Criminals and countries alike can now use cyber attacks to raid American savings accounts or steal their personal health records. The recent breach at Anthem last year demonstrated the very real capability and intent of bad actors to prey upon Americans' most sensitive information. We can't leave the American people, the American economy, and our critical infrastructure to fend for itself. This is why Congress passed the Cybersecurity Act of 2015. Information is the currency of today's age, and we have to constantly work together across all sectors if we expect to stay one step ahead of our adversaries on this new battlefield. Congress must utilize rigorous oversight to ensure that DHS is fulfilling its mission to better protect our networks, and that's why we are all here today. I want to thank all the witnesses for testifying before our subcommittee, and I look forward to your testimony. [The statement of Chairman Ratcliffe follows:] Statement of Chairman John Ratcliffe The subcommittee meets today to fulfill its oversight responsibility of examining implementation of the Cybersecurity Act of 2015 since its passage last year, and to look at necessary steps going forward to strengthen our Nation's cyber defenses. Congress' job doesn't end when a piece of legislation is signed into law, and that is especially true when it comes to cybersecurity legislation. Continued oversight is essential to making sure the bill is implemented in a manner that actually improves our cyber defenses. If agency guidance isn't clear, if tweaks need to be made, we want to hear that feedback and address those concerns. For that reason, we are pleased to be joined by a distinguished panel of industry experts to discuss this very important issue. Pushing the Cybersecurity Act of 2015 across the finish line last year was a significant accomplishment that was years in the making. During that time, these witnesses and others representing critical sectors devoted substantial energy to collaborate with policy makers on the best path forward. Hundreds of hours of stakeholder outreach were conducted across every relevant industry group--energy, health care, financial services, technology, telecom, defense, retail, you name it. In the end, the bill recognized many of the practices already deployed by these groups and codified them into law, while providing important rules of the road. My objective is to maintain that posture as we assess the implementation of the Cybersecurity Act of 2015. The bill recognized the role of DHS's National Cybersecurity & Communications Integration Center, or NCCIC, as the civilian portal for the sharing of cyber threat indicators. The key aim was to see cyber threat indicators--which contain critical information about the nature, methodology, source, and scope of cyber attacks--shared with other parties so they can, in turn, fortify their own networks against future intrusion. In response to the devastating attack on OPM, the law also bolstered DHS's ability to deploy intrusion detection and prevention capabilities across the Federal Government. The need for a stronger cybersecurity posture is clear. Every day our country faces digital intrusions from criminals, hacktivists, terrorists, and nation-States like Russia, China, and Iran. Cybersecurity is National security, and the impacts of those intrusions are felt everywhere--from kitchen tables to American businesses. We cannot tolerate acts of cyber theft and cyber warfare, especially when they result in the theft of intellectual property and innovation, and put our Nation's critical infrastructure at risk. We cannot sit idly by while escalating ransomware attacks on hospitals and health care providers threaten our citizens by locking out access to medical records. Cybersecurity breaches and data manipulation can undermine consumer confidence and damage a company's hard-earned reputation in a matter of seconds. And while we have yet to see a major corporation completely collapse due to a cyber attack, the possibility is no longer science fiction. One can only imagine the turmoil that would be caused should suddenly Americans' checking accounts be drained. Loss of trust in our financial system would cause an economic meltdown. Nearly a third of CEOs surveyed identify cybersecurity as the largest issue impacting their companies today, and only half say they are fully prepared for a cyber event. There are two types of companies: Those who have been hacked and those who don't know they have been hacked. This is why Congress passed the Cybersecurity Act last year. Information sharing between companies, the Government, and critical sectors improves our ability to defend against these attacks. Beyond the impact on the private sector, safeguarding cyber space is also one of the great National security challenges of our time--and the American people recognize this. In fact, in a recent Pew Research Poll, Americans named cybersecurity as their second biggest perceived threat only to ISIS. Imagine a catastrophic cyber attack on our gas pipelines or the power grid. Such assaults on our critical infrastructure could cripple our economy and weaken our ability to defend the United States. Our adversaries are hard at work developing and refining cyber attack capabilities, and they are using them to intimidate our Government and threaten our people. But the threat extends beyond the industrial engines that drive our economy, to the homes of Americans themselves. Criminals and countries alike can use cyber attacks to raid Americans' savings accounts or steal their personal health records. The recent breach of Anthem demonstrated the very real capability and intent of bad actors to prey upon Americans' most sensitive information. We cannot leave the American people, the American economy, and our critical infrastructure to fend for itself. That's why Congress passed the Cybersecurity Act of 2015. This new law strengthens DHS's ability to more effectively secure Government networks and incentivizes the sharing of cyber threat indicators among critical sectors and with the Government to bolster protections from future attacks. Information is the currency of today's age, and we must constantly work together across all sectors if we expect to stay one step ahead of the adversaries on this new battlefield. Congress must utilize rigorous oversight to ensure that DHS is fulfilling its mission to better protect our networks, and that's why we're here today. I want to thank the witnesses for testifying before this subcommittee and I look forward to your testimony. Mr. Ratcliffe. The Chair now recognizes the Chairman of the full committee, the gentleman from Texas, Mr. McCaul, for his opening statement. Chairman McCaul. I thank the Chairman for holding this important hearing today. Before I start, I would like to say a few words about the tragic events Sunday in Orlando. Our thoughts and prayers go out to the victims and their families. Our deepest gratitude goes out to the first responders who helped save so many lives. It was the deadliest attack on the United States homeland since 9/11. But our response has shown that Americans are resilient and will not be intimidated by extremists. Yesterday, I moderated a Classified briefing on the investigation with the Secretary of Homeland Security, the director of the FBI, and the National Counter Terrorism Center. In the coming months, we will continue to seek answers and have an oversight hearing on this very important issue. We will also take action to protect our country and prevent such an attack from ever happening again. The events in Orlando are a reminder that our Nation is being targeted by those who want to undermine our freedom and diminish our prosperity. But the threat is not just from kinetic terrorists. Today we will discuss how our Nation is also being targeted and attacked in real time by faceless intruders across the web. As we speak, a war is being waged against us in cyber space. Criminals, hacktivists, violent extremists and nation-states are infiltrating our networks and infecting our systems. Their motives are to deceive, steal, and destroy, and the impacts of their attacks are felt everywhere, from our kitchen tables to our corporate boardrooms. This committee has made our Nation's cybersecurity a top priority. In recent years we passed a number of landmark cybersecurity bills. First, we established a Federal civilian interface at the National Cybersecurity and Communications Immigration Center, or NCCIC, to facilitate cyber threat information sharing. This allows the Government to communicate more effectively across the 16 critical infrastructure sectors and with the private sector, with liability protection. Second, we laid down the rules of the road regarding how information is shared, making sure these data exchanges are efficient, timely, and secure. Third, we put in place measures to keep Americans' rights and personal information protected. Fourth, we made sure that DHS was able to hire and retain top cybersecurity talent, because we cannot protect our networks without a cyber work force that is smart and aggressive. And fifth, we enhanced the Department's ability to prevent, respond to, and recover from cyber incidents on Federal networks. Those measures went a long way in helping us secure our systems. But even with the fundamentals in place, we still have major vulnerabilities, especially lack of information sharing. After 9/11, we learned that if our agencies did not connect the dots, we could not stop attacks. The same principle applies to cyber threats. If no one shares data, everyone is less secure and intrusions go undetected. We realized that companies were very hesitant to share this sensitive data, so last year we drafted and passed the Cybersecurity Act to get the information flowing. The law now provides liability protection so that companies and other organizations can more freely exchange threat indicators. This includes Government-to-private information sharing, but also, importantly, private-to-private sharing. The legislation was a major win for security and privacy, allowing companies to secure their networks and keep hackers away from our bank accounts, health records, and other sensitive information. But we cannot be satisfied with this progress. We have got to be aggressive, as our adversaries are. We should aim to stay a step ahead of them at every turn. So I hope our witnesses, and I want to thank our witnesses for being here today, but I hope you will help us understand how we can do exactly that, how can we effectively implement this law to enhance America's digital defenses. I am very interested as well to see how this program is working at the Department and what this committee can do to enhance and strengthen their efforts. So with that, Mr. Chairman, I yield back. [The statement of Chairman McCaul follows:] Statement of Chairman Michael T. McCaul Before I start today, I would like to say a few words about the tragic events in Orlando. Our thoughts and prayers go out to the victims and their families, and our deepest gratitude goes out to the first responders who helped save lives. It was the deadliest terrorist attack on the U.S. homeland since 9/ 11, but our response has shown that Americans are resilient and will not be intimidated by extremists. Yesterday I moderated a Classified briefing on the investigation with the heads of DHS, the FBI, and the National Counterterrorism Center, and in the coming months we will continue to seek answers. We will also take action to protect our country and prevent such an attack from happening again. The events in Orlando are a reminder that our Nation is being targeted by those who want to undermine our freedom and diminish our prosperity. But the threat is not just from terrorists. Today we will discuss how our Nation is also being targeted and attacked--in real time--by faceless intruders across the web. As we speak, a war is being waged against us in cyber space. Criminals, hacktivists, violent extremists, and nation-states are infiltrating our networks and infecting our systems. Their motives are to deceive, steal, and destroy, and the impacts of their attacks are felt everywhere--from our kitchen tables to corporate board rooms. This committee has made our Nation's cybersecurity a top priority, and in recent years we have passed a number of landmark cybersecurity bills. First, we established a Federal civilian interface at the National Cybersecurity and Communications Integration Center, or NCCIC, to facilitate cyber-threat information sharing. This allows the Government to communicate more effectively across 16 critical infrastructure sectors and with the private sector. Second, we laid down the rules of the road regarding how information is shared--making sure data exchanges are efficient, timely, and secure. Third, we put in place measures to keep Americans' rights and personal information protected. Fourth, we made sure DHS was able to hire and retain top cybersecurity talent, because we cannot protect our networks without a cyber workforce that is smart and aggressive. And fifth, we enhanced the Department's ability to prevent, respond to, and recover from cyber incidents on Federal networks. Those measures went a long way in helping us secure our systems. But even with the fundamentals in place, we still saw major vulnerabilities, especially the lack of information sharing. After 9/11, we learned that if our agencies did not connect the dots, we could not stop attacks. The same principle applies to cyber threats. If no one shares data, everyone is less secure and intrusions go undetected. We realized that companies were very hesitant to share their sensitive data, so last year we drafted and passed the Cybersecurity Act of 2015 to get the information flowing. The law now provides liability protections so that companies and other organizations can more freely exchange threat indicators. This includes ``Government-to-private'' information sharing and ``private- to-private'' sharing. The legislation was a major win for security and privacy, allowing companies to secure their networks and keep hackers away from our bank accounts, health records, and other sensitive information. But we cannot be satisfied with this progress. We've got to be as aggressive as our adversaries--and we should aim to stay a step ahead of them. I hope today our witnesses will help us understand how we can do exactly that--and how we can effectively implement this law to enhance America's digital defenses. Thank you. Mr. Ratcliffe. Thank you, Mr. Chairman, and thank you for your leadership on this issue. Other Members of the committee are reminded that opening statements may be submitted for the record. [The statements of Ranking Member Thompson and Hon. Jackson Lee follow:] Statement of Ranking Member Bennie G. Thompson June 15, 2016 Today, the subcommittee turns its attention to another pressing issue: Securing our cyber networks. Cyber threats are constantly evolving. While a few years ago, critical infrastructure operators were primarily concerned about spear-phishing and DDOS attacks, today, the threat of ransomware attacks are front-of-mind. Over the past year, the proliferation of ransomware attacks, where networks of a hospital system, Government agency, or utility are held hostage for electronic payments, has reached epidemic proportions. In March, DHS reported that over the past year, there have been 321 incidents of ``ransomware-related activity'' affecting 29 Federal networks. The FBI Internet Crime Complaint Center, for its part, has acknowledged that over the last decade, of the $58 million in financial damage attributable to such attacks, attacks in just the last year account for $24 million in damage. With more Americans coming to embrace the Internet of Things, the disruptive and damaging effects of ransomware and other innovative modes of attack deployed by hackers have the potential to inflict significant damage to our Nation. To counter this threat, we must redouble our efforts to promote cyber hygiene practices, encryption, and information sharing. The enactment of the ``Cybersecurity Act'' in December provides for the sharing of information on cybersecurity threats and defensive measures between the Government and the private sector and within the private sector. Privacy, liability, and anti-trust provisions that are universally understood as essential to the timely sharing of cyber threat information are part of this law. Under the Act, the epicenter for such activity is, of course, the National Cybersecurity and Communications Integration Center. I am interested in exploring two key mandates in the Act. First, I want to hear from industry stakeholders how they see the launch of the ``Automated Indicator Sharing'' capability, as required under the Act, impacting information sharing. Second, I would like to hear the witnesses' perspective on how well DHS is carrying out the requirement to periodically share, through publication and targeted outreach, cybersecurity best practices in a manner that gives ``attention to accessibility and implementation challenges faced by small businesses.'' Before I close, I would like to note that, this past week, I was heartened to see how the United States stacks up to other nations when it comes to vulnerability to hacking. The United States was ranked fourteenth on the ``National Exposure Index,'' a worldwide comparative analysis of vulnerability to cyber attacks and cyber crime that is based on the scanning of millions of internet channels for vulnerabilities such as unencrypted and plain text services. While it is good to see that the United States is less vulnerable than Brussels, Australia, France, and China--countries on the list found to have weak authentication and encryption practices--now is not the time to rest on our laurels. ______ Statement of Honorable Sheila Jackson Lee Chairman Ratcliffe and Ranking Member Richmond, thank you for holding this morning's hearing entitled ``Oversight of the Cybersecurity Act of 2015.'' This hearing is an opportunity to receive testimony regarding implementation of the Cybersecurity Act of 2015, enacted on December 18, 2015, which was intended to resolve long-standing issues that prevented private-sector participants from sharing information on cyber threats with the Federal Government or with each other. I look forward to hearing from today's witnesses: Mr. Matthew J. Eggers--senior director, National Security and Emergency Preparedness, U.S. Chamber of Commerce; Mr. Robert H. Mayer--vice president, Industry and State Affairs, U.S. Telecom Association; Mr. Mark Clancy--chief executive officer, Soltra; Mr. Mordecai Rosen--general manager, Security Business Unit, CA Technologies; and Ms. Ola Sage--founder and chief executive officer, eManagement. As Ranking Member of the Judiciary Subcommittee on Crime, Terrorism, Homeland Security and Investigations and a senior member of the Committee on Homeland Security, I am a strong believer in the legislative process as the best path for addressing the most complex issues of the digital communication age. The Cybersecurity Act of 2015 did not follow regular order to become law--it was included in the Omnibus Appropriations bill passed at the end of last year. The bill encourages private companies to voluntarily share information about cyber threats with each other as well as the Government and includes the authorization of information sharing and its impacts on privacy and civil liberties; risks of misuse by the Federal Government or the private sector; and effects of proposed liability protections for companies and entities who participate in cybersecurity information sharing. The law requires the U.S. Attorney General and Secretary of Homeland Security to publish guidelines, and jointly submit to Congress interim CISA policies and procedures by February 16, 2016, and publish final policies and procedures by June 15, 2016, to assist businesses in identifying information that would qualify as a cyber threat indicator and eliminating personal information from shared cyber threat information. These guidelines will seek to: (1) Identify cyber threat indicators that contain personal information and are unlikely to directly relate to a cybersecurity threat, and, (2) identify types of information that is protected under privacy laws and are unlikely to directly relate to a cybersecurity threat. the cybersecurity and information-sharing legislation The law broadly authorizes the Federal Government to share Unclassified ``cyber threat indicators'' and ``defensive measures'' technical data that indicates how networks have been attacked, and how such attacks have been successfully detected, prevented, or mitigated. The law authorizes the sharing of Unclassified information among Federal agencies, as well as with businesses and the public. Classified cyber threat information, in contrast, may be shared outside the Government only with entities that have appropriate security clearances. Vulnerabilities in computing products are the chief method used by data thieves and terrorists to breach computing systems. Since 2005 to the present, the Privacy Rights Clearinghouse, reports that 895,886,345 records have been breached. Entities and their customers that have fallen victim to data breaches range in size from small businesses to major corporations and Federal Government agencies, including:The IRS--101,000 the agency block payments to data thieves who used stolen identity information from elsewhere to generate pins using stolen Social Security Numbers (date reported 2/10/ 2016). Scottrade--lost over 4 million records (October 1, 2015). Excellus Blue Cross Blue Shield--lost over 10 million patient records (September 10, 2015). Office of Personnel Management (OPM)--lost over 21.5 million Government employee or former employee records (June 4, 2015). Most data breach reports include no details on the number of records breached or stolen. There is no law that requires companies to report breaches, but there are laws that require reports to consumers when their personal information may have been lost or stolen. Identifying and closing vulnerabilities in software and firmware IS one important means of securing systems from threats. The link between commercially available computing devices and our Nation's critical infrastructure lies in the role of products in ensuring the proper maintenance and operation of critical infrastructure. ransomware and hacking activity The latest threat from cyber hackers is ransomware. Bad actors find vulnerabilities in a computer or computing network and use it to introduce an encryption application that locks the data so the owner or user of a computer system cannot access it until a ransom is paid to the hackers who then unlock the data. Government agencies, businesses, and consumers are struggling to protect themselves from cyber threats large and small. Innovation in the form of stronger encryption has to move at unprecedented speed to try to catch up to the attacks currently being used. In this fast-paced environment, businesses are offering some of the most important cybersecurity protections for digital communications. The lessons that can be learned and the protections that could be developed is dependent on how well the private and public sectors cooperate. I look forward to hearing from our witnesses on the issue of overstays. Thank you. Mr. Ratcliffe. As I mentioned earlier, we are pleased to have with us a distinguished panel of witnesses today on this very important topic. Mr. Matthew Eggers is the executive director of national security and preparedness at the U.S. Chamber of Commerce. Good to have you back before our subcommittee, Matt. Mr. Robert Mayer is the vice president of industry and State affairs at the U.S. Telecom Association. We are glad to have you as well, Mr. Mayer. Mr. Mark Clancy is the chief executive officer at Soltra. Welcome, Mr. Clancy. Mr. Mordecai Rosen is the general manager of the Security Business Unit at CA Technologies. Thank you for being here today. Finally, Ms. Ola Sage is the president and chief executive officer of e-Management. Welcome, and again, welcome to you all. I would now like to ask the witnesses to stand and raise your right hand, so I can swear you in to testify. [Witnesses sworn.] Mr. Ratcliffe. Let the record reflect that the witnesses answered in the affirmative. You all may be seated. The witnesses' full statements will appear in the record. The Chair now recognizes Mr. Eggers, for 5 minutes, for his opening statement. STATEMENT OF MATTHEW J. EGGERS, EXECUTIVE DIRECTOR, CYBERSECURITY POLICY, NATIONAL SECURITY AND EMERGENCY PREPAREDNESS, U.S. CHAMBER OF COMMERCE Mr. Eggers. Thank you, sir. Good morning, Chairman McCaul, Chairman Ratcliffe, Ranking Member Richmond, and other distinguished Members of the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. My name is Matthew Eggers, and I am the executive director of cybersecurity policy with the U.S. Chamber. The chamber and I welcome the opportunity to testify. I will confine my statements to CISA, or the Cybersecurity Information Sharing Act of 2015, which is Title I of the act that we are discussing today. Last year, information-sharing legislation was the chamber's top cyber priority. We led the Protecting America's Cyber Networks Coalition, a partnership of more than 50 leading business associations representing nearly every sector of the U.S. economy. CISA, a voluntary program, gives businesses legal certainty that they have safe harbor against frivolous lawsuits when freely sharing and receiving cyber threat data in real time. CISA also offers protections related to public disclosure, regulatory and antitrust matters. The law safeguards individual's privacy and civil liberties. The chamber is championing CISA as part of our National cybersecurity campaign. Businesses' use of CISA falls into roughly 4 categories. I am generalizing. One, earlier information-sharing leaders. Companies in this category are eager to see a sea change in the real-time sharing of threat indicators. According to a chamber member who addressed the administration's cyber commission in May, our adversaries should only use an attack or technique once. If our business spots an attack today, all businesses should be protected against it by day's end. This company and ones just like it is an active member of the sharing community. It wants public-private sharing capacity expanded right away. The chamber agrees. No. 2, ISAO and ISAC members. Rank-and-file organizations in this group typically share cyber threat data with other businesses and with the Government through information-sharing bodies known as ISAOs and ISACs. This category is expected to swell as confidence in the CISA program grows and new information-sharing organizations are stood up. The administration's promotion of ISAOs is expected to have a positive influence, too. No. 3, be intrigued, but cautious. I attended DHS's C3 program on June 1 in Indianapolis, and one individual's remark comes to mind. He said, ``I have heard about CISA, but we are not ready as a company to participate. It will take a cultural shift.'' This person's apprehension tells us how central it is that trust in CISA's protection be earned and maintained. No. 4, small businesses and under-resourced organizations. A goal of information-sharing legislation is to foster economies of scale in real-time sharing. The chamber believes that the market will eventually provide inexpensive and easy- to-use technologies that conform to CISA's rules and generate and swap indicators at internet speeds. Such an outcome is important for small and under-resourced organizations. The chamber is a strong supporter of CISA, but it's not a silver-bullet solution. CISA is part of a mix of policies that need to advance together. Some select examples. First, the joint-industry NIST cyber framework is a sound baseline for businesses' cybersecurity practices. The chamber urges policymakers to help agencies streamline existing regulations with the framework. We oppose the creation of new mandates. Second, the chamber is engaging issues that are linked to information sharing. The chamber supports a piloting, a CIDAR, which is shorthand for a Cyber Incident Data and Analysis Repository. Also, we appreciate Congress' efforts to press the administration to renegotiate the Wassenaar Agreement control language governing so-called intrusion software. Industry is urging Wassenaar officials to eliminate the controls on technology software and hardware. Discussions are underway, but we still have much work to do. The CISA program is off to a good start. CISA procedures and guidance were finalized yesterday, and chamber members will review them. While oversight by Congress is crucial, it is too soon to make changes to the legislation. CISA does not need to be reauthorized for several years. The chamber's public message is two-fold. No. 1, to policymakers we say thank you for getting CISA done, and we urge lawmakers and the administration to be industry's ally as they use the program. No. 2, to businesses we say that you should use the framework, join an ISAO or an ISAC and take advantage of the CISA AIS system as appropriate. The chamber believes that CISA will enable private organizations to be more secure and resilient against America's cyber adversaries. Thank you for giving me the opportunity to convey the chamber's views. I am happy to answer any questions. [The prepared statement of Mr. Eggers follows:] Prepared Statement of Matthew J. Eggers June 15, 2016 Good morning, Chairman McCaul, Ranking Member Thompson, and other distinguished Members of the House Homeland Security Committee (committee). My name is Matthew Eggers, and I am the executive director of cybersecurity policy with the U.S. Chamber's National Security and Emergency Preparedness Department. On behalf of the chamber, I welcome the opportunity to testify before the committee regarding industry's perspectives on the Cybersecurity Act of 2015. The chamber's National Security and Emergency Preparedness Department was established in 2003 to develop and implement the chamber's homeland and National security policies. The Department's Cybersecurity Working Group, which I lead, identifies current and emerging issues, crafts policies and positions, and provides analysis and direct advocacy to Government and business leaders. The chamber applauds the committee and its staff members for their dedication to getting cybersecurity information-sharing legislation enacted. Recent cyber incidents in the public and private sectors underscore the need for legislation to help businesses improve their awareness of cyber threats and to enhance their protection and response capabilities in collaboration with Government entities. Cyber attacks aimed at businesses and Government bodies are increasingly being launched from sophisticated hackers, organized crime, and state- sponsored groups. These attacks are advancing in scope and complexity. Industry and Government have a mutual interest in bolstering the economic security of the U.S. business community. cybersecurity information sharing act of 2015 (cisa): the basics I will largely confine my written statement to the Cybersecurity Information Sharing Act of 2015 (CISA), which is title I of the Cybersecurity Act of 2015.\1\ President Obama signed this legislation into law in December 2015. The House passed two cybersecurity information-sharing bills in April 2015 with robust majorities from both parties and with broad industry backing. Indeed, the House's action prodded the full Senate to take up cybersecurity information- sharing legislation in the fall. --------------------------------------------------------------------------- \1\ The cyber legislation was included in the Consolidated Appropriations Act, 2016 (Pub. L. No. 114-113). www.congress.gov/bill/ 114th-congress/house-bill/2029. --------------------------------------------------------------------------- Passing cybersecurity information-sharing legislation was the top cyber policy priority of the chamber. We led the Protecting America's Cyber Networks Coalition (the coalition), a partnership of more than 50 leading business associations representing nearly every sector of the U.S. economy. It took a dedicated team working with Capitol Hill and the administration to get CISA done. CISA establishes a voluntary information-sharing program, intended to strengthen businesses' protection and resilience against cyber attacks. The law gives businesses legal certainty that they have safe harbor against frivolous lawsuits when freely sharing and receiving cyber-threat indicators (CTIs) and defensive measures (DMs) in real time and taking actions to mitigate cyber attacks. CISA also offers protections related to public disclosure, regulatory, and antitrust matters in order to increase the timely exchange of information among public and private entities. The law safeguards individuals' privacy and civil liberties and establishes appropriate roles for Government agencies and departments. CISA reflects sound compromises among many parties on these issues.\2\ --------------------------------------------------------------------------- \2\ See Automated Indicator Sharing (AIS) resources, including the Cybersecurity Information Sharing Act of 2015 (CISA) implementation procedures and guidance, available at www.us-cert.gov/ais. Also see pro-CISA advocacy papers: ``It's About Protecting America's Cyber Networks, Not Surveilling You'' (August 10, 2015) [http:// www.uschamber.com/sites/default/files/ cisa_myth_v_fact_cyber_protection_not_surveillance_final_0.pdf]; ``Sharing Cyber Threat Indicators (CTIs)--Separating Fact From Fiction'' (August 19, 2015) [http://www.uschamber.com/sites/default/ files/cisa_ctis_separating_fact_from_fiction_aug_19- _final.pdf]; `` `Voluntary' Means Voluntary--Separating Fact From Fiction'' (August 26, 2015); and ``Going on the `Defensive'--Separating Fact From Fiction'' (October 5, 2015) [http://www.uschamber.com/sites/default/files/ cisa_going_on_the_defensive_separating_fact_- from_fiction_oct_5_final.pdf]. http://insidecybersecurity.com/daily- news/info-sharing-debate-shifts-implementation-privacy-advocates-now- back-cyber-law. --------------------------------------------------------------------------- CISA called for the Department of Homeland Security (DHS) to establish a ``capability and process'' (aka a portal) in the Department to receive CTIs and DMs shared by businesses with the Federal Government in an electronic format--i.e., through email or media, an interactive form on an internet website, or a real-time, automated process. In March 2016, DHS launched an Automated Indicator Sharing (AIS) platform that enables the Government and the private sector to exchange cybersecurity threat information with one another.\3\ The AIS initiative reportedly has more than 100 participants--spanning the banking, energy, and technology sectors, as well as both small and large companies--up from 6 participants this past spring. --------------------------------------------------------------------------- \3\ www.us-cert.gov/ais. --------------------------------------------------------------------------- Groups have begun testing their ability to share and receive indicators, but there is not yet sharing on a massive scale. The platform uses technical specifications, including the Trusted Automated eXchange of Indicator Information (TAXII), which defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information. It also uses Structured Threat Information eXpression (STIX), a collaborative effort to develop a structured language to represent threat information.\4\ --------------------------------------------------------------------------- \4\ http://blogs.wsj.com/cio/2016/03/21/homeland-security- department-launches-cyber-threat-sharing-platform. --------------------------------------------------------------------------- An industry participant at last week's (June 9) CISA implementation workshop captured the thinking of many when he said, ``Our adversaries are employing automated techniques against us. Machine-to-machine sharing is a key element needed to help solve our cybersecurity problems.'' He added that the United States cannot succeed if we pit cyber professionals--which are a significantly limited workforce asset--against machines. chamber promoting cisa as part of our national cyber campaign The chamber is championing CISA as part of our National cybersecurity campaign. The chamber will develop a document in concert with industry groups and other parties, including DHS and the Department of Justice (DOJ), that summarizes the CISA/AIS program, describes participants' protections and obligations, and urges the private sector to get involved in the AIS network. Appropriate, real- time automated sharing will strengthen the security and resilience of industry and Government, thus heightening the costs of executing malicious attacks by U.S. adversaries. Many experts contend that the timely sharing of cyber indicators among various information-sharing and analysis organizations (ISAOs), information-sharing and analysis centers (ISACs), and private- and public-sector entities can reduce both the probability and the severity of cybersecurity incidents. (ISACs are considered to be ISAOs.) The chamber launched our cybersecurity roundtable series in 2014. This National initiative recommends that businesses of all sizes and sectors adopt fundamental internet security practices, including using the framework and similar risk management tools, engaging cybersecurity providers, and partnering with law enforcement before cyber incidents occur. Nine regional roundtables and two summits in Washington, DC, have been held since 2014. More events are planned this year, including in San Antonio, Texas, on June 28 and in Chicago (Schaumburg, Illinois) on July 12. The chamber's Fifth Annual Cybersecurity Summit will be held on September 27. Each regional event includes approximately 200 attendees and typically features cybersecurity principals from the White House, DHS, the National Institute of Standards and Technology (NIST), and local FBI and Secret Service officials. cisa implementation guidance and proceduers: a good start The enactment of CISA triggered an array of Government guidelines and procedures. The chamber has tracked implementation dates and monitored agencies' progress toward meeting the deadlines--and DHS and the DOJ delivered. In particular, DHS and DOJ released interim guidance in February 2016 to assist ``non-Federal entities''--including organizations in the private sector and State and local governments--to share CTIs with the Federal Government. The departments also released interim procedures relating to the receipt and use of CTIs by the Federal Government, interim guidelines relating to privacy and civil liberties in connection with the exchange of these indicators, and guidance to Federal agencies on sharing information in the Government's possession. At the time of this writing, the chamber expects that DHS and DOJ officials will release by June 15 final procedures and guidance, which we generally agree with. We anticipate that the departments will accommodate the chamber's request to clarifying the protections afforded to a non-Federal entity when it shares cyber threat information with another non-Federal entity. The chamber and public authorities have a mutual interest in ensuring that the important protections authorized under CISA are clearly stated and utilized. looking ahead: promoting cisa, building and maintaing trust Looking forward to the next several months, the chamber believes that businesses' use of the CISA program arguably falls into roughly 4 categories. I want to emphasize that these groups are generalizations-- shorthand for where private entities are in the information-sharing ecosystem. Early Information-Sharing Leaders: Increasing the Quality and Volume of Sharing Under CISA.--Private organizations in this category are actively engaged in sharing threat data. They were in the vanguard of businesses establishing and funding ISAOs and ISACs several years ago. Companies in this grouping have long-established information-sharing relationships among multiple industry peers and Government partners, and several of them are already directly connected to sharing programs like AIS.\5\ --------------------------------------------------------------------------- \5\ www.dhs.gov/topic/cybersecurity-information-sharing. --------------------------------------------------------------------------- CISA should give the lawyers and risk management professionals in these top organizations added certainty to receive CTIs and DMs and to share them with business and the Government. A core purpose of the new law is to extend liability protections to companies to encourage them to share cyber threat information.\6\ --------------------------------------------------------------------------- \6\ http://insidecybersecurity.com/daily-news/mccaul-evaluate- effectiveness-cyber-info-sharing-law-including-liability-protections. --------------------------------------------------------------------------- Companies in this category are eager to see a sea change in the real-time sharing of threat indicators within and across sectors, as well as between Government and businesses. According to a chamber member who addressed on May 16 the Commission on Enhancing National Cybersecurity, ``Our adversaries should only use an attack or technique once. If our business spots an attack today, all businesses should be protected against it by day's end.'' Clearly, this company is an active member of the sharing community and wants public- private capacity to expand their capability to exchange threat data immediately. The chamber agrees. ISAOs/ISACs Members: Leveraging the Expanding Network of Sharing Conduits.--Many members in this dispersed network of ISAOs/ISACs do not share cybersecurity threat data directly with the Government. Instead, rank-and-file members in this category typically share CTIs and DMs with other businesses and with the Government through the channels that information bodies (e.g., the Financial Services-ISAC, the Oil and Natural Gas-ISAC) provide. This category is expected to swell as confidence in the CISA program grows and new information- sharing organizations are stood up over the coming months and years. The comparatively new ISAO standards organization is a key component of the Obama administration's cybersecurity strategy, launched in early 2015.\7\ The administration's promotion of ISAOs is designed to encourage the protected sharing of information based on emerging and evolving threats that transcend industry sectors and geographic regions.\8\ CISA is expected to have a positive influence on the expansion of the community of ISAOs and ISACs. --------------------------------------------------------------------------- \7\ In February 2015, President Obama signed an Executive Order (EO) to promote cybersecurity information sharing among multiple business and Government entities. The EO urges the private sector to develop information sharing and analysis organizations (ISAOs) to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and Government. www.whitehouse.gov/the-press-office/2015/02/13/executive- order-promoting-private-sector-cybersecurity-information-shari. \8\ http://insidecybersecurity.com/daily-news/isao-standards-body- issue-next-round-draft-plans-info-sharing-july. --------------------------------------------------------------------------- The Intrigued But Cautious: Sharing Should Pick Up as Both Education and Confidence Increase.--Businesses in this category have probably heard something about CISA through social media, cybersecurity events, and colleagues. Business leaders are interested in protected sharing arrangements, yet they are not ready to commit to routine sharing and receiving. Perhaps they do not know how to begin. The former view is due to misgivings about CISA's protections. The latter situation can be addressed through outreach and education. Many cautious businesses have pictures in their heads of bureaucrats lying in wait with regulations and privacy groups readying law suits. The chamber does not agree completely with these perspectives, but we hear them expressed frequently. I attended a DHS-led C3 Voluntary Program in early June in Indianapolis and one individual's remark comes to mind. He said, ``I have heard about CISA. But we are not ready as a company to participate--it will take a cultural shift.'' This person's apprehension tells us how central it is that trust in CISA's protections be earned and maintained. The chamber and most Government leaders appreciate that business attitudes change over time and participation in CISA/AIS will be gradual. One change that may accelerate the use of CISA is business contracting arrangements. The chamber foresees situations where large firms require their supply chain partners to belong to an ISAO/ISAC and to utilize AIS or some other automated means of timely indicator sharing. Small Businesses and Underresourced Organizations: Indirect Beneficiaries of Innovations in Sharing.--Many small and midsize businesses, especially underresourced enterprises, will be able to benefit from an innovative, automated sharing ecosystem. A key long-term goal of information-sharing legislation is to foster economies of scale in real-time sharing. The chamber anticipates that the marketplace will eventually provide inexpensive and easy-to-deploy technologies that conform to CISA's rules (e.g., scrubbing privacy information from CTIs) and generate and swap threat signatures at internet speeds. Systems like AIS will be able to block attacks sooner and more regularly, compared with the relatively human-intensive sharing schemes in use today. cisa fits within a collection of policy issues that need attention The chamber is a strong supporter of CISA and its potential to clear away real or perceived hurdles to information sharing. CISA is not a silver-bullet solution to our Nation's cybersecurity challenges. However, chamber members say that increasing the speed and quality of bilateral information flows of CTIs and DMs is essential for developing a holistic approach to cyber defense. CISA is part of a mix of cybersecurity policies that need to advance together. Here are some select issues that are worth highlighting for the committee: First, the joint industry-NIST Framework for Improving Critical Infrastructure Cybersecurity (the framework) is a sound baseline for businesses' cybersecurity practices. The CISA program and the framework are highly complementary. Businesses implement a cybersecurity risk management program before investing in information-sharing programs. In February 2016, the chamber sent a letter to NIST, commenting on the framework. Key points that the chamber made in the letter include the following: The chamber has been actively promoting the framework. Chamber members are using the framework and urging business partners to manage cybersecurity risks to their information networks and systems. The chamber urges policymakers to help agencies and departments with streamlining existing regulations with the framework and maintaining the framework's voluntary nature. Industry opposes the creation of new or quasi-cybersecurity regulations, particularly when Government authorities have not taken affected entities' perspectives into account.\9\ --------------------------------------------------------------------------- \9\ http://csrc.nist.gov/cyberframework/rfi_comments_02_2016/ 20160209_US_Chamber_- of_Commerce.pdf. --------------------------------------------------------------------------- The bottom line: The chamber values the Obama administration's leadership on the non-regulatory framework and urges the next administration to actively support it. NIST did an admirable job working with industry to development the tool. As framework stakeholders begin the year-long transition from the Obama administration to its successor, the chamber wants to sustain the view held by most businesses and policymakers that the framework is a policy and political cornerstone for managing enterprise cybersecurity risks and threats. To sustain the momentum behind the framework, the chamber believes that both industry and government have jobs to do. On the one hand, the chamber has been actively promoting the framework since it was released in 2014. Our national cybersecurity campaign is funded through members' sponsorships and through the contributions of State and local chambers of commerce, other business organizations, and academic institutions. Further, chamber members are using the framework and urging business partners to manage cybersecurity risks to their data and devices. Industry is working with government entities, including DHS, to strengthen their information networks and systems against malicious actors. On the other hand, the chamber urges policymakers to help agencies and departments with harmonizing existing regulations with the framework and maintaining the framework's voluntary nature. Our organization opposes the creation of new or quasi-cybersecurity regulations, especially when government authorities have not taken affected entities' perspectives into account. Second, the chamber is engaging policy issues that ultimately relate to cybersecurity information sharing. The chamber supports piloting a CIDAR, shorthand for a cyber incident data and analysis repository. In May 2016, we sent a letter to DHS saying that (1) data submitted to a CIDAR need to be made anonymous, (2) additional sharing protections may be needed, and (3) an experimental CIDAR could offer tangible upsides to public- and private-sector cybersecurity. Comprehensive information about cyber events could assist insurers in expanding cyber coverage and in identifying cybersecurity best practices for their customers. The chamber appreciates the efforts of the Congressional Cybersecurity Caucus, particularly co-chairs McCaul and Langevin, to press the administration to renegotiate the Wassenaar Agreement (WA) control language governing so-called intrusion software and surveillance items aspects of a controversial international agreement to prevent the export of sophisticated hacking tools to repressive governments and criminal organizations. Industry and democratic governments have a mutual interest in keeping malicious software out of the hands of bad actors. But the 2013 WA control language governing so-called intrusion software and surveillance items takes a seriously wrong approach to cybersecurity.\10\ --------------------------------------------------------------------------- \10\ https://www.uschamber.com/sites/default/files/documents/files/ final_group_letter_- bis_proposed_rule_intrusion_software- surveillance_items_july_20_2015.pdf. --------------------------------------------------------------------------- WA officials are gathering from June 20 to 24 in Vienna, Austria, at the working-group level. Industry is urging officials to completely eliminate the controls on technology, software, and hardware. If deleting the controls is not possible, the chamber and many others recommend that WA officials substantially narrow the scope of the control language and dramatically simplify the language in order to bring clarity and enable compliance.\11\ If the WA control language is not eliminated or at least adequately amended, it could have a powerfully (unintended) negative effect on the CISA program. Creating cybersecurity policies and laws in the WA environment lacks sufficient transparency and does not advance public-private partnerships at home and abroad. --------------------------------------------------------------------------- \11\ http://insidecybersecurity.com/daily-news/obama- administration-agrees-renegotiate-cyber-export-controls. --------------------------------------------------------------------------- On June 8, the chamber's board of directors approved a policy statement on cybersecurity norms and deterrence. The paper argues that despite the existence of written blueprints, such as ones related to global prosperity and defense, the U.S. cybersecurity strategy is seemingly uncertain--both to many in the private sector and our adversaries alike. The chamber believes that policymakers need to refocus National and global efforts to heighten the costs on sophisticated attackers that would willfully hack America's private sector for illicit purposes. Public-private policymaking needs to spotlight increasing adherence to international norms and deterrence to reduce the benefits of conducting harmful cyber activity against the U.S. business community and the Nation. The statement makes several policy endorsements. For instance, the chamber contends that the United States and its allies should enhance businesses' situational awareness through protected information sharing. recommendations on congressional oversight The chamber believes that the CISA program is off to a good start. The CISA/AIS implementation guidance documents will likely be finalized today. We look forward to reviewing them with our members. The chamber appreciates the open and constructive discussions that we have had with DHS and DOJ officials. While oversight by Congress is crucial, it is too soon to make changes to the legislation. CISA does not need to be reauthorized for several years (i.e., September 2025). The chamber's public message is two-fold: To policymakers we say thank you for getting the cybersecurity information-sharing legislation across the finish line. And we urge lawmakers and the administration to be industry's ally as they use the program. Companies need to feel that policymakers have their backs. It is important that businesses see that the protections granted by the law- including matters tied to limited liability, regulation, antitrust, and public disclosure-become real. To businesses we say that you should use the framework, join an ISAO/ISAC, and take advantage of the CISA/AIS system as appropriate. The chamber urges the senior leaders of industry groups to promote these initiatives among their peers and constituencies. The chamber and many stakeholders worked diligently over several years to craft policy that would serve multiple interests--namely individuals' security and privacy. We believe that CISA will enable private organizations of all sizes and sectors to be more secure and resilient against America's cyber adversaries. Mr. Ratcliffe. Thank you, Mr. Eggers. The Chair now recognizes Mr. Mayer, for 5 minutes, for his opening statement. STATEMENT OF ROBERT H. MAYER, VICE PRESIDENT, INDUSTRY AND STATE AFFAIRS, UNITED STATES TELECOM ASSOCIATION Mr. Mayer. Thank you. Good morning, Chairman McCaul, Chairman Ratcliffe, Ranking Member Richmond, and distinguished Members of the committee. My name is Robert Mayer, and I serve as vice president of industry and State affairs at the United States Telecom Association. Thank you for giving the communications sector and me personally the opportunity to appear before you today for this important oversight hearing. Today, our Nation faces unrelenting assaults from a variety of bad actors, including, among others, nation-states, criminal enterprises, terror organizations and individual and group hackers. As new interconnected platforms, technologies, and applications grow exponentially, so does the attack surface expand, placing every U.S. citizen and organization in harm's way. In this setting, information sharing represents a fundamental building block in protecting the vital interests of all well-intended stakeholders in the cyber ecosystem. The U.S. Congress and this committee in particular are to be applauded for passing bipartisan legislation that now serves as a cornerstone in protecting our Nation's economic and National security from the perils of cyber attack. The Cybersecurity Act of 2015 is a complex bill that represents a careful balance of interests across a broad spectrum of stakeholders. The act was founded on the voluntary sharing of information and provides authority for preventing, detecting, analyzing, and mitigating cybersecurity threats. On the privacy front, great care was taken to safeguard individuals from having their personal information shared with the Government in a manner not directly related to specifically authorized activities. Of great importance to our industry were the assurances that information shared with our Government partners would not be directly used to regulate lawful activity, to monitor or operate defensive measures, or share cybersecurity threat indicators. Similarly, protections from Federal and State disclosure laws provide the appropriate balance between interest and transparency, and vital information sharing. Furthermore, by authorizing the EINSTEIN 3 Accelerated and Enhanced Cybersecurity Service programs and eliminating statutory obstacles to their implementation, the Act took important steps to make the network of Federal civilian agencies, State governments, critical infrastructure providers and other entities safer, especially from advanced, persistent threats. Perhaps of greatest significance on the impact of future information sharing were the protections from liability incorporated into the act. While there may remain some lingering questions in this area that will be the subject of further clarification, the lack of such protections was one of the most serious impediments to sharing information. The communication sector has been actively engaged in information sharing, operational and planning activities at DHS and elsewhere both before and subsequent to the passage of the act. Today at the operational level, over 50 private companies and 24 Federal agencies share critical communications information in the DHS National Coordination Center which also operates as our communications ISAC. Another noteworthy undertaking in this area involves activity in the Communications Sector Coordinating Council where a new committee was created following the passage of the act to evaluate current information-sharing activities and what the sector can do to support new and evolving initiatives. That committee is also planning to conduct a preliminary assessment of how the current, more narrowly circumscribed information sharing has been effectively and appropriately expanded as a consequence of the legislation adopted by Congress. While the act is only 6 months old, it is already evident that the new law is having an impact on both industry and Government efforts to facilitate greater information sharing. We want to take this opportunity to acknowledge the significant and largely successful efforts by DHS to meet their aggressive implementation and guidance deadlines. Both DHS and the DOJ have been extremely forthcoming with respect to explaining and clarifying administrative, operational, technical, and legal aspects associated with implementing information-sharing mechanisms, including those associated with a newly modified, automated information-sharing capability. While there are still some operational improvements needed to facilitate the efficient sharing of both automated and non- automated processes, and Government guidelines remain to be finalized, there is clear evidence of a strong commitment on the part of industry and government to address any remaining barriers. Several major companies in our sector are already enrolled in the program and others are in process of completing their evaluations. One note of concern that we would like to share with this committee involves the implications of potential privacy rules that the FCC recently announced. Under the act, an entity can share information on a specific person if at the time of the sharing that entity did not knowingly reveal personal information unrelated to a cybersecurity threat. Unlike the language in the act, the FCC proposal would grant the protection only when the sharing is shown to be, ``reasonably necessary.'' This language creates ambiguity and uncertainty and is likely to spur reticence on the part of the companies, who could fear enforcement action based on an after- the-fact FCC determination of reasonableness. We will work hard to secure the appropriate clarity, and we continue to engage the FCC in this rulemaking proceeding. In closing, let me once again thank the committee for their on-going work to oversee the implementation of this landmark legislation. Given the magnitude of the threat and the promise of this legislation, periodic oversight by this committee will only bring us closer to making the cyber world much safer. Thank you, and I look forward to your questions. [The prepared statement of Mr. Mayer follows:] Prepared Statement of Robert H. Mayer June 15, 2016 Chairman McCaul, Ranking Member Thompson, and distinguished Members of the committee, thank you for giving the Communications Sector and me personally the opportunity to appear before you today for this important oversight hearing. My name is Robert Mayer, and I serve as vice president of industry and state affairs at the United States Telecom Association. USTelecom represents companies ranging from some of the smallest rural broadband providers to some of the largest companies in the U.S. economy. I am a past chair and current cybersecurity committee chair of the Communications Sector Coordinating Council (CSCC) which represents the Broadcasting, Cable, Satellite, Wireless, and Wireline segments. The CSCC is one of the 16 critical infrastructure sectors under the Critical Infrastructure Partnership Advisory Council (CIPAC) through which the Department of Homeland Security (DHS) facilitates physical and cyber coordination and planning activities among the private sector and Federal, State, local, territorial, and Tribal governments. Today, our Nation faces unrelenting assaults from a variety of bad actors including, among others, nation-states, criminal enterprises, terror organizations and individual and group hackers. And as new interconnected platforms, technologies and applications grow exponentially, so does the attack surface expand placing every U.S. citizen and organization in harm's way. In this setting, information sharing represents a fundamental building block in protecting the vital interests of all well-intended stakeholders in the cyber ecosystem. The United States Congress and this committee in particular are to be applauded for passing bipartisan legislation that now serves as a cornerstone in protecting our Nation's economic and National security from the perils of a cyber attack. The Cybersecurity Act of 2015 is a complex bill that represents a careful balance of interests across a broad spectrum of stakeholders.\1\ The Act is founded on the voluntary sharing of information and provides authority for preventing, detecting, analyzing, and mitigating cybersecurity threats and includes fundamental protections important to our industry including those related to privacy; exposure to regulation; State, Tribal, or local disclosure laws; and general legal liabilities. --------------------------------------------------------------------------- \1\ Cybersecurity Act of 2015 was passed as part of the Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, 129 Stat. 2242 (available at https://www.congress.gov/114/plaws/publ113/PLAW- 114publ113.pdf). --------------------------------------------------------------------------- On the privacy front, great care was taken to safeguard individuals from having their personal information shared with the Government in a manner not directly related to specifically authorized activities associated with cyber threat indicators and defensive measures. Of great importance to our industry were the assurances that information shared with our Government partners would not be directly used to regulate--including enforcement actions--lawful activity to monitor, operate defensive measures or share cyber threat indicators. Similarly, protections from Federal and State disclosure laws provide the appropriate balance between interests in transparency while not impeding vital information sharing. Finally, by authorizing the EINSTEIN 3 Accelerated (E3A) and Enhanced Cybersecurity Service (ECS) programs, and eliminating statutory obstacles to their implementation, the Act took important steps to make the networks of Federal civilian agencies, State governments, critical infrastructure providers and other entities safer, especially from advanced persistent threats. Perhaps of greatest significance on the impact of future information sharing were the protections from liability incorporated into the Act. While there may remain some lingering questions in this area that are now the subject of further clarification, the lack of such protections was one of the most serious impediments to sharing information. The law establishes an appropriate standard by applying an exemption to liability protection only in such instances where there was a knowing sharing of personal information or information that identifies a specific person not directly related to a cybersecurity threat or where there exists evidence of gross negligence or willful misconduct in the course of conducting the authorized activities. The Communications Sector has been actively engaged in information sharing operational and planning activities at DHS and elsewhere, both before and subsequent to the passage of the Act. Today at the operational level, over 50 private-sector communications and information technology companies and 24 Federal Government agencies share critical communications information and advice in the DHS National Coordination Center (NCC) which also operates as the Communications Information Sharing and Analysis Center (ISAC) in accordance with a 2000 Presidential Directive.\2\ In this trusted NCC/ Comms ISAC environment, information on cyber vulnerabilities, threats, intrusion, and anomalies is routinely exchanged among Government and industry participants.\3\ --------------------------------------------------------------------------- \2\ Presidential Policy Directive 63, (available at http://fas.org/ irp/offdocs/pdd/pdd-63.htm). \3\ See, DHS description of the NCC/Comms ISAC (available at www.dhs.gov/national-coordinating-center-communications). --------------------------------------------------------------------------- Another noteworthy undertaking is this area involves activity in a newly-established information sharing committee under the CSCC. This committee was created following the passage the Act to evaluate current information-sharing activities and what the sector can do to support new and evolving initiatives. The committee has identified a variety of mechanisms and venues for information sharing including those with trusted peers and commercial partners, Government agencies under contract, law enforcement, industry peers as part of the sector policy and planning process, DHS via the National Cybersecurity and Communications Integration Center (NCCIC) and other affiliated organizations like US-CERT, other public and private partners and finally by ISPs for their own internal use to protect their networks and customers. The committee is also planning to conduct a preliminary assessment of how the current, more narrowly circumscribed information sharing has been effectively and appropriately expanded as a consequence of the legislation adopted by Congress. While the Act is only 6 months old, it is already evident that this new law is having an impact on both industry and Government efforts to facilitate greater information sharing. We want to take this opportunity to acknowledge the significant and largely successful efforts by DHS to meet their aggressive implementation and guidance deadlines. Both DHS and the Department of Justice have been extremely forthcoming with respect to explaining and clarifying administrative, operational, technical, and legal aspects associated with implementing information sharing mechanisms including those associated with a newly modified, Automated Information Sharing (AIS) capability.\4\ While there are still some operational improvements needed to facilitate the efficient sharing of both automated and non-automated processes, and Government guidelines remain to be finalized, there is clear evidence of a strong commitment on the part of industry and Government to address any remaining barriers. Several major companies in our sector are already enrolled in the program and others are in the process of completing their initial evaluations. --------------------------------------------------------------------------- \4\ See DHS information on Automated Information Sharing Program (available at https://www.dhs.gov/ais). --------------------------------------------------------------------------- One note of concern that we would like to share with this committee involves the implications of potential privacy rules that the FCC announced in their recent Notice of Proposed Rulemaking.\5\ Under the Act, an entity can share information on a specific person if at the time of the sharing that entity did not knowingly reveal personal information unrelated to a cybersecurity threat.\6\ Unlike the language in the Act that would allow for liability protection in such instances, the FCC proposal would grant the protection only when the sharing is shown to be ``reasonably necessary.''\7\ This language creates ambiguity and uncertainty and is likely to spur reticence on the part of companies who could fear enforcement action based on an after-the- fact FCC determination of reasonableness. We will work hard to secure the appropriate clarity as we continue to engage the FCC in this rulemaking proceeding. --------------------------------------------------------------------------- \5\ Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, Notice of Proposed Rulemaking, FCC 16-39 (rel. Apr. 1, 2016) (FCC NPRM). \6\ See, Cybersecurity Act of 2015 Section 104(d)(2)(A). \7\ See, FCC NPRM at para. 117. --------------------------------------------------------------------------- In closing, let me once again thank this committee for their on- going work to oversee the implementation of this landmark legislation. Given the magnitude of the threat and the promise of this legislation, periodic oversight by this committee will only bring us closer to making the cyber world much safer. Mr. Ratcliffe. Thank you, Mr. Mayer. The Chair now recognizes Mr. Clancy, for 5 minutes, for his opening statement. STATEMENT OF MARK G. CLANCY, CHIEF EXECUTIVE OFFICER, SOLTRA Mr. Clancy. Chairman McCaul, Chairman Ratcliffe and Ranking Member Richmond, and Members of this committee, thank you for scheduling today's hearing. My name is Mark Clancy, and I am the chief executive officer of Soltra. I want to thank you for your efforts and long-standing dedication to addressing cybersecurity concerns in this committee, including the passage of the cyber information- sharing legislation. CISA's passage was a critical step toward improving the collective resiliency of our Nation's critical infrastructure. It has only been 6 months since CISA was signed into law, but its implementation is moving forward quickly. As an early participant in the DHS Automated Indicator Sharing System, I believe that Soltra can offer a unique window into AIS's progress, key lessons learned and suggested improvements as this implementation continues. Formed in 2014, as a joint venture between DTCC and the FS- ISAC Act, Soltra and its automation software, Soltra Edge, are bringing cutting-edge innovation and technical capabilities to the cybersecurity information-sharing process. DTCC is a participant-owned and -governed cooperative that serves as critical infrastructure of the U.S. capital markets, as well as financial markets globally. In 2015, DTCC subsidiaries processed securities transactions valued at $1.5 quadrillion. The FS-ISAC is a not- for-profit organization formed in 1999 to address cyber threats in the Nation's critical infrastructure. The FS-ISAC has grown rapidly in recent years, and today the FS-ISAC has nearly 7,000 member organizations across 37 countries. Soltra leverages the unique expertise of both these entities in our solutions to shorten the time from awareness, to decision, to action in addressing cyber threats. Soltra began as a cross-industry initiative that provides a no-cost platform that users can access to share cyber threat intelligence, or CTI, within or across communities. After less than 18 months, Soltra Edge has been downloaded by over 2,600 organizations in 75 countries across 25 industries. Our threat-sharing ecosystem relies on 3 open standards first developed by DHS and MITRE and now managed by OASIS. These are known as STIX, TAXII, and CYBEX. By using these standards, Soltra enables users to communicate CTI in a format that a human can understand and a machine can process, thereby cutting down hundreds of hours of effort that are currently needed to distill this information. These open standards also allow Soltra users to exchange CTI from community sources like ISACs and ISAOs, commercial sources, Government sources such as DHS, Treasury, FBI, and utilize that information in a variety of commercial and open- source tools. As I mentioned earlier, Soltra is one of the handful of companies that has already enrolled in AIS. DHS has been a helpful partner in this process, and as is normal in the case of any program there are a few areas that would benefit from clarification. First and foremost, it has been our observation that additional guidance is needed from DHS and DOJ that the liability of protections under CISA cover private-to-private sharing. The initial guidance was silent on that point and created much confusion in the industry as a result. Just as of today, it looks like that was addressed in the updated guidance that DHS had published, and we look forward to reviewing that in the fall. As you know, privacy is and always will be a top priority for the financial services sector. As we move forward with CISA, additional guidance is also needed from DHS to provide clarity on the definition of personally identifiable information, or PII. Thus far, the definition of PII in the AIS guidance differs from the definition of PII in other DHS programs. It is critical that clarity be provided quickly by DHS to ensure top protections by all who participate in the program. While it is still early on in the AIS program, I would like to focus on 5 recommendations for improving the AIS system. First, to maximize the potential of AIS, it would be beneficial to streamline the process for signing up and to simplify the process for obtaining digital certificates from Federal Bridge providers. Second, various aspects of the law as well as the implementation have caused DHS to add extensions into the STIX standard. AIS also includes a series of required fields in STIX data submitted to the Department, which if not included will reject any attempted submission from a company. It would be helpful for DHS to specify those things up-front in order to help implementers understand what needs to be done in advance of connecting to the AIS system. Third, DHS should issue guidance on how the CISCP program fits under CISA to provide greater verification. Fourth, for greater participation and ease of use in the future, it would be beneficial to add a test environment where companies can ensure its AIS interface works effectively. Finally, there are 3 main data points that the private sector would like to see added to the AIS system to help increase the effectiveness of the platform. These include additional information about the types of threat actors associated with threat intelligence, recommended defensive measures, and a feedback loop to refine the context of CTI data. I want to thank you once again for providing me with the opportunity to share my insight today, and I look forward to working with the committee, Congress and the Executive branch as well as with our private-sector partners to achieve the collective goals of CISA. I would be happy to answer any questions that you may have. [The prepared statement of Mr. Clancy follows:] Prepared Statement of Mark G. Clancy June 15, 2016 Chairman Ratcliffe, Ranking Member Richmond, and Members of the committee, thank you for scheduling today's hearing on industry perspectives on the Cybersecurity Act of 2015 (CISA). My name is Mark Clancy, and I am the chief executive officer of Soltra. Soltra's mission is to design and deliver solutions that shorten the time from awareness, to decision to action, in addressing cyber threats. First, thank you for all of your efforts and dedication to addressing key cybersecurity concerns and for successfully passing cybersecurity information-sharing legislation. As our Nation continues to confront serious cybersecurity threats to our critical infrastructure, cybersecurity information sharing is one critical way to address these challenges. cybersecurity information sharing Cybersecurity information sharing has been a cornerstone of various aspects of my career, beginning in 2004. At that time, I was running Citigroup's global Security Incident Response Team. Twelve years ago, we worked to combat the menace of phishing attacks targeting our customers. We quickly learned that the criminals were using the same approaches to target customers of other financial institutions; and by bi-directional sharing of the technical observations of those attacks with our competitors, we all were better able to minimize the impacts of these incidents. That first generation model of sharing was born out of personal trust between individual practitioners who met face-to-face frequently. By 2008, a new sharing model was needed as the Financial Services Information Sharing and Analysis Center (FS-ISAC) started to grow significantly. This second generation trust model had widened to a larger number of institutions and individuals who still meet face-to- face on occasion, but now had moved to using electronic mail lists as the primary method of exchanging information between face-to-face meetings. By 2010, when I was the chief information security office at The Depository Trust and Clearing Corporation (DTCC), we realized the scale of the community and the tonnage of information being shared grew to the point we could not utilize all the information, and that a third generation approach to sharing was required to use standardization and automation. This lead to us exploring standards that described a cyber threat in such a way that a human could understand it, but a machine could process it. soltra creation: dtcc and the fs-isac collaboration Soltra is the financial industry's answer to the third-generation information-sharing model. Soltra is a joint venture created by DTCC and the FS-ISAC that leverages the unique expertise of both entities, bringing together the best and brightest of the industry. DTCC is a participant-owned and governed cooperative that serves as the critical infrastructure for the U.S. capital markets as well as financial markets globally. At its core, it develops and harnesses technology to provide a variety of risk management and data services to the financial services industry. More than 40 years ago the firm was created largely out of the need to leverage technology and automation in order to ensure securities transactions were more efficiently settled, thereby reducing risk of loss in the event of a counterparty default. In this respect, DTCC presently is among the most sophisticated financial technology or ``FinTech'' companies. Today, DTCC continues to deploy evolving and improving technology in service to its mission as the primary financial market infrastructure for the securities industry. DTCC simplifies the complexities of clearing, settlement, asset servicing, data management and information services across multiple asset classes. In 2014, DTCC's subsidiaries processed securities transactions valued at approximately US$1.6 quadrillion. The FS-ISAC is a 501(c)6 nonprofit organization and is funded entirely by its nearly 7,000 member firms and sponsors. It was formed in 1999 in response to 1998 Presidential Decision Directive 63 (PDD 63), which called for the public and private sectors to work together to address cyber threats to the Nation's critical infrastructures. The FS-ISAC expanded its role to encompass physical threats after the attacks on 9/11/2001, and in response to Homeland Security Presidential Directive (HSPD) 7 (and its 2013 successor, Presidential Policy Directive (PPD) 21) and the Homeland Security Act. The FS-ISAC has grown rapidly in recent years. In 2004, there were only 68 members which were mostly large financial services firms. Today, FS-ISAC has nearly 7,000 member organizations, including commercial banks and credit unions of all sizes; markets and equities firms; brokerage firms; insurance companies; payments processors; and 40 trade associations representing all of the U.S. financial services sector. Because today's cyber-criminal activities transcend country borders, the FS-ISAC has expanded globally and has active members in over 37 countries. soltra Soltra advances cybersecurity capabilities and increases resilience of critical infrastructure organizations by collecting and distilling cybersecurity threat intelligence from a myriad of sources to help safeguard against cyber attacks and deliver automated services at ``computer speed,'' cutting down the hundreds of human hours that are currently needed to distill cyber threat information. Soltra began as a true cross-industry initiative that included a live prototype involving over 125 security practitioners that included FS-ISAC members, private-sector representatives from other critical sectors, and Government entities to refine the requirements, architecture, and design of Soltra's automation software, which is known as Soltra Edge.TM Soltra Edge provides for a free platform that users can access, and after less than a year-and-a-half, Soltra Edge has been downloaded by over 2,600 organizations in 75 countries spanning 25 industries to consume, utilize, and share cyber threat intelligence using open standards. The Soltra Edge platform sends, receives, and stores messages of Cyber Threat Intelligence (CTI) in a standardized way. It hides the complexity of the underlying technical specification so that end users can setup and start receiving threat information in under 15 minutes in most cases, changing the paradigm where it could take months or millions of dollars to change internal systems if companies wanted to do it on its own. The information that is received can be used to push instructions to other security tools to perform detection and mitigation of those threats. To support the widest possible adoption, we also made a highly functional version of the platform available at no cost to end-user organizations to defend themselves. We also offer a low-cost or no-cost solution to ISAC and ISAO community organizations to act as the community hub for machine-to-machine threat sharing if they lack an existing operational capability. For organizations with additional needs, we also offer a paid membership which includes system integrations for platforms that have not adopted standards, enterprise grade operational features, and technical support. soltra creates the first-ever interoperable information sharing platform: provides cross-sector sharing to better combat threats Soltra has built a threat-sharing ecosystem using 3 open standards first developed by DHS and MITRE called the Structured Threat Information eXpression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII), and the Cyber Observable eXpression (CybOX). STIX, TAXII, and CybOX have been transitioned into an international standards body, OASIS. These open standards are foundational for the interoperability and machine processing that are key to addressing complexity, and acting on information quickly. The OASIS CTI Technical Committee, which maintain these standards, has the largest amount of corporate and individual members of any technical committee in the standards body. Soltra utilizes these open standards and has the unique ability to be the ``glue'' between different sectors and to provide connectivity for those who do not have the time or infrastructure to manage the transition to STIX/TAXII. This common standard also allows a defender of networks to use CTI from community sources like ISACs and ISAOs; Government sources such as the U.S. Departments of Homeland Security (DHS) and Treasury, along with the Federal Bureau of Investigation (FBI); and utilize that information in a variety of commercial and open-source security tools. It also addresses the problems companies currently have when using multiple vendors whose bundling of CTIs may only work with that same vendor's tools. Soltra fixes this problem and allows for the use and scalability of information from multiple sources to be utilized in multiple tools that detect or defend the network. Soltra also helps break down barriers between and amongst key sectors of the economy, providing the bridge from financial services to key sectors like health, energy, retail, as well as State, local, Tribal, and territorial (SLTT) governments. Historically, sectors only shared information within that sector. While important and effective to do, it also stovepipes the fact that the attackers are using the same Tactics, Techniques, and Procedures (TTPs) against all sectors and allows them to effectively use the same tool to attack all sectors. Soltra breaks down the barriers to sharing by ultimately providing the ``utility platform'' and enabling interchange of, information already in the STIX/TAXII format. We see this today with firms that are members of multiple ISAC/ISAO organizations and with ISACs that have sharing relationships with each other. Both of these act as cross-sector bridges since it is simple to share information. Friction is greatly reduced when using Soltra to connect organizations--the same standard format, communications method, and access controls are used to respond to the data-handling instructions driven from the Traffic Light Protocol markings of content. soltra and information sharing bring greater security Sharing information about threats remains essential as Mandiant reports\1\ that for 2015 the median number of days from compromise to discovery was 146 days. This improved from a median of 229 days from the 2014 Mandiant report,\2\ but is still an extensive window. The 47% of firms that detected a breach themselves took 56 days to discover the breach, but the 53% of firms notified by an external party had a median of 320 days from compromise to detection. --------------------------------------------------------------------------- \1\ https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf. \2\ http://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf. --------------------------------------------------------------------------- This is directly relevant to information sharing in two ways. First, the delta between the time of an internal and external notification are likely a symptom of poor access to information about threats or ability to act on that information. Second, information shared about threats may represent intrusion sets recently identified that had been in situ for a long time. We need to both increase the percentage of internally discovered breaches and shorten the time to detect them. Sharing CTI data is one such way these discoveries are made and timely sharing leads to timely discovery. Soltra is working to solve this problem by widening the access to CTI data and shortening the time to act on it over manual methods. It is hard to know with certainty why the industry improved the lag in compromise to discovery, but it is highly likely information sharing tipping defenders on what to look for was a part of the improvement. Third, there are some important lessons learned about the benefits of sharing information that, quite simply, will vary based upon the maturity of the institution participating in the program. However, a few things are universal: First, initially when a company receives CTI data, it is purely a consumer of that information. It might find that it has limited technical or operational capabilities to utilize some or all of the information in an effective way. For example, it may receive indicator information about malware on endpoint, but not have a capability to scan end points for such files. At that juncture, the company will begin to realize that it needs to better understand what is in the data to actually be able to utilize it. For example, understanding how to use information when the temporal context is of an intrusion 300 days ago is important. If it then looks for that activity from the moment the CTI is received, it could miss the event that precipitated the intrusion several hundred days earlier. If it was just recently reported, the original victim may have just identified it and that data, even if it is a year old, might be the clue needed to ascertain if the same incident had occurred in your infrastructure. As a company moves up the maturity curve, it also moves from primarily utilizing the telemetry which is represented by the CTIs and starts to utilize insights and contextual information to anticipate hazards down the road. Even in mature sectors the bulk of the activity is around the telemetry CTI data. As a company matures into using CTI data that was shared, it starts to realize that some data lacks sufficient context and may appear to be a false positive. This comes about between the very natural tension between sharing quickly when information is fresh, but could still be incomplete. This also occurs by the very nature of the investigative process that produces information and observations of activity that may have occurred during an attack but could be unrelated to the attacker's actions and are an artifact of normal IT system behavior. In order to address this, a company will want to have a method to ask the producing source to confirm details, or perhaps after its own research it will understand the context was lost or the CTI data is, in fact, inaccurate. A company will need to have a mechanism to share these results back to the producing source so they can adjust the content and send out a revision to the community. This is important to note because as a company builds information- sharing products it will need to support a range of needs and maturity levels. It will also need to have the capability to receive feedback on existing products in addition to the ability to consume new submissions from the community. Finally, a company will also need to create methods to address the level of trust needed between members of a community as that community scales and the parties become more remote to each other. cisa implementation It has only been 6 months since CISA was signed into law, and while there has been a rapid fire of activity in that time, more work certainly remains to be done. Guidance issued on how to submit information under CISA by DHS/DOJ adhered to the letter of the law and described private-to-Government sharing, but was silent on private-to- private sharing. This created some confusion concerning the scope of liability or when protections might apply. As an example, the FS-ISAC had to send a memo to all its members to clarify that the protection in the law did apply to private-to-private communications within the FS- ISAC membership. As recently as Thursday, June 9, 2016, DHS advised that CISA covers private-to-private sharing and that it would be included in the revised guidance required by Congress on June 15, 2016. Soltra is one of the handful of companies that already has enrolled to DHS's Automated Indicator Sharing (AIS) program. As required by law, in March 2016 DHS opened access to its AIS platform along with the procedural documents of how to submit data to comply with the requirement in the law related to personal information. DHS has been a helpful partner in this process, and as is normally the case in any program, there are a number of areas that would benefit from clarification at this juncture. They include: 1. Additional guidance is needed from DHS on the definition of Personally Identifiable Information (PII).--Thus far, the definition of PII in the AIS submission guidance differs from the definition of PII in other DHS programs and was not defined in the Act. The vast majority of information sharing about cyber threats does not involve any personal information, but the lack of clarity as to which definition would be used for personal information across DHS programs needs to be made clear. The financial sector sent a letter on May 11, 2016 to DHS and the U.S. Department of Justice (DOJ) asking for clarification on this matter. 2. Current ``Lessons Learned'' Using the AIS System: Streamline the process for signing up for AIS.--To enroll in the AIS program participants need to execute two agreements with DHS, enroll to get an authentication certificate from an approved FedBRIDGE provider, submit network address information, and technical details of the sharing platform to be used. Digital Certificates.--The AIS process requires all users to obtain a digital certificate from 1 of the 3 FedBRIDGE providers which has become a cumbersome process. As background, these certificates are traditionally issued to individuals to support strong authentication and email encryption whereas the use case for AIS is to authenticate a machine used for sharing within a company. At this juncture, the AIS system requires a single person within the company to obtain the certificate which then has to be loaded into the server to communicate with the AIS system. That automated process actually requires paper documentation that has to be sent to DHS via the U.S. mail system. While the need for the authentication is critical, there is an inherent disconnect between the ultimate goal of the AIS system which is machine-to-machine. Going forward, it would be more helpful for a system to be created that allows for an organization level credential to be issued to the server used by the company to participate in the program. Other submission methods such as the web form and fax do not have the same authentication requirements. AIS Changes to STIX/TAXII Fields.--Various aspects of the law as well as implementation have caused DHS to modify aspects of the STIX/TAXII fields. AIS also includes a series of ``required'' fields in STIX data submitted to the department which if not included, will reject any attempted submission from a company. It would be helpful for DHS to specify those up-front in order to help companies understand what needs to be done in advance of connecting to the AIS system. Clarify how CISA protections apply to CISCP.--The AIS program does not support submissions of Proprietary Information (PROPIN) nor Protected Critical Infrastructure Information (PCII) although DHS does indicate information submitted under the CISCP program can receive protections for PROPIN or PCII. Many companies are used to submitting both PROPIN and PCII related information and it would be critical to ensure that companies can continue to do so, hopefully using the AIS system for sake of ease. DHS should also issue guidance on how the CISCP program fits under CISA to provide for greater clarifications. Add a Test Environment Where Companies Can Ensure Its AIS Interface Works Effectively.--As is the case with many systems, it is preferable to be able to test whether or not a company's systems are interoperable with the AIS platform. Short deadlines in the law required the AIS system to be stood up quickly, and at this point, DHS does not have a system integration or test environment available. As a result, a company must attempt to work out the various issues in a live production environment. Moving forward, a test environment would be helpful for other companies and may allow for greater participation and ease of use in the future. new data points to add to ais There are 3 main data points that the private sector would like to see added to the AIS system to help increase the effectiveness of the AIS system: 1. Types of Threat Actors.--It would be exceptionally helpful if the AIS data could include an assessment of the type of threat actor behind the activity when that is known. It is clear that there are practical challenges of ``naming names'' in an Unclassified context. However, examples exist, including in the 2013 Defense Science Board report, ``Resilient Military Systems and the Advanced Cyber Threat,''\3\ that includes a 6-tier scale that would provide sufficient context to companies without naming specific actors. --------------------------------------------------------------------------- \3\ http://www.acq.osd.mil/dsb/reports/ ResilientMilitarySystems.CyberThreat.pdf. --------------------------------------------------------------------------- 2. Defensive Measures.--One of CISA's objectives was to support the development of ``defensive measures.'' While more work will be needed to get to that point, AIS could add in recommendations to how recipients might use the AIS data sets. For example if a set of AIS information was to include the suggested defensive measure of ``block, mitigate, or monitor'' it would inform consumers the best type of ``defensive measure'' to employee even if detailed recommendations are unavailable. This would be an important benefit to the AIS system that could bring a greater number of participants into the system. 3. Feedback Loop and Context to Data Context is important for all companies who participate in the AIS program. As the AIS system continues to be fine-tuned, there are a number of issues that would be helpful to review and clarify which may increase greater connectivity and participation overall. As we know, the spectrum of possible participants will bring with them different skills, capabilities, and maturities so for those submitting to AIS the downstream recipients want to understand the context and credibility of the information from AIS. These types of questions are foundational issues that have come from the variety of sectors Soltra supports, including those that are participating in the AIS program or those who have indicated they intend to participate in the near future. In the near future, industry participants will want to be able to select the type of data they want to receive from AIS which could include sector- specific or even cross-sector information. Levels of ``trust'' associated with the data will be important and industry participants will want to understand what process DHS will use if AIS members ask for more specific information from the AIS system, including the ability for DHS to reach back out to the original submitter of the data. Ultimately, DHS will need to be able to communicate how its internal process is set up to identify and vet the data submitted, a challenge that many ISACs have gone through themselves. The DHS guidance does mention a process that will be put in place to deal with false positives and mechanisms to address updating data and it will be critical that DHS provide clarity on that quickly. cybersecurity information sharing and collaboration program (ciscp) and private-sector security clearances under ciscp Many of Soltra's customers and community members participate in the CISCP program, which is widely viewed as a beneficial program that facilitates cross-sector engagement with government. It brings private- sector and government analysts together at quarterly in-person meetings, the Advanced Technical Threat Exchanges (ATTE). CISCP also allows the private sector to work on the National Cybersecurity and Communications Integration Center (NCCIC) floor, giving participants access to DHS, LE, and IC analysts. We are seeing an increase in production around CISCP analysts turning FS-ISAC reports into CISCP Indicator Bulletins. changes to security clearances needed Challenges continue to exist in obtaining security clearances for companies. First, post the cybersecurity attack on the Office of Personnel Management (OPM), clearance times are much longer. Second, it would be helpful if there was more transparency into the process with key performance metrics being available to Critical Infrastructure and Key Resources (CIKR) members or their ISACs. It should include monthly breakdowns by sector and clearance types of the number of new clearances requested, the number of investigation completed, the aging of applications by stage, the number of reinvestigations initiated/completed per month, as well as median times for each stage. Third, there have been a number of changes to the security clearance program that has caused a number of challenges to many companies, including those who have historically had individuals on the NCCIC floor. As background, private-sector companies have 2 routes to have essential personnel cleared for access to Classified Information. The first is the Private-Sector Clearance Program (PSCP) initiated via the sector-specific agency and sponsored/operated by DHS, and which holds clearances to the Secret level. The second route is by executing a Cooperative Research and Development Agreement (CRADA) with DHS. With a CRADA in place the firm needs to have a Facilities Clearance (FCL), which allows it to hold staff clearances up to Top Secret and have access to the NCCIC floor. A recent change that greatly impacted a number of ISACs was the requirement to have the FCL in place for their company. This was not a previously requirement of the CRADA process for CISCP as DHS rolled it out and was added at later date by the Defense Security Service (DSS.) A number of ISACs did not have FCLs current and therefore were removed from the NCCIC floor leaving no representation in the coordination process for those sectors. These ISACs do not have Classified work areas in their offices and were using the NCCIC floor for any handling of Classified materials. The requirements for obtaining the FCL are determined by the DSS. One attribute of this process is a requirement to clear top executives or board directors for companies. This program requirement made a lot of sense in the Defense Sector when the main objective of the FCL was managing contractors working on defense system projects. With the cybersecurity threat, the majority of the attack surface is in the private sector and many of the companies are multinationals with non-U.S. citizens on corporate boards or executive management, rendering the existing scheme less tailored for successful application to today's environment. The CISCP program with DHS requires a CRADA be in place for the receipt of Unclassified information such as Cyber Threat Indicators. As a direct result of the change requiring the FCL for the CISCP CRADA a number of financial sector firms are in the process of ending their CRADA with DHS and going back to using the PSCP program to avoid the entanglement of having top executives or board members without cybersecurity responsibilities having to hold clearances which are orthogonal to their duties for the company. Again this is to receive Unclassified information from the DHS CISCP program. The ISAC's that have an FCL will participate in CISCP via the CRADA and then be able to share Unclassified information from CISCP with their members. As a practical matter, when Classified information is shared with the private sector, this is done in a U.S. Government Facility with the appropriate FCL in place. It is unclear how ISACs that do not have the FCL will participate in the CISCP program going forward. In addition to the problems with the CRADA and FCL, the problems and frustration with the clearance processes remain. next steps Implementation of the Cybersecurity Information Sharing Act is moving forward quickly and DHS, DOJ, and the Congress are to be commended for how quickly the AIS system has been stood up, and the various guidance documents issued on time. As with every system, there are lessons learned and items that can be improved, and we look forward to working closely with DHS and others to achieve our collective goal. Soltra and Soltra Edge are bringing cutting-edge innovation and technical capabilities to the cybersecurity information-sharing process. Soltra Edge is providing a simple and easy solution by providing the core backbone and technical processes that have previously prohibited many companies from sharing, thinking that the process is too cumbersome or difficult just to get started. Soltra is helping companies in all sectors to increase the ability and likelihood that information sharing can help provide vastly improved cybersecurity defenses and ultimately make it harder and more expensive for attackers. We look forward to working with this committee, Congress, and the Executive branch, as well as with all of our private-sector partners to achieve our collective goals. Mr. Ratcliffe. Thank you, Mr. Clancy. The Chair now recognizes Mr. Rosen, for 5 minutes. STATEMENT OF MORDECAI ROSEN, GENERAL MANAGER, SECURITY BUSINESS UNIT, CA TECHNOLOGIES Mr. Rosen. Good morning, Chairman McCaul, Chairman Ratcliffe, Ranking Member Richmond, and Members of the subcommittee. Thank you for the opportunity to appear before you today. My name is Mordecai Rosen and I serve as the senior vice president and general manager of the Cybersecurity Business Unit at CA Technologies. CA is one of the largest enterprise software companies in the world. We serve a global customer base in nearly every major commercial and industrial sector. CA software helps our customers develop, manage and secure the systems and services that form the basis for the new application economy. I want to thank the committee for getting the cybersecurity act of 2015 over the finish line last year. CA was a strong supporter of the legislation and is encouraged by DHS's implementation thus far. I want to focus on two topics today. First, I plan to highlight why identity and access management are so important in protecting our infrastructure and establishing trust in the cybersecurity ecosystem. Second, I will provide our overall perspective on the act and its implementation. Applications have become the central way businesses connect with their customers. Identity is the new security perimeter for the application economy. In virtually every large network breach in recent memory, compromised identities were the common threat. CA believes that robust identity solutions covering both human-to-machine and machine-to-machine connections will be vital to protecting Government and commercial networks and applications. Identity solutions ensure that users, devices, and applications are who and what they say they are. I want to congratulate DHS for the job they have done to date on implementation. The legislation had very aggressive time lines to get the program up and running. DHS has met those deadlines and has worked collaboratively with their Government and industry partners to provide clarity around the overall program, and this should be commended. At the same time, there are specific areas where further clarification will help accelerate adoption. CA, like many organizations, is actively exploring participation in the DHS Automated Indicator Sharing program. While we have strong interest, we and others still have outstanding questions. First, organizations will need even greater clarity on targeted liability protection for the database, shared or received. Our hope is that the updated guidance, which I know has been released this morning, that DHS releases will answer outstanding questions. DHS will need to remain actively engaged with industry to help them fully understand these protections. Second, ensuring trust in the system and providing robust privacy protections will remain central to successful implementation and adoption. DHS must be able to effectively authenticate users that share or receive information under the program. For example, DHS must be able to confirm that a participant sharing information is a real entity, not a front for hackers. We are concerned that confidence in the program will lessen if participants cannot be authenticated and the data being shared cannot be trusted. Maintaining confidence in the act's privacy protections remain critical. DHS's initial guidance made strong privacy commitments, but participants will need even greater clarity. Stakeholder outreach and engagement through implementation will ensure that privacy considerations remain at the forefront. Third, we have to make it as easy as possible for organizations to participate. The uptake of automated, real- time information exchanges that protect user privacy will define whether the act is a success, and the data received must be timely and actionable for the program to have maximum impact. We look forward to reviewing DHS's updated guidance and hope it will give us the certainty needed to become an active partner in the program. You asked CA to also address the Federal agency cyber provisions contained in Title II of the act. The EINSTEIN and Continuous Diagnostics and Mitigation, CDM, programs, when fully deployed will help Government agencies be more secure. CA has been an active participant in Phase 2 of CDM, which addresses identity and access issues with a significant focus on privileged users. Managing the rights of privileged users remains one of the most important areas of IT risk for organizations today. Improper actions by privileged users can have disastrous effects on IT operations and security. Privileged axis management solutions provide the visibility, monitoring, and control needed for users and accounts that have the keys to the kingdom. Deployment of CDM is at a critical stage. We have growing concerns that this deployment will be delayed, however, because agencies do not have the adequate contracting personnel to acquire the services from DHS. We recommend the committee keep a watchful eye on this issue as part of your oversight. Thank you for your focus on cyber threat information sharing. CA stands ready to continue our partnership with you, with DHS and with our industry colleagues to enhance trust and make it as easy as possible for organizations to participate. Thank you again for the opportunity to be here. I look forward to answering any of your questions. [The prepared statement of Mr. Rosen follows:] Prepared Statement of Mordecai Rosen June 15, 2016 Chairman McCaul, Ranking Member Thompson and Members of the committee: Thank you for the opportunity to appear before you today. My name is Mordecai Rosen and I serve as senior vice president and general manager of the Security Business Unit at CA Technologies, where I manage global development of CA's cybersecurity products and solutions. CA is one of the largest enterprise software companies in the world, serving global customers in nearly every major commercial and industrial sector. We are headquartered in New York, and have 11,000 employees across the globe, including many in districts represented on this committee. CA delivers software that is mission critical to the development, management, and security of technologies, which optimize business operations and enable digital transformation in what is being referred to as the ``application economy.'' I intend to focus my remarks today on two important and related topics. First, I want to highlight some of the emergent and serious cybersecurity threats we see in the application economy. Second, I'll plan to provide CA's specific perspective on the Cybersecurity Act of 2015--how it can be effectively implemented, and how we ultimately feel it can serve as a guidepost for reducing cyber risk in both Government and commercial systems. introduction CA Technologies was a strong supporter of the Cybersecurity Act of 2015 and is encouraged by the implementation thus far. Cyber threat information sharing helps us improve our collective cyber defenses by enabling us to prioritize and deploy resources against current and anticipated attacks. Improving Federal agency cybersecurity helps defend National security and protect citizen data. We want to thank the committee for your driving this legislation over the finish line last year. The application economy is transforming the way organizations do business. From entertainment to communications to finance, applications are rewriting the world in which we live, and are enabling organizations and governments to provide services to customers and citizens in new ways that reduce costs, enhance efficiencies, and improve outcomes. Software has become the principal means through which organizations deliver these new services. Examples of these technologies include mobile banking applications, the smart grid to reduce energy costs, and connected vehicle communications to improve safety and efficiency. Applications have become the critical point of engagement for organizations of all sizes, optimizing experiences and providing a direct and constant connection from organizations to their end-users. CA software transforms businesses' ability to thrive in this new reality, delivering the means to deploy, monitor, and secure their technology investments. However, the increasing volume and sophistication of cyber attacks threatens to undermine this progress through the illegal transfer of intellectual property, the theft of personally identifiable information (PII) and other sensitive data, and the undermining or destruction of critical infrastructure systems. Cyber attacks that disable systems, such as the electric grid, water utilities, financial markets, or even mass transit systems, could have a potentially catastrophic effect, putting the health and safety of large populations at risk. Federal agency breaches that result in the loss of sensitive data can lead to massive identify theft and fraud, and can put National security at risk. The Federal Government has suffered significant and harmful breaches over the past few years, most notably the Office of Personnel Management (OPM) breach that compromised the data of more than 20 million current and former Government employees and contractors. Yet, the Government doesn't stand alone as a target for attack. The critical infrastructure community of the United States includes public and private operators of critical systems and assets, and they are all experiencing sophisticated attacks that carry with them the possibility of catastrophic outcomes. The German government recently said in a report that hackers successfully broke into the control systems of a domestic steel plant and caused massive damage to the blast furnace. Here in the United States, the Wall Street Journal recently reported that 2 years ago hackers infiltrated the control system of a small dam less than 20 miles from New York City. As the Federal Government and critical infrastructure owners and operators look to create efficiencies through automation and modernization, they must build security in to their systems on the front end and abandon the model of bolting security on afterwards. the role of identity protections in robust cybersecurity In this new threat environment, CA believes that identity and access management technologies are central to protecting systems, networks, devices, and data and to enabling secure interactions with customers and citizens. The traditional network perimeter can no longer provide a control mechanism for this access. Identities now constitute the new perimeter and are the single unifying control point across all apps, devices, data, and users. As such, identities and application programming interfaces (APIs) serve as the foundations of the application economy because they enable easier deployment of secure apps and help simplify control of access to those apps. They are how you protect access to apps and data, whether that be by human-to- machine or machine-to-machine. APIs provide a way to connect computer software components and data. Broadly speaking, APIs make it possible for organizations to open their backend data and functionality for reuse in new application services (think hotel websites using Google or Bing for their maps and directions). An API achieves this by facilitating interactions between code modules, applications, and backend IT systems. The API specifies the way in which these different software components can interact with each other and enables content and data to be shared between components. Given these new realities, identity is now the attack vector of choice for cyber criminals. In virtually every large network breach in recent memory, compromised identities were the common thread. Protecting identities is foundational to robust security in the application economy. CA Technologies has made a strategic commitment to addressing identity-centric cybersecurity challenges in today's dynamic threat environment by developing effective identity management solutions through our in-house development process. CA software manages millions of user identities in most major countries around the world. We provide identity-centric security solutions to multiple Federal agencies. Our API Management tools are used within the Federal Government and the commercial sector to protect network and application interfaces, to facilitate the secure exchange of information, and to ensure that any data shared protects personal privacy. We believe all of these capabilities will further enable robust cyber threat information sharing. I'll touch more on this below. dhs implementation of cyber threat information sharing provisions in the cybersecurity act Congress passed the Cybersecurity Act of 2015 to help businesses and governments better protect themselves against cyber attacks. The Act promotes cybersecurity information sharing between the private sector and the Government, and across the private sector. In addition, the Act includes provisions to strengthen Federal agency cybersecurity through a Federal intrusion and detection system, through capabilities to continuously diagnose and mitigate cybersecurity risks, and through other measures. CA Technologies supported the passage of the Cybersecurity Act of 2015 because it includes key provisions for which CA has been an active advocate: The bill includes targeted liability protections for program participants; it includes measures to protect the privacy of individuals; and it promotes the further development of automated mechanisms for sharing cyber threat indicators. CA Technologies believes the Cybersecurity Act will enhance security and provide businesses with the assurances needed to securely share with trusted partners the security threats they are seeing on their own networks, and to receive threat indicators from the wider ecosystem, which will help them optimize defenses. We believe the automated capabilities provided through the DHS Automated Indicator Sharing (AIS) program will make it easier to accept and exchange cyber threat data in real time. CA Technologies welcomes the opportunity to provide our insight on implementation to date, and to make recommendations to encourage greater participation in the information sharing program and to improve Federal agency cybersecurity. At the outset, I want to congratulate DHS for the job they've done thus far on implementation. The Cybersecurity Act of 2015 contained very aggressive time lines for DHS to release initial and final guidance to implement the program and to designate the primary system that would be used to exchange threat data between participants. DHS has met those deadlines thus far, and has worked collaboratively with their Government and industry partners to provide clarity around the overall requirements for sharing, the privacy protections and processes required to participate, and the process required to take full advantage of the program's benefits. We know how challenging it is to balance competing interests and meet very aggressive deadlines. While the initial guidance documents that DHS issued have raised some questions that we will address below, by and large we feel they provide good clarity on the technical, legal, and practical considerations entities need to weigh when determining whether to participate in the program. We are encouraged by DHS's openness to the feedback they have received from industry, civil society, and other actors in the cybersecurity ecosystem, and by DHS's consultative approach. DHS has indicated that they intend to address the majority of these questions in their final guidance documents. We look forward to reviewing those in detail when they are released later today. We are committed to working with DHS to move implementation forward with active and constructive industry dialogue. Among other organizations, CA Technologies is a member of the Information Technology Information Sharing and Analysis Center and sits on the Executive Committee of the IT Sector Coordinating Council, which helps advise DHS and other Federal agencies on information-sharing policies and public-private partnerships. I'd now like to turn to our views on specific provisions of the legislation and the issues we see at play and where some further clarity is needed in implementation. Liability Protection Organizations should have targeted liability protection for the data they share or receive. This protection will encourage greater participation in the program, leading to better cyber defense. Liability and regulatory concerns are powerful inhibitors of participation in information sharing agreements. Reducing these barriers through targeted protections helps organizations feel more secure in sharing, receiving, and acting upon cyber threat indicators. The Cybersecurity Act included targeted liability protections, and DHS today is releasing updated guidance providing greater clarification on these protections and the requisite responsibilities of participating companies. Cybersecurity information sharing is based on trust, and this trust needs to be underpinned by strong certainty for participating companies. While the preliminary guidance released by DHS in February began to provide greater clarity around processes and procedures to gain protections, it also left a great deal of uncertainty. Our understanding is that the updated guidance should provide more clarity and we look forward to exploring this in greater depth. Beyond the release of the updated guidance, we encourage DHS to actively engage with industry and legal groups to help them better understand the information-sharing program, the responsibilities of participating organizations, and the liability protections that will be afforded participants. Preserving Privacy The Cybersecurity Act of 2015 requires organizations to take reasonable steps to remove PII of individuals not related to the threat from any cyber threat information they share through the program. It also requires the Government to further scrub this information to ensure that PII is removed. This is vital to protect the privacy of customers and citizens. The global IT industry is very sensitive to issues of protecting customer privacy and enhancing trust in the solutions we deliver. Therefore, we believe it will be helpful for DHS and the administration to reassert that the purpose of cyber threat indicator information sharing is to protect networks. Any Government exceptions to this purpose must be clearly defined and limited. In addition, CA and others advocated strongly that cybersecurity threat indicator information should be shared through a civilian portal under the legislation. We want to thank the committee for pushing the National Cybersecurity and Communications Integration Center (NCCIC) at DHS as the portal for information sharing, and we encourage the administration to continue to promote this portal as the principal mechanism through which to share. While requirements to remove PII are important to protect privacy, it's also important to help organizations better understand how they can remove PII automatically. DHS's STIX/TAXII effort can help organizations understand what data to share, and how to share it, but companies will need further help to take the guesswork out of this process and automate the removal of PII before sharing. Myriad tools and capabilities exist in the commercial sector to enable automated PII removal. To the extent that organizations are able to effectively utilize these tools, it will lessen their concerns about liability and will heighten user confidence in the program. We feel that the initial guidance released by DHS made strong commitments towards preserving privacy under this program, though participants will need greater clarity. We look forward to reviewing the updated DHS guidance in this space. Again, active stakeholder outreach and engagement throughout the policy implementation process can help lead to effective outcomes that address both security and privacy needs. DHS can work with sector-specific agencies to convene workshops and other engagement activities where organizations can learn best practices on privacy protection as part of information-sharing programs. Ideally, these workshops and programs can target different types of industries and can take place in different regions of the country. DHS can also work to encourage greater participation in the information-sharing standards development process, established under the President's Executive Order from February 2015. The Standards Development Organization, led by the University of Texas at San Antonio in partnership with LMI, is currently developing draft standards for Information Sharing and Analysis Organizations (ISAOs). This work should be as open and inclusive as possible, enabling multiple types of organizations, including both nonprofit and for-profit organizations to establish ISAOs. Automated Indicator Sharing Ultimately, in order to truly move the needle on improving cyber defenses in a significant way, organizations will need to leverage automated, real-time, actionable information exchanges. Cyber attacks happen rapidly and without up-front notice. Once cyber threat indicators are discovered, this information must also be disseminated rapidly to allow organizations that are the subject of attacks to mitigate their impacts, and to help other organizations target their defenses against the newly-discovered threat. DHS has been working to promote its Automated Information Sharing (AIS) program, which leverages explicit protocols to identify and structure information on cyber threat indicators and to provide for a secure manner of exchanging this information. CA Technologies has been working with DHS and other industry partners to help enable this secure, automated exchange of information across a wide range of different organizations. CA provides API management software that helps authenticate, authorize, validate, transform, and filter near-real-time cyber-threat messaging. We believe that any successful information sharing program must depend heavily on the authentication of the individuals and organizations that participate, and on the validity and integrity of the information and the data that is shared under the program. CA would like to thank the committee for promoting further development of automated information sharing mechanisms in the final legislation. While DHS's activity on automated sharing programs pre- dates the passage of the Cybersecurity Act, the inclusion of this program in the Act should boost confidence and encourage greater participation. We recommend that DHS continue to leverage key outreach and partnership programs, such as the Critical Infrastructure Cyber Community or C3 program, and partnerships with Sector Coordinating Councils to build greater awareness around automated information sharing, and to help organizations understand what technical and procedural steps they will need to take to participate. Industry can also play a significant role to build awareness. Sector groups can develop user guidance and promote this with their members. In addition, we recommend that DHS and the Federal Government continue to promote the STIX/TAXII protocols with global standards development organizations. Ultimately, cybersecurity is a global challenge that doesn't recognize National borders. Global security solutions providers, including CA Technologies, seek to develop products that can scale for the global marketplace. The STIX/TAXII protocols are already commonly used to enable cyber threat information sharing across the Federal Government and in the private sector, and we hope that this progress can be leveraged to improve cybersecurity internationally. DHS's recent decision to transition continued development of the STIX standard to OASIS is a positive development that will build international engagement and consensus around the protocol. CA Technologies is not a current participant in the AIS system. Our internal security team currently utilizes multiple private-sector tools to identify, analyze, and prioritize cyber threat indicators. However, CA recognizes the significant benefits that we can derive from participation in information-sharing partnership programs in order to defend against cyber attacks. Therefore, we are actively exploring participation. We welcomed the passage of the Cybersecurity Act of 2015 because of its authorization of activities and its calls for protections for participants. However, while we have strong interest, we are being very deliberate in making a determination on participation because we have outstanding questions associated with the program. First, will the information we receive through this program be timely, accessible, and actionable? Our security analysts must review and act on threat information from myriad sources in real time. Information shared through this program must help organizations to prevent, detect, or mitigate attacks. Therefore, information needs to be shared in an expedited fashion. Information has to be understandable for participants in the program. And participants need to be able to act on the information, whether that be mitigating against specific on- going threats, or re-deploying defenses for anticipated attacks. We continue to examine how we would need integrate AIS threat indicators into our overall threat management processes. Second, how will DHS authenticate users who are receiving or sharing information in the program? Trust is vital to the success of information sharing and users must have confidence that the information they are sharing or receiving will not fall into the hands of adversaries and enable further attacks. Participants will want to know that the information they share will not be leveraged in a way that harms them. They will also want to know that the cyber threat indicator data they are acting on is valid. And, citizens and customers will want to know that participating businesses and the Government are doing everything they can to protect their privacy under this program. Therefore, identity and access management will play a crucial role in protecting the underlying information-sharing systems. And third, will there be greater clarification and guidance around liability and privacy protections in the program? This includes clarification around liability protections for the sharing of information with other private-sector organizations and for acting or not acting upon the receipt of indicators. It also includes greater clarification on privacy protection requirements. To reiterate, CA Technologies believes that DHS has done an admirable job of early-stage implementation of the information-sharing provisions of the Cybersecurity Act. CA looks forward to reviewing the updated guidance released by DHS today, which we hope will give us the certainty needed to become an active partner in AIS. We also encourage DHS to continue to conduct industry outreach, to help raise industry awareness of the programs, and to further provide clarification on associated liability and privacy protections. We look forward to working with DHS and the committee on continued successful implementation of these programs. protecting federal information systems A significant number of recent Federal breaches resulted from compromised identities, including those of privileged users. Title II of the Cybersecurity Act recognized this issue and authorized solutions to more fully address the vulnerabilities in Government systems. The EINSTEIN and Continuous Diagnostics and Mitigation (CDM) programs, when fully deployed will help Government agencies acquire vital security capabilities and tools to better secure Government networks and systems. The EINSTEIN program is designed to detect and block cyber attacks from compromising Federal agencies, and to use threat information detected in one agency to help other Government agencies and the private sector to protect themselves. The CDM program provides Federal departments and agencies with capabilities and tools that identify cybersecurity risks on an on-going basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. CA has been an active participant in the CDM implementation. While CDM Phase 1 focused on asset discovery and management, Phase 2 is titled ``Least Privilege and Infrastructure Integrity'' and has prioritized both identity management and privileged access management. One of the most important areas of IT risk relates to privileged users. Whether inadvertent or malicious, improper actions by privileged users can have disastrous effects on IT operations and on the overall security and privacy of organizational assets and information. Therefore, it is essential that administrators be allowed to perform only those actions that are essential for their role-enabling ``least privileged access'' for reduced risk. Privileged Access Management solutions provide the visibility, monitoring, and control needed for those users and accounts that have the ``keys to the kingdom.'' This visibility provides insight on activity and works to prevent or flag anything unusual that indicates security risk. Both identity management and privileged access management positively affect operations, putting security activity in the background to make sure security is not seen as a barrier, but instead as an enabler to more secure business operations. CA would like to thank the committee for authorizing these programs under the Cybersecurity Act. In particular, we believe that legislative language calling on the head of each agency to assess access controls to sensitive and mission critical data will help protect against the threat of improper use of privileged credentials. Finally, on behalf of our IT industry partners, we would like to thank the committee for its help in conference negotiations to ensure that the EINSTEIN program would be designed to promote the security of Federal networks without jeopardizing multi-tenant cloud environments. In addition, we welcome continued committee oversight of DHS implementation to improve effectiveness and accountability. Overall, our primary recommendations in this space are the need for procurement flexibility and improvements in the workforce development process. Currently, Federal agencies recognize the value in deploying CDM solutions. However, they recognize that these deployments could be paid for by DHS in the following appropriations cycle. Agility and speed are very important in this context. Ultimately, a plan and a strategy are worthless without deployment. There is a distinct risk of a moral hazard where agencies will not prioritize cyber funding in the short term, leaving them susceptible to risk of a significant breach in the interim. Further, DHS partners with GSA on the development of contract vehicles for these programs, and there is a need for more trained contracting personnel to accelerate deployment of these new contract vehicles. We think this should be a key focus for implementation of Title III of the Cybersecurity Act. In the wake of the OPM breach, we saw Government officials working around the clock to improve systems. These are committed individuals, and the sense of urgency following the breach resulted in quick and decisive action to resolve significant challenges that became immediately apparent. However, the long-term success in implementing those decisions may be hamstrung by backlogs in the procurement process. Reacting to specific events to shore up defenses is different than proactive planning. As we look forward, we believe there is opportunity for DHS and its partner agencies to leverage the lessons learned in the cyber sprint and apply them proactively to enhance overall cyber posture across the Federal Government. I would mention two things in particular that we think warrant further consideration by this committee. First, we believe it is critical for the Federal Government to align its own cybersecurity practices with the NIST Cybersecurity Framework that is quickly becoming the standard for private-sector information security management efforts. Ensuring that the same approach is being used across the public and private sectors will standardize terminology and ensure that the Government is walking the walk when it comes to the approach evangelized in the Cybersecurity framework. We want to commend the committee for favorably reporting the ``Improving Small Business Cybersecurity Act of 2016'' last week. As this legislation moves forward in the House and ultimately, we hope, to enactment, we would recommend that an explicit requirement be included directing DHS and the Small Business Development Centers to also leverage the NIST Framework in maturing their cybersecurity programs. Second, we recommend the committee maintain focus on the unique cyber threats emanating from the compromise of digital identities. As we note above, the attack vector of choice in today's threat environment remains identity. CA believes that any conversations about cybersecurity threats and solutions must keep a strong focus on shoring up identity protections and enabling organizations to protect themselves from sophisticated identity-based attacks. conclusion Cybersecurity represents a significant challenge for industry officials, and for State, National, and global policy makers. At the same time, the application economy is unlocking a multitude of opportunities to provide new services and value to customers and citizens. State, National, and global governments must work with private sector, academic, and public stakeholders to develop and implement cybersecurity policies that improve security, enable innovation, and build public trust. The Cybersecurity Act of 2015 recognizes the crucial role of public-private partnerships in enhancing cybersecurity by authorizing and promoting active cyber threat indicator information sharing across the private and public sectors. It also recognizes the National imperative to protect Federal information networks and systems. Ultimately, the success of this legislation will depend on stakeholder engagement, agility and inter-agency cooperation and buy- in. CA believes that DHS has made great strides in partnering effectively with the private sector on the implementation of information-sharing provisions and we encourage DHS to continue to improve in this regard. The Title II provisions of this Act, in combination with last year's updates to the Federal Information Security Management Act, further enhance DHS's position to play the lead operational role in protecting Federal information civilian systems. CA Technologies applauds the efforts the committee has taken in tackling these key issues. We stand ready to continue partnering with the committee, DHS, and our industry colleagues in the effective implementation of the Cybersecurity Act of 2015. Thank you very much for the opportunity to testify today, and I look forward to answering any questions you may have. Mr. Ratcliffe. Thank you, Mr. Rosen. The Chair now recognizes Ms. Sage, for 5 minutes for her opening Statement. STATEMENT OF OLA SAGE, FOUNDER AND CHIEF EXECUTIVE OFFICER, E- MANAGEMENT Ms. Sage. Good morning, Chairman Ratcliffe, Ranking Member Richmond, and distinguished Members of the committee. Thank you for the opportunity to testify this morning as a small-business owner of a 17-year-old tech firm on the Cybersecurity Information Sharing Act, CISA, and other information-sharing initiatives. Today I will discuss my company's experience, some perspectives on CISA and some final thoughts. In 2013, through our own research, we became aware of the DHS Enhanced Cybersecurity Services initiative, known as ECS, which is a voluntary information-sharing program that augments capabilities of critical infrastructure owners and operators by providing Classified cyber threat indicators to improve protection of their systems and customers. Following the execution of a memorandum of agreement with DHS, we experienced a significant hurdle. We knew ECS was a Classified program, and while we had a facility clearance, it was not at the level required to gain access to information needed to determine if we could participate in ECS. We spent weeks trying to locate a SCIF, or a Sensitive Compartmented Information Facility, that we could use just for a few hours to review the requirements to be an ECS partner. We eventually found a solution, but to our disappointment the financial barrier to entry was so high we determined that it would be cost-prohibitive. A year later, we entered into a Cooperative Research and Development Agreement, a CRADA, with DHS for an Unclassified program that allowed us to receive actionable Government- developed cybersecurity threat information and maintain access to or have an on-site presence within the National Cybersecurity and Communications Integration Center. Our experience to date has been mixed. We do receive regular updates on threat information through the portal, which is very accessible. However, much of the Unclassified information is already widely available on the internet or is dated. We have ended up building our own TAXII server which provides communication specifications for exchanging cyber threat information through open sources. In 2015, DHS informed us of another new program called the Automated Indicator Sharing dissemination capability. While we are interested in participating, establishing the necessary operational capabilities has been constrained by our own limited resources. I would like to share 4 observations and a few thoughts on CISA and other information-sharing initiatives as it relates to small businesses like ours. No. 1, small businesses are unaware of CISA. We recognize the law is new, and though it applies to any size organization, today it is largely an interest of larger companies with greater infrastructure and resources. There is an opportunity for the Government to increase the visibility of the law through its existing outreach and awareness programs to the SMB community through, for example, SBA programs or by working with chambers of commerce, small- business associations and trade groups. Second, small businesses need to understand how CISA helps them. In the law itself, there are only two references to small business, which highlights that this law is not directly focused on small businesses. How does CISA apply to SMBs in general? How does an SMB use CISA to help them better protect their business? What protocols would help facilitate and promote the sharing of cyber threat indicators within the SMB community? Answers to these and other questions would help clarify the law's applicability SMBs. Third, small businesses are confused by the myriad of information-sharing initiatives. The number and variety of information-sharing initiatives is overwhelming to many small businesses, if they are even aware they exist. For example, Enhanced Cybersecurity Services, the Cooperative Research and Development Agreement, the National Cybersecurity Communications Integration Center, Automated Indicator Sharing, the Information Sharing and Analysis Centers and the Information Sharing and Analysis Organizations are just a few that we can participate in. It would be very helpful if these initiatives could be streamlined and tailored to our community. Last, cybersecurity is costly for small businesses. Some industry estimates suggest costs of up to $60,000 a year for a 50-employee company, and it is not clear to many what the concrete benefits are of investing those kind of dollars in cybersecurity. As information-sharing is voluntary under CISA, the key driver for a small-business CEO like myself to consider participation is the cost to implement. A significant percentage of small-business owners still do not believe that they have anything that criminals want. It would be helpful if there could be an estimate of what it would cost a small business to participate in various information- sharing forums, similar to the time estimates that are provided for completing Government forms. In closing, CISA is in its early stages and we recognize that over time the implementation of the law will mature, providing more clarity for its application, in particular for small businesses. I remain committed to working with Government and industry partners to identify and promote affordable solutions that enable small businesses like ours to strengthen their cybersecurity readiness and posture. Thank you again for the opportunity to testify and I am ready to answer any questions you may have. [The prepared statement of Ms. Sage follows:] Prepared Statement of Ola Sage June 15, 2016 opening remarks Good morning Chairman Ratcliffe, Ranking Member Richmond, and distinguished Members of the committee. It is an honor for me to be here today. My name is Ola Sage and I am the founder and CEO of two technology small businesses, e-Management and CyberRx, located in Silver Spring, Maryland. e-Management was founded in 1999 and employs nearly 70 information technology (IT) and cybersecurity professionals who deliver services in our core areas of IT Planning, Engineering, Application Development, and Cybersecurity. In 2013 e-Management was honored to receive the Department of Energy's Cybersecurity Innovative Technical Achievement Award, highlighting the capabilities of our cybersecurity experts in designing and implementing advanced cybersecurity detection and risk management capabilities. Earlier this year the U.S. Chamber of Commerce selected e-Management as one of the top 100 small businesses in America in 2016. CyberRx, my second company, was launched in 2015 and offers a software platform that private-sector companies, and small businesses in particular, use to help them measure, manage, and improve their cybersecurity readiness. Our software allows companies to quickly assess their cyber readiness and resilience using a unique application of the Cybersecurity Framework (CSF), which was developed collaboratively with the National Institute of Standards and Technology (NIST), academia, and industry. CyberRx is both vendor-agnostic and affordable, as we believe cybersecurity should be manageable and accessible to all organizations, particularly the most vulnerable small- and medium-sized businesses (SMBs). In April of this year, I was elected to serve as the chair of the IT Sector Coordinating Council (IT SCC). The IT SCC comprises the Nation's top IT companies, professional services firms, and trade associations, and works in partnership with the Department of Homeland Security (DHS) to address strategies for mitigating cybersecurity threats and risks to our Nation's critical infrastructure, especially for organizations and businesses that are particularly vulnerable, such as SMBs. One of the joint priorities this year with the IT SCC and DHS is to provide the SMB community with best practices and products for implementing the CSF to better protect businesses and manage risk. I am also a 9-year member of Vistage, an international organization of more than 20,000 CEOs who control businesses that have annual sales ranging from $1 million to more than $1 billion. I regularly meet with and speak to small business CEOs in Vistage and other small business forums about why cybersecurity should matter to them and how it can affect their ability to keep business, stay in business, or get new business. Over the last 12 months alone, I have spoken to more than 200 SMB CEOs in a diverse mix of industries. I am a champion and advocate for SMB cybersecurity readiness. Thank you for the opportunity to testify today as a small business owner. In my testimony today, I will discuss: My company's experience with various Government information- sharing initiatives Perspectives on the Cybersecurity Information Sharing Act (CISA), and opportunities for the SMB community Concluding thoughts. experience with government information-sharing initiatives As an IT and cybersecurity small business provider, maintaining our competitiveness requires us to constantly add value to our clients by offering them the best combination of new products and services. In 2013, through our own research we became aware of the Enhanced Cybersecurity Services (ECS) program at DHS. ECS is a voluntary information-sharing program that augments capabilities of critical infrastructure owners and operators by providing Classified cyber threat ``indicators'' to improve protection of their systems and their customers. We reached out to learn more and were invited to establish a Memorandum of Agreement (MOA) to govern the Government's provision and e-Management's receipt and use of information and ECS-related activities. Following the execution of the MOA, we experienced our first hurdle. We knew ECS was a Classified program and while we had a facility clearance, it was not at the level required to gain access to information needed to determine if we could participate in ECS. We spent weeks trying to locate a Sensitive Compartmented Information Facility (SCIF) that we could use just for a few hours to review the requirements to be an ECS partner. We reached out to various Government contractors whom we knew either had a SCIF or access to one, but were turned down time after time. We eventually found a solution that enabled us to review the requirements, but to our disappointment, the financial barrier to entry was so high, we determined that it would be cost-prohibitive for us to participate. A year later, in 2014, we entered into a Cooperative Research and Development Agreement (CRADA) with DHS for an Unclassified program that allowed DHS and e-Management to engage in data flow and analytical collaboration activities, including receiving relevant, Unclassified, and actionable Government-developed cybersecurity threat information. Through the CRADA, e-Management was also permitted to maintain access to or have an on-site presence within the National Cybersecurity and Communications Integration Center (NCCIC). Our experience with the CRADA has been mixed. We do receive regular updates on threat information through the portal, which is very accessible; However, much of the Unclassified information received is already widely available on the internet or is dated, and therefore has limited use for our cybersecurity analysts or our clients. We ended up building our own Trusted Automated eXchange of Indicator Information (TAXII) server, pulling from open sources to collect threat information that we could use to better protect our company. In 2015, we were informed of a new initiative called the Automated Indicator Sharing Initiative Dissemination Capability, which could enable us to participate in the dissemination of cyber threat indicators under the DHS Automated Indicator Sharing (AIS) Initiative TAXII server, in addition to the existing portal means provided through our CRADA. While we have an in interest in participating, establishing the necessary operational capabilities is constrained by limited resources. an smb ceo's perspective on opportunities for the cisa and information- sharing initiatives for small businesses The Cybersecurity Act of 2015 provides a way for the Government and the private sector to collaborate on cybersecurity while providing the necessary protections to alleviate the concerns of many companies, large or small, that they may be exposed to civil or criminal liability, reputational damage, or competitive threats. Some observations about the law, other information sharing initiatives, and some recommendations for how CISA can be more relevant to the SMB community, are as follows. 1. Small businesses are unaware of CISA.--CISA is new and though it applies to any size organization, today it is largely an interest of larger companies that have the infrastructure and resources to act. There is an opportunity for the Government to increase the visibility of the law through its existing outreach and awareness programs to the SMB community through, for example, Small Business Administration (SBA) programs, or by working with Chambers of Commerce, small business associations, and trade groups. 2. Small businesses need to understand how CISA helps them.--In the law itself, there are only 2 references to small business, which highlights that this law is not directly focused on small businesses. How does CISA apply to SMBs in general? How does an SMB use CISA to help them better protect their business? Is CISA more applicable to certain types of small businesses? What protocols would help facilitate and promote the sharing of cyber threat indicators with the SBM community? Answers to these and other questions would help clarify the law's applicability to SMBs. 3. Small businesses are confused by the myriad of information- sharing initiatives.--The number and variety of information- sharing initiatives is overwhelming to many small businesses, if they are even aware they exist. For example, Enhanced Cybersecurity Services, the Cooperative Research and Development Agreement, the National Cybersecurity and Communications Integration Center, Automated Indicator Sharing, the Information Sharing and Analysis Centers, and/or the Information Sharing and Analysis Organizations, are just a few of the information-sharing initiatives companies can participate in. It would be helpful to the SMB community if these initiatives could be streamlined and tailored for the SMB community. 4. Cybersecurity is costly for small businesses.--Implementing cybersecurity best practices and solutions is costly for many small businesses. Some industry estimates suggest costs of up to $60,000 a year for a 50-employee company, and it is not clear to many what the concrete benefits are of investing those kinds of dollars in cybersecurity. As information sharing is voluntary under the law, the key driver for a small business CEO to consider participation will be the cost to implement. There is still a significant percentage of small businesses owners who do not believe that they have anything that criminals would want. It would be helpful if there could be an estimate, on average, of what it would cost a small business to participate in the information-sharing forum (e.g., similar to the time estimates that are provided for completing Government forms). conclusion CISA is in its early stages and we recognize that over time the implementation of the law will mature providing more clarity for its application, particularly for SMBs. We at e-Management and CyberRx are committed to working with Government and industry to identify and promote affordable solutions that enable small businesses to strengthen their cybersecurity readiness and posture. Thank you again for the opportunity to testify. I am ready to answer any questions you may have. Mr. Ratcliffe. Thank you, Ms. Sage. Thanks to all the witness for your testimony. I now recognize myself, for 5 minutes, for questions. I will start by saying that after receiving today's hearing testimony, I want to try and make one thing clear, and that is that this subcommittee will try to do everything that we can to ensure that the final DHS and DOJ information-sharing guidance explicitly states and clarifies that the Cybersecurity Act's liability protections are in fact extended for sharing between non-Federal entities. I would in fact like it noted for the record that it was Congress' full intent to grant private-to-private liability protections when such sharing was conducted in accordance with the law. Having said that, I know that the Department of Homeland Security and Department of Justice this morning issued final guidance. I don't know if our witnesses have had an opportunity to review that, so I am not going to put any of you on the spot. But I would like to give you the opportunity to address this issue and how a lack of clarity in liability protection might cause general counsels in some private companies to prohibit their cyber operators from sharing information. I will start with you, Mr. Eggers. Mr. Eggers. Thank you, Mr. Chairman. I think, at least in terms of the interim guidance and procedures documents that we have been reviewing since February, our members view them as very good. I haven't had a chance to look through the latest documents that were just released, I think, over the evening. We'll do that. My impression, but we'll wait to see what the language states, is DHS and DOJ have tried to clarify, per the law, that the protections attach when non-Federal entities or private organizations or even State and local governments share between themselves and among themselves. I think just kind of taking a step back, organizations are able to enter into the CISA and the AIS program when they are sharing threat data for a cybersecurity purpose, right, and they are doing other things, such as monitoring, sharing, receiving indicators and defensive measures. Irrespective of the size of an organization, those protections and I should say the authorizations and the protections should attach. Mr. Ratcliffe. Thank you, Mr. Eggers. Mr. Mayer, I want to give you an opportunity. Mr. Mayer. Sure. Sure. Thank you. Real quickly, I also haven't had an opportunity to read the guidance. I think this has its roots in perhaps some comments that came out of DHS at one point suggesting that there was some uncertainty or ambiguity around this issue. We had always felt that reading the statute that private-to-private sharing was permitted. So I would say that, since some uncertainty was introduced, resolving that explicitly, as you did just now and as I am sure the guidance states, will only be helpful in terms of us being able to take advantage of the program. Thank you. Mr. Ratcliffe. Great. Thank you, Mr. Mayer. Mr. Clancy, anything you would like to comment on? Mr. Clancy. Just to add, I think to, you know, build on the comments of the earlier panelists, I would just say that the place where the confusion was the greatest was in the ISAC community when sharing between a member to the ISAC to a member. The ISACs themselves went and did their own legal reviews, got legal opinions and started to clarify that issue on their own. I think just reinforcing it by your statements and the additional clarified guidance from DHS and DOJ can help us move past this issue. Mr. Ratcliffe. Thank you, Mr. Clancy. Mr. Rosen. Mr. Rosen. Yes, I think we primarily agree with what has been said down the line. We understand the existing liability we have today with sharing threat information, sharing breach information. We just want to make sure, and we will hopefully find it in the additional guidance, that we are not increasing our liability for either good-faith acts or lack of action based on some cybersecurity indicator. So I think that kind-of is the most important clarity for us. Mr. Ratcliffe. Terrific. Thank you. Ms. Sage, anything you would like to add? Ms. Sage. I haven't read it. Sorry, Mr. Chairman. Mr. Ratcliffe. No, that's fine. Ms. Sage. Happy to get back to you. Mr. Ratcliffe. On March 17, I was at the NCCIC to witness the certification to Congress that the Automated Information Sharing program, or AIS, was operational. Mr. Clancy, you are the CEO of Soltra, which I understand is currently going through the process of connecting with DHS's AIS system, could you talk a little bit about how that process is going so far? What are the next big milestones for the AIS program going forward, as you see it? Mr. Clancy. Thanks for the question. So yes, we have been enrolled in the program. We have been doing I will call it the technical integration side of the story. As with any new technical capability, there are those normal, you know, bumps in the road as you get going. We have been working through them and the Department's been pretty responsive in addressing them. As I mentioned in my testimony, there are some challenges in the on-boarding, the process by which you get credentialed. To go to Mr. Rosen's comment, I think the challenge is establishing identity of the participants and the process that was used, vis-a-vis how it interacts with machine-to-machine sharing. We believe that the other challenge was the customizations that were made and quite necessary for submitters of information to mark how they wanted their identity to be handled. So did they want comments attributed to them, to everyone in the program, to only U.S. Government or to no one outside of the NCCIC? That just takes time for the platforms and the implementers to absorb. So I think that's moving forward, I think it is in the right direction, but it had a little bit of latency for everyone getting started. Mr. Ratcliffe. Thank you, Mr. Clancy. The Chair now recognizes the Ranking Minority Member of the subcommittee, the gentleman from Louisiana, Mr. Richmond, for any statement that he may offer or any questions he may have. Mr. Richmond. Mr. Chairman. I would ask unanimous consent to submit for the record the DHS and Department of Justice document released this morning entitled Guidance to Assist Non- Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act. Mr. Ratcliffe. Without objection.* --------------------------------------------------------------------------- * The document has been retained in committee files. --------------------------------------------------------------------------- Mr. Richmond. Thank you. Let me start, I think, Ms. Sage, where you kind-of touched. The act requires periodic circulation of cybersecurity best practices, paying special attention to the needs of small businesses. When this guidance is published, presumably probably early next year, what would you like to see in it? I would take from your testimony that you mentioned, like, cost estimates and others, but anything else you would like specifically to see in it? Ms. Sage. Some degree of prioritization. Where should we start? Where are the areas that have the most impact to a small business like ours would also be helpful. Mr. Richmond. Thank you. Well, to Mr. Clancy, do you see potential conflicts between the FCC's proposed privacy rules for ISPs and the monitoring and information sharing authorized under the Cybersecurity Act? Mr. Clancy. I think that question might be better for Mr. Mayer, but I can certainly see any ambiguity in what the definition will add uncertainty and will chill the ability for people to share information. Mr. Richmond. Mr. Mayer. Mr. Mayer. Thank you, sir. As I indicated in my opening remarks, I think that any time you introduce a level of uncertainty into this process, the lawyers are going to be inclined to want to be very prudent and careful. What the FCC has done, well, let me correct that, what the FCC may do, because it is a proposed rulemaking, is they may have a standard in there that talks about being reasonably necessary versus the standard that is in the Act, which is that there has to be knowing that the information was not consistent with a cybersecurity purpose. So what that means for us is that we understand what the bar is for knowing, we can understand what it is for gross negligence and willful misconduct. But when you are talking whenever it is reasonable, reasonably necessarily, we don't know if that means you should have known if you didn't know. We don't know where the determination is going to be made after the fact as to what our instructions are, what the rules will require. That is going to require probably another layer of legal scanning and review on the part of our attorneys. That really is very much inconsistent with what you are trying to accomplish with respect to real-time information sharing. So I am confident that we can work with the FCC and explain how that provision could complicate what was intended through this legislation. Mr. Richmond. Thank you. Well, in the lead-up to the Cybersecurity Act we passed, industry told us consistently over and over again that information sharing, the fear for participating was exposing oneself to legal liability. In fact, Mr. Eggers, you specifically testified about a year ago to urge legislation granting businesses a safe harbor from frivolous lawsuits, public disclosure, regulatory and antitrust actions. Ultimately, we passed that law. However, we talked with DHS this morning, and only about 30 entities are actually participating on a day-to-day basis. Some say a hundred have signed up, but only 30 have skin in the game. Would you say that the private sector is holding up its end of the bargain? Mr. Eggers. No, sir, I think that we've seen, as I noted in my opening testimony, we've kind of got two bookends. We've got companies that can't share enough and get enough cyber threat data. There are a lot of leading companies in this space that have been sharing and receiving data without protections for several years. In that middle, I think, and the final guidelines just came out, so I think it is too soon to make a definitive judgment, but we are very optimistic. On the other hand, we still have companies, as I noted I was at a DHS C3 event in Indianapolis, we still got companies who have, I think, pictures in their head of regulators lying in wait or consumer privacy groups writing lawsuits. That is the picture in their head. We don't think that that is completely accurate. What we think is going to happen is the new protections, whether they are liability, regulatory, antitrust or public disclosure, are going to help those leading companies, right, and those folks who are part of ISAOs and ISACs now, or soon will be, do more confidently. Then I think over time and to the point about small businesses, I hope that what we will see is that we won't necessarily have to put a large burden on the smaller and under-resourced organizations. There will be some kind of technologies, and I think they already exist, that can be put on networks and systems that can generate and swap threat indicators at real time. Those companies and that companies that help those organizations will enjoy those protections, too. I also understand that there are about 30 companies that are directly plugged into the AIS system with about a hundred companies signed up. I expect that that number will grow as folks interpret the guidance and he ISAOs are created as we go forward. Mr. Richmond. Thank you, Mr. Chairman. I yield back. Mr. Ratcliffe. Thank the Ranking Member. The Chair now recognizes the gentlemen from Pennsylvania, Mr. Perry. Mr. Perry. Thank you, Mr. Chairman. Ms. Sage, over here. In your opinion if you can, do you see the Federal Government's responsibility regarding vulnerability disclosure as a component of information-sharing process? Do you see the current level of vulnerability disclosures are strengthening your defensive posture, if that makes sense to you, if I have stated that correctly? Ms. Sage. If I understand the question, do I believe that the level of vulnerability information that we are receiving from the Federal Government is helping our companies? Mr. Perry. Essentially, correct. Ms. Sage. I would say probably, but there are just so many places to get it and it's overwhelming. We are not sure if we are getting the right information. I welcome, you know, Matt Eggers' comment over there. If at some point this kind of information could be built into tools that we already use so that we are not having to go to all these different places to get it, that would be a very welcome development. Mr. Perry. OK. So somewhat of a consolidation and indexing if it so you know what is current and that you have the complete panoply of everything available at one place, you are not wondering if you are missing something. Ms. Sage. Correct. Mr. Perry. All right. Ms. Sage. To the comment of the AIS program, I mean, we were as I mentioned in my testimony, interested in participating, but in order to participate you have to have your own TAXII server. Mr. Perry. Right. Ms. Sage. So for a small business to invest in that, you know, it just adds to the cost. Mr. Perry. Right. Yes, I am not sure as to how you get there quite honestly. Ms. Sage. Right. Mr. Perry. But I appreciate the comment. Yes, I think it highlights an interesting aspect that maybe was not considered fully for sure. Mr. Eggers. Congressman Perry, if I may just offer up a thought? Mr. Perry. Sure. Mr. Eggers. I think what we are going to here is, I think we are going to have a situation where kind-of the vanguard of companies in ISACs and ISAOs are going to start moving out a lot more confidently and swiftly. We've had really good discussions with policy makers and DHS, other Government bodies. I think we are really working together better than ever, at least in this space. But I do think that it is really tough for a small business who doesn't have paid professionals necessarily to do these kinds of things to expect them to have either the capital or the---- Mr. Perry. Technical. Mr. Eggers [continuing]. The technical talent. So what we want to end up doing is we are going to innovate our way to where technology will help those small businesses keep doing what they are doing, whether they are inventing new drugs or what have you. That technology will let them generate and receive threat data, and perhaps even kind-of heal, if you will, their networks and systems at real-time speeds. We are not there, but I think we will get there at some point. Mr. Perry. Yes, I appreciate that. As a former small- business owner myself, when I listen to this, I don't see how you get from point A to point B at the current position that we are. I think it is just exceptionally difficult. Mr. Rosen. Can I add one comment to the discussion? Mr. Perry. Sure. Mr. Rosen. So, we are a large business, $4 billion a year, 11,000 employees. Part of our analysis of AIS is the operational side. So our organization is analyzing how it fits into our threat intelligence analytics engine, whether it is duplicate, whether it adds value, whether we can handle the feed, whether it adds . . . So that's us at $4 billion a year, 11,000 people, so I think that will give you some nature of what---- Mr. Perry. Yes, so it is not just small business. I was going to ask you a question, Mr. Rosen, regarding the requisite tech refresh needed to ensure Federal networks. Do you think that they have the hardware or the software in network defense? I mean, do you get that sense now or do you think that they are lacking there? Mr. Rosen. I think they have made great progress since the cyber sprint last year, but it wasn't starting from a fantastic place to begin with. Mr. Perry. There is a new term right there, cyber sprint, I like that as well, at least new to me. Mr. Rosen. But the one thing I can suggest, is that in this Act and what DHS is doing, you have described the strategy and you have come up with the plan and you have come up with the metrics to measure it, but there is no security without deployment. That is where I think the focus has to wind up being. We saw under emergency situations post-OPM breach, and CA was involved in the DHS cyber sprint where we were aggressively implementing PIV authentication and privilege access management throughout all the components, we operate very well when friction is reduced, and then you wind up having deployment and you have made genuine progress to securing the Nation. It's that gap, it's operationalizing the plan that I think has to wind up being the focus of whatever stumbling blocks there are in the way. You know, if they are acquisition-related, if they are technology-related. I think the one thing you did a very good job of in the Act is not dictating technology. I think that was a really good thing. But I think that any focus that can help reduce the friction to deployment, how do we take that unbelievably effective sprint, and everybody pays attention to a sprint, the 100-yard dash, and how do we apply that to the marathon, which is our job, and divide it up in a way so people pay attention, friction is reduced and we can actually deploy? That's my recommendation. Mr. Perry. Thank you, Mr. Chairman. I yield. Mr. Ratcliffe. Thank the gentleman. The Chair now recognizes the gentlelady from California, Ms. Sanchez. Ms. Sanchez. Thank you, Mr. Chairman. Well, as usual, we are at a spot where it's just all so overwhelming. I know so many of us on this committee have been working on this for such a long time. I am worried about every aspect of business, large businesses, medium-sized businesses, technology companies, you know, we have only to look at the whole issue of Estonia a few years ago to understand that every business that uses IT can be hit. Whether it is just a threat of just taking your business off-line for a week while you are trying to figure it all out, or whether it's an imminent threat of taking all moneys out of everything, we are all concerned. So I want to go back to the small-business issue because I think there is a lot of help with the larger companies. We deal with them all the time. We look at the banking industry, we have robustness et cetera. Ms. Sage, I was very discouraged, quite frankly, after your frank and to-the-point testimony that you put forward. For a small business that is actually plugged in and aware in trying to work with the Department of Homeland Security programs, but can't leverage so many of those offerings unless you go through an established ISAC or a Sector Coordinating Council or any of the other layers that you mentioned in your testimony. So a small-business owner who also happens to be the sitting chair of the IT-ISAC and to not meaningfully get access to how we are trying to help from the Department, I can't imagine what other smaller business are facing. I mean, they are throwing their hands up and saying I can't do this. So is a small business best served by going through an ISAC? Is there a value proposition being offered from DHS to help small businesses? Can you from your interaction tell me what are the benefits of what we put in place under the cyber act and what are the biggest hurdles from your perspective for a small business? Ms. Sage. Thank you, Congresswoman. I didn't intend to make you depressed, so my apologies for that. Ms. Sanchez. You know, I used to own a small business. So the biggest thing people need to understand about small- business owners is that they get some letter from the Government or something through the mail and fear strikes you, right? You didn't put somebody's tax moneys in the right way, you messed up on some IRA for your employees and there are penalties and the nasty letters. So, you know, in an effort to try to help people to actually secure their businesses and their information, it's really disappointing to have seen your testimony. I love that you are frank, but what can we do? Ms. Sage. Well, you know, in our world it is all about simplification. Keep it simple. So while it's great to have all of these choices, you know, cybersecurity, and I am speaking as a small business, you know, I have run my company for 17 years, we're about customers and growing our businesses, but we have so many different challenges that cybersecurity right now is just the latest one. Right? So whether, you know, we are worrying about payroll, we are worrying about employees as you know, and so we have now this huge thing, cybersecurity, that we are being told is going to wipe us out. You know, Chairman Ratcliffe mentioned in his opening statements, there are two kinds of companies, the ones that have been hacked, the ones that don't know that they have. So there are lot of small businesses that I interact with who basically say if that is the case, why do I need to spend any more money? Because if we are already hacked and we just don't know it, why do I need to spend? So I just think that, you know, I applaud what, you know, DHS and NIST, for example, did with the cybersecurity framework, the C3 program which I participated in some of their session and found the information very valuable. But I think, you know, and as you mentioned, I am one who is actually trying to get ahead of this. A lot of it is time. We just don't have the time to attend all of these different---- Ms. Sanchez. The resources, you don't have the personnel to put---- Ms. Sage. Exactly. So I just go back to my point at the top, if there is a way to streamline, simplify, and prioritize these initiatives, I think that would be helpful. Ms. Sanchez. Mr. Chairman, I didn't get to my second question, but maybe the panel can submit to this. Small businesses don't have the latest up-to-date software and the latest up-to-date hardware, and so is Department of Homeland Security working with programs of small businesses who have more dated equipment and technology? Or are we just moving to the forefront of what is the latest cutting edge? That would be my second question. Mr. Eggers. Congresswoman, if I may? Let me maybe set a little bit, frame things. I think you are asking some very practical, good questions. Let me see if I can maybe frame things a little bit more---- Ms. Sanchez. Optimistic? Mr. Eggers [continuing]. Optimistically. So I think you are right. I think on a lot of levels you have got to cut small businesses some slack. I think that is the underlying kind of notion behind your concern. I think that is right. On the other hand, I think small business obviously produce some of the most innovative products and services out there. So small doesn't necessarily mean not capable, but clearly our experience is, is that they are obviously the bulk of our membership. We've got a campaign that we have been waiting for several years to get out to State and local chambers. We've hit 9 big cities in the last several years to promote the framework and really the solutions for all companies. Right? Then we also do, I mean, for example, we are going to be in San Antonio at the end of this month, we do smaller meetings with places like Beaumont, Texas, Longview, Texas. I will be in Green Bay in August. What we try to do is get out to our State and local chambers, just talk about some of the basic things that they need to do because they need help. Right? Some of the small businesses are actually ready to go and provide solutions. I think one of the things that we can think about is trying to continue the education effort. Resources are an issue. I will note that there are a couple, if not more, businesses focused on small businesses in cyber, both here in the House and in the Senate, that will try to leverage entities like small business development centers. That looks like that could be pretty good. The other thing I would note is in terms of, what do we tell businesses? I think we want to orient small business and companies and organizations of all sizes around the cybersecurity framework. If anything, I kind-of think of it as a written tool, maybe something companies can use to ask questions up and down from the CEO to the first hire. It is something that is really, I think, in a lot of ways, a mindset and it is also something that we want to focus on promoting here at home and globally. Ms. Sanchez. Thank you, Mr. Chairman. If the rest of the panel will submit that issue of, you know, what are your ideas for small business? I would really appreciate it. Thank you for the indulgence. Mr. Ratcliffe. I thank the gentlelady. For the record and for the benefit of some in the audience and for a point of optimism on this question and issue, last week this committee did mark up and pass legislation to support small businesses. H.R. 5064 is the Improving Small Business Cybersecurity Act, and the bill, if it became law, would require DHS to work with the Small Business Administration to jointly develop a strategy to aid small businesses. So hopefully that will, to address some of the issues that have been raised here, move forward for consideration by the full House. With that, I will recognize the gentleman from Rhode Island, Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. I want to thank our panel for our testimony today and Mr. Chairman, especially I want to thank you and the Ranking Member for holding this hearing. As you know many of us, Chairman McCaul and I and many others, have been trying for years to get information-sharing legislation passed. Thankfully, the leadership of this Congress and last year, we finally passed that legislation. Now comes the implementation and holding hearings like this and making sure that we are implementing it the right ways is vitally important. Before I begin my questions, I just wanted to mention, Mr. Eggers, I want to thank you for mentioning the work that Chairman McCaul and I have been doing on the Wassenaar Arrangement. I think we are moving in a good direction on that. I also want to say, you know, how much I appreciate the chamber being so proactive on Wassenaar. It has been very helpful in getting it to a good place. But to my questions, if I could, following up on Mr. Richmond's question, I think you all touched on this issue in your written testimony, but as directly as possible, again why is the uptake of AIS so low given Mr. Clancy's testimony that one can be up and running with a Soltra install in as few as 15 minutes? So, you know, I find it hard to understand why more mature companies wouldn't at least be experimenting with the threat stream. Again, I understand the guidance for sharing with DHS is just being finalized, but why wouldn't they at least be receiving data from the Government when there is known threat indicators and applying those to their cyber defenses? Mr. Eggers. Is that for me, sir? Mr. Langevin. For the panel. Mr. Eggers. I will jump in. Thanks for your comments about Wassenaar. I would say discussions are progressing on that front. We have been encouraging our colleagues in Europe to engage European and Wassenaar officials that handle cyber and export- control issues. I think we have made progress thanks to you all here, but we are not out of the woods yet. A nod to the administration for saying that the cyber controls in that space need considerable work, if not, our preference, elimination. Now, in terms of sign-up, you know, I might say, gosh, the AIS system was turned on, if you will, formally in March. The final guidance just came out. We are pretty optimistic that things will keep moving. In my mind, what I think we're trying to do is to make sure that we're moving and grooving with our largest and most sophisticated organizations that can tap in, if they are not already tapped in, tomorrow and then make sure that we are boosting the confidence of companies that are on the sidelines waiting to see how policymakers handle this issue. I think the key word is trust. I think, as I noted in my opening remarks, we've got a, let's say, a representative company that says, hey, we have heard about CISA, but it is not exactly clear yet if this program will work for us or against us. I think they have got still, I would say, somewhat legitimate fears about liability, but I think the program is such that that should minimize those fears. The other thing is, is we want to make sure that regulators are kept at bay in terms of the data that they receive. But I think on balance, we would say jump in, get involved as appropriate. Mr. Langevin. Yes, and just on that, I understand that on the business side of building the trust on sharing the information with the Government. That I get, even though it is voluntary, but I am talking about actually receiving from the information, from the Government, not what private sector would share with Government, yet. I understand that trust will be come in time and hopefully soon. But at least accepting information from the Government where there are known threat indicators, why not at least accept it? Mr. Eggers. Yes, I think most companies are probably more than happy to receive, rather than share. Right? Because when you share, then you are putting yourself out there and your data out there. But I will finish there and see if others here on the panel have thoughts. Mr. Clancy. So a few thoughts for you. I think there is a technical dimension and operational dimension. On the technical dimension, platforms like mine need to complete our certification that we can fully support bidirectional communication with AIS. Because of those adjustments that were made, we had to make some code changes and we are going through that process. I think one of the barriers and I mentioned it in my testimony is there is no actual test system to use with DHS. So in their rush to produce the platform and make it live, they didn't have, you know, an extra system, if you would, where you can go test things out, and so you want to be very sure before you turn things on in production. I think that's one piece. On the operational side, I think there are just some mechanical issues that need to get worked through with signing up. I mentioned earlier the credentialing process. That process that is being leveraged was really set up to get individuals encryption certificates so they can send secure email or authenticate as individual humans to websites. That provisioning process wasn't designed for machine-to-machine sharing. A simple example is, all of the issuance processes assumes you are using Windows desktop. Our service platform is a Linux workstation, it is a completely different technical environment. So we have to add wizards and helpers to help people import those credentials to get them to work. So there are those kind of pieces. Then there is a tiny bit of thing on the agreement side where you sign one agreement, you get some paperwork back, you have to sign a second agreement and put it through. If I can take that to my general counsel once, it will take weeks out of the process because I need to get back in their queue to review agreement No. 2. So it is little things like that I think will help. We are early. I mean, the law is 6 months old. The program is only 3 months old. So I think it is just, you know, if we have this problem again in 12 months then we are in a very different place. Mr. Mayer. I would like to offer some comments on that. Building on what's been said previously, I think the fact that we have 30 companies that are operational right now, frankly, given the scope of engagement that is required at the financial level, at the operational level, at the technical level, at the legal review level, is not a bad situation. In fact, Mr. Clancy talks about not having the test bed environment. The live environment has, in a sense, become part of the test bed process right now. So for example, I can speak to a company in our sector where they did try to work through the AIS engagement. I think Mr. Clancy can substantiate this, and DHS has acknowledged this, that there is legacy data in the systems that has triggered some reaction that was not anticipated. It's delaying the process of AIS. That is something that can be overcome. They are talking about 6.2.0. We have guidance that is still coming out as recently as this morning. So I think that the prudent thing for a lot of companies right now is to see these issues get resolved, to understand what the value proposition is for them, to work with DHS and other sectors to see what we can do to expedite and facilitate a more streamlined process. I think that will happen, but expecting that all to be resolved in 6 months is probably a little bit, I don't know what the word is, overly optimistic or whatever. But progress is being made. Mr. Langevin. Thank you. I know my time is expired, so I don't know if--OK. Mr. Eggers. Mr. Ratcliffe---- Mr. Rosen. I thought I would just give a brief response from our perspective. So I think other than the issues that we have discussed on clarification of liability and even what do we mean by PII data and privacy, and especially for a global company where, you know, we have, you know, general data protection regulation coming out of the European Union, so we have to look at it from a lot of aspects. But other than that, we are looking at it very similar to what just got described from an operational point of view and a priority point of view. So we have a broad threat intelligence feed and analytics engine inside of our company to protect it, to protect our company. We are in the process of exploring what this looks like, how do we add that to the feed, does it generate additional work for our operations, how do we tune it? So that will be our next step in exploring it once the clarifications on the privacy and liability issues get put by the wayside. Again, bringing it to general counsel once is better than bringing it multiple times. I do think this idea of having a test bed for folks like us to try it, get the data feed, do the analytics, see what the impact is, it is really an operational and priority issue for us. But we believe, if the data feeds aren't what we are getting today, meaning if it is not duplicative data, you know, the more intel feeds for us, the better. Mr. Langevin. Sure. Very good. Thank you. I will mention, too, that one of the things that I am not clear on yet, too, is that the ISACs have not signed up for this yet either, so it is not just a problem with businesses not yet signing up, it is also the ISACs, which are designed for information sharing, have not yet signed up. I find that troubling and hopefully we will move it to a better place in the very near future. So, thank you, Mr. Chairman. I yield back. Mr. Ratcliffe. Thank the gentleman. The Chair now recognizes my colleague from the great State of Texas, Ms. Jackson Lee. Ms. Jackson Lee. I thank the Chairman very much. Chairman Ratcliffe, let me thank you and Ranking Member Richmond for being so diligent on these issues. I am going to stay narrowly focused and say somewhat of the obvious. I am glad that we passed the Oversight of the Cybersecurity Act of 2015 and included privacy elements in that bill as well, and now that we are having an oversight of the Oversight bill to find ways to improve our service to the American people. But I want to be the one that poses or at least puts in the record that we are dealing with fire here. We are dealing with something that probably is not evidenced in the calmness of our conversation. But I hope you will view this committee as being very serious about this issue. So I am going to ask to put into the record, Mr. Chairman, the ``Crime Pays: Ransomware Bosses Make $90K Annually.'' It speaks to the Russian ransomware boss making $90,000 a year, or 13 times the average income for citizens in the country who stick to the straight and narrow. Of course, their job is to maintain, update it so that the antivirus systems won't recognize the software that they are maintaining as malware. So I ask unanimous consent to place that into the record. Mr. Ratcliffe. Without objection. [The information follows:] Article Submitted For the Record by Honorable Sheila Jackson Lee SPOTLIGHT ON SECURITY.--Crime Pays: Ransomware Bosses Make $90K Annually By John P. Mello Jr., June 14, 2016, 5 o'clock AM PT http://www.technewsworld.com/story/83603.html If crime doesn't pay, Russian ransomware bosses wouldn't know it. The average Russian ransomware boss makes US$90,000 a year--or 13 times the average income for citizens in the country who stick to the ``straight and narrow,'' according to a recent Flashpoint study. What does a ransomware honcho do for those rubles? Basically, the job calls for supporting and maintaining the malware. ``The software has to be constantly updated so that antivirus systems won't recognize it as malware,'' explained Vitali Kremez, a cybercrime intelligence analyst with Flashpoint. ``It's not a situation where you provide the malware and sit back on a couch waiting for your payments. You have to work on it on a daily basis,'' he told TechNewsWorld. ``The boss controls the source code for the malware.'' ransomware as a service The malware model is evolving, according to the Flashpoint study, which focuses on the Russian ransomware scene. ``A new form of ransomware has been developed that is in effect `Ransomware as a Service' (RaaS),'' notes the report. It ``enables `affiliates' to obtain a piece of ransomware from a crime boss and distribute it to victims as these affiliates wish.'' That's a departure from the past, when ransomware was available only to criminals willing to make a hefty upfront payment for the malware--$2,000 to rent or $5,000 to buy. That began to change last November, Kremez noted. ``We started to see developers considering giving their malware free of charge to criminals and keeping 40 to 50 percent of each ransomware payment made,'' he said. The new business model has lowered the barriers to getting into the business. It is not particularly hard for newcomers to start spreading ransomware quickly. They can attack corporations and individuals through botnet installs, email and social media phishing campaigns, compromised dedicated servers and file-sharing websites. ``It used to be a one-on-one business,'' Kremez said. ``At this stage, it's all automated. We see marketplaces. We see services on the dark web where you deposit your money and buy what you have to buy without any direct communication with the seller.'' malicious infrastructure growing More evidence of the popularity of ransomware is evident in Infoblox's latest quarterly report on malicious infrastructure building globally. To measure that kind of activity worldwide, Infoblox has created a threat index. Upon its launch in the first quarter of 2013, the threat index was 76. During this year's first quarter, the index reached it's highest point ever: 137. Activity related to ransomware has fueled the index's rise. ``While exploit kits remain a major threat, this latest jump was driven in large part by a 35X increase in creation of domains for ransomware over the previous quarter, which in turn drove an increase of 290 percent in the overall malware category,'' the report States. The activity of malware kit developers is another indicator of ransomware's attractiveness to criminals. Kits are used to infect devices with a variety of malware programs. ``A number of exploit kits and threat actor gangs behind them have started adding ransomware to their repertoire over the last few months,'' said Sean Tierney, director of cyber intelligence at Infoblox. ``These are gangs that were using their kits to deliver other kinds of malware,'' he told TechNewsWorld, that ``have either started including or switched entirely to ransomware.'' It's likely that the ransomware market will level off as security software makers get better at detecting it and consumers get smarter about avoiding it, suggested Tierney. ``Then the market will become saturated,'' he said, ``and the return won't be able to support the amount of activity going on.'' expanding 2fa Two-factor authentication, which requires both something you have and something you know in order to access an account, has proven to be a good way to thwart data thieves. One problem with the technology, though, is that it isn't easy for many rank-and-file developers to deploy. One authentication company aims to change that with a recently launched program. Centrify actually goes beyond 2FA to include single sign-in--which allows the use of a single set of credentials to log into multiple accounts--along with password reset and access control of a device. Under the program, developers can plug into those features through Centrify system APIs. ``Developers who are building an application from a great idea aren't necessarily expert in security,'' said Chris Webber. security strategist at Centrify. ``We can give that to them,'' he told TechNewsWorld. ``They can take advantage of all the user management and multifactor authentication that Centrify's built, so they don't have to learn about that world and can concentrate on their great idea,'' Webber pointed out. ``It's more and more critical that we need to figure out how to put two-factor auth everywhere, because passwords alone are just not a great way to do authentication anymore.'' breach diary May 30. Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned, advises his subscribers that information on 65 million Tumblr accounts is being offered for sale on the dark web. May 30. Twitter account of Katy Perry breached and her 89 million followers sent tweets filled with profanity and slurs, TechCrunch reports. May 31. MySpace announces it has reset the passwords of all accounts created prior to June 11, 2014, due to a data breach. May 31. A Federal district court in Pheonix, Arizona, rules that insurance provider Chubb does not have to reimburse P.F. Chang under a cybersecurity policy for payments to credit card processors connected to a 2014 data breach. June 1. U.S. Federal Reserve detected more than 50 breaches between 2011 and 2015, including several incidents described in internal documents as espionage, Reuters reports. June 1. Medical information of thousands of NFL players is at risk after backback containing the data was stolen from an athletic trainer's car, Deadspin reports. June 1. FBI alerts public that extortion attempts are being made against victims whose personal information has been compromised in recent large data breaches. Extortionists are threatening to make victim's personal informtion public if not paid two to five bitcoins. June 1. TeamViewer reports it experienced a service outage due to a DDoS attack, but its systems were not breached by hackers. June 2. Medical records of some 40,491 customers of the Stamford Podiatry Group in Connecticut impacted due to a system intrusion, HealthIT Security reports. June 2. 2015 payroll tax data of employees of Verify Health Systems in California at risk after an employee was duped by a phishing scam, SC Magazine reports. Ms. Jackson Lee. Speak the obvious of the hacking of the Democratic National Committee, which brings it really home. For those of us young enough to remember Watergate, we are managing now 21st Century. But again, the individuals allegedly attached to that were Russian. I don't speak particularly to Russia, but it does say that this is an international threat that goes to our private sector. Some years back I chaired the Transportation Security Subcommittee, and this component was under that committee. I remember noting the 80 percent-plus cyber issues would be in the private sector. So I am glad of your presence here today. Then I want to ask unanimous consent to put into the record ``Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.'' That is, of course, a bestseller investigation by Ted Koppel. Mr. Ratcliffe. Without objection.* --------------------------------------------------------------------------- * The information has been retained in committee files. --------------------------------------------------------------------------- Ms. Jackson Lee. So I want to go first to Ms. Sage and indicate, if I could, very briefly for your answer. Pointedly, you indicated that the information was dated. And that you, I guess, on your receiving end needed a secure entity. Help me understand what we can do to help. Obviously, I want the data to be current. I don't want it to be where you have just turned on National news and said, well, I just saw this on the National news. Then, is the idea of a secure channel yours or ours? Or how can we help you do that? Ms. Sage. Sure. Thank you, Congresswoman, for your question. The Enhanced Cybersecurity Services initiative is the one that is a Classified program. That was the one where we had difficulty getting access to a facility where we could even just review the requirements, not even whether or not we were going to participate. So there, if there is a way for DHS or the Government or some Government entity to be able to provide those kinds of facilities so that companies--and we had a clearance, it just wasn't at the level, you know, needed to be able to review these requirements--to make that easier, that would be very helpful. Because we actually had to start looking at, did we need to build a SCIF, and those costs are just cost- prohibitive. Then, you know, without even getting into the merits of the program itself, once we were able to review, it just was not something that a small business would be--and there are two pieces to that program. You can be a provider or you can partner with the larger firms. So that's now kind-of what we are exploring, because, you know, trying to invest, is just not possible. On the question of data, and this also speaks, I think, to the AIS initiative, I think at the end of the day, I agree with what, you know, my colleagues have talked about in terms of financial, technical, and operational considerations. But I think it all, at the end of the day, comes down to the quality and the value of the data that is received. So it was our experience with the CRADA, when we participated in the Unclassified program, that a lot of the data that we were receiving through the portal was already widely available. So it was just another stream of data that was not particularly adding, you know, value above and beyond. So I can't speak, you know, and I believe the AIS program is a good initiative, and I would just urge on the DHS side and the Government side that as that data is being provided, that it is reviewed for the quality and the currency to the recipients. Ms. Jackson Lee. I think, Mr. Chairman, this is something that we really pointedly can look at together with DHS on the accuracy or the currency of the data. Mr. Chairman, I have just one or two points and I will be finished. I thank you. One is going to be deviating, because I made a commitment that I would make mention of this, whatever Homeland Security meeting I was in, and that is, of course, to acknowledge my sympathy for those who lost their lives this past Sunday, the most heinous and largest mass murder, massacre, and slaughter of American people here in the United States in our history. I believe that there is a great deal of morality in this Congress, and so I am hoping and looking for action this week on a ban on the assault weapons. No. 2, no-fly, no-buy. If you are on a terrorist watch list, you should not be able to buy assault weapons. Something to say to the American people that we get it, that our pain is as deeply embedded as theirs, that families who mourn tragically do not mourn in vain. I am hoping that this Homeland Security Committee can be a bipartisan leader on these issues. I hope the American people and those who are listening in this audience in their own way will rise up and be actively engaged in ensuring that we are responsive to the deeply embedded pain. I asked the question whether or not we are in fact good Samaritans and whether or not it is your neighbor, and if it is your neighbor, what would you do? If it is yourself, what would you do? So I am looking forward to us working on that issue. But let me conclude my remarks on the cybersecurity and raise this question out of Ted Koppel's article. Maybe some of you have read his book. So, Mr. Eggers, I am going to go to you because you represent a vast number of private sector. So I won't read it all, but Mr. Koppel suggests that a massive cyber attack, we would have no running water, no refrigeration or light, food and medical supplies dwindling, we would be going in the dark, banks no longer function, looting is widespread, law and order are being tested as never before. What is your response to the private sector's preparation for what might be? Because we have to answer those questions. Mr. Eggers. Congresswoman, good to see you. Ms. Jackson Lee. Thank you. Mr. Eggers. You know, I think in a lot of ways, and hearing Mr. Koppel speak, I get the sense more he uses kind-of the electric sector as kind-of a gateway for his concerns. I think it's less about that, it's more about some kind of dystopian future, right? But I think what he leaves out, if you talk to folks in the administration and the private sector, they are going to say, you know what, the book paints the private sector and Government as if we are sitting still, when in fact there is so much going on, not only in the electric sector and other sectors that frankly even individuals like myself, I can't keep up. So leaving aside the regulatory platform that the electric sector works under, I am pleased to hear situations where, let's see, I think Secretary Spalding recently said, hey, look at what has happened in Ukraine with an incident with their electric sector. We know how to handle that here. Now, I am the last person that is going to say an incident won't impact us, but when I think about the Sector Coordinating Councils, the ISACs and ISAOs, our organization of critical infrastructure at greatest risk, we know who those folks are. I would say, if anything, we are pretty busy. One of the things that I think we need to focus on is making sure that they have got everything they need for a bad day. The other thing is we often point the fingers at ourselves, right? I like this program, CISA and AIS, because we are working together pretty well. The chamber just approved a norms and deterrence statement last week, our board of directors, saying at least a couple of things. We impose a lot of costs on ourselves, but we can do better in an active, restrained, legal way to impose costs on bad guys. We are doing that. But let me give you an example. So the Cyber Forum of Independent and Executive Branch Regulators, there is something like a dozen or so agencies in that body. If I look at organizations like the Secret Service or DHS that are positioned to push back, that's two. I am not saying we act recklessly, but I am saying that we need to be mindful about how we impose costs on bad actors, many of whom or which are State actors or their proxies or super criminal groups. So when I think about small business or even larger companies, I think that they are going to be ultimately resource-constrained against a nation-state or their surrogates. I hope that helps. Ms. Jackson Lee. It does. I will just end, Mr. Chairman and say, as I heard some good news from Mr. Eggers, I want to emphasize that I think we need a SOS or Red Cross team dealing with cybersecurity in light of these possibilities. I yield back. Thank you. Mr. Ratcliffe. Thank the gentlelady. I wish we could do another round of questions, but prior commitments of the Chair prevent that. So I will thank the witnesses for your valuable and important testimony today, and I thank all the Members for their questions. Members of this committee, I think, will have some additional questions for the witnesses. That being the case, we will ask you to respond to those in writing. Pursuant to committee rule 7(e), the hearing record will be held open for a period of 10 days. Without objection, the subcommittee stands adjourned. [Whereupon, at 11:41 a.m., the subcommittee was adjourned.] A P P E N D I X ---------- Questions From Chairman John L. Ratcliffe for Matthew J. Eggers Question 1. Does the U.S. Chamber of Commerce believe that the Cybersecurity Act of 2015, specifically Automated Indicator Sharing, is applicable to all businesses, including small businesses, and private organizations? Answer. The chamber believes that the Cybersecurity Act of 2015-- particularly title I, the Cybersecurity Information Sharing Act of 2015 (CISA)--and Automated Indicator Sharing (AIS) are applicable to businesses and private organizations of all sizes and sectors. Question 2. What avenues do Government and industry have to increase businesses' awareness of the Cybersecurity Act of 2015, specifically Automated Indicator Sharing? Do you expect that all businesses, especially small ones, will use the Cybersecurity Act of 2015, specifically the Automated Indicator Sharing program, directly? Answer. There are many ways to publicly promote CISA. The chamber led the Protecting America's Cyber Networks Coalition, a partnership of more than 50 leading business associations representing nearly every sector of the U.S. economy to pass CISA. Each association has on average thousands of members. The chamber is championing CISA as part of our cybersecurity campaign, which was launched in 2014. This National initiative recommends that businesses of all sizes and sectors adopt fundamental internet security practices, including the joint industry-National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the framework) and the new information-sharing law. The chamber spearheaded 11 major regional roundtables and 2 summits in Washington, DC. More events are planned for 2017. The chamber's Fifth Annual Cybersecurity Summit was held on September 27. Each regional event had approximately 200 attendees and typically features cybersecurity principals from the White House, Department of Homeland Security (DHS), NIST, and local FBI and Secret Service officials. The chamber also partners with State and local chambers and universities to produce cyber educational events in locations such as Appleton, Wisconsin; Augusta, Georgia; Oak Brook, Illinois; Indianapolis, Indiana; Irving, Texas; and Longview, Texas. We endorse CISA and AIS at each gathering. In addition, chamber professionals regularly speak on and/or moderate industry panels tied to cybersecurity, where we can actively pitch CISA/AIS to multiple businesses. DHS Deputy Secretary Ali Mayorkas addressed the chamber's Small Business Summit on June 14, and he advocated that businesses take basic, prudent steps to protect their devices and sensitive data, including leveraging cybersecurity information-sharing services. Big picture: The chamber is urging businesses to use the framework, join an information-sharing body, and take advantage of the CISA/AIS system as appropriate. We are pressing senior leaders of industry groups to popularize these initiatives among their peers and constituencies, including through jointly written chamber-DHS op-ed articles.\1\ --------------------------------------------------------------------------- \1\ http://thehill.com/blogs/congress-blog/technology/304163- cybersecurity-building-resiliency-together, www.csoonline.com/article/ 3124626/security/advancing-cybersecurity-through-automated-indicator- sharing.html. --------------------------------------------------------------------------- The chamber commends DHS and the Department of Justice (DOJ) for jointly holding their Cybersecurity Conference for Lawyers on September 28, which included a discussion on traditional challenges to sharing threat data and CISA's attempt to address these challenges and a demonstration of the AIS program. Question 3. The issue of how many entities are signed up for the Automated Indicator Sharing program was discussed at the hearing. Should Information Sharing and Analysis Organizations (ISAO)--and Information Sharing and Analysis Centers (ISAC)--participating entities be included in the accounting of the number of participating entities under the program if they are sharing cyber threat data through an ISAO or ISAC that is plugged into DHS's NCCIC? Answer. First, it is important to stress the chamber believes that the success of CISA and AIS should not be linked to the number of organizations that sign up for AIS. Some subcommittee Members suggested at the hearing that the number of AIS signers and the achievements of CISA/AIS are bound together. Most industry organizations are unlikely to share cyber threat indicators (CTIs) directly with Government partners. Instead, the chamber believes that the vast majority of businesses will share and receive cyber threat data with industry peers and ISACs and ISAOs. It is our understanding that most businesses will use information-sharing bodies as conduits between themselves and DHS, among other Federal entities. These businesses will not be signed up with AIS, but significant amounts of information sharing will nonetheless take place. Second, ISAOs and ISACs and their respective members should be part of the calculation of private organizations that are possibly using CISA/AIS. The chamber defers to DHS's data concerning AIS involvement. Yet at the time of this writing, we understand that approximately 150 private organizations have signed DHS's Terms of Use that govern the use of CTIs and DMs and participation in the AIS initiative.\2\ Fifty- eight of these organizations are attached to the AIS server and consume Government-furnished CTIs. In addition, 12 of these organizations are either ISACs or ISAOs. For instance, the Financial Services-ISAC (FS- ISAC) has upward of 7,000 member financial institutions and partner organizations. Presumably, many of these entities are engaged in protected information sharing under CISA but may not be part of AIS accounting.\3\ --------------------------------------------------------------------------- \2\ www.us-cert.gov/sites/default/files/ais_files/ AIS_Terms_of_Use.pdf. \3\ http://media.wix.com/ugd/ 416668_2c6d85d4964743f8b4d3470b860f6e3b.pdf. --------------------------------------------------------------------------- Similarly, the Health Information Trust Alliance (HITRUST) Cyber Threat XChange, the health industry's ISAO, is now connected to AIS and supports the bidirectional sharing of cyber threat data with DHS. The real-time sharing of CTIs between HITRUST's more than 1,000 members and DHS helps private-sector organizations reduce their cyber risks.\4\ --------------------------------------------------------------------------- \4\ https://hitrustalliance.net/hitrust-advances-State-cyber- threat-information-sharing-nations-healthcare-sector. --------------------------------------------------------------------------- The chamber understands that several entities are testing the sharing process before they initiate automated, bidirectional sharing on routine basis. Questions From Ranking Member Cedric L. Richmond for Matthew J. Eggers Question 1a. In accordance with 1A103 and 105(a)(4) of the Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General issued updated, final guidance on the sharing of cyber threat indicators and defensive measures among multiple Federal and non-Federal entities. What was your impression of the guidance? Are there aspects that you find insufficient or impractical? Answer. The chamber was impressed at the wide-spread support CISA/ AIS stakeholders showed for the final CISA procedures and guidance documents that were released on June 15. The chamber especially commends DOJ's Leonard Bailey, senior counsel, and DHS's Gabe Taran, acting assistant general counsel for infrastructure programs, for their positive roles in negotiating with multiple parties and writing the documents under a tight deadline. The chamber believes that the procedures and guidance are sufficient and practical. Question 1b. In addition to resolving the question of liability protections for private-to-private sharing, are there other aspects of the DHS guidance that you believe would benefit from additional clarity? Answer. The issue related to clarifying liability protections for private-to-private sharing seems to have been dealt with adequately. The procedures and guidance do not need additional clarification at this time. In the main, the chamber is urging industry to take advantage of CISA/AIS as appropriate. Question 1c. Are there aspects of the law that should be clarified? Answer. No. The CISA/AIS program is off to a good start. While oversight by Congress is crucial, it is too soon to make changes to the legislation. CISA does not need to be reauthorized until September 2025. The chamber urges lawmakers and the next administration to be industry's ally as it uses CISA/AIS, which is currently more important to businesses than clarifications. Companies need to trust that policy makers have their backs. It is important that businesses see that the protections granted by CISA--including matters tied to limited liability, regulation, antitrust, and public disclosure--become real. For some businesses, the protections are still an open question. The chamber agrees with a witness who spoke on June 21 before the Commission on Enhancing National Cybersecurity at the University of California-Berkeley. He noted that the Government could make it easier for companies to create a ``regulatory safe space,'' where they can more effectively share information about threats and attacks.\5\ --------------------------------------------------------------------------- \5\ https://cltc.berkeley.edu/2016/06/27/cltc-hosted-white-house- commission-considers-challenges-opportunities-for-the-next-president. --------------------------------------------------------------------------- The chamber hears such sentiments frequently and believes that Government entities like DHS want to use company data prudently. However, many more agencies and departments will have to adopt attitudes and actions that do not discourage businesses from reporting threat and vulnerability data. Question 2. As a general rule, small- and medium-size businesses do not have the resources to devote to the most advanced, state-of-the-art information technology systems. As such, smaller enterprises may use older systems that have known cybersecurity vulnerabilities. Can these companies rely on older systems to share or receive threat information or do their platforms require a more advanced system? Answer. The chamber's experience suggests that sophisticated cybersecurity programs can be very expensive to develop, deploy, and maintain for companies of all sizes, particularly small and mid-size businesses (SMBs). DHS does not charge a fee for companies to participate in AIS. However, any AIS participant will need to adhere to defined technical connectivity activities, which DHS helps organizations manage.\6\ Larger firms may have more resources to submit indicators directly through AIS. Most SMBs may not need to. --------------------------------------------------------------------------- \6\ www.us-cert.gov/sites/default/files/ais_files/ AIS_fact_sheet.pdf, www.us-cert.gov/sites/default/files/ais_files/ AIS_FAQ.pdf. --------------------------------------------------------------------------- Indeed, the chamber anticipates that many SMBs will benefit from an innovative, automated-sharing ecosystem. A key long-term goal of information-sharing policy is to foster economies of scale in real- time, machine-to-machine sharing. The chamber anticipates that the marketplace will eventually provide inexpensive and easy-to-deploy technologies that conform to CISA's rules (e.g., scrubbing privacy information from CTIs) and generate and swap threat signatures at internet speeds. Systems like AIS will be able to block attacks sooner and more regularly, compared with the relatively human-intensive sharing schemes in use today. The chamber understands that cyber threat intelligence companies have the means to enable companies to opt-in to AIS and gain from the process of receiving pertinent security event information such as IP addresses, domain names, hashes, and actor tactics, techniques, and procedures. From a resource standpoint, it is probably too much to ask most SMBs to engage in the cybersecurity threat-sharing ecosystem directly. Many SMBs will likely struggle to create and maintain sound cybersecurity programs.\7\ Technology may be challenging to use, and professional cyber talent is both scarce and pricey. Public policy does not do a sufficient job of recognizing the potentially extraordinary costs that industry faces in creating robust information-security programs. --------------------------------------------------------------------------- \7\ https://inthenation.nationwide.com/news/small-business-cyber- security-survey. --------------------------------------------------------------------------- Secretary of Commerce Penny Pritzker spoke at the chamber on September 27 concerning cybersecurity policy. She said that cyber space is the ``only domain where we ask private companies to defend themselves'' against foreign powers and other significant threats. She wondered aloud, ``Does that sound as crazy to you as it does to me?''\8\ Government does not stand between private entities and malicious hackers, she suggested. --------------------------------------------------------------------------- \8\ www.commerce.gov/news/secretary-speeches/2016/09/us-secretary- commerce-penny-pritzker-delivers-keynote-address-us. --------------------------------------------------------------------------- It is instructive, according to a Council of Insurance Agents and Brokers market survey, that 26.1 percent of SMBs purchase ``cyber'' insurance for risk mitigation assistance (4.5 percent) and post-breach resources (21.6 percent). In contrast, 20.4 percent of large entities purchase ``cyber'' insurance for risk mitigation assistance (10.2 percent) and post-breach resources (10.2 percent).\9\ In the chamber's view, companies typically have healthy and maturing cyber risk management programs in place before engaging in active information- sharing initiatives. --------------------------------------------------------------------------- \9\ www.ciab.com/news.aspx?id=6176. --------------------------------------------------------------------------- Question 3. In developing the aforementioned guidance, 103(a)(5) specified that the procedures established must facilitate periodic circulation of cybersecurity ``best practices'' designed with special attention to the accessibility and implementation challenges faced by small businesses. Do the policies and procedures described in the guidance actually facilitate the development and circulation of best practices that are mindful of small business needs? Answer. In keeping with section 103(a)(5) of CISA, the Federal Government-sharing guidance calls for the periodic sharing of cybersecurity best practices ``with attention to accessibility and implementation challenges faced by small business concerns.'' The guidance outlines several programs, activities, and Federal agencies and departments that support the recurrent sharing of sound cybersecurity techniques, which are expected to be rooted in the on- going analyses of cyber threat data. Here are some examples of cybersecurity best practices featured in the Federal Government-sharing guidance and that the chamber includes in our National cyber education campaign: NIST Computer Security Division.--NIST special publications and interagency reports, covering a broad range of topics, provide management, operations, and technical security guidelines for Federal agency information systems. Beyond these documents, which are peer reviewed throughout industry, Government, and academia, NIST conducts workshops, awareness briefings, and outreach to help ensure greater understanding of standards and guidelines resources.\10\ --------------------------------------------------------------------------- \10\ www.nist.gov/itl/computer-security-division. --------------------------------------------------------------------------- DHS Critical Infrastructure Cyber Community (C\3\) Voluntary Program.--The C\3\ (pronounced ``c cubed'') Voluntary Program helps enhance critical infrastructure cybersecurity and encourage the adoption of the framework. The C\3\ Voluntary Program aids sectors and private organizations that want to use the framework by connecting them with cyber risk management tools offered by DHS, other Federal entities, and the private sector.\11\ --------------------------------------------------------------------------- \11\ www.dhs.gov/ccubedvp. --------------------------------------------------------------------------- DHS National Cybersecurity and Communications Integration Center (NCCIC).--The NCCIC disseminates publications that recommend practices and standards for technical and nontechnical users. Information is available for Government users, as well as owners, operators, and vendors of industrial control systems.\12\ In addition, the NCCIC includes information specifically focused on securing small business and home networks.\13\ --------------------------------------------------------------------------- \12\ https://ics-cert.us-cert.gov. \13\ www.us-cert.gov/home-and-business. --------------------------------------------------------------------------- Through the US-CERT, a component of NCCIC, DHS offers the Cyber Resilience Review (CRR), a no-cost, voluntary, nontechnical assessment to help an organization evaluate its resilience and cybersecurity practices. The CRR may be conducted as a self- assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. Small Business Administration (SBA) Cybersecurity Website.-- The SBA provides information about cybersecurity best practices through its website, which features top tips, among other resources, that SMBs can use.\14\ --------------------------------------------------------------------------- \14\ www.sba.gov/cybersecurity. --------------------------------------------------------------------------- Question 4. There is a natural tension between sharing threat indicators quickly to facilitate rapid response, and sharing only the most valuable information once it has been processed and analyzed. I understand that DHS uses the former, emphasizing volume and timeliness. Do you prefer this ``time is of the essence'' approach? In other words, how useful and actionable is the information you [a business or private organization] receive from DHS? Answer. The chamber supports the ``time is of the essence'' mind- set. During the legislative debate concerning CISA, we opposed amendments that would attempt to address the ``second scrub'' issue by requiring DHS to perform another scrub of cyber threat data for personal information before disseminating indicators to appropriate Federal entities. So the speed of sharing is key. Granting authority to DHS to conduct a second scrub is not inherently bad if viewed only through the vague lens of ``privacy.'' But privacy is just one of several considerations in CISA. For example, when one understands that CTIs rarely if ever contain personal information, the second scrub would bog down the sharing of CTIs from businesses to the Federal entities that need them in a timely manner.\15\ --------------------------------------------------------------------------- \15\ www.uschamber.com/sites/default/files/ cisa_ctis_separating_fact_from_fiction_ - aug_19_final.pdf. --------------------------------------------------------------------------- A DHS privacy official said at the Cybersecurity Conference for Lawyers in September that if a CTI field ``fails or is not completed fully'' by a submitter, the whole indicator is not held back, which is constructive from a timeliness standpoint.\16\ --------------------------------------------------------------------------- \16\ www.us-cert.gov/sites/default/files/ais_files/ AIS_Submission_Guidance_Appendix_- A.pdf. --------------------------------------------------------------------------- Question 5. The Cybersecurity Act of 2015 contains numerous provisions designed to safeguard privacy and civil liberties by requiring, for instance, the scrubbing of personal information. Are private-sector organizations using their own systems to fulfill these obligations or relying on DHS mechanisms? Answer. Section 104(d)(2) of CISA requires businesses to remove any information from a CTI or DM that it knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual who is not directly related to a cybersecurity threat before sharing that data with a Federal entity.\17\ --------------------------------------------------------------------------- \17\ www.us-cert.gov/sites/default/files/ais_files/Non- Federal_Entity_Sharing_Guidance_- %28Sec%20105%28a%29%29.pdf. --------------------------------------------------------------------------- Private organizations use their own technical capabilities to scrub indicators of personal information. It is worth noting that a DHS privacy official said at the Cybersecurity Conference for Lawyers that there is no ``hard and fast list of privacy information that must be removed'' from CTIs. CISA/AIS stakeholders need to consult the non- Federal entity guidance for scrubbing protocols. Scrubbing is ``ultimately up to the company that is sharing the indicators,'' she added. The chamber instructs businesses to remove personal information from cyber threat data and not to rely on DHS mechanisms, which, among other things, may impede timely sharing efforts. Questions From Ranking Member Cedric L. Richmond for Robert Mayer Question 1a. In accordance with 103 and 105(a)(4) of the Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General issued updated final guidance on the sharing of cyber threat indicators and defensive measures between and among Federal and non-Federal entities. What was your impression of the guidance and are there aspects that you find insufficient or impractical? Question 1b. In addition to resolving the question of liability protections for private-to-private sharing, are there other aspects of the DHS guidance that you believe would benefit from additional clarity? Question 1c. Are there aspects of the law that should be clarified? Answer. As indicated in our testimony, we applaud DHS for its efforts to meet CISA's aggressive deadlines and for producing both interim and final guidance that provides additional evidence of the liability protections afforded under the Act. We now continue to focus our attention on evaluating the requirements and benefits associated with implementing CISA, and we expect that more companies will enter into arrangements for sharing cyber threat indicators and defensive measures through the new DHS portal. Our member companies believe that no additional statutory clarification is required at this time and that it would be premature to open up CISA for amendment so soon after final passage. The process to reach consensus on the language in CISA, including the liability and privacy protection provisions, was a lengthy one. The law establishes an information-sharing structure, provides for liability and privacy protections, and more granular details about how sharing is conducted are better placed in implementation guidance, policies, and procedures. We also recognize that over time issues may arise that would benefit from more clarification in the Federal guidance. Should that occur, we are confident that DHS will continue to work with the private sector through the current highly-collaborative process with appropriate dialogue on any potential future modifications to the guidance. Question 2. As a general rule, small- and medium-sized businesses do not have the resources to devote to the most advanced, state-of-the- art information technology systems. As such, they are more likely to use older systems even if they exhibit known cybersecurity vulnerabilities. In developing its information-sharing program, has DHS provided a means for entities that rely on these older systems to share and receive threat information, or does their platform require more advanced system? Answer. It is clearly the case that small communications carriers do not possess the same level of technical and financial resources that can be devoted exclusively to cybersecurity operations and technologies as do the large service providers. Still, they rely on the same vendors for hardware and software as their larger peers given that small service providers do not have the scope and scale to incent vendors to manufacture products specifically for their needs. DHS through the National Coordinating Center (NCC) and US-CERT work with the vendor community to publicize software updates and vulnerabilities--and this information is used by large and small operators alike. Implementing Automated Information Sharing (AIS) capabilities for small business in the short term is impeded by the fact that most small businesses lack the ability to devote limited technical and capital resources to fully participate in the program at this juncture. However, over time, smaller entities will be likely to pool their resources and work through the existing Information Sharing and Analysis Centers (ISAC) and the Information Sharing and Analysis Organizations (ISAOs) that are currently under development. DHS seems to be approaching the implementation of AIS in a correct fashion by enrolling entities that have the deep technical know-how and capacity to engage operationally and to provide input for enhancing current capabilities that ensure that timely and actionable information is made available to program participants. We can also report that the communications sector, through a pilot effort under the auspices of CTIA, is working with a diverse set of industry participants (including small providers) to test the capabilities of AIS and the associated protocols and make modifications necessary to support telecommunications-specific requirements to support automated information sharing. Question 3. In developing the aforementioned guidance, 103(a)(5) specified that the procedures established must facilitate periodic circulation of cybersecurity ``best practices'' designed with special attention to the accessibility and implementation challenges faced by small businesses. Do the policies and procedures described in the guidance actually facilitate the development and circulation of best practices that are mindful of small business needs? Answer. It is commonly understood that the small- and medium-sized businesses face substantial burdens when contemplating whether to share cyber threat indicators and defensive measures. The human resources and financial costs of participation can be daunting. However, we also recognize how important the small- and medium-sized businesses are in making the information-sharing environment effective. As DHS and industry gain a better understanding of the AIS process and its associated costs and benefits, small and medium businesses will be better-positioned to leverage experiences and lessons learned that are likely to be communicated and provided through their ISACs and any ISAO in which they participate. It is also worth noting that for smaller companies, the current guidance does allow for sharing via means outside of the portal including via an email or phone call. This is especially important for this class of providers who may not be using technologies such as STIX and TAXI at this point in time. There needs to be continued flexibility inherent in the overall information-sharing process to accommodate the needs and capabilities of small- and medium-sized providers. DHS might also want to consider convening a workshop with representatives of small entities to discuss current capabilities of AIS, the requirements to implement for smaller companies, the costs associated with implementation, the constraints that small companies face, and possible technical, operational, and administrative processes that may be streamlined to make participation for small entities more feasible. Question 4. There is a natural tension between sharing threat indicators quickly to facilitate rapid response, and sharing only the most valuable information once it has been processed and analyzed. I understand that DHS uses the former, emphasizing volume and timeliness. Do you prefer this ``time is of the essence'' approach? In other words, how useful and actionable is the information you receive from DHS? Answer. This may not be an either-or proposition though it is an important question. We often talk about information needing to be both ``timely'' and ``actionable'' which means that information can become quickly perishable and while it may be quality information, it may no longer be actionable. So it must be recognized that what is most important is that the information is accurate and provides the necessary context to facilitate specific action. We cannot lose these qualities for the sake of expediency. The balance between what is timely and what is useful will continue to evolve based on the nature of the threat, and the nature of the type of information being shared. One of the primary purposes of sharing is to involve more parties to evaluate cyber threat indicators and defensive measures. As part of the collaborative nature of the information-sharing regime, we must all be mindful of the need for parties to strike the right balance between ``timely'' and ``effective'' information-sharing practices. Having said that, we do value the DHS view that ``time is of the essence'' and over time, we have seen substantial improvements in the timeliness and utility of information shared with us by the Government. Information received from the Government is one of many resources that many of our member companies use as part of their own cybersecurity efforts. Generally speaking, we have no significant issues with the way that DHS is implementing the information sharing provisions of the Act. If issues arise, we expect that DHS and the private sector will address them in a collaborative way. Question 5. The Cybersecurity Act of 2015 contains numerous provisions designed to safeguard privacy and civil liberties by requiring, for instance, the scrubbing of personal information. Are private-sector organizations using their own systems to fulfill these obligations or relying on DHS mechanisms? Answer. The structure contemplated by CISA contains multiple layers of privacy protections for information sharing with the Federal Government and confers responsibilities on both the private sector and the Federal Government. The first layer places responsibility on a private sector entity sharing information to ensure it reviews the information for known personal information of a specific person, and if such information is present, that it is connected to a cybersecurity threat. Conversely, if it is not, the information must be removed. The next layer of responsibility in the private-to-Federal venue is on the Federal Government at the point of receipt, and prior to sharing with other Federal entities. Our members take the responsibility placed upon them very seriously and understand that it is not sufficient or legally prudent to merely rely on the Federal Government to conduct its privacy review upon receipt of the information. Moreover, some of our member companies have established, mature information-sharing mechanisms that long pre-date CISA and that also include strong privacy protective systems and practices. Those members will likely continue to rely on established methods to meet the baseline requirements concerning privacy protections under CISA, and to also go beyond those baseline requirements. Indeed, some members consider one step further than what is required under CISA. Namely once it has been established that it is legal under CISA to share cyber threat information that contains personal information, they will consider whether they should share it or could the cyber threat indicator be shared in a meaningful way without personal information? Our member companies will also rely on their privacy protective policies and practices in the private-to-private information sharing context, which does not contemplate DHS involvement or review. Finally, the Automated Information Sharing (AIS) system DHS established to effectuate its role as the primary automated intake portal under CISA by design substantially minimizes the likelihood that personal information could, as a technical matter, be conveyed if it is not directly related to a cybersecurity threat. The technology, by design, adds another layer of privacy protection for companies sharing through the portal with DHS. I hope that you find this information to be fully responsive to your questions. Questions From Ranking Member Cedric L. Richmond for Mark G. Clancy Question 1a. In accordance with 103 and 105(a)(4) of the Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General issued updated final guidance on the sharing of cyber threat indicators and defensive measures between and among Federal and non-Federal entities. What was your impression of the guidance and are there aspects that you find insufficient or impractical? Question 1b. In addition to resolving the question of liability protections for private-to-private sharing, are there other aspects of the DHS guidance that you believe would benefit from additional clarity? Question 1c. Are there aspects of the law that should be clarified? Answer. As you mentioned, the updated guidance issued on June 15, 2016 on sharing for non-Federal entities \1\ makes the important clarification needed about how protections still apply when sharing occurs between private-sector entities in Annex 1 ``Sharing of Cyber Threat Indicator and Defensive Measure Sharing between Non-Governmental Entities under CISA''. The guidance was extremely helpful to provide clarification for concerns previously raised with the interim guidance. --------------------------------------------------------------------------- \1\ Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015, June 2016. --------------------------------------------------------------------------- As we have mentioned, we believe the U.S. Department of Homeland Security (DHS) has been very helpful in providing updates and clarifications. As we consider these questions, there are two areas that would also be helpful for DHS to provide some assistance. There are other programs within DHS that have been very helpful over time, the Cybersecurity Information Sharing and Collaboration Program (CISCP) and the Protected Critical Infrastructure Information Program (PCII). While CISCP, PCII, and the Cybersecurity Information Sharing Act (CISA) have different statutory authorities, and over time were created for different reasons, as we consider broader cybersecurity information sharing there are overlaps and some growing questions about how the private sector should share information and which programs should be used. First, it would be helpful for DHS to address how the CISCP program fits within the scope of the Automation Indicator Sharing (AIS) system and with CISA. The CISCP data is available as a separate `feed' on the AIS system, however access to this feed requires a Cooperative Research and Development Agreement (CRADA) to be in place. Since CISCP is part of AIS, that would mean that sharing under CISCP would have the same protections under CISA as AIS and it would be important for DHS to confirm that point. If that is not accurate, then it would be helpful for DHS to provide that clarification in order to ensure that is the case. Second, as we consider other aspects of the law and cybersecurity information sharing with DHS, it would be helpful for DHS to provide clarification on how the PCII program currently does, and in the future will, work with CISA. While PCII was created many years ago for physical events, it has morphed over time to include physical and cybersecurity events and is a useful program. Many companies, whether large or small, will need to understand and ultimately choose what program to share information through and clarification now would be important. Question 2. As a general rule, small- and medium-sized businesses do not have the resources to devote to the most advanced, state-of-the- art information technology systems. As such, they are more likely to use older systems even if they exhibit known cybersecurity vulnerabilities. In developing its information-sharing program, has DHS provided a means for entities that rely on these older systems to share and receive threat information, or does their platform require more advanced system? Answer. We work closely with a number of small- and medium-sized businesses and are providing answers to your questions based on our experience working with them. As you may expect, for those companies who are small- and medium-sized businesses, they may have different perspectives than we do. However, we have a few thoughts and suggestions on this question. DHS has provided two additional methods for firms unable to use the automation to share information with the Department whether firms are small-, medium-sized, or larger ones not able to use automation. That includes a web submission form and an email box to send submissions. Both methods are accessible for small or medium business whether they are using older information technology systems or simply choose not to use automation. DHS could consider ways to share with organizations how that manual information will be shared back. It may also be helpful for DHS to provide guidance or best practices on how to craft a good submission. In fact, this may be useful for those sharing via an automated or manual submission. Question 3. In developing the aforementioned guidance, 103(a)(5) specified that the procedures established must facilitate periodic circulation of cybersecurity ``best practices'' designed with special attention to the accessibility and implementation challenges faced by small businesses. Do the policies and procedures described in the guidance actually facilitate the development and circulation of best practices that are mindful of small business needs? Answer. One area that may be more challenging for small- and medium-sized businesses could be in understanding how to understand and manage ``defensive measures.'' The guidance discussed how these will be created and what they contain. Small- and medium-sized businesses will have different abilities to understand how to manage them when they are received and may need additional support to create internal structures to implement them. Whether large or small, it would be helpful to have a method for providing feedback or surveying recipients (of such defensive measures) as to the level of detail that a company finds useful or lacking. In other instances in the past, suggestions may come from an agency that over-simplifies what defensive measure should be taken including ``patch your systems,'' ``update anti-virus,'' or ``use a firewall.'' Suggestions for defensive measures from the U.S. Government going forward will need to be tailored to the size and abilities of the companies. It is important to note that many small business use service providers to perform some or all of their IT services. These service providers are a community to which the Department must engage to effectively assist small businesses benefit from the information shared via CISA. Question 4. There is a natural tension between sharing threat indicators quickly to facilitate rapid response, and sharing only the most valuable information once it has been processed and analyzed. I understand that DHS uses the former, emphasizing volume and timeliness. Do you prefer this ``time is of the essence'' approach? In other words, how useful and actionable is the information you receive from DHS? Answer. There is an inherent tension between sharing quickly and sharing the most valuable information that no single approach will solve. However, sharing quickly with the ability to revise information shared when refined or after feedback from other parties is received is the optimal approach. Discussions have been had with DHS about adding ways to share confidence ratings within the cyber threat intelligence (CTI) AIS system that could be utilized to make the determination of how best to act on the information. As a result, CTI could be shared but if needed be matched with a lower confidence information versus those that may receive a higher high confidence based on information that has additional vetting imbedded in it. Question 5. The Cybersecurity Act of 2015 contains numerous provisions designed to safeguard privacy and civil liberties by requiring, for instance, the scrubbing of personal information. Are private-sector organizations using their own systems to fulfill these obligations or relying on DHS mechanisms? Answer. In our experience, the private sector firms Soltra works with take privacy very seriously and are taking the necessary steps to ensure that scrubbing of information is occurring before information is shared under CISA. The final DHS-DOJ guidance also does a good job providing examples of the demarcation under CISA on what data points may be related to the actual threat and how best to manage that process. We appreciate all that you do on these issues. If you or your staff would like to discuss any of these matters in more detail, please let us know. Questions From Chairman John L. Ratcliffe for Mordecai Rosen Question 1. In your opinion, do DHS's programs to secure Federal Information Systems--Einstein and the Continuous Diagnostics and Mitigation (CDM) program--together offer a comprehensive solution and a defense-in-depth strategy to secure Federal networks? Answer. Federal Information Systems are much safer today as a result of early implementation of the Einstein and CDM programs. The Federal Government has successfully integrated logical access through the use of the PIV card for all privileged users and performed an audit and reductions of privileged accounts. In particular, OPM has utilized the CDM roadmap whereby you start with identifying assets and users, then move toward managing behavior. Early implementation of the Einstein program has helped Federal agencies to detect malicious cyber attacks, and to communicate these threats across the Federal Government. However, there remain opportunities for improving security through automated response and modernization of antiquated legacy systems. We think the Cyber Sprint helped improve Government security overall as well. Some say we need a marathon and we agree, there is much work to do. But, we believe that a long series of tightly measured sprints invokes management focus and unmatched operational cadence. The Einstein and CDM programs constitute an effective strategy to improve Federal agency cybersecurity, with opportunities for continuous improvement as technology evolves. However, a plan and strategy are inconsequential without deployment. Deployment urgency will remain a critical component to maximizing protection of Federal networks. Question 2. In your opinion, are DHS's cybersecurity programs for both Federal and non-Federal entities flexible and dynamic enough for it to leverage emerging cutting-edge technologies and to keep pace with the rapidly-evolving cyber threat landscape? Answer. CA Technologies believes that DHS has become much stronger at engaging with stakeholders and incorporating private-sector input into both Federal and non-Federal cybersecurity programs. These include the Einstein and CDM programs for Federal agencies and the Automated Indicator Sharing (AIS) program for private entities. This stakeholder engagement is vital to maintaining flexibility and incorporating cutting-edge technologies. We believe the major challenge in maintaining pace with the evolving cyber threat landscape lies in the procurement, acquisition, and deployment process. In particular, we see a need for more and better-trained contracting personnel who have a strong understanding of modern technologies and are empowered to accelerate deployment of technologies under DHS programs. Further we, and our technology industry partners, continue to advocate for stronger Federal Government alignment with the NIST- developed Framework for Improving Critical Infrastructure Cybersecurity, which envisions dynamic, flexible approaches to improving cybersecurity, and calls for continuous improvement based on evolving threat dynamics. Question 3. A long-term goal of Einstein includes the filtering of email, HTTP traffic, and DNS sinkholing. What would your estimation be of the other security risks to Federal networks outside filtering email, HTTP traffic, and DNS sinkholing? Answer. CA Technologies believes that the compromise of digital identities will continue to remain a primary security risk. Compromised identities have been a common thread in virtually every large network breach in recent years, including Federal agency breaches. CA believes that identity and access management technologies are central to protecting systems, networks, devices, and data. As Federal agencies increase their utilization of digital technologies, the authentication of persons and the authentication of devices and data will remain crucial to protecting Federal networks. In addition, authentication of both individuals and data will become increasingly important to maintaining the integrity of cyber threat information-sharing programs, as they are opened up to multiple actors and organizations. Further, as the application economy continues to evolve, more organizations and governments will be opening up their data sets to third parties. Therefore, it will be critical to both effectively manage and secure the application programming interfaces that allow for these transactions. Questions From Ranking Member Cedric L. Richmond for Mordecai Rosen Question 1a. In accordance with Sec. 103 and Sec. 105(a)(4) of the Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General issued updated final guidance on the sharing of cyber threat indicators and defensive measures between and among Federal and non-Federal entities. What was your impression of the guidance and are there aspects that you find insufficient or impractical? Question 1b. In addition to resolving the question of liability protections for private-to-private sharing, are there other aspects of the DHS guidance that you believe will benefit from additional clarity? Question 1c. Are there aspects of the law that should be clarified? Answer. CA Technologies would like to congratulate DHS, ODNI, DOD, and DOJ on the job they have done in issuing updated final guidance on the sharing of cyber threat indicators and defensive measures between and among Federal and non-Federal entities. The guidance clearly explains the mechanisms for sharing cyber threat information with the Federal Government, the requirements for removing personally identifiable information, and the liability protections that will be afforded to organizations that comply with the requirements of the legislation. At this point, CA believes that stakeholders would benefit from further DOJ and DHS clarification of liability protections for actions taken in good faith participation in the information-sharing program. The Automated Indicator Sharing (AIS) program envisions a wide volume and velocity of shared cyber threat indicator data streams, which will require significant analysis in order to make them actionable. It is possible that some organizations will act on certain data streams that may ultimately prove not to be related to cyber threats, and other organizations may miss relevant indicators in the data streams, all while participating in good faith. Greater clarification of liability protections under these scenarios would benefit participants. CA believes this clarification can be provided through DHS and DOJ outreach with stakeholders and potentially through further guidance. We don't believe the law needs to be clarified at this point. Question 2. As a general rule, small- and medium-sized businesses do not have the resources to devote to the most advanced, state-of-the- art information technology systems. As such, they are more likely to use older systems even if they exhibit known cybersecurity vulnerabilities. In developing its information-sharing program, has DHS provided a means for entities that rely on these older systems to share and receive threat information, or does their platform require a more advanced system? Answer. Our sense is that DHS has developed its information-sharing program in a way that allows for maximum participation with respect to manual sharing of cyber threat indicators. In addition to allowing organizations to share indicators through the AIS program, it also allows organizations to share cyber threat indicators through a web form or email. In order to receive liability protection under the law, these organizations will need to remove any personally identifiable information (PII) from information they share that they know at the time of sharing is not related to a cyber threat. This will require the organization to use manual controls or to implement automated controls to ensure PII is removed. Automated technologies, such as Application Programming Interface management software are available in the marketplace for small- and medium-sized businesses. In order for small businesses to receive cyber threat indicators from the Federal Government in close to real time, they will need to sign up to the AIS program. This will require them to acquire a Trusted Automated eXchange of Indicator Information (TAXII) client and to receive a Public Key Infrastructure (PKI) certificate from an approved provider. This may be difficult for some small businesses. We recommend that DHS continue to conduct outreach and awareness raising with small businesses to help them properly understand how cybersecurity risks impact their overall business risk environment. This will help small businesses better prioritize cybersecurity investments, including potential participation in information-sharing programs. Question 3. In developing the aforementioned guidance, Sec. 103(a)(5) specified that the procedures established must facilitate periodic circulation of cybersecurity ``best practices'' designed with special attention to the accessibility and implementation challenges faced by small businesses. Do the policies and procedures described in the guidance actually facilitate the development and circulation of best practices that are mindful of small business needs? Answer. The guidance titled, ``Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015'' included a section on periodic sharing of cybersecurity best practices. This section includes a listing of many cross-governmental programs, which provide cybersecurity guidance. Included in this list of programs are those with a focus on small- and medium-sized businesses such as those provided by US-CERT, the National Cybersecurity and Communications Integration Center (NCCIC), and the Small Business Administration. CA believes that facilitating the development and circulation of best practices should remain a priority for DHS implementation of the Cybersecurity Act of 2015 in order to make Government cybersecurity programs more accessible and actionable for the full range of stakeholders. We would recommend that DHS continue to flesh out this section with additional guidance in future updates. Question 4. There is a natural tension between sharing threat indicators quickly to facilitate rapid response, and sharing only the most valuable information once it has been processed and analyzed. I understand that DHS uses the former, emphasizing volume and timeliness. Do you prefer this ``time is of the essence'' approach? In other words, how useful and actionable is the information you receive from DHS? Answer. CA Technologies is not currently a participant in the AIS program, however we are in the process of actively exploring engagement. At this point, we recognize the importance of emphasizing volume and timeliness. In the longer term, we believe it will be important to enable automated analysis of data in order to make it more actionable for organizations that don't have the resources to process and analyze massive data sets. Authentication of both program participants and the data that is shared will be a critical factor in the successful implementation of this program. Question 5. The Cybersecurity Act of 2015 contains numerous provisions designed to safeguard privacy and civil liberties by requiring, for instance, the scrubbing of personal information. Are private-sector organizations using their own systems to fulfill these obligations or relying on DHS mechanisms? Answer. CA Technologies' understanding of the Cybersecurity Act of 2015, and its related guidance, is that it requires organizations to scrub personal information that they know, at the time of sharing, is not related to a cybersecurity threat in order to receive liability protection under the law. CA Technologies is not a current participant in the AIS program though we are currently actively exploring participation. Should we participate in the program, we would use our own systems to fulfill privacy obligations before sharing cyber threat indicators with the Government. As we noted in our answer to question No. 2, there are existing technologies available in the marketplace to help organizations filter personally identifiable information from data sets before sharing with the Government. We anticipate that most organizations will want to utilize these automated technologies or will implement manual controls to remove personal information before sharing. The DHS mechanisms will then provide an additional level of privacy assurance. Questions From Ranking Member Cedric L. Richmond for Ola Sage Question 1a. In accordance with 103 and 105(a)(4) of the Cybersecurity Act of 2015 (Pub. L. No. 114-113), on June 15, 2016, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense and the Attorney General issued updated final guidance on the sharing of cyber threat indicators and defensive measures between and among Federal and non-Federal entities. What was your impression of the guidance and are there aspects that you find insufficient or impractical? Question 1b. In addition to resolving the question of liability protections for private-to-private sharing, are there other aspects of the DHS guidance that you believe would benefit from additional clarity? Question 1c. Are there aspects of the law that should be clarified? Answer. Response was not received at the time of publication. Question 2. As a general rule, small- and medium-sized businesses do not have the resources to devote to the most advanced, state-of-the- art information technology systems. As such, they are more likely to use older systems even if they exhibit known cybersecurity vulnerabilities. In developing its information-sharing program, has DHS provided a means for entities that rely on these older systems to share and receive threat information, or does their platform require more advanced system? Answer. Response was not received at the time of publication. Question 3. In developing the aforementioned guidance, 103(a)(5) specified that the procedures established must facilitate periodic circulation of cybersecurity ``best practices'' designed with special attention to the accessibility and implementation challenges faced by small businesses. Do the policies and procedures described in the guidance actually facilitate the development and circulation of best practices that are mindful of small business needs? Answer. Response was not received at the time of publication. Question 4. There is a natural tension between sharing threat indicators quickly to facilitate rapid response, and sharing only the most valuable information once it has been processed and analyzed. I understand that DHS uses the former, emphasizing volume and timeliness. Do you prefer this ``time is of the essence'' approach? In other words, how useful and actionable is the information you receive from DHS? Answer. Response was not received at the time of publication. Question 5. The Cybersecurity Act of 2015 contains numerous provisions designed to safeguard privacy and civil liberties by requiring, for instance, the scrubbing of personal information. Are private-7sector organizations using their own systems to fulfill these obligations or relying on DHS mechanisms? Answer. Response was not received at the time of publication. [all]