HEARING OF THE HOUSE PERMANENT SELECT COMMITTEE ON INTELLIGENCE
SUBJECT: CYBER SECURITY
Wednesday, September 24, 2008 at 10:55
CHAIRED BY: REPRESENTATIVE SILVESTRE REYES (D-TX)
WITNESSES:
PAUL KURTZ, FORMER SENIOR DIRECTOR, CRITICAL INFRASTRUCTURE PROTECTION, WHITE HOUSE HOMELAND SECURITY COUNCIL;
AMIT YORAN, FORMER DIRECTOR, NATIONAL CYBER SECURITY DIVISION, DEPARTMENT OF HOMELAND SECURITY;
JOHN NAGENGAST, FORMER ASSISTANT DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY;
MARTHA STANSELL-GAMM, FORMER CHIEF, COMPUTER CRIME AND INTELLECTUAL PROPERTY SECTION, DEPARTMENT OF JUSTICE;
SUZANNE SPAULDING, FORMER MINORITY STAFF DIRECTOR, HOUSE PERMANENT SELECT COMMITTEE ON INTELLIGENCE
LOCATION: 2218 RAYBURN HOUSE OFFICE BUILDING, WASHINGTON, D.C.
TIME: 9:30 A.M. EDT
DATE: THURSDAY, SEPTEMBER 18, 2008
REP. REYES: Good morning and welcome to this hearing. I apologize for the slight delay this morning. And I want to thank all our witnesses for being here. Today marks our committee's first, but certainly not our last, open hearing on cyber security.
We've had numerous closed hearings and roundtables on this topic, but I believe it's important to hold some of our sessions in an open hearing process. I hope this will help to stimulate a public dialogue on an increasingly important issue that impacts the security and potentially the privacy of every American.
Improving cyber security has been a -- (inaudible) -- for some time. It is now only the beginning -- at the beginning stages of getting the attention that I believe it merits and deserves. The threat to our economy and national security is very real.
The Bush administration rolled out a major cyber security initiative in conjunction with the Fiscal Year 2009 budget. Even though many of its elements were placeholders awaiting the development of much needed strategy and policies, I want to applaud the fact that the administration has taken this long overdue concrete action.
The House passed Intelligence Authorization Act for 2009. We expressed our support for taking action in this issue, but also raised concerns in several areas including, one, lack of an effective governance structure; two, lack of an effective model for a new kind of public/private partnership, and three, the excessive secrecy associated with this initiative. It will now be up to the next administration to address these issues and figure out how to shape the cyber security initiative for the future.
That brings us to our panel today. Over a year ago, before the administration announced the cyber security initiative, the Center for Strategy and International Studies chartered a commission on cyber security for the 44th president. Its purpose was to advise the new administration on the way forward for improving cyber security.
The commission was made up of many of the finest cyber brains in industry and in government, and they have spent many hours developing their recommendation. The commission is co-chaired by Harry Raduege, who is the former director of the Defense Information Systems Agency and by Scott Charney of Microsoft, along with our own congressman and member of our committee, Congressman Jim Langevin of Rhode Island, and also my good friend and colleague from Texas Congressman Mike McCaul -- welcome, Mike -- the chairman and ranking member of the Homeland Security Subcommittee on Emerging Threats, Cyber Security, and Science and Technology.
On Tuesday, Mr. Raduege and Mr. Lewis of the commission staff briefed Congressman Langevin and McCaul and Congressman McCaul's subcommittee on some preliminary findings and recommendations of the commission. We will hear a recap of those this morning. And then we will delve into the intelligence ramifications of those recommendations and what role the intelligence community should play in a national cyber security initiative.
The commission's draft report identifies cyber espionage as one of the major problems facing our nation, and currently facing our intelligence community, which has a major role to play in countering that threat. Cyber espionage poses some special challenges in the areas of detection, attribution, and prosecution.
I look forward to hearing from our distinguished panelists today on those challenges, and on other issues the intelligence community and this committee should be thinking about for the future. We are obviously interested in where your facts diverge from the administration's current cyber security initiative, and also why?
Finally, although the bulk of the administration's cyber security budget request goes to the intelligence community, this committee is only one committee of jurisdiction for an issue that spans multiple committees and their oversight responsibilities. We are committed to working this issue collaboratively with our colleagues in the next Congress and with the new administration.
In his hearing on this subject on Tuesday, Congressman Langevin announced the creation of a cyber security caucus. I'm sure we will all -- have many members eager to participate in that caucus. The committee is committed to conducting what business we can in the open, because the issue of cyber security is one that affects the security and the privacy of every American.
I would now defer recognizing the ranking member until such time as he gets here. And without objection, we'll include his statement for the record on this very important issue. So with that I now would like to recognize my colleague, who is a valued member of this committee and who is the co-chair of the commission. Congressman Jim Langevin, you're now recognized to make some introductory remarks.
REP. JIM LANGEVIN (D-RI): Thank you and good morning. First of all, I would like to thank you, Mr. Chairman, for your impressive leadership on cyber security, for what you do for protecting our country, and particularly the work you do in the intelligence community. I also want to thank our witnesses today from the CSIS commission.
And I know I'm also joined today by my colleague Congressman McCaul. I know that at some point there would be a unanimous consent request to allow him to speak -- (inaudible) -- today for the purpose of giving a statement.
But let me begin by saying, as the chairman mentioned, in addition to my duties on the intelligence committee, I do chair the Homeland Security's Subcommittee on Emerging Threats, Cyber Security, and Science and Technology.
Over the course of the 110th Congress, we've held eight hearings and conducted dozens of investigations into a variety of cyber security issues including hacking incidents at State, Department of Commerce, and DHS. Cyber attacks on our internet infrastructure, oversight of the cyber initiative, the need for additional investments in cyber security research and development, mitigating cyber vulnerabilities in the electric grid, and incentives for private sector critical infrastructure as to mitigate cyber vulnerabilities.
I'm very proud of what we've achieved during this Congress. And I'm especially proud of the bipartisan partnership that I have enjoyed with my ranking member, Mike McCaul, from Texas who, as I said, is also joining us today.
I believe our oversight has enhanced federal and critical infrastructure at cyber security by improving security at DHS, highlighting and filling gaps in federal policy and holding individuals in the public and private sectors accountable. I spent a great deal of time on this issue because I believe national and economic security depends on securing our nation's information and our critical infrastructure from cyber attack or exploitation.
I want to be clear about the threat. As vice chairman of -- a colleague of the -- joint chair -- the vice chairman of the Joint Chiefs of Staff has said in the past, America is under attack in cyberspace. We must stop treating this as a hypothetical situation and understand that the enemy is here and we're taking on damage. We must deal with this issue with all urgency.
Cyber security is a highly complex problem that requires clear leadership and vision across all levels of government. In October 2007, I was asked to co-chair the Center for Strategic and International Studies Commission on Cyber Security for the 44th presidency; a non-partisan commission composed of approximately 40 renowned cyber security experts from across the country, both in and out of government.
It's an impressive, experienced, and diverse group of people. Mike McCaul, my ranking member, and Scott Charney of Microsoft and retired general Harry Raduege sat with me as co-chairs. And we are ably led by Dr. Jim Lewis of CSIS who I know wanted to be here this morning, but had a scheduling conflict, but did testify before my subcommittee, as the chairman mentioned, this past Tuesday.
The goal of the commission is to develop recommendations for comprehensive strategy to improve cyber security in federal systems and in critical infrastructure. We've held five plenary sessions since September 2007.
The goals were to assess current and future threats to federal systems and to critical infrastructure, review authorities, policies, and government organizations for cyber security, and identify requirements for critical infrastructure protection including the new incentives legislation or regulation. Throughout the last year, members of the commission have also participated in a number of briefings and tabletop exercises with subject matter experts in the public and private sectors to address these issues.
Our goal is to develop these recommendations in a report to the 44th president to be released in November of this year. (Inaudible) -- commissioners and co-chairs including myself and Mr. McCaul will personally brief the campaigns about these issues.
On Tuesday, as I mentioned, the subcommittee discussed many of the commission's preliminary findings as it relates to organizational structure, authorities, budgets, public/private partnerships, and regulatory structures. Today, I look forward to continuing that discussion, particularly focusing on the legal issues that affect the intelligence community. We are joined by some true experts in the field, and I certainly appreciate all of their contributions.
With that, I'm very proud to be associated with the commission and its work. And I want to thank you, again, Mr. Chairman, for providing me the opportunity to speak today. With that I yield back.
REP. REYES: Thank you, Mr. Langevin. Before I recognize my colleague from Texas, I would like to recognize Congresswoman Heather Wilson who will make a statement on behalf of the ranking member.
REP. HEATHER WILSON (R-NM): Thank you, Mr. Chairman. I apologize. For some reason we had HC-5 on our schedule. I don't know whether there was a change or whether we just got the wrong word. But we didn't know about this room until they called me and said can you come find us. And so --
MR. : (Off mike)
REP. WILSON: (Laughs). So I apologize for folks who got the right word and were waiting. We thank the panelists for being here today. I think that's one of the things we need to make sure that everyone understands, that when we use the word "commission," we're not referring to something that is established under the Federal Advisory Committee Act, but the coalition of the ruling sponsored by the Center for Strategic and International Studies, which use the term "commission."
I'm glad they came together to address this issue. Most of the things that we need to talk about as a committee would be best discussed in closed sessions. That's one of the policy issues probably -- (inaudible) -- broader public discussion, including who's in charge, how can our government or executive branch do a better job at establishing the lines of authority so that policy may be developed in what is an extremely difficult area.
Secondly, we've got to address the issue of development and modification of law and strategy and policy, and there may be laws that do need to be changed. Third, we need to balance the need to share with the need to compete. That's particularly true when we're dealing with private entities. And it's one thing for us to look at the protection of government computers, but there are serious vulnerabilities for our infrastructure, for companies, private organizations, potentially even banking that could have a very serious effect on the American economy.
And then finally, how technology may outplace bureaucracy and how we can develop policies that adapt as technology changes and as the threat changes. I would ask unanimous consent to put the entire opening statement into the record. (Cross talk.)
REP. REYES: Without objection. Thank you, Ms. Wilson.
And now, I'd like to ask unanimous consent to allow Congressman Mike McCaul, the other co-chair of the commission and the ranking member of the Subcommittee on Emerging Threats, Cyber Security, and Science and Technology to make some introductory comments. Without objection, Mr. McCaul, you are recognized to make your statement.
And again, thank you very much for joining us this morning and also for your work in this very important field that, I think as Ms. Wilson and others have said, we're going to have a lot of work to do in the coming months and years. So Mr. McCaul, you're recognized.
REP. MICHAEL MCCAUL (R-TX): Thank you, Mr. Chairman. I have always wanted to serve in the intelligence committee. So you gave me that wish today, I guess -- (laughs). I thank you for that.
I also want to thank my good friend and colleague, chairman of the Homeland Security Subcommittee, Chairman Langevin. We have been working on this issue from almost since the beginning of this Congress, very steadfastly, a lot of hearings culminating in the formation of this commission.
And I want to say -- (inaudible) -- it's been a real pleasure to work in such a bipartisan fashion on such an issue of importance to the American people. This goes beyond the homeland security issue to national security issue. And that's -- I think what the American people want and deserve is for us to work together on issues like these.
Now, the hearings that we have had over the past almost two years were somewhat alarming. The question is are we getting attacked or are we prepared for an attack. Are we prepared for a cyber Pearl Harbor, if you will, are you prepared for a cyber 9/11?
And I think the answer, as Mr. Kurtz will testify to, is that we are being attacked. There have been massive intrusions into our federal networks. There has been espionage taking place.
And this goes beyond even intrusions into federal networks, into criminal enterprises hurting the private sector. In addition, the issue of -- finally, the issue of cyber warfare.
When were based on the, what has now been declassified, the program to expose the vulnerabilities with respect to our power grids, that with the click of a mouse the power grid could be blown up. And the fact of the matter is, all of our critical infrastructure -- (inaudible) -- through our networks, whether that be the aviation sector, the financial sector, the power sector in my home state of Texas.
As the chairman knows, returning from the Houston coast area, we shutdown. The power was shutdown, massive destruction -- (audio break) -- done by a natural disaster. But I've seen that that can be done in perpetrating -- by a man-made disaster. And that is why this issue, I believe, is so important.
I believe that it deserves the high level of attention. This is sometimes one of those issues that people get it all glazed over, yeah, dissed (ph) at the headlines, but I -- it deserves high level attention. I think this commission is doing that. And I think that in briefing the candidates, and then briefing the next president of the United States, whoever it is, in a non-partisan way, would be a great -- (inaudible) -- for the American people and the next president.
And the recommendation that this should be an office out of the White House, I believe is a very good recommendation. They would put this issue front and center in the White House. And with that, Mr. Chairman, I'll yield back. Thank you.
REP. REYES: Thank you, Mr. McCaul. And again, thank you for the work that you're doing on this very important battle (ph) topic. It's now my pleasure to introduce and welcome finally the distinguished members of our panel. Our lead witness is Mr. Paul Kurtz of Good Harbor Consulting Group. He is the senior director for critical infrastructure protection on the White House Homeland Security Council.
We also want to welcome Amit Yoran of NetWitness, formerly the director of the National Cyber Security Division in the Department of Homeland Security. Welcome.
Next, Mr. John Nagengast of AT&T, formerly the assistant deputy director of the National Security Agency. And next, Martha Stansell-Gamm, formerly the chief of the Computer Crime and Intellectual Property section of the Department of Justice.
And finally, Suzanne Spaulding of Bingham Consulting Group, formerly the assistant general counsel of the Central Intelligence Agency and the minority staff director of this committee. Someone we are very familiar with and someone we want to welcome back. So welcome all of you.
And thank you for the work that you are doing as well with -- in concert with our two colleagues, in an area that is going to be, I believe, one of the critical challenges with the next administration, in concert with working with the Congress, what they're doing.
So we're -- I'm looking forward to your report, I believe that comes out in November. Is that correct? Any recommendations? So we are all looking forward to reading that report and the recommendations.
With that, Mr. Kurtz, you're recognized to make an opening statement.
MR. KURTZ: Thank you, Mr. Chairman, it's a pleasure to be here today. And other members of the committee, thank you for asking us to come testify. I've been asked today to cover three areas, the work of the commission established by CSIS on cyber security, a comparison between the work of the commission and the president's comprehensive national cyber initiative. And third, the role of the intelligence community in cyber security.
As has been said already, if I can just make a couple of comments before I drill down to each of those, cyber security is no longer a homeland security issue. It is now immediately relevant to our economic and national security, it is a national security issue today, and it is needed to be treated that way.
American industry and government are spending billions to develop new products and technology that are being stolen at little to no cost by our adversaries. Nothing is off limits; pharmaceuticals, biotech, IT, renewable energy plans, vehicle designs, weapon system designs.
It is not just intellectual property that is at stake. Information ranging from personal financial data, -- (inaudible) -- data, location of military forces, emergency response programs -- (inaudible) -- leadership are at risk.
Unlike Y2K, there is no single fix. The adversaries are not limited to nation states' military and intelligence organizations. Criminals, organized crime, terrorists, malicious insiders, and business competitors can and do engage. The battle in cyberspace is just beginning. It is destined to be very complicated and costly.
The commission. In this context, what I just said, the commission was established to make recommendations to the 44th president. After examining the issue over the past year, the 35-member commission is focusing on recommendations in the following areas. Leadership, organizational structure, strategy and priorities, the role of regulation, government authorities, public and private sector collaboration, identity and attribution, R&D, and the use of all instruments of power to secure cyberspace including diplomacy, military, economic, law enforcement, and intelligence capabilities.
The commission will release its findings in late October or early November. Some of the recommendations, I must say, generate a little debate. Others will require additional deliberation by the commission. For example, it is clear that we need a strategy and that cyber security is a national security issue requiring senior level policy and program coordination in the White House.
However, determining the best place to house and coordinate operational collaboration across federal agencies and with the private sector requires careful consideration. The role of regulation is also being considered. For example, the commission is considering whether internet service providers and carriers should be required to scan for malicious code.
Today such action is voluntary. The unclassified nature of the commission's product precludes a detailed discussion on military intelligence issues associated with cyberspace. However, the commission is in agreement that there is a very close relationship between steps to secure information systems and the measures to collect and attack information systems.
On the second issue of a comparison between the CNCI and the commission's work, despite its name, the president's Comprehensive National Cybersecurity Initiative is not comprehensive. For example, unlike the commission's work, it does not set out a strategy or address the challenges the private sector is facing.
However, it is a worthy, if belated, start on establishing and coordinating stronger cyber security programs across the federal government. Many agencies, including DOD, FBI, NCIX, elements of DHS, and ODNI provided unclassified briefings to the commission on the initiative despite White House staff wishes.
In other words, the White House has not been transparent on this issue. Members of the commission appreciate the transparency shown by the agencies and as a result many of the commission's recommendations in fact build on the work of the CNCI. A very important point that we want to make sure everyone understands.
The CNCI taskforce under the leadership of Melissa Hathaway has made steady progress on the initiative over the past year. Even with the CNCI's shortcomings, Congress as it looks at funding the initiative should provide adequate funding. The federal government will continue to fall behind in our efforts to set foundations to build a more secure and reliable, resilient information infrastructure without such funding.
Now let me finally return to the role of the intelligence community. Simply stated, it is vital that the intelligence community serve a supporting role in securing cyberspace as well as supporting the warfighters. The IC carries its traditional responsibilities of providing indications and warnings of plans, intentions, and capabilities of adversaries.
However, the challenges to the IC in cyberspace are daunting, especially in security. Technical -- let me make a few points about why it is so difficult. Unlike traditional collection analysis that focuses primarily on the substance of communications or visual observations via satellite, in cyberspace, the IC must collect and dissect and analyze code.
Adversaries are growing more sophisticated in hiding the malicious nature of code and its functionality. This process is labor intensive, requiring new resources, capabilities, and skill sets.
The second challenge, determining attribution. Should the functionality of code be uncovered, this leads to the critical question of origin. Who developed the code? Where did it come from? Was it installed remotely, or did insiders facilitate access? Internet communications routinely transit several "hops," making it easy to hide or spoof the origin of an attack.
This is an exceptionally difficult challenge to overcome. And the IC would be critical in helping to unwrap it, especially when it comes to the case of the U.S. contemplating a military response in the case of cyber attack.
Scope; finally, there is the issue of scope. The IC must think beyond traditional target set of information systems that support government and military systems. While government and the military systems may be targeted through cyberspace, equally, if not more plausible are attacks against privately owned and operated systems.
This poses a challenge to IC: how to establish intelligence and collection requirements that ensure we understand the plans, programs, and intentions of adversaries that try to strike private sector systems. Equally important, the IC must develop the strategy and procedures to share information with the private sector about such attacks.
The NCIX is charged with the responsibility of leading counterintelligence efforts within the government and the private sector. It appears that the authority, resources, and capabilities to address this issue are wholly inadequate with the NCIX.
For example, if the IC learns that a U.S.-based auto manufacturing company, for example, is a target of state and industrial sponsored espionage, the NCIX has real limitations on providing information to the targeted firm and industry that would help it defend against the attacks. Offering information on what ports to block is simply not enough. Adversaries are seeking to establish a persistent presence and using increasingly sophisticated command and control means to piggyback on legitimate applications.
The committee should do at least three things. One, request a briefing from the NCIX, FBI, and CIA, and NSA, and other relevant agencies as to how they are addressing the provision of classified information to the private sector about ongoing attacks. It is no longer sufficient for the U.S. government to not share such information with companies ongoing attacks every day.
Secondly, the committee should request an annual assessment from the NCIX and the NIC on cyber attacks that the IC and law enforcement authorities had witnessed against the private sector. And the steps that they are taking to inform the affected parties that sufficient information is provided to take protective action.
Finally, I would note, the Congress, if I may, must rationalize the current committee structure to address the cyber threat. Currently, several committees in each chamber have jurisdiction. At a minimum, there should be a joint cybersecurity committee similar to the function of the Joint Economic Committee. The House has made a good step forward this week by establishing the caucus to address these issues, a vitally important step forward. Thank you.
REP. REYES: Thank you very much, Mr. Kurtz. And I know the other witnesses are going to be making some key points. If I can ask you to make those points briefly. Since we started late, we would like to get to questions as quickly as possible. So with that let me -- Mr. Kurtz, you have come as the lead guy. We are going to --
MR. : Be the first --
MR. : -- and go down the line.
MR. KURTZ: All right. Thank you, Mr. Chairman. I will be brief. I invite your attention to my written statement. A couple of key points --
REP. REYES: And by the way, all your statements would be included in the record.
MR. KURTZ: Thank you, sir.
A couple of key points. First of all, the U.S. does not have a comprehensive strategy today to deal with cyber, and nobody is in charge of creating that strategy. I think that's one of the things that we point out in the report.
We applaud the CNCI as a great step forward, but it's going to have to come out of the closet and get into the public domain in large measure in order for it to be properly vetted and debated and for the Congress and the public at large to have confidence in it. And it also needs to look and challenge the intelligence community as this continues to evolve because how do you leverage capabilities in the private sector?
It is very much today an introspective kind of approach. And we think there are many capabilities out in the private sector that could be leveraged as a part of the CNCI strategy and that's something that we need to pay attention to in the future, and also explain competition in the private sector.
We at AT&T view cyber security as one of the competitive market advantages and invest heavily in that. And I think that's something that the government should be leveraging as you think about how to evolve programs in the future.
Last, but not least, the policy and legal framework for dealing with cyberspace really doesn't exist today. We have wars about electronic surveillance and FISA modernization, but cyberspace is kind of something that -- and cyber security is a grey area in between the existing legal framework.
And we talk about sharing and collaboration information, and the ability to exchange classified information between the private sector and the government. Share information about cyber attacks. I think there's going to have to be some new framework created to allow that to happen and to protect the equities of all the different parties involved. So thank you, sir. And I look forward to your questions.
MS. STANSELL-GAMM: Good morning and thank you, Mr. Chairman. I appreciate your leadership, Congressmen Langevin and McCaul, in this very important non-partisan issue.
I'd like to focus in my brief remarks on two issues. The first is the organizational one. The internet and global networks are a distributed resource and they are flat.
They are owned by many individuals and organizations. There is no central point, and so there is no central point of control. The threats against this resource are similarly distributed. As you have heard already, they come from anywhere on the planet with money motivation. And it is an extraordinary challenge to counter threats that are so distributed.
In answering to this, we need to think about response mechanisms that are similarly distributed. These capabilities exist all over government, and we are beginning to see them working together better, but not really well enough. There are lots of reasons for this. One of them is that we all have a tendency to be prisoners of our training.
Even if we try to confront this, it is difficult. If you have lived all your professional life in the intelligence community, it is natural that you would have a tendency to frame this issue as an intelligence problem with intelligence solutions. And so you do what intelligence professionals do.
If you are a technologist, you see this as a computer science problem with computer science solutions.
And if you are in law enforcement, which is my background, we see it as a crime problem with law enforcement solutions. And the warfighters understand perfectly well that cyberspace is battle space.
So which is it? All of the above, of course, and more. But what each one of these groups needs to understand is that each cannot be a comprehensive solution. Each group needs to understand that it is part of a much larger distributed response. And we need to think about how best to harness the existing power of government so that it works together the way a unit does.
There is no way to drive this kind of effective distributive leadership across government at all levels without leadership from the top. And that means the White House, and it means you. It's not going to happen unless this new comprehensive Internet age organizational vision is driven by real leadership. That's my first point.
The second is this is not just a national security issue. There is no way for the United States to protect itself, its people, its property, its interests in isolation from the global network. It can't be done. What this means is that the United States has a clear self interest in fostering the growth of secure information technologies worldwide. This is a self interest.
As part of the global strategy that you will be hearing about from all of us, I argue to you that an essential component of that will be thinking about how to use all of the -- (inaudible) -- of U.S. power, all of the elements of U.S. influence to promote secure information technologies -- (inaudible). The commission has lots of ideas for doing this, but the international strategy is going to be in the central component of the comprehensive plan. Thank you.
MS. SPAULDING: Chairman Reyes, members of the committee, it is indeed an honor and a pleasure to be here this morning and to see so many familiar faces both at the box, and in the chairs behind you.
You have heard some concerned testimony today, and we are here about the problems that the Department of Homeland Security is having, and trying to get its arms around this challenge. This is not surprising given the complexity of the issues, the magnitude of the threat, and the vast universe of diverse and dispersed stakeholders involved.
This would be a huge challenge for any agency, let alone one that is only five years old. But still heading the cyber security effort may indeed be beyond the current capability of DHS. This might lead some people to turn to the intelligence community or the Department of Defense to lead this effort.
There are many factors to consider in assigning appropriate roles and missions in the cyber security effort. And this is a task that Congress and the executive branch have a responsibility to undertake. It's something that has not yet been done, and is desperately needed. As an aside, I would note that my experience has been that professionals working in government are highly motivated to accomplish their mission.
But that mission has to be clearly defined in order to provide clear lines in the road, and most importantly, clear accountability. But as you sort through this essential task, I would like to put out a few cautionary flags. Clearly, the intelligence community can and must play an important role in the overall cyber security effort.
However, the IC operates in an environment of secrecy. And as this committee is well aware, secrecy has significant costs. These costs are not just in terms of dollars, although operating in a classified environment does add significantly to the monetary cost of operations. But secrecy also undermines public trust and confidence.
It reduces the prospects for public education, it hampers effective oversight, and it complicates collaboration with other agencies and with the private sector, all of which undermine implementation of an effective cyber security strategy. Some aspects of the cyber security effort must be kept secret in order to maintain strategic advantage, protect sources and methods, and ensure appropriate privacy protections.
The risk in putting too much of the effort inside the IC, however, is that it will fall prey to the over-classification that is so often the default mechanism in the intelligence community. Similarly, there are costs associated with assigning the overall cyber security effort to the Department of Defense.
First of all, like terrorism, cyber security is not principally a problem susceptible to a military solution, although aspects of it clearly fall within DOD's mission.
More importantly, however, my concern is that DOD has been so vocal about the development and deployment of cyber warfare capabilities, that it would be very difficult for that department to develop and sustain the trust necessary to undertake essential collaboration on defensive cyber security aspects with the private sector and with international stakeholders.
There is a significant risk that these vital partners will suspect that the collaboration is really aimed at strengthening our offensive arsenal.
In conclusion, Mr. Chairman, I believe the key is to continue to press for transparency in this effort as this committee and others have done, to reserve to the IC and DOD only those roles that no one else can perform, and to set up guidelines, procedures, and oversight mechanisms to try to guard against over-classification.
I want to commend the committee for holding this hearing for its focus on this subject. And thank you for the opportunity to participate today.
MR. YORAN: Mr. Chairman and members of the committee, thank you for the opportunity to testify on this very important topic. And thank you for Congress' nonpartisan focus on this very important cyber security topic.
Cyber security must be treated as a critical national security concern. The CNCI is a significant step forward, but more work is needed, and greater attention is wanted on this important topic. The Internet drives much of the globalization that we see in communications, and computer automation drives every industrial base in the world.
Combined, these technologies and communications represent the greatest threat to and also opportunity for the intelligence community. There is a critical role for intelligence in the cyber domain. This world does not come without its fair share of challenges. Some of these challenges are driven by a natural bias by the intelligence community to prioritize intelligence over law enforcement and other operational concerns.
The challenges could fall into multiple categories. There are technical challenges in how the intelligence community can best leverage the private sector, which operates most of the critical infrastructures and is responsible for protecting those infrastructures as well as developing the technologies that might be used for protecting those infrastructures.
There are legal challenges dealing with the framework that's largely inadequate for the speed with which Internet and cyber technologies can change operations. There is a bias and a challenge on over-classification and the inability to share classified information with the private sector, which again is responsible for developing the technologies and protecting the infrastructures on which the nation relies.
There are privacy and privacy oversight challenges, and finally, there are bureaucratic challenges. Cyber is driven at Internet speeds and is asymmetric in nature. The intelligence community and government is bureaucratic and hierarchic in nature, and ill-designed to deal with cyber challenges.
I appreciate your focus and attention on this matter, and I'm glad to be given the opportunity to testify before you today.
REP. REYES: Thank you.
And thank you all.
I think with your -- summation of your written statement and the comments you've made this morning, in concert with the written testimony, I think we've got plenty of areas to focus on this morning and ask questions.
I'd like to start out by asking the question -- it appears to me that you are likely to conclude that -- as a commission -- you are likely to conclude that the current proliferation of advisory and -- (inaudible) -- councils is not effective for policy development or information sharing.
In our committee's intelligence authorization bill for 2009, we included a provision directing the president to identify options for creating a senior level advisory body that will include representatives from the executive branch, from the legislative branch, and from the private sector. The question I have is, is this an idea that's consistent with you -- your commission's rules?
MR. : The commission has spent a lot of time looking at the number of committees that are out there. And if you go back in time to PDD-63, which was established under President Clinton, it actually started to foster some -- (inaudible) -- committees within the private sector, these things called Information Sharing and Analysis Centers.
Those have proliferated, in addition to additional homeland security advisory committees that were established in the aftermath of 9/11. And over and above that, you have the presidential advisory committees like NSTAC and NIAC which have been around for years as well. Bottom line is we have a myriad of committees, many of which, actually produce some useful product.
But it -- well, some of these committees, we put in so many people that the product is often lost, and so we have people in the private sector and people in the government spending very significant amounts of time in producing product that ultimately nobody reads or acts on. So, as the commission looks at this and unwraps it, well, let's rationalize this process.
As we look at information security, let's look at all those committees and advisory groups that are relevant to the problem, let's consolidate them as much as possible, let's make sure we have that blue ribbon team, that CEO team, that the upper echelons of government can communicate with. But also we need more operational interaction as well.
You know, right now there are some 17 separate sectors with their own committees. And if you are in the industry, we are participating in a whole myriad of commemorations (ph) it's very difficult to track. So the commission wants to rationalize that into a very simple structure. We're working out the details of how exactly that would be stood up, and how the interaction with the structures of government.
But I believe, and I ask the others to join in as well that we need a very, you know, significant streamlining consolidation of advisory committees.
REP. REYES: Thank you. And let me switch to another topic quick. The preliminary commission recommendation that does not figure in the administration's Comprehensive National Cyber Security Initiative involves identity authentic -- authentication. You recommend that this be required but only in -- for critical infrastructure networks.
So the question that I have is, do you limit this recommendation to critical infrastructure networks because of the privacy issues that it raises? And can you explain the thought process on this particular issue?
MR. : First, let me turn to others to add. One, it is clear that for certain transactions, for control of critical infrastructure, we need to have much greater use of authentication and identity management. In other words, today it is far too easy for individuals to get in and out of systems, without being fully authenticated, knowing actually who is behind it. There is -- you know, there is, you know, there is no -- (inaudible) -- cartoon, but you never know who is behind a computer, it could be a dog. And now we have to somehow authenticate that dog.
So that applies towards -- in the use and operation of critical systems. But it doesn't necessarily apply toward everyone's use of the Internet. If you will -- if you go there to surf the web, there is -- the distinction is where in the stack do you go from critical applications and critical transactions down into -- if you go web surfing, where you require that, and where is it not required.
When you do require it, the serious issues that we worked about, how you make these authentication systems work with each other. You know, -- (inaudible) -- on the panel are far more scared than trying to describe that. But the bottom line of the commission is no longer can we have or tolerate in that critical infrastructure finance, critical infrastructure supporting electric power, military government systems can be if you are not fully authenticated.
I will say that the president, under HSPD-12, which is an initiative to provide credentials that enable physical and virtual access to systems, is a good start. And the question is how much can that be if you were -- (inaudible) -- across government systems down into the private sector as well, and then maybe others who want to -- (inaudible) -- on the authentication fees.
REP. REYES: Anybody have anything else to add to that?
(No audible response.)
Okay. Let me conclude by asking your opinion on the dimension of security and privacy. It's been described as an intractable problem. Is it possible to develop a tiered approach to this authentication process that would improve security without sacrificing privacy? Is that possible?
MR. : Security and privacy are, if you will, two sides of the same coin. This has been said for a long period of time. In other words, in order to ensure you have secure transactions, you must authenticate yourself in some way. If you choose not to authenticate people and who is coming in or out of your system, you lose your privacy. So we have to work both these at the same time.
The question is, as I said in response to your second question, where do we require authenticating transactions, and where do we not require authenticating transactions. I think there are a couple of points here that, you know, that we can make that would raise the overall watermark from the overall level of security and privacy for citizens across the United States.
Number one, we don't have a common law which requires a) common security measures for the protection of sensitive personal information. Right now, it's a patchwork quilt. Financial institutions are covered, health care institutions are covered by something different, retail institutions are not necessarily covered.
What we have today, states individually have -- (inaudible) -- first states taking action in order to put in place minimum security measures and breach notification. This Congress could contribute significantly by passing a common law or a law that would put in place a common security scheme for the protection of sensitive personal information as well as a breach notification provision.
The legislation has been stalled up here on the Hill for at least four-and-a-half, five years. One of the issues associated with that is multiple jurisdiction. Multiple committees have a pull on this, and it hasn't moved forward. My personal view, it's high time it happens.
MR. : If I could just add to that, sir, you know, good security and privacy go hand in hand. I think what people get confused with is anonymity versus privacy, and that's a totally different kind of discussion. Obviously, there are some fans of anonymity in the Internet, but for business transactions, privacy and security and authentication all go -- all complement each other, and really need to be treated holistically.
And the anonymity question is a different kind of question. So I think that's how -- I think those things can be put together but again, you have to take a strategic view of how those pieces are going to fit.
REP. REYES: Thanks.
Amit, did you have --
MR. YORAN: Yes, Mr. Chairman. If I could just add to that, I would suggest that privacy law and security law are different. The improvements that might be made to encourage better privacy practices can also improve security at the same time. But those are two distinct objectives.
The decision as to which transactions and which types of activities might require some stronger forms of authentication and identity management needs to balance privacy and take privacy into account in addition to some of the technical complexities, in addition to some of the cost which might be introduced, and some of the delay into how technology gets adopted in our overall competitiveness as a nation. Ultimately it's a -- (inaudible) -- risk-management decision, then I think a simple choice if we would prefer to have better identity management on the Internet.
I think a significant question for the committee and for the intelligence community in general, when contemplating the CNCI and any future intelligence-related matters, is perhaps a stronger privacy oversight function or structured privacy oversight process perhaps outside of the executive branch, outside of the executing body perhaps as part of that, but with some form of term function that really sort of takes the partisanship out of it where you can have real privacy expertise playing an oversight role, making sure that privacy is being taken into account as the intelligence community takes on a greater responsibility in cyber operations.
REP. REYES: Good. Thank you.
Ms. Wilson.
REP. WILSON: Thank you, Mr. Chairman.
Mr. Nagengast, are there institutions or technical working groups made up of major private sector infrastructure companies that address cyber? I'm talking about things like, you know, you have industrial -- (inaudible) -- best practices committees and -- (inaudible) -- and standards and the industry themselves come together to start sharing strategies of best practices.
MR. NAGENGAST: Yes, there are a number of working groups that -- again, depending on the different sectors that you are looking at on the, you know, software industry. And there are a number of collaborative efforts looking at how can we make our products more secure.
In the service provider/carrier world, there are groups and in fact the -- as a sidebar of the NSTAC, there is a dialogue that goes on between the carriers on operations and how you do cyber security in the operational perspective that's part of the NCC responsibility that's at DHS today.
So there are a number of what I would call informal relationships. There is no overall top-down driven structure that says this is how industry should behave. But there are a number of collaborative efforts that are done in kind of an informal basis.
REP. WILSON: Have they been well supported by industry, and have they yielded good results? Or is this just something that kind of happens at ad hoc conferences from time to time? If you can describe a little more on what is going on out there, it would be helpful.
MR. NAGENGAST: Okay. There are cyber security conferences just about every week under some different -- at some different venue. The ITAA, for example, does a number of those kind of venues. There is a conference at NYS next week talking about security tools and automated assessment that we're participating in.
So there's no lack of opportunity in terms of the ability to exchange information and dialogue with your colleagues. What I'd say is that, you know, the downside of that there are so many of those that, you know, these people, you get lost in the noise.
So you know, I think might be one of the things to think about in terms of the ISACs and evolving that structure, and how to focus some of that energy in a more and more productive fashion. It's done rather ad hoc, you know, today.
REP. WILSON: Is there any one of those institutions or groups that provide enough of a foundation to build upon in terms of United States government cooperating more closely with industry to make sure that best practices are propagated?
MR. NAGENGAST: I'd say in my mind, the NSTAC is probably the best vehicle for making that happen. They typically tend to work on tasks on the administration, but that clearly could be a broader role that the NSTAC takes on in the future.
REP. WILSON: Are there any -- (inaudible) -- or incentives or disincentives -- I don't know whether -- you know, antitrust or -- (audio break) -- disincentives to share -- as far as sharing information on best practices for identifying, authenticating, and defeating cyber attacks or cyber problems?
MR. NAGENGAST: I don't think there are legal restrictions on that or antitrust. I think it's just -- but you know, everybody is competing in the same market space. So, you know, sharing is always good, and you always want to know, you know, what the best practices are, but you know, I'm not sure how to refine that answer.
REP. WILSON: Well, Mr. Amit Yoran, I wanted to ask you something with respect to R&D, and since I read the various bios here on who's involved in what, my guess is that you're probably the company that's closest to looking at how research and development in this area is funded, both on the private side, and whether it's funded sufficiently, and how on the government side? For research and development, for tools to identify, attribute, and then defeat cyber attacks. Do you have any comment on that or experience with it?
MR. YORAN: Yes, ma'am, I have some experience with -- (audio break) -- welcome the opportunity to provide some comments. There is a significant role for government to play in research and development around cyber security issues.
One role would be to better inform perhaps through some of the knowledge within the intelligence community, the technical expertise that may exist at CIA and NSA, and you know, the pockets with the types of vulnerabilities which might be exploited. The types of attacks with which the private sector needs to bear in mind as it develops -- puts the next generation of protective technologies, that type of information would be critical for the private sector producing the products which might better protect both the government and the private sector.
I think the government's role in development ought to be very laser (ph) targeted and focused for fear of government developed technologies which would be less capable than some of the commercial off-the-shelf technologies which are -- can (inaudible) -- at a lower cost and ultimately become much more scalable and longtime life-cycle, manageable.
I do think there is a fundamental research role and responsibility that the government can help address through funding some of the significant challenges as you've heard today and as you've experienced through other testimony and through other -- (inaudible). There's no shortage of challenges in the existing IT environment, in the existing Internet facing the nation.
A lot of our work ends up being a patchwork, really, on top of what seems like an insurmountable environment where the advantage is always given to the offense. I think significant research is warranted for the government to fund things that the private sector won't fund, because of private sector's short-term focus on development and bringing technologies to market.
REP. WILSON: Thank you, Mr. Chairman.
REP. REYES: Thank you, Ms. Wilson.
Mr. Boswell.
REP. LEONARD L. BOSWELL (D-IA): Thank you very much. Appreciate the work you've done, very important time as I -- perhaps -- (inaudible) -- time, I've said that other times. I think we must realize that this is -- (inaudible) -- of something we've all thought is a good thing, we get more -- (inaudible) -- more competition and so on. But I've concluded, after some time, that this is not necessarily the case in accordance to -- (inaudible) -- gathering and trying to share the -- (inaudible) -- that we've started and we have -- (inaudible) -- to some degree.
And I'm very concerned about how we could -- (inaudible) -- and how do we -- (inaudible) -- to give the industry the assurance that's a thing for them to do. I think we went through quite a good discussion here about -- (inaudible) -- weeks ago over another matter. And I think everybody on this committee, as Mr. Reyes, is in full agreement that we must follow and protect the Constitution.
At the same time, when we go out and ask for private entity to share, you know, yet another statement that -- (inaudible) -- in the classification period, when you know, Chairman Reyes -- (inaudible) -- have a need to know, we couldn't talk to each other. And that was years -- (inaudible) -- should have understood the need, for me, to know, the need to share to be safe.
And the immediate responsibility is to protect the Constitution. And also -- (inaudible) -- industry to loosen up and to share, without being (inaudible) go back on them, they've done something they couldn't or shouldn't have done. It's a hard line to walk. And I would be curious of any of you, something not to say about that, because I don't see how the -- (inaudible) -- being safe in this high-tech time -- (inaudible). I know that many of us on this panel have discussed this at some length, and we have to -- (inaudible) -- work at that.
Perhaps we can try to do it, and at the same time I don't make -- no hesitation we've got to honor and protect the Constitution. You know, this country won't be what it's been, and none of us want that. So comment, please.
MR. YORAN: I shall take the first shot at that one. I think that you are hitting on a very important topic of information sharing and the value of information sharing. I believe the step number one from the information assurance from a defensive perspective, it requires a declassification of significant information.
If the information required to protect and defend our computer systems remains classified, it cannot be shared. Many of the chief information officers across the federal government, many of the chief information security officers in the federal government don't have the top secret and compartmentalized clearances that are required to obtain the signatures of what they ought to be looking for with respect to advanced and persistent threats.
When that paradigm is extended into the private sector, the likelihood of getting that information shared into the private sector is -- (inaudible) -- nil. And the likelihood of getting the system administrators who actually put the data into intrusion detection and monitoring systems again is very low.
How you get the private sector to share information with the government and with the intelligence community in my opinion boils down to two, you know, two very distinct approaches. One is you can mandate and regulate that they must share the following types of information and how that information will be protected and --
REP. BOSWELL: If I could, on that point?
MR. YORAN: Yes, sir.
REP. BOSWELL: You know, if I were to mandate you to do that, and you ensure you're going to be protected, I would -- (inaudible) -- that you'd say I got to move very slowly. And then if you move that -- if you were to do so, I just -- I think I can see why that would happen and then, you know, we may have missed a point of opportunity.
MR. YORAN: Congressman, I couldn't agree with you more. I just believe that that's one approach; it's certainly not the one that I would advocate. I believe that the second and the practical approach would be to provide -- take an entrepreneurial approach -- you know, this is America -- which figure out how we can add value to the private sector, how do we create an incentive for the private sector to share information with the intelligence community or with the Department of Homeland Security or otherwise.
So either through information which can be provided in the form of vulnerability testing, monitoring signatures, techniques, supporting various response activities, guidance, and better protected methodologies, there is a wide variety -- and I go to protection, and there is a wide variety of tools that the government has at its disposal to add value to the operators of our critical computer systems. It's just a matter of designing the processes and developing the programs that will provide that incentive to share information.
REP. BOSWELL: (Inaudible) -- I was going to -- Ms. Spaulding to make a comment on that. I think a very -- some kind of a super -- (inaudible) -- at times, but we -- (inaudible). Go ahead. Okay, thank you.
REP. REYES: Go ahead.
MS. SPAULDING: Thank you. You know, I would agree with the points that Amit made. And I think one of the key questions the private sector asks when it's asked to share information is to what end. My sense is that CEOs and CIOs are all very patriotic people, and they understand the nature of this threat and they want to do what they can to help. But information sharing simply for information sharing's sake is really a sort of nonstarter.
And one of the points, as Amit said, you know, that the government will add value, but also that the companies feel that they are adding value, that there is an objective and a clear plan and a clear strategy in terms of what's going to happen with this information. And that in fact it is going to be used to some, you know, productive end and not simply sit in a vulnerable location in the bowers of the government.
So I think we need to move away from thinking that information sharing just for information sharing's sake, see it as a necessary consequence of the need to collaborate to solve problems.
REP. BOSWELL: Well -- (inaudible) -- necessary consequence I think that's much better. But I meant -- so we need to share, I don't mean just to share, I mean by putting things that they think is safe, and there's a lot of information out there that we don't have access to, and we've got to get a fix on that.
REP. REYES: Thank you, Mr. Boswell.
Mr. McCaul.
REP. MICHAEL T. MCCAUL (R-TX): Thank you, Mr. Chairman.
I guess throughout the hearings over the course of the last year or so, and when the commission testified before Homeland Security a couple of questions, you know, are we prepared? How vulnerable are we today? And the second one is who is in charge? These are fundamental questions, you know, and -- (inaudible) -- about it, but they are -- I think the wrong point.
With respect to who is in charge, I don't think -- my sense is there's not enough -- nobody seems to know definitively. There is no authority granted to one institution. There's not the coordination necessary.
As Martha talked about, in the intelligence community, you get the military, you have the law enforcement, all of the different private sector, and yet the coordination, it's very much, you know, kind of running on their own, and then no one's overseeing it. That's why I like the idea, -- (inaudible) -- the White House to have a centralized point of contact to coordinate these efforts.
And of course the ISACs are supposed to do the information-sharing that the private sector -- there's been some criticism about how successful they've been. And they don't have a lot of incentive to share vulnerable threat information. If it's going to be somehow made public, or they're, you know, they have a fiduciary duty to their shareholders.
So let me -- (inaudible) -- a lot of points there. Last one is, you know, on the piece on cyber warfare, you know, how do you trace back to the source to determine, is this an act of warfare? And I don't know if the commission is settling the issue of, you know, what would constitute an act of warfare.
Certainly, Russia, -- (inaudible) -- a serious attack on Estonia has looked pretty close to what I would consider to be, you know, an act of warfare. But in this modern cyber age, I think that those are issues we may have to come to terms with. For all you know -- I've pruned out the whole basket there and I have to turn it over to the panel for any thoughts they may have.
MR. : I -- (inaudible) -- focused on two issues that are closely related; what is attribution and military response. And this is why I think the intelligence community has a vital supporting role.
Today, we have a tremendous amount of trouble determining attribution. In the case of an attack, the intelligence community is going to be relied upon, especially with regard to foreign collection, to help determine where an attack actually came from, who is responsible, who might have been behind that computer. And we have a very, very, long way to go on that.
Until we start to get clarity in that piece, it's going to be very difficult to contemplate the military option, responding appropriate -- in the case of Estonia, what that appears to be is a bunch of nationalists and hackers who jumped into the fray.
In other words, it wasn't a state-sponsored event. Russia did not necessarily sponsor those attacks. Did they look the other way? Perhaps. But it didn't appear to be state-sponsored.
In the case of Georgia, that may be the case, it may not be the case. But it all comes down to attribution. So, this is the one area when we look at R&D, when you look at oversight, and you look at the need to share information, it's vital that, you know, the intelligence community plays a key role in attribution.
REP. MCCAUL: Any other comments?
MS. SPAULDING: I might just comment on the critical question of who's in charge, and we will focus on the question. And maybe one of the most important things we can ask is who's in charge of what, because there, again, I think one of the clear -- (inaudible) -- is to define lines in the road.
And one of the reasons is that it's critically important to have accountability. So that instead of asking who's in charge, perhaps the question is who's going to be held accountable. And their accountability is going to make people really focus on their mission. And today, because there is no one who has responsibility for this mission, there's no one who can be held accountable for it.
And finally, I think it's really important in this context and in the context of the DNI similarly, where you've got these issues that cut so widely across agencies in the dollar realm, to think of the person who we think of as being in charge, as really being the enabler, kind of flip the pyramid, so that that person, even that person that's sitting at the White House, is really not there to make everyone else do what they need them to do, but to enable the folks that are in the various agencies who have those missions, enable them to do their mission effectively by clearing away the impediments, and a big part of that is coordination. But I think it's important to think about the way we use these words and the contexts that go with them.
MS. STANSELL-GAMM: I think Suzanne's point is critical. One way to put in -- (inaudible) -- the idea of turning the -- turning it on its head, I think that's exactly right. If you spend much time at a tactical fighter wing, you realize pretty quickly that it is not the job of the wing to get the wing commander in here. It is the job of the wing commander to get the wing here, and everything that the wing commander does from the people who pack the parachutes, to the people who are working on the flight line, to training, to making sure people or fleet are in good health -- all of that goes toward the mission of getting those planes in the air, and everybody's on that base to make sure that happens.
So I think Suzanne's exactly right. The leadership at the White House and the leadership at lower levels needs to understand that it's not the central point of control or failure, it's there to enable, to support, to remove impediments, to diagnose miscommunications and gaps and overlaps in the part of the network for which they're responsible. So this is an enabling exercise.
REP. MCCAUL: Very good. I see my time has expired.
REP. REYES: Yeah. Thank you, Mr. McCaul.
Ms. Eshoo.
REP. ANNA ESHOO (D-CA): Thank you, Mr. Chairman, for having this hearing, and thank you to the witnesses and the work that you've done as a commission, and to our colleagues, Jim Langevin and Mr. McCaul, thank you too for your great interest and leadership on this issue.
A couple of observations. I think --- you know, I kind of think in columns and check things up. I think on the plus side, to the credit of the DNI and all of those that are associated with him for raising the issue of cybersecurity, and that our country has a problem and that we need to address it. There isn't anyone who disagrees with that. So that's a big thing, that's not being debated. We know that it's an issue and that we have to do something about it.
On the other side of the ledger, it is so large that I'll use a phrase that I've used often around here, it's like "trying to get socks on an octopus." Where do we begin? Where do we begin, how do we do this, where should it be, who should be in charge? Are these agencies really fighting for territory or is it legitimate that it be in seven places, two places, one place? Who is the best one to do this, how to do it -- (inaudible) -- private sector.
The DNI has said to us ad nauseam that it's 95 percent private sector, 5 percent government. And we've got to get that 5 percent right I think, otherwise the private sector is not going to save that 5 percent and whatever it is that we invest in it.
So let me say what my questions are. First of all, I think that what you put out that compares and contrasts the CNCI with what your views are -- is invaluable to us. I think, Mr. Chairman, that this committee should really come out with a white paper, because we're at the tail end of an administration, a new one is coming in, there has been work and thinking, but we should really issue something for a new administration.
I believe that it should be in the White House, because if it's not --- if the direction from the top is not there, this is going to be a seven or eleven-headed effort, and it's going to fall of its own weight. The left hand's not going to know what the right hand is doing.
Do you think that internationally -- because this is not just a U.S. issue -- that there should be a NATO-like effort around this, and if so, how so? What recommendations would you have about how you perceive that? I think it may be early on, but I still think we should be thinking in those terms, and I think we're going to have to have our own house in order to help give direction as a nation to other countries.
And the other question that I have is, when we talk about a military response to a cyber threat, what are we talking about? Are we talking about the intelligence community identifying the source, and then the military doing what? Taking that source out? Bombing it? What are we talking about? And anyway, I could spend hours with you. So I -- (inaudible) -- in all of you, I think you've done a terrific job.
MR. : Two questions -- Martha is in the best position to answer the first because she's actually spent a lot of time working on this for the commission as well as when she was with Justice. I'll defer to her on the first question.
On the second question, I think that the intelligence community has a vital supporting role.
REP. ESHOO: Who does?
MR. : The intelligence community has a vital supporting role in helping understand who is actually behind an attack. Once you -- once you understand who's behind the attack, I think it evolves up in the system into the normal, if you will, the national command authority to weigh all the options as to what you'd use to respond.
And it doesn't necessarily have to be a response in kind in cyberspace. It could be another form of traditional military response. But I'll be real candid here. These are issues that we really have not thought through, as you mentioned, and now we're starting to generate this in this debate.
When we look in the '50s, when you look at the ground nuclear threat, there's a quite clear discussion and debate about how we handle that issue. That kind of -- (inaudible) -- about what did deterrence look like, what did our response look like, how do we handle the mutual reference in a context of multilateral or bilateral relations? And that's not there right now.
That all has to be developed, and I commend the committee for having this hearing, an open hearing. Because we do mean -- we all have a lot of very smart people in the commission and a lot of very smart people in the government, we do need to bring other brains into the process; to start thinking through the implications of what's going on in Chinese (ph) territory.
REP. ESHOO: -- do that by bringing in private sector people, because the community, I think the community said, oh, we're in touch with this and that, whatever. I talked to -- you know, where the intelligence community goes shopping is in my district, and so I asked people, and they said no, we haven't heard from anyone.
So we've got a lot of work to do on this, you know, I guess -- Martha, did you want to --
MS. STANSELL-GAMM: On the international question, it probably will not surprise you to hear me say that we need to be doing a lot of things at the same time, and we've made a fair amount of progress, but, boy, is there a long way to go.
For example, if we think about what needs to be in place for foreign partners to assist us in pursuing our interest, in investigating crimes, in arresting people who steal intellectual property or financial information, for example, and this is a huge problem in some quarters of the world.
What needs to be in place? Well, they have to have the laws locally in these foreign jurisdictions, that empower them to do that.
REP. ESHOO: Uh-huh.
MS. STANSELL-GAMM: They will need to have the substantive and procedural laws so that they can collect the kinds of evidence that we need to make those cases, and then we need to have the permission to put those laws and operational capabilities to the service of other countries.
That is exactly what the cybercrime convention negotiated at the Council of Europe does. It has those three pieces. It requires signatory nations to pass laws -- of both types; it requires them to begin to develop an operational capability; and it requires them to assist each other. The United States took a huge step in signing and ratifying that convention, but many important countries have not so far.
It seems to me that one of the things that leadership should be doing is to think about all the ways in which it can encourage foreign partners to pass the laws and make the commitments that would make it possible for them to join the cybercrime convention. That is an incredibly important piece of foundational work.
There are many other things we should be doing as well, but that's one example.
REP. ESHOO: Thank you. Mr. Chairman?
REP. REYES: Thank you, Ms. Eshoo, and --
REP. ESHOO: The suggestion we should be seriously considering is that inside the Congress we have a tight and coordinated body that's in charge of this, because here we are at the end of the session, and all of the jurisdictional fights are going on. Well, we can't get the -- (inaudible) -- to break through, oh no, Ways and Means doesn't like it, oh no, so-and-so is holding it up, and it all comes -- it either comes to a screeching halt or two or four or six years of work just falls apart.
So I think that we should, as a committee, let's say, examine the structure that will allow for things to really move forward and not fall apart between these provincial jurisdictions with God knows how many committees.
REP. REYES: Yeah, I agree, and I wanted to publicly thank you, Ms. Eshoo, for your interest and your leadership. Ms. Eshoo has really been at the forefront for this committee on the issue of what needs to be done, how it needs to be done, and how comprehensive. I personally thought it was quite interesting that the administration put DHS in charge of this project. I thought it was the equivalent of having somebody floundering, drowning, and tossing him an anchor and saying okay, good luck.
But I feel that's what -- the point that you're making, Ms. Eshoo, is that we need to, perhaps from the congressional side, in concert with perhaps recommendations from this commission that we've started, at least from my perspective, a way forward on this. So I appreciate that.
Mr. Langevin.
REP. LANGEVIN: Thank you, Mr. Chairman, and I whole -- (inaudible) -- with your comments and I thought Ms. Eshoo hit the nail on the head with a lot of these coordination issues.
And that kind of leads me to my question of what are some of the things -- (inaudible) -- about a more -- first of all I want to, again, thank the panel for being here. I become more and more impressed with the caliber of people that are on the CSIS commission in establishing a -- this blueprint for the next president, on cybersecurity, and so I appreciate again your testimony here today.
Let me start with the issue of, you know, the CNCI and why so much is being so classified. You all, as most if not all of the members of the commission, as I understand it, have security clearances of "top secret" or above; you know what classified information looks like, what it should look like. Can you talk about the justification of why this initiative is being so classified? Why -- you know, does it need to be classified, what elements need to be classified, and -- or should it -- or just most of it be in the open?
So we'll start with that, and then I'm going to talk about more of the lines of authority, plus that I've got a more of -- I've got the -- the overall blueprint should look like. But let's talk about that. Just for the -- those in the committee and the public, you know, what elements should be classified or why; does it need to be classified at all?
MR. : First of all, there are some elements of -- (inaudible) -- that need to be properly done, must be properly classified, especially those related to offensive operations and plans in that area. And there is also a healthy respect for releasing so much information that it exposes vulnerabilities that our adversaries could take advantage of.
However, as has been said earlier, the vast majority of this information infrastructure, is owned and operated by the private sector. So the focus -- (inaudible) -- to CNCI was, if you will, to secure government systems. Why, given that the government relies upon cops and the private sector to support a two-commission-system operations, why the government earlier did not declassify more information is really not clear.
I want to make a couple more points, and I'll turn to the others. One is the commission really applauds the efforts of many agencies that despite the wishes of the White House came to speak with the commission. ODNI has -- Commissioner Hathaway and her team have worked with the commission. DOD, at a very senior level, has worked with the commission. FBI, at a very senior level, has worked with the commission. The National Counter-Intelligence Executive has worked with the commission. (Inaudible) -- of DHS have worked with the commission, not all. So I'm really at a loss as to why the White House couldn't release more information about what this says, because this was served on Tuesday.
This is really a good-news story.
It's bad news in the sense that we have some serious problems we need to deal with, but it's good news in the sense if the administration heat up the issue, put forward a plan, has asked you for money, is trying to put the programs in place. And why the White House wouldn't want to push that out sooner, so people can understand it, the consequences and ramifications. I'm at a loss of words, and I think the committee really needs to take it up with the White House directly, and I --- I leave it at that.
REP. LANGEVIN: Let me get to this before my time runs out. Just with, you know, the people that are being introduced as the --- first time particularly, can we just do a quick compare and contrast of what the CNCI looks like right now in terms of who is in charge, taking policy and budget authority, and then what the commission is proposing in its findings.
MR. : I think you're actually --- (inaudible) -- the CNCI doesn't really tackle the question of who's in charge. We have to call together this joint task force under the leadership of the DNI to do portfolio your management, if you will, to make sure, the right hand was talking to the left hand as much as possible, as far as getting the program up and out of the ground and try to get funding for it.
And if they don't really shoot to put someone in charge, although there has been the statement this week that DHS -- (inaudible) -- to be in charge of all aspects of and including intelligence community, I don't know if that's a cargo (ph) or whatever, but there is this joint task force.
When we move to what the commission is thinking about, it's the functionality of that task force. In other words the powerful and budget coordination issues that were moved to this White House into the --- along the lines of the USTR-like structure. Those functions would be performed in the White House, I want to be very clear. That does not mean that operational issues that agencies are currently responsible for right now, would migrate to the White House's realm.
What remains as an open question, within the commission, is what, if anything, is left at the Department of Homeland Security, given the nature of this now being a national security problem, which requires international coordination, you could argue that the emphasis should go more towards the traditional national security agencies and less towards the Department of Homeland Security.
But I don't want to prejudge ultimately where the commission will come down. You know, what do you do with the national communication systems within the Department of Homeland Security. What do you do with the national coordination center that was recently set up under the directive as well?
What do you do at the U.S. -- (inaudible)? Those are questions that we need to resolve in the closing months. And I don't really want to prejudge where the commission is going to come out because we're saying -- we're still debating that, but as I've said you know, as I think we're in general agreement with this, there's a lot of skepticism, not only ourselves, but the GAO about the ability of DHS to effectively perform those functions.
REP. LANGEVIN: Okay. Any one else care to comment? Okay. Well, thank you very much. I agree that having the Department of Homeland Security, not that -- I did appreciate the good work that the men and women in the Department of Homeland Security are doing.
They're very dedicated and patriotic and trying to do what's right for the country. But in an agency, I believe that is just -- it's just a new agency, it extends -- still struggling to get on its feet, how difficult it would be to take on this type of major initiative. And I think we do need obviously better coordination at the very top level of government in terms of setting policy and budget authority, and so I really appreciate the work that the commission is doing.
I believe that we're moving in the right direction on this issue. And just in closing, I will say that, you know, to the administration's credit, this is a major problem, very complex, and I -- it's my understanding that it really wasn't until the president realized how bad this was that he personally stepped in and said, fix this, do something. And that's why the cyber initiative was first launched.
So to their credit, they, you know, they tried to do something real quickly, but it needs to be much better brushed out, thought out, and that's what the work the commission is doing, so thank you again for your work, and with that I yield back.
REP. REYES: Thank you. Mr. Ruppersberger.
REP. DUTCH RUPPERSBERGER (D-MD): First of all, it's great to have good minds like you sitting on the panel, to hear your point of view -- Suzanne, good to see you.
And Congressman McCaul and Congressman Langevin, I thank you for your involvement. Now, this is a very serious issue, it's very complex. And when something is complex, sometimes you have to break it down to the most smallest equation or whatever.
And I think the issues that we're talking here today are very relevant and important; first thing, we need leadership, and clearly that leadership has to come with the president. If you need to get something done, you're going to have to have money also. And that's why I think that it is very important that the president has it in his budget, and work in conjunction with Congress to make sure that we do what we have to do.
But then if you want money, you have to justify it, and that's where we are at now. I'm looking forward to the report of the commission, the CSIS Commission. I'm glad that you've decided to put Congressmen Langevin and -- on the committee, and McCaul. And the unique thing about having Congressman Langevin is that he's on Intelligence and Homeland Security.
Now -- (inaudible) -- Congressman Langevin, but I think because the past history of Homeland Security, a lot of us don't have confidence. I just know, from my point of view on the intelligence committee and generally representing my district that the turf battles are not -- are serious there. You see FBI fighting with -- on terrorism with Homeland Security. That's got to be resolved and worked out, because failure is not an option in this issue.
So where -- the issues that I'd like to talk about in my short period of time, I think, personally, trying to develop a roadmap. And I think the commission will do that along with -- those of us who know what's going on. Leadership is important, organization is important, and strategy is.
But when you really look at where we are, what are the different roles. We are subject -- everybody in this country, because the Internet is open, anybody who has a server -- a bad guy, a hacker, another government, al Qaeda, whatever, can go in through a server and disrupt our banking system, our energy system, whatever they need to do. Now, the other countries aren't going to do that, because they have too much invested in this country.
So the question is what is going to be the role. I think, you know, anything we've put together. Who is going to be in the -- (inaudible) -- administration, and if they have to have a major role, because they're the best in what they do. We're going to talk about it -- a lot of what here was -- (inaudible) -- an integral part, and yet we also have to give a level of comfort to the public, because what happened with FISA, they're going to say it was -- (inaudible). So as far as the other issue -- the other issue is the involvement of the commercial sector. We have -- (inaudible) -- traditional sector. It's going to cost billions of dollars.
We've met with Microsoft, Verizon, AT&T, and they're willing to step up, but what is the system that's --. They said that in order to have this security, we might have to have a new network, a total new network, and major things that we'd have to work out. So the first thing I'd like to know is where do you think the authority and the oversight should be? I mean, talk about the president, let's get beyond the president, and you're advising the president, how would you set up this roadmap? And number two, how would we -- how can we justify paying this large amount of money? There's some -- (inaudible) -- we're going to have in the group.
MR. : Sure -- (inaudible) -- and then other people can jump in. Sir, what the commission has in mind is to establish a -- appoint a very senior leader within the executive office of the president that has a staff that is comprised of individuals who run the agencies, that would take in a great deal of the functionality that is currently being performed by the joint taskforces -- (inaudible) -- the CNCI.
So as the real programmatic and policy issues for cyberspace migrate into this new agency, we'll -- the interagency coordination would take place. This -- (inaudible) -- would not change the authorities in place for DOD, the intelligence community, law enforcement alike, would not affect the operational issues. However, there is a clear need to make sure that both the national security organizations and the civilian organizations -- civilian agency organizations are collaborating and sharing information about what's happening on their networks. That's a question we're trying to resolve. The other key issues here --
REP. RUPPERSBERGER: (Inaudible) -- we have problems in the intelligence community and -- (inaudible). And the word DNI has -- (inaudible) -- some problems. I know they've done a good job in connecting the agencies and maybe show that this communication and that we deal with the end game, that's to protect our country. Would you suggest that DNI take position as it runs the cyber?
MR. : I want to be careful in response, because when we say DNI, I presume it has implications in intelligence, and it's driven by intelligence and that's not what we're suggesting.
REP. RUPPERSBERGER: What you're suggesting is the role of someone who has the authority. The DNI has the authority to both CIA, NSA, all the agencies together and make sure they communicate. And I'm not talking about intelligence, I'm talking about a position like that without authority, a direct line with the president so that we get this together.
MR. : Yeah, definitely. It has the ability to provide the vision and leadership overall. I want to -- the question of funding has come up a couple of times, and I think we need to address that. It's -- I believe where the commission is standing right now is that the budget which still will be largely driven by OMB. In other words, they have to retain responsibilities meeting in the budget. But this new entity would engage with the Office of Management and Budget as budget planning goes forward in the outyears.
What would be removed from the Office of Management and Budget would be their oversight under the FISMA, the Federal Information Security Management Act, over IT systems. That would migrate into this new entity. So if you will, the Office of Management and Budget would have a more traditional role of looking at the budget and management issues, but they really have the role of looking over the security of information systems across the federal government.
Right now, Karen Evans, who does a tremendous job, has no staff -- next to no staff. It is silliness for OMB, to -- (inaudible) -- coordinate security across federal civilian agencies, when she has a staff of like -- (inaudible) -- people. That's got to change. This new entity would help bring that level of coordination and oversight into the White House so we have far more effective management across federal agencies. Nothing against Karen and her capabilities, it's just that the reality as it is today, it's not --
REP. RUPPERSBERGER: How about DISA involvement, right now, it's job is to protect --
MR. : DISA would still have its traditional responsibilities of the protection of DOD systems. And nobody would take that away. However, this entity would work very closely with DISA. DISA would report -- what their needs are as far as budget -- those policy issues that would be coordinated within the White House. This has been done in battling the scourge of drugs, this has been done in the case of terrorism, even prior to 9/11. The national coordinator for counter-terrorism in the -- under the -- (inaudible) -- had some level of input to the overall budget to make sure things were adequately funded.
REP. RUPPERSBERGER: Anyone else have comments? (Inaudible).
REP. REYES: Thank you, Mr. Ruppersberger. I -- we've got about 15 minutes, because we're going to need the room. So I will ask members to prepare if you want to ask an additional question. I wanted to get your opinion on the fact that in your preliminary finding, that a credible offensive capability is necessary to deter potential attackers. Almost all the current offensive information that we have on warfare capability is classified.
Should some of -- how much of that capability -- or may be is any of that capability necessary to be in the public domain? In other words, how do we notice potential attackers, whether they're nations or groups like al Qaeda or others, that there are going to be real consequences for trying to attack through cyber? Do you have any thoughts on that?
MR. KURTZ: I invite others to join. Yeah, I think it's very difficult for us to draw red lines in the space or lines in the sand when we have such critical issues in play over attribution. That being said, this shouldn't be seen as, you know, the gate is open, come, engage in cyber attack, and there won't be consequences. I just think that a great deal of thinking needs to be done with e-government, with very sooner we have the leadership involved. And there needs to be enough dialogue about what is happening in cyberspace, not only in the -- (inaudible) -- side, but the attack side, and ultimately some level of discussion with the American people as to what cyber war could potentially look like.
It is something different, and we all struggle with this, because it's easy to kick the tires in the physical space. You can see the aircraft carrier, you can see the planes, you can see the tanks, you can see the missiles. In cyberspace, it's not that way.
And how you describe that to people, who are not into the technology at all, is exceptionally difficult. And I think that the critical bridge is to try to build -- is to try to get some of the great minds that are out there who have thought about big national security issues in the -- (inaudible) -- in this debate.
I think our national security learned from the past. But as far as answering your question directly is, they're still not exactly where the red lines are, exceptionally difficult to do so until we come to better terms with the issues in attribution.
REP. REYES: Anybody else got any thoughts on that?
MR. : Yeah, I got -- I'd echo a little bit of what Paul said. Clearly our offensive capabilities and our, you know, force is the message that we probably do not want to disclose in any detailed way. But clearly as part of an overall doctrine and strategy in cyberspace, we need to consider, you know, what are the deterring factors and how do we package that for consumption on an international basis.
So that's where the entire intelligence community really needs to play a strong role in working that whole issue of cyber doctrine with the Department of Defense, or what the General Cartwrights were thinking about those kinds of things, but you got to start with what is the doctrine, what is the deterrent strategy and then what pieces of that do we want to make public as part of that deterrent strategy and what do we need to keep secret, because, you know, most of our offensive capabilities should be kept secret.
MS. : I'd like to also echo Paul's call to bring great minds together to work through these problems, not just the technical experts, or cyber security experts. I'd like to see some very thoughtful people give some more thought to how we apply the -- (inaudible) -- the laws of armed conflict to the context of cyber warfare. And whether we need to revise our craft, there's no Geneva Convention for cyber warfare or whether in fact we can simply come to a consensus about how our traditional, fundamental principles about protection of civilians et cetera apply in this context, and I think there's some value in establishing some international norms in this arena.
REP. REYES: Thank you.
Mr. Boswell.
Mr. Langevin, do you have any additional questions?
Well, if not, thank you -- I want to thank you on behalf of the committee for both being here this morning and providing some really important testimony, as we try to establish kind of a roadway for recommendations for the next administration. We are in the process, I think, of spending billions of dollars on an initiative that's very important, which is truly a 21st century issue for us.
And it's not just -- wouldn't just impact our national security, but potentially the security of our allies worldwide, and the protection of the -- of our capability that has now become kind of second nature, which is the Internet. And how it has tied in with virtually everything that we take for granted, from the ability of water and electricity, to our capability of utilizing everything from our nation's roads and highways to perhaps even counting on the GPS navigational system.
So it's very important. As you can see, we are extremely interested in taking the lead on this very important issue. And in that vein, I again want to thank you for being part of the commission that is -- I think, is going to be instrumental in helping us in Congress to plot our way forward on this, regardless of the results of the election of November 4th.
So thank you all, and in particular, I want to thank my colleague, Mr. Langevin, and also Mr. McCaul who worked with you on this commission. And as I said, we look forward to receiving your report and your recommendations.
And I just want to let you know that perhaps we will have you back once that -- we get an opportunity to look at that report, digest its recommendations, and probably in the 111th Congress, we'll get an opportunity to further look at conceptually, what the results of your report and recommendations working in concert with the next administration and also with the Congress, we can work together on.
So thank you all, and with that the hearing is adjourned.