Cybersecurity: An Overview of Risks to Critical Infrastructure

Good morning, everybody. The subcommittee will come to order and I'll start with my opening statement. I've called to order this subcommittee's first hearing on cybersecurity and critical infrastructure protection. Over the last 15 years our federal government has wrestled with the question of how best to protect our nation's critical infrastructures from cyber attacks. Since September 11th our infrastructure systems have become even more automated and more reliant on information systems and computer networks to operate. This has allowed our systems to become more efficient, but it has also opened the door to cyber threats and cyber attacks. Recent reports and news articles have highlighted how threats and risks to cybersecurity have created vulnerabilities in our nation's critical infrastructures and information systems. For example, just last week the Department of Homeland Security sent out a bulletin about potential insider threats to utilities. That bulletin stated that outsiders have attempted to obtain information about the utilities' infrastructure to use in coordinating and conducting a cyberattack. In March 2011 the computer systems of RSA were breached. RSA manufactures tokens for secure access to computer networks. Sensitive information about these tokens was stolen and later used to hack into the network of Lockheed Martin, a Department of Defense contractor. Last summer the Stuxnet attack was identified. Stuxnet targets vulnerabilities in industrial control systems, such as nuclear and energy, to gain access to the systems and then manipulate the control process. This kind of attack has the potential to bring down or severely interrupt the functions of an electricity or even a nuclear power plant. The issues surrounding critical infrastructure protection and security are complex. Our systems are interconnected and depend on one another to operate. A vulnerability in one critical infrastructure naturally exposes other critical infrastructures to the same threats and risks, either because they are linked together through information systems or because one infrastructure depends on another to operate. In addition, much of the country's critical infrastructure is privately owned, as much as eighty or ninety percent. They therefore have different operations, components and control systems and computer networks, as well as vastly different resources available to address problems like cybersecurity and infrastructure protection. My colleagues, we must identify and protect the very systems that make our country run: energy, water, healthcare, manufacturing and communications. Pursuant to the Homeland Security Act of 2002, DHS has led the coordination of infrastructure protection efforts with the private and public sectors and numerous federal agencies. One way DHS does this is to coordinate working groups and Information Sharing and Analysis Centers, or ISACs, in the individual critical infrastructure sectors and in cross-sector working groups. DHS is primarily responsible for conducting threat analysis and issuing warnings about cyber threats so that other federal agencies and the owners and operators of critical infrastructure can simply protect their systems. DHS's efforts to protect our critical infrastructure have been the subject of some criticism. Since 2003 the Government Accountability Office has designated, quote, "protecting the federal government's information systems and the nation's cyber critical infrastructure," end quote, as a high-risk area. In particular, in a report issued last July, GAO found that public and private sector owners and operators of critical infrastructure were not satisfied with the kind of cyber threat information they were getting from DHS. GAO has also expressed some concern that the sector-specific plans for dealing with cybersecurity need to be updated in light of growing and more sophisticated cyber attacks. This is obviously a critical issue. As I mentioned previously, this is the subcommittee's first hearing in this Congress on critical infrastructure protection and cybersecurity. The purpose of this hearing in particular is to get an overview of DHS's role and responsibilities and how it coordinates with the sector-specific federal departments and agencies, many of which are subject to this committee's jurisdiction. Once we have a better understanding of DHS's role, it is my intention to call additional hearings to
understand the issues that are presented in protecting the individual sectors, such as energy and information systems and communications. Many ideas have been presented about how to improve critical infrastructure protection and cybersecurity. I believe the Oversight and Investigations Subcommittee has an important role to play in examining and bringing to light what is working now and what can be done better. I should note that this subcommittee's inquiry into this matter began with a bipartisan letter to the Department of Homeland Security asking for a briefing about its efforts to protect critical infrastructure. I appreciate the support of the ranking member, Ms. DeGette, and the minority in this investigation. As members of Congress, one of our foremost responsibilities is protecting our nation's security and the safety of its citizens. With that, I yield for an opening statement to the ranking member, Ms. DeGette.

Thank you very much, Mr. Chairman. Like you, this is a matter of great urgency to me. I'm glad we're having this overview hearing, and I'm also happy to work with the majority on additional hearings into particular issues of cybersecurity. Just today the Washington Post talked about a GAO report on significant breaches of classified computer networks in the Department of Defense, and while that's not in the jurisdiction of this committee, it just points out how vulnerable this country can be and why it's so important to keep our information systems safe. The Chairman referred to the cyber attack on RSA, which caused compromises to Department of Energy systems that necessitated shutting down internet connectivity for several days, and breaches of Citibank data belonging to hundreds of thousands of customers. Anecdotally at least, it seems like these breaches are becoming more and more frequent. The incidents remind us of the need for vigilance regarding efforts to prevent cybersecurity breaches and respond effectively when they occur, and the importance of congressional oversight in these areas. As the Chairman mentioned, I asked him earlier this Congress to look into these issues, and I'm really glad that we're going to have a rigorous review of all of the cybersecurity issues. As the Chairman mentioned, we have jurisdiction over a number of key components of our nation's critical infrastructure, including the electrical grid, drinking water systems, chemical plants, the healthcare system and telecommunications activities. In the last Congress we saw progress in this committee regarding addressing cybersecurity issues in a number of these areas. The committee developed and passed, on a bipartisan basis, legislation to promote security and resiliency in the electrical power grid by providing the Federal Energy Regulatory Commission new authorities and providing for Department of Energy assistance to industry to protect the grid against cyber threats and other vulnerabilities. The committee also developed and passed legislation regarding chemical and drinking water facilities meeting risk-based cybersecurity performance standards. Cybersecurity issues are complex and evolving and deserve continuing and focused attention. One major question is how to best ensure an effective public-private partnership to address cybersecurity threats. The majority of our nation's critical infrastructure is owned or operated by the private sector. While there are incentives for private sector entities to protect the security of their information networks, national security priorities may not always align with the priorities and capabilities of the private sector. I know that the Department of Homeland Security witnesses before us today are helping lead the administration's efforts to foster private and public sector cooperation in promoting cybersecurity, and I look forward to hearing their insights on the progress that's being made and the obstacles that may still exist. Another question we have to ask is how to best ensure that the federal government is drawing on its own expertise and experience to ensure cybersecurity measures are appropriately tailored to address specific needs in different critical infrastructure sectors. I look forward to hearing from GAO about these challenges. But even with a maximally effective partnership among federal agencies, state and local governments and the private sector in our country on cybersecurity protection, we must still address issues raised by the fact that information networks do not have national boundaries. Many reports suggest that cyber attacks have started outside of American borders, raising serious questions about how we ensure international cooperation to protect against threats that cross borders. And in this DoD example in the GAO report today, apparently the
cyber attack came from a portable computer, a laptop computer, that was somehow tapped into. And so I look forward to the insights of today's witnesses on these and other issues. I hope that we will build on this hearing with additional hearings on cybersecurity. It's one of the few bastions of bipartisanship left around here this week, and I'm happy to be part of it. I yield back.

Thank you, gentlelady. I recognize the gentleman from Texas, Dr. Burgess, for two minutes.

I think to say that this committee has been working diligently for years is kind of an oxymoron, but it does seem true; for several terms on this subcommittee we have indeed delved into this issue. I'm anxious that we bring this to a legislative conclusion and institute those things that will provide the protection that I think we all feel that we need. There are critical, urgent things that need to be done to protect our transmission grid and our power plants from attacks from those who wish to do us harm. The threats are real. It is time to move the legislation forward. We do have to be careful that we don't unduly shift the balance of responsibility that has been properly maintained between the government and the private sector for decades. It is important that we be careful; it's important that we be prudent in providing the federal government any additional authority, if indeed any is necessary. It must be done in a way that cannot be abused and will not result in significantly higher costs to consumers and businesses at a time when the economy is so fragile, and it must not result in the loss of any personal freedoms that people now have. The testimony we hear today will help this committee in perfecting legislation that was considered last year. I certainly look forward to working with members on both sides of the aisle to ensure that the legislation is mindful of both the real threats that we face and the burdens that granting new powers to the federal government can create. Ensuring this balance can and should be done. Thank you, Mr. Chairman, for the recognition. I'll yield back my time.

The gentleman yields back, and the gentlelady from Tennessee, Mrs. Blackburn, is recognized for two minutes.

Thank you, Mr. Chairman, and I want to welcome our witnesses. We appreciate that you would take the time and come over here to the Hill. We all do know and do agree that cybersecurity is an important issue, and we know that there are those who are, as we speak, waging war, if you will, on our vital infrastructure. Last month the Wall Street Journal reported that the IMF was investigating a recent cyber attack. Not surprisingly, this attack came just one month after a group called Anonymous indicated its hackers would target the IMF website in response to the strict austerity measures in its financial package for Greece. Closer to home, in my state of Tennessee resides our nation's largest public power utility, the Tennessee Valley Authority. TVA's power networks stretch across 80,000 square miles in the southeastern US and provide electricity to more than 8.7 million Americans. Under Homeland Security Presidential Directive number 7, TVA is considered a national critical infrastructure and must take great steps to protect and to safeguard its essential cyber assets. A power grid disruption or other threat on TVA operations, or any other public utility in our country, would cause a cascading effect impacting our economy, safety and daily lives. In fact, this concern was reaffirmed last month as former CIA director and current Secretary of Defense Panetta appeared before the Senate Armed Services Committee and declared that the next Pearl Harbor our nation confronts could very well be a cyberattack that cripples our power systems, the grid, our security systems, our financial systems and our governmental systems. With all that in mind, I thank the Chairman for the hearing and thank you all for your participation as we discuss what steps DHS is taking to avoid what would be the unimaginable, a Pearl Harbor attack on our nation's vital infrastructure. And I yield back.

The gentlelady yields back, and I recognize Ms. Christensen from the Virgin Islands for 45 minutes.

Thank you, Chairman Stearns, and thank you, Ranking Member DeGette, for holding this hearing to discuss cybersecurity risks, threats and challenges to our nation's critical infrastructure. Many of today's battles are in cyberspace, where terrorists and hackers attack our cell phones and computer grids and have the potential to destroy sensitive information in 18 of our nation's most
critical sectors. Since 9/11 we have known to expect that we would experience terrorist attacks that would be cyber attacks. As a former member of the Homeland Security Committee, I have taken part in many hearings and worked on legislation addressing this issue. As our witnesses, whom we welcome here today, will testify, a lot has been done to create entities to coordinate and oversee efforts to address and prevent cybersecurity threats, but there are still challenges to protecting our nation's infrastructure from these threats. We must continue to examine how we can overcome these challenges. In doing so, it's important that we pass legislation to protect our nation's electric grid. All of these long-term initiatives require a national electric grid that is reliable and secure. The electrical grid serves more than 143 million American customers, has to operate without interruption, and is a key foundation of our national security. Designing and operating an electrical system that prevents cybersecurity events from having a catastrophic impact is a challenge we must address, and I want to add that the health care sector is not immune to these attacks either. So I'd like to thank DHS and GAO and commend both agencies for their efforts to address imminent cybersecurity threats, and with that I yield back the balance of my time.

The gentlelady yields back, and at this time we'll move to our first panel. Our witnesses, let me address you folks. You're aware that the committee is holding an investigative hearing, and when doing so it has had the practice of taking testimony under oath. Do you have any objections to taking testimony under oath? All right. The chair then advises you that under the rules of the House and the rules of the committee you're entitled to be advised by counsel. Do you desire to be advised by counsel during your testimony today? All right. In that case, please rise and raise your right hand. Do you swear the testimony you're about to give is the truth, the whole truth and nothing but the truth, so help you God? You're now under oath, subject to the penalties set forth in Title 18, Section 1001 of the United States Code. We welcome the three of you for your five-minute summary statements. We have Ms. Bobbie Stempfley, acting secretary of the DHS Office of Cybersecurity and Communications; welcome. And Mr. Sean P. McGurk, director of the National Cybersecurity and Communications Integration Center in the Office of Cybersecurity and Communications at DHS. And lastly, Mr. Gregory Wilshusen, Government Accountability Office Director of Information Security Issues. Thank you. Ms. Stempfley, we welcome your opening statement. Just turn the mic on, if you don't mind, and move it close to you. Okay, you may begin.

Thanks. Great, thank you very much. Thank you very much, Chairman Stearns, Ranking Member DeGette and other members of the subcommittee. As you heard, my name is Bobbie Stempfley and I am the acting assistant secretary in the Office of Cybersecurity and Communications at the Department of Homeland Security, and it is definitely my privilege to be here to speak to you today with my colleagues from across government to talk about cybersecurity, which is an area of great passion for all of us. The opening comments did such a wonderful job describing the threat landscape that we operate in today. It certainly is one with increasing sophistication and increasing severity, and an environment where no one is immune, from individuals to private sector companies, and one where we see it slightly untenable, where the threat actors have to make one right choice in an environment where only a single wrong implementation in the networks that are being defended enables access. And so it is an environment where we spend a great deal of time bringing together private sector partners and others. We have identified 38,000 vulnerabilities over a period of time in critical infrastructures and provided warning, notification and awareness products around those vulnerabilities to private sector individuals. It is an environment, as the Chairman pointed out, of significant interdependence, both between critical infrastructure sectors, between corporations, between environments. The several examples that you provided do a wonderful job illuminating that interdependence across the board, and that means that it requires an interdependent and integrative approach in order to provide productive preventative and restorative measures both across government and within the private sector. It is the job of the National Protection and Programs Directorate; it is our mission
and responsibility to secure the federal executive civilian branch, that is, the federal departments and agencies; to provide technical support to private sector individuals, owners and operators, to help them with risk assessment, with mitigation, with restoral and response activities. It is also our mission to provide general awareness to the broad public and finally, as Mr. McGurk will discuss, to provide national coordination in response across the board. It is, as I said, not an environment where a single solution works or a single organization provides all of the answers. It is an environment where much progress has been made, and it is a team sport for us all. Cooperation between law enforcement, between intelligence agencies, between Homeland Security, between, as I said, government and the private sector is a significant part of how we need to move forward. Of the successes we've had to date, examples such as, as you pointed out, the compromise in RSA really help demonstrate the progress that has been made in government. The response that we had in that worked across a set of responsibilities defined in the National Cyber Incident Response Plan, where law enforcement has responsibility for pursuit and for investigation, where intelligence has warning responsibilities and attribution responsibilities, and where Homeland Security's responsibilities are in protection, prevention, restoral and response. And that partnership across government is so important for us as we work through each of the events that occurs. We have in a proactive manner responded to a hundred requests from critical infrastructure partners, largely across water, oil and gas and power, to help identify vulnerabilities in their environments and help them improve the capabilities that they have for protection and for response. It is through that partnership that we continue to work to enhance our prevention activities, because, as we've said, we are in that untenable environment today. What we have also put a great deal of effort into is increasing visibility and information sharing across environments, and again we'll look forward to the comments of Mr. McGurk on our operations center. But it's information sharing not only in operations and in response but information sharing writ large that's important across the board. And so in conclusion, I look forward to further questions from the committee to discuss what we've done, and it again is my pleasure to be here today.

Thank you. Mr. McGurk, you're welcome for your opening statement.

Thank you, Chairman Stearns, Ranking Member DeGette and distinguished members of the subcommittee. My name is Sean McGurk. I'm the director of the National Cybersecurity and Communications Integration Center, also known as the NCCIC. Thank you for inviting me here today, along with my distinguished colleagues, to discuss the overall cyber risk to critical infrastructure. The department greatly appreciates the committee's support for our central mission and looks forward to working with the committee to establish the necessary plans and programs moving forward to address risk to the critical infrastructure. The cyber environment is not homogeneous, neither under a single department or agency nor under the private sector. Each of the 18 critical infrastructure and key resource sectors is completely different: energy, water, nuclear, transportation. They all have their unique challenges and their unique environments. In fact, within a particular company two plants may not have the same operating environment. We rely on the continuous availability of a vast, interconnected critical infrastructure to sustain our way of life. A successful cyberattack could potentially result in physical damage and even loss of life. We face a significant challenge moving forward: strong and rapidly expanding adversary capabilities and a lack of comprehensive threat and vulnerability awareness. Support of these efforts from our private sector partners is key to securing these critical infrastructures. The government does not have all the answers, so we must work with the private sector to establish those guidelines. There's no one-size-fits-all solution in a cyber environment; there is no cyber Maginot Line. We must leverage our expertise and our access to information along with the industry-specific needs, capabilities and timelines. Each partner has a role and a unique capability, as demonstrated by the diversity of this panel. Two-factor authentication was mentioned earlier, the RSA example. In that particular example, within a 24-hour period the department, working along with law enforcement and with the intelligence community, responded to a request from the private industry partner to provide a mitigation, identification and assessment team in support of their mitigation efforts. The department continuously works with our private sector partners in the financial services sector, energy sector,
communications, IT and others to prepare, prevent, respond, recover and restore. Coordinating the national response to domestic cyber emergencies is the focus of the National Cyber Incident Response Plan and indeed the NCCIC. The what and the how of a cyber attack are the focus and the intent of our mitigation activities; the who and the why usually come later. The NCCIC works closely with the government at all levels and the private sector to coordinate and integrate a unified cyber response. Sponsoring security clearances for our partners enables them to participate fully in our watch center environment. To date we have physical representation from the commercial communications sector and its Information Sharing and Analysis Center, and also from companies such as AT&T, Verizon and Sprint. The information technology sector is represented physically on the watch floor, along with the financial services sector; NERC, the North American Electric Reliability Corporation, representing the energy sector Information Sharing and Analysis Center; and most recently we've begun to coordinate and share information with the National Electric Sector Cybersecurity Organization, or NESCO. We have virtual connections as well as physical connections with these organizations, and we share data in near real time. Additionally, we have a physical representative from the Multi-State ISAC, enabling us to provide actionable intelligence to state, local, tribal and territorial governments and their representatives. Each of these partners brings a unique perspective and a unique capability to the watch environment. Currently, within our legal authorities, we continue to engage and collaborate with our partners and provide analysis and vulnerability mitigation assistance to the private sector. We have experience and expertise in dealing with the private sector in planning, steady-state and crisis scenarios. We've deployed numerous incident response teams and assessment teams that enable us to prevent, and to respond and recover and restore from, cyber impacts. Finally, we work closely with the private sector and our interagency partners in law enforcement and intelligence to provide the full complement of capabilities from the federal standpoint in preparation for and in response to significant cyber incidents. Chairman Stearns, Ranking Member DeGette and distinguished members of the subcommittee, let me conclude by reiterating that I look forward to exploring opportunities to advance the mission in collaboration with the subcommittee and my colleagues in the public and private sector. Thank you again for this opportunity to testify, and I would be happy to answer your questions.

Thank you. Mr. Wilshusen.

Chairman Stearns, Ranking Member DeGette and members of the subcommittee, thank you for the opportunity to testify at today's hearing on the cybersecurity risks to the nation's critical infrastructure. But before I begin, if I may, Mr. Chairman, I'd like to recognize Mike Gilmore, Cami Corvette and Lee McCracken, who are sitting behind me, and also Brad Becker from our Denver office, who are responsible for the significant contributions in reviewing this area and in helping me prepare this testimony today.

I'm glad you did. Thank you.

Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating effect on our national security, economic well-being, and public health and safety. They include, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. These infrastructures have become increasingly interconnected and dependent on interconnected networks and systems, and while the benefits of this interconnectivity have been enormous, they can also pose significant risk to the networks and systems and, more importantly, to the critical operations and services they support. In my testimony today I will describe the cyber threats to critical infrastructures, recent actions by the federal government to identify and protect these infrastructures, and ongoing challenges to protecting them. Mr. Chairman, our nation's critical infrastructures face a proliferation of cyber threats. These threats can be intentional or unintentional. Unintentional threats can be caused by equipment failures, software upgrades and maintenance procedures that inadvertently disrupt systems. Intentional threats include both targeted and non-targeted attacks from a variety of sources, including criminal groups, hackers, insiders and foreign nations engaged in intelligence gathering and espionage. First, recent reports of cyber attacks and incidents involving cyber-reliant critical infrastructure underscore their risks and illustrate that they can be used to disrupt industrial control systems and operations, commit fraud, steal intellectual property and personally identifiable information, and gather intelligence for future attacks. Over the past two years the federal government has taken a number of steps aimed at
addressing cyber threats and better protecting critical infrastructures. For example, a cyberspace policy review identified 24 recommendations to address the organizational and policy changes needed to improve the current US approach to cybersecurity. DHS updated the National Infrastructure Protection Plan, in part to provide a greater focus on cyber issues, and issued an interim version of the National Cyber Incident Response Plan. It also conducted Cyber Storm III, a cyber attack simulation exercise intended to test elements of the national response plan. In addition, DHS, as you know, created the National Cybersecurity and Communications Integration Center, or NCCIC, to coordinate national response efforts as well as work directly with other private and public sector partners. Despite these threats, more needs to be done to address a number of remaining challenges, for example: implementing the recommendations made by the President's cybersecurity policy review, updating the national strategy for securing the information and communications infrastructure, strengthening the public-private partnerships for securing cyber-reliant critical infrastructures, enhancing cyber analysis and warning capabilities, and securing the modernized electricity grid. In summary, the threats to information systems are evolving and growing, and systems supporting our nation's critical infrastructures are not yet sufficiently protected to consistently thwart the threats. While actions have been taken, federal agencies, in partnership with the private sector, need to act to improve our nation's cybersecurity posture, including enhancing cyber analysis and warning capabilities and strengthening the public-private partnerships. Until these actions are taken, our nation's critical infrastructure will remain vulnerable. Mr. Chairman, this concludes my statement. I'd be happy to answer any questions from you or other members of the subcommittee.

I thank the gentleman. Let me ask you a question. I have your opening statement here, in which you mentioned various cybersecurity attacks. Are these primarily where they're putting software viruses into the network? Is that primarily what it is?

It could be a number of different attacks. In terms of one and two, they included computer intrusions in which individuals were able to gain access through the installation of malicious software. For example, if a user inadvertently plugged a USB device into his computer that was corrupted, it could install some malicious software which might facilitate an attack.

When an attack occurs, generally what does that attack look like? Are they coming in to steal information, or are they coming in to put in a replicating software that will destroy it, or is it just putting it in there to observe? Which of those three is it?

It could be any combination of those, in terms of either sabotaging this particular system or gaining information for future attacks, perhaps, depending upon their motivation.

Mr. McGurk, what do you think?

Yes, sir. I would also echo my colleague's statements that the vast array of capability which is demonstrated with the malicious code is such that it encompasses all of those things. Mr. Chairman, you had mentioned Stuxnet earlier. That's a great example of a particular piece of malicious code that demonstrated very unique capabilities. It not only exploited what we call zero-day vulnerabilities, which are vulnerabilities that are not known in the public environment, but also it used advanced communications capability. It did advanced reconnaissance, so it was gathering information, and subsequently it left behind that malicious code that was able to have a physical impact.

Now, are we in the United States, you know, we have jurisdiction over energy, water, information technology, communications, nuclear plants, are we vulnerable to Stuxnet, in your opinion?

Sir, because of the ubiquitous nature of information technology in the critical infrastructure, the exploitation may occur in one sector and it could actually migrate into another sector.

Yes or no, do you think we're vulnerable?

I would say the vulnerabilities exist, and the capability to exploit those vulnerabilities exists.

Okay, so the big question is, the American people want to know: what has the United States government done about that to make sure we don't have that attack?

Much of the department's focus over the past several years has been on mitigating the vulnerabilities associated with those critical infrastructure systems.

Do we have to do it by having an oculus or something that inoculates this from the software, or do you do it to make sure you don't put the USB port in, or how are
you doing this?

It's a multifaceted approach, sir. Much of it is through an education program, so we work with the private sector to develop standards required to educate the community on good practices and uses of equipment and technology. We actually conduct...

You think education alone would do it?

Yes sir. We also conduct vulnerability analysis of products in our laboratories in conjunction with the National Laboratory community, where we actually take vendors' products and do a complete vulnerability assessment of those products. We also develop practices for asset owners and operators, because in some cases, especially in the power companies, it's not a matter of replacing the technology, so you have to be able to put practices in place that mitigate the risk. And we're also working with the security communities to actually provide an enclave-in capability so that we can secure the environments around which they operate. So by taking this multifaceted approach we can identify not necessarily the threat actors and focus on the threats, which are coming from many areas, but the vulnerabilities themselves, and mitigate the risks associated with those vulnerabilities.

Let me ask you a question. With this Stuxnet, what have we done to protect those specific vulnerabilities in the Siemens product? In other words, has DHS issued guidance on this?

Yes sir. The department, when we started analyzing Stuxnet back in July of last year, we identified the capabilities of the particular piece of malcode. We understood its capabilities and subsequently we put mitigation plans in place, working with the specific sectors to identify the mitigation strategies associated with that. But since that particular piece of malcode was looking for a very unique combination of hardware and software, it was easy to identify what the mitigation strategies would be.

Okay. Ms. Stempfley, just last Friday the head of US-CERT resigned. US-CERT is a group charged with collaborating with state and local governments and private industry on cyber attacks. There have been a number of recent attacks on government systems: the Senate, FBI, CIA, and even the Gmail hacking aimed at top government officials. Have all of these recent attacks caused any change of direction or change in operation in US-CERT?

No sir. The US-CERT set of responsibilities stays the same, and as we commented in the opening statements, and your opening statements as well, this is a very sophisticated environment and it is constantly evolving, and as a part of that evolution we understand that we have to have a bench and a mechanism for growth of individuals as we go forward. And so Randy's departure was a decision that he made, and we have a continued direction and focus in prevention, preparedness and restoral responsibilities across the board.

What were the vulnerabilities that allowed the systems to be infiltrated, and do the same kind of vulnerabilities exist in the private sector and on control systems?

I'm sorry sir, could you repeat the question?

With regard to the Senate, FBI and CIA, and even the Gmail hacking aimed at top government officials, what were the vulnerabilities that allowed these systems to be infiltrated?

There were a number of vulnerabilities that were associated with these kinds of events that occurred, and to respond to the other part, are other members of the private sector potentially vulnerable? I believe that is a true statement. As we commented earlier, there are a great deal of vulnerabilities that exist in the environment, and you'll see that through the production of warning products and awareness notifications. We provide mitigations and indicators for private sector owners and operators to put in place in their infrastructure. It is a shared responsibility between us and the private sector in order to implement the restorative and preventive measures.

Thank you. My time is expired. Gentlelady from Colorado.

Thank you very much, Mr. Chairman. I want to go a little bit more in depth into some of the issues that we face trying to work on interoperability between our governmental agencies and privately-owned endeavors, in particular with our communications infrastructure, which is of course an essential part of our critical infrastructure. One of the things I'm concerned about: ninety percent of our communications networks are privately owned by commercial carriers. So traditionally the FCC has worked with commercial carriers to ensure the reliability of the communications networks, and under current FCC rules carriers have to report regarding outages on legacy telecommunication systems. Now the FCC in turn uses this data to help industry standards groups improve on the best practices. So I'm wondering, Ms. Stempfley and Mr. McGurk, if you can talk to me for a minute, given FCC's historical involvement with the communication
infrastructure and the relationship with commercial carriers, don't you think that they can take an important role in helping drive greater awareness of cyber threats?

So reporting is always good, and the ability to get information about what is going on is an important part of how we can frame that national picture of what's happening and the response activities. And so we have a history of working both with private industry directly and with other members of government in order to increase the awareness and the response actions that are necessary. I think the same would be true here.

In addition, ma'am, what I would like to add is that in response to the reporting that's conducted, part of the capability that exists within the NCCIC is our national center for coordination for communications, and they receive those direct reports. So from a situational awareness standpoint the watch center receives real-time reporting from not only the telecommunication industry itself but also from other federal departments and agencies, so that we get a better understanding from a holistic view of the impacts to communications, because, as we recognize, many of the critical infrastructures are relying on communications for controlling issues, for communications issues and for flowing of data. In addition we have the physical carriers themselves located within the watch environment, so they can provide up-to-date and actionable intelligence so that we can take the necessary steps and make proper recommendations.

Now the Office of Homeland Security coordinates those efforts on cyber threats, and so I guess my question to you, following up, is if there's a breach in the communications network, then how do DHS and FCC respond? How do they interact together to respond?

Part of the national cyber incident response plan includes the development and coordination of a cyber unified coordination group, or cyber UCG. This is a steady-state body of emergency response and incident handlers at the working level, at the operational level, and also at the senior decision-making level. For our cyber UCG seniors, it encompasses individuals from the departments and agencies at the assistant secretary level or higher, so these are the actual decision makers in the federal government. And then we have a staff which encompasses not only private sector but representatives from the federal departments and agencies that coordinate on a daily basis and share real-time information, whether it comes from the communication sector, the energy sector or one of the other 18 critical infrastructures. That enables us to have that constant flow of data and provide that actionable intelligence so that private-sector companies can take the necessary steps to mitigate risk.

Okay. Now, as I understand it, the FCC has proposed a rule this spring to extend reporting requirements about network outages to the broadband network, and they're taking public comments on that issue. And so, Mr. Wilshusen, I was going to ask you, do you think that collecting data on broadband outages would help gain a better understanding of when hackers have gotten into our systems?

We haven't examined that issue, but I would imagine collecting information can only be helpful in making such a determination.

Okay. And for the other two witnesses, do you have any thoughts on the potential for reporting of broadband network outages to contribute to situational awareness, like if after there's a major emergency, something like that?

Yes ma'am. As I believe Ms. Stempfley had mentioned earlier, reporting is good and more reporting is even better. So the more information that enables us to develop that common operational picture, that takes all the data that we're receiving and then fuses that together, so the more information we receive in the NCCIC, the better situational awareness we can provide not only to the Secretary of Homeland Security and the other executive secretaries but also to the president for decision-making capability.

And just one last question relating to my opening statement about our communications networks. There are a lot of issues around supply chains for equipment and components that have been manufactured abroad for use in the US. So I'm wondering if these two witnesses, Ms. Stempfley and Mr. McGurk, can talk about this publicly. Can you talk about how DHS is working with other federal agencies to address that issue of supply chain, that part of it is foreign?

So as you pointed out, the telecommunications supply chain activities are an interagency response within the federal government. We would be more than happy to bring an interagency body back to discuss that in detail.

Thank you. Thank you very much, Mr. Chairman.

Thank the gentlelady. Gentleman from Texas, Dr. Burgess, recognized for five minutes.

Thank you, Mr. Chairman. Now, if I understand things correctly, there is an authority that exists within the executive branch to
take some control of transmission grid operations in the event of a national emergency. Is that correct? Either of our DHS witnesses?

Yes, so the Secretary for the Department of Energy has that authority.

And is it necessary to place any limits on that authority?

Sir, I have the luxury of being a simple sailor and an operator, and I don't normally identify or make recommendations on policy or operational requirements. I can say that within the guidelines that we currently have and the authorities that we currently have, we're able to execute our mission both efficiently and effectively, so I'll leave that to other members of the department to comment as far as additional requirements.

Ms. Stempfley, do you have any thoughts in that respect?

Sir, I believe it would be most appropriate for DHS not to comment on the legal authorities of another department.

Well, let me ask you this. Should such an authority be necessary, should such an occurrence happen that the authority was necessary, how long would you expect that presidential emergency authority to be exercised over a continuous time period?

Regrettably, sir, I'm not in a position to answer that question.

Well, let me ask you this. It seems like, and I think it was referenced by either the chairman or the ranking member in their opening statements, that we're hearing more and more about this. Does this just reflect the situational awareness that these types of threats and these types of attacks can occur, or is this in fact a real phenomenon where the rapidity with which these attacks are coming is increasing?

So I believe it's all of those things. There is certainly more awareness within the community of the importance of cybersecurity, and of the overall activity that is increasing, both the detection actions that are occurring and the reporting actions that exist based on that awareness. Then what we're seeing is that increase across the board. We're also, as we all indicated in our opening statements, seeing an increase in sophistication of the attacks as they occur as well. So I believe it's a phenomenon evolving, sir.

Mr. McGurk, do you have any thoughts on that?

Just an addition, sir. The only thing I would add is that because of the adoption of information technology capabilities into the critical infrastructure, we're also exposing a greater landscape of vulnerabilities to areas that were in the past specifically closed off and proprietary in nature. So by adopting that technology we also advanced the vulnerability landscape associated with those critical infrastructure operations.

One of the hazards in this is you're always fighting the last attack. What sort of forward-looking policies or procedures are being implemented by DHS? Are you looking into what is the value for whoever the perpetrator is, what is the value that they're deriving from these, and are there ways that we could perhaps preempt some of these attacks before they happen rather than just simply reacting to them?

So part of what the national cyber incident response plan focuses on is moving from the left end of the continuum, where we are primarily focusing on response and recovery, which to your point, sir, is accurate, we're always fighting that last event or that last battle. What we're looking forward to, working with the private sector, is moving to the right and putting the preparedness, the protective and the preventative measures in place, and taking again a multi-faceted approach through education, through advanced technology, working with the asset owners and operators and also with the vendor community to establish criteria for new systems and new operational parameters. The department produces a procurement guideline for asset owners and operators which talks about security requirements for new systems and new operating procedures. We also work closely with the integration community so that we're identifying how to install and how to manage these systems as they're being updated in the critical infrastructure. So we are looking at it as a continuum, shifting more from the left, the responsive part, over to the right, where we're being preventative and predictive.

You know, the vast majority of this critical infrastructure is in private hands, is that correct?

That is correct, sir.

So is there any type of analysis as to the cost that may be incurred by the private sector to keep up with what you just articulated?

Yes sir. In fact the department identifies and describes a risk as an equation of threats, vulnerabilities and consequences. When we work with the private sector we understand that the denominator there is also cost, so the
procurement standards I had mentioned earlier take that into account. Not everything can be a gold standard, nor why not; we're not saying that you have to have absolute security across the board. It's a risk-based approach, so we take that same levelized approach and build the business case to identify what we need to implement in what areas. So if we're going to spend a dollar to mitigate risk, should we focus on the threats, or should we focus on mitigating the vulnerabilities, and then what are the subsequent consequences associated with that? That's really one of the approaches that we're taking in addressing this issue.

And you solicit and accept input from the private sector, the owners of the critical infrastructure, as to that pricing consideration?

Yes sir. In fact, as the chairman had mentioned earlier, one of the things that we focus on is a number of working groups, and in the industrial control systems area we actually sponsor a joint public-private working group, the Industrial Control Systems Joint Working Group, ICSJWG, which looks at not only mitigating risk but also product development, implementation, education and a whole host of issues, and that is a complete joint environment with both public and private members represented.

Thank you, Chairman. I yield back.

The gentleman yields back. Dr. Christensen is recognized for five minutes.

Thank you, Mr. Chairman, and again welcome to our panel. Under Homeland Security Presidential Directive 7, health care and public health are identified as critical infrastructure sectors, and of course the health care sector plays a significant role in response and recovery in the event of a disaster. So I'd like to talk with all of our witnesses about the efforts to protect this sector against cyber threats, beginning with Ms. Stempfley and Mr. McGurk. What do you see as the major challenges to ensuring cyber security in the health care sector?

I will begin with some of the kinds of policy challenges we've been working through in the federal government associated with this. And so, for example, we are working to deploy technological solutions that put detection and prevention measures in place. Those technological solutions oftentimes require a very detailed analysis of the kinds of privacy and protection requirements that need to be put in place, that we all feel so strongly about as well, and we need to work through some of those key policy nexuses between the two so that we can provide that kind of support and prevention support while still being very true to the protection measures that we feel so strongly about in terms of privacy and other areas. Those kinds of infrastructure systems are very important to us, and we agree with that. Once we get past the policy questions, then it's a matter of how we employ those solutions, best practices, across the board and handle the equally important integrative systems that exist in health care and have that nexus between IT and embedded systems as well.

Yes ma'am. I would also mention that one of the department's focuses is also on not just protecting the information in accordance with the number of regulations and requirements, but also the equipment itself. When we look at the vulnerabilities associated with the other sectors, the healthcare industry also has an equal number of vulnerabilities associated with embedded medical devices or with advanced technology that could potentially be exploited because of the inherent communications capability of those devices. So again the department is taking not just a data-in-motion, data-at-rest approach but a holistic approach to the healthcare industry, working with the private sector, working with the manufacturers of these pieces of equipment and also with the necessary federal departments and agencies so that we understand the risks associated with the healthcare industry and provide actionable steps that will better improve not only the quality of service but the quality of life.

Thank you. In those focused assessments, great, I'm assuming you're working with the Department of Health and Human Services as well as with the private sector? Is it with any of the particular sectors?

Ma'am, we work very strongly with the sector-specific agency, Health and Human Services, specifically in this situation. In fact, ma'am, we have the National Health Information Sharing and Analysis Center coming to visit and tour the NCCIC tomorrow as part of our development process to get them physically located on board. So they will be actually visiting us tomorrow so that we can identify those connections.

Great, great. Mr. Wilshusen, I'm also interested in hearing more about GAO's work on cyber security issues that affect health and public health as providers use more computer-based mechanisms and programs to help them treat patients. And I guess this kind of follows up on what you were saying. Do you agree that it poses additional risk that the personal health information could be released to
the public?

Certainly. In fact we have a couple of engagements that we have ongoing or will start soon. One was mandated by the HITECH Act, in which GAO is responsible for reviewing the security and privacy protections over information that's transferred and exchanged through the electronic prescription system, or e-prescribing. We anticipate starting that engagement in September, with a report release date in September 2012. In addition we have another engagement that we're currently working on to look at the security controls and risks associated with embedded or implantable medical devices, such as insulin pumps, pacemakers, that can be accessed through wireless technologies and may have chips in place. So we're also examining the reported security risks associated with that, as well as FDA's premarket and postmarket review processes to address those particular risks.

Well, thank you. My time is running out. I appreciate the information, because the ever-increasing use of technology in our healthcare system obviously holds a lot of promise of many benefits, but as we increase our reliance on technology there's also, as you've pointed out very clearly, the opportunity to hack in and interfere with that. So thank you, Mr. Chairman.

I thank the gentlelady. Gentlelady from Tennessee, Mrs. Blackburn, recognized for five minutes.

Thank you, Mr. Chairman. Ms. Stempfley, I wanted to come to you. I was just meeting with one of my airports and I wanted to know, TSA, what do DHS and TSA do with the body images that they collect from the scanners at the airports? How long are they stored? And do you protect these images? Do you share them with any other agency? And what action would you take in case you had a breach?

Ma'am, the Office of Cybersecurity and Communications is responsible for setting standards that the federal government has to comply with, to include TSA. I am not familiar with their specific...

You'll get back to me on that?

They certainly would.

I know that it's a part of what we're talking about, and it also pertains to the privacy work that we are doing in our CMT committee, and I think as we work with some of the issues we're having with TSA, I'd love to have the answer if you could do that. Got another question; this would be for you and Mr. McGurk. I mentioned TVA in my opening comments and the amount of coverage that we have with the power security. I want to see what your interface is with the state and local governments and the infrastructure in facilitating the information sharing of the cyber threats and the incidents through the ISACs. So there are 16 of those ISACs, right? Okay. And very briefly, if you just go through how it works, what kind of information is shared, what your process would be, how you protect the data that you get, and what your expectation is of those state and local governments that they're going to protect that data, and then what your response would be if you had a breach.

Thank you, ma'am. I'd just like to start off by saying that we have a very close working relationship with the Tennessee Valley Authority. In fact we have visited many times, and we share real-time information through a number of sensor programs that we operate so that we have a better understanding of the actual threats and impacts associated with those operational environments. What we do and how we share that information from the standpoint at the national level: much of the data that is voluntarily submitted to the NCCIC comes from either the ISACs themselves, the information sharing and analysis centers, including the multi-state, or it comes from the private sector companies themselves. Much of that data is submitted under the Secretary's authority for protection of critical infrastructure information, or PCII, that protects that information from being released even to a regulator. For instance, if it's a power company and they submit the information to us, we then take that and, A, we work directly with that company to develop a mitigation strategy that is company-specific, and then, B, we anonymize it to the point where it becomes a sector-specific mitigation strategy. The RSA data breach was a great example of how, within a short period of time, less than 24 hours of notification of the breach, we had more than 50 companies and federal departments and agencies represented
under the cyber unified coordination group developing sector-specific mitigation plans. So those individuals, not only from a physical environment but also a data sharing environment, collaborate to generate those mitigation plans.

And at what point do you pull state or local government into that to participate?

Continuously. They actually have a representative on the floor of the multi-state ISAC, so they're there in real time.

Alright.

And to continue on in that discussion, we have worked with 50 states to provide clearances to the chief security officers in each of the states and then share classified information through their fusion centers, so that provides not just their representation on the floor in real time around an event but also gives us an ability to push data to them in their states.

And then are you training, do you do any co-education and training with local law enforcement, back into your protocols?

The training activity that we provide, all of our training, is provided on an open basis, so that state representatives can come and participate. I can't speak to which states have chosen to come in with particular law enforcement individuals, but we make it available to them in order for them to pick.

Excellent. Thank you, Mr. Chairman. I yield back.

The gentlelady has finished. Gentlelady from Florida, Ms. Castor, is recognized.

Thank you, Mr. Chairman. Thank you to the witnesses for your insight today. It's apparent that an effective partnership between the federal government and the private sector is necessary to ensure the security of all of our networks, whether those networks manage critical infrastructure or simply handle the day-to-day data of the federal government and communications. Mr. Wilshusen, in your testimony you noted that the private sector has expressed concerns that DHS is not meeting their expectations in terms of information sharing. What concerns does private industry have about DHS's willingness to provide information?

Yes ma'am. We did a review in which we surveyed 56 individuals from the private sector, from five private sector councils, and we found that they identified a number of key activities that they thought were critical or important for the public-private partnership, to include the provision of timely and actionable threat and alert information, and having a certain secure mechanism for collecting information or sharing information with the public sector. And they indicated, only twenty-seven percent of those respondents indicated, that they felt that their public sector partners were actually meeting those expectations to a great or moderate extent. And so there are a number of concerns on the part of the private sector about being able to collect timely information from the public sector partners.

Were there any particular sectors that stood out, that appeared to be problematic?

Well, from the private sector side it was pretty much across the board. The five sectors that were included in our study included the banking and finance sector, the IT sector, the communications, energy and the defense industrial base sectors, and it was pretty much across the board. As I mentioned, only twenty-seven percent of the 56 respondents actually felt that they were receiving support to a great or moderate extent.

So Mr. McGurk, what is DHS doing to address these concerns and to ensure that you all are working collaboratively with the private sector?

Ma'am, I'd like to start off by saying, you know, can we do better? Absolutely. We have modified much of the structures by actually standing up and creating the NCCIC that met some of the requirements moving forward. By actually having the private sector participate, and not only receiving the information but developing the information, by having them physically present in the environment, really assists us in putting the information in a language that's necessary to reach our constituents. A great example is, in the past when we would produce information, we would produce it in a language that we understood and then we would send that out, and that may or may not meet the needs of our private sector partners. By having power engineers and financial services specialists and IT specialists physically sitting there working with us and collaboratively developing the knowledge necessary to distribute, we're able to provide actionable intelligence. Just last year we received a report in an intelligence communication of a particularly malicious piece of malcode that had a subject line on an email called "here you have". Within a few hours of that
appearing in a classified report, the US-CERT produced an early warning and notice that went out to the broad private sector, because we took that data, declassified it and provided actionable intelligence for our private sector partners. But by having them there and participating really enables us to provide better products for our partners and also speeds up the time necessary to generate that product.

Well, how about the flip side? I'm also curious about how well the private sector is communicating with DHS when they suffer a cyber attack or a breach. Mr. McGurk, are private companies required to report cyber attacks or coordinate their responses to those attacks with DHS?

So there's no requirement to report the information directly to the department, but I think what's happened over the development of the partnership over the past several years is the stigma associated with cyber breaches has started to be removed, and companies are volunteering the information because they understand that it not only benefits their ability to maintain goods and services but it will also assist the broader community, because they recognize that when they share with the department we're not going to publish company-specific information; we're going to anonymize that and produce mitigation strategies and plans that help the broad sectors. And they have been working very closely with us and developed...

Are there instances where DHS has become aware of a cyber attack or a breach on a particular company, and then you contacted that company to assist and they've declined your offers to work with them?

Declined assistance? Yes ma'am.

What can we do about that? How do we improve the collaboration and working together?

Part of that is an awareness and understanding from the private sector standpoint. I understand that we have to demonstrate value, and they have to see where working with DHS and partnering with DHS adds value to their capability. In some cases those particular companies had a very advanced capability. We gave them the early warning notice that they needed to take the necessary steps to protect their networks, so subsequently additional response from DHS wasn't required, and in the extreme case we received the declination for support but recognition of the awareness or the alert.

Thank you very much.

Thank you, ma'am.

Gentleman from Virginia is recognized for five minutes, Mr. Griffith.

I'm just curious, Mr. McGurk, under what circumstances, if any, would the DHS NCCIC withhold cyber threat information that it has encountered from owners or operators of critical infrastructure?

Sir, we do not withhold threat information, but subsequently we don't develop threat information. Under the authorities of the department we focus primarily on mitigation of risk, and that's where we focus our activities. Threat information is really developed by the intelligence community, and we rely on that partnership with the intelligence community to identify the threat actors.

Alright. Do you have any indication that they may be sometimes withholding information?

No sir. In many cases what is germane to mitigation is not necessarily associated with the actor, it's the activity. So it's the exploitation of the vulnerability which is necessary to share to protect the networks, not who's actually doing it.

Mr. Wilshusen, GAO reported in October of 2010 that only two of 24 recommendations by the President's cyber security policy review had been implemented and the rest had only been partially implemented. What can you tell us about whether any additional progress has been made?

Well, one of the reasons we found that the partial implementation occurred was because many of the agencies were not taking action, because they were not given specific roles and responsibilities to implement some of those recommendations, and that kind of delayed actions to implementing that. We will be following up, as part of our annual review, following up on our recommendations to see what extent those recommendations are now being met, but since we just issued that in October we have not gone back to follow up on our prior recommendations and to do a reassessment.

Should we expect an updated report is coming?

In October we'll be updating the status of our recommendations, and if you request us to do so, we will certainly do it.

Yeah, I would be curious, since only two of the 24 were implemented as of last year, and I'm just wondering, should we be concerned that so few of the recommendations had been fully implemented at that time?

Well, there are 10 near-term recommendations coming out of that policy review and 14 mid-term recommendations. Several of the mid-term recommendations are actions of such a nature that it's going to take multiple years to fully implement those, but the near-term recommendations are very important and
key and should be implemented as soon as it possible all right I thank you yield back my time tell me yields back yes for follow up quail for follow-up let me just have Tucker Christianson asked some very good questions on the health care aspects of the critical infrastructure and going along with with what the gentleman was just asking as far as those forward-looking threats it seems like we’ve created some problems for ourselves of the HITECH Act and and some of the things we’ve done with the information technology infrastructure as applied to health stark laws for example which prohibit the hospitals from putting a wire in a doctor’s office if the doctor is not directly affiliated with the hospital so pushing a lot of these vertically integrated systems to go on the internet in order to have the abilities or the ease of transfer the data which then renders them vulnerable to attacks on the Internet have you looked at that whether whether it perhaps there is something that could be done on the policy side to lessen the impact of the of the vulnerability if if we were to to make some changes on the regulatory side a closed loop if you would between a hospital and a group of doctors even though they are not all part of the same business model might be one way to do that have you explored that at all so your example is a wonderful example of furthering the pendants between the infrastructure says they go forward no it’s an example of how we’d make things harder than they need to be in the first place and then we got to do a whole bunch more stuff to make it workable in the real world but continue thank you sir the specific reviews technical reviews of proposals is not something that we’ve we certainly do what we work towards our best practices for the kinds of separation and containment that might be necessary in order to understand the environment each of the owners and operators has a better understanding of the risks in their particular environment in the 
business models that best serve them in each of these cases, and so the set of best practices are an important part of how we do this.

But do we look at the regulations that we, the federal government, have put in place that make it harder for people to do the right thing in the real world?

So I'm not sure I can say that specific regulation was reviewed prior to, in order to understand the potential implications across the board, but we do look at regulations and procedures as they come.

I appreciate the gentleman for yielding.

The gentleman's time has expired.

Let's look at that going forward. I yield back.

Thank you, gentlemen. Ms. Schakowsky is recognized for five minutes.

Thank you. Have any of you, the three of you, read Stieg Larsson's book The Girl with the Dragon Tattoo, etc.? Yes, you have. If you haven't, people who are into cyber security would not only enjoy them but probably be a little worried about it. The pretty flawed hero, one Lisbeth Salander, can seem to, well, there's no firewall too high or wide or low that she can't get through, and I think it's really, she is the heroine, the sort of the good guy, but the notion of individual actors out there who have this tremendous capacity to infiltrate I think is a real concern. I sit also on the Intelligence Committee and we think about that a lot. So here's what I wanted to ask: do we employ sort of old-school kinds of techniques like redundancy to make sure, I remember sitting in a hotel room and watching a rolling blackout in Ohio a number of years ago, which turned out to be a failure of the grid and not some sort of attack. This was post-9/11, but it felt like it might have been. So do we build in things like we do in aircraft or whatever, that just redundancy, so we're not as vulnerable? Can someone answer?

Yes, ma'am. I do agree that one of the salient points of the book was that they were focusing on perimeter defense as a method of ensuring their security, and as you quite adequately pointed out, that
there was no wall too high or too thick that you couldn't get through in the process, and subsequently that's why the Department doesn't look at only a perimeter defense strategy as part of enabling a sound cyber security profile. We look at a defense-in-depth strategy, so there's layers upon layers of security implemented. In addition, we want to focus on the practices and the procedures to address the various risks associated with operating those networks, whether it's from insider activity, whether it's from nation-state sponsored, whether it's criminal activity. We treat the act separate from the actor so that we can understand what they're trying to exploit as far as the vulnerabilities. So that's the approach that the Department takes, and we do work very closely with the intelligence community, law enforcement community and the private sector to develop those necessary strategies so that we can have a better and more secure defense posture.

Let me ask another question. There's a lot of talk and even advertising about how we can centralize data management and storage and concentration, and then you can access that without individual servers and all kinds of things to make business more efficient, etc. I'm wondering if this creates a new layer then of vulnerability, if everything is sort of outsourced to one place.

The, what I call, re-architecting moments that are going on in the environment, things like the movement to cloud computing and mobility, are a challenge and an opportunity at the same time. So there are certainly vulnerabilities that exist in that environment that must be addressed as we architect to move things there, but it isn't generally a lump sum, just pick up and move. There are design considerations that must be taken into account as you move, and so there are these opportunities for individuals to look at how they both handle their data procedurally and how they protect it through this defense-in-depth approach across the board.

And if I may add, we did a review over cloud computing security. We've identified a number of both positive as well as negative security implications of going to cloud computing. Particularly, of the negative sort, is just that agencies lose control over the access to their data, who has access to it, as well as the ability of agencies, who are still responsible for the protection of that information, to assure themselves through independent testing or other evaluations that their cloud service provider is actually implementing
security effectively over their environment and the information, and those are issues that are still being worked out. The federal government, through GSA, much of DHS is involved with this, OMB and others, are setting up different procedures through FedRAMP and some other programs to try to address some of those areas.

I started by talking about this rolling blackout that I saw. I wondered if we can talk about how secure our power grid really is. I don't know if you addressed that earlier. There was the Aurora project, is that Mr. McGurk, that showed the effect of hacking into a power plant's control station via computers and digital devices. So I'm just wondering how that came out, and if there are vulnerabilities that we're correcting.

Yes, ma'am. The purpose behind the Aurora evaluation and experiment that was conducted by the Department in conjunction with the Idaho National Lab back in 2007 was essentially identifying the interdependencies between the critical infrastructures. That's how it started out. We wanted to see if we could have a negative impact in an environment by attacking the capabilities or the equipment of another environment. For instance, if I destroyed the generation capability, could I then have an adverse impact on a data storage center or an airport or some other physical infrastructure? So subsequently we took a look at the interconnected nature of these devices, and we conducted a series of experiments that identified the capability, by modifying settings and accessing control networks, to actually take a digital protective circuit and turn it into a digital destructive circuit. A simple explanation of what we did with Aurora: it's like you're driving down the road at 60 miles an hour and you throw your transmission in reverse. It's going to have a negative impact on that car's ability to operate. And that's really what we were trying to demonstrate, and then subsequently, once we identified the vulnerabilities, how do we put those
protective measures in place, whether it's through equipment design and modification or, in many cases, just through procedural changes. So we look at a low-cost or no-cost approach, and from that point forward the Department has conducted numerous equipment vulnerability assessments to not only identify inherent vulnerabilities in the devices but to work with industry to develop those mitigation strategies, and in some cases working with the manufacturers to physically modify the equipment so that it's more secure.

Thank you. My time is well expired.

Thank you. The gentleman from Louisiana, Mr. Scalise, is recognized for five minutes.

Thank you, Mr. Chairman. If I could ask all the panelists, first I just want to get your opinion on if our critical networks are more vulnerable today than they were five years ago.

So my opinion is they're not necessarily more vulnerable than they were five years ago. A great deal has happened over the last five years in terms of coordination, collaboration across the board, but what I believe is that we're much more aware now than we were five years ago, both of the role that they play in the environment. We are certainly more dependent on cyber security solutions and interdependent today, more aware of that, and there is a higher sophistication in the threat that exists today than there was some time ago.

Mr. McGurk?

Thank you, sir. I would also agree that I believe it's been an evolutionary period. Perhaps in the past we were focusing more on information assurance as a method of achieving cybersecurity, but since then we've recognized that since the physical and the virtual are all interconnected, we're taking a more direct approach toward cybersecurity. So there may be more reporting, but there's more awareness as well.

And I would also say that the threats to cyber critical infrastructures are increasing. They're evolving and growing and becoming more sophisticated, so those do raise the overall risk to those infrastructures. Our reviews have shown that when we evaluate the security of specific systems, they are vulnerable and numerous vulnerabilities exist, because appropriate information security controls, which are well known, have not been implemented on a consistent basis throughout. So while there's greater awareness, there is also greater threat, I believe, and also the vulnerabilities still remain.

Mr.
Wilshusen, in your testimony for the GAO you listed here some GAO recommendations to enhance the protection of cyber-reliant critical infrastructure. Regarding these recommendations that you laid out, do you see that other agencies are looking at these, are open to these, and specifically with the members of DHS that are here, and you know I'd like to get their take too, but what has been the reaction you've seen from the GAO report on these specific recommendations?

Well, for most of our reports in this area we have received largely concurrences with our recommendations, particularly from DHS. They have taken a number of actions to implement our recommendations, and we will be following up with them to ensure that they're effectively implemented over time. In some cases, even when DHS non-concurred for the purposes of our report with the recommendation, they ultimately reversed themselves and decided to implement the recommendations. So I think there's awareness and action and concurrence on the most part of the agencies to implement our recommendations.

I'll ask the same, Mr.
McGurk and Ms. Stempfley, just on both those recommendations but also other tools that you think should be available.

I would like to add that in addition to the recommendations from GAO, we do evaluate them not only from a technical standpoint but also from an implementation standpoint, and it's part of the challenge that we identified in the critical infrastructure. The networks are, in some cases, so unique that you can apply a particular standard or requirement that is identified by a recommendation and actually have an interruption; you may actually cause an interoperability challenge. So we do look at that from a technical standpoint, and then we work with other standard-setting bodies such as NIST to identify those best practices and those requirements, and then work with the private sector to ensure that we can actually implement that without causing an adverse impact or additional cost.

Ms. Stempfley?

So we agree that the recommendations in the GAO report are ones that we focus a lot of attention on, and recognize that cyber is one of the high-risk items that they do execute. We have a regular interaction with them around this particular activity, particularly given the consequences. We talk a great deal about the consequence of active malicious activity in this particular environment. We watch that very closely, and as we work through issues both in terms of owners' and operators' execution and implementation of practices in their environment, and come out, as we're requested to come out, and provide voluntary review of information and infrastructures at the owner-operator sites, we're also able to identify how they are doing in terms of implementation and get information about what is generally accepted practice.

Real quickly, one final question before my time runs out. The Department of Defense's director of intelligence and counterintelligence has talked about supply chain integrity, and they suggest that some equipment that we buy, hardware that we buy, could be corrupted, both hardware and software, and there's some things that they're looking at in that regard. I wanted to get your take from Homeland Security, and if GAO wants to chime in: is that something that y'all have looked at as well? Have you seen any problems there?

So I believe I made an offer earlier to bring back an interagency review around supply chain. We appreciate that it is important for us to look across the entire lifecycle of both equipment and of software development as well, so that we can make sure that we have good practices in each of the steps of the lifecycle.

And if I may chime in, we are currently evaluating the supply chain risk process of several agencies, including DoD, DHS, Justice, Energy, as part of our review over the supply chain risk for IT. We're assessing also the agencies' efforts to employ a risk-based approach to assessing supply chain risk.

Thank you, Mr. Chairman. I yield back.

Thank you. The gentleman from Texas, Mr. Green, is recognized for five minutes.

Thank you, Mr. Chairman, and following up our colleague from Tennessee, Mrs. Blackburn, you know our committee has jurisdiction both over cybersecurity and health care, and so when we go through those screenings, maybe in our jurisdiction we could have a radiologist look at those so we can do those full body scans, and it may save us on our imaging costs. But I want to welcome our panel here. It's been a long hearing for y'all and I thought we ought to laugh a little bit. The GAO has long identified protecting the federal government's information systems and the nation's cyber critical infrastructures, and Mr.
Wilshusen, when did the GAO first identify cyber security as part of your high-risk series?

That was back in 2003.

Okay, and you did your first major review of DHS's cyber security efforts in 2005?

That's right. That's when we assessed the Department's performance in actually implementing some thirteen roles and responsibilities that it was responsible for.

Have you seen improvements in the way that the federal government prepares for and addresses the cyber threats since you've been reviewing DHS's program?

We've seen progress at DHS in the way that it is addressing some of these areas. We also recognize that there's more that needs to be done, particularly with some of the sector-specific planning efforts, its cyber analysis and warning capabilities, as well as, just as I mentioned earlier, related to its public-private partnerships.

I understand in 2009 DHS launched a 24-hour DHS-led coordinated watch and warning system known as the National Cybersecurity and Communications Integration Center. Mr. McGurk, what private-sector entities currently have access to the resources at this facility?

Sorry. Currently we have a direct partnership with each of the 18 critical infrastructure and key resource sectors. Physically located on the watch floor today we have representatives from the energy sector, the financial services sector, the communications sector, the IT sector, and the Multi-State ISAC. We're also finalizing agreements with chemical and others so they can be physically present on the watch floor. In addition, we recognize the unique capabilities of some of our other partners in the manufacturing and antivirus environment, and we're working with them to develop cooperative research and development agreements so they could be physically present, so that we can share data in real time.

Last week there were reports that emerged about a Department secure report on the insider threat to utilities, and when you mentioned utilities we're involved in it. Do you have pretty well unanimous support or working
relationship with our utilities in our country, from investor-owned, municipal-owned, co-ops, like the TVA even? Is that pretty well uniform throughout the country?

Yes, sir. We have very direct connections with many of the private sector partners. We have spent a lot of time developing cooperative agreements. For instance, there's an organization that is made up of the 18 largest utilities in the United States, and they have a chief information security officer panel, which we interface with directly. I've personally briefed them on a number of occasions and provided input into those organizations so that they have a better cyber awareness.

Okay. I know the report was not released to the public, and the news story talked about "we have a high confidence in our judgment that insiders and their actions pose significant threat to the infrastructure and information systems of US facilities," and I understand, like I said, the report's not made public. I'd like to ask some questions about insider threats to our utilities. Ms. Stempfley, could utility facilities be targets for terrorists on the cyber side? We know physical targets.

So I think you'll find that the vulnerabilities that exist and are possible to be exploited exist in many places, to include utilities across the board. That's one of the reasons why, as we've reiterated, we try to look at this from a common approach across the environment.

In our area in Texas, in Houston, we have mostly investor-owned utilities. Our service provider, CenterPoint, and I know they're doing some really great things, but do they have access, there's access to these sensitive facilities mostly owned by the private companies. Does that need to be more closely guarded and carefully monitored to protect against these threats?

The best practice activities in cyber security systems are ones of multiple layers of defense, which would include not just perimeter defense but internal architecture approaches that separate sensitive data from each other, rely on identity and other services. Those kinds of best practices, which are widely available, should be employed across the board.

I know a news story last week described an insider sabotage in April in a water treatment plant in Arizona where a disgruntled employee took control of the control room to create a methane gas explosion. What is DHS doing to ensure that these types of insider sabotage, again whether they're just one person or a plan, what is DHS doing to try and limit some of this insider cyber sabotage?

As we have identified, we continue to provide the kinds of warning products, indicators of activities that might be necessary, and the kinds of best practice guides for owners and operators to employ. In your example it would be up to that particular owner and operator to employ those practices.

Mr. Chairman, I'd just like to ask one last thing. Do you get pretty good cooperation throughout the country with the utilities?

Yes, sir, absolutely. We have a very, very close working relationship with utilities.

Okay. Thank you, Mr.
Chairman.

Thanks. Gentlemen, we'll quickly go for a second round. We don't have votes, and so I welcome my colleagues if they wish to have a second round. I'd like to return to the Stuxnet issue, if you don't mind, Mr. McGurk. If you can just answer yes or no: do you know how many operators in the industrial controls infrastructure actually implemented DHS's guidance on Stuxnet?

No, sir.

Okay. How many US companies use the type of Siemens industrial controls products that were the target of Stuxnet attacks?

The total number of companies is very difficult to quantify, sir, because we don't have visibility into all of their networks, but there were approximately 300 companies that had some combination of hardware and software.

So about three hundred US companies?

Yes, sir, approximately.

Good. Do you believe that if the US companies implemented the DHS guidance on Stuxnet, they will be able to fend off a future attack from this software?

Yes, sir, from this particular piece of malcode.

In addition to this software, we have heard that there have been other vulnerabilities identified in industrial control systems, including a Beresford vulnerability or exploit. Does that ring a bell?

Yes, sir.

Given that Stuxnet impact and the other vulnerabilities that exist, are you comfortable that our country's industrial control systems are secure from cyber attacks?

I think it's an evolving threat, sir, so we have to continue to move forward and not focus on the previous attacks.

Wasn't the Beresford attack developed by one researcher in about two and a half months? Is that our background, and what does that say about the safety of our system, that someone could work with his laptop computer and in two and a half months develop something that's malicious and could be used? Would you care to comment?

Yes, sir. What that really highlights is the fact that it's not necessarily attributed to the actor itself, but it's the action and the vulnerabilities that we need to focus on, because as I had mentioned in your opening statement and
again when focusing on Stuxnet, it's not the capability of the actor that necessarily brings about the consequence; it's the actual vulnerability associated with it that's being exploited, and that's really where the Department is focusing much of its efforts.

Okay. And so what steps has DHS taken to prepare and defend against a Beresford-type attack on an industrial control system, and has this guidance or other direction been issued to the industry, the private sector? And I'll ask you later. Go ahead, Mr. McGurk.

Sir, the Department has produced a number of specific actions and guidance associated with various types of cyber risks and cyber threats, but again not focusing on the actor or the activity but focusing on the vulnerability and the necessary methods to secure the networks. We actually will not only address that issue but maybe the next-generation issue that could occur.

Do you actually talk to the US companies to see how they're implementing and doing this?

Yes, sir. In many cases we're invited to actually do an on-site assessment associated with the vulnerabilities to see how they implement the mitigation plans.

Well, just approximately how many do you think you've assessed?

We have assessed approximately, this past year we did 53; the year before we did about 40. These are voluntary assessments. The year prior to that, another 30. So we've done over a hundred assessments, voluntary assessments and incident response activities, over the past three years.

Now, was that oriented toward Stuxnet, or was it also involved with Beresford?

It's involved with all types of vulnerabilities, not just those two particular instances.

Mr. Wilshusen, do you mind commenting?

Well, in our reviews we often also focus on the vulnerabilities of systems, because that's what the agencies or the operators can control. They can't always control the threats that come their way, but they can control how well they protect their systems and protect against known vulnerabilities, and so that's one thing that we often look at. And of the systems that we examine at a detailed level, we typically find that they are vulnerable.

Ms. Stempfley, in answering a question earlier, was it five years ago, are we more vulnerable today than we were five years ago? You seemed to indicate you didn't think so, and I guess the question is, based upon what I've just given you, some examples, and how a man in just two and a half months can come up with something that can make our system vulnerable, I guess a question for each panelist: can you explain how the cyber threats you're seeing now are different from two or three or five years ago? And I'll start with you, Ms.
Stempfley.

So the cyber threats now are certainly more sophisticated than they were several years ago. The threats are focused more on individuals and very specific activities. An example I have used is spear phishing, which is very targeted to an individual. I received an email not too long ago that appeared to be from my husband, and it was about a topic about college payment activities, and that was identified and sent to me, and had I clicked on it, it may have been something that was malicious. That's an example of the increased sophistication and increased focus that exists. As to the number of vulnerabilities that have existed, and the kind of model that you presented where a researcher identified a vulnerability in something that has already been in existence, that formerly had been there from the beginning, it was just recently identified, and so the specific vulnerabilities have not increased in that situation, that scenario. We're just more aware of it now and more able to respond. Our protective measures and protective guidance are about building these infrastructures in a way that reduces the exposure of those vulnerabilities and makes it less likely for threat actors to be able to be successful.

Mr.
McGurk?

Yes, sir. I would also agree that, you know, it's a matter of awareness and understanding the interconnected nature of the universe. Are cyber security risks increasing in the last five years? Do I see cyber security risks, threats, increasing? Yes, sir, as a result of exploiting those vulnerabilities, because of the sophistication and also the targeted nature. In the past we were talking about just basic data exfiltration from a very broad audience; now we're seeing, in the RSA example that was mentioned earlier, very specific targeted attacks against these aggregation centers, and I agree, and I think you'll continue to see more blended types of attacks that exploit a number of different vulnerabilities in order to gain access to their target.

So you would agree that the cyber threats are more now than they were five years ago, and more sophisticated. Let me just conclude with this question. I'm not quite clear myself what this Beresford software does or did. Can you describe, Mr. McGurk, what it does? Do you know anything about it?

I don't have those specific details of the analysis in front of me today, sir, so I couldn't really comment on that.

Anybody know? Okay. All right, my time is expired. The gentlelady from Colorado.

Thank you very much, Mr. Chairman. First of all I'd like to ask unanimous consent to put Mr. Waxman's opening statement in the record.

By unanimous consent, so ordered.

Thank you. So that was the perfect segue actually to just one question I had of clarification. We're all throwing around the words threat, vulnerability and risk quite a bit today, and Mr. Wilshusen, I'm wondering, as we prepare for our subsequent hearings on these topics, if you can just basically describe for us whether there's a difference between those three words and what the technical descriptions are.

Sure, yes, and there is a difference. A threat is basically any circumstance or event that can potentially cause harm to an organization's operations, assets, personnel or whatever. A vulnerability is a weakness in the security controls that are over a system or network. And risk: there's actually a fourth component here before we get to risk, and that's impact. What's the impact that could occur should a threat, either a threat actor or an event, occur and exploit a vulnerability? What's the impact that it could have? And then those three kind of equate to what risk is.

Thank you. And are they all three things we should be concerned about?

Yes, indeed, absolutely. Threats are what you try to guard against. The vulnerabilities are what you try to prevent and minimize by taking corrective actions and implementing appropriate security controls, and you do that in such a manner that you minimize the impact should such a security incident occur. And so, yes, it's important to think of all of them.

So you've heard both me and the Chairman and other members of the subcommittee talk about this committee's jurisdiction. I'm wondering if there are any particular sectors of our jurisdiction that you think we should look more closely at in subsequent hearings.

Well, I think from a cyber perspective, I think probably the key sectors would be energy, electricity, both nuclear and other, just because of the interdependencies that they have with other sectors; IT; finance and banking; and also communications. Those would be the four that I think are probably the most important because of the interdependencies that they have with the other critical sectors.

Great, thank you. Thank you very much, Mr. Chairman.

I thank the gentlelady. I want to thank the witnesses for their participation, for coming here this morning. The committee rules provide that members have ten days to submit additional questions for the record to the witnesses, and with that the subcommittee is adjourned.