Politics and Public Policy Today, CSPAN, January 8, 2016 9:00am-11:01am EST

9:00 am
you had to compress within two hours a seven-month-plus investigation including things that happened afterwards and you had to introduce a lot of characters and you had to introduce the important themes that emerged over that investigation. >> sunday night at 8:00 p.m. eastern on q&a. and we are live on capitol hill this friday morning as the house science, space, and technology subcommittees on oversight and on research and technology gather to hear from i.t. professionals on how to prevent data breaches and cyber security attacks. expect this to get under way in just a couple of moments. this is live on c-span 3.
9:01 am
9:02 am
9:03 am
okay. so we'll start at four. the subcommittee on research and technology and oversight will come to order. without objection the chair is authorized to declare recesses of the subcommittees at anytime. good morning. welcome to today's hearing entitled cyber security, what the federal government can learn from the private sector. in front of you are packets containing the written
9:04 am
testimony, biographies, and truth in testimony disclosures for today's witnesses. i now recognize myself for five minutes for an opening statement. today's hearing continues this committee's commitment to find solutions for one of the great challenges of the 21st century, cyber security. this is the second hearing we have held on cyber security since the news over the summer that the office of personnel management was the target of two massive data breaches exposing the sensitive information of over 21.5 million americans including many of my constituents. the opm breach highlighted the challenge of responding to threats for both the public and private sectors. in 2014 and '15 cyber attacks on target, ebay, home depot and anthem health insurance were only a few of the many publicly disclosed breaches. the data breach of anthem alone exposed the social security numbers of 80 million americans. the time has come for every
9:05 am
manager and every employee in both government and private organizations to make cyber security a top priority in their daily work and for leaders to be held accountable for negligent failures to protect information. the american public and shareholders are demanding it. when criminal hackers gained access to some 40 million target customer credit cards, the ceo and the cio were fired. in the private sector. although the opm director resigned in the wake of the opm breaches, i'm still not satisfied the responsible parties have been held accountable for the failure of the agency to address known security vulnerabilities. the most recent ig audit found that opm still has 23 systems that have not been subject to a thorough security controls assessment. opm does not have a complete inventory of servers, databases and network devices in their system. just this week i did meet with newly appointed cyber and information technology adviser clifton triplett in the omb
9:06 am
senior adviser on cyber and national security. i look forward to working with my colleagues and all federal agencies to ensure we are protecting the identities and information of our employees, applicants, and their families. the cyber criminals, activists, and state sponsored cyber terrorists are getting more creative and bolder in their attacks. the private sector has been at the forefront of dealing with these threats for some time as both the target of many of these attacks and as the leaders in developing the technology and workforce necessary to counter cyber threats. visa, which is in my district, is preparing to open a new cyber fusion center in my district just this week. this state-of-the-art cyber facility brings together nearly 100 highly trained security professionals into one high-tech campus and provides for collaboration both internally and with partners enabling rapid response, et cetera.
9:07 am
i am privileged to have a number of companies who are very much on the forefront in this area in my district and we have a number of those witnesses here today. and i look forward to hearing from our witnesses who are all innovative thinkers from the private sector. i hope we can take the lessons we learn from you today and help apply them towards protecting our federal information systems and the sensitive and valuable information they contain. we clearly must work together and be able to be more agile and adaptive to the ongoing threats that we know, with the multiplication of information in all of our systems, which is just going to exponentially increase over the coming years, that we will always need to -- this will be a permanent employment area for all of you, i'm sure. i now recognize the ranking member of the research and technology subcommittee, the gentleman from illinois, mr.
9:08 am
lipinski, for his opinion. >> thank you for holding this hearing. i want to thank all the witnesses for being here today and i look forward to hearing your testimony. as was mentioned in her opening statement, there is a real need to make sure we do more in this area. we need to make sure that both in the public and private sector people are held responsible for the hacks that do occur. we need to make sure that we have in place what we can do here to make sure there's an incentive in both the public and private sector to try to avoid these hacks, this loss of information, so i'm very interested to hear more from our witnesses on this. i'm certainly pleased that we're
9:09 am
holding our first hearing on cyber security which is certainly an increasingly urgent challenge for our national security and the personal security of every american. it's important that we continue to hear from experts in government and the private sector about the latest developments with respect to both the risks that confront security in cyberspace and the technologies and policies to combat those threats. our committee plays an important role on both the technology side and the policy side. and this is an area in which members have successfully collaborated across the aisle. in december 2014, congress enacted the cyber security enhancement act, a bipartisan research, education, and standards bill that i worked on with mr. mccaul over several years. over the last month congress enacted a cyber security law to promote information sharing and strengthen coordination between the private and public sectors. as a committee and as congress we need to continue to confront
9:10 am
the serious cyber threats. unfortunately we see an increase in cyber attacks in both the public and private sectors. in the hearing we held here in july we heard about the significant breach at the office of personnel management in which personal information of millions of current and former federal employees and job applicants was compromised including some of us here. highly sensitive security clearance files were also compromised making it not just a problem for all those individuals but a national security issue as well. we have laws in place to address the security of federal information systems. the federal information security management act, or fisma, established the necessary policies and procedures for the development of standards and protocols. an important role in this. it is clear federal agencies need to do a better job implementing the standards and protocols and congress needs to
9:11 am
give them adequate resources to do so. the private sector is also under constant threat from cyber attacks. in the case of large-sized companies, a recent study found that there was a 19% increase in cyber crimes between 2014 and 2015. the study also found that cyber crimes caused significant economic damage. for 2015, cyber attacks resulted in total average costs of $15 million. while threats continue to grow, many in the private sector are increasingly taking steps to protect their information systems and the personal information of americans that they gather in routine business. to reduce our risk and improve the security of cyberspace it will take the combined effort of the federal government, the private sector, our researchers and engineers and the general public. although cyber attacks are becoming more sophisticated, often cyber attacks are successful because of human error such as unknowingly opening a malicious e-mail or
9:12 am
allowing one's credentials to be compromised. part of our effort must be to educate the public. another part must be to better understand human behavior in order to make new tools and technologies more effective, such as the work being done to move beyond passwords. i look forward to hearing from our witnesses today about best practices, those opportunities for public/private partnerships that could help address our shared cyber security challenges. i'm also interested in hearing to what extent private business and organizations voluntarily implement fisma and how you may be participating in or benefiting from the framework for critical infrastructure. thank you and i yield back the balance of my time. >> thank you, mr. lipinski. i recognize the chair of the oversight subcommittee, the gentleman from georgia, mr.
9:13 am
loudermilk. >> this discussion on our federal information systems, i would like to thank our witnesses for being here today and to help us understand industry's best practices when it comes to cyber security. i look forward to hearing about lessons learned and how to apply those lessons to our federal systems to help prevent future cyber attacks. it is clear that our federal systems are not adequately protected. in fact, just this past summer a witness from the government accountability office before this committee stated, it is incumbent upon federal agencies to implement the appropriate security controls to mitigate those risks at a cost effective and acceptable level. and we found out that these agencies have not consistently implemented agency wide programs to mitigate that risk effectively. when i asked that same witness to grade our federal cyber security, he gave it a "d." a rating of "d" is not an acceptable grade. this administration owes it to the american people to significantly improve its
9:14 am
deplorable standing in order to sufficiently protect government information and thereby our national security. this administration also needs to explain how it is protecting the american people's personal information. as i stated at the hearing this summer, the breach of data from the office of personnel management is exactly why the oversight subcommittee i chair continues to look into the collection of americans' personal data through the website. in fact, i am still waiting for complete answers from the administration to questions i posed in letters to the science and technology policy and the centers for medicare and medicaid services back in june. this administration has not sufficiently explained why it was ever necessary to indefinitely store americans' personal data they submitted when logging into the website, particularly those who did not end up enrolling. one would think president obama would agree such a practice is unnecessary as he identified
9:15 am
cyber security as one of the most serious economic and national security challenges we face as a nation, and one that we as a government or country are not adequately prepared to counter. if cyber security is one of the most serious challenges this government faces, why on earth would the government ever consider storing all of this personal information indefinitely in data warehouses? as the chairman of the oversight subcommittee, i will continue to ask questions and demand answers until we are satisfied the federal departments and agencies are making decisions in the best interests of protecting the personal information of all americans. the safety and security of americans and this nation must be our number one priority. having continuously subpar security of our federal systems is embarrassing and must be rectified immediately. the delays must stop. it's time to finally do something about federal cyber security. i look forward to the witnesses' testimony in today's hearing. i hope to learn more about the
9:16 am
various industry best practices and lessons learned in hopes that it will shed light on what the government could and should be doing to protect our citizens from constantly evolving cyber threats. madam chairman, i yield back the balance of my time. >> thank you, chairman loudermilk, and i recognize the ranking member on oversight for his opening statement. >> thank you, chairwoman comstock and chairman loudermilk, for holding this hearing. as we keep learning after each new attack, cyber security is obviously a critical and daunting challenge. today the data we create, store, access and often share online holds information about almost every aspect of our lives. our collective digital universe is composed of banking records, birth records, personal health files, tax filings, on and on. last week i was going online to see how long i was going to live and now the cyber security attackers are going to know my cholesterol, my weight, the name of my dog and the last year i had a cigarette.
9:17 am
i took an alzheimer's test last night online, the results of which i hope don't show up in my next campaign. we electronically communicate with our kids' teachers about their academic achievements. i find that none of my kids will return my phone calls but they will text me right back. news flash -- none of this information is secure. immediate access to these digital connections provides tremendous advantages for businesses and consumers, and our own family business was highly dependent on all the information we've gathered on our customers, the next time congresswoman delbene needs an oil change on her subaru, for example. nefarious opportunities for cyber criminals, foreign governments on espionage and even more dangerous actors. protecting against known and emerging cyber threats is an ongoing enterprise that requires constant vigilance and continuous adoption. last year's opm attack was a huge concern for all the federal
9:18 am
workers that live in our districts across the country and procedural issues being addressed, but nobody is immune to cyber attacks, not in the government, not in the private sector. tracking cyber attacks. in 2015 there were 17 reported breaches against dot-gov addresses that resulted in access to 27.8 million records; the big one was opm. during the same time period the private sector experienced 184 breaches that resulted in exposure of 131.5 million records. a huge problem for both sides. and i believe sharing best practices to reduce i.t. vulnerabilities and educate federal workers is very important. i really look forward to today's hearing. i'm sure there are many lessons that we will learn from you today. i also look forward to the equal certainty that there's much that the private sector can learn
9:19 am
from the government, especially the department of defense and our intelligence community. so i look forward to today's discussion and thank you so much for being with us. madam chair, i yield back. >> thank you. and i now recognize the distinguished chairman of the full committee, mr. smith. >> thank you, madam chair. last year more than 178 million records of americans were exposed in cyber attacks. the breach of the office of personnel management alone compromised the personal information of more than 20 million people which included members and staff of this committee. the united states is a top target for foreign countries, cyber criminals and hacktivists who obtain valuable information. the number of incidents reported by federal agencies has increased over 1,000% in the last eight years. in 2014 more than 67,000 cyber attacks were reported and many others, of course, were not. a number of federal agencies
9:20 am
guard america's cyber security interests. several are under the jurisdiction of the science committee. these include the national science foundation, the national institute of standards and technology, the department of homeland security science and technology directorate and the department of energy. all of these promote cyber security and set federal standards. however, it is clear that too many federal agencies like opm fail to meet the basic standards of information security. more must be done to ensure agencies make cyber security a top priority. last year audits revealed that 19 of 24 major federal agencies failed to meet the basic cyber security standards mandated by law, yet the administration has allowed deficient systems to stay online. what are the consequences when a federal agency fails to meet its basic duties to protect
9:21 am
sensitive information? what does it say to federal employees, not to mention our adversaries, when cabinet secretaries don't take cyber security seriously and fail to follow the most basic e-mail security practices involving our country's classified information? in the private sector those who neglect their duty to keep the information of their customers secure are usually fired. in the federal government, it seems the only people penalized are the innocent americans who have their personal information exposed. during the last congress the science committee approved the cyber security enhancement act which was signed into law. this law improves america's cyber security abilities and strengthens planning for federal cyber security research and development. it supports scholarships to improve the quality of our cyber security workforce. it also improves cyber security research, development and public outreach organized by nist.
9:22 am
the cyber security act of 2015 was signed into law. very importantly this bill encourages private companies to voluntarily share information about imminent cyber threats with each other as well as with the federal government. the science committee will continue to support research and development. i look forward to hearing from our witnesses today about what more we can do to support innovation and help set national standards and guidelines that will enhance our cyber security. i thank you again, madam chair, and yield back. >> thank you. at this time i would like to introduce our witnesses. john wood is chief executive officer and chairman of the board for a leading technology company that addresses cyber security and secure mobility issues
9:23 am
for corporations and governments worldwide. mr. wood serves on the boards of the northern virginia technology council and the foundation for the performing arts, home of the nationally acclaimed wolf trap institute for early learning through the arts and its early stem arts program. he is also the founding chairman of the loudoun county ceo cabinet and served for five years as chairman of loudoun county's economic development commission. prior to joining in 1992, mr. wood worked on wall street after completing computer science at georgetown university. he also is very active in education throughout loudoun county and our district in getting young people engaged and involved; personally i know both with your company and with our school system, so we appreciate all you do in that area. dr. martin casado is a vmware fellow and vice president and manager for the networking and security business unit.
9:24 am
dr. casado joined vmware in 2012 when the company acquired nicira, of which he was co-founder and chief technology officer. he previously held a research position where he worked on network security in the information operations assurance center. he has been recognized as one of the industry's leading innovators and featured as one of business insider's 50 most powerful people in enterprise tech and forbes' innovators, and dr. casado received his masters and ph.d. from stanford. mr. ken schneider serves as vice president of technology strategy at symantec where he focuses on driving overall technology strategy across the company. he was previously chief technology officer of the enterprise security and information management groups. prior to joining symantec mr. schneider served as cto and vp of
9:25 am
operations for brightmail, the leading anti-spam software company acquired by symantec. mr. schneider founded south beach software, a consulting company that developed products for the professional video market. he also received a master of science in mechanical engineering from the university of california berkeley and a bachelor of science in engineering from swarthmore. mr. clinton is the president and chief executive officer of the internet security alliance, a multisector trade association focused on cyber leadership, policy advocacy and promoting sound security practices for corporations. mr. clinton is widely published on cyber security and is the principal author of the cyber risk handbook for corporate boards from the national association of corporate directors in 2014 and endorsed by the department of homeland security in 2015. the nacd also named mr. clinton as one of the 100 most
9:26 am
influential individuals in the field of corporate governance last year. mr. clinton is in demand internationally having spoken in europe, asia, and latin america, and we are glad to have him here today. in order to allow time for discussion, please limit your testimony to five minutes, and then your entire written statements, which i know are more extensive and have lots of good information, we'll have in our public record. and since we're on c-span today i would encourage the public to look at those full statements to get more information there. with that, i will now recognize mr. wood for five minutes to present his testimony. >> thank you. i'd like to thank chairwoman comstock and the other chairs and ranking members for the invitation to share some thoughts on behalf of telos corporation on industry best practices for cyber security and risk management. as i noted in my written statement, we protect the world's most security conscious enterprises providing our
9:27 am
customers with solutions for cyber security, secure mobility, and identity management. the first point i'd like to highlight is that all enterprises public and private need to emphasize cyber hygiene in their day-to-day operational practices and employee training. why do i make this first point? because the 2015 verizon data breach investigations report found that the overwhelming common denominator in security incidents is people. nearly all of the security incidents verizon cataloged might have been avoided if organizations had taken basic steps to help their employees follow simple cyber security precautions. here are five basic steps that organizations should take to help better protect themselves from attacks. first, establish and enforce cyber security policies and procedures. second, include effective password management practices.
9:28 am
third, require regular security awareness training. fourth, implement timely updates and patches to manage vulnerabilities and, fifth, use up-to-date end point security solutions. these five basic steps serve as the foundation for a strong cyber security program. every i.t. security professional knows them and yet the importance of following through with them cannot be overstated. further, these practices must be embraced in the boardroom and by management so that a culture of cyber security is created throughout the organization from the top down. that being said, every organization with high value digital assets needs to assume it has already been breached or will be. this leads to my second point, and that is that incident response and remediation are just as important to organizations as cyber defense-in-depth strategies. telos has developed incident response with essential steps
9:29 am
like preparation, containment, eradication and recovery which we use ourselves and implement for our customers. further, it isn't realistic to expect every organization to have the time or financial and human resources needed to successfully defend everything. that's why risk management is so critical to effective cyber security. risk management involves identifying, evaluating and either accepting or mitigating uncertainty in decision making. private and public sector organizations need to make cost benefit choices about which systems to defend and how to defend them based on the likelihood of an asset being attacked, the value of the asset being attacked, the cost of defending the asset, and the cost of losing the asset. that approach is reflected in the continuous diagnostics and mitigation program established by congress, quote, to provide adequate risk-based and cost-effective cyber security
9:30 am
and more efficiently allocate cyber security resources, end quote. this continuous diagnostics and mitigation program, or cdm program, extends continuous monitoring into the areas of diagnostics and mitigation while acknowledging that risk management is called for when you have to meet nearly infinite needs with finite resources. that's also the value of initiatives like the nist risk management framework and cyber security framework. they put cyber security solutions and best practices in the context of risk management and compliance, which brings me to my third point: the standards in the nist framework are very good but they cannot succeed unless companies follow them. we should be looking for ways that market forces can incentivize companies to voluntarily take the strongest possible actions to protect themselves, which includes following the nist standards and best practices.
9:31 am
the critical sectors are just that, critical. they're so important to our national defense, our economy, and our way of life that it's imperative government and private sectors encourage organizations in these sectors to use best security practices. one promising area is tied to the growth of the cyber insurance market. the commerce department has described cyber insurance as, quote, an effective market driven way of increasing cyber security, end quote. the increasing demand for cyber insurance may help drive private sector policyholders to adopt the cyber security framework. insight into what clients are doing. are they applying ongoing protection for the systems and data? are they using the framework or
9:32 am
an equivalent standard? in fact, insurance companies may require their clients to adopt the framework in order to demonstrate insurability and reduce premiums. we could see greater pressure brought to bear. so market forces may make nist's voluntary guidelines the standard to demonstrate to insurers or in court that they've exercised all due care to protect their customers and their assets. one additional point: cyber security is just too important to do on the cheap. overreliance on technically acceptable contracts can be risky. our fifth war fighting domain, cyberspace, must be appropriately funded. u.s. cyber command has been funded at a level that represents a mere 1/1000th of the budget.
9:33 am
four banks, jpmorgan chase, bank of america, citibank and wells fargo, are spending three times that amount on cyber security. jpmorgan, after they got hacked, decided to double their i.t. security spend from $250 million a year to $500 million a year, more than all of cyber command. the financial sector is an example of the private sector taking responsibilities very seriously and devoting resources to protect themselves. i'd be glad to answer any questions. thank you. >> thank you. now we'll hear from dr. casado. >> thank you, members of the committee, for the opportunity to testify today. i'm super thrilled to be here. i'm martin casado, general manager of networking and security at vmware, the fourth largest software company in the world
9:34 am
with revenues over $6 billion and over 18,000 employees. the opm breach was not unique. hackers were able to gain access to opm and department of interior systems where they were free to access and steal sensitive data over a period of several months. hackers typically use this attack methodology because perimeter centric security systems are structurally designed to be doors to the network. these doors allow authorized users access and prevent unauthorized users from entering a network or data center. however, perimeter security is a single point of entry that must be breached or circumvented to enter the network. once the intruder has passed the perimeter, there's no simple means to stop malicious activity from moving throughout the data center. in many cases the response from companies, agencies and network security investors is to add more security technology to the
9:35 am
perimeter, which ignores the structural issue, creating a line. salient points for consideration: one, every recent agency breach has had one thing in common, the attacker, once inside the perimeter security, was able to move freely around the agency's network. two, perimeter centric cyber security policies, mandates and techniques are necessary but insufficient and ineffective in protecting cyber assets alone. three, the cyber attacks will continue but we can greatly increase our ability to mitigate and limit the damage and severity of the attacks when they do. so in today's legacy networks there are a lot of perimeter centric technologies designed to stop an attacker from getting inside a network. clearly this is not sufficient to combat today's cyber attacks. perimeter security solutions are analogous to a locked door that can only be accessed with a key. the primary function of the door is to deny initial unauthorized entry by anyone who does not have a key. however, once the door is forced open or breached, the unauthorized actor is free to move about unabated.
9:36 am
in order to effectively prevent an attacker from moving freely around the network, agencies must add zero trust or micro segmented network environments within the data center. a zero trust environment prevents unauthorized lateral movement by establishing automated governance rules that manage the movement of users and data between business systems or applications within the data center network. when a user breaks the rules, the potential threat incident is compartmentalized and staff can take remediation and not put the entire network in jeopardy. compartmentalization is equivalent to significantly limiting the intruder's ability to move around freely within the house. this mitigates the magnitude of a perimeter security breach or break-in. these approaches are already the gold standard in commercial industry and need to be across the federal government. many government agencies conclude the most effective means is to build a new network environment or data center
9:37 am
called a greenfield environment with enhanced security protocols. agencies reach this conclusion because existing environments are assumed to be unsalvageable. this is a legitimate strategy; however, it fails to address the persistent threat to existing cyber infrastructure. there are two main issues with this approach. existing networks or data centers continue to operate while the new environment is being provisioned, which leaves sensitive data vulnerable to continued attack. it can take months or years. as we've seen, this is what happened with the attack at opm. they were building a new enhanced network but the attack happened on the existing system. without clear cyber security guidelines mandating new software based security strategies that go beyond perimeter centric security, the new environments are subject to attack as soon as they become operational. in an era of constrained resources and imminent threat this is insufficient and untimely. agencies have the ability to upgrade the posture of their existing infrastructure and add zero trust software rather than new,
9:38 am
expensive solutions. by deploying these technologies within our existing networks and data centers, agencies can avoid billions of dollars in new greenfield infrastructure when the driver is strictly security related. thank you very much for the opportunity to testify today, and i look forward to answering the committee's questions. >> thank you. now we'll hear from mr. schneider. >> gentlewoman comstock, chairman loudermilk, ranking members lipinski and beyer, thank you for the opportunity to testify today. cyber -- >> i don't think your microphone is on. sorry. >> sorry about that. chairwoman comstock, chairman loudermilk, chairman smith, ranking members lipinski and beyer, thank you for the opportunity to testify today. the focus of today's hearing is right on point. cyber security is a shared responsibility, and the public and private sectors must work together closely to counter ever evolving threats. many of the recent headlines about cyber attacks have focused
9:39 am
on data breaches both in government and across the spectrum of industries, but cyber attacks do much more than that, and the incidents we see today range from basic confidence schemes to massive denial of service attacks to sophisticated and destructive intrusions into critical infrastructure systems. the attackers run the gamut and include organized criminal enterprises, disgruntled employees, activists and state sponsored groups. attack methods vary and the only constant is that the techniques are always evolving and improving. spear phishing, or customized e-mails, is still one of the most common forms of attack. social media is also an increasingly popular attack vector, as people tend to trust links and postings that come from a friend's social media feed. we've seen the rapid growth of targeted web-based attacks known as watering hole attacks, and trojanized updates where malware is cloaked in updates. for example, last year legitimate software developers were tricked into using
9:40 am
compromised software to publish their apps, which were then pushed into apple's app store and downloaded by unsuspecting consumers. further, the attacks continue to expand as both the public and private sector move to the cloud, and the internet of things and new devices coming online will bring a new set of security challenges. ccs insight predicted the sale of 84 million wearables in 2015. each of those 84 million users is transmitting sensitive data into cloud platforms that must be secured. preventing these attacks requires layered security. we refer to this as a unified security strategy. the national institute of standards and technology framework reflects this approach and its functions serve as an outline for discussing an approach to security. first is identify. simply put, you can't protect what you can't see. the task goes beyond just identifying hardware and software and includes a risk
9:41 am
based approach to make sure the most critical are identified and protected. next is protect, and it starts with people. an organization needs to ensure that its workforce practices good cyber hygiene and is alert for the latest scams and schemes but, of course, technology is important, too. modern endpoint protection examines numerous characteristics of files for emerging threats that might otherwise be missed. it's critical to monitor the overall operation of a system to look for unusual, unexpected or anomalous activity. information protection is equally important. this requires a data loss protection system that indexes, tracks, and controls the movement of data across an organization. the third function is detect. an organization needs to know what is going on inside of its systems as well as who is trying to access what and how they're trying to do so. monitoring analytics on a huge volume of machine and user data and advanced behavioral analytics to know whether a series of anomalies is malicious
9:42 am
activity. the systems are able to detect threats that bypass other protections. fourth is respond. good planning is the foundation of an effective cyber security strategy. if and when an incident occurs an organization must have a well-defined and practiced playbook to respond quickly and effectively. interviewing potential vendors and assigning roles and responsibility is not a good use of time while an organization is hemorrhaging sensitive data. the last function is recover. this is twofold, getting the impacted systems back up and running and improving from the lessons learned. it requires preparation and planning. for example, poor preparation could leave an organization with incomplete or corrupted backups. but perhaps the most important part of fixing identified flaws in both systems and processes is to learn from the incident. cooperation is key to improving cyber security. public/private partnerships to combat crime include the forensics and training alliance, the fbi, nato
9:43 am
and ameripol, taking down networks including high-profile ones such as the financial fraud botnet. the only path to improved security for the nation is through partnership and shared expertise, and the government can learn from the private sector's experience incorporating cutting edge security tools into their security programs. we appreciate the committee's interest in learning from symantec and i'll be happy to take any questions during the day. thank you. >> thank you. and now we'll hear from mr. clinton. >> thank you, madam chair and members of the committee. it's an honor to be here. i appreciate the opportunity. i'd like to focus on five areas where the federal government can learn from the private sector. first, the government needs to invest much more in cyber security. spending on cyber security has nearly doubled in the last several years to $120 billion annually. the federal nondefense spending
9:44 am
on cyber security this year will be between $6 billion and $7 billion. private sector spending will increase 24% next year. the federal government spending is increasing about 11%. i know of two banks with a combined security budget of $1.25 billion for next year. dhs' entire budget for cyber security next year is about $900 million, 75% of what two banks are spending by themselves. cyber crime costs our nation a half trillion dollars a year, yet we are successfully prosecuting maybe 1% of cyber criminals. we need to spend more on cyber security. two, government needs to act with greater urgency. it took congress two years to -- sorry, it took congress six years to pass an information sharing bill. in 2009 major trade associations presented congress and the administration with detailed recommendations on cyber security. in 2011 the house gop task force report on cyber security
9:45 am
embraced the recommendations, as did president obama's executive order. four years after the task force report we still have not seen any substantial work on the top recommendation in that report or the executive order. for example, the gop task force report, the executive order and the national protection plan all call for the creation of a menu of incentives to promote the adoption of cyber security, yet aside from the information sharing bill, the president has not proposed, and congress has not introduced, a single incentive strategy bill. last month gao reported that 1 of 15 sectors -- sector specific agencies had not identified incentives to promote cyber security even though that's called for in the national protection plan. the president's executive order called for the framework to be both cost effective and prioritized. three years later there has been no objective measurement of the framework's effect on improving security, adoption, or its cost effectiveness. three, the government needs to
9:46 am
escalate -- to educate the top leadership as the private sector is doing. in 2014 isa and aig created a handbook on cyber security for corporate boards which was published by the national association of corporate directors and is the heart of the training program that they are launching. pricewaterhousecoopers recently validated the success of this approach, saying boards appear to be listening to the nacd guidance. this year we saw a double digit increase in board participation in cyber security leading to a 24% boost in security spending. other notable outcomes include the identification of key risks, fostering an organizational culture of security, and better alignment with overall risk management and business goals. we believe, madam chair, the government needs a similar program to educate the government equivalents of corporate boards, members of congress, members of the cabinet, agency secretaries. most senior government officials are not sophisticated in their understanding of cyber security. if they are educated as we're educating the private sector we
9:47 am
think we could have more effective policy. four, the government needs to reorganize for the digital age. over the past several years the private sector has moved away from the i.t. department as the central focus of cyber security toward more of an enterprise risk management approach. unfortunately the federal government is still caught up in legacy structures and turf wars that are impeding our efforts. a bank of america/merrill lynch study found in 2015 the u.s. government is still in the process of determining who will have jurisdiction in cyberspace; departments, agencies and commands are all battling for jurisdiction and funding. the result is a fragmented system with muddled political agendas that is hindering a secure system. and, finally, five, government needs to become more sophisticated in managing their own cyber security programs. a 2015 study compiled -- compared federal civilian agencies with the private sector and found that the federal agencies ranked dead last in terms of understanding cyber security, fixing software problems, and failing to comply with industry standards 75% of the time. the reason the government does
9:48 am
so badly according to gao is they simply evaluate by a predetermined check list. the private sector, on the other hand, uses a risk management approach wherein we anticipate what the future attacks will be based on risk posture and a forward looking attempt to adopt standards and practices. we believe that the government needs to follow the private sector's lead. they need to become more educated, more sophisticated and innovative and act with greater urgency and commitment with respect to cyber security. i appreciate the opportunity to speak to you today. thank you. >> i thank the witnesses for their testimony, and we now will move to questioning and we have five-minute question rounds. i will recognize myself for the first five minutes. thank you all so much for your expertise and your passion about this important issue. i remember back in 2014 i was able to sit down with mr. wood
9:49 am
and we spent a pretty long afternoon identifying a lot of the problems. i'm sorry to say everything you said came true and that all the problems you identified were dead on. i appreciate that you're here to help us address that. i was just out at the consumer technology conference earlier this week, and so we're seeing a lot of the new things that are in practice and certainly the concept of innovate or die is very much a reality here. so i was wondering if -- because i think you've all addressed a little bit, but how do existing maybe government accounting provisions impact the ability for the public sector to be agile and to be able to do what you do in the private sector, and how can we -- i know this is a little bit out of our jurisdiction in terms of
9:50 am
government accounting but sort of identifying the problem and how we can address it. we have the standard. we have the practices. we need to be more risk management based instead of just a check list. can we all get to policies in the government that are as agile as what you're dealing with in the private sector? >> one suggestion i would have is that i think it would be very helpful for the government to move more towards a best value approach to government contracting versus a lowest price technically acceptable approach. the same individuals that we put on assignment with the government often will receive a much higher rate for those individuals working commercially because commercial companies tend to value the kind of capabilities that our security professionals have. when i say much higher, it's
9:51 am
often 300% higher. that's a really big issue that the government needs to at least address. otherwise you tend to get what you pay for. >> i agree with mr. wood. i think this speaks to part of the education issue that i was speaking to. we need to have a better understanding of the breadth of cyber security. what you're talking about is not an i.t. problem. it's an economic problem. that's what cyber security is. it's not an i.t. problem. it's an economic problem. and we need to find a way to move away from lowest cost items particularly in the federal space. we have examples where federal agencies are buying equipment off ebay from nonsecure suppliers because it's lower in cost. while we appreciate the tension and the need for economy in these times, we have to understand that there is a direct trade off between economy
9:52 am
and security. we had the same problem a few years ago. we might be able to have a better appreciation between cyber security and the technology of cyber security. the real problem that you're speaking to in my opinion mostly comes in the smaller business elements of cyber security. if you're going to deal with the major defense contractors, frankly, you compensate them reasonably well and they have pretty good cyber security. but they are required essentially to farm out a lot of the procurement to smaller firms across the country and districts and those smaller firms do not have the economies of scale to meet the cyber security standards that the primes have. we have to find a way to provide incentives for those smaller companies to come up to grade
9:53 am
because it's not economic from their business point of view in order to do that. we think there are a number of suggestions we have made, and i referred to them in my oral statement, that could talk about how to better incentivize the smaller companies so we can get them up closer to where the majors are, and if we can do that, we can achieve our goal, which is a cyber secure system as opposed to cyber secure entities. >> mr. schneider? >> i think another thing, and this isn't directly a contract issue, is to use the tools that they have already purchased. one thing we see a lot in the private sector and the public sector is the acquisition of technologies that then aren't even configured properly and used properly. a lot of the investment that happens both within private organizations as well as the public organizations is to take the technology purchases and make sure that you have the right human capital and the best practices to deploy those
9:54 am
properly. the most cost effective thing you can do is use the money spent more wisely. that's one key we see as well. >> thank you. >> just quickly on a positive note. i'm kind of a personal success story. when i graduated with my ph.d. i was thinking of being a professor. instead i worked with the intelligence community who decided to fund a startup that we were doing, and they were great to work with early on. kind of to the congressman's point, there's a lot we can learn from the government. that turned into one of the largest tech sector acquisitions ever and a huge security initiative. so i think more working with the startup ecosystem, funding that, allowing us access to the way that you think about the security and technology will hugely help innovation. >> thank you. i want to particularly note mr.
9:55 am
wood you call it the fifth warfighting command. the numbers and comparison in the public sector and what we're spending in the quality, that's a very meaningful contrast in understanding. this is part of our defense system and certainly as we see in social media being used and the terrorism area and all of those, i appreciate you putting a real emphasis on that. thank you. i will now recognize mr. lipinski. >> thank you, so many things to talk about. i just got set off in another direction, so first i'll say it's good to see a stanford and berkeley guy be able to sit next to each other. i'm a stanford guy. you had just mentioned there should be more done by the
9:56 am
government to engage silicon valley entrepreneurs. what more could the federal government be doing right now in this area? >> i'm actually very positive about the actions the government has taken over the last few years. i've worked directly with government agencies and i think continuing to fund efforts to engage with start ups, understanding that those are risky propositions and the high level of risk, i think is very beneficial. again, all of the work that i have done in the last eight years has been based on my experience personally and then funding from the government and it's turned into a major initiative. i would encourage you to continue the work you're doing. >> anything not being done now that should be being done? >> i think -- i think the problem is you're great at funding on the early stage, and when things get bigger,
9:57 am
it's harder to engage with the government because you get into procurement processes that are owned by a number of people. so normally what happens is you do a great job incubating and find out that we can't sell to the government because it's too hard and too sticky. not only giving them the initial funding but giving them inroads to being an actual vendor to the government and helping that out. originally we tried to engage the government and it wasn't until eight years later we could do it in a viable way. now we're doing it in a way that we're excited about. hand holding would have been helpful. >> anyone else on this subject before we move on? >> we're seeing more engagement. dhs has been active over the last couple years. there's a new dod project where they have now established a field office in silicon valley
9:58 am
trying to invest in startups to bring some of their technology needs to the valley. i think we're seeing a lot more engagement over the last year. >> anyone else? mr. wood? >> thank you, sir. i'm honored to sit on the commonwealth of virginia's cyber security commission as well. one of the things i have been encouraging the commonwealth to do is encourage closer relationships between the university ecosystem and the business ecosystem and to really promote research. i think that will propel the startup activity that the gentlemen to my left are both talking about, whether it's in silicon valley or research triangle. we need far more research than we currently have. the reason is because, when i talked about earlier the dollars being spent in the federal government and the commercial side, it's very simple.
9:59 am
we have a scarcity of resources in terms of professionals. so we need more tools to be able to deal with the complex environment that's going on out there. the tools are the way forward in order to help deal with that scarcity of resources. there are other things we can do as well. but i think that research would really help us a lot from a cyber security perspective, really as a nation. >> very quickly and continuing with mr. wood, i want to thank you for your work in education and thank you for bringing up how important it is that the human behavior is critical in preventing so much of this. i think you said nearly all of these attacks would have been averted with better behavior, and that brings up the importance of understanding human behavior and funding social science research
10:00 am
into things like this. but the last thing i wanted to ask you is you talked about insurance. i'm very interested in how do we incentivize the private sector. is this something that should be required or do you think this will develop over time? do you see a need for the government to require insurance against these types of attacks? >> sir, i personally don't think there's a need for the government to require it because the lawyers, at the end of the day, will help corporations and other organizations understand the legal liability associated with not taking the appropriate actions. >> have companies really suffered that much who have been -- who have had these data breaches? >> i think they are beginning to. i'm seeing more and more board
10:01 am
room kind of calls being made to our company than ever before. i think the very public retail breaches that have occurred are now heading into not just the ceo's office but right into the board rooms. i also believe the critical infrastructure industries that are already regulated feel the pressure associated with doing something. that's why i think that the insurance companies are doing what they are in terms of really trying to promote cyber insurance. their feeling is if the corporations can provide evidence that they are doing what's appropriate from a risk management point of view, that will result in two things. one is lower premiums to the corporation who is looking to get the insurance, and secondly, better legal defense to the extent that they are sued. >> thank you. i yield back. >> mr. clinton. >> if i could very quickly, first of all, we're big fans of
10:02 am
insurance, so we have been promoting cyber insurance for over a decade, but i don't think that a requirement is appropriate. >> if you have been promoting it for over a decade, it doesn't seem like it's that widespread. >> no, that's because of systemic problems in the insurance market. lack of data and in particular the enormous risk that the insurance companies realize that if they insure and there's a major catastrophe they are on the line for everything. we faced the same in terms of insurance in the last century with crop insurance and flood insurance. there are ways we can work with the federal government in order to address that problem. i'd be happy to go into those in some detail, but i wanted to get to the requirement piece. one of the things the federal government could do is require insurance, cyber insurance on your information systems, in the same way that you require
10:03 am
physical insurance when you build buildings. i think if the government did that, it would be a market leader in that regard. the other thing i want to point out, and this bears more conversation because i think this is a widespread misnomer, the reality when you look at the data of the economic impacts of the high profile breaches is not what you think. if you go back and look six months after the sony attack, their stock price was up. if you look at most of the high profile breaches, you find there's an initial reduction and then there's a bounceback. i can explain why that is, because the smart guys on wall street say, oh, nice distribution system, i like the price point of their products and the price is down, buy opportunity. so the natural things we assume are going to happen really are not happening when we look at the data. but mr. wood is right about the fact that corporate boards are spending much more attention on this. but i think that has to do with
10:04 am
the threat to their intellectual property, which is being vacuumed out and is a tremendous economic risk. >> so they are not concerned about the consumers and people using their business. they are concerned about their own -- that's a suggestion there. >> we're going to have to move on. >> i will get back to that. >> and please do so. i'd appreciate submitting some more information on the insurance area. i think that would be very interesting. i now recognize mr. loudermilk. >> after spending 30 years in the i.t. industry myself, i can equate to a lot of what you're saying. especially the cyber insurance. big supporter of cyber insurance because of the standards that the insurance companies put upon these businesses. and i sold my business a year ago. i was greatly relieved when i sold the business. while it was on my mind 24/7, it
10:05 am
was not on the minds of my customers. mr. clinton mentioned ebay. we had many instances where we had a secure network in place and we engineered it and put the products in, some of the products that you represent, from spam filters, firewalls, content managers. then we would find out that they would go and buy parts for these off of ebay that would come from somewhere overseas and we don't know the firmware that's on it, and i understand that what's on their mind, especially dealing with small businesses, is bottom line. lawyers are being lawyers, they are doing what they are doing. we're supposed to take care of them. but when we go forward and say this is what we need to upgrade and they say we don't want to do that right now, do we have to do it? your network will still function but
10:06 am
you're very -- at a high amount of risk. that usually doesn't change their mindset. so having those standards is important. another thing brought up is risk based management. we used to emphasize to our employees, there's two types of computer users: those that have been hacked and those that don't know they have been hacked. i think that's -- another part of risk management is we emphasize to our customers, don't keep what you don't need. if you don't need the data, you don't have it, you don't have to secure it. that really brings to an issue that i have great concern about here in the federal government, and that's with the midas system, which is storing information on americans who access the health care website. not just those who got their health insurance, but those who even shopped it.
10:07 am
it's storing personal identifiable information of americans without their knowledge in a data warehouse. mr. wood, considering what's happened to the federal government, the recent data breaches, does it concern you that the federal government will be holding information on citizens without their knowledge, even for those who did not get their health care coverage through this system? am i justified in my concern over the risk of storing this data, especially data that is not needed? >> so you're raising both a privacy perspective as well as a cyber security issue. at the risk of being a monday morning quarterback, if i were to reflect on the opm situation, the unfortunate situation, because like all of you, i
10:08 am
also received my letter that gave me the good news. i think that in retrospect had opm been using two factor authentication, had they been using encryption at rest, had they had log files, we would have had a lot -- a much different situation than perhaps we ended up having with opm. so as it relates to the situation, i don't know how they are storing the data to be able to reflect to you about what is appropriate, but i think generally speaking most people are a little nervous because those of us in the know worry that there just isn't enough resources being applied from a financial perspective to the i.t. security issue. it's not just at the federal level, it's at the state level too. commercial corporations, on the other hand, i see around the
10:09 am
world are taking the appropriate steps. i gave the example early on in my testimony about jpmorgan chase. when they were hacked, they were spending at that time about $250 million. after their customer information -- after the customer information got out, they went to the board. the board determined that they had to increase substantially what they spend. one was to actually buttress what they were doing, but the other thing was to raise the confidence of their customers. so at the end of the day, i would argue that while their shareholder price has gone up over time, they care about customer data. >> i would like to ask to respond to the same question, but also mr. wood, part of mitigating your risk is not keeping data that you don't need. would you agree that that is a good practice, if you don't need data, to not store it? >> yes, sir. >> mr. clinton?
10:10 am
>> that's absolutely right, sir, thank you. >> and now i'll recognize mr. beyer. >> i was fascinated by your testimony, especially, once the intruders are past the perimeter, there's no simple means to stop malicious activity from propagating throughout the data center. this whole notion of unauthorized lateral movement and your call for zero trust microsegmented environments. is this recognition built into this cyber security framework? >> the moving from just the perimeter to the internal stuff? >> we're actually working with them now, but i think making it part of a standard would be greatly beneficial. >> it sounds like an essential part of the cyber security
10:11 am
framework. >> this is becoming a best practice. part of a standard would be very beneficial. >> mr. schneider, you said we're well past the days when a password will be much more than a speed bump for a sophisticated attacker, and authentication combining something you know with something you don't know like a text message is essential for any system to be secure. is this part of the cyber security framework that was developed? >> i think it's similar in that it's a best practice that's not codified into the framework, but the ability to protect your information is becoming a best practice. the example i would give is there should not be passwords as a core element of how we access information because it's so hackable. we really feel like a future
10:12 am
with rich multifactor levels is the right approach. you can imagine yourself. you can go back to your office and sit down to check your e-mail. if you're using a mobile device, there's already two or three factors that say i'm supposed to be in my office, i'm in my office, i'm accessing e-mail. you may then ask for a pin or additional level of authentication, but it's having those kinds of authentication we see in the future and not static passwords. >> so both of these revolutions, which leads me to mr. wood. you wrote very eloquently on page four of your statement that most businesses would prefer the government impose the fewest possible requirements on them. we hear that every day in the house. how many breaches will it take before it's recognized that allowing the private sector to choose the path of least resistance creates an opportunity to put critical
10:13 am
infrastructure at risk and our national economy at risk? it's purely voluntary. when do businesses come together to recognize this really needs to be the mandated standard across the country? >> so earlier we were talking about insurance, and the insurance industry and why hasn't it adopted cyber insurance more quickly. the simple reason is because there was no standard, there was no agreed upon standard until not that long ago. so i think that ultimately i look at the cyber security framework as a baseline. what these gentlemen are talking about are, in fact, good points and they are additive to the baseline. if we can get to an agreement about what the baseline is and all adhere to a baseline, we know the other person i'm dealing with is going to be able to evidence for me i can do business with them because they are taking the appropriate steps. >> it just seems to me, thank
10:14 am
you very much, that we look at so many things that affect us and we have mandated it. regulations have to be cost effective. we did air bags in cars and seat belts and health care, rather than relying on the threat of a lawsuit and insurance. >> with respect, sir, i would push back in the opposite direction. in my testimony i pointed to the fact that the federal government does operate in the model that you're talking about, with standards that they must comply with, and when we evaluate them independently versus the private sector, the federal government comes out dead last. the reason is that this is not air bags. this is not consumer product safety where there's some magic standard that we come up to the
10:15 am
standard and we are set. the problem is not that the technology is under standard, it's that it's under attack. that's a different problem. we need to be forward looking. if we talked about mandating standards a couple years ago, we would be talking about mandating firewalls and things like that that we now see as obsolete, and companies would be spending a lot of money complying with these outdated standards. so we need a different model. the digital age is much more forward looking. that's why the obama administration and the house republican task force and the private sector all agree that what we need is a forward looking incentive-based model, and we need to get industries to understand that it's in their best interest to be continually advancing security. they have to be looking forward. we can do this, by the way, but it is a completely different mindset. we need to understand that in
10:16 am
the digital age, the old model just isn't going to work for this modern problem that includes nation states attacking private companies. there's no minimum standard that's going to protect them. we need a different model. we think we can develop that, but it's going to be different. >> i recognize chairman smith. >> thank you, madame chair. mr. wood, let me direct a couple questions to you. but let me describe this scenario first and ask you to comment on this particular situation. for conducting official and personal business. these e-mails could include sensitive or classified information about national security. in addition, all e-mails would be installed in a server located in their private residence. intrusions would be obvious
10:17 am
threats among other security risks. material being transmitted could be a matter of national security. so two questions. could this scenario unnecessarily expose classified information to being hacked? >> yes. >> do you want to elaborate? second question is how would your company respond. >> we wouldn't do it. >> you're exposing classified data in the open. that would not be prudent and also be illegal. >> why illegal? >> because the government requirement is that all official information be used through official means. >> i don't have any other
10:18 am
questions. i yield back. madame chair. >> thank you. >> thank you, madame chair. all of this hearing isn't focused on research. mr. wood had addressed research as a component for growth in this region and this area. as you know the government plays an important role in supporting cutting edge research on all aspects of cyber security. through agencies such as the national science foundation, national institute of standards and technology and the department of homeland security we fund everything from basic research to test beds for emerging technologies. and all these cyber security programs are coordinated under the networking and information technology programs. so while mr. wood did raise the issue of research, are there recommendations that you or any of
10:19 am
our individuals testifying any recommendations you'd have about federal agencies and how to set research priorities and what major research gaps exist out there so we can better partner in a more effective manner with research opportunity? >> i think the national labs are doing tremendous work around all kinds of initiatives that regrettably many don't see the light of day. i think more can be done. to make industry aware of what the national labs are up to and then, b, provide a mechanism to license some of those very critical research and development initiatives that really may have one specific customer but ultimately could have an entire industry it could help serve.
10:20 am
that would do a couple things. it would provide an income stream back to the labs and the government and the other thing it would do is provide more innovation. >> thank you, anyone else? >> one area that we're very invested in right now is on helping the people part of the equation. technology will continue to be an important element of any security approach and automation underneath. but clearly it's the people on top that we have to make sure are adequately trained. one of the areas we've been highly invested in is platforms to help us understand what cyber breaches look like and be able to respond to those. so many companies send out fake phishing e-mails to their employees and see whether they respond or not and if they reported it to their security organizations. that's one simple example. there's also simulation
10:21 am
platforms that talk real world breaches and allow people to interact with those. things like initiatives, mature for a number of years. this is really now coming into the private sector and civilian agencies in a situation they have invested in and there's a lot of potential for cooperation with some of the labs. >> thank you. mr. clinton? >> perhaps a slightly different level of abstraction, we would strongly support the notion of the government doing some research on the cost effectiveness of the framework. we are big fans of the framework. we like to think it was our idea. we published material on this a number of years ago. the executive order says that it's supposed to be prioritized and cost effective and voluntary. we believe that if properly tested we would be able to determine various elements of the framework. the framework is enormous and applies in different ways to
10:22 am
companies and sectors. if we did cost effectiveness studies we could demonstrate what elements are most effective to varying sizes and sectors of industry. once you can demonstrate that the framework is cost effective, you don't need mandates. companies will do what is cost effective. when you go to a board room, you can't just say it's a good idea. they are going to say where are the numbers. show me that it's cost effective. if we did that kind of research which is pretty easy, we can get a lot of bang for the buck in terms of doing what we all want, which is for industry to adopt these things on a voluntary basis. >> i was a research scientist in the national lab. dhs paid for my program, was a fellow, started my company. i have done a number of research grants. the biggest difference in my
10:23 am
experience between funds is the number of constraints that are on them. more flexibility in applying funds to our agenda led to better research. so i think the more agenda that goes prior to the funding, the harder it is for us to fit it within our broader research agenda. i think it's great to fund certain areas. i don't think it's so great to overconstrain the problems that are being looked at. >> with that, i yield back. >> thank you. and i now recognize mr. lahood. >> thank you, chairwoman and thank the witnesses for being here today and for your testimony. when we talk about cyber security and these breaches whether in the private sector or in the government and whether we describe them as hackers or something more sophisticated, every time this is done either in the private sector or to a government agency or entity,
10:24 am
would you describe that as criminal behavior? is that a violation of a state or federal statute in some respect? >> i think one of the challenges of cyber security is it's a global phenomenon. a lot of the attackers are not in the u.s. but the assets they are protecting may be. so i think the legal considerations can be pretty complicated. the other thing is as more and more infrastructure moves to cloud platforms, even where those assets are becomes more of a challenge. so i think in general the answer is yes, but there's a lot of complexity to the global nature of cyber security. >> i guess as a follow up to that, if we look at traditionally when there's criminal behavior that is engaged in, there's somebody held responsible. there's a prosecution, there's a legal process that happens.
10:25 am
it seems as if i guess the question to you is are you aware of a successful prosecution where somebody is held accountable where there's a deterrent effect. there's no penalty, there's no pain, there's no consequences to anybody that engages in this activity. mr. clinton? >> congressman, i think you put your finger on what i would think is one of the number one problems in this space. i would answer that it absolutely should be criminal, but it's not in certain places. so we need to be doing two things. we need to be dramatically increasing our law enforcement capability. as i said in my testimony, we're successfully prosecuting maybe 1% of cyber criminals. there's no deterrent on the criminal side or a viable deterrent. we need to be helping our law enforcement guys doing a great job, but they are under
10:26 am
resourced dramatically. then we also need to be working aggressively with our international community to create an appropriate legal structure in the digital age. we don't have it. we're operating in an analog world with cyber attacks and it simply is unsustainable. we need to be doing both of those things. >> anybody leading the way out there? either internationally or here domestically? where are we at with that process? >> we are not doing nearly enough. there are people who will give a speech here and there. i'm not going to point fingers at law enforcement. i think they are doing everything they can. they are underresourced. we need leadership from the congress to demonstrate that this is a priority and we are going to fund it much more aggressively. >> thank you. mr. wood? >> thank you for your question, sir. the issue is that on a law enforcement perspective is as mr. clinton pointed out, it
10:27 am
requires global cooperation, but then the standards of prosecution also have to be the same. so a standard of prosecution might be different than at the commonwealth level, which might be different than in paris. there needs to be some agreement as to what the standards are for prosecution as well. >> why are we waiting around for that? it seems this is ongoing. there should be some standards set to do that and it doesn't sound like there's a framework in place to address that. >> we did an analysis in the commonwealth on just that point. it was a really great analysis, which i would be more than happy to provide to you from the commonwealth of virginia. i don't know why. all i can say is that the standards, even within the states are different for prosecution. >> and can you point to me in the commonwealth of virginia where there's been a successful prosecution or that deterrence has been put in place in virginia? >> we just changed the laws within the last six months. i'd have to refer to my
10:28 am
colleagues in law enforcement to let you know. >> thank you, i yield back. >> one point if i can. there are a number of great examples where there's been cooperation between the private sector and law enforcement to do takedowns. game over zeus was a recent one. zeus has been a financial proud that's been around successful for a number of years. the next version of that came online. it was propagating things that maybe you heard about where it takes people's machines and encrypts the information. so there's some successful examples, but to your point, a much more consistent global approach is needed. >> in your case, was there actual individuals held accountable there in prison right now? >> there's a particular individual that has been prosecuted and
10:29 am
convicted. >> are they in the united states in prison? >> no, it's in europe. >> thank you. >> thank you. >> thank you very much, madame chair. thank you for holding this hearing. it's such an important issue. certainly one where there's a lot of room for bipartisan cooperation. i think mr. clinton identified the challenge of setting policy in this area because the technology always changes so much faster than policy changes. so that being said, i look forward to working with colleagues and continuing to raise awareness about this important issue. and also come up with policy that not only addresses the issue but prevents it. i was recently out in oregon visiting id experts, which specializes in health care data breaches. this is not just a federal issue, as some colleagues might have suggested. we're talking about millions of
10:30 am
people here. and most people think when they think about identity theft think about the financial consequences, but with medical identity, if someone gets a procedure or prescription or something and that's entered into the individual's electronic health records, there are health risks involved in that as well as financial risks. it's no surprise that people don't carefully view their benefits statements just like a lot of people don't carefully review their financial statements or credit card statements. i want to follow up on something, the conversation about the psychological aspects. in your testimony, you say this, and it put a picture in my mind like the lion in the wild who stalks a watering hole for prey. cyber criminals lie in wait on legitimate websites that they previously compromised and used to infect visitors. most of these attacks rely on social engineering, trying to
10:31 am
trick people into doing something they would never do if fully cognizant of their actions. it's as much psychology as it is technology. i'm going to have this vision of a lion waiting and maybe that will help stop me from clicking on things i shouldn't click on. but could you talk a little bit about do we need to fund more behavioral or social science research? do we need to do a better job educating people about those risks and how to identify them? how do we -- are we adequately addressing the psychological aspect? when we talk about the risk, you brought this issue up as well that we have to do more to prevent that. so could you address that, please? >> ultimately social engineering is going to be part of the security equation because we are
10:32 am
fallible. systems have to be put in place to do a better job of helping to secure our own information as well as our company or agency's information. some of the examples i would give you are in the training area we have talked about helping all of us to be more thoughtful about security. it's the security architecture underneath that makes it harder for attackers to get the information that we care the most about. so all the world's information is not created equal. medical health records are much more important to us, financial records are much more important to us than the lunch menu we're going to look at today. it's taking a much more granular approach to information protection, identifying the sensitive information we care the most about and putting more security around those kinds of assets than the generic assets that are out there. >> what's your thought on that?
10:33 am
>> i'm 39 years old and when i was 37 i got an e-mail from my sister on my birthday. it was like, dear brother, i'm so happy you're my brother and there's a picture of us when we were kids. it was nice to see you last week. happy birthday. there's a little link. the first thing i thought is this is so sweet. my sister has never remembered my birthday before. i thought my sister has never remembered my birthday before. so i looked through the mail headers and it had come from russia. i've got a technical background and a sister that doesn't remember my birthday and if either of these weren't true, i would have clicked on that link and infected my computer. i think this tells me fundamentally that it's very important to train users. it's important to do passwords, but a determined attacker will find a way in. they got these pictures off of
10:34 am
facebook. it wasn't that hard to do. that was probably two hours of work to send me that e-mail. if i was anybody else i would have clicked on that link. >> can you real quickly, i serve on the education workforce committee. what are we going to do in terms of educating the next generation to make sure we are getting a step ahead? >> i think there's two approaches. core education around security primitives, mr. wood was clear. these best practices are important. the second thing is there are um plemts we need to put in place assuming a breach will happen because it will happen. a determined adversary will get in. we need to implement a zero trust type model. >> i think the other point is there's a huge gap of security professionals in this country today. creating the educational programs to enable returning veterans and high school and college students to choose careers in cyber security is something that's very important as well. >> thank you, my time is expired. >> thank you. i now recognize mr. palmer.
10:35 am
we'll have to work on that birthday. >> i'm happy to report for the record that my sister does remember my birthday but my brothers do not. on that same line, though, you can have the best technology in the world you can have. but if employees are negligent in their use of it, you're still exposing yourself. i bring this up in the context of an article that was in "the wall street journal" back june 9th. it relates to the fact that the customs enforcement agency sent a memo to their employees in 2011 because they had seen an uptick in cyber attacks related to employees using the federal website -- federal server to access their personal websites
10:36 am
or their personal e-mail. unfortunately the labor union filed a grievance and prevented them from doing that and that's where one of the breaches occurred later last year. and my question and this would be for corporations and the federal government. does it make sense to prevent employees either in the private sector or the government sector from using their company servers or the federal servers to access personal information? >> it seems to me i.t. goes through phases where it collapses and expands. they went to a whole bunch of computers and now they are expanding again. they have mobile, iphones, clouds, it's unrealistic from a
10:37 am
day-to-day perspective to assume people at work aren't accessing outside information. every time i travel i'm constantly connected. so we need to assume that this information is going to be accessed no matter where they are or what capacity we're running under. >> i agree with the comments. particularly with respect to millennials. if you adopt that workforce policy, you're probably not going to be having much of a workforce left to deal with. there are things we can do and we are doing some in the private sector. so one of the things we're trying to do is move out of this i.t. centric notion of cyber security. and involve the human resources involve the departments and what we're seeing some success with is we are integrating policy into the employee evaluation
10:38 am
system so if you have downloaded things, you're less likely to get the bonus at the end of the year. we have to make it part of the overall process. there are other things we can do and we are seeing adopted in the private sector such as having separate rooms with separate equipment so that people can access their personal information or the data without using the corporate system. and so i think if we're a little bit more inventive and use that incentive model, we're going to have more success. >> if you opened that e-mail from your sister through the federal mainframe, would that have potentially infected? >> i have worked and had four that are comfortable.
10:39 am
i think if you want to be competitive from a business perspective against other companies, you have to assume that your employees are fully connected. >> can you not create a separate environment. i don't think you can do this without an operational overhead. you eliminate the ability to function. >> i would just want to follow up on what was said. as the use of the internet increases. and everything has an ip address. so where do you draw the line. at some level i would prefer that people use my infrastructure because i know what we do from a security perspective. i don't know what they do from a security perspective. to the extent that there should be some separation, there are good arguments on both sides. i would rather have them in my infrastructure because i know
10:40 am
what we do. >> i think the approach that makes sense when you go through the connectivity is to understand the information and the identities of the folks that are trying to access it. truly understanding the information and putting the right kinds of protection around that. >> my time is expired, but i want to thank the witnesses for the clarity of your answers. this has been an excellent hearing. thank you, i yield back. >> thank you. >> thank you, madame chairman. i want to first thank each of the panelists for their service and for talking about this important issue. and i want to highlight that you graduated from stanford university in the bay area and began your career in my congressional district. so i'm honored to represent the folks there.
10:41 am
to wall off segments to prevent intruders who penetrated outer defenses from gaining access to sensitive information. you argue that they need to become the gold standard across the central government. how much time and resources would it take for the federal government to do this and are the costs worth the benefits? >> that's a great question. so the technology and adoption has evolved that we know how to do this without disruption. so early on it was like this extremely secure environment and we can kind of go and retrofit things. now we have mostly software based solutions you can put in and do nondisruptively. cost makes sense. so much so that this adoption is one of the fastest growing. it's not only practical, but we have enough experience to see
10:42 am
adoption. so i think this stuff is retrofitting. >> just for all of the witnesses following up on mr. lahood's question earlier, as a former prosecutor, i too am quite frustrated that it seems that individuals are able to attack networks and individuals with relatively little punishment and i understand the challenges of these attacks are originating in russia, ukraine or from state actors. for nonstate actors, i'm just wondering what could we do internationally to maybe have an accord or agreement where we could make sure that we bring people to justice? i remember i asked a high ranking cyber security official at one of our laboratories naively, i guess. are we going after these individuals? this person kind of laughed not
10:43 am
being rude, but just saying, we're not going after them. we're just trying to defend against what they are doing. i agree with mr. lahood. until people start paying a stiff price, i don't know if this is going to change. i know as a prosecutor putting together a case like this is very difficult. just the chain of evidence and proving whose fingertips were touching the keys to carry out an attack can be difficult. what more can we do internationally? >> thank you for your question, sir. so right after -- i'll answer your question over a period of time. right after september 11th, i was sitting in a meeting with a large number of information security professionals from within the intelligence community. the question was posed in the auditorium where there are about 250 people. when are we going to start sharing information?
10:44 am
and the answer came back from one senior person in 50 years. and the other answer came from another person not in my lifetime. it was very disappointing, to say the least. you roll forward 15 years and look at where the intelligence community is today, it's not like that at all. today i see the intelligence community sharing information in a way like they have never shared it before from dni on down. i think what's happened as more and more breaches are occurring and as more and more of this culture of trust is occurring, there's a willingness to work together that didn't happen before. as i mentioned earlier on the cyber security commission in the commonwealth of virginia, we work very closely with dhs and fbi and state police and they work very closely with others. i can say there is a spirit of cooperation that i haven't seen in a long time.
10:45 am
what is lacking, however, is the resources and the funding associated with actually prosecuting, number one, and number two, having a common level of standards of what's prosecutorial and what's not. >> thank you, mr. wood. thank you all for your service on this issue. i yield back. >> thank you. i now recognize mr. westerman. >> thank you, madame chair. i would like to commend the panel today for your very informative testimony and also for the zeal you have in working in cyber security and i believe it's potentially the war of the future that we're fighting here in cyber security. and i'm from arkansas. do you have any arkansas ties?
10:46 am
i've been listening to the testimony and the answers to the questions. i have a 20-year-old college student and i had a fascinating conversation over christmas and you guys were talking about how millennials are always connected. he was telling me that that's a huge consideration where you take a job now what the connectivity speed is. and that wasn't something we considered when i was getting out of college, but it played a big key in where they would go to work and where they would live. i know we're in this connected world now. to follow up on the question, he was talking about being on offense and the prosecution. but from the technology side, is
10:47 am
it all defensive or proactive ways to combat hackers before they make their attack. >> there are a set of approaches that are more proactive that are in place today and will continue to expand. you realize you're able to study what they are doing at the same time. there's also things like shock absorbers where the attacker hits you with traffic, the more you slow them down and do things like tarpitting. there's a whole set of defensive and more proactive defensive measures that aren't offensive and don't go after the attackers that are in place today and are actually very successful within the enterprise. >> congressman, if i may. i think that's true.
10:48 am
there are some others. i think i want to build off this point into having a better understanding of the multifaceted nature of the cyber problem. so for example one of the technological mechanisms that we use in the private sector is we understand that the bad guys are going to probably get in. and will pierce your system. but we have more control over the bad guys when they are inside the network than when they are outside the network. if you're dealing with a cyber crime situation, you're basically dealing with theft, which means they have to get in the network and find the data and get back out. if we block the outbound traffic rather than try to block the inbound traffic, we can actually solve the cyber breach problem and have a look at their data. from a criminal perspective, that's a problem. if you're looking at this from a national security perspective they be interrupted.
10:49 am
they don't care about getting outside your network. so we need to understand that we're dealing with multiple different cyber problems. some are national security, infrastructure, making sure the grid doesn't go down. we need a different strategy with regard to that than we may need for the theft problem. when we have a more sophisticated policy in this regard, i think we're going to be able to make more progress. >> and also just to briefly follow up on a question that was talking about as far as developing new workers for the cyber security workforce. are your companies seeing a workforce shortage? do you see a lot of growth for the future in that? >> we do see an enormous shortfall of cyber security
10:50 am
professionals. in the state of virginia alone, the state government has announced that we have about 17,000 unfilled cyber security professional positions just in the commonwealth of virginia. sir, if i might go back to your other question if you don't mind about offensive, that is very near and dear to my heart. if someone were to come in my house uninvited and either hurt my children, my wife, or take my stuff, i have the right to defend myself. if someone were to come into my corporate house and virtually take my stuff, whether it be intellectual property, customer data or whatever it might be, financial information, whatever it might be, we need the ability to defend ourselves, particularly if we don't have -- if our cyber command is not going to fund itself in a way that gives us the comfort the same way that we have the comfort i think as a nation from
10:51 am
the station of air, land, sea, and space. thank you, sir. >> madam chair, i am out of time but i would like to plug our challenge and encourage all members to promote that in your district because it does help develop a new workforce for cyber security and a lot of other areas. >> thank you. and i will also join you in plugging that. it's on our facebook page and our website. the date is january 15th when things are due, right? >> unless you extend it. [laughter] >> mr. abraham. >> i want to thank the witnesses for giving answers to direct questions. it is refreshing and somewhat of a novel idea in a committee hearing. so kudos to you guys for answering straight up. appreciate that. some of you have espoused the
10:52 am
value of sharing cyber security information, whether it be a cyber threat or a cyber crime with certainly other companies or government officials. this last cyber security bill we passed last month, did that help or hurt in this area? >> sir, i think that that was a good bill. we endorsed the bill. we support the bill completely. the most important thing, however, is that is not the cyber security bill. that's a very useful tool to have in the toolbox. it can help. but it is nowhere near sufficient. >> so we need to do more. >> absolutely. we need to do a great deal more. >> just give me your top three recommendations. what would be your bullet points for the new legislation. >> for new legislation, we would like to see the incentive program that has been endorsed both by the president and
10:53 am
republican task force, stimulating the cyber insurance market that we talked about today. it would include providing some benefits for smaller businesses who don't have the economies of scale to get in here. it would include streamlining regulation so that we had an opportunity to reward entities that were doing a good job with cyber security in the way we do other sectors of the economy. a lot of incentives i refer to in my testimony are things that we are already doing in aviation, ground transport, agriculture, even environment. we simply haven't applied these incentive programs to the cyber security issue. so i think if we did that we could do more. and the third thing would be i think we need to have a much better and more creative and innovative workforce development
10:54 am
program. we have talked here about the fact that we are always in an online -- we are all connected. we all know this. but the slogan that dhs uses for their workforce education program is stop, think, connect. which is directly out of the dial-up age. no millennials stop and think before they connect. we need to be leveraging espn and reaching to the millions of young people who are interested in gaming. popularize that and use that as a bridge to get them interested in cyber security. we need to be much more aggressive, much more inventive in this space. by the way, they are doing this in other countries. and the final thing i will mention is, i'm not kidding, we need an education program for senior government officials like we do for corporate boards who are just like you guys, really
10:55 am
busy, lots of things they have to do, demands on their time. we found when we actually educated them about cyber security, we got better policy, better risk management. we need to do that on the public sector just like we do the private sector. >> for many, many years in the cyber security industry we have been sharing those kinds of information. some of the keys are being able to take it and aggregate it and share it in a safe way. we are taking information that is specific to a particular industry or set of customers and trying to gain the security knowledge but not, you know, not put any of that information at risk. so it's something that's been happening many, many years in the security industry and an important element but not of course the final answer. >> thank you, i yield back.
10:56 am
>> thanks so much for being here. many things have been asked and answered. as we say around here, not everyone has asked that same question yet. so my turn. i have been trying to focus a couple different things. thank you. i do think this is so important. i think the american people, constituents, are waking up and feeling some of that fear and wanting to know the right thing to do. so we always want to hear how we can be informing our constituents of wise decisions, along with ourselves, our families, and our staff to protect important information. so much of our society, of our financial system is based on consumer confidence. and if there's a feeling that this isn't safe or whatever it is. i think there's going to be -- we're going to lose the benefits that much of this technology has. so we want to do this well. i do want to talk briefly or ask
10:57 am
you your thoughts. we have talked a little bit about what government can do better. learning from the private sector, certainly the private sector is ahead of us in so many areas. we have heard, and i appreciate your response, that for us to say this is like an air bag problem. it isn't. it is completely different. for us to be prescriptive of saying you have to do this, we always pick the wrong technologies always too late. sit this framework of a way of thinking how to solve this problem. but the question i would have is really with impediments that government is putting up to your or other businesses from new innovation, what would you say maybe the greatest impediment that you feel from government from your business innovating or doing what you do best, is there something that has been a hurdle you have had to overcome? >> this is going to be an indirect answer to your question. actually working with the government on the procurement
10:58 am
side, something that is very difficult is when there isn't flexibility in budgeting. it is difficult for the agencies and the departments to adopt new technology because the working capital they have doesn't allow them to move as quickly as possible. from the sell side, more flexibility in their budgeting will help them and help us to introduce new technologies into the government. >> okay. mr. clinton. >> i would offer two things, congressman. first of all, we need to really rid our government partners from the blame the victim attitude that they have particularly at some of the independent agencies. the ftc and sec, for example. it is fairly common knowledge up in congress, as has been said. the determined attacker is going to get in. the fact that you are subject to
10:59 am
a breach is not evidence of malfeasance or nonfeasance. there are some where we should investigate those. we need to move on from that particular notion. the second thing that i would say is that we need to -- the government really needs to get its act together with respect to cybersecurity. you're right, sir. cyber security is real hot now. so every entity in the government, every state, every locality are coming up with their own cyber security programs. a lot of times they differ just a little bit. so when you try to do these things, you are forced to meet with multiple different compliance regimes, trying to do essentially the same thing. we are in favor of this framework and using that. but let's have one. let's make sure we are all working in the same direction. as we have also pointed out, we do not have adequate resources
11:00 am
in this space. frankly, one of the big problems that my companies tell us is they are spending all their time on compliance, which means they don't have the time to spend on security. >> yeah. >> i have one company that told me a story how they were following a legitimate best practice, quarterly testing, testing your system every quarter to make sure you have not been invaded. they need to go from quarterly because there was 70% due to overregulation coming from different elements. we need to streamline that process, have a good process but have one process that is cost-effective. >> yeah. that's great. go ahead. >> if you both can speak on this and then i'll be finished. i think this is real important. >> the one point i would make and double click on is education. there is a huge gap in the number available and doing work