[House Hearing, 112 Congress]
[From the U.S. Government Printing Office]
DRAFT LEGISLATIVE PROPOSAL ON CYBERSECURITY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
DECEMBER 6, 2011
__________
Serial No. 112-61
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
_____
U.S. GOVERNMENT PRINTING OFFICE
74-646PDF WASHINGTON : 2012
-----------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Lamar Smith, Texas
Daniel E. Lungren, California
Mike Rogers, Alabama
Michael T. McCaul, Texas
Gus M. Bilirakis, Florida
Paul C. Broun, Georgia
Candice S. Miller, Michigan
Tim Walberg, Michigan
Chip Cravaack, Minnesota
Joe Walsh, Illinois
Patrick Meehan, Pennsylvania
Ben Quayle, Arizona
Scott Rigell, Virginia
Billy Long, Missouri
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Sheila Jackson Lee, Texas
Henry Cuellar, Texas
Yvette D. Clarke, New York
Laura Richardson, California
Danny K. Davis, Illinois
Brian Higgins, New York
Jackie Speier, California
Cedric L. Richmond, Louisiana
Hansen Clarke, Michigan
William R. Keating, Massachusetts
Kathleen C. Hochul, New York
Janice Hahn, California
Michael J. Russell, Staff Director/Chief Counsel
Kerry Ann Watkins, Senior Policy Director
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Daniel E. Lungren, California, Chairman
Michael T. McCaul, Texas
Tim Walberg, Michigan, Vice Chair
Patrick Meehan, Pennsylvania
Billy Long, Missouri
Tom Marino, Pennsylvania
Peter T. King, New York (Ex Officio)
Yvette D. Clarke, New York
Laura Richardson, California
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Bennie G. Thompson, Mississippi (Ex Officio)
Coley C. O'Brien, Staff Director
Zachary D. Harris, Subcommittee Clerk
Chris Schepis, Minority Senior Professional Staff Member
CONTENTS
----------
Statements
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies
Witnesses
Mr. Gregory E. Shannon, Chief Scientist for Computer Emergency
Readiness Team, Software Engineering Institute, Carnegie Mellon
University:
Oral Statement
Prepared Statement
Ms. Cheri F. McGuire, Vice President of Global Government Affairs
and Cybersecurity Policy, Symantec Corporation:
Oral Statement
Prepared Statement
Mr. Gregory T. Nojeim, Senior Counsel and Director, Project on
Freedom, Security and Technology, Center for Democracy and
Technology:
Oral Statement
Prepared Statement
Mr. Kevin R. Kosar, Analyst in American Government, Congressional
Research Service:
Oral Statement
Prepared Statement
DRAFT LEGISLATIVE PROPOSAL ON CYBERSECURITY
----------
Tuesday, December 6, 2011
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 10:15 a.m., in
Room 311, Cannon House Office Building, Hon. Daniel E. Lungren
[Chairman of the subcommittee] presiding.
Present: Representatives Lungren, McCaul, Walberg, Meehan,
Long, King (ex officio), Clarke, Richardson, Richmond, Keating,
and Thompson (ex officio).
Mr. Lungren. The Committee on Homeland Security
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order. We have been advised
by top staff on the subcommittee that we may proceed. Ms.
Clarke, unfortunately, is caught in traffic, which I think a
lot of people are this morning, but we will proceed.
The subcommittee is meeting today to examine the
committee's ``Draft Legislative Proposal on Cybersecurity.''
The draft legislation was distributed with the hearing notice,
although the draft was circulated with Members of the other
side of the aisle, I believe, in August, and there have been
very few changes made since that time. I would ask other
Members if they wish at the conclusion of this hearing to co-
sponsor the draft before us. We intend to drop this immediately
so that we can begin the process moving this forward.
Top Government intelligence and military leaders point to
cybersecurity as the issue that worries them the most,
primarily because it touches every aspect of American life,
including our military operations. Tomorrow is December 7, the
date recalled by CIA Director Leon Panetta in recent testimony
before Congress about his fear of a cyber Pearl Harbor. The
growing connectivity between information systems, the internet,
and our critical infrastructure creates opportunities for
attackers to disrupt telecommunications, electric power, energy
pipelines, and our financial networks. We hear every day that
cyber attacks are escalating around the world, but particularly
here in the United States where extensive digital networks'
information systems provide a rich target for thieves and rogue
nations. Disgruntled employees, hackers, even foreign
governments, ``are knocking on the door of these systems and
there have been intrusions.'' There has been a 40 percent spike
in cyberthreats to Government networks in the last year alone,
as reported. The Commerce Department estimates that the theft
of intellectual property, most stolen via electronic means,
costs $250 billion annually and eliminates approximately
750,000 U.S. jobs.
Cybertheft, unfortunately, is no longer our only concern.
The Stuxnet virus demonstrates the offensive capability to
attack and incapacitate critical infrastructure. This presents
a more immediate destructive threat, a digital warhead
delivered through the internet. Cybersecurity is now recognized
as a critical component of our National economic and National
security. Failure to improve our cyberdefenses will expose our
intellectual property to continued theft and damage to our
critical infrastructure, putting in jeopardy our future
economic prosperity. Congress needs to act to improve our
cyberdefenses by designating the responsible agency and
Government to coordinate defense of the Government networks.
We agree with the administration that the Department of
Homeland Security is the appropriate agency to lead this effort
and protect our critical information infrastructure, and our
bill codifies DHS' cyber roles and responsibilities. Further,
we need to improve our ability to assess cyber risks and
strengthen cyber standards, generally with help from NIST. We
should also encourage existing regulators to improve the cyber
standards for the most critical infrastructure within their
purview. The cyberthreat must be addressed in partnership with
the private sector which owns, as we know, most of the
country's critical infrastructure. This will require
establishing a true, trusted partnership between Government and
the private sector. Our objective is to create a partnership of
equals designed to facilitate the exchange of cyber information
and intelligence, thereby to accelerate cyberthreat
identification and remedies. This trusted partnership under our
bill will be known as the National information-sharing
organization.
These changes proposed in our legislation are within our
committee's jurisdiction and will, we believe, enhance
cybersecurity of our critical information infrastructure.
Today's hearing will afford our private sector partners another
opportunity to weigh in on our approach to protecting critical
information infrastructure from this escalating cyberthreat.
We look forward to hearing your comments. I now would
recognize the Ranking Member of our subcommittee, the
gentlelady from New York, Ms. Clarke.
Ms. Clarke. Thank you very much, Mr. Chairman, and thank
you for bringing your proposed legislation to our subcommittee.
I appreciate the diligence that our witnesses have shown in
analysis of the legislation and want to particularly thank Mr.
Kosar for his scholarly work and quick turnaround. From my
perspective, the Department must have sufficient authority to
make sure that Government and privately-owned critical
infrastructure install and monitor ample protection for their
cyber systems, both agency-wide in the Federal Government and
for identified critical infrastructure that supports the
economic, social, and security needs of our Nation. Effective
implementation of that authority will enable DHS to lead by
example, a prerequisite for building credibility and trust with
privately-owned critical infrastructure.
In H.R. 174, the Homeland Security Cyber and Physical
Infrastructure Protection Act of 2011, introduced by Mr.
Thompson in January of this year, and which I co-sponsor, the
Department is specifically given major cybersecurity
responsibility and includes a plan to oversee cybersecurity
efforts for identified critical infrastructure, much like we
already do in the CFATS program, which I think is a prudent
risk-based approach.
The draft legislation we have before us includes an
emphasis on voluntary incentives for private companies with
some narrowly-targeted regulation for critical infrastructure
industries that are already highly regulated. I think we are
all looking for a way not to have regulation that duplicates
what is already being done. Government can ask the critical
infrastructure systems to improve security only if Government
is a model leading by example.
Mr. Chairman, I am glad to see the language of the
discussion draft does provide some provisions that are broadly
similar to provisions in H.R. 174 and the White House cyber
proposal. For example, by increasing the responsibilities of
the Department for cybersecurity in Federal agencies and
critical infrastructure, authorizing US-CERT, addressing supply
chain vulnerabilities, increasing cyber R&D, and providing
enhanced personnel authorities to improve the cybersecurity
workforce.
My concern is two-fold. How can we realistically increase
our cybersecurity efforts if the House appropriations
drastically-reduced level of funding is implemented? Second,
the discussion draft relies on purely voluntary actions and
establishes a non-profit quasi-Governmental entity, the
National Information-Sharing Organization, with private and
public sector members, for the purposes of facilitating
information exchange, performing collaborative cybersecurity
R&D, and encouraging non-Federal use of voluntary cybersecurity
standards.
I think it is important that we look closely at the details
of this quasi-Governmental entity to explore the real-life
implications of such a body and its actions, and how it would
affect the Department's ability to enhance cybersecurity for
our Government agencies, our crucial critical infrastructure,
and ultimately for our citizens.
So thank you again, Mr. Chairman. These are issues that I
am anxious to learn more about, and I look forward to the
testimony today, and I yield back.
Mr. Lungren. I thank the gentlelady. Other Members of the
committee are reminded that opening statements may be submitted
for the record.
We are pleased to have a very distinguished panel of
witnesses before us today on this very important topic.
Dr. Greg Shannon is the chief scientist for the CERT
Program at Carnegie Mellon University Software Engineering
Institute. In this role he works with CERT management and staff
to establish and enhance the program's research visibility,
initiatives, strategies and policies. Prior to joining CERT,
Dr. Shannon was the chief scientist at two startups where he
worked on insider threats, the science of cybersecurity and
statistical anomaly detection.
Ms. Cheri McGuire serves as the vice president of Global
Government Affairs and Cybersecurity Policy, where she leads a
global team focused on cybersecurity, data integrity, and
privacy issues. She works extensively with industry and
Government, including serving as chair of the IT Sector
Coordinating Council. That is one of the 18 critical sectors
identified by the President and DHS to work with the Government
on critical infrastructure, protection, and cybersecurity
matters. Prior to joining Symantec in 2010, she served as
director for critical infrastructure and cybersecurity in
Microsoft's trustworthy computing group.
Mr. Gregory Nojeim is senior counsel at the Center for
Democracy and Technology, or CDT. In this capacity he conducts
much of CDT's work in the areas of National security,
terrorism, and Fourth Amendment protection. Prior to joining
CDT in May 2007, he was legislative counsel of the American
Civil Liberties Union and for 7 years was the associate
director and chief legislative counsel of the ACLU's Washington
legislative office.
Dr. Kevin Kosar is an Analyst in American National
Government for the Congressional Research Service where he has
served since 2003. CRS' research portfolio includes
Congressionally-chartered organizations, the U.S. Postal
Service, classified information policy, Government
communications and privatization, all obviously non-
controversial areas. He previously testified before Congress in
April 2010, before the House Oversight and Government Reform
Committee, regarding the U.S. Postal Service's financial
condition. A contributing editor at Public Administration
Review Journal, Dr. Kosar received his Ph.D. in politics from
New York University.
As you all know, your printed texts will be made a part of
the record in their entirety. You are each recognized for 5
minutes to give us a summary of your testimony, and at the
conclusion of which we will go in order for questions.
So the Chairman will recognize Dr. Shannon to testify.
STATEMENT OF GREGORY E. SHANNON, CHIEF SCIENTIST FOR COMPUTER
EMERGENCY READINESS TEAM, SOFTWARE ENGINEERING INSTITUTE,
CARNEGIE MELLON UNIVERSITY
Mr. Shannon. Thank you Chairman Lungren, Ranking Member
Clarke, and subcommittee Members. I am honored to testify
before you again now on this important legislation. I am the
chief scientist for the CERT cybersecurity program at the
Software Engineering Institute, which is a DOD FFRDC operated
by Carnegie Mellon. The CERT Program's Associated Coordination
Center was created in 1988 in response to the Morris worm
incident, and we have grown into a National asset in
cybersecurity with 250 staff supporting the cybersecurity needs
of the DOD, DHS, and others. CERT has been and continues to be
a key partner with US-CERT in its important work.
As we talk today about the draft legislation and in
particular the concept of a National Information-Sharing
Organization, or NISO, please consider the role of trust in
sharing sensitive information, especially the process of
establishing trust. Consider for a moment, if you will, your
own personal experience in trusted sharing of
sensitive information with an organization such as your last
visit to the doctor, a parent-teacher conference, or the voting
booth. Your willingness to share sensitive information was
probably driven by the degree to which you trusted that
organization and derived benefit from that organization. That
trust took time to establish and is expressed in cultural
norms, laws, relationships, processes, et cetera. That trust
wasn't legislated, though it often is assisted by
legislation. So it is likewise with sensitive cybersecurity
information provided by private entities to a NISO.
I appreciate the frustrations with the current range and
pace of information sharing. We all wish for more, better,
sooner. Our view is that DHS is making great progress and this
legislation should augment that work. I endorse the committee's
proposal to establish a non-profit private entity to serve as a
National clearinghouse for the exchange of cyberthreat
information. We believe that a third-party, honest broker
facilitator for the disclosure and dissemination of
cybersecurity knowledge creates an excellent environment where
all participants, both Government and non-Government, almost
readily share sensitive information. Like with the Conficker
working group, trusted relationships are a critical success
factor for NISO, and reliable trust takes time to establish,
especially at scale.
The type of information that organizations are being asked
to share with each other in the U.S. Government is sensitive,
and sharing such information requires trusted relationships
established and tested over time.
Another critical success factor is data value, in addition
to protections and policy that we discuss in our testimony. The
data information and knowledge that the NISO collects and
shares must be distinct and not readily available; else there
is little or no incentive to participate. Value results from
not only access to unique data but also from analysis that
enables reactive and proactive responses by participants. Like
the CDC, the Centers for Disease Control, the NISO must have
distinct capabilities that make it the go-to organization for
cyberthreat awareness for private entities.
Federally-enabled sharing of cybersecurity information is
evolving. Many of the existing sharing relationships are shown
in diagram 2 of my written testimony. The jumbledness of the
links demonstrates that a NISO should complement sharing,
clarify roles and responsibilities and, as appropriate, help
consolidate those roles and responsibilities. We don't need yet
another loosely mandated cybersecurity information-sharing
organization, and NISO can be a step in the right direction,
especially in helping to clarify interactions.
Since we are discussing data, information, and knowledge,
let's also talk about the importance of operationally and
scientifically valid data, especially in the context of
research, development, acquisition, and assessment. This
applies to both sections 2 and 4 of the draft legislation.
Given the preponderance of threats, standards,
technologies, products, best practices, et cetera, in
cybersecurity, I strongly encourage the committee to include
language in the legislation that emphasizes the need for
operationally and scientifically valid, scientifically sound
capabilities. Not every best practice scales well and not every
technology has scientifically sound evidence of its efficacy
and its limitations. Such legislation language would create an
important positive demand for well-formed pilots and
experiments that produce broadly meaningful data and results.
This would stimulate the development and maturation of ever-
improving methodologies for pilot projects, assessments,
experiments, and research.
In conclusion, I look forward to working with the
subcommittee to improve the timely sharing of actionable
cybersecurity information that is operationally and
scientifically valid. Thank you.
[The statement of Mr. Shannon follows:]
Prepared Statement of Gregory E. Shannon
December 6, 2011
Chairman Lungren, Ranking Member Clarke, and other distinguished
Members of the subcommittee, thank you for the opportunity to testify;
it is my pleasure to discuss your draft legislation.
ABOUT CERT
The CERT Program is part of the Carnegie Mellon University Software
Engineering Institute (SEI), a Department of Defense Federally-funded
research and development center (FFRDC) located on the Carnegie Mellon
campus in Pittsburgh, Pennsylvania (www.sei.cmu.edu).
The CERT Program (www.cert.org) has evolved from the first computer
emergency response team, created by the SEI at the request of the
Defense Advanced Research Projects Agency (DARPA), in 1988 as a direct
response to the Morris worm incident. The CERT Program continues to
research, develop, and promote the use of appropriate technology and
systems management practices to resist attacks on networked systems,
limit damage, restore continuity of critical systems services, and
investigate methods and root causes. CERT works both to mitigate cyber
risks and to facilitate local, National, and international cyber
incident responses. Over the past 23 years, CERT has led efforts to
establish over 200 computer security incident response teams (CSIRTs)
around the world--including the Department of Homeland Security (DHS)
US-CERT. We have a proven track record of success in transitioning
research and technology to those who can implement it on a National
scale.
I am Dr. Greg Shannon, the Chief Scientist for the CERT Program,
where I lead efforts to sustain and broaden CERT's strategic research,
development, and policy initiatives.
TESTIMONY
I first want to ensure that the committee appreciates the
exceptional work that is under way at the Department of Homeland
Security (DHS) in the area of information sharing. I understand
frustrations with the current range and pace of information sharing,
but I assure you that DHS is making great progress. The type of
information that organizations are being asked to share with each other
and the U.S. Government is sensitive, and sharing such information
requires trusted relationships, established and tested over time.
Established trust is a key success factor for such programs, and
reliable trust takes time.
Working from the objectives of the current draft legislation,
drawing on CERT's 23 years of experience, and using concepts from
public health models,\1\ I will discuss how to leverage current
efforts, the strengths and challenges of both the current efforts and
the legislation, and specific recommendations. The mission of our FFRDC
is to improve the state of the practice, so I will focus on what should
be done versus who should be doing it.
---------------------------------------------------------------------------
\1\ I am drawing on ideas and language in the forthcoming report
from the EastWest Institute, Using a Public Health Model to Support
Collective Action to Improve Global Internet Health, that is being
written by an international private-sector-led working group.
---------------------------------------------------------------------------
I endorse the committee's proposal to position a non-profit private
entity to serve as a National clearinghouse for the exchange of cyber
threat information--the NISO (National Information Sharing
Organization). We believe that a ``third-party, honest broker''
facilitator for the disclosure and dissemination of cyber-security
intelligence creates a superior and more productive environment where
all participants, both Government and non-Government, more readily
share sensitive information. Moreover, it is imperative that the
designated organization is making decisions for the greater good based
on the highest quality data, openly acquired and objectively analyzed.
Many of the goals proposed for the NISO have parallels to the
activities of the Centers for Disease Control and Prevention (CDC)--the
fact that it is a Federal agency notwithstanding. As the Nation's
leader in health, monitoring, prevention, and preparedness, the CDC
works to monitor and prevent outbreaks, implement prevention
strategies, and maintain National statistics--it is a central
clearinghouse for information with response capabilities. Crucially, it
does so by working with partners throughout the Nation and the world to
collaboratively create the expertise, information, and tools that
people and communities need to protect themselves.
We envision the NISO, like the CDC, filling a cyber information
leadership role while interacting with existing groups. The NISO, run
by a non-profit, would have in-house functions, maintain a common
operating picture, and run the 24/7 help desk, but its biggest role will be
to interface with present-day efforts and improve communications and
collaboration. I want to ensure the committee recognizes the on-going
work within established frameworks and discuss the benefits of
utilizing progress already made. To add yet another institution could
in practice derail the current advancements and delay the committee's
ultimate goal of timely information sharing. I suggest that instead of
creating a duplicative organization, the committee charge the NISO with
being the single point of interaction for those successful efforts and,
when appropriate, consolidate work under the NISO.
I share and understand frustration that capabilities for cyber
threat information sharing are not being created quickly enough. Human
nature reasons that adding people to a late or slow project will
accelerate performance; however, Brooks's Law, also known as the
``mythical man-month,'' suggests otherwise. Based on his experiences at
IBM, Dr. Fred Brooks states: ``adding manpower to a late software
project makes it later.''\2\ Brooks found that there is ``ramp-up''
time to adding staff to a project--they aren't productive immediately,
and their education diverts resources from the rest of the team.
Furthermore, a new player sharply increases communication costs. As you
add additional ``reporting'' bodies, confusion as to who should be told
what and when is only exacerbated. Everyone working on the same task
needs to stay synchronized, so as more people are added, they spend more
time trying to find out what everyone else is doing. Furthermore, Dr.
Brooks famously said, ``Nine women can't make a baby in one month,''
implying that regardless of the manpower, some undertakings just take
time. For information sharing, building the necessary trust
relationships cannot be rushed.
---------------------------------------------------------------------------
\2\ Frederick P. Brooks, Jr. ``The Mythical Man-Month.'' 1995
[1975]. Addison-Wesley.
---------------------------------------------------------------------------
To better understand our vision, I have mapped out how a NISO
organization might look--see Diagram 1. In doing so, we made
assumptions about the overall goals of the organization based on the
stated and implied objectives, and I encourage the committee to think
carefully about what problems they want the NISO to solve and how the
structure and authority of the NISO helps solve those problems. Using
CERT's experience we have listed what we see as the necessary
capabilities and enablers for a successful NISO.
There are four critical success factors for such an entity to
accomplish the objectives set out: Data of value, trust, protections,
and policy. First, for the NISO to have success, it absolutely must be
able both to share and facilitate the sharing of timely, actionable
information. The existence of the former will enable the latter.
Furthermore, that which the NISO shares must be distinct and not
readily attainable by participating organizations. Otherwise there is
little or no incentive to participate. The value of NISO's information
would come from either being the exclusive distributor of an insight
through novel aggregations or applying a new analysis technique to
unique, participant-shared, or public information. Providing valuable
data is not only the result of having access to unique data, but also
the ability to fundamentally analyze the data differently to provide
real, actionable, intelligence from which best practices are derived.
For the NISO to truly serve a significant and useful role, the timely
and actionable information they disseminate to participating
organizations must be reactive as well as proactive, such as best
practices. The promise of exclusive information, such as fused analysis
of network data, network traffic, or forensic artifacts, will be the
value added that NISO participants need to justify their participation.
This information will also differentiate the suggested common operating
picture (COP) from the several entities that offer situational
awareness, and bring the necessary added value to ensure participant
involvement. Furthermore, the COP should strive to be able to
fundamentally analyze the data differently, further differentiating the
NISO from similar organizations and enticing participation. This
function would draw nicely from the anticipated collaborative research
and development. Like the CDC, the NISO needs distinctive capabilities
that make it the ``go-to'' organization for cyber threat awareness.
Next, I want to stress to the committee the importance of trust to
facilitate meaningful exchanges. The need for trust is yet another
reason that building on existing efforts is important. While there may
be frustrations with the current range and pace of information sharing,
you cannot legislate trust, and any new organization needs time to
build the necessary relationships for meaningful communications. I
believe the committee's intentions are best served by building upon the
existing rapports.
Last, it is imperative that solid protection mechanisms and safe
harbors be in place for the designated organization and its
participants for unencumbered information sharing and analytical
product delivery to occur. This will likely require both legislative
updates and policy changes, which must be done with the utmost care to
privacy and civil liberties. This is an important yet difficult task,
and I commend the committee for beginning the dialogue.
Moving on to the information-sharing objective of the NISO
organization: As you can see from Diagram 2 \3\ (NISO relationships
with existing efforts), there are currently many organizations that
``specialize'' in information sharing. Several Government agencies have
information-sharing entities--not just DHS--and not to mention the
hundreds of private-sector and academic entities, some quasi-
Government, that all claim to be centers where cyber information can be
shared. Without a recognized body, coordinated with United States
Government (USG) efforts, private-sector organizations are confused
about with whom and under what circumstances they should engage all of
these other efforts. This fragmentation results in sub-optimal
dissemination of timely information. NISO would serve as the National
cyber-security aggregation point and coordination center endorsed by
and coordinating with the Federal Government. We advocate establishing
a single point of interaction, to be run by the designated non-profit
entity, while collaborating and working with the mechanisms and
organizations already in place. For certain operational tasks, it might
make sense to re-brand current efforts and place them under the NISO,
all the while ensuring we are building on the successes and not
starting over.
---------------------------------------------------------------------------
\3\ Caveat: The diagram is in no way truly comprehensive of all the
current organizations that claim to be cyber information-sharing
centers. These are simply some of the most prominent entities.
Furthermore the relationships represented in the diagram are derived
from public mission statements and budget documents and are meant to be
illustrative, not comprehensive.
---------------------------------------------------------------------------
For the sake of clarity I will run through a real-world example of
a cyber threat and how a NISO, organized as suggested above, would have
had a positive impact on the situation. Let us take the Conficker worm,
first discovered in early November 2008, which used flaws in Microsoft
Windows software to infect millions of computers. Realizing a
collaborative effort was needed to combat the advanced malware
techniques behind Conficker, an industry group was serendipitously
formed during an ICANN conference in February 2009. While the Conficker
working group (CWG) had many successes, and several similar working
groups have since formed using the same model, the threat clearly
demonstrated gaps in our National capabilities. First and foremost, the
ramp-up delay: The effort expended to form the group and time spent
finding the right skill sets, capabilities, and authorities before any
work could be done on the problem at hand. Had there been an
established and trusted entity, such as a NISO, Microsoft could have
approached them and begun combating the problem much sooner. There are
other gaps the CWG has conceded they were unable to fill, such as the
need for a dedicated project manager, administrative support, testing
facilities, and a more coordinated approach with the anti-malware tool
vendors--roles that a NISO could clearly execute. Likewise, there are
lessons to be learned from why the group was successful. The CWG has
attributed their success to trust. The operational members of the group
all knew each other, had previously worked with each other, and had
confidence that all members would do a good job, follow through with their
given tasks, and do no intentional harm. That trust was the glue that
enabled a group of colleagues to form an effective collaboration that
was largely able to contain the worm. Their success corroborates the
model of a third-party organization working with existing functions and
building on already established relationships.\4\
---------------------------------------------------------------------------
\4\ Nazario, Jose. ``Conficker Working Group Overview.'' Institute
for Information Infrastructure Protection (I3P). 12 October 2011. Web.
http://www.thei3p.org/docs/events/cybercprfiles/
NAZARIOI3PCONFICKER.pdf.
---------------------------------------------------------------------------
I encourage the committee to require that the NISO maintain a
National repository of malware for research purposes. Currently there
are several organizations that have malware repositories but they are
seen as a competitive advantage and rarely shared. Access to such a
repository would enable cyber research to reach new levels. Currently
researchers work with only small pieces of the puzzle, resulting in
reactive research, and impeding research that can look more globally at
the problem. Again, if we use the public health model, imagine if
cancer researchers were only told that cancer affects thousands of
people who die every year, and the data was broken down by neither type
nor outcome. Such data would make it impossible to make well-informed
decisions about priorities for response as well as research. Armed with
a well-maintained malware repository, with appropriate controls on
access, the NISO could provide more effective methods for basic cyber
hygiene.
Finally, I want to touch upon the bill's research and development
objectives. Given the preponderance of threats, standards,
technologies, products, best practices, etc. in cybersecurity, I
strongly encourage the committee to include language in the legislation
that emphasizes the need for operationally and scientifically sound
capabilities. Not every best practice scales well, and not every
technology has scientifically sound evidence of its efficacy and its
limitations. The academic research community increasingly recognizes
the need for such sound methods as evidenced by workshops on Cyber
Security Experimentation and Testing (CSET)\5\ and Learning from
Authoritative Security Experiment Results (LASER).\6\ Such legislation
language would create an important positive demand for well-formed
pilots and experiments that produce broadly meaningful data and
results. This would stimulate the development and maturation of ever-
improving methodologies for pilot projects, assessments, experiments,
and research.
---------------------------------------------------------------------------
\5\ Established 2008: http://www.usenix.org/events/cset12/
index.html.
\6\ New: Learning from Authoritative Security Experiment Results
(LASER), http://www.laser-workshop.org.
---------------------------------------------------------------------------
For example, in the draft language, phrases such as the following
are used:
Develop and conduct risk assessments;
Comprehensive assessment techniques;
Foster the development of essential information security
technologies;
Facilitate the adoption of new cybersecurity technologies
and practices;
Guidelines for making information systems more secure at a
fundamental level;
Catalogue of risk-based performance standards;
Cybersecurity research and development.
I recommend adding clarifications that such artifacts and
activities are:
Operationally valid and scalable in situ;
Scientifically, theoretically, and/or experimentally valid
or sound;
Evidence-based capabilities and limitations.
Participants can further facilitate effective security by
authorizing the NISO to support creation of and access to high-fidelity
data sets to qualified researchers, of course with appropriate access
controls. Access to such data is essential for creating and evaluating
critical technologies and best practices, especially to understand
important limitations.
To finish, I want to applaud the committee's foresight in combining
research functions with operational objectives in the NISO design. It
is an ambitious and difficult task, and consequently there are
currently few successful mixed organizations. Nevertheless, combining
research and operations can and does have many benefits. I see the
SEI's CERT Program as a viable model for successfully bringing together
research and operations to add value to both communities. At CERT, our
strategy is to create usable technologies, apply them to real problems,
and amplify their impact by accelerating broad adoption. Having one
foot in operations gives us the insight into real-world problems and
ensures our research has real-world applications. Moreover, having
operational access gives us the opportunity to test our research and
make the necessary improvements for a successful and scalable
transition.
Thank you for the opportunity to comment on this important
legislation and leverage CERT's 23 years of experience in the area of
information sharing.
[GRAPHIC(S)] [NOT AVAILABLE IN TIFF FORMAT]
Mr. Lungren. Thank you very much.
Ms. McGuire.
STATEMENT OF CHERI F. MC GUIRE, VICE PRESIDENT OF GLOBAL
GOVERNMENT AFFAIRS AND CYBERSECURITY POLICY, SYMANTEC
CORPORATION
Ms. McGuire. Chairman Lungren, Ranking Member Clarke, and
distinguished Members of the subcommittee, thank you for the
opportunity to testify today on behalf of Symantec Corporation
and the Business Software Alliance. In addition to my role at
Symantec Corporation, I also serve as the chair of the IT
Sector Coordinating Council, as well as a member of the board
of Information Technology and Information Sharing and Analysis
Center or the IT ISAC. I also serve as the principal IT sector
representative to the Partnership for Critical Infrastructure
Security, which is the cross-sector cyber working group, a
cross-sector critical infrastructure working group that works
most closely with the Department of Homeland Security and other
agencies on infrastructure protection matters.
As the world's information security leader, Symantec
maintains 11 security response centers globally and we utilize
over 240,000 attack sensors in more than 200 countries to track
malicious activity 24 hours a day, 365 days a year.
As you all are too well aware, our Nation's critical
infrastructure systems are constantly under attack. In our
latest internet security threat report, we observed a 19
percent year-over-year increase in threat activity and
identified more than 286 million unique variations of malware
alone. In addition, based on data in our 2011 Norton cybercrime
survey we estimated that 431 million cybercrime victims have
been impacted globally with cyber attacks in the past year. At
an annual combined cost of $388 billion globally, based on both
financial losses and the lost time to recover from attacks,
cybercrime costs us more today than the global black market for
marijuana, cocaine, and heroin combined.
Symantec has been a long-time proponent for improving our
Nation's cybersecurity. As a member of the Business Software
Alliance, we were part of a coalition that offered a white
paper on improving our Nation's cybersecurity through public-
private partnerships. This paper laid out core principles for
cybersecurity policy. I would like to submit it for the record
as part of my testimony today.
As part of these core principles, first we must promote and
improve information sharing, which is often referred to as the
key to combating cyberthreats. However, we also must recognize
that information sharing is not an end goal but rather is a
tool to providing situational awareness or visibility so that
appropriate protective and risk mitigation actions may be
taken.
Second, effective and efficient cybersecurity cannot be
accomplished under a one-size-fits-all regime. For example, a
small mom-and-pop convenience store should not be required to
implement the same policies or standards as a nuclear facility.
Using a risk-based approach provides a mechanism for the
Government and industry to assess risk and expend the necessary
resources on areas that are truly needed.
Third, any proposed legislation must also promote, not
stifle, innovation. Cybersecurity policy should maximize the
ability of organizations to develop and adopt the widest
possible choice of cutting-edge cybersecurity solutions.
With regard to roles of industry and Government in
cybersecurity, the private sector's role is clearly defined to
operate and protect their networks. Industry must continually
tune their security environments to manage the level of risk
associated with the information they are protecting, while at
the same time working within the current economic pressures of
doing more with less.
Further, industry must move from a device-centric security
model to one that is identity- and information-centric. This
new security paradigm of data-centricity is not only about
protection of devices, but more importantly is about protecting
the information. The Government, of course, plays an important
role in cybersecurity. Government can create incentives to
encourage the adoption of cybersecurity technologies, it can
assist with education, training, and awareness to empower
users, it can serve as a facilitator for preparedness by
sponsoring exercises, and it can share actionable information
with industry to improve cybersecurity situational awareness
and the ability to respond.
Symantec was very pleased to review the draft bill that has
been circulated by you, Mr. Chairman. The draft legislation we
believe is a positive step forward in developing a National
cybersecurity policy that helps fulfill the core principles
that I have just discussed.
First, we believe there needs to be improved coordination
between and among public and private entities. Thus we are very
supportive of the bill's designation of a single entity as the
National cybersecurity authority.
Second, we support the bill's inclusion of a risk-based
approach to cybersecurity so that we do not overburden small
businesses with unnecessary security requirements, while still
ensuring that our critical infrastructures are protected.
We are also supportive of using existing internationally-
recognized performance standards, including those developed by
NIST. We are also pleased that the legislation takes into
account how our National cybersecurity policy will enhance
economic prosperity. Keeping this goal in mind will help to
prevent burdensome regulations, and it also appropriately
emphasizes the need to maximize market-based incentives and
public-private partnerships.
Finally, we support the bill's emphasis on promoting
information sharing. The bill clearly articulates that the
Government must share real-time actionable information with
critical infrastructure, owners, and operators. The mandate
within the structure of the proposed NISO that the Government
must share information is a strong step in the right direction.
However, some questions still remain about how we will continue
to utilize the existing entities under the proposed framework.
We believe that it is important to give the significant time
and resources that companies have invested in the sector
coordinating councils and the ISACs the appropriate venue to
participate.
In conclusion, we recognize that there is no silver bullet
for cybersecurity; as a first step, we really do have to
shift this dialogue from solving the cybersecurity problem to
managing the risks associated with it. We welcome the
opportunity to answer any questions you may have at this time.
Thank you.
[The statement of Ms. McGuire follows:]
Prepared Statement of Cheri F. McGuire
December 6, 2011
introduction
Chairman Lungren, Ranking Member Clarke and distinguished Members
of the subcommittee, thank you for the opportunity to testify today on
behalf of Symantec Corporation \1\ and the Business Software Alliance
(BSA) \2\ as you consider this very important issue.
---------------------------------------------------------------------------
\1\ Symantec is a global leader in providing security, storage, and
systems management solutions to help consumers and organizations secure
and manage their information-driven world. Our software and services
protect against more risks at more points, more completely and
efficiently, enabling confidence wherever information is used or
stored. More information is available at www.symantec.com.
\2\ The Business Software Alliance (www.bsa.org) is the leading
global advocate for the software industry. It is an association of
nearly 100 world-class companies that invest billions of dollars
annually to create software solutions that spark the economy and
improve modern life. Through international government relations,
intellectual property enforcement, and educational activities, BSA
expands the horizons of the digital world and builds trust and
confidence in the new technologies driving it forward.
---------------------------------------------------------------------------
My name is Cheri McGuire and I am the vice president of global
government affairs and cybersecurity policy at Symantec Corporation. I
also serve as the current chair of the Information Technology (IT)
Sector Coordinating Council (SCC), which is one of 18 critical sectors
identified by the President and the U.S. Department of Homeland
Security (DHS) to work in partnership with the Government on critical
infrastructure protection (CIP) and cybersecurity policy and
operational matters. I am also a member of the board for the IT
Information Sharing and Analysis Center (ISAC), and serve as the
principal IT Sector representative to the Partnership for Critical
Infrastructure Security (PCIS). Prior to joining Symantec in 2010, I
served as Director for Critical Infrastructure and Cybersecurity in
Microsoft's Trustworthy Computing Group, and before that, at the U.S.
Department of Homeland Security (DHS), where I led the National Cyber
Security Division and the U.S. Computer Emergency Readiness Team (US-
CERT).
Symantec is the world's information security leader, with over 25
years of experience in developing internet security technology. Today,
we protect more people and businesses from more on-line threats than
anyone in the world. We maintain 11 Security Response Centers globally
and utilize over 240,000 attack sensors in more than 200 countries to
track malicious activity 24 hours a day, 365 days a year. Our best-in-
class Global Intelligence Network allows us to capture world-wide
security intelligence data that gives our analysts an unparalleled view
of the entire internet threat landscape, including emerging cyber
attack trends, malicious code activity, phishing, and spam. In short,
if there is a class of threat on the internet, Symantec knows about it.
At Symantec, we are committed to assuring the security,
availability, and integrity of our customers' information and the
protection of critical infrastructure is a top priority for us. We
believe that CIP is an essential element of a resilient and secure
Nation. From water systems to computer networks, power grids to
cellular phone towers, risks to critical infrastructure can result from
a complex combination of threats and hazards, including terrorist
attacks, accidents, and natural disasters.
We welcome the opportunity to provide comments as the committee
continues its important efforts to bolster the state of cybersecurity
in the United States and abroad. In my testimony today, I will provide
the subcommittee with:
our latest analysis of the threat landscape as detailed in
the Symantec Internet Security Threat Report Volume XVI (ISTR
XVI) and in the 2011 Norton Cybercrime Report;
principles for improving our Nation's cybersecurity;
appropriate roles of industry and Government in
cybersecurity; and
our views on your draft legislative proposal for
cybersecurity.
threat landscape
Today, we rely on technology for virtually everything we do, from
driving to and from work, to mobile banking, to securing our most
critical systems that protect our Nation such as our nuclear plants and
electric grid. Our Nation's critical infrastructure systems are
constantly under attack, and the methods for attacking us are
constantly evolving and becoming more sophisticated with each passing
minute. It is our goal to ensure that we are thinking ten steps ahead
of the attackers. Looking at the current threat landscape is not
enough--we must also keep our eyes on the horizon for evolving trends.
In the latest Symantec Internet Security Threat Report (ISTR)
Volume XVI, we observed significant changes to the threat landscape in
2010.\3\ The volume and sophistication of threat activity increased
more than 19 percent over 2009, with Symantec identifying more than 286
million unique variations of malicious software or malware. These
included threats to social networking sites and users, mobile devices,
and phishing.
---------------------------------------------------------------------------
\3\ Symantec Internet Security Threat Report XVI, April 2011.
http://www.symantec.com/business/threatreport/index.jsp.
---------------------------------------------------------------------------
However, to understand the evolving threat landscape, we first need
to look at who is behind the vast array of cyber attacks that we are
seeing today. Attacks originate from a range of individuals and
organizations, with a wide variety of motivations and intended
consequences. Attackers can include hackers (both individual and
organized gangs), cybercriminals (from petty operators to organized
syndicates), cyber spies (industrial and nation-state), and
``hacktivists'' (with a specific political or social agenda).
Consequences can also take many forms, from stealing resources and
information, to extorting money, to outright destruction of information
systems.
It is also important to recognize that attackers have no boundaries
when it comes to their intended victims. All organizations and
individuals are potential targets. Corporate enterprises are often the
object of targeted attacks not only to steal customer data and
intellectual property, but also to disrupt business processes and
commerce. Small businesses are often less resilient and the impacts of
stolen bank accounts and business disruption can be catastrophic in a
very short time frame. In addition, end-users or consumers are
confronted with the financial and disruptive impacts of identity theft,
scams, and system clean-ups, not to mention the lost productivity and
frustration of restoring their accounts. Finally, Governments are most
often the victims of cyber sabotage, cyber espionage, and hacktivism,
all of which can have significant National security implications.
Over the years, we have observed an ominous change that has swept
across the internet. The threat landscape once dominated by worms and
viruses developed by irresponsible hackers is now being ruled by a new
breed of cybercriminals. As more people have access to technology,
criminals leverage it for criminal purposes. In October, we released
our 2011 Norton Cybercrime Report where we examined on-line behavior in
24 countries and interviewed nearly 20,000 consumers.\4\ We calculated
the cost of global cybercrime at $114 billion annually. We also
calculated that lost time due to recovery and impact on personal lives
was an additional $274 billion world-wide. Further, we found that more
than two-thirds of on-line adults (69 percent) reported having been a
victim of cybercrime in their lifetime. Every second, 14 adults become
a victim of cybercrime, resulting in more than 1 million cybercrime
victims every day.
---------------------------------------------------------------------------
\4\ 2011 Norton Cybercrime Report. www.norton.com/cybercrimereport
---------------------------------------------------------------------------
With an estimated 431 million adult victims globally in the past
year, and at an annual combined cost of $388 billion globally based on
financial losses and time lost, cybercrime costs are significantly more
than the global black market in marijuana, cocaine, and heroin
combined--which is estimated at $288 billion per year.
It is not just our computers that we need to secure from
cybercriminals. Today, a high percentage of consumers use their mobile
phones to conduct nearly every aspect of their life, from basic
communication to on-line shopping to mobile banking. Most of these
phones are not secure. The Norton Cybercrime Report revealed that 10
percent of adults on-line have experienced cybercrime on their mobile
phone. Further, we reported in the Symantec ISTR XVI that there were 42
percent more mobile vulnerabilities in 2010 compared to 2009--a sign
that cybercriminals are turning their efforts to the mobile space.
Recently, there has been an up-swing in press reports regarding
cyber attacks and the ``advanced persistent threat'' or APT. While APT
is one of the most overused terms in the security industry today, it is
nevertheless something to be taken seriously. APTs covertly infiltrate
systems and hide and wait for opportune moments to steal information or
damage systems.
The APT is not one entity; rather it is many different and
independent entities, with a tremendous range of motivations. Some of
these motivations include financial gain, exfiltration (or theft) of
sensitive and personal information, cyber espionage, and a new turn in
the last 18 months, cyber sabotage as exemplified by the Stuxnet
malware.
Another trait of the APT is to infiltrate a system, enterprise, or
organization, but not immediately execute the ultimate mission. Often
the APT will lie in wait, gaining intelligence, observing patterns, and
use this information to glean information to further refine the
ultimate attack.
The threats we are seeing are not new, they are just newly
packaged. However, while the attacks are not new, they are becoming
more targeted and the monetary losses have grown exponentially. Most
indicators point to future cyber attacks as being more severe, more
complex, and more difficult to prevent and address than current
threats. Thus, it is even more vital that we have a cybersecurity
policy that is flexible, fosters innovation, and enables us to stay
ahead of those with bad intentions.
principles for improving our nation's cybersecurity
Symantec has been a long-time proponent for improving our Nation's
cybersecurity. We have testified before Congress on the issue each of
the last 4 years and have been a key stakeholder in the numerous
legislative efforts and public-private partnerships to improve cyber
research and development, cyber education, security standard setting,
CIP, and more. We have also participated in various multi-industry
efforts aimed at improving our cybersecurity policies. For example, as
a member of the Business Software Alliance, we were part of a large
coalition of cybersecurity stakeholders that authored a white paper on
``Improving our Nation's Cybersecurity through Public Private
Partnerships.''\5\ This paper laid out a number of principles, and we
believe any cybersecurity legislation should stay true to the core
principles associated with these key elements:
---------------------------------------------------------------------------
\5\ March 8, 2011. ``Improving our Nation's Cybersecurity through
Public Private Partnerships: A White Paper.'' http://www.bsa.org//
media/Files/Policy/Security/CyberSecure/
cybersecurity_white_paper_publicprivatepartnership.ashx.
---------------------------------------------------------------------------
Risk management standards, assessment, and incentives;
Incident management;
Information sharing and privacy;
International engagement;
Supply chain security;
Innovation and research and development (R&D); and,
Education and awareness.
For the purposes of my testimony, I will discuss a few of these in
the context of your draft legislative proposal.
Information Sharing
Any cybersecurity legislation must promote and improve information
sharing. Information sharing is often referred to as the key to
combating cyber threats. However, we must first recognize that
information sharing is not an end goal, but rather a tool or mechanism
to provide situational awareness, or visibility, so that appropriate
protective and risk mitigation actions may be taken. In order for
information sharing to be effective, information must be shared in a
timely manner, must be shared with the right people or organizations,
and must be shared with the understanding that so long as an entity
shares information in good faith, it will not be faced with legal
liability for sharing the information.
In order to achieve truly effective information sharing, there must
be increased coordination between and among industry and Government. In
my roles both inside and outside of the Government, and more recently
as Chair of the IT Sector Coordinating Council and on the Board of the
IT-ISAC, I have seen first-hand both successes and challenges in our
current public-private partnership with respect to information sharing.
In particular, cybersecurity exercises have been one of the most
successful public-private partnership and information-sharing
initiatives to date. The level of engagement and resources brought to
bear from the Government and industry to jointly plan, develop
scenarios, define information-sharing processes, and execute the
exercises has been unprecedented. The lessons learned from these
exercises have been invaluable to both industry and Government.
However, much work still needs to be done to address recommended
actions associated with information sharing and realize improvements.
One way to improve information sharing is to provide the Government
with the proper tools and authority to effectively disseminate
information. I have seen too many instances of the Government releasing
information on cyber threats, days and sometimes weeks, after the
threat has been identified. In many of these cases, by the time the
Government releases the information, it has little use because the
private sector has already identified and taken actions to mitigate the
threat. There is no single solution that will eliminate these delays,
but passing legislation that sends a clear message to the Government
that sharing information with the private sector is both a priority and
necessary to protect our infrastructure from cyber attacks will go a
long way.
At Symantec, we also support an incentive-based approach to
information sharing. There is no doubt that businesses can gain a
competitive advantage by not disclosing information to their
competitors. However, a well-incentivized program of collaboration can
help offset the disadvantages and keep the information flowing freely.
At the same time, Government does have an important role in
fostering the effectiveness of information sharing. For example,
Government can increase voluntary information sharing through tax
incentives, grant funding, and streamlining of regulatory procedures.
We also need to address policies that discourage businesses who would
be willing to share information but choose not to because of fear of
prosecution. Therefore, liability protections are necessary to improve
bi-directional information sharing.
As with any partnership, information sharing is founded upon and
enabled by trust. That trust is weakened when Government information-
sharing mandates are imposed on industry. Enhanced self-interest and a
flexible approach are more likely to improve information sharing than
Government mandates to private industry.
Risk Assessment
Effective and efficient cybersecurity cannot be accomplished under
a ``one-size-fits-all'' regime. Each system within our critical
infrastructure and each cyber threat pose different risks. For example,
a small mom-and-pop convenience store should not be required to
implement the same policies or standards as a nuclear facility. Using a
risk-based approach, as outlined in the National Infrastructure
Protection Plan (NIPP),\6\ provides a mechanism for the Government and
industry to assess risk and expend the necessary resources on areas
that truly need it, rather than spending equal amounts of resources on
both high- and low-risk targets. Thus, it is imperative that any
cybersecurity legislation use a risk-based analysis system rather than
a one-size-fits-all regime. Leveraging existing regulatory and
voluntary regimes to encourage cybersecurity risk assessments and the
adoption of standards should be considered first in any proposals.
---------------------------------------------------------------------------
\6\ National Infrastructure Protection Plan, http://www.dhs.gov/
xlibrary/assets/NIPP_Plan.pdf.
---------------------------------------------------------------------------
Innovation
Any proposed legislation must also promote, not stifle, innovation.
As I discussed earlier, threats are constantly evolving and so must the
technology to mitigate those threats. Symantec has long been a
supporter of a National cyber R&D strategy. Any cybersecurity
innovation legislation must promote technology advancement so we can
stay ahead of the curve. Cybersecurity policy should therefore maximize
the ability of organizations to develop and adopt the widest possible
choice of cutting-edge cybersecurity solutions. An effective way to do
this is through the creation and implementation of a National
Cybersecurity R&D Plan.
Currently, we have a Federal plan for cyber R&D, but industry must
be part of the larger process, with prioritized, National-level
objectives set jointly by public and private partners. The public-
private partnership should be used to create a genuine National
Cybersecurity R&D Plan that contains a detailed road map and specifies
the respective roles of each partner. This would include input from
industry, academia, and Federal, State, and local governments. The plan
and its implementation road map should be regularly reviewed by the
partners to verify the action plan, determine progress and
accountability, and adjust as necessary.
roles of industry and government in cybersecurity
In discussing public-private partnerships, we should first consider
the various roles of industry and Government with regard to defending
critical infrastructure. The private sector's role is clearly defined
to operate and protect their critical information networks. Just as a
private citizen needs to lock the doors to their home, infrastructure
owners and operators need to ensure that their network security
environment is the most up to date to defend against the latest
threats.
In addition, industry must continually tune their security
environments to manage the level of risk associated with the
information they are protecting, while at the same time working within
the current economic pressures of doing more with less. Further,
industry must move from a device-centric security model to one that is
identity- and information-centric, with a focus on infrastructure that
is secured and more importantly trustworthy. The new security paradigm
of ``data-centricity'' is not only about protection of devices, but
more importantly is about protecting the information.
While the defense of critical infrastructures and the networks they
rely on rests with owners and operators, the Government does play an
important role in cybersecurity. As discussed above, Government has the
ability to create incentives that encourage the adoption of
cybersecurity technologies. It can also assist with education,
training, and awareness to improve the first line of defense by
empowering users. In addition, the Government can serve as a
facilitator for preparedness by sponsoring exercises and drills that
include private industry. Further, it can raise the bar of security
within the Government by outlining minimum requirements for Government
procurement. Last, the Government can support public-private
partnerships and information sharing with industry to improve overall
cybersecurity situational awareness.
While the Government plays a number of roles in cybersecurity, one
of the challenges is measuring the effectiveness of Government CIP
programs. To examine awareness, engagement, and readiness with regard
to Government CIP programs, Symantec conducts an annual global survey
of critical infrastructure providers. Released in October, our 2011
Critical Infrastructure Protection Survey found a drop in awareness
and engagement on a global basis.\7\ We saw a marked decline in
companies that are engaged in Government CIP programs, with 37 percent
in 2011, compared to 56 percent in 2010.
---------------------------------------------------------------------------
\7\ Symantec's Critical Infrastructure Protection Survey is the
result of research conducted in August and September 2011 by Applied
Research, which surveyed C-level IT professionals in SMBs and
enterprises in 14 industries specifically designated as critical
infrastructure industries. The survey included 3,475 organizations from
37 countries in North America, Europe, Middle East and Africa, Asia
Pacific, and Latin America http://www.symantec.com/about/news/release/
article.jsp?prid=20111030_01.
---------------------------------------------------------------------------
While the findings of this survey are somewhat alarming, it is not
that surprising. Many survey respondents reported limitations on
staffing and resources which help explain why critical infrastructure
providers have had to prioritize and focus their efforts on more day-
to-day cyber threats. However, given the increase in targeted attacks,
such as Stuxnet, Duqu, and Nitro, against critical infrastructure
providers, businesses and governments around the world should be
aggressive in their efforts to promote and coordinate protection of
critical cyber networks. Given the survey results, we have several
recommendations for governments to promote CIP programs to owners and
operators in order to raise awareness:
Governments should continue to put forth the resources to
establish government critical infrastructure programs.
The majority of critical infrastructure providers confirm
that they are aware of government critical infrastructure
programs.
Furthermore, a majority of critical infrastructure
providers support efforts by the government to develop
protection programs.
Governments should partner with industry associations and
private enterprise groups to disseminate information to raise
awareness of government CIP organizations and plans, with
specifics about how a response would work in the face of a
national cyber attack, what the roles of government would be,
who the specific contacts are for various industries at a
regional and national level, and how government and private
business would share information in the event of an emergency.
Governments should emphasize to critical infrastructure
providers and enterprises that their information be stored,
backed up, organized, prioritized, and that proper identity and
access control processes are in place.
views on draft legislative proposal for cybersecurity
Symantec was pleased to review the draft bill that has been
circulated by you, Mr. Chairman. The draft legislation is a positive
step forward in developing a National cybersecurity policy that helps
fulfill the core principles I discussed above.
National Cybersecurity Authority
To accomplish the goal of improving cybersecurity, we believe there
needs to be improved coordination between and among entities.
Currently, there are several Government agencies working on various
aspects of cybersecurity, though there is no designated lead. Thus, we
are supportive of the bill's designation of a single entity as the
``National Cybersecurity Authority.'' We must be mindful, however, that
we do not create an additional level of bureaucracy.
Risk Assessment and Standards
We support the bill's inclusion of a risk-based approach to
cybersecurity. Requiring the Secretary of Homeland Security--in
collaboration with industry--to identify risks within our cybersecurity
infrastructure ensures that we do not overburden small businesses with
unnecessary security requirements, while ensuring that our chemical
facilities, dams, and electric grid are appropriately protected. We are
also supportive of using existing internationally recognized consensus-
developed risk-based performance standards, including those developed
by the National Institute of Standards and Technology (NIST). In
addition, we support the bill's instruction to the Secretary to develop
market-based incentives designed to encourage the use of such
standards.
We are also especially pleased that the legislation directs DHS to
take into account how our National cybersecurity strategy and
implementation policies will enhance economic prosperity. Keeping this
goal in mind will help to prevent burdensome regulatory policies from
being implemented. It also appropriately emphasizes the need to
maximize market-based incentives and public-private partnerships for
improved cybersecurity.
Information Sharing
Finally, we support the bill's emphasis on promoting information
sharing. The bill clearly articulates that the Government must share
real-time, actionable information with critical infrastructure owners
and operators.
We also understand the motivation to create a National Information
Sharing Organization, or the NISO. The current system of SCCs and ISACs
was developed to facilitate bi-directional information sharing between
and among Government and private industry. These entities have been
successful in facilitating information sharing within industry, and
have had varying levels of success in industry-to-Government sharing.
However, improvements must be made with regard to how well the
Government shares threat information with private industry.
We believe that one of the reasons the Government is reluctant to
share real-time actionable information is because there is no mandate
to do so. The mandate within the structure of the NISO that the
Government must share information is a strong step in the right
direction. However, questions remain about how we will continue to
utilize the existing entities under the proposed NISO framework. We
believe this is important given the significant time and resources that
companies have invested in the SCCs and ISACs. We look forward to
working with the committee to address these important issues.
conclusion
In conclusion, if we are to successfully mitigate today's multi-
dimensional threats more effectively--and use public-private
partnerships and information sharing as tools--we must incorporate a
comprehensive approach for risk, resiliency, and collaboration to
improve critical infrastructure and cybersecurity. The U.S. public-
private partnership has encountered both successes and challenges over
the years, but it is clear that we must continue to work together to
leverage the best that industry and Government bring to the table and
confront the challenges directly. Recognizing there is no silver bullet
for cybersecurity, we must shift the dialogue from ``solving'' the
cybersecurity problem, to ``managing the risk'' associated with it.
On behalf of Symantec and the Business Software Alliance, we
commend you and your staff's efforts in crafting this legislation that
appropriately focuses on risk management, information sharing, and
technology innovation. We look forward to working with you in the
future as the bill moves through the Congress. I look forward to
answering any questions you may have.
Mr. Lungren. Thank you very much.
Mr. Nojeim.
STATEMENT OF GREGORY T. NOJEIM, SENIOR COUNSEL AND DIRECTOR,
PROJECT ON FREEDOM, SECURITY AND TECHNOLOGY, CENTER FOR
DEMOCRACY AND TECHNOLOGY
Mr. Nojeim. Chairman Lungren, Ranking Member Clarke, and
Members of the subcommittee, thank you for the opportunity to
testify today on behalf of the Center for Democracy and
Technology. CDT is a nonprofit public-interest organization
dedicated to keeping the internet open, innovative, and free.
We applaud the subcommittee for holding this hearing on
cybersecurity legislation. I will address the information-
sharing provisions in the draft bill in some detail, but start
with some high-level observations about the bill which we think
is a very good start. It has a light regulatory touch,
generally relying on market incentives rather than Government
mandates to increase cybersecurity performance. A heavy-handed
approach, by contrast, could discourage security innovation.
The regulation it imposes would extend primarily to owners and
operators of critical infrastructure information systems. It
defines critical infrastructure more carefully than do other
bills, but more specificity would be helpful. It properly
cements DHS as the lead Federal agency for the civilian
cybersecurity program instead of giving this role to NSA or
Cyber Command.
Civilian control promotes the transparency and trust that
are essential to program success. The bill appropriately avoids
giving the Government the authority to shut down or limit
internet traffic in a cybersecurity emergency. Conferring such
authority is anathema to civil liberties. It also undermines
security by discouraging companies from sharing information
that could be used to shut down their operations. Most
importantly, instead of giving the Government the authority to
monitor privately-owned networks for intrusions, it leaves this
authority where it belongs: With the private sector network
operators who know their systems best.
We are concerned, though, about the information-sharing
provisions of the bill and we encourage you to tighten them.
The bill would create a non-profit industry-led, quasi-
Governmental National Information-Sharing Organization, NISO,
through which cyberthreat information would be shared among its
Governmental and private sector members. A privately-run
information-sharing organization is more likely to have the
necessary agility than would a Government-run entity. NISO's
initial board of directors, hand-picked by DHS, would set the
information-sharing rules, but the current draft of the bill
gives it little guidance on what those rules should require and
provides little privacy protection.
Some amendments could address these problems. The bill
should narrowly define the cyberthreat information that can be
shared. This would preclude the flow--the unnecessary flow of
large streams of private communications through NISO to its
Governmental members.
The bill should ensure that information shared for
cybersecurity purposes is used for cybersecurity. This would
prevent cybersecurity information sharing from devolving into
something approaching a surveillance program. It would also
prevent companies from using the data that is shared for
commercial purposes unrelated to cybersecurity, such as for
behavioral advertising.
The bill should require minimization of personally
identifiable information and communication shared through NISO.
Finally, the information-sharing rule should be
enforceable. The bill currently imposes no liability on
private-sector employees and on employees of State and local
governments who violate the information-sharing rules. These
matters must be addressed in the legislation. NISO's board will
not adopt rules to adequately address them absent clear,
strong, specific Congressional direction to do so. We caution
you against amending the bill to permit information to flow to
or from NISO, notwithstanding any law. Such provisions are
almost sure to have unintended consequences.
The cybersecurity bill of the House Intelligence Committee
reported last week includes such a provision, and it is coupled
with an overbroad definition of cyberthreat. They worked
together in that legislation to permit communication service
providers to share with intelligence, law enforcement, and
other agencies ordinary user traffic that the providers
routinely monitor for cyberthreats. It would be unwise to go
down that road. Cybersecurity legislation need not override
privacy and other laws to promote information sharing. An
incremental approach is called for.
Targeted exceptions to privacy and other laws may be
necessary and we will work with you to craft them. Thank you.
[The statement of Mr. Nojeim follows:]
Prepared Statement of Gregory T. Nojeim
December 6, 2011
Chairman Lungren, Ranking Member Clarke, and Members of the
subcommittee: Thank you for the opportunity to testify today on behalf
of the Center for Democracy & Technology.\1\ We applaud the
subcommittee for holding a hearing on draft legislation to address
significant cybersecurity challenges. Clearly, cybersecurity is a
growing problem that Congress needs to address, but with a careful,
nuanced, and incremental approach in order to minimize the unintended
consequences, such as inhibiting innovation, diminishing privacy, or
damaging civil liberties. We believe that the legislation you are
considering is a good start in many ways and that it could use some
improvements in key areas:
---------------------------------------------------------------------------
\1\ The Center for Democracy & Technology is a non-profit public
interest organization dedicated to keeping the internet open,
innovative, and free. Among our priorities is preserving the balance
between security and freedom. CDT coordinates a number of working
groups, including the Digital Privacy and Security Working Group
(DPSWG), a forum for computer, communications, and public interest
organizations, companies, and trade associations interested in
information privacy and security issues.
---------------------------------------------------------------------------
The draft bill has a light regulatory touch, generally
relying on market incentives rather than Government mandates to
increase cybersecurity performance. This approach, which we
favor, encourages companies to enhance their cyber defenses
without forcing compliance with Government-imposed standards
that could discourage security innovation.
The regulation that the draft bill would impose extends
primarily to owners and operators of critical infrastructure
systems, so it is important to carefully define those systems.
The draft bill wisely cements the role of the Department of
Homeland Security as the lead Federal agency for cybersecurity
for the civilian Government and private sectors, instead of
putting an element of the Defense Department in this role.
The draft bill appropriately avoids giving the Government
authority to shut down or limit internet traffic in a
``cybersecurity emergency.''
We are concerned about the information-sharing provisions of
the draft bill and the impact that they could have on privacy.
We will share our suggested changes to those provisions.
network providers--not the government--should monitor privately-owned
networks for intrusions
One of the most important things to get right about cybersecurity--
for civil liberties and for effectiveness--is to ensure that the
private sector remains responsible for monitoring and protecting its
own networks and that monitoring authority not be transferred, directly
or indirectly, to the Government. When the White House released the
Cyberspace Policy Review on May 29, 2009, President Obama embraced this
principle, stating:
``Our pursuit of cybersecurity will not--I repeat, will not--include
monitoring private sector networks or internet traffic. We will
preserve and protect the personal privacy and civil liberties that we
cherish as Americans.''
CDT strongly agrees. No Governmental entity should be involved in
monitoring private communications networks as part of a cybersecurity
initiative. This is the job of the private-sector communications
service providers themselves, not of the Government. Most critical
infrastructure computer networks are owned and maintained by the
private sector. Private system operators know their systems best and
they already monitor those systems on a routine basis to detect and
respond to attacks as necessary to protect their networks; it is in
their business interest to continue to ramp up these defenses.
At a top-line level, all of the major cybersecurity bills,
including the legislation the White House has proposed, honor the
administration's pledge. But Government monitoring of private-to-
private communications likely will not occur through the front door.
Rather, Government monitoring would most likely grow as an indirect
result of information sharing between the private and public sectors or
as an unintended by-product of programs put in place to monitor
communications to or from the Government. For that reason, we focus
extensively here on the information-sharing provisions of the draft
bill. We conclude that they have benefits over the language in both the
administration bill and the Cyber Intelligence Sharing and Protection
Act reported by the House Intelligence Committee on December 1 (H.R.
3523), but we also see areas that need to be clarified or otherwise
improved.
sharing information between the private sector and the government
There is widespread agreement that the current level of
cybersecurity information sharing is inadequate. Private-sector network
operators and Government agencies monitoring their own networks could
better respond to threats if they had more information about what other
network operators are seeing. How to encourage more robust information
sharing without putting privacy at risk is a central policy challenge
that falls to Congress to resolve.
Preferred Approach to Information Sharing
CDT strongly recommends an incremental approach to the information-
sharing problem. First, Congress should determine exactly what
information should be shared that is not shared currently, and why it
is not being shared. We believe that what is most important to share is
attack signatures, information describing other exploits, and
information identifying the source or attribution of attacks or probes.
The assessment of current practices should start with an understanding
of why existing structures, such as the U.S. Computer Emergency
Readiness Team (``US-CERT'') \2\ and the public-private partnerships
represented by the Information Sharing and Analysis Centers (ISACs),\3\
are inadequate. The Government Accountability Office (GAO) has made a
series of suggestions for improving the performance of US-CERT.\4\ The
suggestions include giving US-CERT analytical and technical resources
to analyze multiple, simultaneous cyber incidents and to issue more
timely and actionable warnings; developing more trusted relationships
to encourage information sharing; and providing US-CERT sustained
leadership within DHS that could make cyber analysis and warning a
priority. All of these suggestions merit attention.
---------------------------------------------------------------------------
\2\ US-CERT is the operational arm of the Department of Homeland
Security's National Cyber Security Division. It helps Federal agencies
in the .gov space to defend against and respond to cyber attacks. It
also supports information sharing and collaboration on cybersecurity
with the private sector operators of critical infrastructures and with
State and local governments.
\3\ Each critical infrastructure industry sector defined in
Presidential Decision Directive 63 has established an Information
Sharing and Analysis Center (ISAC) to facilitate communication among
critical infrastructure industry representatives, a corresponding
Government agency, and other ISACs about threats, vulnerabilities, and
protective strategies. See Memorandum from President Bill Clinton on
Critical Infrastructure Protection (Presidential Decision Directive/
NSC-63) (May 22, 1998), http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.
The ISACs are linked through an ISAC Council, and they can play an
important role in critical infrastructure protection. See The Role of
Information Sharing and Analysis Centers (ISACs) in Private/Public
Sector Critical Infrastructure Protection 1 (January 2009), http://
www.isaccouncil.org/whitepapers/files/ISAC_Role_in_CIP.pdf.
\4\ See Government Accountability Office, Cyber Analysis and
Warning: DHS Faces Challenges in Establishing a Comprehensive National
Capability (July 2008), http://www.gao.gov/products/GAO-08-588.
---------------------------------------------------------------------------
Second, an assessment should be made of whether the newly-
established National Cybersecurity and Communications Integration
Center (NCCIC) has addressed some of the information-sharing issues
that have arisen. The NCCIC is a round-the-clock watch and warning
center established at DHS. It combines US-CERT and the National
Coordinating Center for Communications and is designed to provide
integrated incident response to protect infrastructure and networks.\5\
Industry is now represented at the NCCIC \6\ and its presence there
should facilitate the sharing of cybersecurity information about
incidents.
---------------------------------------------------------------------------
\5\ See DHS Press Release announcing opening of the NCCIC, http://
www.dhs.gov/ynews/releases/pr_1256914923094.shtm.
\6\ See DHS Press Release announcing that it has agreed with the
Information Technology Information Sharing and Analysis Center (IT-
ISAC) to embed a full-time IT-ISAC analyst at the NCCIC, November 18,
2010, http://www.dhs.gov/ynews/releases/pr_1290115887831.shtm.
---------------------------------------------------------------------------
Third, Congress must make a realistic assessment as to whether an
information-sharing model that puts the Government at the center--
receiving information, analyzing it, and sharing the resulting analysis
with industry--could ever act quickly enough to respond to fast-moving
threats. Though the White House cybersecurity proposal \7\ and the lead
Senate bill, the Cybersecurity and Internet Freedom Act (S. 413), adopt
the Government-centric approach, we have serious concerns about it. An
industry-based model, subject to strong privacy protections, would be
able to act more quickly and would raise few, if any, of the Fourth
Amendment concerns associated with a Government-centric model.
---------------------------------------------------------------------------
\7\ The text and an analysis of the White House proposal are at
http://www.whitehouse.gov/omb/legislative_letters.
---------------------------------------------------------------------------
Fourth, Congress must account for the significant authority current
law gives providers of communications service to monitor
their own systems and to disclose to Governmental entities information
about cyber attack incidents for the purpose of protecting their own
networks. In particular, the Federal Wiretap Act already provides that
it is lawful for any provider of electronic communications service to
intercept, disclose, or use communications passing over its network
while engaged in any activity that is a necessary incident to the
protection of the rights and property of the provider.\8\ This includes
the authority to disclose communications to the Government or to
another private entity when doing so is necessary to protect the
service provider's network. Likewise, under the Electronic
Communications Privacy Act (ECPA), a service provider, when necessary
to protect its system, can disclose stored communications \9\ and
customer records \10\ to any Governmental or private entity.\11\
Furthermore, the Wiretap Act provides that it is lawful for a service
provider to invite in the Government to intercept the communications of
a ``computer trespasser''\12\ if the owner or operator of the computer
authorizes the interception and there are reasonable grounds to believe
that the communication will be relevant to investigation of the
trespass.\13\ These provisions do not, in our view, authorize on-going
or routine disclosure of traffic by the private sector to Governmental
entities but, rather, go a long way to authorizing the type of targeted
information sharing that we believe is needed.
---------------------------------------------------------------------------
\8\ 18 U.S.C. 2511(2)(a)(i).
\9\ 18 U.S.C. 2702(b)(3).
\10\ 18 U.S.C. 2702(c)(5).
\11\ Another set of exceptions authorizes disclosure if ``the
provider, in good faith, believes that an emergency involving danger of
death or serious physical injury to any person requires disclosure
without delay of communications [or information] relating to the
emergency.'' 18 U.S.C. 2702(b)(8) and (c)(4).
\12\ A ``computer trespasser'' is someone who accesses a computer
used in interstate commerce without authorization. 18 U.S.C.
2510(21).
\13\ 18 U.S.C. 2511(2)(i).
---------------------------------------------------------------------------
While current law authorizes providers to monitor their own systems
and to disclose voluntarily communications and records necessary to
protect their own systems, the law does not authorize service providers
to make disclosures to other service providers or to the Government to
help protect the systems of those other service providers. We believe
it probably should. There may be a need for a very narrow exception to
the Wiretap Act, ECPA, FISA, and other laws that would permit
disclosures about specific attacks and malicious code on a voluntary
basis and that would immunize companies against liability for these
disclosures.
The exception would be narrow so that routine disclosure of
internet traffic to the Government or other entities remains clearly
prohibited. It would bar the disclosure to the Government of vast
streams of communications data, but permit liberal disclosure of
carefully defined cyber attack signatures and cyber attack attribution
information. It may also need to permit disclosure of communications
content that defines a method or the process of a cyber attack. Rather
than taking the dangerous step of overriding the surveillance statutes,
such a narrow exception could operate within them, limiting the impact
of cybersecurity information sharing on personal privacy.
Information Sharing in the Draft Bill \14\
---------------------------------------------------------------------------
\14\ In addition to the information-sharing entity discussed at
length below, the draft bill calls on DHS to facilitate information
sharing and interactions and collaborations among Federal agencies,
State and local governments and academic and international partners, to
disseminate timely and actionable cybersecurity threat, vulnerability,
and mitigation information, to compile and analyze risks and incidents
regarding threats to Federal systems and critical infrastructure
information systems, and to provide incident detection, analysis,
mitigation, and response information to Federal agencies and to private
entities and other Governmental entities that own or operate critical
infrastructure. This is consistent with its duties today.
---------------------------------------------------------------------------
The draft bill establishes \15\ the National Information Sharing
Organization (NISO), a non-profit, quasi-Governmental organization to
serve as a National clearinghouse for the exchange of undefined ``cyber
threat information''--including information derived from intelligence
collection--among owners and operators of critical and non-critical
networks and systems in the private sector, the Federal Government,
State and local governments, and educational institutions. One of its
goals would be to create a ``common operating picture'' by combining
network and cyber threat warning information shared with the Federal
Government and with NISO members designated by its board of directors.
NISO would be required by law to ensure that information exchanged is
stripped of all information that identifies the submitting entity, but
it would not be required by law to minimize personally identifiable
information that is shared. Threat and vulnerability information
derived from intelligence collection could only be shared with cleared
NISO members.
---------------------------------------------------------------------------
\15\ It is not clear whether NISO is a newly-established non-
profit, or whether an existing non-profit, or existing non-profits,
would become NISO. This should be clarified.
---------------------------------------------------------------------------
DHS would select NISO's initial board of directors. That board
would set procedures for future board elections and criteria for
membership in NISO by non-Federal entities. It would establish a
governing charter setting information-sharing rules for NISO and its
members, including the treatment of intellectual property, limitations
on liability, measures to mitigate anti-trust concerns, and protections
of privacy and civil liberties. NISO would determine the extent to
which its own activities would be transparent to the public--
information submitted to and exchanged through NISO would be exempt
from disclosure under FOIA and information it shares with State and
local governments would be exempt from disclosure under State law.
Participation in NISO would be mandatory for the Departments of
Energy, Defense, and Homeland Security and the FBI. Other entities such
as companies, State and local governments, and academic institutions
would participate voluntarily by becoming members under criteria
established by the NISO board of directors and by paying membership
fees determined by the board.\16\ Industry representatives would
dominate its board of directors, which would include representatives of
small business, seven critical infrastructure sectors, DHS, the
Department of Defense, the Department of Justice, the intelligence
community and the privacy and civil liberties community.\17\
---------------------------------------------------------------------------
\16\ Up to 15 percent of NISO's annual expenses would come out of
the DHS budget.
\17\ Industry representatives would outnumber Governmental
representatives by 2-1 and would outnumber privacy and civil liberties
community representatives by 5-1.
---------------------------------------------------------------------------
Evaluation of the Proposed Information-Sharing Regime
At a top-line level, NISO would be something of a ``super ISAC.''
Like an ISAC, it would be convened by the Government, devoted to
cybersecurity information sharing, and dominated and paid for by
industry. It would partner with the same Governmental and private
organizations that an effective ISAC would. The largest differences are
that NISO is not sector-specific, thus facilitating information sharing
across sectors, that some of its information-sharing rules are guided
by statute instead of being set by its members or governing board, and
its enabling statute removes any doubt that classified cybersecurity
information could be shared with participating entities cleared to
receive it. Whether NISO will be effective or not seems to turn on
whether it addresses deficiencies in the current ISAC/US-CERT
structures. We suggest that you measure NISO against any identified
shortcomings in these existing structures to ensure that the bill does
not establish a redundant information-sharing entity.
We would make a number of suggestions to protect privacy and
promote efficacy if the committee determines to move forward with
NISO:\18\
---------------------------------------------------------------------------
\18\ The NISO provisions are very much a work in progress and we
will be suggesting some technical clarifications to staff that are not
outlined here.
1. Carefully define, with reference to existing law, the cyber
threat information that can be shared with or through NISO. It
is not necessary to run a bulldozer through existing laws that
protect privacy and other societal values with a provision
permitting the sharing of broadly-defined cyber threat
information ``notwithstanding any law.'' Such an open-ended
exception would be damaging to privacy and would likely have
adverse unintended effects. Both the White House information-
sharing proposal and the House Intelligence Committee's Cyber
Intelligence Sharing and Protection Act, H.R. 3523, have this
defect.\19\ In contrast, CIFA, the lead Senate bill, explicitly
provides that cyber attack reporting must comply with the
surveillance statutes, rather than override them.\20\
---------------------------------------------------------------------------
\19\ The House Intelligence Committee's bill defines cyber threat
information so broadly that it would permit carriers to share all of
the communications traffic they scan to protect their networks, and to
share that traffic with the FBI, NSA, and other Governmental agencies.
Our analysis of the bill can be found at http://www.cdt.org/blogs/
gregnojeim/112cyber-intelligence-bill-threatens-privacy-and-civilian-
control.
\20\ S. 413, the Cybersecurity and Internet Freedom Act of 2011,
proposed Section 246(c)(1)(A)(ii) to the Homeland Security Act.
2. Restrict the purpose and use of the information being shared to
cybersecurity. Cybersecurity should not become a back door for
the flow of information to the Government for law enforcement
purposes, or to the private sector to help it target
advertising or for other commercial purposes unrelated to
cybersecurity. The draft bill falls short in this area,
permitting Government participants in NISO to use information
shared to prosecute any crime,\21\ and permitting industry
participants to use the information for any commercial purpose,
including commercial purposes that might be at odds with the
interests of the party submitting the information. While the
bill permits entities submitting information to NISO to impose
use and disclosure restrictions on the information when it is
disclosed to officials of the U.S. Government, this provides
little comfort to the computer user to whom the disclosed
information may pertain and whose interests may not align with
those of the company submitting the information. We are
particularly concerned about the degree to which personally
identifiable information and communications content would flow
to Governmental entities through the NISO. These issues should
be addressed by law; rules and procedures the NISO board adopts
will not be sufficient.
---------------------------------------------------------------------------
\21\ Since the prosecution of cybersecurity crimes serves a
cybersecurity purpose, cyber threat information shared through the NISO
could be used to prosecute such crimes, including violations of the
Computer Fraud and Abuse Act.
3. Make the restrictions on information sharing enforceable by
people and entities aggrieved by violations. Companies that
share carefully-defined cyber threat information through NISO
should be insulated against liability for doing so. However, if
they break the rules, there should be consequences. The current
draft makes it a misdemeanor for an employee of the Federal
Government to knowingly disclose without authorization cyber
threat information protected against disclosure. There are no
penalties if a State or local official or an employee of a
company participating in the NISO makes a similar disclosure.
The bill's penalties should apply to intentional violations by
State or local officials or private-sector employees.
4. Require that information sharing to and from the NISO minimize
the personally identifiable information and communications
content that is shared. When cyber threat information includes
PII or communications content that is not necessary to identify
and respond to the threat, such information need not, and
should not, be shared, and the bill should so provide. Like the
White House bill, it should require destruction of
communications intercepted or disclosed for cybersecurity
purposes that do not appear to be related to cybersecurity
threats.
5. Ensure that information sharing by NISO members is voluntary. We
assume that the bill does not intend to mandate information
sharing, but proposed Section 248 in the draft bill, entitled
``Voluntary Information Sharing,'' does not actually specify
that information-sharing be voluntary. Instead, the bill
permits the NISO board to set the information-sharing rules,
which could be misread as permitting the board to adopt a rule
that would require members to share information as a condition
of membership. The enabling statute should prohibit the NISO
board from adopting any such rule.
6. Enhance transparency with audits and Inspector General reports.
DHS Inspector General should be required to issue an annual
report that evaluates the efficacy of NISO's information-
sharing activities and their impact on privacy. These reports
should be public, but may have a classified annex. The bill
could also require publicly-reported independent audits to
ensure that information sharing through NISO comports with
statutory requirements and rules and procedures adopted by the
NISO board.
7. Consider whether information sharing through NISO should be
complemented by efforts to enhance information sharing directly
within industry, subject to audits, reporting and other privacy
controls. While it may have disadvantages, a distributed
information-sharing system may be more nimble than a
centralized, hub-and-spoke model.
cybersecurity role of the department of homeland security and of dod entities
The draft bill would firmly establish DHS as lead Federal agency
responsible for improving the security of civilian Federal systems and
for working with the private sector to improve the security of civilian
critical infrastructure systems. Under the bill, DHS cybersecurity
activities would include: Conducting risk assessments of Federal
systems and, upon request, of privately-owned critical infrastructure
information systems; facilitating adoption of new cybersecurity
policies and practices; becoming a focal point within the Federal
Government for protecting Federal systems and critical infrastructure
systems; coordinating among Federal agencies and State and local
governments, academia, and international partners on cybersecurity;
developing a cybersecurity incident response plan; sharing information
about cyber threats and vulnerabilities and mitigation strategies with
Governmental agencies and with owners and operators of critical
infrastructure information systems; and a host of other cybersecurity
activities.
Putting DHS in the lead is the right approach, and in this regard
the draft bill is superior to other proposals that could put an element
of the Department of Defense--the National Security Agency or Cyber
Command--formally or de facto at the head of civilian cybersecurity
efforts. Some have suggested that these military entities be given a
lead role because of their expertise and resources. We believe that to
be most effective, the Government's cybersecurity program should
harness the expertise and resources of the DOD, but a civilian agency
must remain in control of the overall program in order to ensure
transparency and thereby instill trust of the private sector and the
public. Less transparency means less trust, less corporate
participation, and less effectiveness of the Government's cybersecurity
program.
Over 85% of critical infrastructure information systems are owned
and operated by the private sector, which also provides much of the
hardware and software on which Government systems rely, including the
Government's classified systems. The private sector has valuable
information about vulnerabilities, exploits, patches, and responses.
Private-sector operators may hesitate to share this information if they
do not know how it will be used and whether it will be shared with
competitors. Private-sector cooperation with Government cybersecurity
effort depends on trust. A lack of transparency undermines trust and
has hampered cybersecurity efforts to date. In addition, without
transparency, there is no assurance that cybersecurity measures
adequately protect privacy and civil liberties and adhere to due
process and Fair Information Practice Principles. Transparency is also
essential if the public is to hold the Government accountable for the
effectiveness of its cybersecurity measures and for any abuses that
occur.
NSA and Cyber Command operate, understandably, in a culture of
secrecy that is incompatible with the information sharing necessary for
the success of a civilian cybersecurity program. As a result, a DOD
entity should not be given a leading role in monitoring the traffic on
unclassified civilian Government systems, nor in making decisions about
cybersecurity as it affects such systems; its role in monitoring
private sector systems should be even smaller. Instead, procedures
should be developed for ensuring that whatever expertise and technology
DOD has in discerning attacks is made available to a civilian agency.
We applaud steps taken in this direction, such as the September 27,
2010 MOU between DHS and DOD setting forth the terms by which each
agency provides personnel, equipment, and facilities to increase
collaboration and support and synchronize each other's cybersecurity
operations.\22\
---------------------------------------------------------------------------
\22\ Memorandum Agreement Between DHS and DOD Regarding
Cybersecurity, effective September 27, 2010, http://www.dhs.gov/
xlibrary/assets/20101013-dod-dhs-cyber-moa.pdf.
---------------------------------------------------------------------------
designations of critical infrastructure should be narrowly targeted
DHS should concern itself only with genuinely critical
infrastructure, and that infrastructure should be narrowly defined. A
narrow definition focuses agency resources where they are most needed
and ensures minimal conflicts with other regulatory regimes. Such a
definition also ensures that the burdens of Government reporting and
regulatory compliance are imposed only on private-sector network
operators who are truly ``critical'' and limits impact on traditionally
non-regulated entities.
In this regard, other cybersecurity proposals raise very serious
concerns. The May 12, 2011 White House proposal does little to provide
specificity, defining critical infrastructure as those entities whose
incapacity or disruption would cause ``a debilitating impact.''\23\
This standard is ambiguous and could sweep vast swaths of U.S. industry
into a regulatory fold. The Senate's CIFA bill does a better job, and
requires that the disruption of any critical infrastructure system
would cause ``a mass casualty event which includes an extraordinary
number of fatalities,'' ``severe economic consequences,'' ``mass
evacuations with a prolonged absence,'' or ``severe degradation of
National security capabilities, including intelligence and defense
functions.''\24\
---------------------------------------------------------------------------
\23\ White House proposal, proposed Section 3(b)(1)(A) of the
Cybersecurity Regulatory Framework for Critical Infrastructure Act.
\24\ S. 413, Cybersecurity and Internet Freedom Act of 2011,
proposed Section 254 of the Homeland Security Act and amendments to
Section 210E of the Homeland Security Act.
---------------------------------------------------------------------------
The draft bill does better than either the administration proposal
or the Senate bill. It defines covered critical infrastructure as a
facility or function which, if destroyed, disrupted, or accessed
without authorization, through exploitation of a cyber vulnerability,
would result in: (i) loss of thousands of lives; (ii) major economic
disruption, including disruption or failure of financial markets; (iii)
mass evacuation of a major metropolitan area for longer than 30 days;
or (iv) severe degradation of national security or non-military defense
functions. While more precise than the definition of critical
infrastructure in either the White House proposal or in CIFA, this
definition, too, would benefit from more specificity.
It would be useful, for example, for the statute to define the
level of economic disruption and of lives lost that would trigger
coverage as ``critical infrastructure.'' DHS has already drawn these
lines in its definitions of Tier 1 and Tier 2 Critical Infrastructures
and Key Resources, and DHS uses these more precise definitions to
allocate resources used to protect critical assets. If the draft bill
becomes law as written, DHS would have discretion in specifying what is
critical and what is not. It could draw those lines as it already has
or it could draw new lines. The question for the committee is whether
Congress draws the lines that determine what assets are subject to DHS
regulation or whether to leave that decision to DHS. We favor Congress
drawing those lines in a transparent, precise, and measurable way. We
also suggest that the draft bill be amended to include a meaningful
appeal process companies could trigger when they believe an asset of
theirs has been incorrectly designated as ``critical infrastructure.''
incentivizing risk-based conduct to secure critical infrastructure
In terms of enhancing the security of private networks and systems,
the Government may assist the private sector but it should not intrude
into the details of private sector cybersecurity planning processes and
it should not dictate technology standards. Certain agencies may have
unique insights into burgeoning threats, specific attack signatures, or
useful defensive techniques, but private-sector information
technologists typically understand the operation of their own networks
better than Government regulators. The goal should be to enhance the
capability of the private sector, not to transfer it to the Government.
Furthermore, when it comes to securing critical infrastructure, one
size does not fit all. Existing regulatory regimes reflect this
reality: The regime governing operation of a nuclear power plant is
much more prescriptive than the regulatory regime governing most
information technology. Cybersecurity measures should build on this
insight.
The draft bill would authorize DHS, in coordination with Federal
agencies and owners and operators of critical infrastructure, to assess
cybersecurity risks to critical infrastructure and the harms that could
result from disruption, destruction, or unauthorized use of critical
infrastructure information systems. DHS would also catalogue
internationally recognized consensus-developed risk-based performance
standards and develop unspecified market-based incentives designed to
encourage use of those standards. It would then coordinate with the
relevant regulatory agencies and private-sector entities to work to
include the risk-based performance standards in the regulatory regimes
applicable to the covered critical infrastructure. This approach helps
ensure alignment between existing regulatory regimes and performance
standards DHS has identified. In cases where there is no existing risk-
based security performance standard, DHS would work with the owners and
operators of critical infrastructure to mitigate identified risks and
would coordinate with international bodies to develop and strengthen
standards to address the identified risks.
We believe this consultative, risk-based approach will contribute
to cybersecurity without inhibiting innovation. It gives DHS
flexibility to draw distinctions between different types of critical
infrastructure and to work with industry to identify appropriate risk-
based performance standards for each.
For the sake of privacy, innovation, and effectiveness, Government
efforts to improve private-sector cybersecurity should adhere to
several overarching principles. The Government should generally avoid
technical mandates. DHS in particular should not have the power to
dictate technical standards or to override a company's decisions about
how to best protect its information systems. Nor should DHS have any
enforcement power with respect to the performance-based standards it
identifies. Instead, enforcement and oversight should occur through
existing regulatory schemes. When trying to raise standards, the
Government should generally avoid punitive measures. Penalizing
companies that fall short of some standard will discourage the
reporting of security incidents and will put the Government in the role
of adversary rather than partner.
As we understand the section of the draft bill adding a new Section
227 to the Homeland Security Act, it adheres to these principles. In
contrast, some of the Senate bills have been particularly worrisome in
this regard, giving DHS open-ended regulatory powers to approve
security plans and to penalize actors who fail to comply with those
regulations.\25\ Under the draft bill, existing regulatory regimes that
already authorize a Governmental agency (other than DHS) to dictate
technical standards for an industry or to override decisions of a
particular company would remain in place. This seems appropriate--it
would leave enforcement with those agencies already set up to regulate
a given sector, most of which have already been addressing
cybersecurity, sometimes for years. The draft bill seeks to empower
those regulators with additional knowledge about risk-based performance
standards. It would encourage DHS to play a consultative, rather than a
directive role, and to work with industry rather than against it. We
believe the bill is intended to leave decisions about the measures a
company should take to reach the necessary level of performance where
those decisions belong, with the people who know those systems best--
the owners and operators of critical infrastructure information systems
and the regulators who intimately know the industry. It might be
appropriate to amend the bill to make the foregoing more explicit, as
the White House did in its own legislative proposal.\26\
---------------------------------------------------------------------------
\25\ S. 413, Cybersecurity and Internet Freedom Act of 2011,
proposed Section 250(c) of the Homeland Security Act (authorizing civil
penalties for violators of Section 248, as added by the bill, which
establishes a risk management regulatory regime).
\26\ White House proposal, proposed Section 4(b)(5) of the
Cybersecurity Regulatory Framework for Critical Infrastructure Act.
---------------------------------------------------------------------------
For companies that operate critical infrastructure in sectors that
do not have an existing regulatory regime, the bill includes no
mechanism to promote the adoption of internationally recognized,
consensus-driven risk-based performance standards, other than market-
based incentives and the existing authority of the Federal Trade
Commission, which has brought cases against companies engaging in
inappropriate security practices involving consumers' personal data.
While this seems to leave a gap in oversight and enforcement, we
believe that there is relatively little critical infrastructure that
does not fall within an existing regulatory scheme. To the extent that
there are such critical infrastructure systems that do not fall within
an existing scheme (other than the FTC's overarching Section 5
authority), the committee might consider whether it would be
appropriate to require some level of transparency for companies of a
certain size so that the public and/or Congress is made aware of when
such companies fail to adopt and adhere to relevant standards. Any
transparency requirement should not mandate disclosure of information
that would tip off hackers to particular vulnerabilities.
presidential authority in cybersecurity emergencies
There has been much discussion about whether the President or the
Department of Homeland Security ought to be given authority to limit or
shut down internet traffic to or over a privately-owned \27\ critical
infrastructure information system in an emergency or to disconnect such
systems from other networks for reasons of National security.\28\
Through omission, both the draft bill and the White House legislative
package implicitly reject this dangerous idea, and we urge you to
oppose any efforts that may be made to include it in any cybersecurity
legislation.
---------------------------------------------------------------------------
\27\ Presumably, the Government already has the authority to
disconnect its own systems from the internet and CDT does not challenge
such authority.
\28\ The leading Senate cybersecurity bill, S. 413, the
Cybersecurity and Internet Freedom Act, includes such a provision. For
an analysis, see http://www.cdt.org/blogs/greg-nojeim/does-senate-
cyber-bill-include-internet-killswitch.
---------------------------------------------------------------------------
To our knowledge, no circumstance has yet arisen that could justify
a Governmental order to limit or cut off internet traffic to a
particular privately owned and controlled critical infrastructure
system. We know of no dispute where a critical infrastructure operator
has refused to take appropriate action on its network that would
justify the exercise of such a power. Operators have strong financial
incentives to quarantine network elements and limit or cut off internet
traffic to particular systems when they need to do so. They know better
than do Government officials whether their systems need to be shut down
or isolated.
In contrast, a new Presidential ``shut-down'' power comes with a
myriad of unexamined risks. A shut-down could interfere with the flow
of billions of dollars necessary for the daily functioning of the
economy. It could deprive doctors of access to medical records and
cripple communications among first responders in an emergency. These
and other consequences could have world-wide effect because much of the
world's internet traffic flows through U.S. networks.
Even if such power over private networks were exercised only
rarely, its mere existence would pose other risks, enabling a President
to coerce costly, questionable--even illegal--conduct by threatening to
shut down a system.
Giving the Government the power to shut down or limit internet
traffic would also create perverse incentives. Private-sector operators
will be reluctant to share information if they know the Government
could use that information to order them to shut down. Conversely, when
private operators do determine that shutting down a system would be
advisable, they might hesitate to do so without a Government order, and
could lose precious time waiting to be ordered by the Government to
shut down so as to avoid liability for the damage a shut-down could
cause others.
Finally, the grant of unfettered ``shut-down'' authority to the
President would give aid and comfort to repressive countries around the
world. The Government of Egypt was widely condemned when it cut off
internet services to much of its population on January 27, 2011, in
order to stifle dissent. The United States should not now endorse such
a power, even if only for cybersecurity purposes, because to do so
would set a precedent other countries would cite when shutting down
internet services for other purposes.
We urge you to reject proposals to give the President or another
Governmental entity power to limit or shut down internet traffic to
privately-held critical infrastructure systems.
conclusion
We appreciate the opportunity to testify about the draft
legislative proposal that is before the committee. We believe the
legislation is in many ways a good start and that its light regulatory
touch would enhance cybersecurity without stifling innovation. The bill
would benefit from some substantial tightening of the information-
sharing provisions, and we have suggested a number of changes. We look
forward to working with you on those changes and on other provisions of
the draft legislation as it moves through the legislative process.
Mr. Lungren. Thank you very much, Mr. Nojeim.
Mr. Kosar.
STATEMENT OF KEVIN R. KOSAR, ANALYST IN AMERICAN GOVERNMENT,
CONGRESSIONAL RESEARCH SERVICE
Mr. Kosar. Chairman Lungren, Ranking Member Clarke, Members
of the subcommittee, on behalf of the Congressional Research
Service I would like to thank you for the opportunity to
testify today.
CRS was asked to examine draft legislation to amend the
Homeland Security Act of 2002 to establish a National
Information-Sharing Organization, or NISO. CRS' examination
focused solely upon the organizational structure of NISO and
does not address cybersecurity policy.
My written testimony provided a preliminary examination and
analysis of NISO as presently proposed. In my limited time
here, I will briefly review NISO's proposed structure and
provide comments on it.
The draft legislation would establish NISO as a not-for-
profit organization for sharing cyberthreat information and
exchanging technical assistance, advice, and support, and
developing and disseminating necessary information security
technology. NISO would have a 15-person board of directors that
initially would be appointed by the Secretary of the Department
of Homeland Security. Board members would include a
representative from DHS, four persons from Federal agencies
with cybersecurity responsibilities and ten individuals from
the private sector.
After the first year, the private-sector members would be
replaced through elections held by NISO. As my written
statement indicates, NISO would appear to meet CRS' definition
of a quasi-Governmental entity. It would be a Government-
established organization that combines the legal
characteristics of both the Governmental and private sectors.
NISO would be authorized by Federal statute and required to
serve purposes set by Federal statute. Yet NISO also would be
led by a board comprised mostly of individuals from the private
sector, and NISO would be mostly funded by the private sector.
In the limited time available, I was able to locate only
one precedent for an organization that was substantially
structured like NISO: SEMATECH, which Congress established by a
statute in 1987. That said, NISO would have notable differences
from SEMATECH. Now, quasi-Governmental organizations are not
new in the United States. Congress chartered the quasi-
Governmental First Bank of the United States in 1791. Quasi-
Governmental entities can be creative vehicles for addressing
complex public policy issues.
However, for Congress an enduring question with quasi-
Governmental entities is the matter of accountability;
specifically, how to ensure a partially or mostly private
organization will faithfully execute the law and be responsive
to policymakers.
Now, trying to ascertain how an organization might behave
based upon examining its statute is inherently challenging as
its plain organizational behavior is affected by non-statutory
factors, such as the quality of its management and the Federal
Government's oversight thereof.
With those caveats noted, based upon a preliminary
analysis, NISO appeared to likely be an organization that would
operate in a largely self-directed private-sector manner.
I suggest this based upon the following observations:
First, the draft legislation would have Federal
representatives fill a minority, five, of the 15 board
positions. The rest would be private-sector representatives.
Second, the board itself, not the President or the DHS
Secretary, would have the authority to choose NISO's chair and
co-chair, and these persons must be private-sector
representatives. Additionally, the board would also be
empowered to incorporate NISO as an organization, set all its
rules for operations, employment, and compensation, and to
appoint its officers.
Third, who would actually do the day-to-day work of NISO is
unclear. NISO's board would choose one or more operators based
upon the criteria set in section 241(d). Additionally, whether
board members would be full-time employees actively engaged in
operational oversight is not clear.
Fourth, NISO would appear to have considerable discretion
to decide which non-Federal organizations would be permitted or
able to join NISO.
Fifth, there would not appear to be any requirement that
GAO or an inspector general be able to audit or examine NISO's
books. NISO would not be required, so far as I can tell, to
provide annual reports to the Congress and the President on its
operations and whether or not it is reaching its benchmarks.
Sixth and finally, the draft legislation would limit the
Federal Government's contribution to no more than 15 percent of
NISO's annual operating costs. Whether the threat of losing
that 15 percent contribution would be a sufficient carrot to
encourage on-going NISO compliance to Government direction is
not clear.
I will conclude my testimony here. If CRS may be of further
assistance to you, I and my colleagues stand ready to help.
Once again, thank you for the privilege to appear before you
today.
[The statement of Mr. Kosar follows:]
Prepared Statement of Kevin R. Kosar
December 6, 2011
introduction
Chairman Lungren and Ranking Member Clarke, and Members of the
subcommittee--on behalf of the Congressional Research Service, I would
like to thank you for this opportunity to appear before you today.
CRS was asked to examine draft legislation that would amend the
Homeland Security Act of 2002 (6 U.S.C. 101 et seq.; HSA) for multiple
purposes.\1\ In particular, CRS was asked to provide its observations
on Section 3 of the draft legislation, which would amend Title II of
HSA to establish a National Information Sharing Organization (NISO).
---------------------------------------------------------------------------
\1\ The draft legislation supplied by the committee is dated
November 2, 2011 (1:58 p.m.).
---------------------------------------------------------------------------
Per your request, this written statement focuses solely upon the
organizational structure of the NISO.\2\ It first describes the
organizational attributes of NISO as proposed in draft legislation, and
then provides observations on NISO as a type of quasi-Governmental
entity.
---------------------------------------------------------------------------
\2\ Thus, no analysis is provided of the role the NISO would play
in the realm of cybersecurity policy or how NISO would integrate or
coordinate with existing cybersecurity authorities.
---------------------------------------------------------------------------
Organizational Attributes of the Proposed NISO
The draft legislation would establish NISO as a ``not-for-profit
organization for sharing cyber threat information and exchanging
technical assistance, advice, and support and developing and
disseminating necessary information security technology.'' The draft
further defines the NISO's purpose as:
``serving as a National clearinghouse for the exchange of cyber threat
information so that the owners and operators of networks or systems in
the private sector, educational institutions, State, Tribal, and local
governments, entities operating critical infrastructure, and the
Federal Government have access to timely and actionable information in
order to protect their networks or systems as effectively as
possible.''
The NISO would have a 15-person Board of Directors that would be
appointed by the Secretary of the Department of Homeland Security.
Board members would include a representative from the Department of
Homeland Security, four persons from Federal agencies with
``significant responsibility for cybersecurity,'' and 10 individuals
from the private sector. These latter appointees would include two
representatives from the ``privacy and civil liberties community,'' and
eight representatives of critical infrastructure stakeholders,
including: Banking and finance, communications, defense industrial
base, energy (electricity, oil, and natural gas), health care, and
information technology. Each Board member would serve 3-year terms, and
private sector members would be replaced through elections held by the
NISO.\3\
---------------------------------------------------------------------------
\3\ The initial private-sector Board members would serve 1-year
terms, and then would be replaced through elections. Whether said
members would be permitted to seek re-election is not addressed by the
legislation.
---------------------------------------------------------------------------
The Board would be empowered to incorporate the NISO, to choose its
own chairperson and co-chairperson, and to devise all bylaws and rules
for the operation of NISO. The draft bill does not explicate whether
NISO Board Members would be full-time employees or what their
compensation would be.
The draft legislation would limit the Federal Government's
contribution to 15% of NISO's annual operating costs.
Observations
NISO: A Governmental, Private Sector, or Quasi-Governmental Entity?
According to the discussion draft, the NISO would appear to meet
CRS's definition of a quasi-Governmental entity: A Government-
established organization that combines the legal characteristics of
both the Governmental and private sectors.\4\ As Table 1 indicates, the
NISO would have attributes that are Governmental, private sector, and
hybrid (both Governmental and private sector).
---------------------------------------------------------------------------
\4\ Generally, see CRS Report RL30533, The Quasi Government: Hybrid
Organizations with Both Government and Private Sector Legal
Characteristics, by Kevin R. Kosar.
TABLE 1.--ATTRIBUTES OF THE PROPOSED NISO
------------------------------------------------------------------------
Governmental Attributes:
- Authorized by Federal statute.
- Required to serve purposes set by Federal statute.
- Secretary of Homeland Security appoints the Board of Directors.
Private Sector Attributes:
- Board members would incorporate the NISO by filing incorporation
papers with a non-Federal authority (e.g., a State or the District of
Columbia).
- The NISO would have the authority to establish its own operating
procedures and mission statement.
- The NISO is explicitly exempted from the Freedom of Information Act
(5 U.S.C. 552).
Hybrid Attributes:
- The Board of Directors is comprised of 10 private-sector
representatives and 5 Federal agency representatives.
- NISO would be funded by both the Federal Government and the private
sector.
- NISO membership is partially set by statute, and partially devised
by NISO's Board of Directors.
------------------------------------------------------------------------
When Congress creates quasi-Governmental entities, it tends to do
so on an ad hoc basis. That is, each quasi-Governmental entity is
crafted by a separate statute, and that statute is sculpted according
to a variety of policy and political considerations. That caveat noted,
CRS previously has identified a number of types of quasi-Governmental
entities.\5\ The entities for each of these types share basic
organizational attributes (e.g., GSEs are for-profit), and these quasi-
Governmental types are listed in Table 2.
---------------------------------------------------------------------------
\5\ CRS Report RL30533, The Quasi Government: Hybrid Organizations
with Both Government and Private Sector Legal Characteristics, by Kevin
R. Kosar.
TABLE 2.--TYPES OF QUASI GOVERNMENTAL ENTITIES IDENTIFIED BY CRS
------------------------------------------------------------------------
Type: Example
------------------------------------------------------------------------
Quasi-Official Agencies: State Justice Institute.
Government-Sponsored Enterprises: Fannie Mae.
Federally-Funded Research and Development Centers: Sandia National
Laboratories.
Agency-Related Nonprofit Organizations (three subtypes, below):
- Adjunct Organizations Under the Control of a Department or Agency:
National Pork Board.
- Organizations Independent of, But Dependent Upon, Agencies: Henry M.
Jackson Foundation.
- Nonprofit Organizations Affiliated with Departments or Agencies:
National Park Foundation.
Venture Capital Funds: In-Q-Tel.
Congressionally Chartered Nonprofit Organizations: American Legion.
Instrumentalities of Indeterminate Character: U.S. Investigation
Services.
------------------------------------------------------------------------
Source.--CRS Report RL30533, The Quasi Government: Hybrid Organizations
with Both Government and Private Sector Legal Characteristics.
As presently proposed, the NISO could be characterized as an
agency-related non-profit organization. NISO would be a non-profit
organization and it would have an affiliation with the Department of
Homeland Security by virtue of the Secretary's role in selecting a
minority of NISO's board members.
However, NISO organizationally would not fit neatly into any of the
subtypes of agency-related non-profit organizations above. Rather, it
would possess characteristics associated with all three subtypes. Like
the National Pork Board and other agricultural check-off entities, it
would charge its members fees. As with the Henry M. Jackson Foundation,
the NISO would undertake a research agenda that is broadly defined in
statute. And like the National Park Foundation, the NISO would be
affiliated with a Federal agency and have Federal representatives on
its board.\6\
---------------------------------------------------------------------------
\6\ A board comprised of representatives of both the Government and
private sector is not unusual for quasi-Governmental entities. The
American National Red Cross, which was chartered a century ago, is a
well-known example. Federal representation on the board of the Red Cross was
changed most recently in 2007. Pub. L. 110-26 authorizes the President
to appoint one board member and to name the chairman of the board. CRS
Report RL33910, The Charter of the American National Red Cross: Current
Issues and Proposed Changes, by Kevin R. Kosar.
---------------------------------------------------------------------------
One particularly notable aspect of the NISO as currently proposed
is that it would charter itself. Typically, quasi-Governmental entities
are chartered via Federal statute; the law itself incorporates the
entity. Such charters typically set forth the corporation's: (1) Name;
(2) purpose(s); (3) duration of existence (limited or in perpetuity);
(4) governance structure (e.g., executives, board members, etc.); (5)
powers; and (6) the schema for Federal oversight (e.g., annual
reporting).\7\
---------------------------------------------------------------------------
\7\ CRS Report RS22230, Congressional or Federal Charters: Overview
and Current Issues, by Kevin R. Kosar, p. 1.
---------------------------------------------------------------------------
In the limited time available, CRS could locate only one recent
precedent for self-chartering--the Semiconductor Manufacturing
Technology (SEMATECH) consortium--an entity established by Congress in
1987 (Pub. L. 100-180, Part F; 101 Stat. 1068).\8\
---------------------------------------------------------------------------
\8\ A copy of SEMATECH's legislation is attached to this
memorandum.
---------------------------------------------------------------------------
Congress established SEMATECH in response to the United States'
growing dependency upon Japan for semiconductors.\9\ Viewing this as a
National security vulnerability, SEMATECH was a quasi-Governmental
entity comprised of more than a dozen major domestic semiconductor
manufacturers, such as AT&T Microelectronics and Intel.\10\ SEMATECH
was a research and development enterprise whose purposes were to
``encourage the semiconductor industry in the United States--(A) to
conduct research on advanced semiconductor manufacturing techniques;
and (B) to develop techniques to use manufacturing expertise for the
manufacture of a variety of semiconductor products.'' SEMATECH was
affiliated with the Department of Defense (DoD) but was led and staffed
by the private-sector stakeholders (not Government appointees and
employees).
---------------------------------------------------------------------------
\9\ CRS Report 92-749 SPR, SEMATECH: Issues in Evaluation and
Assessment, by Glenn J. McLoughlin. (Archived report available from the
author of this report.)
\10\ CRS Report 91-831 SPR, SEMATECH Facts, by Glenn J. McLoughlin.
(Archived report available from the author of this report.) SEMATECH
also had an adjunct organization, SEMI/SEMATECH, comprised of
approximately 130 U.S. equipment suppliers and materials suppliers.
---------------------------------------------------------------------------
The costs of SEMATECH were shared between the Federal Government
and the private sector--the Federal Government funded SEMATECH via
grants authorized by the Secretary of Defense, and SEMATECH charged its
members annual dues.
While NISO and SEMATECH share some organizational attributes, there
are at least two considerable differences (Table 3). First, SEMATECH's
legislation required that the DoD and SEMATECH operate under a memorandum of
understanding (MOU) that provided the DoD with certain authorities over
SEMATECH, such as the authority to participate in the development of
SEMATECH's annual operating plan. Additionally, SEMATECH's statute
created an Advisory Council on Federal Participation in SEMATECH. This
12-person panel was comprised of both Federal stakeholders and
Presidential appointees from the private sector.\11\ The panel advised
``Sematech and the Secretary of Defense on appropriate technology goals
for the research and development activities of Sematech and a plan to
achieve those goals,'' and conducted annual reviews of its
progress.\12\ The draft legislation for the NISO does not include
similar provisions.
---------------------------------------------------------------------------
\11\ The members were: The Under Secretary of Defense for
Acquisition, who served as chair; the Director of Energy Research of
the Department of Energy; the Director of the National Science
Foundation; the Under Secretary of Commerce for Economic Affairs; the
Chairman of the Federal Laboratory Consortium for Technology Transfer;
and seven Presidential appointees who were to include four members
``who are eminent individuals in the semiconductor industry and related
industries;'' two members ``who are eminent individuals in the fields
of technology and defense;'' and one member ``who represents small
businesses.''
\12\ Additionally, SEMATECH's legislation required annual
independent audits of SEMATECH and Comptroller General review of these
audits. SEMATECH had to submit its audits to Congress and the DoD
Secretary. No reporting or audit requirements are included in the
draft legislation for the NISO.
TABLE 3.--COMPARISON OF SELECTED NISO AND SEMATECH ORGANIZATIONAL
ATTRIBUTES
------------------------------------------------------------------------
Similarities:
- Self-chartering.
- Affiliated with a Federal agency.
- Funded by the Federal Government and private sector.
- Private sector leadership and employees.
Differences:
- MOU between SEMATECH and DoD.
- Advisory Council on Federal Participation in SEMATECH.
------------------------------------------------------------------------
Quasi-Governmental Entities: Rationales, Accountability, and NISO
Benefits and History
Congress has been establishing quasi-Governmental entities since
the Nation's founding. For example, Congress chartered the First Bank
of the United States in 1791 (1 Stat. 192, Section 3) to stabilize the
Nation's currency and provide a safe depository for funds and serve as
a source of credit. The bank was a hybrid entity--it was capitalized
through a stock offering, and both the Federal Government and private
investors purchased shares. The bank's debt was the Nation's debt.
Private shareholders elected most board members, and the Treasury
Department was authorized to inspect the bank's accounts.
The creation of Federal quasi-Governmental entities has increased
since the 1960s. Many arguments have been advanced to support the
creation of these hybrid organizations. However, the current popularity
of the quasi-Government option may be traced to the following
impetuses:
1. the desire to avoid creating another Federal ``bureaucracy;''
2. the current controls on the Federal budget process that
encourage Federal agencies to rely less on annual
appropriations;
3. the desire to make Government operate more like a private-sector
organization; and
4. the belief that management flexibility requires entity-specific
laws and regulations, and thus exemption from Government-wide
management statutes (e.g., Administrative Procedure Act; 5
U.S.C. 551 et seq.)\13\
---------------------------------------------------------------------------
\13\ CRS Report RL30533, The Quasi Government: Hybrid Organizations
with Both Government and Private Sector Legal Characteristics, by Kevin
R. Kosar, p. 1. On the Federal Government's management laws, see CRS
Report RL30795, General Management Laws: A Compendium, Clinton T.
Brass, Coordinator.
---------------------------------------------------------------------------
Many quasi-Governmental entities exist, and many have been
considered to be successful. The National Park Foundation, for example,
annually raises significant private support for the Nation's public
parks.\14\
---------------------------------------------------------------------------
\14\ National Park Foundation, 2011 Annual Report, at
http://www.nationalparks.org/files/about/financials/annual-report-2011.pdf.
---------------------------------------------------------------------------
Cost
With quasi-Governmental entities there also may come a cost--
reduced accountability to Federal Governmental direction.\15\
---------------------------------------------------------------------------
\15\ Jonathan G.S. Koppell, The Politics of Quasi Government:
Hybrid Organizations and the Control of Public Policy (New York:
Cambridge University Press, 2003); and Ronald C. Moe, ``The Emerging
Federal Quasi Government: Issues of Management and Accountability,''
Public Administration Review, vol. 61, iss. 3, May/June 2001, pp. 290-312.
---------------------------------------------------------------------------
An organization's institutional structure can affect its
accountability to Congress and the President. In simplest terms, the
more tightly yoked to Legislative and Executive Branch authorities an
organization is, the more responsive to those authorities the
organization can be expected to be. Hence, if organizations are
considered as existing on a spectrum--with a wholly-Governmental agency
on one end and a wholly-private firm on the other--the former would
tend to be the most accountable and responsive to Federal direction,
while the latter the least.
This organizational responsiveness to Federal direction comes
through a number of means, including: (1) Federal involvement in the
appointment of the organization's leadership; (2) the organization's
location within or outside the Government; (3) requirements for annual
auditing and reports to Federal authorities (Congress, the President,
and agency heads); and (4) the organization's reliance on appropriated
funding.\16\
---------------------------------------------------------------------------
\16\ An organization that is required to be self-financing will
have a strong incentive to act in its own self-interest, possibly at
the cost of fully pursuing its statutorily-prescribed goals or
complying with Government-prescribed operational rules.
---------------------------------------------------------------------------
Assessed on these criteria, NISO might be expected to behave
independently of the Federal Government (Table 4).
TABLE 4.--ORGANIZATIONAL ACCOUNTABILITY AND NISO
------------------------------------------------------------------------
Federal appointees: Minority; 5 of 15 directors would be Federal
representatives; the board would choose its chair and co-chair, who
cannot be Federal representatives.
Location within or outside the Government: Private sector; not
explicitly placed within a Federal agency or branch of Government.
Annual auditing and reporting requirements: None.
Reliance on appropriated funding: Low Federal contribution (not more
than 15% of annual operating costs).
------------------------------------------------------------------------
Organizational accountability to overseers, it has been noted, is
not an unalloyed good. A frequent criticism of Federal Governmental
entities (such as agencies) is that they are too responsive to diverse
Federal oversight authorities. Their efforts to satisfy the demands of
diverse stakeholders may result in underperformance of an agency's
general or National policy objectives.\17\ As noted above, one of the
arguments for establishing a quasi-Governmental entity is the intention
that it operate less like a Governmental entity and more like a private
firm.\18\
---------------------------------------------------------------------------
\17\ For example, Congress established Base Realignment Commissions
in order to close unneeded DoD facilities. CRS Report 97-305, Military
Base Closures: A Historical Review from 1988 to 1995, by David E.
Lockwood and George Siehl.
\18\ The presumption is that a private firm will perform more
optimally than a Governmental one.
---------------------------------------------------------------------------
Additionally, an aspect of organizational accountability is
predictability, that is, that the entity created will behave as its
creators expect. When Congress establishes an entity, Governmental or
quasi-Governmental, it inevitably includes in the statutes the
``purposes'' of the organization and provides the organization with
authorities to attain its purposes.
In public administration parlance, there is a principal-agent
relationship, wherein Congress (the principal) has established an agent
(the entity) to execute the law. Quasi-Governmental entities sometimes
behave unpredictably should they be established with starkly competing
organizational imperatives. Governmental entities are to pursue policy
objectives (e.g., National defense, poverty reduction, etc.); private
firms pursue private objectives (e.g., profit, financial self-
perpetuation, etc.). Arguably, the Government-sponsored enterprises,
Fannie Mae and Freddie Mac, serve as examples of the unpredictability
of entities driven by competing Governmental (diverse housing policy
goals) and private-sector imperatives (maximizing private shareholder
value).\19\
---------------------------------------------------------------------------
\19\ These GSEs' statutes contain five different public policy
objectives. CRS Report R40800, GSEs and the Government's Role in
Housing Finance: Issues for the 112th Congress, pp. 2-3. See also
Koppell, The Politics of the Quasi Government, chapter 5; and
Congressional Budget Office, Controlling the Risks of Government-
Sponsored Enterprises (Washington: GPO, 1991), chapter 1.
---------------------------------------------------------------------------
Whether NISO would face strongly competing organizational
imperatives is unclear.\20\ Unlike the GSEs, the NISO would be a not-
for-profit organization and would not have stockholders. Its objective
is a collective good--improving security against cyber threats, an end
which each stakeholder has an interest in but cannot attain alone.
NISO's board would have both Governmental and private-sector
representatives, whose interests may or may not coalesce.\21\
---------------------------------------------------------------------------
\20\ As NISO resembles SEMATECH, Congress may find value in
reviewing the performance of SEMATECH.
\21\ Determining the alignment of interests among the board's
Governmental and private-sector members goes beyond the scope of
this memorandum and would involve cybersecurity policy and other
considerations.
---------------------------------------------------------------------------
The legal framework within which organizations operate can greatly
influence their behavior by setting incentives and expectations for
operations.\22\ Quasi-Governmental entities sometimes behave
unpredictably due to their ambiguous legal nature. When Congress
establishes a fully Governmental entity, such as an agency, many of
the entity's attributes are set by default. That is, absent statutory
provisions exempting the agency from Federal laws and regulations, the
agency is subject to them.\23\ The Federal Government-wide management
laws are many, and include statutes such as the aforementioned
Administrative Procedures Act, the various civil service employment and
compensation statutes (5 U.S.C. 101 et seq.), and the Lobbying with
Appropriated Monies Act (18 U.S.C. 1913).\24\ Government agencies'
actions also are bound by various Constitutional limitations.
Oppositely, when a private individual or group establishes a
corporation, this private entity will not be subject to the general
management laws that are applicable to Federal agencies.
---------------------------------------------------------------------------
\22\ Thomas H. Stanton, ``Assessing Institutional Development: The
Legal Framework That Shapes Public Institutions,'' in Robert Picciotto
and Ray C. Rist, eds., Evaluating Country Development Policies and
Programs: New Approaches for a New Agenda (Jossey-Bass, 1995), pp. 55-68.
\23\ Ronald C. Moe, ``The Importance of Public Law: New and Old
Paradigms of Government Management,'' in Phillip J. Cooper and Chester
A. Newland, eds., Handbook of Public Law and Administration (Jossey-
Bass, 1997), p. 46. To be clear, Congress may exempt a Governmental or
quasi-Governmental entity from coverage by a particular Government
management statute. For example, in 1995 the Supreme Court considered
the issue of distinguishing between a Governmental and private
corporation. The National Railroad Passenger Corporation (AMTRAK)
established by Congress (45 U.S.C. 451), and enumerated under 31 U.S.C.
9101 as a ``mixed-ownership corporation'' (e.g., it was owned by both
the private and Governmental shareholders), was sued by Michael Lebron
for rejecting, on political grounds, an advertising sign he had
contracted with them to display. Lebron claimed that his First
Amendment rights had been abridged by AMTRAK because it is a Government
corporation, and therefore an agency of the United States. AMTRAK
argued, on the other hand, that its legislation stated that it ``will
not be an agency or establishment of the United States Government'' and
thus is not subject to Constitutional provisions governing freedom of
speech. The Court decided that, although Congress can determine
AMTRAK's Governmental status for purposes within Congress's control
(e.g., whether it is subject to statutes such as the Administrative
Procedure Act), Congress cannot make the final determination of
AMTRAK's status as a Government entity for purposes of determining
Constitutional rights of citizens affected by its actions. Michael A.
Lebron v. National Railroad Passenger Corporation; 513 U.S. 374 (1995).
The AMTRAK Reform and Accountability Act of 1997 (Pub. L. 105-134; 111
Stat. 2570) removed AMTRAK from the GCCA list of mixed-ownership
Government corporations.
\24\ CRS Report RL30795, General Management Laws: A Compendium.
---------------------------------------------------------------------------
The United States, then, ``has two distinctive forms of law: public
law, which governs the activities of governmental bodies in their
capacities as agents of the sovereign . . . and private law, which
governs the relations of private parties with one another.''\25\ Thus,
when Congress creates quasi-Governmental entities that are not clearly
Governmental nor private sector, confusion may result as to which laws
apply to the quasi-Governmental entity.\26\ To cite just four examples,
quasi-Governmental entities have found themselves in legal disputes
involving questions as to which courts may hear suits against them,
which Government-wide management laws apply to them, to what extent
they need to respect a private citizen's First Amendment rights, and
the constitutionality of prohibiting the removal of their directors
except for cause.\27\
---------------------------------------------------------------------------
\25\ Moe, ``The Importance of Public Law: New and Old Paradigms of
Government Management,'' p. 42.
\26\ Statutes establishing quasi-Governmental entities often
include provisions exempting the entity from a particular Government
management law. SEMATECH, for example, was exempted from the Freedom of
Information Act (5 U.S.C. 552). Yet, this effort at clarification may
lead Federal overseers to question whether the statute's silence
regarding other Government management laws implies that they are
applicable to the entity. Currently, Congress is considering whether
the Freedom of Information Act ought to apply to the GSEs Fannie Mae
and Freddie Mac since they are in Federal receivership and effectively
Government-owned. See CRS Report R42080, Fannie Mae, Freddie Mac, and
FOIA: Information Access Policy for the Government-Sponsored
Enterprises, by Wendy Ginsberg and Eric Weiss.
\27\ Respectively, see Michael T. Maloan, ``Federal Jurisdiction
and Practice: The American National Red Cross and the Interpretation of
`Sue and Be Sued' Clauses,'' Oklahoma Law Review, vol. 45, 1992, pp.
739-760; Animal Legal Defense Fund v. Shalala, 104 F.3d 424 (D.C. Cir.
1997); Michael A. Lebron v. National Railroad Passenger Corporation
(513 U.S. 374 (1995)); and Free Enterprise Fund, et al. v. Public
Company Accounting Oversight Board, et al., 561 U.S. ____, 130 S.Ct.
3138, 177 L. Ed. 2d 706 (2010).
---------------------------------------------------------------------------
It is difficult to anticipate how predictably the proposed NISO
would behave due to its ambiguous nature. The draft legislation for
NISO does not explicitly state whether it is a Governmental entity or a
private-sector entity. By virtue of the provision that the entity
should charter itself (presumably under State law), it might be assumed
that it is intended to be private. The legislation also exempts the
NISO from the anti-trust provisions of the Clayton Act (15 U.S.C. 12),
a statute which applies to private-sector firms.
However, the draft legislation also would make non-applicable to
NISO two Government management statutes, the Freedom of Information Act
(5 U.S.C. 552) and the Federal Advisory Committee Act (5 U.S.C.
Appendix). Furthermore, as NISO would be designed to serve as an
``information-sharing'' venue regarding cybersecurity issues, the draft
legislation does provide for the protection of this information. It
would forbid ``any officer or employee of the United States or any
Federal agency'' from knowingly disclosing information regarding a
cyber threat. Violators could be removed from their positions, fined,
and imprisoned. Whether such information protections would apply to all
NISO directors and employees is unclear.
Mr. Lungren. Thank you very much for the testimony of each
member of the panel. I appreciate you staying within the time
limits assigned. We will have a round of questions and I will
start with 5 minutes.
Dr. Nojeim, thank you--or Mr. Nojeim, thank you very much
for your testimony. I wonder if you might elaborate on why it
is important that the DHS is the lead agency in charge of
civilian cybersecurity. We generally speak about the notion
that under our Constitutional Governmental structure, it is
both explicit and implicit that there is civilian control of
the military. This administration engaged in a memorandum of
understanding between DOD and DHS so that you have some cross-
fertilization there, but I think they have done a pretty good
job of making sure that we don't violate the notion of civilian
control of the military. We happen to think it was important in
this bill to make it clear that DHS was in charge of civilian
cybersecurity. But I wonder if you would elaborate a little bit
on that issue.
Mr. Nojeim. Thank you for the question. I agree, the bill
does cement DHS as the lead for civilian cybersecurity
operations. That is important because those operations need to
be transparent, and they need to be transparent because the
private sector controls about 85 percent of the critical
infrastructure that needs to be protected. It needs to be able
to trust that information it shares will be used for the proper
purposes, and it needs to know what is going on because that
will encourage the private sector to cooperate.
In a military-led operation, something led by NSA or Cyber
Command wouldn't be able to build that trust, because for
otherwise legitimate reasons they operate secretly. So I think
the administration is right to try to draw on the expertise of
Cyber Command and NSA without putting those agencies in control
of a civilian program.
Mr. Lungren. Directed to both Dr. Shannon and Ms. McGuire,
during both the formal and informal discussions we had, both
the Republican task force and this committee, and other things
that we have done with our Democratic counterparts in the past,
there seems to be, at least to me, a consensus that with the
structures we already have, as good as they may be in the
different industry sectors, the idea that timely access of
information of threat from the Government to the private sector
has been an issue, and the issue of trust; that is, that we
have not established the mechanism by which the private sector
is encouraged to share more of their information in a timely
fashion, I guess in some ways because we haven't articulated
the limits of the use of that information. Why are you going to
self-report if there is some liability on the other end? So on
our efforts in coming up with this draft, we came up with a
concept of NISO.
Can you give us your thoughts on, if you disagree or if you
agree, why this shouldn't be done by already existing
structures, or what problems we have with the suggestion we
have got in the bill right now? Ms. McGuire.
Ms. McGuire. So first off, I think there is a couple of
issues that we see on a regular basis with the current system.
One is that we don't see that timely actionable information
coming from the Government flowing to industry. So we have a
little bit of a chicken-and-an-egg problem here. Industry
doesn't see valuable information coming from Government,
therefore industry doesn't perceive the need to provide
information back to the Government.
But we also see a situation where industry is not
necessarily incentivized to provide information to the
Government. There is not a clear articulation of what kind of
information the Government needs from industry. I have actually
sat in meetings where I have had Government folks actually say
to me: Well, just give us everything. Well, that is impossible.
I don't think the Government has enough data centers to store
all the information that industry has, nor do they want it.
Mr. Lungren. Nor do you want to give it all to them.
Ms. McGuire. Nor do we want to give it all to them.
Exactly. So we have a little bit of that situation. So I think
that this notion of incentivizing industry to share more
information is a really important concept that is articulated
in the bill.
To your question about why current structures in existence
shouldn't be used for the NISO, my view is that we already have
private industry engagement and buy-in to a NISO-like concept
and that we really do need to build on those existing
structures and frameworks that we have in place. So if there is
a way to articulate this NISO framework that includes those
existing structures, I think you will get a lot more buy-in
from industry than trying to set up a separate new entity.
Mr. Lungren. Dr. Shannon.
Mr. Shannon. Thank you. I have four quick points. One is
the notion of sharing information has been evolving for over 2
decades, and the need for timeliness and what information there
is, the technologies involved, the players involved, the civil
liberties issues involved, have been evolving. So I think that
is part of why you see in that second diagram this jumble of
links is kind of what has accrued over the decades. This sort
of legislation I think is another important attempt to try and
get it to the right point.
Incentives are about encouraging the emergence of a capable
organization. We are not going to know, a priori, what the
right incentives are, so I suggest soft incentives rather than
hard incentives, such as tax breaks and such, to encourage
people to consider doing the right thing. As you see them doing
the right thing, then you can provide for their encouragement
for those lagging behind.
As Ms. McGuire mentioned, I think feedback, timely feedback
from the Government to private entities is a missing
capability, and that really will cement the deal. It is about
valued propositions on both sides. Regardless of how much the
private industry is paying up front, if anything, the fact is
they invest a tremendous amount in cybersecurity on their own,
and so any involvement has a price and they want to know kind
of how they can benefit from that for the benefit of their
shareholders and their customers. Thank you.
Mr. Lungren. Ms. Clarke is recognized for her questions.
Ms. Clarke. Thank you, Mr. Chairman. Thank you to our
panelists for your testimony here this morning.
My first question is posed to Ms. McGuire and to Dr.
Shannon and to Mr. Nojeim. There is general agreement that
enhanced information sharing is key to improving cybersecurity.
For DHS' part, it has worked diligently to support sector ISACs
as forums for information sharing and has stepped up its cyber
operations with the creation of NCIC and US-CERT. There is
limited cybersecurity resources, financial and personnel, in
the private sector and Government.
If the NISO was established, how do we guard against these
limited resources being diverted from existing efforts to the
new platform?
Ms. McGuire. Well, I think that your statement about the
limited resources is a particularly challenging area for the
Department of Homeland Security. As a former employee, I
actually was the director for a while, as well as a deputy
director of the National Cybersecurity Division in the US-CERT,
with first-hand knowledge and experience of some of those
resource challenges. I think they are particularly challenged,
though, by a lot of staff turnover amongst their leadership.
This is creating a continuity issue there. So the progress that
they have made thus far with the NCIC, while I think it is
commendable given the current situation, there is still a long
way to go. In particular, dealing with private industry, the
level of which we are seeing information sharing has not
matured to a level where I think it is creating the kind of
value proposition that Dr. Shannon just talked about, and that
effort really needs a focused concerted effort by the
Department and its leadership if we are going to realize this
information sharing. I am not even going to say nirvana, just a
progress step forward.
Mr. Shannon. Thank you. There are two elements. One is that
there is a desire to reach a broad spectrum very quickly. Some
of the programs that you talked about, the NCIC and the DIB
programs, for example, are just beginning to scale and still
haven't demonstrated what the challenges are going to be in
reaching full scale. So I see the current NISO effort as
being--it will help existing efforts by in some sense taking
the pressure off and trying to reach a broader audience faster,
as opposed to waiting for these smaller efforts to mature.
Mr. Nojeim. We think that an incremental approach is called
for, an examination of why information sharing under the
current structures isn't working. Then once those problems are
identified, Congress should ask, well, does NISO address each
one? If it doesn't, then you are creating a redundant
information-sharing entity. But if it does, you are creating
one that will solve problems. So that is the approach that we
would recommend.
Ms. Clarke. I fully understand where all three of you are
coming from, but the issue, though, is resources, right? So if
we are at a point where resources are limited and there is a
possibility that there could be some redundancy, how do we sort
of reconcile that? You could have a situation where you are
spread so thin that no one meets their mission, and I don't
know whether that has been a consideration, given the entities
that we currently have that are working on these efforts--we
are now considering an additional, and how we would make sure
that they have what they need to meet their mission.
So I wanted to just sort of get a sense of, you know, is
there something innovative that you can think of that would
maybe make one of the entities self-funding, I don't know. But
it would appear to me that if we have all of these entities out
there, many of whom have not fully stood up yet but are going
to require a resource in order to meet their mandates, that is
something that we ought to consider up front.
Mr. Shannon. If I might add, setting measures of success
and expectations of success I think is important. It goes back
to being operationally and scientifically valid, to know what
the intention of the organization is and how you will know when
that organization's mission is being met. As I mentioned,
because of the evolving threat, landscape, and technologies,
what works today may not work as well tomorrow. So it is
difficult to divine what the right organization is today. So I
encourage you to consider multiple efforts such as we do have
today, but I would agree that consolidation to the current
budget environment is important.
Ms. Clarke. Thank you, Mr. Chairman.
Mr. Lungren. Thank you. The gentleman from Texas, Mr.
McCaul, is recognized for questioning.
Mr. McCaul. Thank you, Mr. Chairman. Let me commend you for
this legislation. I think it provides clarity and guidance as
to who should be in charge. For a long time we have talked
about who is in charge of cybersecurity in the Federal
Government. For a long time NSA was not coordinating with the
Department of Homeland Security, and they are now.
But when we talk about the issue of information sharing,
which is critical to protecting these infrastructures, that is
where I think this bill really comes into play. Mr. Nojeim, you
talked about civilian control, and I agree with that
assessment. There is a bill that was passed out of the
Intelligence Committee that does not really specify which
agency within the Federal Government should be in charge of
this effort of information sharing. Some would argue that the
NSA, because of the pilot program, the Defense industrial base
pilot program, that NSA is the best agency to conduct that.
I tend to disagree with that assessment, because as you
mentioned, civilian control is important here. In terms of
international sharing of information, I don't think going to
the intelligence community is going to be the right answer to
this issue.
So with that, I just want to throw that out to the panel.
Who do you see is the best agency to be in charge of this
critical component of information sharing? I personally think
it should be DHS. Tell me why I am right, or maybe why I am
wrong, in that assessment.
Mr. Nojeim, if you want to lead on this.
Mr. Nojeim. I will start. As I said a minute ago, civilian
control will promote the transparency that is essential to
building cooperation and trust with the private sector. You got
to have the private sector involved because they own and
operate most of the critical infrastructure.
But thinking for a minute through what the House
Intelligence Committee did, one thing they did that seems like
a good idea is to unlock the classified information,
particularly the classified attack signatures that the NSA has,
for the benefit of industry. It is important to accomplish that
in legislation. If that legislation stopped there, with this
flow of information from the intelligence agencies to private
network operators who could then use it to protect their
systems, we would support it.
The problem with that bill is that it opens a flow back to
the intelligence agencies and to Cyber Command, and to other
Governmental agencies that are not specified at all, of
information from the private sector that could include regular
user communications. It is important to limit that flow back,
and I think that your bill, the bill that you are looking at,
could do that with some very targeted amendments.
Mr. McCaul. Dr. Shannon and Ms. McGuire, what is your
assessment in terms of who should be the lead agency?
Mr. Shannon. I have to say no comment, thank you. We are a
Federally-funded research and development laboratory.
Mr. McCaul. I understand. Ms. McGuire, you may have the
same response.
Ms. McGuire. We believe that a civilian agency is the right
and appropriate authority for this entity. As a global private
company, it is very difficult for us to operate in a global
playing field if we have this kind of interaction direct with
some of the other agencies.
Mr. McCaul. For a long time we have had the ISACs. The
Information Sharing Analysis Centers have been kind of the
vehicle for information sharing in the past. I think this bill
actually provides again that clarity that I think is needed.
The ISACs have not been totally functional. They haven't
worked as I think they were expected to work. I think this is a
good opportunity to really put something in place in
legislation that can be a real vehicle for information sharing.
Do you all agree with that assessment?
Ms. McGuire. While I agree that the NISO as a concept and a
framework can seek to accomplish that, I do have concerns about
ensuring that those existing entities, such as the ISACs and
the sector coordinating councils, that industry has put so much
effort and resources into over the last 10 years, do not go by
the wayside. I am a firm believer that we have to improve those
entities. I think that the information sharing and the direct
engagement with Government has not always been, shall I say, as
positive between the ISACs and the Government agency of DHS. I
would be happy to share some specific examples with you after
this hearing when there is more time.
Mr. McCaul. How would you recommend merging--I see my time
is about expired--how would you recommend merging the
existing--you know, the ISACs--with this National information
sharing organization?
Ms. McGuire. Well, I think that is something that we need
to explore more in depth, because those ISACs for the most part
are privately funded, privately incorporated, industry-owned
and -operated entities, and so I think we need to have that
dialogue of how we would incorporate them into this framework.
Mr. McCaul. Dr. Shannon, do you have any comments?
Mr. Shannon. One comment is, again, going back to measures
of expectations. When you stand up, whether it is the ISACs or
any other entity over the last couple of decades, there were
original intentions about what they should be able to achieve.
Some of the things they were able to achieve and some things
they were not, for various reasons. So I think doing a critical
assessment at the current time of what those needs are would be
helpful. I mean that is part of what CERT and the SEI has been
involved in in assisting the Government with the DIB
evaluations that have gone on. It is excruciating, but I think
in the end it was very valuable to policymakers.
Mr. McCaul. We look forward to your comments following up
on how we can best merge these entities. Mr. Chairman, my time
is expired. Thank you.
Mr. Lungren. Thank you. Mr. Walberg is recognized for his
questions.
Mr. Walberg. Thank you, Mr. Chairman. Living in a
delegation who has the dubious distinction of having the
Chairman of the Intelligence Committee in our delegation, with
a perverted sense of just giving us enough information about
cybersecurity potential attacks and causing us to not sleep as
much as he, I think that is a challenge that we have. So I
appreciate your efforts here and I appreciate the panel being
here today as well.
Mr. Kosar, let me ask you, is there anything in the draft
language regarding the structure of NISO that in your opinion
would prevent the NISO from accomplishing its mission?
Mr. Kosar. It is difficult to say. I think one underlying
requirement for the organization to be functional is that
organizations have to feel it is going to be a safe space where
they can share information and that the information is not
going to get out. I looked over the information protection
provisions, and I confess I just didn't quite fully understand
whether there were sufficient incentives to ensure that NISO
participants did not leak or illicitly share information and
cause damage to members.
Mr. Walberg. How could that be remedied?
Mr. Kosar. I honestly don't know at this point. I would
have to think further about it and consult with my colleagues.
Mr. Walberg. Okay. You were going on. I apologize for
jumping in.
Mr. Kosar. Oh, sure. No, I think one interesting aspect
that I gleaned from looking at this is that if NISO is able to
get up and running and to gain a reputation for appearing to be
a very sound organization, private-sector members might want to
flock to be part of this organization, not only because they
could get information from it which is valuable to it, but also
because it might kind of create a sort of Good Housekeeping
Seal of Approval for companies who are participants. So that
might be a pull factor and encourage collaboration.
Mr. Walberg. Thank you.
Ms. McGuire, you evidently have a lot of personal
experience with DHS and its cybersecurity mission. With regard
to the authorities provided to DHS in the draft bill, are there
any left out?
Ms. McGuire. I don't think so. I mean, I read the draft
legislation in detail, of course, in preparing for the hearing
and I don't see anything there that--or didn't see anything
that was missing, no.
Mr. Walberg. Well, a credit to the bill sponsor then. Let
me follow up and ask you if you could explain what you mean by
risk assessment and any examples that you might have where a
risk assessment approach has been used to protect against the
cyberthreats.
Ms. McGuire. So when we talk about risk assessment we are
really looking at what are the threats, vulnerabilities, and
consequences of any particular threat vector. With regard to
specific examples where risk assessments have been used, the IT
sector endeavored in 2009 to develop a sector-wide, not a
company-by-company, but a sector-wide risk assessment to look
at specific risk to the IT sector at large. We worked in
concert, public-private partnership, with DHS to develop that
risk assessment and we identified some specific areas in DNS
routing, identity management, supply chains, some specific
areas that we felt that we needed as a sector to focus some
more detail on.
As a follow-on to that work, we developed some specific
guidance that was released earlier this year to provide to IT
sector companies' owners and operators, to help them focus on
particular risks that we saw from a National level to the
sector. Interestingly enough, what that risk assessment,
though, demonstrated was that we as an industry were largely
resilient because we had a lot of redundancies and processes in
place to deal with incidents such as cybersecurity attacks and
things of that nature, but there still were areas that we need
to improve on.
So from a risk assessment standpoint, we believe that that
allows companies to focus in their resources and efforts on
what they should potentially be protecting according to that
National-level risk.
Mr. Walberg. Thank you.
Mr. Nojeim, how important do you think it is for the
Department of Homeland Security to identify sector-specific
cybersecurity risks?
Mr. Nojeim. I think that having a sector-specific approach
helps DHS modulate its level of regulation of cybersecurity
information systems. So, for example, you wouldn't want, as
Cheri said earlier, you wouldn't want a situation where the
same kind of security performance standard is applied to a
nuclear power plant as is applied to something that is much
less dangerous but it fits within a definition of covered
critical infrastructure. So DHS needs to have the flexibility
to adopt a risk-based approach, and I think that the bill gives
it that flexibility.
Mr. Walberg. Thank you.
Mr. Lungren. We have time for a second round. So I just
remember the old deal about tomato-tomahto, we now have
``NESO'' and ``NISO.'' I asked my staff what is it, and they
said, Well, since you wrote the legislation you can say. We
will wait until later until we figure that one out.
Mr. Nojeim, we talked about protection of privacy and civil
liberties, how important they are. Would limiting the type of
information that is shared with the NISO and then limiting how
that information can be used by members, including the Federal
Government, address your concerns; and how would you define
that?
Mr. Nojeim. I think NISO can be nice to civil liberties.
The way it could do that, I would define it as, first, I would
start with attack signatures. Everybody agrees that cyber
attack signatures ought to be freely shareable. There may be a
need also to define cyberthreats with reference to actually
overcoming a technical control, something that is in place to
stop unwarranted access to a database. We think that this
information can be defined, we think it can be defined broadly
enough to permit the share of information that is necessary,
and we have provided some language to your staff and we will
continue to work with your staff on that language.
Mr. Lungren. Ms. McGuire and Dr. Shannon, if NISO is going
to be successful, there has to be some value there for the
private sector as well as for the Government. But we are the
Government setting this concept up, so I suppose we should be
appealing to the private sector. So it has got to be value.
So as I think, Ms. McGuire, you mentioned, it has got to be
something that is unique or something that they can't get
otherwise, because otherwise why buy into this?
On the other hand, in terms of the participation of the
private sector, we could set up rules, as suggested by Mr.
Nojeim, to say this is the limitation on the use of the
information by the Government that has been given to them by
the private sector.
But does the concept of subsequent liability protection
come into play, or is that something we don't have to discuss?
If I'm making a decision for myself or my company as to whether
I should share this information with the Government, even
through this entity, I might be dissuaded if I thought that is
going to subject me to a slew of lawsuits. Do we have to deal
with that concept? I know there are other things to figure out.
Have they followed proper procedures and so forth before they--
but is that something that is necessary, or is that a concept
that is redundant or unnecessary?
Mr. Shannon. As I testified back in June, the notion of
safe harbor protections I think is important. You want to free
the people involved in incidents and collecting using the
information.
Mr. Lungren. I know it is important. Is it crucial?
Mr. Shannon. I think it is. You want to enable
organizations to do the right thing.
Mr. Lungren. Ms. McGuire, is it necessary?
Ms. McGuire. I would agree with that, yes.
Mr. Lungren. Mr. Nojeim, do you have any problems with
that?
Mr. Nojeim. I think it is important that there be
consequences for breaking the rules. If the rules are followed,
I think there should be immunity for people who are following
the rules. For people who are breaking the rules, I think there
should be consequences. Without them, you put companies between
a rock and a soft place.
Mr. Lungren. Ms. Clarke.
Ms. Clarke. Thank you, Mr. Chairman.
Dr. Kosar and Mr. Nojeim, in your testimony, you mention
that, as designed in the proposed legislation, it would be
difficult to know how the NISO would behave. The lack of
predictability, even as the Federal Government invests
significant resources, is a concern. Please explain the
possible risks to the Government of establishing this quasi-
Governmental entity without specificity as to its range of
activities and responsibilities to its members; more
especially, DHS.
Mr. Kosar. Well, I guess the first question that I would
have is whether or not the NISO would see strong incentives to
coordinate its activities with the Department and to be
responsive to the Department's needs, or would it have
incentives to basically act otherwise?
A second issue or question I would have is: If this
organization does not stand up well, will it have long-term
negative ramifications for future efforts to do something on
this? Will it kind of poison the well in some way, shape, or
form? As I mentioned earlier, it seems like this kind of
consortium for sharing this information is heavily based upon
trust, and if something gets done incorrectly, there could be a
lot of very bad feelings all around.
Third is the question of predictability. One thing I
noticed in the mission for this organization is that on the one
hand it is to be a place where information and advice is to be
shared. But it is also a place where there seems to be R&D
activities that will be undertaken to develop new technologies
to aid in cybersecurity production.
So you have kind of two different operational activities,
and I guess the question that entered my head is, these new
technologies, are these going to be sold to companies? Will
they be given to members of NISO? Will this organization split
itself off and create a for-profit side organization?
It is not unprecedented that organizations created by the
Federal Government have in the past, without Congress'
expecting it, to have split themselves and have divided
themselves into multiple organizations. So I guess those would
be my thoughts.
Mr. Nojeim. I actually think that the bill includes a
number of provisions that will allow the Government to protect
its own interests in NISO. First, it reserves a number of seats
on the board of directors to Governmental entities. Many of
NISO's member entities, the ones who receive information, will
be Governmental entities, State, and local, and Federal.
It also gives the Department of Homeland Security the
ability to partially fund NISO. One could discuss whether 15
percent is enough or not, but it is a significant chunk of
money. But the Government has something that NISO members will
want. It has classified information about attacks that in a way
give it a lot of leverage, maybe more leverage than it ought to
have, over NISO's operations.
So I think that as it is structured, there is actually
enough--there are enough provisions in the bill to protect the
Government's interests in the NISO.
Ms. Clarke. So in other words, you are saying that the way
that the bill is currently constructed it should mitigate risk;
is that what you are saying? Because I'm asking about possible
risk.
Mr. Nojeim. I think you were asking about whether the bill,
as structured, protects the Government's interests in the NISO.
My answer is I think it does, because I think it gives the
Government substantial authorities. In fact, if we were
drafting the bill, we would probably more limit the
Government's participation and make it more clearly a
privately-run entity as opposed to a Governmental entity.
One of our biggest concerns is the flow of personally
identifiable information to Government members of NISO through
the NISO entity.
Ms. Clarke. Thank you.
Then just a final question. Dr. Kosar, you mentioned that
the legal framework within which organizations operate can
greatly influence their behavior by setting incentives and
expectations for operations. You are a specialist in American
Government, and in your opinion how does the legal framework
described in this proposed legislation for NISO lend itself to
defining the actions, incentives, and goals of the
organization?
Mr. Kosar. Well, I really appreciate the point brought up
just a moment ago about DHS possibly having a lever for dealing
with the NISO by virtue of its access to classified information
policy. I think that is a subtle insight.
This entity, as structured, is primarily private-sector;
and so presumably, its incentives lie with the perceived self-
interest of the members.
Just going back to the example of SEMATECH, created in
1987, that was an organization--that legislation is
substantially similar to this one. It created an organization
of kind-of like firms, firms that produced, manufactured,
semiconductors here in the United States. It looked at them and
said, you have a shared interest in upping your technology and
jumping forward, vis-a-vis Japan. This was a shared goal, and
you guys can work together on this, you just need a little
Government coordination.
Here we have, I think, members that are a little more
diverse than those that were participating in SEMATECH. I guess
an open question for me is whether or not the individual
incentives of these organizations align as neatly as they did
with SEMATECH. Because of this organization's success it would
seem to me to be largely dependent on the activities of the
private-sector parties.
Ms. Clarke. Thank you, Mr. Chairman.
Mr. Lungren. Thank you very much. I think the questions of
the hearing have indicated the fact that we are going into a
new area here. We are trying to create a platform that makes
sense for both the private sector side and the Governmental
side. It is creating a mechanism in which there are incentives
so that all will cooperate.
We thank you for your thoughts on this. We seek your
thoughts in the future as we move forward. We intend to move on
this because the issue is one that cannot wait. I am encouraged
by the interest that we have received from our colleagues on
both sides of the aisle, from people in the administration,
from those in the private sector, because I think that is a
good sign that while we are certainly not perfect, we are at
least moving forward with a concept in an area that needs to be
dealt with.
I want to thank all witnesses for your valuable testimony
and the Members for their questions.
The Members of the subcommittee may have some additional
questions for you. We would ask if we would submit them to you,
that you would respond to these in writing. The hearing record
will be held open for 10 days.
The subcommittee stands adjourned.
[Whereupon, at 11:25 a.m., the subcommittee was adjourned.]