[Senate Hearing 111-724]
[From the U.S. Government Printing Office]
S. Hrg. 111-724
CYBER SECURITY--2009
=======================================================================
HEARINGS
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
of the
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
APRIL 28, 2009
CYBER SECURITY: DEVELOPING A NATIONAL STRATEGY
__________
SEPTEMBER 14, 2009
CYBER SECURITY: PROTECTING INDUSTRY AGAINST GROWING THREATS
__________
Available via http://www.gpoaccess.gov/congress/index.html
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
----------
U.S. GOVERNMENT PRINTING OFFICE
51-019 PDF WASHINGTON : 2010
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan
DANIEL K. AKAKA, Hawaii
THOMAS R. CARPER, Delaware
MARK PRYOR, Arkansas
MARY L. LANDRIEU, Louisiana
CLAIRE McCASKILL, Missouri
JON TESTER, Montana
ROLAND W. BURRIS, Illinois
MICHAEL F. BENNET, Colorado
SUSAN M. COLLINS, Maine
TOM COBURN, Oklahoma
JOHN McCAIN, Arizona
GEORGE V. VOINOVICH, Ohio
JOHN ENSIGN, Nevada
LINDSEY GRAHAM, South Carolina
ROBERT F. BENNETT, Utah
Michael L. Alexander, Staff Director
Deborah P. Parkinson, Professional Staff Member
Adam R. Sedgewick, Professional Staff Member
Brandon L. Milhorn, Minority Staff Director and Chief Counsel
Asha A. Mathew, Minority Senior Counsel
John K. Grant, Minority Counsel
Trina Driessnack Tyrer, Chief Clerk
Patricia R. Hogan, Publications Clerk and GPO Detailee
Laura W. Kilbride, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Lieberman............................................ 1, 35
Senator Collins.............................................. 3, 37
Senator Landrieu............................................. 21
Senator Burris............................................... 24
Senator Carper............................................... 27
Prepared statements:
Senator Lieberman...........................................71, 148
Senator Collins.............................................73, 151
WITNESSES
Thursday, April 28, 2009
Hon. Stewart A. Baker, Former Assistant Secretary of Homeland
Security....................................................... 5
James A. Lewis, Director and Senior Fellow, Technology and Public
Policy Program, Center for Strategic and International Studies. 7
Alan Paller, Director of Research, SANS Institute................ 10
Tom Kellermann, Vice President of Security Awareness, Core
Security Technologies.......................................... 14
Monday, September 14, 2009
Robert O. Carr, Chairman and Chief Executive Officer, Heartland
Payment Systems, Inc........................................... 39
William B. Nelson, President and Chief Executive Officer,
Financial Services Information Sharing and Analysis Center..... 42
Michael P. Merritt, Assistant Director, Office of Investigations,
U.S. Secret Service, U.S. Department of Homeland Security...... 47
Philip R. Reitinger, Deputy Under Secretary, National Protection
and Programs Directorate, U.S. Department of Homeland Security. 50
Alphabetical List of Witnesses
Baker, Hon. Stewart A.:
Testimony.................................................... 5
Prepared statement........................................... 75
Carr, Robert O.:
Testimony.................................................... 39
Prepared statement........................................... 153
Kellermann, Tom:
Testimony.................................................... 14
Prepared statement........................................... 100
Lewis, James A.:
Testimony.................................................... 7
Prepared statement........................................... 86
Merritt, Michael P.:
Testimony.................................................... 47
Prepared statement........................................... 174
Nelson, William B.:
Testimony.................................................... 42
Prepared statement........................................... 160
Paller, Alan:
Testimony.................................................... 10
Prepared statement........................................... 90
Reitinger, Philip R.:
Testimony.................................................... 50
Prepared statement........................................... 183
APPENDIX
RESPONSES TO POST-HEARING QUESTIONS FOR THE RECORD
Mr. Baker.................................................... 114
Mr. Lewis.................................................... 120
Mr. Paller................................................... 129
Mr. Kellermann............................................... 135
Mr. Reitinger................................................ 193
ADDITIONAL INFORMATION FOR THE RECORD
Josh Bourne, President, Coalition Against Domain Name Abuse
(CADNA), September 14, 2009, prepared statement................ 194
CYBER SECURITY: DEVELOPING A NATIONAL STRATEGY
----------
THURSDAY, APRIL 28, 2009
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:05 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman, Carper, Landrieu, Burris, and
Collins.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. Good morning. The hearing will come to
order. Thanks to the witnesses and others who are here.
The topic of this hearing is our national strategy for
cyber security. I am going to put my statement in the record
and just speak for a few moments.\1\
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Lieberman appears in the
Appendix on page 71.
---------------------------------------------------------------------------
It is a series of facts that brings the Committee here and
why we are grateful to a very distinguished and informed group
of witnesses for helping us.
The first fact is that America's cyberspace is constantly
under attack. The second is, the best that I can determine, our
defenses to those attacks are inadequate. The third fact is
that the Obama Administration, building on work done by the
Bush Administration, has just completed a 60-day review of our
cyber policy and structures, and we expect soon to see release
of that report.
The fourth fact is that the Department of Homeland Security
(DHS), which was created out of this Committee and over which
we maintain oversight and monitoring our responsibility, has
the unique authorities given to it under the statute with
regard to cyber security.
The fifth fact, may be a probability, I believe, as part of
the reaction to the report that Melissa Hathaway is doing for
President Obama, that we will be asked to consider, and should
consider, some legislative changes or authorizations regarding
the role of the Homeland Security Department in its
responsibility to protect critical parts of America's
cyberspace, particularly, the non-defense, governmental
cyberspace and to be the main point of coordination with the
private sector.
So this hearing is really an opportunity for us to learn
from the four of you at this quite significant, potentially
transformational moment in the history of America's
relationship to cyber warfare, really. I want to just briefly
develop a few of those realities.
First, it is very clear, if I can use a harsh word, but I
will use it because it is relevant, our enemies in cyberspace,
whether they are individual hackers, foreign governments,
business competitors, organized crime groups, or terrorists,
seem too often to be one step ahead of our efforts to deter
them, and that gap must be closed.
From 2003's SQL Slammer to the most recent Conficker worm,
thousands of worms, viruses, and so-called malware have
infected and disabled computers around the world and put
sensitive data at risk of loss, theft, or improper disclosure.
Privacy breaches are a regular occurrence with identity thefts,
stolen credit cards, or exposure of financial information.
Within the Federal Government, millions of dollars worth of
equipment has been lost and the personal information of
millions of veterans, as one example, compromised.
In a speech last week, Melissa Hathaway, who is the Acting
Senior Director for Cyberspace for both the National and
Homeland Security Councils, told of an incident in which 130
automatic teller machines (ATMs), in 49 cities around the
world, were illicitly emptied by cyber theft over a single 30-
minute period. I mean, that is a stunning reality.
The Wall Street Journal reported last week that operational
information for the Joint Strike Fighter, our advanced,
stealth-capable, tactical air fighter was breached making it
easier for enemies to defend against it if not to steal some of
the highly classified systems within it.
We know that there are severe vulnerabilities in our
electricity grid and that foreign governments seeking to map
our infrastructures have intruded into our electricity systems
on a very large scale.
So there is all too much evidence that our cyber
infrastructure is insecure and, unfortunately, there is a lot
of evidence that our security capabilities are inadequate to
the challenge. GAO and various inspectors general have been
repeatedly reporting on these weaknesses. Last December, the
Center for Strategic and International Studies (CSIS) issued a
report listing a vulnerability of cyber networks as one of our
Nation's major security vulnerabilities, risks.
Let me focus just for a moment, for the record, on the
Department of Homeland Security.
The cyber security authorities of the Department of
Homeland Security are not just general under the rubric of
Homeland Security, but they are clearly outlined in statute and
presidential directives. Title 2 of the Homeland Security Act
directs DHS to lead critical infrastructure protection efforts,
which by definition includes cyber security. Critical
infrastructure was defined in that act as ``systems and assets,
whether physical or virtual, so vital to the United States that
the capacity or destruction of such systems and assets would
have a debilitating effect on security, national economic
security, national public health or safety, or any combination
of these matters.''
In 2003, President Bush released a national strategy to
secure cyberspace, which stated that the Department of Homeland
Security would be ``the focal point for the Federal Government
to manage cyber security.'' Later that year, the White House
issued Homeland Security Presidential Directive 7 (HSPD-7) to
implement the critical infrastructure responsibilities laid out
in the Homeland Security Act. HSPD-7 reinforced the leadership
role of the Department of Homeland Security on cyber security,
stating, ``The Secretary of Homeland Security will continue to
maintain an organization to serve as a focal point for the
security of cyberspace.''
In 2008, President Bush issued Homeland Security
Presidential Directive 23 (HSPD-23) to implement the
Comprehensive National Cyber Security Initiative, which focused
on the protection of Federal networks. The exact language used
in HSPD-23 is classified. However, I can say that the directive
affirmed that the Department of Homeland Security serves as the
lead Federal agency for the protection of Federal civilian
networks, that is to say all unclassified networks, and for
coordinating private sector cyber security efforts.
So as we come to this transitional point, we on this
Committee feel strongly that the Department of Homeland
Security has, under statute and presidential directive, a
central and critically important role to play. And this
Committee, in a sense, is here to ask you how you think DHS has
carried out that responsibility--I know you will testify and
much else--and also what we can do to help DHS do the better
job that we all acknowledge we needed to do.
Thank you very much for being here. Senator Collins.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you, Mr. Chairman.
The information and communication networks that we refer to
as cyberspace have become critical to our economy, our national
defense, and our homeland security. Yet, every week, we learn
of more threats to our cyber infrastructure. The specter of our
adversaries disrupting our telecommunications systems, shutting
down our electric power, or freezing our financial markets is
no longer the stuff of science fiction; rather, it is a very
real possibility as thousands of cyber attacks are launched
every day.
For example, intelligence officials tell us that China and
Russia have attempted to map the American electrical grid and
have left behind software that could be activated later perhaps
to disrupt or destroy components. The Washington Post has
reported that hackers broke into the Pentagon's Joint Strike
Fighter project and stole information. And last year, as the
Chairman alluded to, cyber thieves secretly implanted circuitry
into keypads sold to British supermarkets, which were then used
to steal account information and personal identification
numbers. As these numerous intrusions demonstrate, the cyber
security threat is real, dangerous, and accelerating.
Today, this Committee will examine the practical issues of
how the Federal Government should best be organized to counter
this threat. An effective response to cyber threats will
require coordination among law enforcement, intelligence
agencies, and private owners of critical infrastructure. The
Department of Homeland Security is the crucial nexus of these
realms.
Bringing together these three worlds is precisely the
reason that Congress created DHS following the terrorist
attacks of September 11, 2001. The Comprehensive National Cyber
Security Initiative, started last January--and the Chairman
referred to it--recognized the value of the Department's unique
perspective by placing the National Cyber Security Center at
DHS and charging the Department with the responsibility for
advancing coordination and consultation among the many Federal
entities with cyber security missions. And following up on this
directive, last year, Senator Lieberman and I introduced a
homeland security reauthorization bill that included cyber
security provisions that would have increased the
responsibilities of the center at DHS.
We also need to determine what specific authorities are
necessary for DHS to undertake the mission of better securing
Federal networks and our Nation's critical cyber infrastructure
as the Department works with but does not supplant the
important roles played by the Department of Defense, the
intelligence community, Federal law enforcement officials, and
other agencies.
These authorities must allow DHS to address many of the
most pressing cyber security issues, including how do you share
critical infrastructure on threats and vulnerabilities,
particularly with the private sector, since 85 percent of
critical infrastructure is privately owned?
How do you encourage the adoption of best practices and
standards not only across government but throughout our
Nation's critical infrastructure?
How do we best generate a strategy that deters terrorists
and hostile nation states from executing cyber attacks that
potentially could devastate our critical infrastructure?
How do we best go after cyber criminals, not necessarily
from other countries, but within our own country? Sometimes
that part is overlooked as we discuss the threat.
How do we secure the supply chain to ensure that systems we
purchase are free from malicious code?
And how do we best establish standards and performance
metrics that can guide government procurement to encourage
manufacturers to incorporate better security into their
products for the benefit of both government and the public at
large?
Finally, as we consider the reorganization of cyber
security activities, I would note that this new Administration
has shown a tendency to appoint special assistants and czars
within the White House for virtually every important issue that
we are confronting. While I understand the need to shine a
spotlight on critical problems, the creation of numerous czars
or special assistants usually leads to conflict, turf battles,
and confusing lines of authority.
Moreover, Congress' ability to effectively oversee
activities directed from the Executive Office of the President
is severely limited. Typically, we cannot call upon those in
the White House to come testify before us, and their budget
requests are presented with very limited details. So the issue
of reorganization of cyber security efforts necessarily
involves the discussion of accountability and oversight by
Congress as well. On an issue as pressing and as complex as
cyber security, congressional oversight is critical to making
real progress.
I look forward to exploring these issues with our witnesses
today.
Mr. Chairman, you have assembled the top experts, and it is
a pleasure to welcome back to the Committee, of course, Mr.
Baker, who has been here many times. Thank you for holding this
important hearing.
Chairman Lieberman. Thanks, Senator Collins. And thanks for
the very thoughtful statement. I appreciate it.
Stewart Baker, good to see you again. Welcome back. You
graduated from line authority to elder statesman, at an early
age.
STATEMENT OF HON. STEWART A. BAKER,\1\ FORMER ASSISTANT
SECRETARY OF HOMELAND SECURITY
Mr. Baker. It is a pleasure to be home again. Thank you,
Chairman Lieberman and Ranking Member Collins. It is also a
pleasure to have graduated from DHS. I served on a commission
once, and one of the old hands of the commission said, ``Yes,
they have brought back all the people who could not do the job
to tell us why we should do the things they could not do.'' And
in that spirit, I would like to talk a little bit about the
cyberspace crisis that we face and what DHS should do about it.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Baker appears in the Appendix on
page 75.
---------------------------------------------------------------------------
You both have laid out the problem quite eloquently, and I
will not try to repeat that. I would like to explain why I
think this problem persists and continues to grow worse. And I
will use an example that I have laid out in my testimony.
There was a fellow named Howard Crank, a Vietnam vet
suffering from diabetes. At home, he got an Internet
connection, and the world opened up to him. He could interact
with the world. It was a wonderful thing for him, until,
essentially, scam artists found him and induced him to mortgage
his house twice, to max out his credit cards and to go into
bankruptcy trying to recover the lottery proceeds he was told
he had won.
Right up until that moment, I think he would have said the
Internet had done a great thing for him, but interacting with
the world, and having the world interact with him, turned out
to be a disaster because not all of the world intended him
well.
We are all in that position. We are all getting benefits
today from hooking up to the Internet, from using Internet
protocols. They are making our lives easier and they are making
the delivery of services and goods cheaper. And yet, every time
we hook up to the Internet and expand the reach of those
networks to other parts of our lives, we are creating greater
risks. And, at some point the ice could give way and we could
be dropped into the lake and lose everything.
That is the greatest concern, but today we are not seeing
any obvious harm to our networks or to our way of life, and
that is what has led us to ignore the problem or to minimize
the problem.
I think it is a tribute to both this Administration and to
the last that we are finally beginning to look at the ways in
which we can address this problem more seriously, and I would
also like to give credit to Jim Lewis for the Center for
Strategic and International Studies report which I think very
profoundly raised all of the issues that have to be addressed
if we are going to successfully defend ourselves in cyberspace.
That raises, then, as Senator Lieberman and Senator Collins
both suggested, the question of how to organize ourselves to
defend cyberspace. And here, I would like to draw on my
experience. I realized as I was preparing for this hearing,
that I have helped to start two of the last three cabinet
departments created in the Federal Government. And I have
served on a commission that recommended extensive
organizational changes in the Federal Government.
If I had to do it over again, I am not sure I would do any
of that. That's because there is a predictable pattern in the
reorganization of government. You start with a failure. You
say, this is not working. We should create another organization
to solve the problem. And that organization, since you have
just dreamed it up, does not have any flaws at all. It will do
everything you want done, and much better than the obviously
failed institution that you are looking at today.
When comparing an existing institution, where we have real
failures, to an imaginary institution that has no flaws, the
imaginary institution always looks better. Then, of course,
once you actually try to start the imaginary organization, the
imaginary organization discovers that it does not have a
budget, it does not have staff, it does not have an executive
secretary, it does not have a human relations department to
begin hiring people. And pretty soon, that new institution is
deep into a cycle of failure of its own, which then leads
people to say, well, that is a failure. We should reorganize.
Maybe we should have this new imaginary organization to do the
job of the last imaginary organization.
I say that because I fear that the one recommendation of
the CSIS report that I disagree with most strongly is the one
that says, DHS is not doing everything it should. Consequently,
we should dream up a new organization, a national cyberspace
office that will perform all of the functions that DHS should
be performing perfectly and is not performing perfectly.
That recourse to an imaginary organization, in my view, is
precisely the problem with the CSIS report. We would be much
better, in my view, fixing DHS, which, of course, was given
many of these authorities when it was an imaginary organization
and now is deep into the second cycle, where people find that
it is not doing the job perfectly. We would be much better off
building DHS's capability, something that has just begun, I
think, seriously for the first time in the last year or two.
DHS has now launched on the job of building a genuinely
strong cyber security office that can provide guidance across
the government, provide services and detailed capabilities to
the President. If they are given the opportunity to do that,
they will succeed. If they are kicked aside because they cannot
perform and have not performed every job that they have been
given in the last 5 years, I think that we will be making the
mistake that we made with other organizations where we have
said, since we do not have a perfect job being done by the
existing agencies, let's make up a new agency, and hand them
the responsibility.
I do not think we want to be in a position 2 years from now
looking at a new organization that has been created to carry
out this mission in the Executive Office of the President and
say, ``Well, gee, they have just hired their staff. They have
just begun to organize their budget. They have just determined
who their executive secretary should be. And, so for 2 years,
we have been treading water and there have been a lot of
failures since then.'' That is a recipe for treading water and
not for making improvements.
I think we would be better off if we took the capabilities
that DHS has and funded them, provided the resources and the
staff that DHS needs, and let DHS carry out its
responsibilities under guidance from a very strong National
Security Council that can provide the muscle in the interagency
that is necessary to actually achieve coordination across the
government.
Very briefly, I will also talk about the question of
regulation. I think it is clear that some form of regulation is
necessary in this area. No private sector agency can be
expected to fend off State actors who are bent on infiltrating
its network. We do not expect Bank of America to fight our wars
for us, and if the bank finds itself on the front lines of a
war, we should be providing assistance to them at the Federal
level.
In fact, there is regulatory authority in many of these
areas. The Gramm-Leach-Bliley Act requires the financial
regulators to have substantial authorities over cyber security.
The Federal Communications Commission (FCC) has provided, and
certainly has substantial authority over, cyber security
standards if they choose to use all of their authority. The
Federal Energy Regulatory Commission (FERC) has some authority.
What is probably missing is some coordination and what I would
describe as nimbleness in responding to new threats. And that I
think is something that DHS can do if it is given clear
authority and clear--not authority; they have the authority.
They need a mandate from the Administration, from the
President, and perhaps from this Committee.
Thank you very much.
Chairman Lieberman. Thanks, Mr. Baker. That was very
interesting testimony, very helpful, and has a certain healthy
degree of skepticism that comes with having had considerable
governmental experience. It is a longer view, but it is one
that is very valuable to us.
Next, we are going to hear from the previously mentioned
and saluted James Lewis, Director and Senior Fellow, Technology
and Public Policy Program at the Center for Strategic and
International Studies, which did the report to which both Mr.
Baker and I referred. Thanks for being here.
STATEMENT OF JAMES A. LEWIS,\1\ DIRECTOR AND SENIOR FELLOW,
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND
INTERNATIONAL STUDIES
Mr. Lewis. Thanks very much. And I thank the Committee for
the opportunity to testify. And also, I applaud your efforts to
try and deal with the new security challenges we face. I am so
glad to be here.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Lewis appears in the Appendix on
page 86.
---------------------------------------------------------------------------
To summarize the state of cyber security, our networks are
vulnerable, our opponents are inventive and energetic, and we
are disorganized. Many people have worked hard in recent years,
but the United States is late and we are not doing enough.
As a Nation, we have been slow to realize how important
cyberspace has become for economic and national security, and,
therefore, slow to give it the priority it requires. The United
States is being dragged down by weak cyber security, losing its
edge in commerce, innovation, and defense. The problems we
face, espionage, crime, and risk to critical infrastructure,
will never go away, but they can be reduced by coordinated
government action. Put bluntly, we need a comprehensive
strategy and somebody in charge of it.
To date, the United States has been unable to produce
either leadership or a strategy. The 1998 Presidential
Directive 63 still shapes policy, but it was overly fond of
czars. The 2003 national strategy to secure cyberspace was
neutered by ideology and internal conflict. The 2008
Comprehensive National Cyber Security Initiative (CNCI) has
some valuable elements, but it was not comprehensive. It was
also hobbled by infighting, and it came far too late.
So in 2008, CSIS, as you have heard, put out a report that
recommended a comprehensive national approach. We called for
the creation of a strong White House cyber advisor with clear
authorities and a comprehensive national strategy that would
use all the tools of U.S. power, international engagement,
military activity, economic policy and regulation. Our report
contained other important recommendations that I am sure some
of my fellow witnesses will mention, including the need for
increased education, modernization of outdated laws and other
activities.
While policy must be led from the White House, agencies
must carry out implementation and operation activities.
Operational responsibility for cyber security falls on three
agencies: The National Security Agency (NSA), the Federal
Bureau of Investigation (FBI) and DHS. The previous
Administration assigned DHS the lead role for cyber security,
but this was beyond its competencies. DHS is not the agency to
lead intelligence, military, diplomatic, or law enforcement
efforts. This does not mean that DHS does not have an important
role, and it is time for that agency to begin to perform it.
DHS is responsible for protecting critical infrastructure
and for securing the civilian government networks. It is
beginning to build the capabilities needed to carry out these
missions, but this will require sustained investment in
facilities, technology, and DHS's cyber workforce.
To date, cyber security at DHS does not have the resources
it needs. DHS needs better technologies to secure civilian and
government networks. The CNCI had a program named Einstein.
Einstein is inadequate, whether it is Einstein 1, 2, or 3. Who
knows? Maybe 4 will work. The real question is whether there is
a way for DHS to work with NSA to secure all government
networks. This is, of course, a sensitive topic. NSA has the
capabilities. DHS has the responsibility. But there are
compelling constitutional reasons for restricting NSA's role.
However, it would be a serious error not to take advantage of
NSA at a time when our government networks are under sustained
and successful attack.
DHS might also want to reconsider some reorganization
within the National Cyber Security Division (NCSD). Perhaps a
first step would be to merge the U.S. Computer Emergency
Readiness Team (US-CERT) and the national communications
systems and its component into a single entity inside of NCSD.
DHS's cyber functions are part of its National Protection
and Programs Directorate (NPPD). This directorate needs better
plans to merge physical infrastructure and cyber infrastructure
protection. The National Infrastructure Protection Plan is more
like a dictionary than a plan. DHS needs short implementable
plans on how to protect critical infrastructure and assure the
delivery of critical services in the face of cyber attack.
As part of its critical infrastructure responsibilities,
DHS is the Federal interface with critical infrastructure
owners and operators. This is an important role, but the
current partnerships are inadequate, and DHS might want to look
at the Department of Defense (DOD) Defense Industrial Base
Initiative as a model for partnership and information sharing.
DHS must be part of the larger regulatory effort to improve
cyber security. To date, the United States has relied on market
forces and voluntary action. But to quote the former chairman
of the Securities and Exchange Commission, ``The last 6 months
have made it abundantly clear that voluntary regulation does
not work.'' Much of the opposition to regulation involves the
replay of warmed-over dot-com ideology and a strong desire by
the private sector to escape liability. I am very sympathetic
to that.
As with any complex issue, there is no black or white
answer. Too much regulation will damage the economy. Too little
regulation will damage the economy and also harm national
security. We need to find a middle course that balances
commercial and national security interests. A new Federal
approach to cyber security must elicit action from the private
sector that it will not otherwise perform.
DHS does not have the regulatory authority for most
critical infrastructure when it comes to cyberspace. One thing
to consider is whether to give DHS new and expansive
authorities or whether to use existing authorities with current
regulatory agencies, like the FCC, FERC, Nuclear Regulatory
Commission (NRC), Federal Deposit Insurance Corporation (FDIC),
and there are many others.
The Administration has recently concluded a 60-day review
of cyber security policy. This was a spectacular effort. Most
of us did not think they would be able to finish on time. And
while few public details have been released, it appears that
the White House will play a greater role in organizing and
leading cyber security policy. There will be greater attention
to international engagement and to relations with the private
sector, and there will be closer coordination among agencies.
My hope is that the 60-day review leads to a strong White
House cyber advisor with clear authority to set policy and
guide budgets. More fumbling among agencies will only lead to
disaster. But with so many different equities involved in cyber
security, we face gridlock. There is a regrettable debate over
how much authority the White House cyber advisor should have
over policy and how strenuously the United States should
protect its cyber networks. There is a trade off, some say,
between security and innovation. I say this debate is
regrettable because our opponents are not waiting 60 days to
attack us.
The United States is in a very unfortunate situation. We
have made better use of cyberspace than our competitors, and
this has provided real economic benefits. Our reliance on
cyberspace holds the potential for innovation and future
growth. However, the combination of greater reliance and
inadequate attention to security has left us more vulnerable
than our opponents. If we cannot change this, the power and
influence of the United States will shrink, and our prosperity
and security will be damaged. Congress and the Executive Branch
have the opportunity to avert this damage if we can act
decisively.
I thank you for the opportunity to testify. I will be happy
to take your questions. Let me say, it was more fun to testify
against Mr. Baker when he was in the government because he was
a little more constrained, but I welcome the opportunity to
take your questions.
Chairman Lieberman. Thank you.
Well, we like Mr. Baker in both roles. He is more
unpredictable in this one. Both of you, though, have portrayed
a crisis, which this is. And the question is what we can do
together about it. Thanks for your testimony.
Next, we are going to hear from Alan Paller, Director of
Research at the SANS Institute.
Thanks so very much for being here.
STATEMENT OF ALAN PALLER,\1\ DIRECTOR OF RESEARCH, SANS
INSTITUTE
Mr. Paller. Good morning, Senator Lieberman, Senator
Collins, Senator Carper, and Senator Landrieu. Your taking on
this issue is really impressive. It is a complex issue. The
language is arcane. It is just a pain.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Paller appears in the Appendix on
page 90.
---------------------------------------------------------------------------
It turns out that you in your opening statement talked
about what is really the central problem, which is that there
is a gap between the attackers and our defenses. What is
problematic is that the gap is growing at an increasing rate.
So all this discussion is important, but we are falling behind
at an increasing rate.
Let me give you just one simple example. There is a young
man named Tan Dailin, who is a graduate student at Sichuan
University. In 2005, the People's Liberation Army (PLA) noticed
he was hacking into a computer in Japan, so they picked him up
and said, wouldn't you like to be a contestant in our annual
competition for who the best hackers are in Chengdu province?
That is a southwest province of China.
He entered the competition. His team actually won 10,000
Renminbi. They put him through a 30-day, 16-hour-a-day
workshop, where he learned to develop really high-end attacks
and tuned his skills. And then they put him in competition with
teams from all of the rest of the military sub-units in the
Southwest China, and his team won that. They won 20,000
Renminbi. He was famous and important.
He set up a little company. No one is exactly sure where
all the money came from. But that company created the hacks
that were found inside--this was September 2005 when he won it.
By December, he was found well inside DOD computers. The summer
of 2006 was a particularly bad summer for the United States
because there were a lot of what are called zero-day attacks,
which are attacks that happened using vulnerabilities that the
vendor has not patched yet. So there is no defense. And his
team was found to have been the team that built six of those 30
or so zero-day vulnerabilities.
What I am trying to say is that other nations are investing
heavily in creating massive new technologies, and our defenses
are childlike. What we have done under the Federal Information
Security Management Act (FISMA) regulations is just
embarrassing. And the result is much more than the public
knows. You have not, but the House has had testimony saying the
Commerce Department and the State Department have been deeply
penetrated. What has not been told is that every other major
department has been equally or more deeply penetrated, one so
greatly that NSA had to bring their blue teams in just to find
all of the problems.
We do not tell the public that because it is embarrassing,
but it is just a symptom of what is happening. Eastern Europe
has organized crime groups that recruit developers. But the way
they recruit them is with lies and money. And then when they
find out that they are working for organized crime, and they do
not want to, crime groups use terror. They threaten their
families. They kill their families if they do not want to work.
You talked about the $10 million that was obtained in 30
minutes. What was interesting about that case is the reason it
stopped was the ATMs ran out of money. That was the only
reason--they were just empty.
Chairman Lieberman. Just take a moment and explain why the
30 minutes. Was that thought to be a period of vulnerability in
the systems?
Mr. Paller. Well, I did not talk to them. The FBI thinks
they assumed they would not get caught doing it if it was short
enough; that the triggers would not happen. What was
fascinating is you might ask, how can they get that much money
out?
The attackers actually had control of the computers inside
the bank and were raising the limits of how much each of the
cards could take out of the ATM as the ATMs were being emptied.
You normally have a $300 or $500 limit. Those limits just kept
growing, and it was because the attackers had control of the
computers as well as they had made all these white plastic
cards. But that $10 million is one of thousands of attacks.
You heard about the multi-city power outage that the
hackers did. Why did they do that? Well, it is all extortion.
If I have control of your computers, and I say I am going to
take the power out, and you say, no, you will not, well, all I
have to do is take the power out for 2 days, and every other
utility will pay. It is a massive money-making scheme, and that
money can be used to buy extremely advanced technologies. Our
defenses, the way we have built them under the FISMA
legislation are just--they are antagonistic to improve
security. They are not just not improving security, they are
actually working against it.
But there is a wonderful story I want to share with you. It
is why I was happy to come today. It is one huge success. It is
a Federal success. It shows not only can the Federal Government
radically improve security, but that the effect can spill over
into the defense industrial base and into the critical
infrastructure.
It started when NSA was briefing John Gilligan, who is the
Chief Information Officer (CIO) at the Air Force, and they told
him they could get into Air Force systems in 30 minutes. And he
said to them, you are not helping us. Tony Sager was the
briefer from NSA. John said to Tony, ``You are just not helping
us. You show us how you break in. We fix everything. A few
months later you are going to come in and break in again.''
This is the key statement. ``Can you get all your attackers
together and tell us what the critical things are we should
have done that we should do to protect ourselves?''
You hear Melissa Hathaway talking about offense must inform
defense. The fundamental error under FISMA was that we asked
the people who did not know about offense to tell us how to do
defense. You cannot do that. You just cannot do that.
So Tony went back and got the attackers together, showed
John how to configure the systems, and they implemented those
better configurations on a half a million computers, but they
had to--this is from your opening statement, Senator Collins.
You talked about the key role that the private sector plays
using procurement. That is the one huge lever you have. There
is nothing close to it. If you want to change security, the
lever you have is procurement.
So what John did is he went to Microsoft. Microsoft said,
no, we are not going to give you a different configuration than
what we give everybody else. One size fits all. You have to
take the one we give you. And he went to Steve Ballmer and
talked him into giving them a more secure configuration. They
implemented across a half a million machines. Here are the
results.
One, it used to take 57 days on average to patch the
machines. That is a good number in the Federal Government, 57
days, way too long. Now it is 72 hours and heading down toward
24. So they were able to change the way they manage computers
because they have these good configurations. They saved $100
million in procurement. They save more than $100 million every
year because they do not have to test the patches on every one
of their different configurations. And they save $30 million on
energy costs because the settings actually were energy-saving
settings.
But most importantly, because all the experts said this
would not happen, the users were significantly happier. The
help desk director at the Air Force reported that their help
desk calls were down by 50 percent because the users actually
were better off. So here you have much better security, much
lower costs, and happier users. And Karen Evans, to her credit,
actually took that initiative and said to the rest of the
government, let's do that as a government.
The challenge right now is that the attackers have gotten
so far ahead, that is only one piece of what has to be done. So
John went back to Tony and said, what are the rest of the
things that have to be done, and he has created a new list of
the critical things that must be done to secure Federal
systems.
The one most important thing in all of that lesson is, the
Federal Government has the big lever. And it is the $70 billion
in information technology (IT) procurement that you use each
year. When we talk about public-private partnerships, those
are endless meetings. I am sure you have sat in on some of
them. They go completely different, if you are about to spend a
half a billion dollars, which is what John Gilligan did.
The great partnership is: Let's spend little pieces of that
money--I am not saying increase the money. These commercial
organizations are more than willing to deliver more secure
systems. They actually like it, if you will tell them what
secure is. That is where NSA comes in. You cannot ask the
National Institute of Standards and Technology (NIST) to do it.
They do not know what the attacks are. You have to get it from
NSA and US-CERT.
But once you know what the defenses should be, you can use
procurement dollars to actually spend less money and have more
secure systems. And what I like most about that story is that
it trickled down. Microsoft now sells that more secure
configuration to the defense industrial base, to the utilities.
So you, using your procurement power, actually changed the
nature of software and hardware so that it has been built more
securely, there is nothing to stop the vendors from selling
that more secure version to everyone.
So the idea of leadership to me is not whether it is a
White House or DHS leadership, it is whether you use the $70
billion a year that you spend on information technology to make
the Nation safer. Thanks.
Chairman Lieberman. Thanks very much, Mr. Paller. That was
really riveting testimony. And it is very important to tell
these stories to help laypeople, if you will, get into this.
We will enter your statement, along with everybody else's
statement, into the record. Also, please take a moment to tell
us what the SANS Institute is and, therefore, what credibility
you bring to this task.
Mr. Paller. We are the main teachers. We have about 100,000
alumni in 60 countries. We train the FBI, the NSA, the British,
the Japanese, and the Indonesians. We teach the very advanced
cyber security courses, forensics, and intrusion detection. And
we also run the Internet Storm Center, which is an early
warning system.
Chairman Lieberman. That is great. Thank you.
Tom Kellermann is the Vice President of Security Awareness,
a pretty good title, for Core Security Technologies. He brings
another unique perspective to assist the Committee as we
undertake this responsibility. So we thank you for being here
and welcome your testimony now.
STATEMENT OF TOM KELLERMANN,\1\ VICE PRESIDENT OF SECURITY
AWARENESS, CORE SECURITY TECHNOLOGIES
Mr. Kellermann. Thank you, Senator. I greatly appreciate
the opportunity to debrief this Committee on serious economic
and national security risks that we are facing today from a
cyber perspective. Much of my experience comes from my days at
the World Bank Treasury on the security team there. And I will
caveat that with the need for all of us to appreciate the Art
of War by Sun Tzu. We need to really appreciate how offense
informs defense, but not only that, how we can better layer
security and implement policies and programs to create defense
in depth across not just the Federal Government but critical
infrastructures.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Kellermann appears in the
Appendix on page 100.
---------------------------------------------------------------------------
The horrible events of September 11, 2001, should have
taught us a fundamental lesson, which was that non-state actors
will use technology against our critical infrastructures. More
importantly, it is obvious since September 11, 2001, that
terrorists' financing has been directly related to the proceeds
of cyber crime, and the modern day silk road directly relates
to those bank accounts that were pilfered in that case that
Melissa Hathaway spoke of at RSA Security.
The DHS has done a successful job, I think, regarding
increasing the Federal standing per cyber attacks, however,
there are some challenges that do detract from these efforts.
First of all, the lack of management continuity. Many of DHS's
senior cyber security leadership positions are political
appointments by nature, and they result in frequent turnover of
management personnel and changes in priorities and focus of an
organization's mission. There is an insufficient support
structure within DHS to provide fundamental functions to
support cyber security needs, particularly the needs of what I
consider the four most functional aspects of the National Cyber
Security Division, which are the Electronic Crimes Task Force,
the Secret Service, the US-CERT, and the Federal Network
Security Branch.
Specifically, as I relate to this, the Federal Network
Security Branch is no longer the lead when it comes to
establishing the standards of cyber security and computing
across civilian agencies, and many times it has to defer to the
Office of Management and Budget (OMB). So that leadership
position should be increased. I think that they should have the
capacity to conduct red-teaming exercises against civilian
agencies to determine where these vulnerabilities are, to
determine where the priorities should be for IT spending.
This is a common problem across the Federal Government,
where you have CIOs and Chief Technology Officers (CTOs)
leading the way vis-a-vis what should be spent on IT and IT
security. And CIOs' mind-sets are much about productivity,
efficiency, access to services, and culturally differ from the
defensive perspective of Chief Information Security Officer
(CISO) community. And I think that it is important from a
governance perspective that the perspective be raised to the
top, particularly vis-a-vis the allocation of budgets and the
expenditures of funds necessary to secure systems.
To this point, as evidenced by specific campaigns carried
out against Federal agencies in recent years and further
illustrated by recent trends emerging in the larger cyber crime
landscape, a true lack of situational awareness and an
inability to predict the specific methods being utilized by
electronic assailants is pervasive throughout the Federal
Government, particularly as it relates to the recognition that
the enemy no longer wants to disrupt service; the enemy wants
to remain persistent and clandestine. The enemy in fact wants
to launch a cyber insurgency or a cyber infiltration against
your systems. And in the end, if they are given command and
control, they want to remain on mission but also be able to
control the integrity of your data to manipulate you in any
which way they should feel necessary.
To address this dire reality, which has been highlighted
most recently by the public incidence of energy hacking
across the grid, not only in the U.S. but overseas, and the
Heartland payment systems breach, which was one of the most
massive financial breaches in the past 50 years--to that note,
over 200 banks were impacted by the Heartland breach, not just
the cards themselves, but those bank systems that were
connected to those systems--we need to represent the reality
here that cyberspace is an aquatic environment. And if you can
attack one segment of the water, you can infect the entire
environment.
It is important that because of this reality, the Federal
Information Security Management Act compels agencies to undergo
more frequent, internal assessments to gauge their risk to
cyber attacks, and not just check-the-box exercises for
compliance, but really using the dynamic guidance given that is
being sponsored by Tony Sager and John Gilligan, vis-a-vis the
Common Audit Guidelines (CAG). And, specifically, agencies
should be required to conduct regularly extensive security
audits of their IT systems using the red team mentality and
best practice identified by folks like Tony Sager, John
Gilligan, and the CAG.
In addition, I would ask this Committee to consider the
creation of systems of accountability, including penalties for
those organizations and civilian agencies who are not properly
addressing those critical vulnerabilities, and tailoring their
IT budgets to addressing those critical vulnerabilities. There
is too much plausible deniability in the system right now, and
people do not actually undergo this type of red teaming or
penetration testing because they want to maintain plausible
deniability to insulate themselves from not only the clean up
but also the criminal negligence that would come had they not
addressed or remediated the problems that were found.
In addition, we must use these benchmarks to extrapolate
this phenomenon to third-party outsourcing. The infamous breach
of DHS 3 years ago was based on a lack of a standard of care in
due diligence enforced by a third-party managed service
provider. The previously noted Verizon Data Breach report noted
that 39 percent of breaches were directly related to strategic
partners. These were not cases of strategic partners attacking
systems, but those systems of the strategic partners being
compromised and used as island hops to transit and attack those
primary systems.
It is imperative that we grapple with this systemic risk
imposed by the outsourcing and offshoring of not only American
jobs but the digital ecosystem on which we are heavily
dependent. In order to promote and create a secure U.S. cyber
ecosystem, this Committee should consider mandating that all
entities who provide managed information security services, of
any sort to the U.S. Government, or providers of such services
to critical infrastructures as defined by the National
Infrastructure Protection Plan (NIPP), at the very least enter
into information security service level agreements, which go
beyond the service level agreements today, which are
essentially contracts that have mediocre terms of liability and
recourse and are far too much focused on resiliency and up time
of the data versus the integrity and confidentiality of said
data.
The agreements must require that these service providers,
at a minimum, have the same standards of legal and layered
security as defined by NIST-800-53, but also move forward and
allow that entity, the primary consumer of those services, to
conduct audits based on things like the CAG of those systems,
and mandate remediation timetables of those systems.
We must use Federal acquisitions policy to require that
these service providers comply with all these individual
requirements. Those organizations who already are compliant
with FISMA, who are being proactive, should inherently receive
tax credits or some sort of benefit from the system for being
good Samaritans in the cyber landscape.
In summary, while the national and worldwide cyber pandemic
is currently scaling in an exponential manner, I would submit
that the significant gains can be realized through the Federal
Government today by the political obligation of more aggressive
attention to these issues. In this dark hour, we need strong
bipartisan leadership. The dramatic increase in cyber attacks
necessitates action. The recent 60-day cyber review developed
by Melissa Hathaway represents a great starting point for real
policy and strategic leadership, but it cannot be operational
without the good work of DHS and this Committee.
It is paramount that this Committee understand that it too
can serve a fundamental role of change in defending our
Nation's critical infrastructures from this pervasive
phenomenon, and I appreciate your consideration of my statement
and, of course, your public service.
Chairman Lieberman. Thanks so much, Mr. Kellermann.
That sets it right up for the question period. We will do
7-minute rounds of questions.
Let me make a statement based on what you have said and
what I have learned here on this Committee, but also in the
Armed Services Committee. We have a lot of overlap between the
two committees.
For a number of years, we have been warned in the Armed
Services Committee of the threat of asymmetrical warfare, which
is to say the United States has become so strong in what might
be called conventional warfare that it would be natural for
somebody wanting to do us ill to not try to compete with us on
that level, but to look for the weakness, the vulnerability,
and to attack us in that sense, asymmetrically.
The second reality that we are dealing with, of course, is
that after September 11, 2001, we are involved with Islamist
terrorists in a global conflict, in which some of the old,
traditional rules of warfare are gone, which is to say, this is
not planes against planes, ships against ships, armies against
armies in conventional battlefields. People strike it as from
the dark and have no hesitancy to strike civilian populations,
as we saw here, painfully, on September 11, 2001.
So you put both those together, the warnings that we got
about asymmetrical warfare and the new rules of the conflict we
are in, particularly in which civilian targets are open
targets, cyber attacks just jump right out at you, don't they,
as a major threat to the security of the United States; and
makes relevant not just the defense that the Department of
Defense must provide to defend cyber systems, but all of the
privately controlled cyber systems in our country that really
are in control of our financial system, our power generating
system. You could go on and on; our healthcare system could be
incapacitated.
So I want to invite a reaction. To me, this is a real
crisis, but I invite you, if you think I am overstating it, to
say that. But here is my concern. If I were an enemy, either a
state enemy or a non-state enemy, like a terrorist group
wanting to do us harm, it seems to me one of the first most
attractive ways to attack us would be a cyber attack, both
because of the difficulty of finding me, the enemy, but also of
the tremendous damage I could do at this point in the status of
our cyber defenses.
Is this true, Mr. Paller?
Mr. Paller. I think you are absolutely right, but I do not
think the time is yet, meaning I think right now it is easier
to bring a bomb across the border and blow somebody up. And if
you are going to do terror right now, that simply works.
As we strengthen the borders, as we make it harder and
harder to do kinetic attacks, this kind of cyber attack will
become the attack of choice. And the reason that it is such a
challenge, that you have to act right now, is that asymmetric
warfare means pre-establish and control. So when the Chinese or
another Nation gets into a Senate committee computer, they do
not get in to steal the data, they get in to steal the data and
to leave something so that they can change information at
critical moments.
Chairman Lieberman. Correct.
Mr. Paller. So it is now that we have to fix cyber security
in government and the commercial sector because the war will
come later that will be fought in cyberspace. But I do not
think we are sitting here waiting for a new attack against the
power plants of America in the next 6 months.
Chairman Lieberman. OK. You in your testimony, Mr.
Kellermann, made some references as to how these both come
together. Organized criminal groups see an opportunity to hold
up private entities for money by threatening cyber attack or
actually carrying them out. You raised the question of whether
that clearing of the $10 million from the ATMs, some of that
money may have ended up or may have started with organized
crime, maybe not, and terrorism usage. But in your written
testimony, you used the example of the Bali bombings in 2002 as
an example of a terrorist attack that was funded by cyber
crime.
Just take a quick moment and tell us about that.
Mr. Kellermann. What is interesting about the Bali bomber,
Imam Samudra, was that he not only financed the attack through
credit card fraud and precipitated through cyber crime, but he
wrote a manifesto of sorts while in an Indonesian prison,
stressing that Jihad could best be waged by using the money of
the infidels to finance the physical acts of terror against the
infidels. And you will see actually a spike--and I am sure Mr.
Paller can speak to this with Internet Storm Center. You have
seen a spike since in the number of hacker attacks emanating
out of Indonesia. There is a realization of sorts that this
Robin Hood mentality, that the lack of resources that these
communities traditionally have, can be acquired through cyber
means because the financial sector is so porous and too over-
reliant on perimeter defenses.
But more importantly, vis-a-vis the different types of non-
state actors, you have a dark ages mentality now in the
underground, where you literally have communities that are
assisting other communities without ever meeting them, in a
very ephemeral sense, and acquiring the weapons grade
technologies to attack systems, whether or not they have
computer skill sets, as well as the sale of systems that have
already been compromised is widespread, as well as financial
details in bank accounts and credit card numbers can be sold
for $40 a pop in this system, to any actor, so long as they are
not considered a ripper, which is someone who is untrustworthy,
that they do not follow through with deals.
Chairman Lieberman. I have very little time left, but I
want to just draw out, Mr. Baker and Mr. Lewis, on the debate
you have about how we should best organize to respond to this.
Am I right that both of you agree that the Department of
Homeland Security should have primary responsibility for non-
defense Federal Government computers and for the interaction
between the Federal Government and the private sector in regard
to cyber defenses? Is that right?
I want to say for the record that both are nodding
affirmatively.
So let me understand. Mr. Lewis, you have been very clear.
You think there ought to be an office in the White House to
coordinate everybody involved, DHS, NSA, DOD, and others.
But, Mr. Baker, let me understand what you are suggesting.
Do you think the Department of Homeland Security should play
the overall governmental coordination role or that there is not
really a need for one?
Mr. Baker. Let me address that. There is a need for more
coordination; there is no doubt about it. It would be my
suggestion that what is needed is not just a coordinator. This
is something that the National Security Council does all the
time. They coordinate and resolve disputes between agencies,
and they can lead agencies.
What they will need is support in actually identifying the
precise steps that ought to be taken on an urgent basis, if
necessary, the kind of day-to-day research into the problem and
the response to the problem, the development of standards and
regulatory approaches and procurement standards that we have
been talking about here. Everyone recognizes there needs to be
greater detail in the administration of the actual cyber
security enterprise, and the question is, should that be done
at DHS or by some new agency that will be created in the
Executive Office of the President. I would suggest that it
ought to be done at DHS.
Chairman Lieberman. You would prefer DHS. And insofar as
the overall coordination, you would have that be done by
someone working at the NSC or the HSC.
Mr. Baker. There is no doubt there needs to be very strong
presidential leadership, probably through the NSC on this. It
is really a question of how you staff that leadership.
Chairman Lieberman. Right. Thank you. Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
Mr. Baker, let me resume where the Chairman left off.
When Senator Lieberman and I sat down to implement the
recommendations of the 9/11 Commission back in 2006, we quickly
realized that one of the Commission's recommendations having to
do with the placement of the National Counterterrorism Center
(NCTC), within the Executive Office of the President was not a
good idea. And our concern is that it would have placed the
NCTC largely beyond the reach of congressional oversight, and
it also would have limited the personnel and budget that the
center could have. And it also had implications for privacy
concerns as well.
When I hear this debate today, it is very reminiscent of
the debate over the placement of the NCTC. One of the issues
that we want to avoid is stovepiping again, of having agencies
that are not coordinated, that are also beyond the reach of
congressional oversight.
I know that you followed that debate very closely. Do you
see any lessons for us as we decide where the appropriate
entity is to do this coordination in the decisions that were
made back in 2006 with regard to the placement of the National
Counterterrorism Center?
Mr. Baker. I do, actually. And I did follow NCTC's
implementation closely, both because of the Commission on the
Prevention of Weapons of Mass Destruction Proliferation and
Terrorism and because I knew the first two heads of the NCTC
and worked with them closely at DHS.
I think that the NCTC is a success, and a success in part
because it is not in the Executive Office of the President. It
is not buffeted by whatever is on the President's plate that
day. It can actually build institutions, take the long view,
and approach problems with a bit more discipline than you can
afford when you are trying to follow the ball in the Executive
Office of the President.
It also has been able to develop a privacy agenda that I
think has worked. The responsibility to report to Congress has
worked out well for NCTC and I think for the insight of the
Nation into its activities. And I would envision a similar role
for DHS. That is to say, when I was at DHS, I saw NCTC in some
respects as an extension of the NSC. They worked for the NSC.
They were particularly responsive to the President's
priorities, but because they were outside of the immediate
battle rhythm, they could do it on a more disciplined, long-
term planning basis. And that is something that I think DHS can
do if the President and NSC choose to use them in that way.
Senator Collins. Thank you.
Mr. Lewis, I want to ask you a more fundamental question
that came up in a discussion that the Chairman and I had last
week on this issue.
If a hostile nation were to shoot missiles at our country's
power plants and, thus, disable our electrical grid, we would
immediately recognize that as an act of war. And the United
States would marshal all of its resources to counter that
action. Yet, if a hostile nation used computers to achieve
exactly the same result, a complete disruption of our
electrical grid, it is not at all clear that our government
would view that as an act of war, assuming we could identify
who was behind the attack, which is a whole other issue and
challenge in and of itself.
It is my understanding that the CSIS report has some
specific recommendations to the President on identifying
cyberspace as a vital asset, and sending a message to those who
would attack us, using computers rather than missiles, that we
would consider that to be an act of war.
Could you talk about that issue for us?
Mr. Lewis. Sure, I would be happy to. And let me say that
we approached this as a national security problem, and we
thought cyber security should be treated the way we treat other
national security problems, which is that many agencies have a
role. No agency has the lead. And so, when you look at our
foreign policy or our national security policy, it is Defense,
State, and the intelligence community. And all of them are
coordinated by the NSC. And we thought the same sort of
approach is the only way you can fix cyber security.
So, for me, when I listen to Mr. Baker, NCTC is not a good
model. Its mission is too narrow. DHS does not have the
capabilities. We do not want DHS making the decision when
something is an act of war or when it is not. That is properly
given to the President. And that is the real issue, when is it
an act of war?
This gets back to some of your earlier statements. The
Chinese have missiles. They are pointed at our power plants or
at Los Angeles, but they are not going to launch them. They are
not going to launch them until they need to. The Chinese right
now have an intelligence advantage that exploits all of our
networks, including yours. And they probably have left
something behind that when there is a crisis, they can launch,
just like they can launch their missiles. So this is not
something that we should be surprised at. People have always
been targeting electrical systems. It is just now they have a
new weapon to attack it.
Two issues, though. How do you determine who the attacker
is? My guess right now is we only know perhaps in a quarter of
the cases at best who is actually launching the attack. The
other issue is when you decide to respond and how you respond.
A response does not necessarily have to be keyboard versus
keyboard, and we usually think of it that way. There is some
geek over in China and there is some geek over in the United
States. We have to get away from that. We have to say, from the
White House, cyberspace is a vital national asset and we will
use all means to protect it. A simple statement like that would
be very helpful in putting our enemies on notice.
We then have to follow it up with some actions. Again, for
me that points to who should the lead role be. If you are going
to expel an attache from an embassy because of a cyber
incident, this is what you would normally do in espionage, it
is not a decision that would be made by any one agency. It
would be made by a couple of agencies working through the White
House. So we have to start treating this like a grown-up
national security problem and getting the real national
security system involved.
Senator Collins. Thank you.
Chairman Lieberman. Thanks very much, Senator Collins.
Senator Landrieu, welcome.
OPENING STATEMENT OF SENATOR LANDRIEU
Senator Landrieu. Thank you. And I appreciate the
leadership of this Committee in an area that I feel very
strongly about as well. And our State has made some initial
steps working with the Air Force, in particular, to establish
some benchmarks on this effort, which is why I am here today
and want to continue to be involved.
Before I ask my questions, Mr. Paller, let me ask what
happened to the $10 million? Did they actually get it? Do we
know where it is, and was it returned?
Mr. Paller. The $10 million is in the hands of the
organized crime group.
Senator Landrieu. And that is----
Mr. Paller. It is gone.
Senator Landrieu. It is gone.
Mr. Paller. And there are several more similar things
happening as we speak, like that.
Senator Landrieu. I know the primary debate, and it is an
important debate, is how this is coordinated between agencies
and who might take the lead role, but you have been very clear
that there will be many agencies involved.
Looking at the sectors that warrant the most protection,
from the financial sector to the utilities sector, other
sectors, and given, I think, Mr. Kellermann's comments about
terrorists using our own financial sector and access to it to
actually fund their operations, how would each of you rank
those sectors in terms of importance, since we are behind?
If we had to rank in order of efforts to protect, what
order of sectors do you think is most important?
Mr. Kellermann, why don't you go first?
Mr. Kellermann. I would say financial sector is actually
most important because, right now, for the last 10 years,
organized crime and non-state actor community in general has
been feasting on financial fraud, whether it is personally
identifying information or funds transfer out of systems, which
is why there has been an 80 percent increase in wire transfer
fraud this past year.
Senator Landrieu. And what would the second area or third
area be?
Mr. Kellermann. I would think there needs to be much more
attention, actually, being paid to the healthcare sector,
considering that we are trying to digitize health records,
which can all be used to establish lines of credit in the same
fashion that financial data could, in order to have revenue
streams, per se, coming from the developed world into the
developing world. The energy sector is obviously very
important, the Smart Grid. It is going to create a huge
systemic and operational risk that needs to be dealt with, and
security must not be retrofitted on that.
But realistically, the non-state actor community is using
financial information and health information to establish lines
of credit to finance physical acts of violence against U.S.
interest. But more than likely, the state actors who have
already penetrated these systems, they are not going to
actually turn off the systems or change the integrity of the
systems until there is actually an international conflict with
the United States. So we can wait a little bit vis-a-vis those
actors due to diplomacy and the need for the DOD to get their
act together when it comes to cyber security and cyberspace.
Senator Landrieu. Would any of you like to add something
about--go ahead, Mr. Paller.
Mr. Paller. Two completely industrial sectors. I think the
greatest losses we could have, the place we have to act most
quickly is in the defense industrial base. When you hear about
the military losing things, it was not the military; it was the
contractors. Those firms advise government on how to secure our
systems, and then, like shoemakers' children without shoes,
they give up all of the data. It needs a lot of attention, and
DOD, as Mr. Lewis discussed, is already trying to focus on
that.
The second one for me is the power system. But I think the
fact that he has two and I have two different ones means that
you will find that the only way to fix those is through Federal
procurement. If you do not enable them to buy more secure
systems baked in, they are not going to be able to do it. You
cannot fix the security of a system after you have bought it.
If the people sell you a broken system, it is broken.
Mr. Lewis. Just really quickly, we went through this in the
commission, and we identified four sectors. The reason we
identified them is we wanted to be able to take punches and
keep moving, right? And those were the energy system,
particularly, the electrical grid, telecommunications, finance,
and government services, particularly at the Federal level.
If those four can keep operating in the face of attack, we
will be able to continue to perform as a nation.
Senator Landrieu. Let me ask you, has the Pentagon
identified which branch of the Armed Services should take the
lead on this effort? Is it more natural to the Air Force or to
the Army or to the Navy? If anyone would take 30 or 45 seconds
to briefly describe your views on that.
Mr. Lewis. The services all have different capabilities. I
hear Navy is the best. Do not know that, but that is what I
hear. DOD has decided to set up a new joint command with all
the services, located at Fort Meade.
There is a question about where it will be. Right now, it
is under Strategic Command (STRATCOM). It might become an
independent one. But the decision appears to be no one service;
create a joint command, and that is probably the right
decision.
Senator Landrieu. Is there any role for the National Guard
that any of you could foresee in this? And if you would like to
describe or have you thought about that at all?
Mr. Paller.
Mr. Paller. Definitely. The key is you need practitioner
knowledge. I train the National Guard guys who go over to Iraq
each summer. They are wonderful. They have a lot of experience
there. They have the skills. So the merger of that skill set of
technology-literate people with the military is one of the
great assets we have.
Senator Landrieu. And it seems to me--and Mr. Chairman and
Senator Collins, I want to particularly stress the idea of the
National Guard taking a leadership role, and the idea that the
kind of people that we need, Mr. Chairman, to man this command
would be people that could be recruited from high levels of the
private sector that might not be engaged 20 or 25 years in the
Armed Services, but would be at very high levels that could be
recruited to come into the National Guard, specifically
committed to this mission.
So I would urge this Committee to look carefully into the
role that they might play, being located in all the States,
very close, of course, to the governors and to the State
government, and a good nexus between the Federal and State
government. That might be an opportunity.
I have many other questions I will ask. I only have 14
seconds. So in closing, in terms of education and training in
either our colleges, universities, or other levels, could you
maybe, Mr. Paller, since you are involved with the SANS
Institute, give a quick response to what some of our education
committees could be doing in terms of investing in the
workforce necessary to create the kind of intellectual strength
we need in the coming decade or two for this in our country,
given that so many international students are here and then
leave with these prerequisite degrees and go back to other
countries, some of which are not friendly?
Mr. Paller. Big question. I will just give you one quick
answer, and I will give you more if you want it later. But the
quick answer is the most important thing you can do is change
the way computer science and computer programming is taught in
America, because programmers are not taught to write secure
code. Every single one of these attacks happens because of a
programmer error, and we are not teaching the kids who write
software to write software securely. The faculty does not want
to do it. So if you want to fix something, that is a wonderful
one to fix.
Mr. Lewis. Just quickly on that one, the President's speech
yesterday got it right when he said we have to re-focus on
science, technology, engineering, and math; that we have
underinvested since the end of the Cold War, and now we are
behind. And so it was great to hear yesterday. That will help
create the environment where Mr. Paller's sort of training can
really flourish.
Mr. Kellermann. If I may, also I think that MBA students
and MBA programs are very short-sighted because they teach that
technology increases efficiencies and accessibility services,
and productivity. They do not teach the risk management side of
implementing widespread technology or the implications of
systemic risk, whether it is outsourcing or offshoring. It is
just looked at as a win-win and a panacea for fraud actually.
Chairman Lieberman. Thanks, Senator Landrieu.
Senator Carper is next on the list, but he is in the
anteroom in a meeting. So I am going to call on Senator Burris
in a minute.
I want to express regret, apologies, to the four witnesses
that I have to go off to another meeting. I believe Senator
Landrieu and I are heading in the same direction. But we are
going to leave you in the able hands of Senator Collins and
Senator Burris, who will carry the hearing to the conclusion.
You have been an excellent panel of witnesses. The reward
for this behavior is that we will undoubtedly call you back.
Senator Collins and I both were briefed by Melissa Hathaway
last Friday. And her report is with the President, so we expect
some public announcement of this soon. The President has built
on the increases that President Bush asked for some of the
cyber defense initiatives, in the fiscal year 2010 budget. And
I expect that we are going to want to take a very active role
here, probably including a legislative role. So I thank you
very much for a really helpful testimony.
With that, Acting Chairman Burris.
Senator Burris. Thank you.
Chairman Lieberman. You have come a long way very quickly.
OPENING STATEMENT OF SENATOR BURRIS
Senator Burris [presiding]. Thank you, Mr. Chairman, and
Ranking Member Collins, and for an excellent testimony from our
distinguished panel.
One thing that is going through my mind, gentlemen, is a
simple question. Mostly, it seems like we are on the defensive
in all of this. We are doing all the planning to try to protect
every aspect of our data from the would-be hackers or skilled
intruders.
Are we in this country doing anything on the offense? I
mean, are we seeking to reach out to some of these would-be
entities and also trying to hack into them to figure out what
is going on on their side?
Mr. Lewis, would you like to take a shot at that?
Mr. Lewis. Sure. Let me start, and my colleagues can join
in.
We have offensive capabilities. They are among the best in
the world. The problem is what I would call asymmetric
vulnerabilities. We are a target-rich environment. So even
though we are as good as our opponents, they have more stuff to
shoot at. So, yes, we have offensive capabilities, but we are
not in a position where that really is enough to protect us
right now.
Mr. Baker. I would add to that. It is true. I once said
that, in contrast to my experience at NSA in the early 1990s
and my current experience in government, we have gone from a
situation in the early 1990s where the score in the game might
be one to nothing, sort of like a soccer game, today when it
might be 187 to 149. The offense has just taken over the field.
Worse from our point of view, we are playing the rest of
the world. We are on everybody's top five list as intelligence
targets and they are all trying to get into our systems. And so
for us to play defense, we really have to play defense against
everybody else and that is a very demanding requirement.
Senator Burris. Now, you mean some of our friendly
countries also or where they are so-called friendly----
Mr. Baker. As Charles de Gaulle said, nations do not have
friends; nations have interests.
Senator Burris. Well, the permanent interest arrangement,
yes.
Mr. Lewis. We have some good relations with some treaty
allies, and then there is the rest of the world. That is a good
way to think of it.
Senator Burris. And we have to try to protect our system
from all of those entities that are trying to get in because we
are the biggest person on the block, I assume.
Mr. Lewis. We are the richest and the easiest.
Senator Burris. Which leads to the other question.
But to what extent are there turf problems that are being
resolved in the various entities in these various systems that
we are having? And I assume that you, Mr. Lewis, are saying that
this should really be controlled by the White House and not by
DHS.
Is turf a problem here in our security interests?
Mr. Lewis. There are some really big elephants in the room.
You have the Justice Department. You have the Department of
Defense. You have the State Department. You have the
intelligence community. These are hard agencies to control, and
it is very difficult to get them all moving in the same
direction unless you have somebody like the National Security
Council kicking on them. And those of us who have been in the
government know that you do not just tell the Attorney General
or the Secretary of Defense and he does it. Someone has to have
a reporting relationship, and the only place that exists is the
President.
So, yes, there are huge turf battles. Those are not
necessarily bad. It would be better if we had fewer turf
battles, but the only way we will get there is by establishing
clear White House leadership.
Senator Burris. I am pretty sure we do not put all our eggs
in one basket, in terms of that would be a security problem if
that were to happen.
Mr. Lewis. That is right.
Senator Burris. But there is a concern of coordinating all
of this various defensive mechanism, which seems to be a major
problem for us to do.
Mr. Lewis. I think the place where we have had a little
confusion is the distinction between direction and an
operational role. Nobody wants an operational White House,
meaning in a battle, the general does not drive the tank, but
the tank driver does not set the policies. We need somebody in
charge, but the people who actually implement the policies, who
carry them out, who have the day-to-day missions, that should
clearly be at the agencies, particularly DHS, which has a very
major set of roles here. But none of the individual agencies
are going to be able to coordinate all the other players on the
team, and we have to think of this as a team effort.
Senator Burris. Are you saying, Mr. Lewis, that DHS is
probably the one that could look at setting the possible policy
rules for the other agencies, and there would be some type of
oversight on those policy rules?
Mr. Lewis. Not as it is currently configured. And Mr. Baker
might disagree with me. But if you are looking for strategic
thinking, if you are looking for international engagement, if
you are looking for intelligence activities, all of those are
in other agencies outside of DHS. In fact, the most active
agency has been the Department of Defense. They have the
National Defense University. It has done a great deal of work
on defining things like when is it an act of war, what is
deterrence in cyberspace. The intellectual capital is not
located in any one agency, and that is why we need to
coordinate.
Mr. Baker. I do not disagree with much of that. NSA, in
particular, is a source of enormous expertise and anyone who
wants to make policy in this area is going to have to rely very
heavily on them. Because they are the attackers, they know what
works and they can, therefore, inform the defenders. And there
is no doubt there has to be leadership from the White House and
someone within the White House who is clearly responsible and
able to make decisions and to drive consensus on the part of
the departments.
Where I think we may diverge is, I believe that DHS really
should be staffing that person with respect to civilian agency
and private sector coordination. I recognize that DHS has had
growing pains for sure, and a lot of people would like to give
up on it, but there is no other logical place to do this. In
the last year, DHS has made real strides. They have great
leadership now. And I think they are in a position to do much
more than they have done over the last 3 or 4 years.
Senator Burris. My time has run out on this round. But one
question I hope that each one of you can respond to very
quickly, what can we in Congress do in reference to this?
Mr. Kellermann, you want to give it a----
Mr. Kellermann. I think it is very important that we
empower DHS to conduct red-teaming exercises across civilian
agencies and critical infrastructures so they can identify what
is most vulnerable; to allocate IT resources to fix these
problems, so we at least have a benchmark of where we are and
where we need to go beyond the compliance exercises that
currently exist today. As well, I think through acquisitions
policy, we need to mandate and require that those who provide
managed services that create the systemic risks, the aquatic
risks in the system, should be contractually bound to a
standard of care, which has not been established yet.
Senator Burris. Mr. Paller.
Mr. Paller. The key lever you have is forcing the agencies
to spend their money to buy security baked in. If you keep
telling them to do security after they have bought technology
that is broken, they are just not going to be able to do it. So
you are a great weapon, and this is the one committee that can
both set what needs to be done because you have wonderful
people at DHS now working with NSA.
Senator Burris. Are you saying put the authority in DHS to
deal with the other agencies?
Mr. Paller. Yes. The authority that was missing in DHS is
what everybody calls the red button. At DOD, when Defense
Information Systems Agency (DISA) says you are doing a bad job
of security, if the other group says tough, DISA can pull the
plug.
Mr. Paller. So if you want DHS to have the authority you
are talking about, you have to be able to pull the plug on
their computers. And that is something that Congress has not
yet been willing to do.
Senator Burris. Mr. Lewis, any thought on that as well?
Mr. Lewis. Sure. The three things that I think that only
Congress can do, it can set priorities, it can modernize
authorities, and it can provide the resources.
Let me talk just for a second on the first authority.
If some of us were in a classified briefing from DOD and
they said, we are having an attack--this gets to your missile
point--how do we respond? Is it Title 10, a military activity?
Is it Title 50, an intelligence community activity? Or is it
Title 3 or some other law enforcement activity?
Right now, it is not clear. There is a whole set of
problems as to how you could make it clear. But when you look
at the authorities for response or for defense, they were
mainly written in the 1980s, and they are out of date.
Mr. Baker. I agree with everything that has been said up to
now and I would offer this perspective as well. No one is going
to come to you and say ``I have a turf fight; I would like you
to take my side.'' Instead, every time changes in policy are
made, someone's ox is going to be gored. And you are going to
have business groups come to you, contractors who say ``I lost
the contract because I had too many breaches, but that was not
fair''; or ``My product was deemed insufficiently secure, so I
did not get the contract and that is not fair''; or ``they are
regulating me too hard.''
All of those things are complaints that you will hear, and
I ask that you take them with a grain of salt and ask, how are
we going to solve the problem if we listen to all those
complaints?
Senator Burris. Again, I am way over my time. Senator
Carper.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thank you.
Welcome. Thank you each for joining us today. And thank you
for your testimony today and your responses to our questions.
Also thank you for helping to guide me, my staff, and others
here in this Committee and the Subcommittee as we attempt to
develop legislation that we hope is going to be helpful in
addressing the concerns you all have been raising.
My staff tells me that each of you has had a chance to take
a look at the bill that we will be introducing later today. As
you may recall, it revamps the way that the Federal Government
handles cyber security. We do so by creating a new office for
cyberspace. We focus on actual security instead of paper
compliance and strengthen security officers within agencies.
You just, in an indirect way, provided some answers to a
question I have. What Senator Burris had just mentioned are
some things we can do in the Congress to respond to these
concerns. So some ideas of what we can do are embodied in the
draft legislation that we expect to introduce later today.
Could we just go down the row, and start with Mr.
Kellermann, and just share with us what do you think is good
about the bill that we have prepared for introduction and what
is not so good? And are there some areas in the legislation
that need to be added? Is there something that is missing of
which we should be mindful?
Mr. Kellermann. As you stated earlier, I think that
elevation of the office is critical. Moving away from paper-
based compliance exercises to more dynamic benchmarking is
fundamental. And increasing accountability is also highly
important and paramount to the success of this.
I would like to see, actually, an expansion of it to bring
to bear the four critical infrastructures that we have
identified in the commission report because of the systemic
nature of this risk, because all of these players, even
private, can contribute through a lack of layered security to
the economic and national insecurity of the government of the
United States and the American citizens.
Senator Carper. Thank you. Mr. Paller, before you answer,
let me just say, in our business, as Senator Collins and
Senator Burris know, we are always reminded to be on message.
And I just want to say you were really on message. You were as
good as anybody I have seen and always brought us back to
procurement.
Mr. Paller. You have three elements of the bill that are
wonderful. I happen to be up on them because one of the press
people called me at 11 o'clock last night----
Senator Carper. How convenient.
Mr. Paller. How convenient; exactly.
But one is you have attack-based metrics in there,
monitoring the things that actually block real attacks. What
people have been doing in the name of FISMA is looking at
everything in the world that might possibly be interesting in
security, and they have not focused on the things that will
actually block the known attacks. You also have continuous
monitoring.
Under FISMA, the government has been looking every 3 years.
How long do you think that look lasts after the guy leaves? So
there is a continuous monitoring of the critical ones. And the
third one you have is procurement, gently, but it is in there.
The challenge with the bill is that it also has a bunch of
other nice things that people who do not want to do those three
things will rely on. The bill is great. Whether OMB focuses on
those three, and whether you help OMB focus on those three, is
a big issue, but it is a wonderful bill.
Senator Carper. Good. Thanks so much. And thanks for your
help in crafting it. Mr. Lewis.
Mr. Lewis. You can tell who the guru is because I did not
get called by the press until this morning.
Senator Carper. Well, they called me. I gave him Mr.
Paller's number. [Laughter.]
I asked him to wait to a little later in the evening. I
said I think he is out, so maybe around 11 or 12 o'clock.
Mr. Lewis. I think the bill is exactly right. It creates
leadership. It moves to better metrics. It gets away from the
paper-based approach. We desperately need to fix FISMA, so I
really hope this bill goes through.
Senator Carper. Thanks so much. Mr. Baker.
Mr. Baker. I agree, FISMA is not working very well now, and
any steps along the lines of the legislation that can focus the
effort to improve security on real threats rather than moving
paper would be useful.
Senator Carper. Thank you.
Let me stick with this a little bit if we could. I
recognize that cyberspace is not an issue that is strictly the
responsibility of the private sector. It is not the
responsibility of civilian agencies. It is not the
responsibility of just the Department of Defense or the
intelligence community.
Given that acknowledgment, what office should be
responsible for ensuring that information is not only secure
but free flowing and ensuring our expectations for privacy and
civil liberties?
Mr. Baker. In my view, there are really two agencies at the
heart of this effort, the National Security Agency for the
security of Defense Department systems and for bringing to bear
the sophistication of attackers on the defensive effort, and
the Department of Homeland Security which has defensive
responsibilities, both for civilian and private sector
networks.
There are plenty of other agencies that have enormously
important roles to play, but we do not have enough experts to
spread them evenly among those agencies. We need to begin
building a cadre of real cyber security experts on the civilian
side that can match what NSA can bring to bear in the defense
side. And I think DHS is where that critical cadre of expertise
should be.
Senator Carper. All right. Thank you. Mr. Lewis.
Mr. Lewis. This has to be a team effort, so I think there
are many agencies, as Mr. Baker said. I would have added FBI as
the third critical agency in your mix. But right now, as one of
my colleagues says, it is like a kid's soccer team, a bunch of
7 year olds, here is the ball, they are all after it. The team
needs a coach or a captain, and that is where I would say that
your bill gets it exactly right.
Senator Carper. All right. Thanks. Mr. Paller.
Mr. Paller. I think Mr. Lewis said it fine.
Senator Carper. All right. But you did not say it. No, I
was just kidding.
Everyone has said what needs to be said, except for me, so
I am going to say it again. But I appreciate your brevity.
Mr. Kellermann.
Mr. Kellermann. I would concur with those comments, but I
would stress one important fact that I think has been lost, and
that is the privacy debate. We cannot achieve privacy without
cyber security. The privacy advocates for a long time now have
stressed that cyber security somehow impacts privacy. Physical
security and the use of technology does impact privacy. But,
realistically, the government does not have a monopoly on Big
Brother anymore, and that is anyone who can hack. So I think it
is important that the population respects your efforts in
trying to preserve their privacy with these efforts to improve
cyber security.
Senator Carper. I am intrigued by other nations that are
hacking into our system. I understand the motivation for kids,
they do it for fun, the challenge. I can understand the
motivation for criminal groups for the monetary gain. There is
a lot of money at stake here and they have the ability to do it
without going into a bank and robbing the bank, but still
capture even more money. And I can understand the motivation of
nations that are hostile to us, like terrorist groups that
would like to bring us to our knees. I can see plenty of
motivation there.
It is less obvious to me when I see a nation with whom we
have diplomatic relations, have had for some time, a nation
with whom we have a robust trade relationship, a nation that
buys enormous amounts of our Treasury securities. For that
nation to be so anxious to be able to infiltrate our systems
and, potentially, to undermine our systems, talk to us about
that motivation, if you would.
Mr. Baker. I think there are two things that are worth
saying about this. First, we should not assume that all of the
attacks on our systems are on behalf of a nation-state. There
is a kind of shadowy world here that is closer to Sir Francis
Drake than to an official naval force. That is to say, people
may be protected by their government, encouraged by their
government, rewarded by their government, but they are also
free actors. And there is plenty of that going on in this
world--digital privateers, if you will.
But it is also true that many nations that we would
consider friendly want the best possible intelligence about
what we plan to do because it has a direct effect on their
national security. And so they consider it only prudent to try
to extract as much information from our networks as they can
get. That does not mean they intend to shut them down, but the
difference between extracting information and shutting down the
network is just a question of what you leave behind when you
get out. So, we do see nations that we would consider friends
in our networks for precisely that reason.
Senator Carper. All right. Mr. Lewis.
Mr. Lewis. We are moving to a more competitive
international environment. And that means, in the Cold War, it
was us versus them. Now it is a multi-player game. It is more
like baseball where you have many teams, and these teams want
to get that intelligence benefit.
For me, this is basically a spy story. Now, in particular,
the Chinese and the Russians, they have been spying on us for
decades. They found a new way. It is really cool. They are
taking advantage of it. Does that mean they are not also
planning to use this as a weapon in the event of a crisis?
Well, of course, they are planning that. But their primary
activity, the primary risk to national security now, lies in
the espionage losses that we are suffering.
Senator Carper. All right. Thank you. Mr. Paller.
Mr. Paller. There is one more dimension of it, the economic
dimension. They may be military friends, but they may be
economic competitors. The head of the British Security Service
(MI5) sent a letter to the presidents of the 300 largest
companies in the United Kingdom, saying, if you are doing
business with China, China is using exactly the same techniques
to break into your computers, and your lawyers' computers, to
take the data they need so they can negotiate from a position
where they know more than you do.
I know it is true in the United States because the managing
partner of one of the largest law firms was the first visitor
in my new house, telling me the FBI had been in to say every
single document of every one of the clients has been taken from
the law firm's computers. So there is a massive economic
dimension to this, in addition to the military intelligence
dimension.
Senator Carper. Thank you. Mr. Kellermann.
Mr. Kellermann. To that point, why even focus on research
and development anymore when you can steal competitors' ideas
and have competitor advantage in the marketplace? And
realistically, why bother actually conducting espionage in the
traditional sense, as Mr. Lewis stated, when one can remotely
access systems and compromise systems?
Senator Carper. All right. That is a lot to chew on, isn't
it, colleagues? It is a lot to chew on. Thank you so much for
being here today.
Senator Burris. Thank you, Senator. We are going to call on
our Ranking Member, Senator Collins, to see if she has any
questions or comments.
Senator Collins.
Senator Collins. Thank you, Senator. I do have a couple
more questions and one comment.
Mr. Paller, you and I agree that the Federal Government has
potentially enormous leverage to improve the security of IT
purchases just using its purchasing power. I found very
compelling the story that you told of a Federal official
essentially begging the head of Microsoft to provide a more
secure configuration.
Do you have any specific recommendations for us on how we
can use the Federal purchasing power to require the
incorporation of better computer security in the software and
hardware that we are purchasing?
Mr. Paller. There are two levels you can do it. One is the
same level the Air Force is doing, which is to persuade the
vendors to sell more secure versions of what they now sell. And
the way you do that is by setting up a partnership between the
vendor and DHS and NSA to agree on what that more secure
configuration is.
Senator Collins. So to agree on standards?
Mr. Paller. On standard configurations.
Senator Collins. Standard, yes.
Mr. Paller. So that we can all buy a safer version. They
will push back, saying ``One size does not fit all.'' And the
reality is, Microsoft sells one size of Windows to 100 million
people. Oracle sells one size of its database to 100,000
people. They all sell one size. So the line ``one size does not
fit all'' is just a lie.
But the more important opportunity for immediate action is
every contract--so this is not just the contracts to buy the
big stuff. But every contract should have three clauses, and I
actually put them in my written testimony. I think Ms. Evans
actually pushed them when she was at OMB. One is you have to
make your software work on the secure configuration because if
you sell me software that does not work on a secure
configuration of Windows, I have to change Windows or not use
your software.
Two is, you have to make sure that the 25 most critical
programming errors are not in your software. And I do not
remember the third one, but it is in the written statement.
Senator Collins. Thank you. Those are very helpful
suggestions and ones that we should adopt.
Mr. Kellermann, you have done a lot of work and research in
this area, so I want to bring up an issue we have not talked
about today. And that is trafficking in counterfeit information
technology products. That is a global and growing problem. And,
of course, it is unfair, because it costs legitimate patent and
copyright holders millions of dollars of losses each year. But
also, it is a security issue because these inferior products
are far more likely to contain security vulnerabilities, either
inadvertently because they are sloppily done, or by design.
Do we need some sort of concerted global crack down on
counterfeiting of IT products to help improve our security?
Mr. Kellermann. Yes, I believe we do. And I think the
messaging behind that should be focused on the security aspects
of that software. Even if it is pirated Microsoft operating
system software, it will not be able to receive updates. And so
it will persistently have vulnerabilities and holes in code.
And being able to message that through the corporations and/or
governments that are purchasing this type of software will be
important for their understanding of the operational risks that
they are taking by taking the short cut through the woods in
this aspect.
Senator Collins. Thank you.
Mr. Lewis, I want to end my comments today by disagreeing
with you on the record in your description of the National
Counterterrorism Center (NCTC). Along with Senator Lieberman, I
am the author of the law that created that center, so I know
very well what the NCTC's responsibilities are. And as the law
says, not only does the NCTC serve as the primary organization
within the U.S. Government for analyzing and integrating all
intelligence information, with the exception of domestic
terrorists, but also it is specifically assigned the role of
conducting strategic operational planning for counterterrorism
activities with all the instruments of international power,
including diplomatic, financial, military, intelligence,
homeland security, and law enforcement activities within and
among the various agencies.
Senator Lieberman and I were talking that we remember this
debate very well because it was extremely contentious to give
NCTC the lead role in strategic operational planning. And on
this issue, the NCTC reports directly to the President so that
the agency has the credibility needed to do the job.
Furthermore, I had my staff check this morning, after you
responded that NCTC had a very narrow mission, to see whether
in the new Administration the NCTC is still acting as the lead
for all agencies on strategic operational planning. And,
indeed, it is. In fact, more so in this new Administration.
So I just wanted to correct that for the record.
Mr. Lewis. Could I add one thing?
Senator Collins. You certainly can.
Mr. Lewis. You all have done great work, and now I want you
to do it for cyber security.
Senator Collins. As do we. But my point is an entirely
different point, which is that we looked at putting NCTC in the office
of the President. That was the recommendation of the 9/11
Commission. And it was one of the few areas--I can only think
of three of the dozens of recommendations--where we disagreed
with the 9/11 Commission and made an informed and considered
choice to put this center in the Office of the Director of
National Intelligence (ODNI).
It was the right decision. It has been judged a success by
virtually everyone. And I think we have to be really careful
about creating a new office, as Senator Carper had suggested,
within the office of the President for fear that we are going
to diminish our ability to exercise congressional oversight. We
cannot call the czars or the heads of offices within the
Executive Office of the President before this Committee. We
cannot. We have very little say over their budget.
So I think we have to proceed carefully. That is not to say
that we are looking at DHS, as you implied, to make decisions
on declaring war. Obviously, that is not the case. That,
obviously, is something that the President would do with
congressional input, of course. But I think we have to proceed
carefully here to make sure that we do not create a whole new
round of turf battles, inadequate congressional oversight, and
unclear lines of authority.
So I think we need, definitely, to strengthen cyber
security, and the question before this Committee is how best to
do that. And I believe that DHS is the logical agency, given
how much of cyber security is in the private sector, to
coordinate that role. That does not mean diminishing the role
of NSA or the Department of Defense. Those have vital roles,
and the FBI, as well. But this is something that I think is
going to be the subject of a lot of debate.
So, Mr. Chairman, I thank you for allowing me to have some
final comments on this important issue. And congratulations on
being the acting Chairman.
Senator Burris. Thank you, Madam Ranking Member.
Just before we adjourn this hearing, I just want to throw
out something to this distinguished panel, because I am an old
bank examiner, I am an old auditor. And I wondered if we could
not come up with the old system of having two sets of books.
Remember that? I am just wondering if we could not have two
sets of computer systems. We will let them hack into one system
and get all the information they want.
Has that been processed or brought up?
Mr. Lewis. It is an interesting question, and it has come
up several times in the past. Physically, it is probably not
possible.
Senator Burris. It is not possible. OK.
Mr. Lewis. No. But, virtually, meaning you could have two
different systems running on the same infrastructure, people
are looking at that. It may not be possible, but it is
certainly an idea that is in discussion now.
Senator Burris. Well, at least I am on time.
Senator Collins. Thank you.
Senator Burris. Thank you, Madam Chairman.
We want to thank the panel. And as you heard Chairman
Lieberman say, I am pretty sure with your expertise, you will
be back.
So we will let the witnesses know that the record will be
open for 15 days in case witnesses or senators have additional
questions or statements.
Last, I would like to say, at this time, the hearing is
adjourned.
[Whereupon, at 11:55 a.m., the Committee was adjourned.]
CYBER ATTACKS: PROTECTING INDUSTRY AGAINST GROWING THREATS
----------
MONDAY, SEPTEMBER 14, 2009
U.S. Senate,
Committee on Homeland Security and
Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:04 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman and Collins.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. Good morning, and welcome to this
hearing, and thanks to our distinguished panel of witnesses and
to all who are here this morning.
There is an old familiar saying that, ``No good deed goes
unpunished.'' The modern technological corollary of that could
be, ``No good invention goes unexploited for bad purposes.''
And so, as we will discuss this morning, it is in the world
of cyberspace, as enemies and criminals have used its
increasingly dominant role in our lives to attack our
businesses and our Federal, State, and local governments--
indeed, in some senses to threaten the continuity of our
society, at its worst.
It was only 40 years ago that the first two computers were
connected into what is now the Internet. Now nearly the entire
world is online. The Internet has led to a wonderful revolution
in commerce, communications, entertainment, and finance that
has added greater efficiency, productivity, convenience, and
even pleasure to our lives and our enterprises.
But, again, it seems that no good invention goes
unexploited for bad purposes. And that successful computer
experiment 40 years ago that gave us this remarkably
interconnected world has also given us a global wave of cyber
crime that threatens our national security, our economic
security, and in some direct senses the well-being of
individual companies and individual Americans.
In a hearing last April, this Committee examined in detail
the threats to national security brought on by terrorists,
nation-states, common hackers, and cyber criminals.
We learned a lot at that hearing, for instance, that
computers containing information on the joint strike fighter
plane and on our electrical grid have been compromised,
possibly giving our enemies information that could make our
fighter planes more vulnerable and, at worst, plunge large
sections of our society into darkness.
Today, we are going to focus on a new wave of cyber crime
in the private sector that is hitting businesses of all sizes
across our country and ask the question: What can be done by
the public and private sectors to make commercial cyberspace
more secure, especially for organizations that cannot afford to
have large information technology (IT) staffs on the job 24/7?
And this is where I am grateful to the witnesses for being
here.
We will hear first from two witnesses from the private
sector who will describe how real a problem cyber crime is and
what the private sector is doing and can do about it, and then
two witnesses from the Federal Government who will testify to
what the public sector is doing and what more it can do about
this problem.
Just to validate the reality of it, in one particular
example that now is familiar to those who follow this issue,
cyber criminals operating out of Eastern Europe stole millions
of dollars from businesses and local governments by first
sending a seemingly innocuous e-mail to an unsuspecting company
comptroller or treasurer. The message contained either a virus
or an Internet link that installs a tiny piece of computer code
designed to steal passwords.
Then, using those passwords to gain entry to accounts, the
crooks patiently siphon off amounts of money, and they are
clever enough, often, to take them in amounts of less than
$10,000, thus avoiding triggering a bank report under Federal
anti-money-laundering requirements. Their methods are so
sophisticated that the traffic often seems to be coming from an
authorized computer--which could be a legitimate computer that
has been commandeered by the cyber criminal--so the bank or the
other financial institution does not really know that anything
is amiss.
The money is then transferred to ``money mules.'' It is
amazing how that term ``mules'' turns up in a lot of our
investigatory work here, including people who carry drugs or
weapons across the border in different directions between the
U.S. and Mexico. But these money mules are people recruited
to set up bank accounts the stolen money can be transferred to
and who then forward the money to the cyber criminals. Some of
these people may not even be aware that they are taking part in
a crime. They are often recruited to become ``local agents''
handling cash transfers for what they believe to be a
legitimate company.
The cyber gangs find these people over Internet job boards
by advertising the chance to ``make money from home'' or by
contacting people directly who have posted resumes on a
legitimate job service. Once the money shows up in the accounts
the mules have set up, they are given instructions on how to
wire it to other accounts which are controlled by the cyber
criminals.
Using this basic approach, we know that cyber criminals
have stolen an awful lot of money, in cases we know $700,000
from a school district near Pittsburgh; at least $100,000 from
a bank account of an electronics testing firm in Baton Rouge,
Louisiana; and approximately $1.2 million from a Texas
manufacturer. These, of course, are only a few examples of what
I think can now accurately be described as a cyber crime wave.
In 2007, TJX Corporation--the parent company of T.J. Maxx
and Marshall's--experienced a breach in its wireless networks
during which up to 94 million credit and debit card numbers
were put at risk of being used illegally.
In 2008, the Heartland Payment Systems--whose CEO, Robert
Carr, is before us today--was targeted by hackers in an attack
that compromised at least 130 million credit card accounts.
These are just the large intrusions we know about. A lot of
these cyber attacks, from what I have learned, go undetected or
unreported because the victims are frightened to report them,
either for reasons of security or because they have been
threatened, or, frankly, because they do not want it known that
it happened.
This is a real problem that we have to work together to
stop. Forty years ago, as I said at the outset of my statement,
the Internet was a tiny island of interconnected university
computers that was still just an interesting academic
experiment.
Today the Internet is a vast global system--a kind of new
strategic high ground that we call ``cyberspace''--that we
really must work together to secure just as any military
commander would seize and attempt to secure the high ground of
any battlefield on which they were engaged.
But securing cyberspace is in some senses more complicated,
though not, at this moment at least, as physically dangerous to
do since the Internet is so, by definition, limitless,
certainly in space, and thus, security cannot be achieved by
the government or the private sector acting alone, and in some
senses it cannot be achieved easily by either or both acting
together. But we have to figure out how to do better at this.
A public-private partnership to defend the integrity of
cyberspace is now urgently essential. Together, business,
government, and law enforcement throughout the world must come
together to deter these attacks and bring these criminals to
justice.
Our Committee is working on legislation to help to make
this so, particularly to further define and strengthen the role
of the Department of Homeland Security (DHS)--which, of course,
is the central jurisdiction of the homeland security part of
our Committee--to strengthen the role of DHS in protecting all
of us in cyberspace. That is why I look forward to this hearing
this morning as a way to help educate the Committee on how best
we can produce legislation that will really have the desired
effect.
As always, it has been a pleasure to work with the Ranking
Member of this Committee, Senator Susan Collins of Maine, and I
call on her now.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you, Mr. Chairman.
Mr. Chairman, as you indicated, we are living in a wondrous
new age of global information, an era that is being shaped by
digital technology, consumer demand, and amazing innovation.
It truly is a remarkable time. Today, without thinking much
about it, we send pictures, words, and video over the Web in a
matter of seconds. We have immediate, 24/7 access to each
other, texting and talking over affordable wireless devices.
Technology is transforming our culture, our economy, and our
world.
While we enjoy its many benefits, and most people cannot
imagine life without computer technology, we must also be aware
of the risks and dangers posed by this new world.
As the Chairman has pointed out, for every communications
advance, there is also the risk--indeed, almost the
inevitability--that the technology will be misused and
exploited. Indeed, experts estimate that cyber crime has cost
our national economy nearly $8 billion in losses.
Protecting our cyberspace has become critically important.
In the past 18 months, this Committee has held three hearings
on the topic of cyber security. Each time, we confronted a new
line of cyber crime or cyber attacks.
Newspaper headlines paint a troubling picture of the state
of information technology security in this country. This past
Friday, computer hacker Albert Gonzalez pleaded guilty to
charges stemming from the theft of tens of millions of credit
and debit card numbers from the computers of several major
retailers, including T.J. Maxx, Marshall's, and Barnes & Noble.
According to authorities, this may not have been his only
major cyber crime. In August, he was indicted for his alleged
involvement in the largest credit and debit card data breach
ever in our country. Data relating to more than 130 million
credit and debit cards were stolen from a number of
corporations, including Hannaford Brothers--a Maine-based
supermarket chain--and Heartland Payment Systems, whose CEO is
testifying before us today.
In July, the U.S. and South Korea endured a sizable denial
of service attack against both government and privately owned
systems. The attack--launched by an unknown attacker--used a
massive ``bot-net'' of hijacked computers to disrupt six
Federal agencies, the Washington Post, Nasdaq, and other
targets.
Most recently, there has been a significant increase in
organized cyber gangs stealing money from small and mid-sized
companies. The Financial Crimes Enforcement Network reports
that wire transfer fraud rose 58 percent in 2008, with
businesses generally forced to swallow substantial losses that
they can ill afford in the current economy.
Like the Chairman, I am particularly concerned about the
impact of cyber crime on our small businesses that do not have
the armies of technology security experts available to them
that a large corporation may have.
These incidents--coupled with the attacks and crimes that
we have discussed in our past hearings--should prompt the
Federal Government to get organized and to make cyber security
a high priority. Thankfully, there has not yet been a ``cyber
9/11,'' but information technology vulnerabilities are
regularly exploited to steal billions of dollars, disrupt
government and business operations, and engage in acts of
espionage, including the theft of business, personal, and
government data. These incidents can be devastating to our
national security, erode our economic foundations, and ruin
personal lives.
We are awash in recommendations on how to better secure our
information infrastructure. The Center for Strategic and
International Studies (CSIS), the 60-Day White House Cyberspace
Policy Review, and numerous academics and industry stakeholders
have suggested numerous ways to improve cyber security. As
these latest incidents underscore, however, the time has come
for the government to move from simply planning and studying
reports to taking effective action.
Comprehensive cyber security legislation must be a high
priority for this Congress, and I know that it is a high
priority for the Chairman and for me. The Department of
Homeland Security is designated as the lead agency for cyber
security, but we must ensure that it has more authority to
effectively carry out its mission, and the Chairman and I are
working on legislation that will do just that.
A couple of important points that we should be undertaking
right now: We need to improve information sharing between the
Federal Government and the private sector. After all, 85
percent of critical infrastructure is privately owned.
Second, if we encourage the adoption of best practices and
standards across the government, and if we encourage, through
using our procurement power, computer manufacturers to build
better security into their products, that will benefit the
private sector as well, because the government is such a large
buyer.
I look forward to discussing how we can strengthen that
public-private partnership to ensure the security of this vital
engine of our economy. Thank you, Mr. Chairman.
Chairman Lieberman. Thank you, Senator Collins, for that
excellent statement. Again, thanks to the witnesses. Normally,
Mr. Carr, we begin hearings of this kind with the governmental
witnesses. I appreciate the cooperation of the governmental
witnesses. We thought in telling this story it would be a good
idea to start with a particular case--Heartland Payment
Systems--and what the private sector is doing now, and then
invite Mr. Merritt and Mr. Reitinger to respond.
So our first witness is Robert Carr, Chairman and Chief
Executive Officer of Heartland Payment Systems, Inc. Thanks for
being here, and please proceed with your statement.
TESTIMONY OF ROBERT O. CARR,\1\ CHAIRMAN AND CHIEF EXECUTIVE
OFFICER, HEARTLAND PAYMENT SYSTEMS, INC.
Mr. Carr. Thank you, Senator. Good morning, Chairman
Lieberman and Ranking Member Collins. My name is Bob Carr, and
I am the Chairman and CEO of Heartland.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Carr appears in the Appendix on
page 153.
---------------------------------------------------------------------------
Let me begin by thanking the Committee for this opportunity
to appear today to share our lessons learned. I will talk about
the steps we have taken and what more can and should be done to
better protect our customers and the public from criminal
hackers.
Our primary business is to provide payment card processing
services to merchants. This involves facilitating the exchange
of information and funding between merchants and cardholders'
issuing banks. Heartland provides full-service electronic
payment processing services for merchants, including clearing
and settlement, merchant accounting, and support and risk
management.
When a consumer's card is swiped at one of our merchants,
we forward the authorization request through the card brand,
such as Visa or MasterCard, to the issuing bank. We then send
approval back to the merchant, allowing the purchase to be
made. We receive payment from the issuer, pass it on to the
merchant, and provide statements and accounting to the
merchant. It is important to note that in the course of our
payment processing business we do not receive cardholder Social
Security numbers, addresses, or unencrypted personal
identification number data.
We were founded in 1997, and have since grown from 25
employees to over 3,100 employees. As of December 31, 2008, we
provided our bank card processing services to approximately
230,000 merchant locations in America. Our total bank card
volume last year was almost $67 billion.
On January 20, 2009, we announced the discovery of a
criminal breach of our payment systems environment. This attack
involved malicious software. The malware appears to have
allowed criminal access to in-transit payment card data during
the transaction authorization process. This data is not
required to be encrypted while in transit under current payment
card industry guidelines.
We were pleased to hear the recent news about law
enforcement's efforts to investigate and prosecute the
individuals who make up the criminal syndicate that law
enforcement believes is responsible for the Heartland breach
and others like it. Albert Gonzalez, the alleged mastermind of
attacks on TJX and other retailers, including Barnes & Noble,
Office Max, and Dave & Buster's, has pled guilty to charges in
a 19-count indictment. The charges include conspiracy, wire
fraud, and aggravated identity theft. Mr. Gonzalez is also
accused of having hacked into our system, as well as that of
Hannaford Brothers, ATMs stationed at 7-Elevens, and two other
national retailers. It is reported that he was part of a team
with Eastern European criminals who have attacked a variety of
U.S. companies. We appreciate the efforts law enforcement is
making to stop these attacks and bring these criminals to
justice.
This has been a difficult experience for me and the
company. We have taken a financial charge of approximately $32
million just in the first 6 months of the year on forensics,
legal work, and other related efforts. Unfortunately, the
company is involved in inquiries, investigations, and
litigation so I cannot address in more detail the specifics of
the intrusion. But I now know that this industry needs to, and
can, do more to be better protected against the ever more
sophisticated methods used by these cyber criminals. I want to
provide the Committee with some additional information about
what Heartland is working on to try and prevent such intrusions
in the future.
Let me note two key areas where Heartland is hard at work
to enhance payment industry security.
First, industry and government can be better coordinated.
The Financial Services Information Sharing and Analysis
Center (FS-ISAC), led by Mr. Nelson, has been a great resource
to a broad range of financial services companies facing cyber
threats. However, we could benefit from greater focus on the
payment processing industry. To address the needs of payment
processors, we recently formed, within the FS-ISAC, the
Payments Processing Information Sharing Council (PPISC). The
PPISC provides a forum for sharing information about fraud,
threats, vulnerabilities, risk mitigation, and best practices.
At the PPISC, we shared with the payment industry members
the malware that we discovered had been used to victimize our
company. We did this once I learned that criminals were using
this malware to attack the entire industry. I believe that by
sharing this with others, including our industry competitors,
we can better respond to very organized attackers.
Second, as reflected in the indictments of Mr. Gonzalez, a
modus operandi frequently used by these attackers is to attempt
to steal payment card data while it is being transferred in the
clear--meaning it was not encrypted at the time. It is clear to
me that we can address this vulnerability, and our internal
technology team is now developing a possible solution we call
E3, or ``end-to-end encryption.'' I believe it is critical we
implement new technology, not just at Heartland but industry-
wide. We, at Heartland, believe we are taking the necessary
steps to do that.
Heartland is working to deploy E3 to render data unreadable
to outsiders from the point of card swipe. We plan to use
special point-of-sale terminals, with tamper-resistant security
modules to protect cryptographic secrets. We also plan to use
special tools in our processing network, hardware security
modules, to protect the cryptography associated with the card
data.
Our goal is to completely remove payment account numbers of
credit and debit cards and magnetic stripe data so that they
are never accessible in a usable format in the merchant or
processor systems. This includes expiration date, service code,
and other data. We are taking the necessary steps to implement
this E3 solution, and I want to let the Committee know where
our efforts stand.
First, we are working with various suppliers on the
technology to make E3 a reality and more ubiquitous. We are
hopeful these efforts will minimize the costs to merchants
while not inconveniencing cardholders. This is critical to a
more secure payment processing system. We are seeking partners
who will not use encryption as an opportunity to unduly profit
at our expense or the expense of our merchant customers.
Second, we believe this potential solution needs to be
implemented on an industry-wide basis. We have been working
with the Accredited Standards Committee X9 to seek adoption of
a new standard to protect cardholder data in the electronic
payments industry so all users can benefit from it. Ultimately,
the Payment Card Industry Security Council must approve this
standard, and we are hopeful it will do so.
Third, once the standards are established, we will need the
card brands and other financial institutions to cooperate and
be willing to implement on their side the encryption system our
merchants are willing to use. We have been meeting with the
card brands, and we hope we will be able to make progress on
adoption by the card brands. However, without the cooperation
of all of the card brands, some of the encrypted data would
have to be decrypted--and thereby rendered less secure--prior
to transmission to the card brands and their issuing banks. I
am hopeful that each of the card brands will ultimately accept
encrypted transactions from all payment processors.
We are working on these solutions, both technological and
cooperative, because I don't want any one else in our industry
or our customers or their customers--the consumers--to fall
victim to these cyber criminals. The attacks we face in this
country potentially can have substantial consequences, and we
can learn from our experience. While we cannot eliminate the
risk, we can make cyber theft more difficult. I look forward to
continuing to work to beat these criminals and appreciate your
help as we continue this battle.
I welcome any questions Members have about my testimony
today.
Chairman Lieberman. Thank you, Mr. Carr, for that opening
statement.
Now we will hear from William Nelson, who is President and
Chief Executive Officer of the Financial Services Information
Sharing and Analysis Center, which I have learned is known
commonly as FS-ISAC. Thanks, Mr. Nelson. I presume you will
tell us a little bit about the history of the organization.
Mr. Nelson. Yes, I will start with that.
Chairman Lieberman. Go right ahead.
TESTIMONY OF WILLIAM B. NELSON,\1\ PRESIDENT AND CHIEF
EXECUTIVE OFFICER, FINANCIAL SERVICES INFORMATION SHARING AND
ANALYSIS CENTER
Mr. Nelson. Chairman Lieberman, Ranking Member Collins, my
name is Bill Nelson, and I am the President and CEO of the FS-
ISAC. I want to thank you for this opportunity to address the
U.S. Senate Homeland Security and Governmental Affairs
Committee on this very important issue.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Nelson appears in the Appendix on
page 160.
---------------------------------------------------------------------------
The FS-ISAC was formed in 1999 in response to the 1998
Presidential Decision Directive 63 that called for the public
and private sector to work together to address cyber threats to
the Nation's critical infrastructures. After September 11,
2001, and in response to Homeland Security Presidential
Directive 7 and the Homeland Security Act, the FS-ISAC expanded
its role to encompass physical threats to our sector.
The FS-ISAC is a 501(c)6 nonprofit organization and is
funded entirely by its membership firms through dues and by
sponsors. In 2004, there were only 68 members of the FS-ISAC,
mostly larger financial services organizations. Since that time
the membership has expanded to over 4,100 organizations,
including commercial banks and credit unions of all sizes,
brokerage firms, insurance companies, payments processors, and
over 40 trade associations representing the majority of the
U.S. financial services sector.
The FS-ISAC works closely with various government agencies,
including the U.S. Department of Treasury, the Department of
Homeland Security, the Federal Reserve; our biggest partner in
law enforcement, the U.S. Secret Service; the Federal Bureau of
Investigation (FBI); the National Security Agency (NSA);
Central Intelligence Agency (CIA); State and local governments;
and other government organizations.
The overall objective of the FS-ISAC is to protect the
financial services sector against cyber and physical threats.
It acts as a trusted third party that allows members to submit
threat, vulnerability, and incident information in a trusted
manner for the good of the financial services sector. I have
provided a complete list of the FS-ISAC information-sharing
services and activities in the written testimony. I would,
however, like to mention six of them to give you an idea of how
the FS-ISAC meets the information-sharing needs of its members.
First and foremost, we provide delivery of timely,
relevant, and actionable cyber and physical e-mail alerts from
various sources through our Security Operations Center (SOC).
This SOC operation is staffed 24/7 in order to keep our
membership apprised of the latest threats, incidents, and
vulnerabilities. Obviously, the cyber criminal does not work on
a 9 to 5 schedule, and we must be constantly vigilant to
respond to their attacks.
Second, we have Subject Matter Expert committees consisting
of volunteers of our member firms. They serve on committees
that provide in-depth analyses of the risks to the sector and
recommend mitigation and remediation strategies and tactics.
Third, member surveys allow members to request information
regarding security best practices at other organizations. The
results of these surveys are then shared with the entire
membership.
Fourth, we hold regular bi-weekly threat information calls
for members to discuss the latest threats, vulnerabilities, and
incidents. And we frequently have guest speakers from
government, law enforcement--like the U.S. Secret Service--and
from other sectors that discuss risk-related subjects on these
calls.
And, five, we conduct emergency conference calls to share
information with the membership and solicit input and
collaboration. Last year, we had three emergency calls related
to cyber threats and two pertaining to physical incidents.
And, six, we routinely conduct online presentations and
have a regional outreach program to educate small to medium-
sized regional financial services firms on threats, risks, and
best practices.
A key factor in all of these activities is trust, and the
FS-ISAC works to facilitate development of trust between its
members, with other organizations in our sector and with other
sectors, and with government organizations, particularly the
law enforcement and intelligence communities.
Next I would like to briefly mention some of the public-
private sector response to the cyber crime issue. We have been
working with law enforcement, financial regulators, and our
members, and we do recognize the criminal threat to both
affected institutions and to consumer confidence, in
particular, posed by these activities, and we are taking steps
to address areas of concern.
I think the U.S. Secret Service commitment to the financial
services sector has been tremendous. They provide classified
briefings for us, and they actually have an assigned full-time
employee to our sector.
Another example of a successful instance of government-
financial services sector information sharing occurred on
October 24 of this year when the FBI, FS-ISAC, and the National
Automated Clearinghouse Association (NACHA)--a rulemaking body
for the Automated Clearinghouse Network--in case you do not
know what that is, if you have direct deposit, you participate
in the Automated Clearinghouse Network (ACH). We released a
joint bulletin concerning account takeover activities targeting
business and corporate customers. And, Senator Lieberman, you
got a lot of your information, I think, from that bulletin or
from the Washington Post that got a hold of it.
The bulletin described the methods and tools employed in
recent fraud activities against small to medium-sized
businesses that have been reported to the FBI. FS-ISAC and
NACHA subject matter expertise was applied to that FBI case
information to identify the detailed threat detection and risk
mitigation strategies for financial institutions and their
business customers. At the same time, we preserved the ongoing
integrity of those investigations.
The bulletin was distributed to the FS-ISAC, to its over
4,100 members and its 40 member associations, so we think we
were able to reach tens of thousands of financial institutions.
So we are pretty sure that the bulletin ultimately reached
nearly every financial institution in the United States.
The FS-ISAC and NACHA developed a comprehensive list of
recommendations to financial institutions to educate their
business customers on the need to use online banking services
in a secure manner. As a result of this bulletin, financial
services firms and their business and corporate customers have
become more aware of some of the online risks facing them and
how to detect malicious and criminal activities.
The FS-ISAC also works closely with other key financial
services industry groups to protect the industry and its
customers against cyber threats. My written testimony details
some of these efforts, but I would like to mention one in
particular. This year, the American Bankers Association, the
FS-ISAC, and the Financial Services Roundtable worked with the
Federal Government's General Services Administration (GSA), the
Internal Revenue Service (IRS), and the Social Security
Administration (SSA) to develop a proposal for better ID
assurance for online e-Government applications. The goal of
this effort is to leverage the ``Know Your Customer''
requirements that banks, credit unions, and other financial
services firms employ for ID proofing and turn that into a
higher level of assurance for access to online government
applications. The project is right now in its proposal phase at
present and still requires a funding commitment and more
definition around the business model and system architecture.
However, it is a great example of how the public and private
sector cooperation is beginning to progress in this important
area of online ID assurance.
From a regulatory perspective, financial regulators are
actively involved in developing regulations and supervisory
guidance and conducting focused examinations of information
security, vendor management, and business continuity controls
at financial institutions and major service providers. There
are nearly a dozen booklets covering these key cyber security
and business continuity issues in the Federal Financial
Institutions Examination Council (FFIEC) handbook.
For the last part of my testimony, I would like to cover
six broad recommendations. One is the need to improve cyber
crime law enforcement. I think our partners in the United
States are doing a great job--the U.S. Secret Service, FBI, and
others--but there needs to be better international
collaboration in particular regarding investigations and
prosecutions. Law enforcement in many cases knows the threat
actors, but in some countries, the governments and law
enforcement in those countries often protect the cyber
criminal.
Another area is that private sector firms report that some
local law enforcement agencies require minimum thresholds
before they will take the case. However, evidence indicates
that most of these types of attacks are directed at many firms
and their customers so the cumulative dollar value of the crime
committed may be many times the threshold that has been
established. I think there needs to be improved communication
at the local level between financial services firms and their
cyber crime law enforcement contacts and an understanding of
how to report these crimes so that action can be taken.
I would support Mr. Carr's recommendation also that there
needs to be stronger authentication and encryption. Financial
services firms, processors and regulators need to encourage
smart use of encryption and stronger authentication.
We also need to improve financial institution information
security programs through a flexible and dynamic approach to
cyber security.
And the fourth recommendation I came up with in the
testimony is to improve the public-private sector
collaboration. We need to expand information sharing between
government agencies and the financial services industry. As
part of that, we also need to improve the Internet
infrastructure and use Federal procurement power to improve the
security of software and hardware and services. We would
support the recommendation that Ranking Member Collins and
Senator Lieberman have come up with.
And last is education. There needs to be more public-
private sector collaboration to support educational efforts to
increase consumer and business awareness of cyber threats and
risk mitigation best practices.
In conclusion, industry, law enforcement, regulators, and
DHS have responded to cyber crime threats against financial
services firms and businesses and consumers, but more work
needs to be done, and we look forward to making continued
progress against cyber threats to our Nation. Thank you.
Chairman Lieberman. Thanks, Mr. Nelson. Just a point of
clarification. When you referred through your statement to
physical threats as well as cyber threats as a focus of your
organization, I think I know what you meant, but why don't you
clarify it for us?
Mr. Nelson. Yes. During Hurricanes Ike and Katrina, we
stood up operations to be responsive to our sector to make sure
they were aware of what was happening. We got really good
reports from DHS about where power outages were likely to
occur. In fact, they have a great predictive model for that.
We were able to provide information through some of the
credit card processors of where merchants were actually
processing transactions, so we knew where food transactions,
medicine, building supplies, and other types of key critical
information, where those transactions were processed. We
directed that to DHS and to other sources so they could
allocate resources and send people in the right place to get
what they needed.
Chairman Lieberman. That is physical threat from a natural
disaster. Do you also include in the category of physical
threat protection of physical financial services information
from physical terrorist attacks, not cyber attacks?
Mr. Nelson. Yes, we also prepare for physical terrorism. We
have services that were actually purchased for that, too. If
there is a physical attack, let us say, in London--the
underground bombings from a few years ago, we did report that.
The Mumbai attacks, we reported that within 15 minutes of them
occurring. We did not know exactly what was happening, but we
did push that information out immediately. So we did report on
that.
Chairman Lieberman. I will leave this in a minute, but what
about actually working with the financial institution? A while
ago there was a lot of concern post-September 11, 2001, that
there might be an actual physical attack on Wall Street to
create the obvious disruption that would exist. Is that
something you get involved in? For instance, with an explosive,
a suicide bomb, something of that kind.
Mr. Nelson. Yes, we would. If there is any intelligence
about that potentially occurring, we may get that from the
intelligence community. We have over 150 people in our sector
cleared for secret clearance, and, actually we are looking at
adding more for top secret clearance. So if there is some
threat intelligence about a potential physical threat, we do
pass that on. And if the attack does occur, we report that. And
we have a Business Resilience Committee that works on that.
Chairman Lieberman. How about preventively or proactively?
Are you working with member organizations to encourage them or
assist them in protecting themselves from physical attack of
that kind?
Mr. Nelson. Yes, we do. We get reports, for instance, some
of these--the protester threat, for instance, recently. There
is a G-20 meeting coming up in Pittsburgh. We have put out a
number of reports on that from a source that we have, an
international source that we got information on it, the type of
threat actors that may appear at it--some of them actually
fairly dangerous. They are not all sitting there with non-
violent type protests.
Chairman Lieberman. Right.
Mr. Nelson. There have been violent attacks in some of
these cases. So we have been able to report on that and provide
best practices on how to deal with it.
Chairman Lieberman. OK. Thanks. We will come back to that.
Michael Merritt is next, Assistant Director, Office of
Investigations, U.S. Secret Service, which is now part of the
Department of Homeland Security. Again, thanks for being here,
Mr. Merritt. Thanks for what you do every day. I hope you will
begin by explaining to anybody who is watching this why the
Secret Service is involved in this field since generally the
public sees you almost exclusively as protecting presidents,
vice presidents, and other public officials.
TESTIMONY OF MICHAEL P. MERRITT,\1\ ASSISTANT DIRECTOR, OFFICE
OF INVESTIGATIONS, U.S. SECRET SERVICE, U.S. DEPARTMENT OF
HOMELAND SECURITY
Mr. Merritt. I would be happy to. Good morning. Chairman
Lieberman, Ranking Member Collins. Thank you for the
opportunity to address this Committee on the Secret Service's
role in investigating cyber and computer-related crimes.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Merritt appears in the Appendix
on page 174.
---------------------------------------------------------------------------
While the Secret Service is perhaps best known for
protecting our Nation's leaders, we were established in 1865 to
investigate and prevent the counterfeiting of U.S. currency. As
the original guardian of the Nation's financial payment system,
the Secret Service has established a long history of protecting
American consumers, industries, and financial institutions from
fraud. Over the last 144 years, our investigative mission and
statutory authority have expanded, and today the Secret Service
is recognized worldwide for our expertise and innovative
approaches to detecting, investigating, and preventing
financial fraud.
In recent years, we have observed a significant increase in
the quality, quantity, and complexity of cyber cases targeting
financial institutions in the United States. With the advent of
technology and the Internet, a transnational ``cyber criminal''
has emerged, resulting in a marked increase in cyber and
computer-related crimes targeting private industry and other
critical infrastructures. Current trends show an increase in
network intrusions, hacking attacks, malicious software, and
account takeovers resulting in data breaches affecting every
sector of the American economy.
As the well-trained, well-equipped, and sophisticated cyber
criminals continue to target the large corporations who have
historically had more resources and assets in place to protect
their networks, the less sophisticated cyber criminals continue
their attacks against the small and medium-sized businesses
that do not have the expertise in place to protect their data.
For example, in October 2007, the Secret Service identified
a complex fraud scheme in which servers owned by a payroll
company were compromised by a network intrusion. Subsequently,
four debit card accounts belonging to a small Midwestern bank
were compromised, distributed via the Internet, and used in a
coordinated attack resulting in ATM withdrawals in excess of $5
million. The withdrawals involved 9,000 worldwide transactions
in less than 2 days, and the small bank had to file for Chapter
11 bankruptcy protection.
Following the investigative leads generated in this case,
we were able to prevent additional losses by notifying victim
companies of the intrusion and compromise, often before the
companies became aware of the illicit activity. For example,
when we discovered that the computer network of a U.S. bank had
been compromised, our prompt notification enabled the bank to
significantly reduce its exposure and avoid potential losses
exceeding $15 million. Based on these investigative efforts,
the Secret Service identified 15 compromised financial
institutions, $3 million in losses, 5,000 compromised accounts,
and prevented more than $20 million in potential losses to U.S.
financial institutions and consumers.
While cyber criminals operate in a world without borders,
the law enforcement community does not. The multi-national,
multi-jurisdictional nature of these cyber crime cases has
increased in complexity and, accordingly, increased the time
and resources needed for successful investigation and
adjudication. The anonymity, level of collaboration among cyber
criminals, and transnational nature of these crimes have raised
both the intricacy of these cases and the level of potential
harm.
To face the emerging threats posed by cyber criminals, we
have adopted an innovative, multi-faceted approach. A central
component of our capabilities for investigating cyber crime is
the Electronic Crimes Special Agent Program. Today this program
is comprised of 1,148 special agents deployed in 98 offices
throughout the world who have received training in forensic
identification and the preservation and retrieval of
electronically stored evidence. They are among the most highly
trained experts in law enforcement. Additionally, in
partnership with the Department, the State of Alabama, and the
Alabama District Attorneys Association, we have established the
National Computer Forensics Institute. The goal of this
facility is to provide State and local law enforcement,
prosecutors, and judges with the necessary training, not only
to understand cyber crime, but to respond to network intrusion
incidents and to conduct electronic crime investigations. This
program has been extremely successful, and since opening in May
2008, we have provided training to 564 State and local law
enforcement officials representing over 300 agencies from 49
States and two U.S. territories.
As cyber cases continue to increase in size, scope, and
depth, as an agency we are committed to sharing information and
resources with our law enforcement partners, academia, and the
private sector. To accomplish this, we have established 28
Electronic Crimes Task Forces (ECTFs), including the first
international task force based in Rome, Italy. Currently,
membership in our Electronic Crimes Task Forces includes nearly
300 academic partners, over 2,100 international, domestic,
Federal, State, and local law enforcement partners, and over
3,100 private sector partners. These partners, who range in
scope from companies with fewer than 20 employees to Fortune 500
companies, enjoy the resources, expertise, and advanced
research provided by the Electronic Crimes Task Forces
international network.
In addition, the network that has been established by our
ECTFs was instrumental in making the Secret Service's first
Global Cyber Security Conference last month a resounding
success. This 3-day conference was designed to share the latest
information in investigative techniques used to combat cyber
crime. The conference was attended by personnel from over 370
entities representing 11 countries.
In addition, to coordinate these investigations at the
headquarters level, we have established the Cyber Intelligence
Section to collect, analyze, and disseminate data in support of
our cyber investigations and to generate new leads. The Cyber
Intelligence Section has been instrumental in our success in
infiltrating online cyber criminal networks.
One such infiltration allowed us to initiate and conduct a
3-year investigation that eventually led to the identification
and indictment of 11 perpetrators from the United States,
Eastern Europe, and Asia. This case involved the hacking of
nine major U.S. retailers and the subsequent theft and sale of
more than 40 million credit and debit card numbers, commonly
referred to, as it has been in this forum, the TJX
investigation. The total account loss associated with this
investigation is still being assessed. However, one of the
corporate victims has already reported expenses of nearly $200
million resulting from the intrusion.
As I have highlighted in my statement, the Secret Service
has implemented a number of initiatives pertaining to cyber and
computer-related crimes. Responding to the growth in these
types of crimes and the level of sophistication these criminals
employ demands an increasing amount of resources and greater
collaboration. It is not a threat of the future. It is a
challenge being faced by law enforcement today. Accordingly, we
dedicate significant resources to increase awareness, educate
the public, provide training for law enforcement partners, and
improve investigative techniques. The Secret Service is
committed to our mission of safeguarding the Nation's critical
infrastructure and financial payment systems. We will continue
to aggressively investigate cyber and computer-related crimes
to protect consumers.
Chairman Lieberman and Ranking Member Collins, this
concludes my prepared statement. Thank you again for this
opportunity to testify on behalf of the U.S. Secret Service,
and I will be pleased to answer any questions you might have
during this session.
Chairman Lieberman. Thanks, Mr. Merritt. I must say I am
encouraged and impressed by what you have told us about all
that the Secret Service is doing. It is very good, both the
outreach here within the country to the private sector and law
enforcement, but also based on your very accurate statement
that cyber criminals do not know boundaries but law enforcement
authorities do; and, therefore, we have to create places and
perhaps institutions where the good guys can figure out how to
work across boundaries with the same speed and effect that the
cyber criminals do. So I look forward to the question period.
Our final witness on the panel is Philip Reitinger, Deputy
Under Secretary, National Protection and Programs Directorate
(NPPD) of the Department of Homeland Security. Mr. Reitinger,
we welcome you here, and really welcome you to the Department
generally, with a lot of enthusiasm and high expectations. The
Department was created out of legislation from this Committee.
We follow it closely. We feel good about a lot of the progress
being made in the Department. I personally give the Department
some good share of the credit for the fact that we have not
suffered another major terrorist attack since September 11,
2001.
But it is my conclusion also--and I am not alone--that in
this particular area of cyber security, the Department has not
moved as quickly and as effectively as it should have. So your
coming to this position is very important to a lot of us.
Everything we know about you says you have the credentials and
experience to do the job. So do not screw up. [Laughter.]
Chairman Lieberman. Go ahead, Mr. Reitinger.
TESTIMONY OF PHILIP R. REITINGER,\1\ DEPUTY UNDER SECRETARY,
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT
OF HOMELAND SECURITY
Mr. Reitinger. Thank you, Chairman Lieberman, Ranking
Member Collins. It is indeed my commitment not to screw up.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Reitinger appears in the Appendix
on page 183.
---------------------------------------------------------------------------
It is an honor to be here today to talk with the Committee.
This is my first opportunity to appear before Congress to
testify specifically on cyber-related issues, and I am very
pleased to be here today to do so.
I would like to start with the threat, if I might. I think
the Committee, the panel, and the audience know that we are
dealing with an increasingly dynamic and threatening
environment in many ways. Hacker skill is rising across the
board. Not only are the best hackers becoming better and
better; ``script kiddies,'' as we used to call them during my
law enforcement days, increasingly have more and more
sophisticated tools so that they can wreak a high degree of
damage without even knowing too much about what they are doing.
And relevant to the topic of information sharing, hackers in
some ways remain better at information sharing than we, in
government, have been. So that is an area of growth for us.
There is the general movement toward targeted attacks. Back
when I first got involved in this game, if you will, back in
the 1990s, as a line cyber prosecutor in the Computer Crime and
Intellectual Property Section at the Department of Justice
(DOJ), hackers mostly were doing things like tearing down Web
pages and putting up pictures on the DOJ Web page of a Nazi
symbol and those sorts of things that were annoying, but more
annoying than anything else. And then we went through the
period of worms where mass disruption took place, but perhaps
little lasting damage.
That is not the world we are in anymore. Hackers are after
information of value and actual money, as today's panel
indicates, and they are increasingly targeting attacks for the
places where they can get value. And that makes things more
risky.
There are other elements of our risk profile that are
continuing to go up and over which we have little control. I
call them connectivity, complexity, and criticality.
Connectivity: We are increasingly connecting all of our
systems in more and more different ways, so everybody has
always-on, high-bandwidth connections, and there are
increasingly international connections, and we are building up
this vast network that makes us all able to do more but, as the
Chairman indicated in his opening remarks, also makes us more
vulnerable.
Complexity: We are connecting more and more devices, from
smart phones to embedded devices; TVs are connected to the
Internet now. And as we put all of these different devices
together, running many different types of software, the mere
complexity of the ecosystem makes it harder and harder to
secure.
Last, criticality: We depend on this network of networks
and the machines that are connected to it every day, not only
to play, to do things like social networking, but for the basic
functions of our government and economy. And that imposes upon
us a need not to stand still.
I do believe over the last 10 years we have made progress,
but we have not made enough. We have to make more. And as the
Cyberspace Policy Review indicated, the status quo is simply
not sufficient. We all need to work together in even stronger
partnership to address the growing threats that we face and, to
echo another of the Chairman's comments, to do so at Internet
speed, not just in law enforcement, although working at
Internet speed in law enforcement is a significant problem.
When I was at the Computer Crime and Intellectual Property
Section, one of the things we did was work on negotiating the
Council of Europe Cyber Crime Convention. That was a first
step, but we need to go further to build the law enforcement
and specifically the operational relationships that are
international and will allow us to respond effectively.
I would like to highlight a couple of the things that we
are doing specifically around partnerships within DHS to
address this.
First, it is critically important that we continue to build
partnership across government. This is another area where I
think we have been effective but can grow more effective. I
well remember the very first hacker case that I did when I
first joined the Computer Crime Section back in the 1990s. I
was a DOJ prosecutor, and it was investigated by the Secret
Service. So that was then a Department of Treasury-Department
of Justice collaboration. We started there. We have continued
to grow, and we are in a place now where people have come into
positions across the Federal Government. I think we have put a
strong team together not only in DHS but in multiple government
agencies so that we can work very effectively together.
In DHS, we are working very hard to continue to up our game
and build our capabilities. I am perhaps most focused on the
people part of this because I am a big believer that
organizations fail or succeed based on the people that they
have. I have some great people and an awesome team, but I do
not have enough of them. I am in the process of trying to grow
the National Cyber Security Division. It now has about 111
people on board as of last week, and we want to grow it to 260
people next year. So that is a heavy lift in government, but we
are committed to doing our best to fulfill it.
We also need to continue to work better and faster and more
effectively with the private sector. I have seen this from both
sides. I started in the Department of Justice. I worked for the
Department of Defense. I spent about 6 years in the private
sector where I had the honor of being the President of the
Information Technology Information Sharing and Analysis Center
(IT-ISAC), a companion organization to the FS-ISAC, before I
joined DHS again earlier this year. And I have seen incredible
commitment from people in both the private sector and public
sector. I believe we have a real opportunity here. And we have
built partnerships, but there is a lot more to do.
In particular, we have built the ways to work together. We
have built the framework to work together. Now we need to drive
toward outcomes. We need to worry less about having a
partnership and more about what we can achieve with the
partnership. So let me highlight a few quick examples of some
of the things that I think we need to focus on for the coming
few months.
The first is the National Cyber Incident Response Plan.
This was called for in the President's Cyberspace Policy
Review. It may sound kind of highfalutin' and sort of meta, but
it is actually not. The idea is that we need, if something bad
happens, a mechanism, a very actionable way for all of the
relevant government agencies and all of the different entities
across the private sector to come together as one Nation--not
one government, not one sector, but one Nation to respond to
the incident. And we kicked off that process as called for in
the Cyberspace Policy Review. It is a broad process, and we are
doing this differently than is the traditional government
process.
The traditional process is you get together, you talk and
talk and talk, and when it is 99 percent done, you go to the
private sector, and you say, ``What do you think about it?'' Or
maybe when it is 100 percent done, you ask them for comments.
We are not doing that. We have invited the private sector to
the table at the very start so that they can help build the
foundations of that plan.
Associated with it is the second thing. The private sector
has recommended to us for some time that we need to integrate
our cyber and communications watch capabilities so we can work
together effectively. We are doing that. We are moving towards
an integrated watch floor that will combine DHS's different
cyber watch centers, like the National Coordinating Center
(NCC), which is focused on telecommunications; U.S. Computer
Emergency Readiness Team (US-CERT), which is focused on IT; and
the National Cyber Security Center, which is focused across
government. They will be collocated at the same site and able to
work together effectively across government and with the
private sector, growing our relationship with the private
sector and with State, local, tribal, and territorial
governments, so we have the organizational mechanisms,
partnerships, and trusted relationships to let us implement
that Cyber Incident Response Plan process and also work
together more actively to mitigate incidents before they become
full-blown incidents. We are going to test those processes next
year as they get developed in the Cyber Storm II exercise
currently scheduled for September 2010.
We will also be in the process over the next year of
launching a new and more significant national awareness
campaign. We know mostly how to protect systems. Technology is
not the barrier. What we need is to get the word out there and
to raise the awareness, among other things, of end users and
some of these small and local businesses, of how they can
protect themselves, the simple steps that they can take, and
what the threat looks like. So we are committed to doing that.
I am going to drop a quick footnote that the two private
sector members of the panel early on noted the importance of
authentication. I would emphasize that we need to do that. The
President's Cyberspace Policy Review called for the creation of
a Cyber Identity Management Strategy. There is little that we
could do that would be more effective to help people protect
themselves than to implement strong authentication mechanisms
that are available for people's use with privacy built in from
the very start. That would enable much better self-protection.
In conclusion, I would say that I think we are at a moment
in time when we can really make a difference. We have the right
focus across government and with the private sector. We have
leadership commitment from the President, and certainly from my
secretary and deputy secretary, and the right people coming
into key positions in the private sector. I think we can make a
real difference as a community.
With that, I look forward to your questions. Thank you.
Chairman Lieberman. Thanks very much, Mr. Reitinger. I
appreciate both the substance and the spirit of your opening
statement.
Let us start with 7-minute rounds for Senator Collins and
myself.
I am fascinated by the global nature of cyber crime. I am
curious if we know, in this case of Mr. Gonzalez, how did he
connect with the Eastern European gangs that he presumably was
working with in the cyber crimes? Mr. Merritt, do you have that
answer?
Mr. Merritt. Yes, sir. Let me put it in perspective. We
have talked about compromise today and the exfiltration of
proprietary information, such as credit and debit card
information from financial and banking institutions. Here is
where they end up. They end up in what we call ``carding
portals,'' or ``carding websites.'' The best description, in
the short time we have today, is that the carding portals are
to the criminals what Craigslist and eBay are to law-abiding
citizens.
On these carding portals, you can find anything you need.
People that, in fact, have intruded in these companies and
exfiltrated credit and debit card information are posting the
information there for sale.
Chairman Lieberman. In other words, it is a Web site,
basically.
Mr. Merritt. It is a Web site. What happens in these
loosely held criminal hierarchies is that, through reputation,
you have people who, in fact, successfully hack into companies
and then sell their wares on these Web sites. They do not know
each other personally, Mr. Chairman. They know each other by
their nicknames on these Web sites, and they conduct business
without knowing who they are. You might have some that are
involved in recruiting, some that are selling their own
services, or specialty services, such as hacking or phishing.
That is where they meet each other.
So when you say, do they meet each other in a physical
complex of the traditional type crime, no, sir. They are known
to each other through these various nicknames on carding
portals. In these cases, which are transnational in nature,
that is how they are able to effectively communicate via the
Internet without actually knowing who they are or even where
they reside.
Chairman Lieberman. That is really astounding, but also
absolutely predictable when you think about it. I will leave it
to you how much you want to say since we know they are meeting
in these portals for criminal purposes--law enforcement
attempts to find its way into those portals, just as if you
knew that organized crime figures were meeting at a particular
restaurant regularly, or using a particular pay phone, you
would find a way to tap that phone or be present in that
restaurant.
Mr. Merritt. I would like to comment at some point in time
about what Mr. Nelson said about the involvement of foreign law
enforcement because it is an integral component of our success
in being able to investigate these types of cases. I will give
you a good example of a success story that we had in 2005 about
one such carding portal. It was called ShadowCrew.com. It had
over 4,400 members. And what we were able to do----
Chairman Lieberman. Let me just stop you a minute. Do you
have to pay a fee or have a password to get into the portal?
Mr. Merritt. You have to have your standing in the criminal
community authenticated by other criminals. You cannot just log
on. They have to verify that either you have successfully
hacked into a company and you have an authorized access code to
buy or sell. But, just like in the old criminal scheme that you
mentioned at a restaurant, somebody has to vouch for your
authenticity as far as being part of the criminal world. We, in
here, could not access--and I hope no one here is going to try.
We would not access these Web sites since they are only for
criminals who are known to each other.
However, in 2005, we successfully conducted an online
undercover operation for about 2 years, and were the first
Federal law enforcement agency in the United States to actually
initiate a Title III on a network. We gained control of this
network.
Chairman Lieberman. Just define a Title III for a moment.
Mr. Merritt. Yes, sir. A Title III, in other words--without
the criminals knowing--we were eavesdropping, for lack of a
better word, on this criminal server, collecting criminal
intelligence, and trying to identify the main players on this
particular Web site.
We were fortunate. We effected 28 arrests, with six of
those arrests being overseas. Essentially, we shut down that
Web site, and shut down that server. We learned a lot of
lessons: One, just as Mr. Carr mentioned that he encrypts his
information, criminals are now encrypting their information,
and hard drives, which makes it more difficult for law
enforcement to, in fact, obtain that electronic or digital
evidence.
They have also come up with a technology, that at the push
of a button or even remotely, they are able to destroy the
evidence on their hard drives. So I think a grand kudo for the
investigation, is that we effected 28 arrests simultaneously
because all it would have taken would have been for one
criminal member in the organization to send out an e-mail to
notify the rest and that digital evidence would have been
destroyed. This is a critical component of our ability to
investigate and prosecute these types of cases.
There are about 10 or 12 major carding portals in the world
now, and we have shown that we do have success. Despite the
anonymity that one presumably has on the Internet, we have
dispelled that myth. But it is mind-blowing, so to speak, that
these carding portals exist.
Chairman Lieberman. Yes, it really is--so mind-blowing that
I forgot my next question. [Laughter.]
Mr. Merritt. Well, you know what? If you do not mind, Mr.
Nelson mentioned that one of the challenges we face is the
anonymity of these criminals, Mr. Chairman. It is cumbersome
and laborious to identify who they are. More often than not,
what we experience here in the United States is that many of
the intrusions targeting our banking and financial
infrastructures, our retailers, and our databases originate
overseas. That is where the level of interaction with foreign
law enforcement sometimes varies. Different countries have
different levels of ability to investigate these types of
crimes. Some countries, quite frankly, lack legislation which
allows their investigators to prosecute these types of crimes.
He mentioned the corruption level. That is true. In different
countries, one can have a very loose or, in some cases, direct
affiliation between the government and some of these hackers.
Chairman Lieberman. Yes, I was going to ask Mr. Nelson
about that. But I am regaining my balance. I remember, and the
question was this: Is there evidence the traditional organized
crime syndicates, families, whatever, are involved now in cyber
crime?
Mr. Merritt. When you say ``traditional,'' it has been our
experience that, unlike the traditional Cosa Nostras that we
had years ago, there is organized crime, but it is a loosely
held hierarchy because they do not know each other personally.
Chairman Lieberman. And it is a different operation. It is
not out of an existing organized crime family here in the
United States that had a territory that it controlled for
gambling and drug----
Mr. Merritt. No, sir. You are correct.
Chairman Lieberman. This is new. In a sense, these are new
organized cyber crime operations.
Mr. Merritt. Absolutely. You might have a hacker who is
renowned for his or her specialty in the Ukraine. You might
have a carder who sits in the Baltics and somebody that
organizes these people, who sits in Russia. So it is a loosely
held hierarchy within the criminal underworld. But they do not
necessarily know each other's identity, if that helps, sir.
Chairman Lieberman. Well, it does, and it obviously
complicates the job of law enforcement in trying to find them
and break it up.
Mr. Merritt. Yes, sir.
Chairman Lieberman. My time is up. Senator Collins.
Senator Collins. Thank you.
Mr. Carr, in looking at the indictment of the individual
who was involved in the computer theft from Heartland, 7-Eleven,
and Hannaford, I was astounded at what a long period
elapsed where these hackers were able to steal the credit card
numbers and debit card numbers. According to the indictment,
they operated from between October 2006 to May 2008. That is
more than a year and a half.
So explain to me how a breach of that magnitude could go
undetected for so long.
Mr. Carr. The way breaches are normally detected is that
fraudulent use of cards is determined, and there was no hint of
fraudulent use of cards that came to our attention until
towards the end of 2008.
Senator Collins. But are there no computer programs that
one can use to check to see if an intrusion has occurred?
Mr. Carr. There are, but the cyber criminals are very good
at masking themselves, and we formed the Payment Processors
Information Sharing Council with Mr. Nelson primarily so that
the payment processors could share that information. And, in
fact, at our May meeting, we did distribute the actual malware
that was used at Heartland and we believe other businesses. And
at our meeting last week we updated that, and there were three
additional malware attacks that had been found since May that
one of our constituents had passed out to the membership as
well.
So being able to scan systems to know what the malware is,
you have to know something about the attack vector, and you
have to know something about the malware to find it. All of us
in this, we go through annual assessments, but the bad guys are
working together to try to get around all those assessments.
Senator Collins. But it is my understanding that in this
case all of the players met the current standards for cyber
security. Is that correct? The voluntary industry-based
standards?
Mr. Carr. We passed; we were certified to be compliant with
the standards on April 30, 2008.
Senator Collins. So what does that tell us about the
standards?
Mr. Carr. Well, the standards are good standards. They are
necessary. But some of us believe that an enhanced security is
possible. A number of years ago, the U.S. Mint decided that it
was too easy to counterfeit the old bills and upgraded the
technology of the currency. And 30 years ago, when the magnetic
stripe was invented, it was invented with the card number in
the clear on the stripe. And the systems were all developed to
process that magnetic stripe in the clear.
We think it is time for that data to be encrypted so that
merchants never have those card numbers in their system and the
processors never have that card number in their system either.
Senator Collins. Because it would be encrypted from the
point of sale to the processor before going to the credit card
company?
Mr. Carr. Correct, and throughout the entire system.
Senator Collins. Is it typical when a consumer uses a
credit card at a retailer that it goes first to an entity like
Heartland? I was under the impression that it went directly to
Visa or MasterCard or to the bank.
Mr. Carr. Yes, when the card is swiped, it goes either into
a gateway that goes to a processor, or it goes directly to the
processor, and the banks hire companies like Heartland to be
the gateways and the processing entities for the authorizations
and the capture and settlement of that information.
Senator Collins. So is the problem in this case the lack of
encryption between the retailer and the processing entity or
the processing entity and the ultimate credit card company?
Mr. Carr. There are actually five--without getting too
technical, we think there are five zones of encryption. The
first zone is from the moment that card is swiped until it gets
into the gateway or into the processing system. And merchants
would like to have those card numbers encrypted during that
zone because then they would not have that data that could be
taken.
Zone two is in the processing network. Zone three is in the
computer systems of the processing network. Zone four is data
at rest, which is part of the requirements today that all that
data be encrypted. And I think the industry has done a good job
of implementing that. And then zone five is to the card brands
and the issuing institutions as well.
So it is good to have each one of those zones encrypted,
but the best is to have them all done, and that is what we are
trying to adopt through the various work that we are doing.
Senator Collins. Mr. Nelson, when a retailer is the victim
of a computer theft scheme like this, do retailers know whom to
go to in the government?
Mr. Nelson. I am actually going to defer that to Mr. Carr.
Senator Collins. Maybe I will go back to Mr. Carr.
Mr. Nelson. That is more his bailiwick.
Mr. Carr. Do the retailers know what law enforcement to go
to?
Senator Collins. Yes.
Mr. Carr. I think the larger the merchant is, the more
likely it is that they know. But I think we could do a better
job of educating all of our merchants about what process they
should go through once they are hacked. And, fortunately, Mr.
Nelson has agreed to--we have set up a new classification of
membership in our organization that will allow members to learn
that kind of information.
Mr. Nelson. Yes, I met with the National Retail Federation
in June to discuss how we could do more together, and I think
there really is not a 24/7 operation in the retail community,
which is an important part of this. We need to make sure they
are a part of this group and maybe have a link to them, even
through our organization.
Senator Collins. To whom do they go?
Mr. Nelson. The National Retail Federation has a risk
committee, but it is more a 9 to 5 staff that shares some
e-mails.
Senator Collins. Exactly my point. I mean, Mr. Merritt has
told us of the Secret Service's success in carrying off this
simultaneous arrest of 20 individuals and the fact that the
operation could have been blown with just one e-mail being sent
out.
Well, similarly, when a retailer learns that it has been
the subject of a computer breach, time is of the essence. I was
shocked to learn that in the Hannaford case, which involved
other retailers as well, a year and a half went by when these
breaches were occurring. So part of the problem here is that
once a breach is discovered, I do not think there is an
understanding of to whom you go. Do you call the local police?
Do you call the Secret Service? Do you call your trade
association? Do you call the local district attorney? What do
you do? To whom do you go?
Mr. Nelson. We have done a pretty good job in our sector
getting the banks to call us, but I think we really need to do
a better job reaching out to the retailer community. Again,
they are not part of our FS-ISAC. Can we make them part of it?
And that is what Mr. Carr has been pushing for, and my Chairman
has actually been pushing for that, too. So I think we are
going to start looking at that.
Some of the attack signatures that were shared last week,
we need to get that out to the retailers, too.
Senator Collins. Just the answers here--and I appreciate
very much the hard work that all of you on this panel are
doing, but the lack of clarity to answer that basic question is
troubling to me because if a large retailer is uncertain who to
go to, think what it is like for a small business. I think we
need far more clarity in answering that question because it is
going to be a lot easier for the business community if there is
a single source to go to, and also if it is clear who could
help you prevent a breach in the first place.
Mr. Nelson. I think Mr. Reitinger's suggestion for a joint
operations center where you have private sector and public
sector people collocated and that is the source you go to, I
think we need to get moving on that.
Mr. Reitinger. If I might, ma'am.
Senator Collins. I know I have exceeded my time, and I
apologize, Mr. Chairman.
Chairman Lieberman. Go right ahead. No problem.
Senator Collins. Mr. Reitinger.
Mr. Reitinger. Thank you, ma'am. There are a lot of
resources out there to help businesses to know to whom to
report cyber crime. My recollection is both the FBI and the
Secret Service list that on their Web pages. We have
information on our Web pages on to whom to report, as does the
Department of Justice.
I am not so sure that it is bad that there is a diversity
of places to report as long as the resources are available to
follow up and investigate. There is also the Internet Crime
Complaint Center, which is, I think, driven by the FBI.
So there are many resources that can be brought to bear.
One of the things that we definitely need to do is do a better
job on awareness: Get the word out there and then make sure we
have the mechanisms for exchanging data and for law enforcement
to work together so the case can be most appropriately
addressed and followed up.
Senator Collins. Thank you. I still think there is a lack
of clarity here. After all, the Federal Trade Commission (FTC)
is involved to some extent; the Secret Service is involved; the
FBI is involved; the Department of Homeland Security's
Infrastructure Protection Division is involved; and State and
local law enforcement are involved.
Mr. Nelson. Just to support your argument a little bit
more, I think if you go to local law enforcement, sometimes
they will not take the case because it does not meet a certain
threshold. Let us say it is $100,000. But that particular
attack might have been coming from the same entity in some
Eastern European country, and they are attacking hundreds of
different companies. So, cumulatively, it might be a
multi-million-dollar attack. That is the issue.
Senator Collins. That is exactly the issue because what may
seem to be an isolated attack affecting one business in one
State may, in fact, be part of a network of attacks on several
different businesses. And we need to have a way to look for
those patterns.
Mr. Carr. Senator, I think the stakeholders in the industry
would all agree with you. How can that be done?
Senator Collins. Right.
Mr. Carr. How can that be communicated and so on? And I
think that is a challenge we have to resolve.
Senator Collins. Thank you. My apologies.
Chairman Lieberman. Oh, not at all. I appreciate the line
of questioning.
Mr. Nelson, in your statement you mentioned the alert sent
out by FS-ISAC on August 24 that listed several best practices
and recommended controls for companies. I think it is important
to note the public-private collaboration that went into issuing
that August 24 alert.
As I understand it, it was the first time that the FBI
actually brought private sector representatives into their
offices and showed you raw intelligence on a threat impacting
your sector and asked for your assistance in determining
protective recommendations for industry.
I want to follow up on that first by asking you, Mr.
Reitinger, this question: Does DHS issue best practices for the
various sectors at this point? And if not, do you intend to? If
so, are there ways to measure the success of those
recommendations, that is, the degree of implementation or
follow-up by people receiving those notices?
Mr. Reitinger. I would not say, sir, that it is a set of
specific practices that are issued sector by sector. We issue
broad guidance from the general how to protect yourself down to
the very specific technical alerts that US-CERT regularly
produces. So far this year, we have produced over 40 specific
products, and our products are available--at least our general
products are available on our Web page, including cyber
security tips for businesses, how to protect the workplace,
those sorts of items.
We also work very closely with the private sector to
produce specific incident-related guidance. For example, when
the distributed denial-of-service attacks were launched around
July 4 of this year, US-CERT worked very closely with our
partners in government and industry and produced two distinct
products: A Federal information notice that provided
information on the attacks and advice on mitigations to the
government; and a critical infrastructure information notice
that similarly went in a non-public way to key private sector
entities throughout the infrastructure, including all of the
ISACs.
So, in general, we do produce the products. We also work
broadly with the sectors and broadly across the sectors in the
cyber security cross-sector working group, which is one way
under the National Infrastructure Protection framework that we
address cyber security horizontally across all the sectors.
With regard to measuring implementation, as I think both of
the Senators' comments indicated early on, metrics are an area
of growth, I think, for us, generally. By ``us,'' I mean not
just DHS, although I include DHS in that. But in cyber
security, judging what works and what does not work is very
difficult to do.
So, for example, Senator Collins spoke about the fact that
we need to use the procurement power to increase the security
of hardware and software that is bought. I could not agree
more. But we also need better ways to judge what software is
secure so that we can have an effective regime because good
metrics drive good behavior and bad metrics drive bad behavior.
Similarly, we need better metrics about what security practices
work effectively and do not work effectively.
I think our ability in DHS, to return to your question,
Senator, to judge how broadly our recommendations are
implemented is an area that we need to grow, but have not fully
developed yet.
Chairman Lieberman. So that is a priority for you as you go
forward.
Mr. Reitinger. Yes, sir.
Chairman Lieberman. In your testimony, Mr. Reitinger, you
stated that DHS is building an integrated cyber security and
communications watch floor that you expect to be operational
before the end of this year, and I think that is a very good
development, and I thank you for it and I hope you will push it
forward.
I wanted to ask you two things about that, if you could
provide, to the extent that you are able, more information
about the Department's plans in that regard. But also, building
on this line of questioning, do you expect robust private
sector participation on the cyber side when this watch floor is
completed?
Mr. Reitinger. Yes, sir. The watch floor is in development
right now. If you were to travel to our Glebe Road facility,
you would see a lot of people doing demolition and building,
and I would welcome your presence there. We believe it will
open substantially before the end of the year, and the
processes for how it will work are under development right now.
With regard to your second question about private sector
participation, we already have private sector participation,
particularly through the National Coordinating Center, which
has a number of telecommunications representatives that are
physically present within DHS space and others who are
virtually present on a regular basis. We intend to grow from
that core broader private sector participation and State and
local participation.
Chairman Lieberman. Good.
Mr. Reitinger. Because it is absolutely essential that we
be able in certain cases to work together, as I like to say,
breathing the same air to build the trusted relationships, and
be able to work together virtually so we have a full,
one-nation incident response organization.
Chairman Lieberman. That is great to hear. I think one of
the most significant recommendations of the 9/11 Commission,
which I am proud that our Committee played an active role in
implementing, was the creation of the National Counterterrorism
Center, and it is really--appropriately, I suppose--one of the
unsung heroes of defense of our homeland security. Even in the
cyber age, there is something to be said for having people
working on the same problem trying to defend the country from
the same kinds of threats, breathing the same air, because
there is natural interaction that goes on. So I am pleased to
hear about that.
Will the watch floor be under the National Cyber Security
Division?
Mr. Reitinger. It will be in the spaces of cyber security
and communications, but it will include US-CERT, which is part
of the National Cyber Security Division (NCSD)----
Chairman Lieberman. Right.
Mr. Reitinger [continuing]. And the National Coordinating
Center, which is a part of the National Communications System,
but also a part of the Office of Cyber Security and
Communications (CSC), and it will also include the National
Cyber Security Center. I am also the Director of that. It is
not a part of CSC or the National Protection and Programs
Directorate. In my capacity as the Director, I report directly
to the Secretary of Homeland Security. The National Cyber
Security Center has the mission to coordinate and drive common
situational awareness across all of the high-value watch
centers for cyber across the Federal Government, and all of
those pieces will be collocated.
Chairman Lieberman. That is the key. I mean, as you were
describing the acronyms and what they stand for, it began to
sound like a very complicated organizational chart. And maybe
there is a good reason for every one of those organizations,
but the key, as we have found, is to make sure they are all
working together and they are not getting stovepiped.
Let me ask a final question along this line going back to
the August 24 alert sent out by FS-ISAC. There were some real
interesting recommendations in there, I thought, among other
things one that recommended that people never access bank,
brokerage, or financial services information at Internet cafes
or public libraries.
Mr. Nelson, or anyone else on the panel, but we will start
with you, is this advice that every American should be
following? And if so, why?
Mr. Nelson. Yes, because the information that you key into
that computer in a public library or Internet cafe can be kept
there. So when you are keying in your user ID and password, a
user could subsequently steal it, or they may have put some
malware on that computer that you are not aware of, and then
they have access to your banking account.
Chairman Lieberman. I hope people are listening. Senator
Collins.
Senator Collins. Thank you, Mr. Chairman.
Mr. Reitinger, you brought up the issue of using the
Federal Government's procurement power to persuade vendors to
deliver safer IT systems, and we had testimony at our April
hearing on just this issue from the Director of Research for
the SANS Institute. He pointed out that when that is done, the
cost of the security software falls dramatically. He cited an
example of some encryption software that costs $243 on the
retail level, and the Department of Agriculture was able to
purchase it for $12, and DOD for less than $6 per copy because
of the large volume.
More to the point, however, is this expert's assertion
that, despite Federal acquisition rules that require security
to be baked into procurements at the beginning, most times it
is not, and that there are no penalties or even checks to ensure
that security is part of the acquisition process.
What is DHS doing to ensure that security is part of the
computer acquisition process?
Mr. Reitinger. Yes, ma'am, I would be glad to talk about
that. We have a special software assurance effort that is being
driven out of the National Cyber Security Division which
includes both a Software Assurance Forum where best practices
are developed, industry talks to industry and industry talks to
government, work is done around building the business case to
help companies understand what they need to do or ought to do
for secure development, and work is done on things such as
acquisitions.
We also have a Web site called the ``Build Security In''
Web site that helps to disseminate those best practices more
broadly and explain how secure development can be done.
I think in the long term this is an area for growth. It is
still too difficult, despite everyone's best work, to know
whether software is developed securely or not. So one could say
in an acquisition, ``Thou shalt only buy securely developed
software,'' but actually specifying that is hard. A lot of work
has been done, including recently some private sector groups
have developed guidelines for what that might mean, but the
evaluation regimes that we have for software remain somewhat
rudimentary in terms of their ability to judge that, including
the common criteria, which is an international standard which
gives a thumbs up or thumbs down for software, which focuses
more on the implementation of security features in the
software, as opposed to whether the software was developed
securely and its overall security.
So there is a lot of work to be done here, both in terms of
raising awareness with companies, in terms of figuring out what
is securely developed or not securely developed and how to
specify that in acquisitions, and then the research and
development around how one could develop software more securely
which could benefit the entire ecosystem.
Senator Collins. And, of course, it never ends because the
criminals become more innovative and defeat the security
software, which is why it is difficult to mandate specific
standards. You have to constantly share best practices, but the
technology is going to continually evolve and the criminals are
going to continually try to defeat it.
Let me in my final question just ask you about a specific
example that was brought to my attention recently by the CEO of
a technology company, who was very concerned that there is a
lack of a coherent cyber security policy at the Federal
Government, particularly in the civilian agencies. DOD is a
whole different animal in this case, as is so frequently the
case. He cited a recent Request for Proposal (RFP) from the
Social Security Administration as an example of his concern
about the current inadequacy of the Federal Government related
to cyber security.
The Social Security Administration had issued an RFP for a
platform that would allow Social Security beneficiaries to
access their accounts online and to make adjustments online,
such as address changes. He believes that, as drafted, the RFP
is highly likely to produce a platform that would make the
users vulnerable to spoofing--that is, directing users
unknowingly to false Web sites--and that the Social Security
Administration would lose millions in just the first month as
hackers direct payments elsewhere.
Now, I do not know if this individual's assessment is
correct, but it really concerns me that this individual, who is
a technology expert, has reviewed this RFP and concluded that
the systems to be procured will be highly vulnerable. So what
do we do in a situation like this? And how can we get civilian
agencies within the government to recognize that they are the
container of personal data that, if it is breached, will cause
great harm? We have seen example after example--such as the
sizeable breach of the Department of Veterans Affairs records a
couple years ago.
Mr. Reitinger. So let me answer this in two parts, if I
could, ma'am. First, obviously--and I cannot speak to that RFP.
I apologize. I have not read it.
Senator Collins. Right. I did not expect you to be able to.
Mr. Reitinger. But we do need generally to continue to
raise awareness not just with the private sector but with our
partners across government, because we are in sort of a
generational hump, if you will--we did not all grow up working
with computers and understanding computer security, much like
we all grew up understanding cars and how to drive cars. So we
have to get through this period and make sure that we raise
awareness broadly throughout the Federal Government, including
among those doing acquisitions.
I do believe we have a Federal Government cyber security
strategy. We have the 2003 National Strategy, and then the
Comprehensive National Cybersecurity Initiative (CNCI), as
recently expanded upon and developed by the Cyberspace Policy
Review, which is going to lead to a revised new national
strategy. But we have focus and we have a way that we are
moving forward.
Specifically around the question that you raise in terms of
access to personal data, it is a difficult problem because
right now people are accessing systems, whether private or
government, with a set of computers that they find very difficult
to secure, and using a set of methods to authenticate
themselves that are subject to theft.
In the mid- to long-term, we need to move to an environment
where no one uses user names and passwords to access sensitive
data like personally identifiable information, where one has
readily available stronger authentication means, like
certificates or tokens or whatever is used, to access data
where it is much harder to steal that credential. That will
enable great protection in the ecosystem. It will make it
harder to steal people's personally identifiable information.
And it will make theft of personally identifiable information
less valuable because you will not be able to actually take a
person's user name and password, or phish it, and then use it
against them. You would actually have to take something else.
That is called for in the Cyberspace Policy Review, and it
is related to some of the comments that my private sector
colleagues made earlier.
Senator Collins. Thank you. Thank you, Mr. Chairman.
Chairman Lieberman. Senator Collins, thank you. Just a few
more questions.
Mr. Carr, going back to the case that you unfortunately
went through, we know that your system was compromised in the
sense that, you might say, the front door was knocked down, the
cyber criminals got inside the system. There were 130 million
accounts that were vulnerable. I presume that a certain number
of people involved complained to their credit card companies or
the merchants and said, ``Hey, I did not buy this, and it is on
my bill.'' Do you have any idea at this point of the scope of
the loss, either in dollar terms or how many people were
affected? Or is it too soon to say?
Mr. Carr. It is too soon to say. We know that we have
charged off on our profit and loss statement $32 million.
Chairman Lieberman. Say that again? I am sorry.
Mr. Carr. $32 million.
Chairman Lieberman. That you charged off?
Mr. Carr. That we have had to expend to deal with this
breach.
Chairman Lieberman. In other words, to reimburse people?
Mr. Carr. No--well, part of that could be deemed to be part
of that. We do not know the extent of the fraud that was
involved at this point. We do not know how many card numbers
exactly were compromised.
Chairman Lieberman. Right. What was the $32 million for?
Mr. Carr. That was for forensics work, for legal work, and
for potential settlements of some of the claims.
Chairman Lieberman. People complaining about what they take
to be unwarranted charges on their cards, would that
information come to you? Or is it more likely to come to the
credit card company?
Mr. Carr. It comes to the issuing bank and----
Chairman Lieberman. Yes, because most people do not know
about you.
Mr. Carr. Correct.
Chairman Lieberman. And then they get back to you, I take
it?
Mr. Carr. Right. We are in that process today.
Chairman Lieberman. So at this point, would you say that
the number of accounts compromised was small or medium or
large? I know you cannot say exactly.
Mr. Carr. It is a significant compromise, but we do not
know to what extent.
Chairman Lieberman. In your testimony, you also say that
Federal law enforcement was very helpful to Heartland in this
process, and I just wanted to ask you to expand on that
comment. What kind of assistance did you receive from which
agencies?
Mr. Carr. Well, the Secret Service was at our meeting last
week and provided some really good information to the members,
and we have met with DHS people who have offered to help
provide us and our industry some monitoring tools for the
security of our computers through some technology that was paid
for by the government that is being made available to private
industry.
Chairman Lieberman. I appreciate hearing that. As you look
back--and I know you have done some work on this and have been
spreading the story throughout your business area--what are
some of the things you wish you had done, having seen this
attack?
Mr. Carr. Well, I wish we had gotten together with our
industry and shared information more quickly because by
learning how these bad guys attack others, we would have
learned a lot at that point. I wish we had done that earlier.
Chairman Lieberman. Mr. Merritt, let me ask you, and then
if anyone else wants to get into this, do you think there is a
need for amendment of existing criminal laws or adoption of new
criminal laws to facilitate the charging or even investigation,
but particularly the charging of cyber criminals? Or are you
able to operate in this new area within the general parameters
of existing criminal law?
Mr. Merritt. No, sir. In my opinion, we have the necessary
statutory authority given to us by Congress to investigate
these types of crimes and in my written statement, Title 18 of
the U.S. Code, Sections 1028, 1029, 1030----
Chairman Lieberman. Right.
Mr. Merritt. Those are all sufficient to allow us to carry
out our responsibility.
Chairman Lieberman. The other part of my question goes a
bit beyond your role in the process, and we should and will be
talking to the Department of Justice about this. But just from
your experience, is it your sense that once you turn cases
over, as it were, to the prosecutors, they have enough within
existing criminal law to proceed to prosecute these cases?
Mr. Merritt. We have been fully supported by U.S. Attorneys
across the Nation, sir, and specifically Mr. Reitinger
mentioned he was a part of them before the Computer Crimes and
Intellectual Property Section (CCIPS). We have been very
satisfied. I think they have been, too. I would defer to them
to see if they are having some issues as far as their authority
to prosecute these types of cases. But we have had very good
luck, sir. Thank you.
Chairman Lieberman. Thank you.
Mr. Reitinger, as part of your quite remarkable background
in preparation for this job, you have had this prosecutorial
experience. What is your sense of whether the criminal laws
need updating to meet this challenge or whether they are
adequate in their current status?
Mr. Reitinger. With apologies, sir, I have been out of that
part of the job since I left the Justice Department and went to
the Department of Defense back in 2001. So I would defer to my
expert colleagues at the Secret Service and the Department of
Justice.
Chairman Lieberman. We will talk to them.
Let me ask you a question that I want you all to think
about, and we will be in touch with you as we proceed to
legislation. I will start with you, Mr. Reitinger, if you have
any thoughts now about what are some of the constructive--if
you think there are any--things we can do by way of legislation
to help you better do your job or carry out your responsibility
with regard to cyber security.
Mr. Reitinger. Sir, I do not have any specific requests to
make at this time. Obviously, as I gain my experience in this
job, I am learning more about what is required and where the
shortfalls, if any, may be. I look forward to continuing to
work with you and your staff and the Committee staff on those
issues.
Chairman Lieberman. Good. Mr. Merritt, any thoughts there?
Mr. Merritt. Sir, we are aware of several pending pieces of
data privacy legislation that Congress is considering in the
different committees, that would encourage private industry,
when they have been intruded upon, to report those intrusions.
We have been very supportive when committees have asked us for
any advice, and we will continue to do so.
Chairman Lieberman. Good. Any legislation or other action
by Congress that might facilitate this process we talked about
earlier of moving ahead with international cooperation in the
investigation and prosecution of cyber crime?
Mr. Merritt. Mr. Chairman, it is very hard for Congress to
implement that type of legislation or law overseas. I think one
must rely on personal and professional relationships that we
and other law enforcement entities are able to establish with
our foreign counterparts.
Chairman Lieberman. Are you working with the State
Department--or, Mr. Reitinger, let me ask you--in regard to
this? In other words, has the development of international
conventions, treaties, or working groups to deal with cyber
crime become now an element of our foreign policy?
Mr. Reitinger. Well, sir, I think it has been for some
time. The Council of Europe Cyber Crime Convention was
groundbreaking when it was first developed as the first major
convention dealing specifically with cyber in that sense, and I
think all of us were greatly pleased when the Senate chose to
ratify it. And that has, I think, enabled a much greater degree
in terms of international collaboration.
We are actively involved in the Department of Homeland
Security in building relationships with our international
partners and are hosting a conference, the Meridian Conference
in October of this year, where a number of key players will be
coming in, as well as working to develop non-law enforcement
operational relationships.
Finally, I would say that the Cyberspace Policy Review
specifically talked about the need to build international
frameworks, and the National Security Telecommunications
Advisory Committee produced a report, I believe last year, on
the need for a broader international framework around cyber.
And so I think it is a subject of focus. There is a lot of
work that remains to be done under the overall leadership of
the Department of State.
Chairman Lieberman. While I have the two of you here, I
will say, as I said after Mr. Merritt's testimony, that I am
impressed and I did not know about all that the Secret Service
was doing in regard to cyber crime. Of course, the Secret
Service comes into the Department of Homeland Security with a
very strong, unique independent history, but the question I
want to ask is whether the Secret Service and the other cyber
security divisions are adequately integrated--in other words,
whether there is, certainly, sharing of information going on.
Mr. Merritt mentioned the Electronic Crimes Task Force and the
sharing of information going on with State and local law
enforcers. But is it also going on within the building, as it
were, or within what will be the building?
Mr. Reitinger. I think the answer is yes, sir. I think we
can continue to strengthen the relationships, but there is
someone from the Secret Service on the NPPD staff. There is a
Secret Service liaison specifically at US-CERT. They have a
regular working relationship and an ability to collaborate.
I, specifically, on more than one occasion, when I have
received a report from US-CERT, have spoken to them about
making sure that we were working both with the Secret Service
and the FBI to ensure there was appropriate law enforcement
follow-up. And there are collaboration mechanisms that the
Secret Service and the Bureau use to work broadly within law
enforcement.
So I believe the connections are there, and I think as we
move forward and build out the US-CERT capabilities, they are
going to continue to be enhanced and be more effective.
Chairman Lieberman. Obviously, that is very important.
Mr. Nelson, any thoughts about additional law, Federal law,
that could assist FS-ISAC in the work that you are doing?
Mr. Nelson. We did not really specify in our testimony
recommendations in that regard, but we do think that there are
some things. We could require support of some funding for, for
instance, better education, particularly getting the word out
that you do not open that phish that you get, that type of
phishing campaign. And one of our members, a small member, a
financial institution in southern Virginia, came up with the
idea of a logo, an anti-phishing logo almost like the no-
smoking logo, or ``Don't Pollute, Give a Hoot.'' Remember those
old campaigns? But just kind of get the national mind or kind
of the national consciousness around the need not to click on
these suspicious e-mails. So I think that is one area that I
think we could work on.
Chairman Lieberman. One suggestion that has been made to
the Committee for legislation is to require in law or encourage
or facilitate the creation of some certification process for
the private sector--in other words, either administered by a
group like yours in your area of our economy, financial
services, and in others; or perhaps with some governmental
regulatory board which would set minimum standards that we
would require private sector entities to follow to defend
themselves--and, in the larger sense, all of us--against cyber
attack either for purposes of money or terrorism.
Maybe I should start with you, Mr. Reitinger, and ask you
whether you have thought about that and if you have any opinion
on it.
Mr. Reitinger. I cannot testify to that in particular, sir.
I would have to see the details of the proposal. What I would
say is I think it is not true that cyber is completely
unregulated. Obviously, there are financial regulations. In the
chemical sector, for example, there are elements to chemical
cyber security regulation embedded in the current Chemical
Facility Anti-Terrorism Standards (CFATS) regime. So there is a
mixture of degree of regulation, and sometimes when people talk
about the proposal you are talking about, they point to what is
called the North American Electric Reliability Corporation
(NERC) and Federal Energy Regulatory Commission (FERC) model.
Obviously, there is a lot to be explored. I think it is
beyond dispute that the status quo is not sufficient. We are
committed to working within the model we have right now and
enabling our private sector partners to succeed. And in terms
of whether additional authority is necessary or appropriate, I
think we need to continue to examine that, because it is clear
that cyber security is a national security and homeland
security issue that needs to be fully addressed.
Chairman Lieberman. Yes, I agree. We have not reached a
conclusion on this, but it is very important, I think, for the
Committee to consider it because the Federal Government clearly
cannot do all this on our own. Too much of our critical
infrastructure is owned by the private sector, which, of
course, is quite appropriate and positive. What responsibility
does the society through the government put on the private
sector to take at least the minimal set of actions to protect
themselves and the larger society from cyber attack?
So I would welcome a first response, Mr. Nelson, and say to
you that we would like to keep in touch, and with you, Mr.
Carr, as well. Go right ahead.
Mr. Nelson. The one thing I would say, we have, of course,
in the financial services industry, a number of regulators. I
hear some of our firms complain that regulators are coming in
every week, a different set. FDIC comes in, the Federal Reserve
comes in the next week, and then you have the Office of the
Comptroller of the Currency (OCC), etc.
Chairman Lieberman. Tell them to get ready for the National
Cyber Security---- [Laughter.]
Mr. Nelson. I will do that. But I think on the other side,
we do have a number of cyber security areas that the examiners
are looking at, that they are examining today. One was, a
couple years ago, the implementation of a guidance, and a
guidance sounds like a loose term, but it was actually a
requirement for financial institutions to look at all of their
applications to see if multi-factor authentication should be
applied, and you have to do that evaluation. Most of the
financial institutions, at least for business accounts, do
require multi-factor authentication, for instance. Even on the
consumer side, there is knowledge-based authentication, for
instance, knowing that if I am on my computer, this is the
correct IP address for who I normally do business with. So
those types of authentication and multi-factor authentication
tools are more or less looked at by the examiners today to see
if the banks are complying with that.
Could they be stronger? And some of the things that Mr.
Carr recommended about strong encryption, that we have
recommended, and actually the whole panel has recommended, I
think that is something at which we ought to look. But, again,
we have stayed away from being too prescriptive with that and
wanted to really look at, as technologies change and as the
attacking vectors change, how do we respond to that. And I
think we really try to make that part of our regulatory regimen
today.
Chairman Lieberman. Mr. Carr, do you want to respond at all
to that?
Mr. Carr. I would just like to say that at our meeting last
week, there was a frustration expressed by law enforcement that
they would know some of these bad guys and these criminal rings
and go to countries to arrest them, and they were not able to
arrest them because of non-cooperation with that country. That
would be helpful. I am not sure that legislation can solve that
problem, but that is a problem that needs to be solved.
Chairman Lieberman. Yes, but that is the kind of problem
that can be solved either at a diplomatic level, through the
State Department, or perhaps through the development of more
and more international cooperative law enforcement efforts.
Well, that is a topic we are going to consider as we go on
to develop the legislation, whether we want to create kind of a
good certification seal if you will, whether as some have
suggested we go beyond and actually require, for instance,
encryption or some other steps to be taken. Those are big steps
to take, and we are not going to take them lightly or without
adequate consideration.
I want to thank the four of you. It has been a very
productive hearing from our point of view, both from the real-
life experiences--the nightmarish experience that you have had
to go through, Mr. Carr, and, Mr. Nelson, the work that your
group is doing--and then, Mr. Merritt and Mr. Reitinger, thanks
for what you are doing in response. This is a problem that is
not going to go away. It is going to get worse unless we can
work together to diminish the threat, which this Committee
wants to do everything it can to make it possible by those of
you who are out in the field every day.
So we are going to hold the record of this hearing open for
15 days for additional statements or questions. I thank you
again for your testimony. The hearing is adjourned.
[Whereupon, at 12:04 p.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]