Saturday, 27 June 2009

HEARING OF THE SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION OF THE HOUSE COMMITTEE ON SCIENCE AND TECHNOLOGY

26 June 2009
Federal News Service

REP. WU: This hearing will now come to order. (Strikes gavel.) Good afternoon. I'd like to welcome everyone to today's hearing on the cybersecurity activities of the National Institute of Standards and Technology and the Department of Homeland Security.

This is the third hearing the Science and Technology Committee has held on this very, very important issue. The prior hearings discussed the research and development needs for improved cybersecurity and federal agencies' responses to recommendations made in the Cyberspace Policy Review.

All of us, in both public and private sectors, rely on IT networks to manage a great many things, ranging from online bank accounts to the power grid. With this increased reliance on networks, we have become more sensitive to the security of these networks. To support cybersecurity efforts, the prior administration implemented an estimated $40 billion Comprehensive National Cybersecurity Initiative in January of 2008.

This year alone, DHS and NIST have requested over $500 million for their cybersecurity efforts, with an additional $340 million requested for research through the Networking and Information Technology Research Development Program. Even by government standards, almost $850 million is a fair amount of money.

Despite the substantial funding levels and many hours spent by federal employees on this issue, the assessment remains the same: Overall, our cybersecurity remains poor.

The administration's cybersecurity policy review emphasized the recommendations made in prior reports: first, bolster cybersecurity operations protecting the federal network systems; second, improve interagency and private sector coordination; third, modernize and coordinate the research agenda; and fourth, enhance public education on cybersecurity. This committee wants to understand the impediments that have prevented similar recommendations from being successfully implemented in the past.

I believe one key recommendation made in the cybersecurity -- the Cyberspace Policy Review is the need for objectives and metrics to accurately measure cybersecurity performance. The development of these metrics would provide a base from which we could improve program assessment, budgeting, research and development prioritization, and strategic planning. This recommendation mirrors the subcommittee's belief that agencies should be accountable for real-world outcomes, rather than outputs measured in terms of money spent, projects supported, and interagency meetings, which is how the agencies categorized their success at a subcommittee hearing last week.

As is generally the case, we have many recommendations, but the devil is in the details. I hope that in addition to making suggestions on this hearing's issues, our witnesses can tell us what is required to implement their recommendations.

I want to thank our witnesses for appearing before us today.

And now I'd like to recognize my friend and colleague Mr. Smith from Nebraska for his opening statement.

REPRESENTATIVE ADRIAN SMITH (R-NE): Thank you, Mr. Chairman, for calling the hearing today on cybersecurity, the third in a series of hearings held by the committee this month.

While the committee's jurisdiction on cybersecurity issues is generally limited to two agencies -- DHS and NIST -- because of their broad roles and responsibilities, the activities of both agencies directly impact not only the entire federal government but also many private sector computer security stakeholders. Accordingly, we have the benefit of being able to examine cybersecurity through a very broad lens and the opportunity to influence the debate on the government's actions in the most important and pressing policy areas.

To this end, I would like to briefly outline what I see as the key high-level outstanding questions which should drive the direction of cybersecurity policy for this committee and Congress as we do go forward.

First, as we explored last week with respect to protection of government networks, are we confident the reported $30 billion effort comprising the administration's Comprehensive National Cybersecurity Initiative, CNCI, is appropriately focused? And will DHS's centerpiece Einstein Program provide effective and lasting security?

If not, what are the best alternatives to this investment and focus area? And perhaps more importantly, how do we do a better job at measuring cybersecurity so we can more systematically evaluate technology and policy options and perhaps even fit in a hearing between votes?

But the largest outstanding questions, however, revolve around the nature of the relationship between the government and the private sector in efforts to secure non-government systems.

Stakeholders on all sides place a great deal of emphasis on strengthening public-private partnerships to secure critical infrastructure. But beyond the well established goals of improving information sharing and policy dialogue, the precise features of the desired partnerships as well as the scope of what constitutes critical infrastructure have remained largely undefined. Does this entail a new regulatory regime at DHS or NIST, new liability protections or incentives for private sector actors or some combination thereof? Are there other innovative partnership models which could be explored?

These are all weighty questions which will not be answered at this hearing or in the immediate future, but I believe they require the careful attention of Congress going forward, as we consider legislative options to improve network security.

I thank the chairman for assembling an excellent panel today.

Thank you for being here, and I look forward to the productive discussion.

REP. WU: Thank you, Mr. Smith. And as you all probably noticed from the bells, votes have been called. This will be a substantial series of votes. I want to apologize to the witnesses and all the participants here for the inconvenience, but I just want to note that these votes are called without consideration of any of the individual members and rarely of any individual committee.

But my -- what I intend to do is to proceed to introduce the witnesses.

And we may be able to get through the testimony of one or two witnesses before Mr. Smith and I and any other members who come here will have to leave to vote. And then we will recess this hearing until after the last vote, at which time we will reconvene and finish the testimony and proceed to questions.

And with that, it's my pleasure to introduce our witnesses.

Mr. Greg Wilshusen is the director of information security issues at the Government Accountability Office. Mr. Mark Bregman is the executive vice president and chief technology officer of Symantec Corporation. Mr. Scott Charney is the corporate vice president of Microsoft's Trustworthy Computer (sic: Computing) Group. And Mr. Jim Harper is the director of information policy studies at the Cato Institute.

You each will have five minutes for your spoken testimony.

Your written testimony will be included in the record in its entirety.

And when you complete all of your testimony, we will start with questions. And at that point, each member will have five minutes to ask questions.

Mr. Wilshusen, please proceed.

MR. WILSHUSEN: Okay. Chairman Wu, Ranking Member Smith, thank you for the opportunity to testify at today's hearing on the cybersecurity activities performed by the Department of Homeland Security and the National Institute of Standards and Technology.

Federal laws and policy have assigned important roles and responsibilities to DHS and NIST with securing computer systems and networks. DHS is charged with coordinating the protection of cybercritical infrastructures, much of which is owned by the private sector, and securing its own computer systems, while NIST is responsible for developing standards and guidelines for implementing security controls over computer systems and information.

Today, I will describe cybersecurity efforts at DHS and NIST, including partnership activities with the private sector, and the use of cybersecurity performance metrics in the federal government.

Over the past three years, GAO has consistently reported that DHS has yet to fully satisfy its key responsibilities, including those for coordinating and protection of cybercritical infrastructures and serving as the primary federal focal point for cybersecurity efforts.

While the department has achieved some successes, shortcomings exist in key areas, including bolstering cyber analysis and warning capabilities, improving the security of infrastructure control systems, strengthening its ability to help facilitate recovery from Internet disruptions, reducing organizational inefficiencies, completing actions identified during cyber exercises and securing internal information systems.

We have made about 90 recommendations to assist DHS in addressing these shortcomings. The department has implemented some of our recommendations, but still has not fully satisfied most of them, and thus needs to take further action to address these areas.

Pursuant to its responsibilities under the Federal Information Security Management Act, or FISMA, NIST has developed a suite of mandatory standards and guidelines that are intended to assist agencies in developing and implementing information security programs and in managing risk to agency operations and assets. In addition, NIST has worked with both public and private sector entities to enhance its cybersecurity products. The resulting guidance and tools provided by NIST serve as important resources that federal agencies can apply to their information security programs.

Mr. Chairman, as the old adage goes, what gets measured, gets done, and so it is with the security measures that agencies use to report on their progress implementing the requirements of FISMA.

According to the performance metrics established by the Office of Management and Budget, agencies generally reported increasing compliance in implementing key cybersecurity control activities. However, GAO and agency IGs continue to report significant weaknesses in controls. This dichotomy exists in part because the OMB-defined metrics generally measure whether or not a control activity has been implemented, not how well it has been implemented.

As a result, reported metrics may not provide a complete picture of the agency's cybersecurity posture. Providing information on the effectiveness of controls and processes could further enhance the usefulness of the data for management and oversight of agency information security programs.

In summary, Mr. Chairman, DHS has not fully satisfied its cybersecurity responsibilities and needs to take further actions to address shortcomings in several areas, including its efforts to coordinate with the private sector to ensure protection of our nation's cybercritical infrastructures.

NIST has developed a significant number of standards and guidelines for information security, and continues to assist organizations in implementing security controls. And while NIST's role is to develop guidance, it remains the responsibility of federal agencies to effectively implement and sustain security over their systems. Developing and using metrics that measure how well agencies implement important controls can contribute to increased focus on the effect of implementation of federal information security.

Mr. Chairman, this concludes my opening statement. And I'll be happy to answer questions at the appropriate time.

REP. WU: Thank you very much, Mr. Wilshusen.

And I think at this point, I am going to recess the hearing for both prudential reasons -- we have plenty of time to get to the floor -- but also I think that this is an important set of topics and I'd hate for any of the members of Congress or the staff to be watching the clock ticking down rather than paying attention to these very, very important topics. So at this point, we will adjourn until after the last vote. I'm sorry; we will recess until after the last vote in this series of votes. (Strikes gavel.) (Recess.)

REP. WU: This hearing will come back to order. I thank everyone for their forbearance.

Mr. Bregman, please proceed.

MR. BREGMAN: Chairman Wu, Ranking Member Smith, members of the committee, good afternoon. And thank you for the opportunity to testify today on cybersecurity efforts at NIST and DHS.

As a global information security leader, Symantec protects more people from online threats than anyone in the world by assuring the security, availability and integrity of their information. We're headquartered in California, the fourth-largest software company with operations in 40 countries. We employ over 18,000 people, including -- several of which are located in the chairman's district in Beaverton. And I want to thank you for your support there.

Symantec releases an annual Internet Security Threat Report, which is a comprehensive analysis of information security threat activity that analyzes network-based threats on consumers and business.

We compile the data via our global intelligence network, which consists of over 40,000 sensors monitoring computer activity in 180 countries. So, in short, if there's a class of threat on the Internet, we're aware of it.

This year's report found that while vulnerabilities continue to increase dramatically, the scope and size and sophistication of cyberattacks is also growing dramatically. They're becoming much more targeted and more dangerous to our nation's critical infrastructure and our economic security.

The most common type of attack during this period targeting our government's critical infrastructure was denial of service attacks, accounting for about half of the top 10 threats in 2008.

Denial of service attacks are a threat to government and critical infrastructure, since the purpose of such attacks is to disrupt the availability of high-profile websites and other network services and render them inaccessible to users and employees.

These kinds of attacks are often associated with political protests and were used to disrupt the Estonian government websites in 2007, as well as the Georgian government websites that were rendered inaccessible during the Georgia-Russia conflict in 2008.

But denial of service attacks are just one type of cyber threat that affects government and critical infrastructure. As the 60-day cyber review rightly points out, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century, and we applaud the president's commitment to take action on cybersecurity. We hope that the coordinator will be elevated within the White House to have the appropriate decision-making and budget authority that is necessary to set strategic direction for the nation, to empower our government agencies and private sector to do their mission in a coordinated and balanced way and take a more prominent role in international cyberpolicy.

Cybersecurity isn't a civilian or military problem or even a government problem; it's a universal problem. All networks -- military, government, civilian and commercial -- are based on the same computers, same networking hardware technology, same Internet protocols, many of the same software packages. We're all the target of the same attack tools and tactics. In addition, since most of the nation's critical IT infrastructure is in commercial hands, hackers consistently go after both military and civilian targets.

We all have the same security challenges, so solutions must be shared. I want to underscore today that cybersecurity is a shared government and private sector responsibility. We need transparent and accountable government processes as well as cutting-edge government cybersecurity programs to improve security for everybody.

So with that in mind, let me turn to what DHS and NIST's respective roles and responsibilities are or could be in cybersecurity.

We've seen a marked improvement in the Department of Homeland Security in their engagement with the private sector. Under the National Infrastructure Protective -- Protection Plan construct, DHS is the lead department for engaging the IT sector, and Symantec and other private stakeholders, through the Sector Coordinating Councils, have provided input to DHS on a number of Comprehensive National Cyber Initiative projects. We've been engaged with DHS on several other cyberpolicy initiatives, including resiliency, incentives, metrics, risk assessment, information sharing and cyber exercises.

There are a few areas in which we believe more can continue to be done by the department and private sector jointly, including establishing a front-line cyberdefense, seeking ways to defend against threats to the supply chain and taking cybersecurity to the next level through workforce education.

In cyberspace, we have a very rich base from the commercial sector. This is quite different from other historic government models for addressing front-line national defense, where there is -- where much of the solution comes from government or the defense industrial base. The U.S. government could benefit greatly if the private cybersecurity sector were brought in more consistently to assist in the development of cybersecurity solutions. One example that was mentioned earlier where more input from the private sector could be helpful to DHS would be in Project Einstein.

To date, the private sector has not been formally asked to participate in DHS's global supply chain initiative, despite the fact that much of the supply chain the government cares about is in the hands of private sector. If more information is not shared by the government on the threats or risks that government sees, then how can the private sector do more to protect against these threats and risks?

Symantec is a co-founder of SAFECODE, a nonprofit organization created for companies to share software assurance and supply chain best practices. We strongly urge the Department of Homeland Security, Department of Defense, NIST and other agencies to work closely with SAFECODE and its member companies to work collaboratively in addressing supply chain and software assurance.

DHS has also taken a lead role in education and awareness.

For example, it's a sponsor and active participant in the National Cyber Security Alliance and StaySafeOnline.gov. The purpose of NCSA is to educate consumers, K-12, higher education and small business on how to protect themselves and their data and cyber infrastructure.

DHS is also working with NCSA and other stakeholders to develop a plan for the development and retention of trained cybersecurity professional workforce within the government. And we certainly support these.

DHS has a role to play in the area of cybersecurity R&D. We believe that much of the work completed by the S&T directorate is very important, and that R&D determined to not be commercially viable should be funded by the government. We respectfully ask that the U.S. government engage with the private sector more on the R&D collectively to collaborate on common problems.

Given this committee's jurisdiction, I'd like to comment on NIST's mission in cybersecurity -- it's very important -- through the promotion of national standards.

In particular, the work NIST does with federal agencies, industry and academia to research, develop and deploy information security standards and technologies is critical. As these standards become more important, NIST's role and responsibility will continue to grow. And with that, we believe NIST's funding level is not adequate and should be increased.

NIST has played a leading role in the development of FISMA guidelines and Federal Information Processing Standards. And as Congress looks to reform FISMA, we'll look to NIST to -- for appropriate guidance and standards.

Symantec has worked closely with NIST on Common Criteria for several years, and we fully support Common Criteria because it offers many advantages, including international certification framework for products. As the lead technical standards organization for the federal government, NIST has a critical role to play in revising the protection profiles and improving Common Criteria, and we ask that NIST become an active member of NIAP again and would like to see them play an even more active role in other international consensus standard bodies and organizations.

NIST has contributed to raising the quality of federal information security by promoting operational norms and by helping agencies to find model security processes. Experience shows that federal standards aligned with established commercial practices generally succeed, whereas unique government-only standards such as the Government Open Systems Interconnection Profile have achieved poor results.

Whether rigid or flexible, standards must be appropriate for the activities being regulated. They must be mindful of the market drivers. Credible federal mandates must strike a balance between ideal and practical standards, including setting reasonable expectations for compliance in the huge base of installed federal systems.

NIST guidelines strike a balance between general rules of thumb for all agencies and local knowledge and expertise of on-the-ground federal officials. However, fixed, inflexible process standards can't easily accommodate these situations. So, in summary, the constantly changing cyberthreat landscape and its reliance on human activity coupled with rapidly changing technology makes it essential that security doctrine remains flexible.

I strongly recommend that NIST also engage with the private sector to include development of an independent supply chain verification process that will allow us to validate software integrity focusing more on how technology is developed and less on where it is developed globally. The near-term action plan within the president's cyber review requires establishment of cybersecurity performance metrics, and this is another area that's ripe with opportunity. And we believe NIST should be a key driver of this activity, working with the private sector and other agencies.

In addition to cybersecurity metrics, NIST should consider collaborating more with the private sector in other areas, such as cloud computing architecture and standards, SCAP and other data taxonomy standards, health IT and smart grid architecture with security standards built in from the beginning.

We also want to stress the importance of NIST working with private sector to ensure the agreed-upon standards, protocols and requirements are rolled out with reasonable time lines and milestones to meet realistic commercial product development road maps.

In conclusion, we believe both the Department of Homeland Security and NIST have done much to carry the cyber torch forward in many areas. However, there is much work still to be done and much more collaboration that needs to take place with the private sector.

We stand committed to working with the administration and Congress to improve cybersecurity.

I'd like to thank you, Chairman Wu, for allowing me the opportunity to testify before the members of this committee.

REP. WU: Thank you very much, Mr. Bregman.

Mr. Charney, please proceed.

MR. CHARNEY: Thank you. Chairman Wu, Ranking Member Smith, members of the subcommittee, thank you for the opportunity to appear today at this important hearing on cybersecurity. My name is Scott Charney. I'm the corporate vice president for Trustworthy Computing at Microsoft.

In cyberspace today, we are locked in an escalating and sometimes hidden conflict. Cyberthreats have grown in sophistication, expanding from opportunistic viruses and worms that were once disruptive and sometimes damaging to include very targeted, stealthy and persistent attacks. In the information age, any individual can engage in activities formerly limited to nation states. And any nation, regardless of traditional measures of power and sophistication, can gain economic and military advantage through cyber programs.

The lack of identity for hardware, software and people on the Internet also makes it difficult to determine the source of an attack.

Understanding the sources and motivations of attacks is essential to ensuring the appropriateness of response. Absent strong attribution abilities which balance security and privacy, international and national strategies to deter cyberattacks will not succeed.

Attribution can and must be a top priority to improve cyberspace security moving forward. The challenge for the government today is that it must balance dual and often interrelated roles to manage cyberthreats effectively. The government is responsible for protecting public safety and national security, and it is also responsible for managing a large IT infrastructure. I support the near-term action plan in the recently released White House 60-day review, and specifically the action to prepare an updated national strategy to secure the information and communications infrastructure.

Just as we need an updated national strategy to ensure the nation's cybersecurity, the government must also implement an effective model for managing its own cybersecurity. Such a model would include a centrally managed horizontal security function to provide a foundation of government-wide policy standards and oversight. And because each federal agency has its own mission, customers, partners and threats, there must also be vertical security functions resident in each agency to ensure that agency-specific missions are accomplished and agency-specific risks are managed appropriately.

Let's turn to the more specific roles for DHS and NIST. The hybrid model I just outlined could be applied more effectively to the federal enterprise. In this implementation, DHS and NIST would provide the horizontal, centrally managed cybersecurity functions, and individual agencies would have vertical functions to manage their unique risks.

Simply stated, the Department of Homeland Security should set security control policy articulating minimum cybersecurity baselines, goals and outcomes. DHS should also develop processes to exchange and foster implementation of best practices, so that agencies can more quickly achieve higher levels of security when necessary. NIST should create government-wide standards to help agencies meet the security control policy set by DHS.

To realize the value created by analyzing data horizontally, DHS and NIST must have the right data, they must analyze that data, and the data must drive action. This will require enhanced cybersecurity monitoring, audit and analytics to gain valuable insights on the real-time health of the federal enterprise and enable agile actions to mitigate and respond to incidents.

Agencies should continue to have the responsibility and the accountability for creating documented information security programs, assessing their risks, implementing effective management controls and responding to agency incidents. This is the vertical function in the hybrid model.

In conclusion, as long as threats evolve, so must our efforts to protect against them. Technology alone will not create the trust necessary to secure cyberspace. Technological innovation must be aligned with social, political, economic and IT forces to enable change. Microsoft helps drive and shape these forces with partners in the ecosystem to create a safer, more trusted Internet. The United States must similarly drive forward with a clear vision and holistic information-age strategies to combat threats to national and economic security and to public safety.

Thank you again, Chairman Wu, for providing me the opportunity to testify before the distinguished members of the Subcommittee on Technology and Innovation. I am happy to answer any questions you may have.

REP. WU: Thank you very much, Mr. Charney.

Mr. Harper, please proceed.

MR. HARPER: Thank you. Thank you very much, Chairman Wu, thank you, Ranking Member Smith, for having me here to testify on cybersecurity activities at DHS and NIST today. I welcome your oversight and your focus on results rather than outputs, such as dollars spent. This is very important work, but not very easy.

As I tried to illustrate in my written submission, talking about cybersecurity is like talking about securing all the things we prize. Cybersecurity is many different problems, and it would be a mistake to believe that a discrete number of activities or a discrete set of government policies could solve all of them.

I'm concerned that in the cybersecurity area there's a common practice of threat exaggeration, and that that could buffalo this Congress to adopt policies that are not balanced and that ultimately waste resources, frustrate innovation and threaten privacy and civil liberties. Yesterday, I came across an article in the Boston Review called "Cyber-Scare" on this very topic. And if it would please you, I'd be happy to submit it for the record.

I was pleased, by the way, also to see that my co-panelists and colleagues didn't engage in threat exaggeration here and spoke about cybersecurity seriously, without hyping threats.

I'd like to feature one cybersecurity policy that I think has been lost in some of the cyberterrorism, cyberwarfare cacophony, and that is the policy of keeping critical infrastructure off the public Internet. This policy's a proven success, but some policymakers, I believe, have ignored it, thinking that all resources should be on the public Internet or managed over the public Internet. So I encourage you and your colleagues to keep in mind the policy of keeping the true critical infrastructure off the net. That takes care of the lion's share of many security problems.

As I said, cybersecurity society-wide is many, many different problems. And I think your goal in Congress should not be to solve cybersecurity but to determine the systems, the social and legal systems that will best discover and propagate good security technology and practices. You might think of a hierarchy of legal mechanisms that Congress could consider for advancing that goal, starting with contracts, considering also toward liability and arriving last at prescriptive regulation.

Because the government is a large consumer of technology, it is well positioned to positively affect the cybersecurity ecology, and NIST standards are integral to that process. As a representative and worker at the Cato Institute, I'd like to see the federal government a smaller purchaser of things, but while it is a large market actor, its buying decisions can help the market for secure technology products advance. One way, obviously, is by setting high security standards in its purchasing.

A second is to consider pushing technology providers to accept the risk of loss when their products are not sufficiently secure.

There is a market failure in technology when insecure technology harms networks or harms other users. I wouldn't leap to regulating in these cases, though, especially because none of us know efficiently and effectively how to solve these problems. Nobody knows what a regulation would say.

For getting buyers and sellers of technology to internalize risks, I think liability should be the preferred mechanism. Liability is an open-ended process of discovery. As courts discover the legal doctrines that will help them prevent cyber harms, buyers and sellers of technology will have to discover the technologies and practices that prevent cyber harms. Concerns for me arise when the government steps out of its role as a market participant and becomes a market dominator, a regulator, a partner or investor with private sector entities.

Standards are difficult things, as you and my co-panelists know well. When done right, they are extraordinarily valuable, and that can't be overstated. But when done wrong, they can distort markets or threaten privacy and civil liberties. I briefly note in my written testimony a potential concern with a standard like FIPS 201.

And one of the witnesses in your earlier hearings mentioned that FIPS 201, an identity standard for federal employees and contractors, was becoming a national rather than a government standard. I work extensively on national ID issues, and I'm concerned with the idea of a single standard for identification throughout the country.

I'm suspicious of various public-private partnerships in the cybersecurity area and elsewhere. They can be valuable, and threat information-sharing is valuable, but they can also suppress competition, they can foster security monoculture and immunize responsible parties from liability and, as I mentioned before, threaten privacy and civil liberties.

I will conclude my remarks there and thank you again for having this hearing. You're looking at important issues in a careful way, and I appreciate that. Thank you again.

REP. WU: Thank you very much, Mr. Harper. And at this point, we'll open for our first round of questions. And the chair recognizes himself.

You each referred at least in part to cybersecurity performance metrics. And apparently we have not been as good at developing them as we should. What have been some of the impediments, and how can we be better off if we're better at developing them?

MR. WILSHUSEN: Well, I guess I'll start. One of the things about the metrics that have been developed at least by OMB for FISMA reporting purposes is that the metrics themselves probably served a useful purpose when they were first developed. This was several years ago. The ones that they have developed were primarily implementation-related metrics and determining whether or not a control has been activated and implemented.

When they were first developed several years ago, many of the federal agencies were not performing some very basic security controls. And so over the intervening years, as agencies increasingly performed these control activities, it's natural to start taking a look at these metrics and see, do we need to make them evolve as well?

Is there a need to continue to report whether or not agencies are implementing specific controls when they're all up in the 90-plus percentile of performing these controls over their systems?

So now it's important to look at, well, how well are these agencies implementing these controls and looking at different types of measures. We have an engagement that's ongoing right now looking at how leading organizations develop and use metrics in -- to gauge and monitor their information security activities. And we'll be issuing a report later on this summer about that particular topic. But one thing that we have noted previously is that it's probably time to start looking to see how well agencies and -- are actually implementing controls and the effectiveness of their control activities, rather than just the mere implementation of those specific control activities.

REP. WU: Several of you referred to having a unified standard or set of standards for the federal government. That is, we currently have a division between defense applications and civilian governmental applications. And I just wanted to confirm that that's a consensus view of the panel, that the division between DOD and NSA on the one hand and DHS and NIST on the other is maybe one rooted in jurisdiction but not rooted in utility or the sense of the field.

MR. CHARNEY: Yeah, I would agree with that. I mean, as the co-chair of the CSIS Commission on Cybersecurity, one of the things we noted was that there were historical reasons in the past why there was a clear delineation between the national security world and the civilian world, but to some extent in cybernetworks a lot of these things tend to merge together. And when you're trying to devise the best security practices, you want to take all of your great capabilities and knowledge and bring that together and have holistic programs in cybersecurity. So bringing them together is helpful.

REP. WU: And I'd like to walk that over a little bit further. Getting to the civilian nongovernmental sector, my understanding is that there are different cybersecurity standards for different fields, whether you're dealing with health care or banking.

And these have developed over time. Would there be a utility in developing consensus standards for cybersecurity for the civilian nongovernmental sector or -- and Mr. Harper may not like this -- or will that field de facto borrow what governmental standards exist? Or is it not possible to better develop cybersecurity standards for that field at this point in time?

MR. CHARNEY: No, I actually think it is possible. One of the things that we have done at Microsoft is we looked at the different regulations that impose certain security requirements on information systems. So you have things like Gramm-Leach-Bliley for financial data; you have PCI, which is the credit card standard for securing credit card data; you have HIPAA for health care data. It turns out most of these regulations actually promote the same concepts in terms of the framework, which is reasonable security controls based on traditional risk management principles.

So what we did is we looked at all those laws and then we mapped the controls that are necessary through an international standard. ISO Standard 27001, by the International Standards Organization, is a standard for controls around IT systems, and we've actually gotten ISO certification for our -- one of our largest properties and networks.

So I think the short answer is there's a lot of similarity in these regimes. Having a unified standard that people can map to is a good and healthy thing. And the other nice thing, of course, is as threats evolve, those standards can always be modified to address new environments.

REP. WU: Well, I see nodding heads there. I just want to ask one quick follow-up on this topic before I yield to Mr. Smith.

Would NIST and NIST's existing activities in the field be a logical place to begin working on consensus private sector standards?

Anyone on the panel.

MR. BREGMAN: Yeah. I think so, but I think it has to be done in collaboration with private sector.

REP. WU: Yes.

MR. BREGMAN: I think it's the logical place to bring together the various constituencies to coalesce the standards into an overarching set of security guidelines and standards.

REP. WU: Mr. Wilshusen, Mr. Charney, Mr. Harper, any comments on that?

MR. WILSHUSEN: No, I would also agree. And NIST does have a mechanism in place where they do coordinate and collaborate with like the International Standards Organization or ISO, rather. And the review would be a logical place to start.

MR. HARPER: I'll voice the concern that I think you anticipated from me. Federal developed standards should be available to the private sector and perhaps produced in collaboration with the private sector.

There is a touch of concern, though, that the federal government, as a large market actor, would drive standards into the marketplace that don't meet the needs on the other side of the security equation, which include privacy and anonymity and that kind of thing.

So standards are important. They're good. They're -- but it's not a given that all federal developed standards should be imported into the marketplace. They have to go through a different series of tests for private adoption, I think.

REP. WU: Yeah. What we're working on here is the divide between the public sector and the private sector. And NIST traditionally has played, if you will, a light leadership role in assisting the private sector to develop consensus bottom-up developed standards from players in particular arenas. At least, that is what I was asking about. And I take that to the answers of the other panelists.

Mr. Charney and then --

MR. CHARNEY: Yes, but like you just -- I think you're right.

It's one thing for NIST to develop standards for the government's own use, but to be clear, NIST also participates in international standards organizations with members of industry. So if you're looking at standards that would apply more broadly than the government, there are four that already exist to do that. The government and industry participate in that. So the mechanism is there to work it through that process.

REP. WU: Thank you very much.

Mr. Smith, you're recognized for five minutes.

REP. SMITH: Thank you, Mr. Chairman.

Mr. Harper suggested in his testimony that the critical infrastructure vulnerabilities should be addressed by physically separating such infrastructure from the public Internet, similar to the DOD network. What are -- what is your response to that, Mr. Charney and Mr. Bregman, Mr. Wilshusen?

MR. BREGMAN: I think it's impractical in many cases, because it's one thing in the realm of DOD or the intelligence community to operate in a separate environment, but in many cases, other parts of government have to interact with citizenry; they have to interact with the private sector in the course of their normal operations. And the challenge in cybersecurity is as soon as I connect my perhaps well defended, well defined network to someone else, I've opened myself up to vulnerabilities that may be present in the other components that I don't control.

And so there's a real risk in isolating government function in the attempt to achieve this security through isolation and becoming much less effective. So I think the real challenge is finding ways to develop security and secure the cyber infrastructure even in a world in which it isn't an isolated, totally controlled environment for the government.

REP. SMITH: Go ahead.

MR. CHARNEY: Yeah, I would echo those points. And if you think about some of the evolving models, like a smart grid, for example, where people's homes can communicate intelligent power consumption information to the power grid so that they can draw power at appropriate times or feed power back into the grid, I don't know how you do that by creating a power infrastructure that's isolated from all the citizens that need to connect to it.

I think the trend of these private critical infrastructures basically becoming Internet enabled is because of the huge business imperative in efficiency and cost drivers and other things that are really critical to the success of these new technologies.

MR. WILSHUSEN: And it's our experience, too, in the reviews that we've done at the Tennessee Valley Authority, where we looked at the control systems and the security over the control systems, that the -- it appears that the trend is to go to more IP-based type of systems to run these control systems. Now, while that is -- it really helps and serves additional benefit to the company and able to do -- to enable such control protocols, but it also raises the risk because the risk associated with running those IP-based systems can now expand to control systems.

So agencies need to make sure that they assess those risks and take the appropriate steps to secure against and mitigate those risks. But certainly the benefits and the trend seem to be going more towards going to an IP-based type of network and structure.

REP. SMITH: Mr. Harper?

MR. HARPER: I would anticipate these criticisms of what I said. And they're not -- they're not wrong; they're not unfair.

I would -- and the way I thought about it was that criticality should be a very, very tightly circumscribed adjective, and dealt with -- dealt with it a little bit in my written testimony, though I wouldn't call myself an expert. Criticality should be when there's an immediate and proximate danger to life and health from the loss of an asset. And that's under basically a definition that I've worked on; there's a lot of history behind it that didn't go into my testimony, which is why there's a lot of stuff out there that's referred to as critical infrastructure that I would not.

But if, again, something would immediately injure life and health and proximately -- so the example of an electrical grid going down, it would -- it could kill people in a hospital, for example, to lose electric power for an hour -- people who are on a heart-lung device, that kind of thing. Well, it's not proximate, because what you do for a likely risk like that is you put electrical infrastructure at the hospital that would take care of things when the -- when the broader infrastructure went down.

So again, these are -- these are fair comments. I think that critical infrastructure should be very tightly defined to a -- to a small universe of assets.

REP. SMITH: Okay, thank you.

And another one, we heard that liability is preferable to regulation as a tool for internalizing any market failures that exist in terms of private sector cybersecurity. I was wondering, Mr. Bregman and Mr. Charney, how do Symantec and Microsoft feel about this, if you could elaborate.

MR. CHARNEY: So, we have repeatedly said that you have to think about different ways to motivate the markets to do the right thing. And there are many ways to do that, everything from incentives to regulation and liability.

The biggest challenge in the software industry, I believe, is that software is extremely complex. And it's not entirely clear what the reasonable practice would be in developing security today and how you could apply them uniformly in the spectrum of people who make software. So it's not just about large companies. I mean, one of the great things about the Internet is that it creates this incredible innovative environment where people in their garage can develop software and distribute it around the globe. And this has led to a lot of great innovative technologies. And I don't know how they survive under a regime that's laden with a lot of up-front costs.

Having said that, I think there are better ways to get there.

One of the things that we have been active proponents of is reforming Common Criteria, which is the method by which the government evaluates products for security. And that affects purchasing acquisitions in the government. And I think if the government wants to drive better security practices, one of the ways to do that is to use Common Criteria reform and acquisition regulations to achieve that result. I think that drives a much more effective and efficient process. It also allows, you know, still a very innovative and low barrier to entry environment.

MR. BREGMAN: Yeah, I would echo Mr. Charney's remarks, but I'd add two other things. I think not only is software very complex, but any software that is delivered by a supplier becomes part of an even more complex, integrated solution. And in most cases where we have seen vulnerability at the system level, it's traceable to configuration that is outside of the core of any given product, but it's the interaction in the customer's environment or in the user's environment which opens up the vulnerabilities. That's something that's very hard to legislate liability around without putting tremendous constraints on what people are willing to supply.

This -- and related to that, I think -- and it was also echoing Mr. Charney's remarks -- liability as a way to control this will stifle a lot of the innovation which is what we need in order to get ahead of the threat. And so I would be fearful that if liability were to be the tool primarily used to improve security, we would actually see the opposite effect. There would be retrenchment on the part of suppliers and fear to try innovative new solutions.

REP. SMITH: Maybe I hear you saying you would not advocate liability in addition to regulation.

MR. BREGMAN: That's correct.

REP. SMITH: Mr. Wilshusen, can you elaborate on your findings on the impact of such things?

MR. WILSHUSEN: Yes, in a couple areas. One, regarding like the Common Criteria and the use of that, we did a review several years ago looking at the National Information Assurance Program, or NIAP, in which -- it's a program in which NIST and NSA at that time established certified laboratories to examine the security controls that were designed into these products.

One of the problems that we identified and challenges is -- was just the length of time that it took these laboratories to go through and evaluate the security of these products. In many cases, some of the vendors indicated that by the time it went through the process, the technology and the applications were already obsolete.

There were newer versions out there. So to implement that, we're going to need to have some sort of measure and mechanism that will allow speedy and a quicker response time to evaluate such products.

Another issue is just what the -- the risk involved or, actually, there's also another mechanism that government can use in addition to providing incentives; it's also through its procurement policy. You know, the government procures 60 (billion dollars), $70 billion worth of products a year. Using that ability and specifying the requirements that it needs or security requirements into the products that it requires can help maybe move markets into an area where they implement security or design security into the products more readily.

REP. SMITH: Thank you. Thank you, Mr. Chairman.

REP. WU: Thank you, Mr. Smith.

We have had a -- several different cybersecurity czars. And at least a couple of them have departed or resigned. Can the panel comment on whether there is a(n) integral problem to the way that we have tried to structure our cybersecurity program at the federal level?

MR. WILSHUSEN: I'll tread lightly here, but I think one of the issues that may be resulting -- and I guess going -- as we go forward with the new official that will be the cybersecurity official in the White House is -- one of the concerns is, what is going to be their authorities? And what control will they have over budgets and strategy? And what will be their levers of power to effect change?

And I don't know that -- (inaudible). And that will be just one of the challenges, I'll say, in trying to make sure that those conditions are established to where they can be productive in that role.

REP. WU: Well, Mr. Wilshusen, you are from the GAO. And you're supposed to give it to us unvarnished. What I'm hearing between the lines is that this is a difficult field with a lot of responsibility and perhaps not enough line authority in budget to accomplish the mission or the multiple missions.

MR. WILSHUSEN: It will depend upon what their role and responsibilities are; I would agree.

REP. WU: Mr. Bregman, do you have anything to add to this?

MR. BREGMAN: I would agree with that. I think appropriate decision-making and budget authority is going to be necessary, because a key part of the role is helping coordinate the strategic direction across the various parts of government and also coordinating better on an international front. One of the challenges is this is not a problem that occurs just within our own borders. It's borderless. And so better coordination globally is going to be an important part of this as well.

REP. WU: Thank you.

Several of you referred to the importance of public-private partnerships and coordinating with the private sector. What in our structure today is not creating the kinds of public-private partnerships that we need? And what kind of incentives should we try to build in?

MR. CHARNEY: You know, since the early '90s we've been talking about this public-private partnership. And it was really a reflection of the fact that the private sector designs, deploys and maintains about 90 percent of the critical infrastructure. And so government's in an interesting situation here. Unlike things like nuclear weapons, where they had both responsibility and control, here they have responsibility for public safety and national security, but they don't control the assets to be protected or maintained. And so the idea of a partnership is the right idea. I think it got off on the wrong foot.

In large part, early efforts at partnership were focused on information sharing. And there was a lot of discussion that industry and government should share information about threats and vulnerabilities. The problem is information sharing is not an objective; it's a tool. You share information so you can do something. Sharing information just for the sake of sharing information doesn't make any operational change that makes security better. So the first problem is the wrong focus, focus on sharing instead of action.

The second thing is that the government has been concerned for understandable reasons about not playing and picking favorites in the marketplace. So it often took the view that it has to share with everyone or no one. And of course, when you share with everyone, when you share a lot of information about vulnerabilities, threats and risks too broadly, you actually make the problem worse. And if you share with no one, then there's nothing. And so I think in addition to focusing on what information to share -- that is, how is this information actionable -- the next question is, who is it actionable by? And we have to share it with the organizations, people, companies, whatever, who can do something with the information specifically and not worry so much about sharing with everyone or no one, because that's not a productive model.

REP. WU: Mr. Charney, is one of your criticisms of the current advisory committees and coordinating committees that they are mechanisms for sharing information and that that becomes a goal rather than a tool for accomplishing mission objectives?

MR. CHARNEY: That is correct, although there has been effort in recent times to refocus on more operational security issues and share actionable information. But there was a long history of having the wrong focus.

REP. WU: Thank you.

I might have a couple more questions, but at this time I'm going to yield to my colleague Mr. Smith five minutes.

REP. SMITH: If Mr. Charney or others would still like to maybe elaborate on what exactly the partnership would look like -- I mean, I think he started down the -- down that track. But obviously, it can be difficult to define. I know that sometimes partnerships are overstated here on the Hill. But if you could elaborate?

MR. CHARNEY: Sure. I'd be delighted to. In addition to the mis-focus, I don't think the partnership ever had the right philosophical underpinning. Here's the way I see the problem: Markets actually do deliver some level of security. Customers demand it and markets deliver it. Governments need a level of security for public safety and national security that often exceeds what the market will provide. Markets are not designed to do national security. You cannot make a market case for the Cold War. And in those situations, the government steps in and does things.

It seems to me that the proper basis of a partnership is to figure out how much security you're going to get from the market through its natural proclivities and a little more, because companies do have a sense of corporate responsibility. They do care about public safety and national security, so they do a little more than the markets would require. Then you have to figure out what the government thinks it really needs.

And the key is filling the gap between what the market will provide and what the government sees as necessary. And then there are a lot of ways to fill that gap: acquisition regulations are an example, to drive the market in a particular direction; regulation; standardization. There are many ways to fill a gap -- tax incentives.

So the real key and I think the basis of the partnership is to focus on meeting the requirements that span between where markets are and what government wants and figures out the right way to incentivize the right behaviors so the products take you where you want to go.

REP. WU: Anyone else?

MR. HARPER: I'll briefly comment on it some more. I think the question of public-private partnerships -- I agree in large part with what Mr. Charney said, that partnerships formed up to share information as if that was the goal. The problem is goal setting and then asking what achieves that goal. And I think it has been the idea, well, let's have a public-private partnership. An area I have a relative amount of experience, homeland security issues -- everyone said data sharing, you know, connect the dots. And nobody knows exactly what that means. It's a -- it's a more difficult problem.

I would prefer to see the government play the role of partner that you see in security of houses and buildings in a given city. The primary responsibility is on the holder of private infrastructure to secure the house with locks on the windows and doors. And when something really goes wrong and there's criminal behavior afoot, the police are called, or if the police have information about what's afoot, they can contact the community. That's a public-private partnership that I think is a success.

But putting together programs to try to describe that don't really work. What works is when the government stays in its law enforcement and national security role for the most part and the private sector, for the most part, takes the role of securing its own infrastructure. That doesn't mean they can't work together, but I don't think the focus has to be on them working together to improve security. It works with them separate.

REP. SMITH: Thank you.

Mr. Bregman, relevant to Einstein and the program there and the software -- obviously, it was developed a number of years ago and the focus was on threats and intrusions. And perhaps that's not enough of a focus now. Would you concur with that?

MR. BREGMAN: Well, I think we see a very, very rapidly evolving threat landscape. And Einstein was developed with, you know, somewhat looking at the then-current threat landscape. And so given the long lead time and deployment lead time, it's not taking advantage of the best practice, best technologies that are currently available in the private sector. And an exact scenario where, again, private sector, working together with government to do a much better job of looking forward, anticipating things and being closer to the leading edge of protection, as opposed to looking backward at what the previous threat were -- threats were and then going through a rather cumbersome development process to deploy something which is inadequate when it's deployed.

REP. SMITH: Okay. Thank you.

REP. WU: Several of you have referred to the importance of setting goals rather than processes. And also I think there's been reference to having a more crisp strategic -- a strategy for cybersecurity. What are the components that we need to put together to develop a strategy or a means of accomplishing a clear set of goals?

MR. CHARNEY: It seems to me there are two separate issues.

And it comes back to a comment in my testimony about the government as a policy arm and the government as a large IT enterprise. So part of the goal of developing a comprehensive strategy is recognizing that the way cyberspace works today, there are some very interesting challenges about how you secure it and also respond to incidents.

I'll give you a somewhat classic example. There have been widespread reports in the media about attacks on U.S. Defense Department systems. There's a lot of interesting questions about what constitutes cyberwarfare. When can you shoot back? What's it mean to do collateral damage on the Internet? These are hard policy questions.

And it's even an interesting question of whether or not you want to respond in a cyber way or impose a trade sanction, you know, because cyberspace, of course, ties all our economies together, just like it ties all our systems together. And so the government has to think very holistically about diplomatic efforts, intelligence efforts, military efforts, economic efforts and law enforcement efforts and integrate them into a strategy and set norms, because right now around the world we now have norms on certain behaviors like proliferation of weapons of mass destruction or proliferation of nuclear material. We don't even have norms on what constitutes appropriate cyber conduct around the world. And as a result of that, countries internationally haven't developed the processes, procedures and strategies to deal with these issues, because the Internet is sovereign-agnostic, even though sovereignty is very much well and alive.

And so in a policy space, this is one of the reasons why the commission recommended the adviser has to be at the White House, and could not sit in any one agency, because thinking about this problem comprehensively means that the government has to think about all the tools in its arsenal and how to implement as one government.

On the IT infrastructure protection side, that's when you get into very specific controls, when you want security controls in place.

And I would echo the comments made earlier about the need to actually test the efficacy of those controls, make sure they're doing what you think they're doing and making sure they're always current. And as I said, there are international standards now, as well as regulations that require controls be put in place.

So to some extent, the more I think about some of these issues, we're reaching the point, at least in the network enterprise, where the philosophy is right and we're getting to the point of we need to execute well and we need to focus on execution. And that requires being rigorous about putting your policies in place; testing your controls; having audits done, whether they're internal, self-certifications or external, to make sure you're achieving your desired levels of security.

REP. WU: Well, I think we've surfaced a lot of concerns about the lack of -- the dearth of rules of the road for the Internet.

But Mr. Charney, your reference to accords about WMD and so on brings to mind that we've been able to work -- at least try to work on rules for warfare for, oh, 4,000 years at least. And the early versions of the Internet are, at most, 30 years old. And cyberspace probably is more like in the teens than anything else. So, in essence, we are here all together at the inception. And some of the decisions we make will have reverberations down the road.

Let me ask you a question about research. There is a set of challenges about identifying research priorities at DHS and commentary that this process should include private industry to a larger extent.

Can you give us your best analysis of the research that is currently being done at either NIST or DHS?

MR. BREGMAN: I think when we think about research in the cybersecurity space, there are several different objectives. There obviously is the primary objective of the research itself and the outcome of that research and with a goal, one would think, of ultimately impacting technologies and products which can be delivered and implemented. And so that's an area where linking the research activities with the industrial base is important, because to exploit them there's going to have to be some commercialization that takes place.

The other dimension of research is that research spending, research -- setting the research agenda is a very good way to stimulate alongside investment both by the private sector and sort of intellectual capital investment within the academic world.

And I think one of the things we need to improve our cybersecurity posture is a larger cadre of expertise at all levels, people who can be the next generation leading researchers, but also practitioners in government and in the private sector. And carefully aligning the research agenda with the interests of DHS, NIST and the private sector and using that to create interest within the academic community will draw more -- I think draw more students, more people into that area and that field and create a much larger community of expertise.

REP. WU: Mr. Wilshusen or anyone else, anyone to add to the research agenda strategy?

MR. WILSHUSEN: Well, we haven't -- right. We haven't looked at the -- in fact, we have -- we just received a request to look at research and development in cybersecurity that we -- a couple of weeks ago. And we're just starting a review of that within the federal government.

But about four years ago we did a review over cybersecurity research and development and looking at the (Nider ?) and the group that was responsible for coming up with a plan for conducting cybersecurity within the federal government. And we found that while there were some overall goals and objectives that were identified, there really wasn't a clear, concise plan on how to conduct and how to perform and fund which particular projects. And so making sure that there's a clear consideration of what the goals are and coming up with a plan to fund those projects I think will be important.

MR. HARPER: Chairman, if I may --

REP. WU: Yes, Mr. Harper.

MR. HARPER: It often falls to me to be the skunk at the garden party, and I enjoy it. Research that benefits --

REP. WU: Answers of all stripes are valued.

MR. HARPER: (Laughs.) Research that benefits industry really is subsidy. And I love to -- I want research done; I think everybody does. But research that's funded by industry goes, then, into the price of products and is paid for, then, by the users of the security technologies rather than taxpayers, many of which don't use the Internet and live perfectly good lives without it.

REP. WU: Mr. Charney?

MR. CHARNEY: Yes. I actually don't disagree. And earlier I said the philosophy of the partnership, it should be that the government doesn't do what the market's already delivering, but do something else. That's true in research, too.

So industry does a lot of research and we do research that we can monetize and commercialize. And there's other very hard research that we can't do, because there's no economic model that permits it.

Remember, the Internet was a government research effort which has revolutionized the world. It came out of DARPA. So I think it's really important that the government, as part of its strategy, do two things: one, invest in the research that actually advances the overall strategy that we've talked about to create a more secure environment, but also do the things that industry won't do.

And to be clear, Mr. Bregman's point about commercialization is not the same as financing industry research. The Internet, which was invented by the government, was then commercialized by the private sector because the government made it available. That's not exactly funding industry research. It's saying invest in things that will find a place in the commercial market so it gets widespread adoption so that everyone benefits from the research. But do research that won't otherwise happen and is consistent with your cybersecurity strategy.

REP. WU: Well, perhaps as an artifact of the committee that I sit on or -- it's a natural draw, but my bias is toward the direction that we underfund research rather than overpurchase research, compared to other immediately pressing needs. There is the tendency to address those pressing needs rather than something which is long term.

Something else which we underfund publicly is education.

Well, the market would probably not fund education properly. And along those lines, I think several of you mentioned the role that education -- consumer education, user education -- could play in improving cybersecurity at relatively low cost. Can you identify some things that we could be doing, either as a society or as a government to use that education tool more effectively to enhance cybersecurity?

MR. HARPER: Well, Mr. Chairman, you mentioned the fact that the cyber world that we're living in today is only maybe dozens of years old. And it's changing at a pace which is much more rapid than the generational shift. And I think there's a very important role in education -- in educating our citizens on how to behave and what are the norms and what the risks and what are the processes to use to protect oneself in the cyber world. And I think that it requires government to take the role particularly of coordinating that delivery of that education, because if it's delivered in a very fragmented way it's just confusing to the -- to the populace. So the programs that are in place today in CSA and others I think are good starting points for government collaborating with private sector to bring that education to the mass market, to the citizens.

MR. CHARNEY: And there are several federal programs which allow, for example, scholarship for service, in which the federal government offers scholarships and either repays student loans for graduates who have studied in cybersecurity and then decide to work for the federal government. So there are various different programs available now where there's -- like an education assistance program.

It can help bring those individuals with information security degrees into the federal workplace.

REP. WU: Thank you all very much. You have traveled a long ways, and this is a large, bedeviling set of topics. We've only had the opportunity to ask a few questions and not engage across the breadth and depth of this topic. If there -- if there are things that you would like to comment on or tell us at this point, I'd like to open this to all the witnesses. And we can just go from left to right or right to left so that those things that you might wake up tonight or tomorrow and say, gee, I wish I'd said that, this is your chance of laying it out in the record.

MR. WILSHUSEN: One thing I would just like to add related to the research and development question that came up earlier is that the results of these research and development activities should be made available, and particularly those funded by the federal government.

There's a requirement under the E-Government Act that these federally funded research -- particularly in cybersecurity -- be -- maintain the results of -- in repositories. We found several years ago that the results of many of the efforts were not being considered and implemented into these repositories, thereby making them unavailable for other researchers who might have benefited from the knowledge gained from those research efforts.

REP. WU: Thank you.

MR. BREGMAN: Well, I'd like to start by thanking the committee for taking on this task. I think as you -- as the chairman mentioned, it's a very complex problem and one that is changing very rapidly. And it's very important that this committee and other parts of the government focus on it.

I think there has been increased focus and we see improvement in the work we do with DHS and with NIST and with other parts of government. We need to continue that and accelerate that momentum if we're going to be able to really protect our nation in the face of this increasing cyberthreat.

Thank you.

REP. WU: Thank you.

MR. CHARNEY: Thank you. I do want to comment one further point about education, in particular. We have spent a lot of time educating consumers about some of the basic steps they can take to protect themselves on the network. And I think this is important to do and we will all continue to do it.

The challenge, it seems to me, is in part that IT technology is very opaque to users. My mother is 79 and found e-mail, bless her heart.

And when I talk to her about security issues, she really does not want to become a security IT professional. She remembers the day of the telephone where it just worked and if something went wrong the telephone company took care of it.

And I think to some extent we have to think about models that provide consumers a higher level of protection with less work. And I don't think we're going to get there unless we start thinking about some very hard problems, some of which I outlined in my testimony, about things like attribution. How does my mother know where her mail really came from or who really wrote the software that is being asked to be installed on her system? And what do we -- how do we think about the role of Internet Service Providers who are the choke points to the Internet and might be able to look at machines and clean infected machines?

There are a lot of difficult, challenging things we have to do. There are some very interesting models, if you think about WHO, the World Health Organization, and the way we deal with pandemics.

You know, they're called viruses and worms for a reason in the computer world, because they propagate in many of the same ways.

And we have to start thinking about other models that have worked and how we bring new protections to the Internet, because the ability to create malicious malware and propagate it worldwide at machine speed -- virtually at the speed of light -- is going to continue unabated. Human beings are not going to be able to react fast enough to respond to machine-based attacks. And so one of the areas for intense research and development and one of the things we have to think about is how we're going to protect people in this environment where things move that quickly and things change so rapidly.

REP. WU: Thank you very much, Mr. Charney.
