[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

ASSESSING THE STATE OF FEDERAL CYBERSECURITY RISK DETERMINATION
=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION OF THE COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
JULY 25, 2018
__________
Serial No. 115-73
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
34-445 PDF                       WASHINGTON : 2019
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.

COMMITTEE ON HOMELAND SECURITY

Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Lou Barletta, Pennsylvania
Scott Perry, Pennsylvania
John Katko, New York
Will Hurd, Texas
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Mike Gallagher, Wisconsin
Clay Higgins, Louisiana
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
Debbie Lesko, Arizona

Bennie G. Thompson, Mississippi
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Donald M. Payne, Jr., New Jersey
Filemon Vela, Texas
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
J. Luis Correa, California
Val Butler Demings, Florida
Nanette Diaz Barragan, California

Brendan P. Shields, Staff Director
Steven S. Giaier, General Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------

SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

John Ratcliffe, Texas, Chairman
John Katko, New York
Daniel M. Donovan, Jr., New York
Mike Gallagher, Wisconsin
Brian K. Fitzpatrick, Pennsylvania
Don Bacon, Nebraska
Michael T. McCaul, Texas (ex officio)

Cedric L. Richmond, Louisiana
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Val Butler Demings, Florida
Bennie G. Thompson, Mississippi (ex officio)

Kristen M. Duncan, Subcommittee Staff Director
Moira Bergin, Minority Subcommittee Staff Director

C O N T E N T S
----------
                                                                   Page

STATEMENTS

The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................   1
  Prepared Statement.............................................   3
The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Ranking Member, Subcommittee on Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................   4
  Prepared Statement.............................................   5
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
  Prepared Statement.............................................   6

WITNESSES

Mr. Ken Durbin, Senior Strategist, Global Government Affairs, Symantec:
  Oral Statement.................................................   8
  Prepared Statement.............................................   9
Ms. Summer Fowler, Technical Director, Cybersecurity Risk and Resilience, Software Engineering Institute, CERT, Carnegie Mellon University:
  Oral Statement.................................................  13
  Prepared Statement.............................................  14
Mr. Ari Schwartz, Managing Director of Cybersecurity Services, Cybersecurity Risk Management Group, Venable LLP, Testifying on Behalf of the Cybersecurity Coalition and Center for Cybersecurity Policy and Law:
  Oral Statement.................................................  18
  Prepared Statement.............................................  19

APPENDIX

Questions From Honorable James R. Langevin for Summer Fowler.....  33
Questions From Honorable James R. Langevin for Ari Schwartz......  34


ASSESSING THE STATE OF FEDERAL CYBERSECURITY RISK DETERMINATION
----------

Wednesday, July 25, 2018

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and Infrastructure Protection,
Washington, DC.

The subcommittee met, pursuant to notice, at 10:38 a.m., in room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe (Chairman of the subcommittee) presiding.

Present: Representatives Ratcliffe, Bacon, Donovan, Katko, Richmond, and Langevin.

Mr. Ratcliffe. Good morning. The Committee on Homeland Security, Subcommittee on Cybersecurity and Infrastructure Protection will come to order. The subcommittee is meeting this morning to receive testimony regarding how the Federal Government understands and manages enterprise-wide cybersecurity risks. I now recognize myself for an opening statement.

As we convene today, this subcommittee is concerned that the Federal Government is not yet equipped to determine how threat actors seek to gain access to our private information. This challenge is one of the reasons I introduced, and yesterday the full committee passed, the Advancing Cybersecurity Diagnostics and Mitigation Act. H.R. 6443 will codify and provide direction to DHS regarding the CDM program. This was a bipartisan effort, and I thank the Ranking Member, Mr. Richmond, as well as Mr. Katko, Mr. Donovan, Mr. Fitzpatrick, and Mr. Langevin, for working with me on this important issue, because there is an evident lack of strategy in mitigating risk across our Federal agencies.

Cyber work force gaps and legacy IT systems are vulnerabilities in the Federal Government's cybersecurity posture, but the efficacy of our basic cybersecurity practices remain common liabilities. To this end, the Office of Management and Budget and Department of Homeland Security released a report earlier this year entitled Federal Cybersecurity Risk Determination Report and Action Plan. This report spoke to many of the challenges faced in securing enterprise-wide Federal Government IT systems. Perhaps not surprisingly, OMB and DHS determined that 74 percent of Government agencies have cybersecurity programs that are either at risk or at high risk. The risk assessments performed by these agencies showed that a lack of threat information results in ineffective allocations of limited cyber resources. This overall situation creates enterprise-wide gaps in our network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity.

Given the significant and ever-increasing danger of threats and the absence of good data inventory, risk management must be fully integrated into every aspect of an organization. Leaders of Federal agencies at all organizational levels must understand their responsibilities, and they must be accountable for protecting organizational assets and managing security and privacy risks.

The OMB and DHS report identified four main actions that are necessary to address cybersecurity risks across the Federal enterprise. First, Federal agencies must increase their cybersecurity threat awareness. This seems like too obvious of a recommendation, but often those charged with defending agency networks lack timely information regarding the tactics, techniques, and procedures that our adversaries are using to exploit Government information systems.
Second, OMB urged agencies to standardize IT and cybersecurity capabilities to control costs and to improve asset management. Generally speaking, agencies do not have standardized cybersecurity processes, which ultimately impacts their ability to efficiently and effectively combat cyber threats. The Continuous Diagnostics and Mitigation program, or CDM, will accelerate both IT management efforts and cybersecurity improvements across the Federal Government. In fact, my bill, the Advancing Cybersecurity Diagnostics and Mitigation Act, will require the program to evolve, thereby ensuring that agency CIOs and DHS have the visibility necessary, not only to combat threats, but also to target modernization resources and efforts where they are most needed.

The third recommended action is that agencies must consolidate their security operation centers to improve incident detection and response capabilities. OMB found that only 27 percent of agencies can detect and investigate attempts to access large volumes of data. This troubling statistic should cause us all to pause. While the report identifies that Federal agencies currently lack network visibility, DHS's CDM program can assist with this issue by providing insight into what is occurring on networks--after all, you cannot defend what you cannot see.

Finally, OMB recommended that agencies increase accountability through improved governance processes. Indeed, both the Federal Information Security Management Act and President Trump's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure already identify the agency head as the official ultimately responsible for each agency's cybersecurity. Of course, agency heads often delegate cyber risk management responsibilities to the chief information officer and chief information security officer, but agency leadership should increase its oversight of and its engagement in their agency's cybersecurity ecosystem.
Ultimately, a collaborative approach to mitigating cyber threats is meant to prioritize meeting the needs of DHS's partners and is consistent with the growing recognition among Government, academic, and corporate leaders that cybersecurity is increasingly interdependent across sectors and must be a core aspect of risk management strategies. We are in an era that requires flexibility, resiliency, and discipline. I look forward to a candid conversation with our witnesses today about ensuring our Federal networks can embody these goals. Your thoughts and opinions are important as we oversee the state of Federal Government cybersecurity risks.

[The statement of Chairman Ratcliffe follows:]

Statement of Chairman John Ratcliffe
July 25, 2018

This subcommittee is concerned that the Federal Government is not equipped to determine how threat actors seek to gain access to private information. There is an evident lack of strategy in mitigating risk across Federal agencies. Cyber workforce gaps and legacy IT systems are vulnerabilities in the Federal Government's cybersecurity posture, but the efficacy of our basic cybersecurity practices are common liabilities.

To this end, the Office of Management and Budget and Department of Homeland Security released a report earlier this year entitled ``Federal Cybersecurity Risk Determination Report and Action Plan.'' This report spoke to many of the challenges faced in securing enterprise-wide Federal Government IT systems. Perhaps not surprisingly, OMB and DHS determined that 74 percent of Government agencies have cybersecurity programs that are either at-risk or high-risk. The risk assessments performed by these agencies showed that a lack of threat information results in ineffective allocations of limited cyber resources. This overall situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity.
Given the significant and ever-increasing danger of threats and the absence of good data inventory, risk management must be fully integrated into every aspect of an organization. Leaders of Federal agencies at all organizational levels must understand their responsibilities and must be accountable for protecting organizational assets and managing security and privacy risks.

The OMB and DHS report identified four main actions that are necessary to address cybersecurity risks across the Federal enterprise.

First, Federal agencies must increase their cybersecurity threat awareness. This seems like too obvious of a recommendation, but often, those charged with defending agency networks lack timely information regarding the tactics, techniques, and procedures that adversaries use to exploit Government information systems.

Second, OMB urged agencies to standardize IT and cybersecurity capabilities to control costs and improve asset management. Generally speaking, agencies do not have standardized cybersecurity processes, which ultimately impacts their ability to efficiently and effectively combat threats. The Continuous Diagnostics and Mitigation program, or CDM, will accelerate both IT management efforts and cybersecurity issues across the Federal Government. In fact, a bill that I introduced last week, H.R. 6443, the Advancing Cybersecurity Diagnostics and Mitigation Act, will require the program to evolve to ensure agency CIOs and DHS have the visibility necessary not only to combat threats, but also to target modernization resources and efforts where they are most needed.

Third, agencies must consolidate their security operations centers to improve incident detection and response capabilities. OMB found that only 27 percent of agencies can detect and investigate attempts to access large volumes of data. This troubling statistic should cause all of us to pause.
While the report identifies that Federal agencies currently lack network visibility, DHS's CDM program can assist with this issue by providing insights into what is occurring on networks. After all, you can't defend what you can't see.

And finally, OMB recommended that agencies increase accountability through improved governance processes. Indeed, both the Federal Information Security Management Act and President Trump's Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure already identify the agency head as the official ultimately responsible for each agency's cybersecurity. Of course, agency heads often delegate cyber risk management responsibilities to the chief information officer and chief information security officer, but agency leadership should increase its oversight of, and engagement in, their agency's cybersecurity ecosystem.

Ultimately, a collaborative approach to mitigating cyber threats is meant to prioritize meeting the needs of DHS partners, and is consistent with the growing recognition among Government, academic, and corporate leaders that cybersecurity is increasingly interdependent across sectors and must be a core aspect of risk management strategies. We are in an era that requires flexibility, resiliency, and discipline. I look forward to a candid conversation with our witnesses about ensuring Federal networks can embody these goals.

I look forward to hearing from our witnesses. Your thoughts and opinions are important as we oversee the state of Federal Government cybersecurity risks.

Mr. Ratcliffe. The Chair recognizes the Ranking Member of the subcommittee, the gentleman from Louisiana, Mr. Richmond, for his opening statement.

Mr. Richmond. Good morning. I want to thank Chairman Ratcliffe for holding today's hearing on the Federal Cybersecurity Risk Determination Report and Action Plan. It is no secret that Federal networks are an attractive target to our adversaries and cyber criminals alike.
Thales eSecurity's 2018 Data Threat Report found Federal agencies experienced more data breaches than any other sector. State actors such as Russia, China, Iran, and North Korea have become more sophisticated, more emboldened, and more brazen, and the data stored on our networks about American citizens, our National security plans, and our economy is important to them.

We have authorized and funded programs to defend our Federal networks, and this subcommittee has performed rigorous oversight over many of them this Congress. I am familiar with the challenges related to implementation of the Department of Homeland Security's Continuous Diagnostics and Mitigation program, CDM, as well as cyber threat information sharing, so I was not terribly surprised by some of the Federal Cybersecurity Risk Determination Report's general findings. But the devil is in the details.

I could have told you, for example, that the collective ability of our Federal agencies to understand what is happening on their networks isn't what it should be, but I did not realize that fewer than half of the 96 agencies surveyed can detect encrypted exfiltration of information at target levels, or that only 27 percent can detect and investigate attempts to access large volumes of data. I knew that resource challenges have stunted the maturation of programs designed to protect Federal networks, but I was troubled to learn that agencies are not equipped to make strategic investment decisions with money Congress provides. While I could have assumed that agencies could improve their cyber incident response procedures or how cyber risks are communicated, I could not have predicted that just over half of the agencies surveyed had validated cyber incident response roles in the past year and only 59 percent of agencies have a mechanism to issue enterprise-wide cyber threat alerts. We have to do better than this.
The Federal Cybersecurity Risk Determination Report identified important actions the Federal Government should undertake to resolve existing capability gaps. Many of the proposed solutions leverage CDM tools, some of which have yet to be fully implemented or may not be deployed anytime soon. Yesterday, this committee approved legislation Chairman Ratcliffe introduced, and which I co-sponsored, to make the CDM program more robust and more accountable. I would be interested in hearing from our witnesses about how the Federal Government can optimize the potential of CDM and improve its implementation. Additionally, I would be interested to know if the witnesses disagree with any of the action items identified in the risk determination report, or if there are issues critical to risk management that the report failed to address. Finally, I will be interested in hearing the witnesses' thoughts about the importance of leadership from the White House when it comes to improving the cybersecurity of our Federal networks.

Before I close, I want to point out on a separate subject that we are heading into August recess without making any progress toward reauthorization of the Chemical Facility Anti-Terrorism Standards, known as the CFATS program. Ranking Member Thompson and I have repeatedly asked the Majority to hold oversight hearings with the Department and begin work on negotiating and forming CFATS reauthorization legislation. Neither has happened, and I am concerned that we may not have enough legislative days left to get reauthorization past the finish line. I hope the Majority will make CFATS a priority when we return from the August recess so we can avoid a temporary extension.

With that, I thank the witnesses for being here today. I look forward to their testimony. I yield back the balance of my time.

[The prepared statement of Ranking Member Richmond follows:]

Statement of Ranking Member Cedric Richmond
July 25, 2018

Good morning.
I would like to thank Chairman Ratcliffe for holding today's hearing on the Federal Cybersecurity Risk Determination Report and Action Plan. It is no secret that Federal networks are an attractive target to our adversaries and cyber criminals alike. Thales e-Security's 2018 Data Threat Report found Federal agencies experience more data breaches than any other sector. State actors--such as Russia, China, Iran, and North Korea--have become more sophisticated, more emboldened, and more brazen. And the data stored on our networks--about American citizens, our National security plans, and our economy--is important to them.

We have authorized and funded programs to defend our Federal networks, and this subcommittee has performed rigorous oversight over many of them this Congress. I am familiar with the challenges related to implementation of the Department of Homeland Security's Continuous Diagnostic and Mitigation Program (CDM) as well as cyber threat information sharing. So I wasn't terribly surprised by some of the Federal Cybersecurity Risk Determination Report's general findings. But the devil is in the details.

I could have told you, for example, that the collective ability of our Federal agencies to understand what is happening on their networks isn't what it should be. But I didn't realize that fewer than half of the 96 agencies surveyed can detect encrypted exfiltration of information at target levels, or that only 27 percent can detect and investigate attempts to access large volumes of data. I knew that resource challenges have stunted the maturation of programs designed to protect Federal networks, but I was troubled to learn that agencies are not equipped to make strategic investment decisions with the money Congress provides.
And, while I could have assumed that agencies could improve their cyber incident response procedures or how cyber risks are communicated, I could not have predicted that just over half of the agencies surveyed had validated cyber incident response roles in the past year and only 59 percent of agencies have a mechanism to issue enterprise-wide cyber threat alerts. We have to do better than this.

The Federal Cybersecurity Risk Determination Report identified important actions the Federal Government should undertake to resolve existing capability gaps. Many of the proposed solutions leverage CDM tools, some of which have yet to be fully implemented or may not be deployed any time soon. Yesterday, this committee approved legislation Chairman Ratcliffe introduced, and which I cosponsored, to make the CDM program more robust and more accountable. I will be interested to hear from our witnesses about how the Federal Government can optimize the potential of CDM and improve its implementation. Additionally, I would be interested to know if the witnesses disagree with any of the action items identified by the Risk Determination Report or if there are issues critical to risk management that the report failed to address. Finally, I will be interested in hearing the witnesses' thoughts about the importance of leadership from the White House when it comes to improving the cybersecurity of our Federal networks.

Before I close, I want to point out that we are heading into August recess without making any progress toward reauthorization of the Chemical Facility Anti-Terrorism Standards (CFATS) program. Ranking Member Thompson and I have repeatedly asked the Majority to hold oversight hearings with the Department and begin work on negotiating informed CFATS reauthorization legislation. Neither has happened, and I am concerned that we may not have enough legislative days left to get reauthorization past the finish line.
I hope the Majority will make CFATS a priority when we return from August recess so we can avoid a temporary extension.

With that, I thank the witnesses for being here today, and I look forward to their testimony. I yield back the balance of my time.

Mr. Ratcliffe. I thank the gentleman. Other Members of the committee are reminded that opening statements may be submitted for the record.

[The statement of Ranking Member Thompson follows:]

Statement of Ranking Member Bennie G. Thompson
July 25, 2018

Good morning. I want to thank Chairman Ratcliffe and Ranking Member Richmond for holding today's hearing on the ``State of Federal Cybersecurity Risk Determination''.

At the outset, I would like to echo Ranking Member Richmond's disappointment that we are heading into August recess without making any meaningful progress on reauthorizing the Chemical Facility Anti-Terrorism Standards Program (CFATS), which expires in less than 6 months. As far as I know, the CFATS program has bipartisan support on this committee. It is also popular with the regulated community, and, most importantly, makes our communities safer. Given the limited number of legislative days left, I hope this committee acts quickly when we return in September to fulfill our obligations as authorizers and put CFATS on the track to reauthorization.

Turning to the subject of today's hearing--although I am pleased that OMB and DHS have undertaken a review of the risk determination and acceptance choices across the Federal Government, I am troubled that many of our cybersecurity capabilities are not as mature as they ought to be. When I joined the Select Committee on Homeland Security in 2003, every expert I heard from told me that the Federal Government was 10 years behind where it should be with respect to cybersecurity. Despite the investments we have made since then, it seems we are in the same boat--10 years behind where we need to be.
Federal agencies still struggle to access timely, actionable threat information and share it enterprise-wide. Agencies still do not have full visibility of what is happening on their networks or who has access to different pieces of information. And we still have not figured out how to strategically allocate funding to address risk. Despite devastating data breaches like the 2015 Office of Personnel Management heist of the personal information of 22.1 million people, non-defense agencies spent less than $51 million encrypting data at rest in fiscal year 2017. Meanwhile, of the $80 billion we spend annually on IT systems across the Federal Government, 80 percent is spent maintaining legacy systems that are more vulnerable and less secure. We need to start putting our money where the risk is.

This is not the first time we have heard these recommendations. So, there is one thing I would like to know from our witnesses today: How can the Federal Government finally jump the 10-year gap between where we are and where we should be? I know it will take technology. I know it will take money. And, importantly, I know it will take leadership. I am concerned that the White House has limited its ability to lead as effectively as it could in this space by eliminating the Cybersecurity Coordinator position and dragging out the appointment of the Federal CIO and CIOs at large agencies. Nevertheless, as Members of Congress, we will continue our rigorous oversight to hold the administration accountable for the action items outlined in the Federal Cybersecurity Risk Determination Report and Action Plan.

With that, I look forward to hearing from our witnesses, and I yield back the balance of my time.

Mr. Ratcliffe. We are pleased to have a distinguished panel of witnesses before us today on this very important topic.

Mr. Ken Durbin is a senior strategist of global government affairs for Symantec. Mr. Durbin has been providing compliance and risk management solutions to the public sector for over 25 years and has authored multiple articles on CRM issues. Thank you for being here this morning.

Ms. Summer Fowler is the technical director for cybersecurity, risk, and resilience in the Software Engineering Institute at Carnegie Mellon. In this role, Ms. Fowler is responsible for executing the strategic plan for a research portfolio focused on improving the security and resilience of organizational assets. Ms. Fowler, thank you for being here to provide your insights today.

Finally, Mr. Ari Schwartz is the managing director of cybersecurity services in the risk management group of Venable. Mr. Schwartz is testifying today on behalf of the Cybersecurity Coalition and Center for Cybersecurity Policy and Law. Prior to his time at Venable, Mr. Schwartz served on the National Security Council as a special assistant to the President and senior director for cybersecurity. Thank you for being here today, Mr. Schwartz.

I would now ask the witnesses to stand and raise your right hand, so I can swear you in to testify.

[Witnesses sworn.]

Let the record reflect that each of the witnesses has been so sworn. You may be seated.

The witnesses' full written statements will appear in the record. The Chair now recognizes Mr. Durbin for 5 minutes for his opening statement.

STATEMENT OF KEN DURBIN, SENIOR STRATEGIST, GLOBAL GOVERNMENT AFFAIRS, SYMANTEC

Mr. Durbin. Chairman Ratcliffe, Ranking Member Richmond, thank you for the opportunity to testify. I would like to start by setting the stage with regards to the current threat landscape. Attackers continue to evolve; to avoid detection, attackers are employing what we call living-off-the-land--using operating system features or legitimate network administration tools to compromise victims' networks. Using good programs to do bad things is difficult to detect because it is disguised as normal operations.
We recently discovered one such attack that had compromised satellite operators, telecommunications companies, and a defense contractor. We identified the attack using an advanced hunting tool we call ``Targeted Attack Analytics,'' which crawls through massive datasets looking for minute indicators of malicious activity.

Cryptojacking is another common attack. We have seen the rise of a new category of web-based coin-miner attacks that use an individual's browser to hijack their computer's processing power to mine cryptocurrency. Detections of coin-miners on endpoint computers increased by 8,500 percent in 2017.

We saw an uptick in supply chain attacks, where attackers hijacked software updates to gain entry to well-guarded networks. The Petya outbreak was the most notable example of a supply chain attack. Attackers used accounting software as the point of entry.

Now turning to the Federal Cybersecurity Risk Determination Report and Action Plan, the report is a tough but fair assessment of the current state of the Executive branch's cybersecurity posture, and it looks to build on existing security frameworks to make improvements. I want to take a moment to commend OMB for recognizing the value of the NIST Cybersecurity Framework, or CSF, as a tool to improve the current state of the Executive branch's risk management efforts. Typically, an agency collects data from over 200 FISMA controls, across 10 control families, to evaluate cybersecurity readiness. That same data can be consolidated into the 5 CSF functions for a clearer view into their cyber readiness.

The report made several recommendations. In the first, the report notes that 38 percent of Federal cyber incidents did not have an identified attack vector and recommends implementing the Cyber Threat Framework, or CTF, to help categorize cybersecurity risks. However, it is not clear how categorizing attacks would have helped protect against the cyber events that compromised information and systems.
To reduce the number of unidentified attacks, I recommend that, along with implementing the CTF, OMB put a strong emphasis on cybersecurity solutions that automate the detection and remediation of cyber events through communication between strategic control points, hunting for indicators that are compromised.

I commend OMB's efforts to develop a risk-based budget process to direct IT purchases to reduce identified risk. Another way to reduce identified risk would be to require agencies to add recommendations contained in IG FISMA audits as line items in their budget requests to ensure they receive adequate prioritization.

The report also recommends standardizing IT and cybersecurity capabilities. This can be achieved through the Continuous Diagnostics and Mitigation, or CDM, program. CDM achieves the same goals by focusing on standardized capabilities rather than a standardized vendor. However, the CDM program needs to be accelerated: 5 years after CDM was launched, phases 1 to 4 have still not been fully deployed.

The third recommendation is to consolidate agency security operation centers to improve overall incident detection and response. While this is part of the solution, detecting the exfiltration of data requires more than consolidation, which brings me to the fourth recommendation, accountability. I want to focus on the data-level protection aspect of this recommendation. Far too often we see the Government equate data-level protection with the encryption of data. While encryption is important, the Government's focus needs to be expanded to include prevention, specifically data loss prevention, or DLP. DLP can discover and categorize sensitive data and can enforce policies about what can be done with that data. DLP can automatically encrypt data before it is transmitted, even if the end-user forgot to encrypt it themselves.
I recommend that DHS advance the data protection phase of CDM which would have the added benefit of protecting the high-value assets identified by agencies during the 2015 Cyber Sprint.

I hope these observations build on OMB's recommendations and maximize their ability to improve our Government cybersecurity posture. Thank you for the opportunity to testify.

[The prepared statement of Mr. Durbin follows:]

Prepared Statement of Ken Durbin

July 25, 2018

Chairman Ratcliffe, Ranking Member Richmond, my name is Ken Durbin, CISSP, and I am a senior strategist for Symantec Global Government Affairs and Cybersecurity. I have been providing solutions to the public sector for over 30 years. My focus on compliance and risk management (CRM) and the critical infrastructure sector has allowed me to gain insights into the challenge of balancing compliance with the implementation of cybersecurity solutions. Additionally, I focus on the standards, mandates, and best practices from NIST, OMB, DHS, SANS, etc. and their application to CRM. I spend a significant amount of my time on the NIST Cybersecurity Framework (CSF),\1\ the DHS CDM Program and the emerging EU Global Data Protection Regulation (GDPR).
---------------------------------------------------------------------------
\1\ NIST Cybersecurity Framework (CSF): Provides guidance to private companies on how best to prevent, detect, and respond to cyber attacks.
---------------------------------------------------------------------------
Symantec Corporation is the world's leading cybersecurity company and has the largest civilian threat collection network in the world. Our Global Intelligence NetworkTM tracks over 700,000 global adversaries, records events from 126.5 million attack sensors worldwide, and monitors threat activities in over 157 countries and territories. Additionally, we process more than 2 billion emails and over 2.4 billion web requests each day.
We maintain 9 Security Response Centers and 6 Security Operations Centers around the globe, and all of these resources combined give our analysts a unique view of the entire cyber threat landscape. On our consumer side, we combined Norton Security with LifeLock's Identity and Fraud Protection to deliver a comprehensive cyber defense solution to a growing consumer base of nearly 4.5 million people.

In my testimony I will provide:
  an overview of the current threat landscape, including highlights of our 2018 Internet Security Threat Report (ISTR),\2\
---------------------------------------------------------------------------
\2\ https://www.symantec.com/security-center/threat-report.
---------------------------------------------------------------------------
  an assessment of the Federal Cybersecurity Risk Determination Report and Action Plan that was released in May,
  high-level recommendations on addressing some of the challenges highlighted in the report.

THE THREAT LANDSCAPE

From the recent Thrip attack on satellite and telecommunications systems to the spread of WannaCry and Petya/NotPetya, to the rapid growth in coinminers, the past year has provided us with many reminders that digital security threats can come from new and unexpected sources. With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so. Symantec's annual ISTR provides a comprehensive view of the threat landscape, including insights into global threat activity, cyber criminal trends, and motivations for attackers. Below are some key highlights from this year's report and our recent work.
Attackers are Evolving

Last month, we issued a report about a previously unknown attack group known as Thrip.\3\ Thrip is a sophisticated attacker that used a technique we call ``living off the land''--using operating system features or legitimate network administration tools to compromise victims' networks. Simply put, they use good programs to do bad things. These types of attacks are difficult to detect because malicious activity is disguised as normal system operations. This continued a trend we reported on in the ISTR, that attackers are relying less on malware and zero-day vulnerabilities. Instead, they are looking for new attack vectors that make less ``noise'' and can be hard for some defenders to detect.
---------------------------------------------------------------------------
\3\ https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets?om_ext_cid=biz_social_NAM_twitter_Asset%2BType%2B%2B-%2BBlog,Campaign%2B-%2BThreat%2BAlert.
---------------------------------------------------------------------------
When we discovered Thrip, they had already compromised satellite operators, telecommunications companies, and a defense contractor. We identified this malicious activity using an advanced hunting tool we call Targeted Attack Analytics, which crawls through massive data sets looking for minute indicators of malicious activity. When we find something--like Thrip--we update our protections to stop it in the future. Thrip was not the first living off the land attack, and it will not be the last, and defenders must evolve to stay ahead of the next attack.

Cryptojacking

During the past year, an astronomical rise in cryptocurrency values triggered a cryptojacking gold rush with cyber criminals attempting to cash in on a volatile market. This gave rise to a new category of malware called ``coinminers'' that attach to an individual's browser and utilize their computer's processing power to mine cryptocurrency.
Detections of coinminers on endpoint computers increased by 8,500 percent in 2017. With a low barrier of entry--only requiring a couple lines of code to operate--cyber criminals are harnessing stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency. Coinminers can slow devices, overheat batteries, and in some cases, render devices unusable. For enterprise organizations, coinminers can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding cost. Macs are not immune either, with Symantec detecting an 80 percent increase in coinmining attacks against Mac OS. By leveraging browser-based attacks, criminals do not need to download malware to a victim's Mac or PC to carry out cyber attacks.

IoT

IoT devices continue to be ripe targets for exploitation. Symantec found a 600 percent increase in overall IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse.

Targeted Attack Groups

The number of targeted attack groups is on the rise with Symantec now tracking 140 organized groups. Last year, 71 percent of all targeted attacks started with spear phishing--the oldest trick in the book--to infect their victims. As targeted attack groups continue to leverage tried and true tactics to infiltrate organizations, the use of zero-day threats is falling out of favor. Only 27 percent of targeted attack groups have been known to use zero-day vulnerabilities at any point in the past. The security industry has long discussed what type of destruction might be possible with cyber attacks. This conversation has now moved beyond the theoretical, with 1 in 10 targeted attack groups using malware designed to disrupt.

Supply Chain Attacks

Symantec identified a 200 percent increase in attackers injecting malware implants into the software supply chain in 2017. That's equivalent to 1 attack every month as compared to 4 attacks the previous year.
Hijacking software updates provides attackers with an entry point for compromising well-guarded networks. The Petya outbreak was the most notable example of a supply chain attack. After using Ukrainian accounting software as the point of entry, Petya used a variety of methods to spread laterally across corporate networks to deploy their malicious payload.

Ransomware for Profit

In 2016, the profitability of ransomware led to a crowded market. In 2017, the market made a correction, lowering the average ransom cost to $522 and signaling that ransomware has become a commodity. Many cyber criminals may have shifted their focus to coin mining as an alternative to cashing in while cryptocurrency values are high. Additionally, while the number of ransomware families decreased, the number of ransomware variants increased by 46 percent, indicating that criminal groups are innovating less but are still very productive.

ASSESSMENT OF THE FEDERAL CYBERSECURITY RISK DETERMINATION REPORT AND ACTION PLAN

The Office of Management and Budget (OMB), in response to Presidential Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, produced a report that provides a tough but fair assessment of the current state of the Executive branch's Cybersecurity Posture. The EO and the report build upon the efforts of previous administrations and work within existing frameworks, including FISMA,\4\ FITARA,\5\ CDM,\6\ and CSF. While none of these are perfect, OMB sees their value and seeks to improve them. The EO held OMB to a tight time line in which to produce the report and OMB held agencies to a similarly aggressive time line. This alone sent a strong message, both about the seriousness of the situation and about the administration's commitment to improving the Executive branch's cybersecurity posture.
---------------------------------------------------------------------------
\4\ Federal Information Security Management Act: Requires Government agencies to implement security systems to protect information and information systems.
\5\ Federal Information Technology Acquisition Reform Act: Changed the way the Federal Government buys and manages its computer technology.
\6\ Continuous Diagnostics and Mitigation: Four-phase program that monitors what is on a network, who is on a network, what is happening on a network, and how data is protected for Federal agencies.
---------------------------------------------------------------------------
As a threshold matter, I would like to commend the administration and OMB for recognizing the value of the CSF as a tool to improve the current state of the Executive branch's risk management efforts. The CSF's power is its ability to take a complex set of cybersecurity data and present them in a clear, logical, and simplified way such that one does not need to be a cyber expert to gain valuable insight and make important decisions. For example: An agency now needs to collect data from over 200 FISMA controls across 10 control families to evaluate cybersecurity readiness. That same data can be consolidated into the 5 CSF functions (identify, protect, detect, respond, and recover) for a clearer view into their cyber readiness.

Recommendation No. 1: Increase Cybersecurity Threat Awareness

To highlight the need for increasing cybersecurity threat awareness, the report points out that ``38 percent of Federal cyber incidents did not have an identified attack vector.'' This equates to 11,802 cyber incidents that ``led to the compromise of information or system functionality in fiscal year 2016.'' To improve this situation the report recommends implementing the Cyber Threat Framework (CTF) with the idea that it will help prioritize and manage cybersecurity risks.
The CTF was developed to enable consistent characterization and categorization of cyber threat events; in other words, to provide a common lexicon to describe and understand threats. This, of course, is a worthwhile pursuit, but it is not clear how the CTF would have helped protect against the 11,802 cyber events that compromised information and systems. I recommend that, along with implementing the CTF, OMB put a strong emphasis on cybersecurity solutions that can automate the detection and remediation of cyber events. Automated cybersecurity solutions that can communicate between strategic control points hunting for indicators of compromise (IoCs) will help to reduce the number of unidentified attacks, and reduce the burden caused by the shortage of qualified cyber professionals.

I applaud OMB's efforts to develop a risk-based budgeting process to help direct IT purchases toward products, solutions, and services that will have a direct impact on reducing identified risk. OMB may want to consider taking this effort one step further to address one long-standing issue around agency IG Report recommendations. IG Reports regularly contain risk-based recommendations that are carryovers from previous years' reports, and often they remain unresolved due to budget or staffing issues. Adding IG recommendations as line items in an agency's budget request could be a way to ensure the recommendations receive adequate prioritization. Additionally, DHS has modified the CDM program to allow agencies to submit Requests for Service (RFS) to fulfill specific needs. Known as CDM DEFEND, this may be another vehicle to address risk-based procurement.

Recommendation No. 2: Standardize IT and Cybersecurity Capabilities

This recommendation harkens back to the massive GSA ``desktop'' contracts of the 1980's and 1990's. For the most part those contracts mandated a standardized PC platform with specific software preinstalled.
(The original contract required a Zenith 286 with DOS, Harvard Graphics, Lotus123, and WordStar.) This did have some of the same advantages spelled out in the report, including consistent software versions, ease of patching, known configurations, and simplified troubleshooting. The downside was that even if a competitor of Zenith had a better PC it was next to impossible to justify not using the desktop contract. I believe the Continuous Diagnostics and Mitigation (CDM) concept achieves the goals set forth in this recommendation by focusing on standardized capabilities rather than a standardized vendor. However, in order to be effective in meeting this goal, the CDM Program will need to move faster--5 years after CDM was launched Phase 1 has still not been fully deployed. DHS has taken steps to accelerate the program, launching CDM DEFEND, which utilizes the GSA Alliant Contract and extends the period of performance of awarded Task Orders.

Recommendation No. 3: Consolidate Agency SOCs

Redundant Security Operation Centers (SOCs) working in silos are ineffective when trying to defend an enterprise. Consolidating SOCs and coordinating their efforts will improve overall incident detection and response. OMB states that only 47 percent of agencies can detect encrypted exfiltration incidents, and only 27 percent have the ability to detect an exfiltration attempt. Consolidation is part of the solution but detecting the exfiltration of data by a SOC across an agency, especially a federated agency, requires more than consolidation. A SOC must have the right tools in place to tag and monitor the activity of sensitive data on an endpoint, server, data center, in storage, or in the cloud. A SOC also needs the ability to look into encrypted traffic and scan for sensitive data and malware. If a SOC does detect a data exfiltration threat, the SOC needs to have a solution in place to mitigate the threat, preferably utilizing automation.

Recommendation No. 4: Drive Accountability Across Agencies

I would like to focus on the ``data-level protections'' aspect of this recommendation. OMB acknowledges the call from industry, privacy advocates, and the GAO for an increased focus on data-level protections. However, the Government must expand the scope of data-level protection to include data-level prevention as well. Far too often we see the Government equate data-level protection with the encryption of data, both in transit and at rest. Encryption is important, but its focus is limited to data ``protection.'' This thinking needs to be expanded to include prevention--specifically ``data-loss prevention'' (DLP) capabilities that prevent the misuse of data in the first place. DLP solutions can discover where sensitive data lives, categorize the data based on its sensitivity and control who has access to the data. DLP can also enforce policies that describe what can be done with data. For example, DLP can block data from being copied to a thumb drive, emailed to a personal email account, block access to data from certain locations, or during certain times. DLP can even automatically encrypt data before it's transmitted even if the end-user forgot to encrypt it themselves.

CDM is slated to address Data Protection in Phase 4 of the Program. I recommend that DHS advance Data Protection so it is implemented concurrently with on-going and planned CDM Task Orders. This would have the added benefit of maximizing the effort undertaken by agencies during the OMB mandated Cyber Sprint of 2015 and its follow-on components. Under the Cyber Sprint agencies were to identify their ``high-value'' assets but were not provided with solutions to protect those assets. The Data Protection capabilities of CDM, along with CDM's funding, would go a long way toward protecting high-value assets in a timely manner.
CONCLUSION

This committee understands as well as anyone that cyber threats are growing in number and complexity at an alarming pace and that Government agencies continue to be an attractive target. The OMB report takes a clear-eyed and unbiased look at the current state of our cybersecurity preparedness and does not shy away from pointing out areas that need significant improvement, and makes recommendations that build upon proven efforts of previous administrations. I hope my ideas can build on OMB's recommendations and maximize their ability to improve our Government's cybersecurity posture. Thank you for the opportunity to testify before this committee, and I would be happy to take any questions you may have.

Mr. Ratcliffe. Thank you, Mr. Durbin. The Chair now recognizes Ms. Fowler for 5 minutes.

STATEMENT OF SUMMER FOWLER, TECHNICAL DIRECTOR, CYBERSECURITY RISK AND RESILIENCE, SOFTWARE ENGINEERING INSTITUTE, CERT, CARNEGIE MELLON UNIVERSITY

Ms. Fowler. Good morning. Thank you, Chairman Ratcliffe, Ranking Member Richmond, and all subcommittee Members for this opportunity. On behalf of my team at Carnegie Mellon University's Software Engineering Institute CERT Cybersecurity Program or SEI, I am excited to contribute today and share our research and experience in cyber risk determination. OMB's May 2018 report, as has been noted, contains four core recommendations that we believe are excellent steps to improving Federal cybersecurity posture. Our work at the SEI can build on and enhance these recommendations.

Cyber risk management requires analysis and mitigation of two sides, both the threat and of the consequence or impact of risks that occur. We know that our cyber exposure is increasing as software is embedded in more aspects of our lives and Government operations and our adversaries are using these exposures to launch more frequent and more sophisticated attacks.
Understanding these threats is important but cyber risk management is not only about managing cyber attack--failures of technology, breakdowns in governance or process, human errors, and even physical phenomena like natural disasters, are also cyber risks. Addressing cyber risks holistically requires a resilience approach, a word I was very happy to hear Mr. Ratcliffe using, and that approach focuses on mitigating the impact of any type of disruptive event. Operational resilience is the ability to achieve mission objectives before, during, and after any disruptive event, whether it is a cyber attack or a system failure. Fundamental to operational resilience is identifying and prioritizing assets that are critical to each organization's mission.

Our team at the SEI has codified operational resilience in the CERT Resilience Management Model. We have applied this model in partnership with DHS by assessing over 600 organizations across all 16 critical infrastructure sectors. These voluntary assessments provide organizations with the baseline understanding of their cybersecurity capabilities. The assessment team also provides the organization with resource guides and recommendations on how to make improvements. The CERT RMM is used as a way to measure capabilities against the NIST Cybersecurity Framework and other industry standards but the operational resilience approach moves beyond checklist compliance, to enable organizations to make demonstrable steps to improve cybersecurity posture. Most importantly, CERT RMM does not require an organization to start a new cybersecurity program. It allows an organization to baseline capabilities and build a road map for improvement that is both complementary to and improves organizations' inputs to Federal programs like the DHS CDM program.
CERT RMM also provides a structured way for organizations to identify, analyze, and mitigate the risks of older, or legacy, information technology as was noted in the OMB report as a major concern. In many cases as the report recommends, depreciated legacy systems will be modernized or moved to platforms like the cloud. The asset management practices in CERT RMM ensure that the highest-priority assets for each organization are addressed first but introducing new capabilities like the Cloud also introduces new cyber risks. CERT RMM provides structured guidance on the management of supply chain including new ways to continuously measure and manage the risks of third-party dependencies.

A holistic resilience approach is especially important as the Government integrates cyber physical systems into the Federal landscape. Cyber physical systems are often built with functionality as a primary goal and cybersecurity as a secondary or tertiary goal at best. The military and Federal Government are adopting cyber physical systems in areas like medical devices, in VA hospitals, and census collection capabilities. To mitigate cyber risks, we must address both threats and consequences in a balanced way with the focus on prioritization of assets that are most critical to our mission. Thank you for the opportunity to participate today and to discuss how we can advance cyber risk determination and management through operational resilience practices.

[The prepared statement of Ms. Fowler follows:]

Prepared Statement of Summer Fowler

July 25, 2018

Chairman Ratcliffe and Ranking Member Richmond, thank you for the opportunity to participate in this hearing on assessing cybersecurity risk. I am the technical director of cybersecurity risk and resilience for the CERT division, part of Carnegie Mellon University's Software Engineering Institute (SEI),\1\ a Department of Defense (DoD) Federally-Funded Research and Development Center (FFRDC).
The SEI conducts research and development in software engineering and cybersecurity, working to transition new and emerging innovations into Government and industry. The SEI holds a unique role as an FFRDC sponsored by the DoD that is also authorized to work with organizations outside of the DoD, including engagement across the Federal Government, the private sector, and academia. As such, we have been working with Department of Homeland Security's critical infrastructure protections since they were established in 2013. Our research, prototyping, mission application, training, and education activities are heavily interrelated and are relevant to a broad range of problem sets, such as protection of the Nation's critical infrastructure and improved software engineering for large-scale systems of systems.
---------------------------------------------------------------------------
\1\ https://www.sei.cmu.edu/.
---------------------------------------------------------------------------
Disruptions of critical functions that are reliant on computer systems are inevitable. No organization, government, or agency can anticipate every disruption or prevent every cyber attack. Agencies must be able to anticipate and respond to changes in their risk environment at a moment's notice. Furthermore, despite these disruptions, organizations should be capable of continuing operations and meeting mission goals.

We at the SEI applaud the work of the Office of Management and Budget, detailed in the May 2018 report ``Federal Cybersecurity Risk Determination Report and Action Plan.'' As a high-level assessment of Government cybersecurity risks, the report identifies four core actions that I believe will indeed, done correctly, mitigate a significant number of cyber risks across the Federal agencies. Notwithstanding, there are some finer points, not included in the report, that are worth discussing and implementing.

First, the report concentrates on only one half of cyber risk management.
In order to successfully execute cyber risk management, agencies must ensure they analyze and manage cyber risk or threats as well as the potential impact of the cyber risks and threats on their organization. While the report concentrates on the threat of cybersecurity and proposes better understanding of the cyber risk, outlining the potential effect of any realized threat requires just as much effort.\2\ If agencies are to achieve the ability to complete their mission no matter the cyber threat, it is imperative that we manage both the cyber threat and the consequences of the attacks.
---------------------------------------------------------------------------
\2\ As reinforced in NIST 800.39, Managing Information Security Risk Organization, Mission, and Information System View and NIST 800.37, Guide for Applying the Risk Management Framework to Federal Information Systems A Security Life Cycle Approach.
---------------------------------------------------------------------------
Accomplishing this continuity of operations requires a resilience approach to cybersecurity--an integrated, holistic way to manage security risks, business continuity, disaster recovery, and IT operations, executed in the context of each organization's mission and strategy.

Second, by the report's own admission, it does not cover older, legacy information technology (IT) or workforce challenges. Both legacy IT and the workforce shortage are significant and must be addressed if the Federal enterprise is to understand the current cyber risk environment and credibly prepare for the future.

The SEI's Enterprise Risk and Resilience research includes advancing cyber risk management and enhancing it via the planning, integration, execution, and governance of operational resilience.
We leverage our research to develop best practices, resilience management models, tools, and techniques for measuring and improving enterprise risk management and operational resilience in the form of actionable guidance for the DoD and Federal civilian agencies.

OPERATIONAL RESILIENCE

Operational Resilience is the ability to continue to operate, and to meet the organization's mission, in the face of evolving cyber conditions. In the ever-changing cyber and technological landscape, organizations need techniques that allow people, processes, and systems to adapt to changing patterns. These patterns include the incessant introduction of both unique threat actors and the means by which systems are exploited. Operational resilience is obtained by ensuring your cyber risk management takes into account both the threat and the consequences of cyber risk.

Cyber risk management, as proposed by the report, is a process to identify, analyze, dispose of, monitor, and adjust approaches to handling threats. Yet we know cyber risk management alone is not enough to ensure that we are prepared to address current and emerging threats. The concept of risk management must adhere to a formula between likelihood of threat and consequence of impact. At the SEI we have found cyber risk is best managed by determining potential impact first. This requires articulation of mission, enumeration of critical services or activities to achieve mission, and asset management.\3\ Once critical assets are identified, then we can walk back toward a list of specific threat types and threat actors. Cyber professionals whose efforts are concentrated in the assessment of threats are often doing very good cybersecurity work; however, without consideration of impact and asset management, they may not be protecting the assets most critical to that particular organization.
Focusing on mission objectives and critical assets creates operational resiliency in an organization regardless of the source or type of threat. This focus on mission context also improves the ability to communicate risk, ultimately helping to address finding No. 4 in the OMB report.
---------------------------------------------------------------------------
\3\ Asset management is a collection of practices to identify and prioritize the people, processes, data, technology, and facilities required to execute the activities.
---------------------------------------------------------------------------
Examining consequences helps organizations to identify and mitigate operational risks that could lead to service disruptions before they occur. Organizations can then prepare for and respond to disruptive events in a way that demonstrates balance of command and control of threat mitigation, incident response, and service continuity. Finally, by establishing a robust understanding of assets, agencies can prioritize investments needed to protect, respond, recover, and restore mission-critical services and operations after an incident and within acceptable time frames.

Considering impact is key for comprehensive cyber risk management leading to resilience. If an agency looks only to malicious threats to operations, it risks missing 17 percent (1 in 5) of overall data breaches, which are the result of human error. In the health care and information industries, these errors are much higher at 35 percent and 26 percent respectively.\4\ Organizations cannot overlook the role of humans in the management of cyber risks. A malicious act of deliberate sabotage or the unintentional actions of a confused system operator can both lead to a profound disruption. A resilience approach is agnostic of the type of disruption and enables the organization to plan for, avoid, detect, respond to, and recover from incidents including natural disasters, human error, or malicious cyber attacks.
---------------------------------------------------------------------------
\4\ Verizon 2018 Data Breach Investigations Report, https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf.
---------------------------------------------------------------------------
Furthermore, in today's ever-increasing global economy, many organizations depend on external entities for information and technology, increasing the potential risk to their missions and key services. These third-party entities are an extension of the organization and are often given a trusted place in the management of systems and processes. When trust in an external entity is misplaced or misused, the consequences can be significant. Examples include breaches due to a third party's failure to protect data, poor integrity of hardware and software deployed within an organization, or malicious use of trusted extrinsic relationships to gain access to or harm the organization.

Agencies must approach the management of supply chain, also called third-party or external dependencies, with a risk-based approach. This approach includes adopting new ways of continuously measuring and managing the risk from external dependencies. Additionally, agencies can and should determine the maturity of their external dependencies-management practices. Guided by specific service-level agreements, which establish meaningful measures of cybersecurity performance, agencies can better understand and manage the capabilities of their external dependencies, thus increasing organizational resiliency. For example, external dependencies management is especially critical as the Government continues to modernize its IT capabilities using cloud service providers.

Last, for true operational resilience, agencies must move beyond simplistic checklist compliance or penetration testing and take demonstrable steps to improve cybersecurity posture.
Our team at Carnegie Mellon University has codified operational resilience in the CERT Resilience Management Model (CERT-RMM).\5\ Developed by deriving practical tools and methods from the best concepts that academia has to offer and best practices from the public and private sectors, CERT-RMM has been applied to measure and evaluate organizations of all sizes and compositions. Developed initially in collaboration with members of the financial services community, CERT-RMM has been used more than 600 times by the Department of Homeland Security to measure the cyber resilience across all 16 critical infrastructure sectors. CERT-RMM can also be used as a way to measure capabilities against the NIST Cybersecurity Framework. Enabling agencies both to ensure compliance and to show measurable improvement in cybersecurity posture, CERT-RMM provides a resource guide mapped to several industry and Government standards.
---------------------------------------------------------------------------
\5\ https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508084.
---------------------------------------------------------------------------
Most importantly, CERT-RMM is a framework that does not require agencies to start over, but allows every organization, whatever its current competence, a way to assess baseline capabilities and develop a roadmap for improvement as an enhancement to cyber risk management. This also enables a way to address the next topic of legacy information technology (IT).
legacy it
Organizations do not have unlimited resources with the option of replacing older systems and software en masse to help mitigate new cybersecurity threats. Most, in both Government and the private sector, have a mix of old and new systems all connected to each other and most likely accessible to threat actors via the internet.
While layers of safeguards are placed between these systems and the outside world, legacy IT remains a serious concern and has led to many notable cyber breaches despite these defenses. Knowing where the most fragile legacy IT systems are located is essential. Consequently, at a minimum an organization must engage in effective asset management to gain a detailed inventory of IT. Without a valid inventory, accompanied by a network map, it is unlikely any organization could adequately defend itself or have appropriate continuity plans in place.
Moving these deprecated legacy systems to a more secure platform, like the cloud, is a valid and appealing option. Asset management practices enable us to prioritize what needs to be moved in order to ensure that our highest-priority assets are addressed first. Asset management practices are key ingredients that allow an analysis of the risk and reward of migrating legacy IT to new operating models such as third-party cloud service providers.
workforce development
It is not a secret; there is a shortage of experienced and capable cybersecurity personnel. Some studies indicate that the global workforce shortage will reach almost 2 million by 2022.\6\ Furthermore, Federal agencies face stiff competition from private industry for the limited supply of cyber professionals that do exist. Consequently, organizations need a long-term plan for amplifying their cybersecurity capabilities. Agencies would benefit from an accurate and objective evaluation of their cyber workforce, and with the right methods and technologies, organizations can identify gaps in essential competencies that are unique to their workforce. This allows agencies to make better, targeted, hires as well as continuing education decisions for current employees, resulting in more efficient use of taxpayer dollars. It will take a combination of strategic hiring and developing staff in parallel to meet the need for qualified resources.
Programs like Scholarship for Service,\7\ which provides tuition and stipends to students studying cybersecurity and related fields, represent a vital pipeline of cybersecurity professionals for the Federal Government. Agencies should leverage these options, along with partnerships and training such as the Carnegie Mellon University CISO Executive Certificate Program or incident handling courses, to maximum advantage in their workforce development strategies.
---------------------------------------------------------------------------
\6\ https://iamcybersafe.org/gisws/.
\7\ https://www.sfs.opm.gov/--CMU-SEI is a participating institution.
---------------------------------------------------------------------------
Additionally, we need to make cybersecurity an integrated part of our educational curricula starting with our youngest students. Following the 2007 cyber attacks that crippled dozens of its government and corporate sites, Estonia evolved its approach to cybersecurity to include robust educational programs at all age levels and is now recognized as having the best cybersecurity in Europe.
In 1961 our Nation committed to a dramatic expansion of our space program with a goal of being the first nation to land a human on the moon. Similarly, addressing our cyber risks with the goal of a Federal Government that is resilient against current and future cyber disruptions requires a National initiative to prepare our workforce. It is essential that we commit to research in emerging areas like artificial intelligence, autonomy, and data analytics methods, and the corresponding training, that will advance our cyber risk management practices in the future.
conclusion
Cyber risks are not unlike other risks that organizations face. Constrained by limited resources, we must mitigate cyber risks by addressing both threats and consequences in a balanced way.
The goal is to ensure that we are operationally resilient, preserving the ability to achieve our mission, despite any disruptions, such as cyber attacks. To be resilient requires us to understand and prioritize our assets, including technology, data, facilities, as well as people and processes, so that we can invest in the protection and continuity of the assets most critical to our mission. This is a fundamental concept in operational resilience practices that will enhance Federal cyber risk management capabilities.
Addressing these challenges and the actions listed in the report is even more necessary as we address the integration and risks of cyber physical systems (CPS) in the Federal landscape. Cyber physical systems already exist in manufacturing, health care, automotive systems, and financial services to name a few. These CPS systems were often built with functionality as a goal and cybersecurity as a secondary or tertiary consideration at best. The U.S. military and Federal Government are also integrating CPS in areas like medical devices in VA hospitals, internet of things capabilities in the U.S. Mint, or census collection activities. These capabilities present new attack surfaces for our adversaries and require that we advance our cybersecurity risk management practices with a focus on operational resilience.
Thank you again for the opportunity to participate in this hearing and to discuss how we can better address cyber risks through operational resilience practices.
Mr. Ratcliffe. Thank you, Ms. Fowler. The Chair now recognizes Mr. Schwartz for 5 minutes for his opening statement.
STATEMENT OF ARI SCHWARTZ, MANAGING DIRECTOR OF CYBERSECURITY SERVICES, CYBERSECURITY RISK MANAGEMENT GROUP, VENABLE LLP, TESTIFYING ON BEHALF OF THE CYBERSECURITY COALITION AND CENTER FOR CYBERSECURITY POLICY AND LAW
Mr. Schwartz. Chairman Ratcliffe, Ranking Member Richmond, and Members of the committee, thank you for the opportunity to appear before you today to discuss our views on the Federal Cybersecurity Risk Management. I do so in my role as coordinator of the Cybersecurity Coalition, the leading policy coalition of companies that develop cybersecurity products and services.
These issues before us today are not new. Twelve years ago, I was on an advisory board, the Information Security Privacy Advisory Board that NIST hosts, and at that time the chairman of the Government Reform Committee, Tom Davis, would give grades to Cabinet agencies on how they were doing on cybersecurity. We had before our advisory board the deputy CIO of one agency that had consistently failed for the past 8 years and so I took this time, and this deputy CIO was actually retiring from Government service at that time, so I thought that this was a good opportunity to hear from him directly as to why Government agencies continued to fail. I asked the question, you know, what would it take for you to succeed? He said, ``Well you know, one time many years ago I got a D, right? We got a D and no one paid attention to that at all, so we are better off failing, right? We can get resources if we fail. If we use the resources that we are given, the best we are going to do is a D or a D-minus. So what good is it for us to try and play to the tests and try and pass these tests as opposed to fail, right?''
This was a security expert that knew what he was talking about in the security space but had no incentive to do what Government was pushing him to do. I think those incentives have changed in terms of the policy space but not in terms of the leadership space and not in terms of getting the attention and getting the resources needed to actually fix the problems.
We have seen that the move to risk management I think helps agencies to tailor the test themselves so that it is based more on risk to the particular agency as opposed to the basic checkbox that we used to have, much more so and under the old FISMA guidance before the reform FISMA of 2014 came forward.
OMB suggests in their report that came out in May that the goal should be to empower the CIO. This has been done for years and years and has not succeeded. Instead we should do exactly what Mr. Chairman, you suggested in your opening statement, which is to make sure that we hold the leadership accountable. The Trump administration in their Executive Order says that that is their goal to hold Secretaries and deputy secretaries directly responsible for what happens at the agency in terms of cybersecurity but the CIOs themselves have many, many jobs to do and security is only a small part of what they do. Instead we should move to do what has been happening in the private sector which is to have the CISOs report to the leadership directly themselves and make sure that the CISOs have some ability to influence the policy and make sure that then the leadership when they are asked questions from above that they have the ability to go to the CISO and hear things directly from them.
The question is now, how do we hold that agency leadership accountable and we make it so that there is a reason to pass and to do the right thing in this space? From my experience I would suggest that having the director of OMB responsible for making sure that agency heads are paying attention to this issue as a central mission issue, right? People don't become the Secretary of the Interior or the Secretary of Agriculture or others in order to do cybersecurity, but you still have to make it part of their mission to do so.
That is going to take OMB, that is going to take the White House chief of staff, making these calls and making sure that it is not just an incident that gets the attention of the Secretary but that it is on the radar all the time. You can also do this at the deputy director level with a deputy director of management and making sure that they are the ones making the calls. Of course, Congress in your regular oversight of agencies, when you have those Secretaries and deputy secretaries in front of you, you can ask these questions, at other hearings as well and make sure that they are being held responsible for what is happening at the agencies. Now is the time to make sure that the agencies are being held responsible for their failures and rapidly addressing these known risks.
I thank you again for having me today. I look forward to your questions.
[The prepared statement of Mr. Schwartz follows:]
Statement of Ari Schwartz
July 25, 2018
Chairman Ratcliffe, Ranking Member Richmond, and Members of the committee, I am Ari Schwartz. Thank you for the opportunity to appear before you today to discuss our views on the Federal Cybersecurity Risk Determination Report and Action Plan. I do so in my role as coordinator of the Cybersecurity Coalition, the leading policy coalition of companies that develop cybersecurity products and services.\1\
---------------------------------------------------------------------------
\1\ About the Center for Cybersecurity Policy and Law and the Cybersecurity Coalition: The Center for Cybersecurity Policy and Law is a nonprofit (501(c)(6)) organization that develops, advances, and promotes best practices and educational opportunities among cybersecurity professionals. The Center provides a forum for thought leadership for the benefit of those in the industry including members of civil society and Government entities in the area of cybersecurity and related technology policy.
The Center seeks to leverage the experience of leaders in the field to ensure a robust marketplace for cybersecurity technologies that will encourage professionals, companies, and groups of all sizes to take steps to improve their cybersecurity practices. The Center hosts several initiatives focusing on a range of critical cybersecurity issues, including the Cybersecurity Coalition, Better Identity Coalition, and the Hardware Component Vulnerability Disclosure Project. The Cybersecurity Coalition brings together industry-leading companies to share their expertise and unique perspective on critical policy issues, both in the United States and internationally. The Coalition is focused on several active and critical policy issues that require close alignment and coordination to protect the vital interests of the cybersecurity products industry, including: Promoting responsible vulnerability research and disclosure; promoting effective privacy processes within cybersecurity policy; establishing Government requirements for agency systems; increasing information sharing and threat intelligence; and promoting sound cybersecurity practices in government at all levels. Coalition members include Arbor Networks, AT&T, CA Technologies, Cisco, Citrix, Cybereason, Intel, McAfee, Mozilla, Palo Alto Networks, Rapid7, Red Hat, and Symantec.
---------------------------------------------------------------------------
Over the past decade, the Federal Government has steadily moved away from ``check box compliance'' mandates to a risk management approach to address cybersecurity issues. Major steps in this move have included:
The Cybersecurity Cross Agency Priority (CAP) goals,\2\ which ensured that agencies would receive individualized review of their risk management plans;
---------------------------------------------------------------------------
\2\ See Obama Admin. Archives, Cross-Agency Priority Goal Cybersecurity, available at https://obamaadministration.archives.performance.gov/content/cybersecurity.html.
---------------------------------------------------------------------------
The Federal Information Security Modernization Act of 2014,\3\ which provided authorities to increase risk assessments of agencies;
---------------------------------------------------------------------------
\3\ Pub. L. 113-283.
---------------------------------------------------------------------------
The Cybersecurity National Action Plan, which created a Federal chief information security officer (CISO) at the Office of Management and Budget (OMB); and
Perhaps most notably, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,\4\ which required Federal agencies to utilize the NIST Cybersecurity Framework \5\ to establish a process to manage risk and holds agency heads accountable for doing so.
---------------------------------------------------------------------------
\4\ Executive Order 13800.
\5\ Nat'l Inst. of Standards and Tech., Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (2014).
---------------------------------------------------------------------------
A risk management approach offers each agency the ability to focus on their specific needs and enables them to demonstrate growth in their cybersecurity efforts while taking steps to address the most critical threats to their mission.
OMB's May 2018 Federal Cybersecurity Risk Determination Report and Action Plan shows that, despite some limited progress, agencies have a lot more to do to effectively manage cybersecurity risk. This is not an unexpected result. Agencies are not adequately resourced to manage cybersecurity risk, and do not have proper cross-departmental coordination processes to identify and resolve any barriers to achieving this goal.
The Federal Government has not prioritized cybersecurity risk management and simply changing policies to help agencies measure risk will not change their policies on its own. So what will change agencies' approaches to cybersecurity risk management and drive real improvement? The May 2017 Executive Order had the right idea. It is up to OMB and the President to hold agency leadership accountable to improve.
The OMB Report suggests that chief information officers (CIOs) are not empowered to make the necessary changes and suggests that leadership should empower them to do so. While that is one approach that seems to have worked for some agencies, we would recommend that to really make a change in agencies, senior leadership needs to oversee cybersecurity risk management. In other words, security officers should not be reporting to the CIO, but to the deputy secretary or the Secretary. A similar move has started to take place in private companies where CISOs are no longer reporting to CIOs but to CEOs or COOs or directly to the Board of Directors. This shift in thinking has happened because CEOs and Boards of Directors have felt pressure to improve cybersecurity at companies as the result of countless breaches and incidents that have created real and material risk that simply cannot be ignored or delegated to only the information technology teams.
For this to work in the U.S. Government, the director of OMB, the White House chief of staff, and the President must hold the Secretaries directly accountable for cybersecurity risk management at the agencies. Similarly, the deputy director for management at OMB must hold the deputy secretaries accountable. Congress must adequately resource agencies and hold the leadership at all levels accountable for managing risk through public oversight. Without this accountability, other measures, however well-intended and necessary, will not be able to succeed to the extent needed to secure our Government.
At this point, every agency's leadership has been told that they are responsible for the cybersecurity of their agencies. Agencies have now been measured and have not fared well. Now is the time to hold the agency leadership responsible for failures and to rapidly address these known cybersecurity risks.
Mr. Ratcliffe. Thank you, Mr. Schwartz. I now recognize the gentleman from New York, Mr. Donovan for 5 minutes.
Mr. Donovan. Thank you, Mr. Chairman. Thank you all for sharing your expertise with us but to show you how I lack expertise, I have a VCR back home; it still flashes 12, and you cannot see because you are facing us, but all the young people behind you are now Googling, ``What is a VCR?''
So just so I can understand the problem properly, if we are protecting our gold in Fort Knox and there is only one entrance in there, we have a good chance of making sure anybody who gets through there is a person that ought to get through unless they are disguising themselves as someone else and I guess in your field you would call that just looking like a friendly user to get into a network when you are actually an infiltrator. The difficulty is when you have more than one entrance I guess or if you have secured your entrance but there are other people who have entrances and are not securing it as well as you are, that causes vulnerabilities in Fort Knox and causes vulnerabilities in systems I suspect because it was hard for me to grasp before I joined this committee on like, why cannot we just protect this? If we know, as much as the bad guy, do we anticipate what they are going to do? I think Ms. Fowler you used word resiliency and the Chairman used the word resiliency. Before we have a tragedy or an intruder so could you kind-of like frame the problem for me so I could understand it because I think I have to understand the problem before we could actually come up with or understanding what your suggested solutions are?
Mr. Durbin. OK. Thank you for the question.
It is a complex situation, a lot of it has to do with the diversity of the Federal Government, the diversity of the agencies, how they are organized, some are more flat, some are federated, some have more resources than others do so it is coming up with a common baseline of what is it that we have and what is it that we are trying to protect. I believe that the CDM program in their Phase 1 certainly is trying to fix that situation by doing that definition. Phase 1 the goal is to go out and identify all hardware and software assets because some have made the comment and it is very true, you cannot defend what you cannot see. So now that we are closing in on the end of Phase 1, we will have a much better look at what it is we are trying to defend so that we know, what all those different entry points are that you referred to and then we can work on providing protections against all of those different attack vectors.
The other issues are legacy systems that we have talked about. You have a disparity between different people's products and solutions that they are using for access management or for determining who is qualified, who has privileges to access a certain system and should they have those accesses so a lot of this needs to be discovered and baselined so that we have an understanding of what the problems are and then we can come up with solutions to solve them.
Mr. Donovan. Thank you. Ms. Fowler.
Ms. Fowler. Yes. I am excited to hear you use the word resilience because it really is about resilience. When you use the example of gold that needs to be protected, it is not even just against someone who is trying to steal that gold but when we think about the fact that the gold is housed somewhere, it is in a container could it be impacted by a natural disaster, could someone who is working there make a mistake, and that would also cause us to lose our ability to access or use that gold.
So we really want to look at this from a holistic standpoint of not just trying to figure out what it is that an adversary is trying to do but to understand what it is that is most important to us and how we can ensure that it will not be impacted in any negative way, right? From any sort of disruption. That really even starts before understanding what our assets are and that is related to what we talked about with having leadership have a real skin in this game. It is being able to articulate and communicate what it is that we are trying to achieve from a mission standpoint so you know, organizations like Health and Human Services and Department of Energy have different missions that they need to achieve, they have different services that they are going to provide to achieve those missions, and then the assets that support those services are what we really need to protect.
So it is the identification of the assets that are important to each mission. The way we can use the limited resources that we have best is to be able to articulate our risk appetite against those assets that are in our organizations and make sure that programs like CDM are focused on those. So you know, my way of explaining this to you would be, let us not just look at this in terms of a threat from a cyber attack but a holistic, how do we protect against the impact of any negative consequence?
Ms. Fowler, thank you. Mr. Schwartz.
Mr. Schwartz. You talked about protecting the gold in Fort Knox but that reminds me of a saying that they use in the military about ``protecting diamonds and toothbrushes'' which is, if we were to protect diamonds the same way as we protect our toothbrushes, we would have a lot of toothbrushes and not very many diamonds. That is part of what both Mr. Durbin or Ms. Fowler are discussing here, which is how do we do risk management in this space, in a way where we can identify the assets and then do the risk profile in a way that makes sure that we are protecting that information in the right way that it needs to be protected?
Prior to the NIST framework, the NIST Cybersecurity Framework, which Mr. Durbin mentioned, the Federal Government actually pretty much just had a list of the things you need for every system and did not really take the less important systems or more important systems and kind-of do that balancing test of how should we be protecting this particular system. Now we are moving toward a time when we are doing that kind-of risk management and that is what this OMB report's really about, is how agencies are looking at risk in this space; how are they identifying it, how do they do these different pieces, right? I break the NIST profile into identify, protect, detect, respond, recover, which I break up into two pieces, one is the defense side so the identify and protect, and then the other side detect, respond, recover I think of as a resilience side, as Ms. Fowler has been saying right? So that is the how do you get to do both sides of that and make sure you are doing it the right way for each system and that is the kind of approach that now agencies are taking for the most part but they still have problems in terms of actually putting the protections in place, actually making sure that they are resilient in the way that they need to be even for the most critical systems.
Mr. Donovan. I thank you all again for your expertise. Mr. Chairman, I yield back, which time I don't have any more.
Mr. Ratcliffe. Well, thank the gentleman. The Chair recognizes the Ranking Member, Mr. Richmond--the Chair recognizes my friend and colleague from Rhode Island, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I thank the Ranking Member.
Thank the panel also for their testimony today, the expertise, the insights that you bring to these challenging topics. Let me begin if I could with Mr. Schwartz, you spoke of the need to hold Secretaries, not CISOs accountable for the security of their agencies' networks and I certainly would agree. I remember what happened when Secretary of Defense Ash Carter started taking a deeper interest in this topic and doing a deep-dive requiring weekly reports being given to him and even on the issue of establishing a Bug Bounty Program when he said, ``We are going to make this happen,'' he started telling people and programs to get out of their way and make it happen, it did. So I can see why it is so important to have Secretary buy-in but you know, it seems that for years poor results on FISMA scores have not been enough in other agencies though to motivate action. So my question is what could the administration do to encourage real action to address these continued deficiencies and ensure cybersecurity leadership at the highest levels and again from your perspective why is it so important to have Secretarial buy-in?
Mr. Schwartz. Thank you, Mr. Langevin. Thank you for your continued leadership on these issues too. I think there is a lot in that question in terms of, how do we get leadership to actually focus on this? I do think that the executive--or the Trump Executive Order that came out in May 2017 actually put us in the right place, which is before the Secretaries had all of their goals in place they were told that cybersecurity was a major issue. But it takes staying on top of that to do that. That means holding Cabinet meetings around cybersecurity and the President going around and asking each agency what they are doing, holding up the report card from OMB and asking them, ``What are you doing to do more,'' right? That is what really taking the Executive Order and actually implementing it means in this space.
I realize that there are a lot of other things going on but that is what is going to make a difference in this area, is making sure that the Secretary knows that they are going to be going into a meeting and that they have to prepare for it and the 50 people that follow them around and do every day and do that thing for that day, this is going to be the thing that we are doing today, right? Therefore, everything needs to be in line and we need to get the CISO in front of us so he can give us the answers of what we need----
Mr. Langevin. Yes.
Mr. Schwartz. Right? That is the only way that it is going to change. This is the same thing that is happening in the private sector too, not every company is doing this, those that are, are more successful.
Mr. Langevin. Yes. Yes, I would agree. I mean, if the top people are not paying attention to this then clearly it becomes a secondary priority but the President or the Cabinet Secretaries are the ones that are driving this then clearly everyone's going to stand up, shine the shoes, and get this done the right way.
So, Mr. Schwartz, on another issue, small- and medium-sized businesses have largely resorted to outsourcing not just their IT but also the security of their IT given their limited budgets. In a similar vein the OMB report suggests that shared services are key to addressing risk management issues, yet we have made little progress to that end. So Mr. Schwartz, if you could, what barriers do agencies face in getting to shared or outsourced services and how do we overcome them?
Mr. Schwartz. Yes. The shared services one is a tricky problem for a lot of agencies. Part of it is just the culture of the fact that they have been doing internal security for years and years and they have to move away from that and spend the money on the cloud company doing the protections for them rather than keeping that same security in-house.
The small agencies in particular, those that don't even have a large IT department are never going to be able to have enough security professionals and technology to protect themselves, whereas the cloud companies specialize in that, the managed security services specialize in that so there is a need to move in that way. I think the main challenges that they face are really procurement challenges though because you know, you want to do oversight of the agencies that you are in charge of doing oversight over. If they are turning over a lot of their budget to other agencies in order to run their services, you lose oversight over their IT, right? I understand that from a Congressional point of view but that is how we are going to improve with the small- and medium-size agencies, is by Members of Congress understanding that and being willing to take the risk of saying, ``OK, we understand that you are going in someone else's purview, we are losing some control here.'' But we know, that that agency has security in place and that they have oversight over what they are doing as well, and our information being held by that agency and being overseen by companies in that space that run the managed services in that space is going to be acceptable.
Mr. Langevin. Very good. Thank you for those answers. As you can imagine I have several more but time is expired. So I will yield back. I will have some questions to submit for the record unless we go to a second round. Thank you. Thank you all.
Mr. Ratcliffe. I thank the gentleman. The Chair now recognizes the gentleman from Nebraska, Mr. Bacon for 5 minutes.
Mr. Bacon. Thank you, Mr. Chairman. I appreciate it. Thank you for coming in here and sharing your expertise. I used to work in the cyber offensive side a little bit, cyber intelligence side, and we have some of the best capabilities in the world there but we were also the most vulnerable when it comes to defense and other people cyber attack.
I heard a cyber leader once describe us as living in a big glass house and we had the biggest rocks, not very comforting at times. One of the things that the OMB and DHS report calls for is the consolidation of the Security Operations Centers and instead of each one having their own, consolidating it to one big one. Do you see that as a significant advantage or does having this make everybody equally vulnerable, if you get into one, you get in everybody? So I would like to have your thoughts on that. Thank you.
Mr. Durbin. Yes. Thanks for the question. So having a SOC for the sake of having a SOC may not be the best strategy. It comes down to your ability to stand up a SOC that has the right tools and capabilities to accomplish what it is you are trying to do. So if you are in a position where it would be better for you to merge with somebody else's SOC that has proven technologies and has the access capability, that might be the better way to go so I agree with the recommendation of the report, the consolidation of SOCs will improve some efficiencies.
Mr. Bacon. So it gives the best capabilities available for everybody----
Mr. Durbin. Exactly. Yes. Now----
Mr. Bacon. It standardizes the best----
Mr. Durbin. Yes.
Mr. Bacon. OK.
Mr. Durbin. Yes and of course you need to make sure that you consolidate to a SOC that does have the excess capacity and that does have the tools in place----
Mr. Bacon. Right.
Mr. Durbin. That are going to accomplish the mission. This recommendation was also made around the idea of improving the ability to detect data exfiltration and simply consolidating SOCs may not accomplish that. You know, the SOC has to have the right tools and to be able to discover where the data lives and tag that data as sensitive so that you can then monitor----
Mr. Bacon. But by consolidating we can invest in that one and make sure that we have the best capabilities----
Mr. Durbin. Exactly.
Mr. Bacon. I would say, but would you all just agree? Mr.
Schwartz. Agreed.
Mr. Bacon. OK.
Ms. Fowler. Yes.
Mr. Bacon. Are we doing better, Mr. Schwartz, when it comes to sharing intel data because we don't have a lot of silos? I mean, you touched on this with Mr. Langevin a little bit but are we doing better, making progress?
Mr. Schwartz. There is some progress there. I think a lot of the private sector is still really frustrated. A lot of it comes down to getting security clearances and the right people getting the information so I still hear a lot of frustration. I think internally inside the Government it has gotten a lot better though----
Mr. Bacon. It seems to be having a combined security operation center allows you to share that data faster because you can see where there is infiltration or exfiltration. I had just a question, Mr. Durbin, because this fascinates me. Evidently, you have talked about a group, well, let me just read it here, ``Symantec has engaged regarding a new attack group known as `Thrip','' and the ways in which they are living off the land in order to get info systems,'' can you talk about this new threat and living off the land, what does that mean and what kind of a cyber threat is this?
Mr. Durbin. So living off the land is how we are describing a technique where if an attack group creates a complex sophisticated piece of malware that they use to infiltrate a system, it is going to be relatively easier to detect that because we haven't seen it before, it doesn't look right, it raises a flag so if an attack group can utilize a network administration tool that administrators commonly use to scan networks to see what they have and somebody sees that activity inside the network it is not going to raise a flag----
Mr. Bacon. It's camouflaged?
Mr. Durbin. Yes, they could say, OK, well somebody's just scanning the network because that is part of what they do----
Mr. Bacon. Right.
Mr. Durbin.
So that--and that is just one example using PowerShell scripts and things, is just ways to mask their abilities so it is not as easy to detect.
Mr. Bacon. It makes sense. One last question, I know, the Russians use a lot of phishing techniques, that is how they entered the DNC server. It seems to me that makes us the most vulnerable, is that technique. What can we do to better defend against these phishing techniques that are going on? I will just open up to whoever feels like they have the best answer.
Ms. Fowler. Go ahead.
Mr. Schwartz. I would say getting better identity management is really the key to the phishing techniques. I mean, right now, a lot of times we still rely on username, passwords, and moving toward techniques that move beyond that. They talk about that a bit in the report that there has been a move toward use of cards sort-of which I think does help to some degree inside the Government but it is really about the credential and whether you can secure that credential.
Ms. Fowler. We absolutely do see phishing as one of the most common vectors for having attacks occur. A couple of things that we need to do. One is training although we know, that no matter how much we train people over and over it takes just one person to hit the link and cause the issue to occur so thinking about advances in terms of automation and analytics and the things that we are doing in the areas of Machine Learning. So this is going to take us advancing past our adversaries' capabilities and investing in the research that will get us there.
Mr. Bacon. Thank you, Mr. Chairman.
Mr. Ratcliffe. The Chair now recognizes my friend from Louisiana, Mr. Richmond.
Mr. Richmond. Thank you, Mr. Chairman.
I think you touched on it a little bit but from my perspective, when it comes to Federal network security I see at least two systematic problems but they stem directly from the White House, one of which is the tendency to undercut or diminish the role of authority figures, eliminating the cybersecurity coordinator is a good example. Second, it is taking far too long to fill senior positions like chief information officers and at the end of last year nearly one-third of the agencies were still operating without a permanent CIO and the Federal CIO was not named until January and the Federal CISO was selected just last week. How important are strong, clear leadership structures when it comes to cybersecurity, particularly for an agency trying to instill a culture of risk awareness? I know, Mr. Schwartz, you mentioned having a chief executive that will hold people's feet to the fire, the question becomes can that be delegated and without a cybersecurity coordinator, where do we find ourselves? So anyone can answer that, let us start with Mr. Schwartz.
Mr. Schwartz. Yes. I have always felt that the cybersecurity coordinator should be, I mean, it should be brought up to be a deputy level. There was a commission, the Obama Commission that was preparing for the next President, suggested that it be raised to an assistant to the President but I actually think it makes sense to have it at the deputy level particularly for the reason of being able to call out deputy secretaries on these kinds of issues and make sure that they are held accountable. Getting rid of that position totally I think is a step backward from being able to do that. I mean, you can have a deputy play that role but they are going to have 90 other jobs, right?
So how much time can they actually spend calling up deputies and asking them how they are doing on cybersecurity or if you are supposed to be having someone dedicated toward just doing, offensive capabilities, defensive capabilities inside the Government as well as critical infrastructure protection too but having this one piece be part of their job as a deputy at the level of deputies I think makes a lot of sense. So again, I think that they took a major step backward by getting rid of the position totally rather than elevating it the way they should have.
Ms. Fowler. I agree that governance and leadership are the most critical first step in establishing good cyber risk management practices. It is also a matter of making sure that the work force itself who is in those positions are trained in these areas and understand how to manage cyber risk like other risks are managed. We often look at cybersecurity as something that is special or not understood and really, we need to manage cyber risk like we manage other risks inside of the organization and that is a matter of using those limited resources in the best way possible. So the leaders that we do put in place, it is incumbent that they set that risk appetite and understand what the tolerance ranges are for that organization and communicate those to the work force. The work force is doing the absolute best that they can to do all of the right technical things, it is just ensuring that they are provided the guidance that it is going in the right step so the governance aspect of this is that most important first step.
Mr. Durbin. I would just simply add that no matter what cybersecurity program you are trying to set up, it is key to get buy-in from all levels of the organization and that is no different with the Federal Government.
Mr. Richmond.
Let me ask this because I think that it also came up but the Federal Government's always lagging behind the times and we are about 10 years back from where we should be in terms of our cybersecurity. How can Congress empower or provide the resources for our Federal agencies to actually be proactive and better prepared for the future and then anticipate the risk as opposed to always being on the back end?
Ms. Fowler. So I will speak to that in terms of what I think is required for us as a Nation to move forward and you will see in the written testimony, I think this requires a National initiative to address cybersecurity as a need across all sectors. You know, in 1961 we made this goal to put a human being on the Moon and that sparked interest in a whole lot of different science and technology that was developed. We need to have a similar initiative which goes down into our education levels at all levels starting very early which makes this a part of every level of education so that the work force in the future is prepared for this. We saw this with Estonia when Estonia experienced their crippling attacks, that Government decided to really put the initiative forward to educate across all levels of their citizenship and now, they are recognized maybe arguably but as the No. 1 in cybersecurity in all of Europe. I see that we need to put forth an educational initiative that will prepare our work force for this in the future.
Mr. Richmond. Thank you. Thank you. I see that my time has expired so I will just yield back.
Mr. Ratcliffe. Yes. Let me give you all--first of all, the Chair recognizes himself for questions. Ms. Fowler, I very much appreciated your remarks there and I agree.
I have talked about a cyber moonshot and identifying an approach that will address some of the concerns that you related and if you believe as I do that cybersecurity risks present perhaps our greatest National security threat right now and going forward then we need to have some sort of a cyber moonshot to address those threats. But I want to give each of the witnesses a chance to weigh in on the Ranking Member's very good question, one that I had as well. So Mr. Durbin.
Mr. Durbin. If you were to take a look at the original CDM documents 5 years ago and look at the projections of where they thought they would be by now, we would be in much better shape. There are reasons why we are not there yet. Phase 1 is a critical phase, it builds the foundation. We basically had told the agencies let us know, give us an inventory of all of your assets so that we can then turn around and provide you with a tool that is going to give you an accurate inventory count. So there was no shock when after Phase 1 was deployed and that tool was turned on, the number of assets in the agencies was found to be severely under-reported. That is a good thing. It is a good thing that we now have visibility into what it is we are trying to protect so that took more time than they originally thought. So if we were to accelerate the other phases and let us get to the point where we can automate the authority to operate process, every 72 hours we are doing a scan, so an organization knows you know, am I able to operate, do I have some deficiencies that need to be repaired in kind-of real-time, I think that would put us in a much better position. They did add Data Protection as a Phase 4. I applaud them for that but that is what the bad guys are after. They are after the data so while we are trying to figure everything else out, let us protect the data, let us lock that down.
Mr. Ratcliffe. Perfect. Thank you. Mr. Schwartz.
Mr. Schwartz. Thank you, Mr. Chairman.
This you know, responding directly to your comments on this issue about the cyber moonshot and the threat that comes from cyber and the space compared to other threats. I mean, look at what we have done on terrorism, right? We have done a pretty good job in terms of trying to resource-out how we protect this country from terrorism but we have been told for the past 7 years that cyber is overtaking terrorism as the most major threat to this country and we are not getting the resources to cyber that we have for terrorism. So I am not sure that that is a moonshot or what you call it but there is this question of paying as much attention to this problem as to address it in the way that we think of it as the size problem that it actually is. That is why I focus on you have to have Cabinet-level meetings in order to do that, you have to put the resources toward it that are commensurate with it and we are not doing that now, so we cannot expect to get the results particularly at small agencies in order to protect themselves when we are not helping them out to do that.
Mr. Ratcliffe. Terrific. Thank you. As I mentioned in my opening, the OMB and DHS report that I think the specific number was 71 of 96 Federal agencies have cybersecurity programs that are either at risk or at high risk and a statistic that really jumped out at me as being particularly disturbing and I am wondering if the number surprised you as you read that and whether it does or not. When we talk about reversing the trend there, I mean, I mentioned CDM as a solution there but I want to make sure that we are talking about all the potential solutions to reversing that trend and give you all the chance to weigh in on making those points.
Mr. Durbin. So I guess the percentage did not surprise me all that much given the fact that CDM is behind and that some of the recommendations made in last year's Executive Order are just now starting to take hold so again it did not surprise me.
I do see CDM as a way to fix a lot of what is in that report instead of creating a new program, let us utilize what is already there and let us improve it, let us empower it so that we can target those specific issues and bring that percentage down as quickly as possible.
Mr. Ratcliffe. Terrific. Thank you.
Ms. Fowler. I would agree that the 71 is not surprising. It is also consistent with what we have seen through our work with DHS, what the SEI has done with DHS in looking at the private sector with the owners and operators of critical infrastructure. I would say that CDM in accelerating that program will be help in terms of giving us visibility into what our capabilities are. Again, I do want to see us move toward an operational resilience approach where even before we start thinking about what it is in terms of a threat actor that we need to worry about that we think about the most critical assets inside of each organization.
Mr. Ratcliffe. So can I stop you there Ms.----
Ms. Fowler. Sure.
Mr. Ratcliffe [continuing]. Fowler because you talk about that in terms of the resilience factor. Are there key metrics that we can be looking at to determine how effective we are being in terms of making progress on resilience?
Ms. Fowler. Absolutely. We do have something called the ``Cyber Resilience Review'' which is a set of questions that look across 10 domains of cybersecurity and that can help give a maturity measure of how you are doing in terms of the completeness of the practices and also the institutionalization or sophistication of the practices that you have in place. The third element of that is something that you yourself mentioned sir, which is efficacy of practice and that is something that has been a concern and continues to be a concern back at the SEI because we can be doing a lot of things very well and they might not be the right things to do.
Much like we do in the medical industry, we set up very scientifically rigorous tests and we do a lot of data analysis behind whether or not those tests work in very specific ways. We don't have a lot of those practices occurring in cybersecurity to say, ``Does this control actually do what we want it to do in the face of this threat?'' That is something that I think that the Government could invest research in to make sure that the efficacy of the practices is as good as the completeness of the practices.
Mr. Ratcliffe. Great point. Thank you. Mr. Schwartz, I will give you the last word.
Mr. Schwartz. Sure. So I mean, I addressed this in my oral testimony but just to take it a little bit further. I mean, what do we do with agencies that are a high risk? Do we spend more money there? Do you give them more money to continue to fail? Do you fire people? So they have less people there to do the job that they need to do. I think each agency is a sort-of its own case and what we need to do is give people a reason to succeed and make sure that the leadership understands what they need to do to succeed. Sometimes there are a lot of barriers in the way to success, OK, then you have got to tackle this one at a time and get the right people from the entire agency in order to do that and to address those one at a time but it involves digging in, in each of those agencies and figuring out what the right path to success is. It is part of what risk management is but it is also just management at an agency at this point.
Mr. Ratcliffe. Well I want to thank all of our witnesses. This has been incredibly insightful and valuable for all of us. Thank you all for being here today. I also want to thank the Members of the committee for their questions and remind them that they can submit additional questions for the witnesses and it sounds like at least one of the Members will and we will ask the witnesses to respond to those in writing.
Pursuant to Committee Rule VII(D), the hearing record will be held open for a period of 10 days. Without objection, the subcommittee stands adjourned.
[Whereupon, at 11:40 a.m., the subcommittee was adjourned.]

A P P E N D I X
----------

Questions From Honorable Jim Langevin for Summer Fowler

Question 1. You spoke in your testimony about the importance of understanding the potential effect of realized cyber threats. The 2015 OPM breach exposed a gap in OPM's understanding of the damage that could result from the loss of security clearance records--a risk more consequential to other Federal agencies. What can the administration do to address cyber risk management holistically, rather than agency by agency?

Answer. The Federal Government is an enterprise comprising departments and agencies with specific objectives and missions that support the larger Federal objective of serving the public. Addressing cyber risks at this level requires an enterprise risk management (ERM) approach. Carnegie Mellon University's Software Engineering Institute developed an ERM process that is targeted at not only managing risks but at ensuring organizational and mission resilience. Organizational resilience is the ability for a department or agency to achieve its mission before, during, and after a disruptive event (such as a cyber attack) and to return to normal operations as soon as possible. Our 10-step ERM process is shown in Figure 1.

[Figure 1: Ensuring organizational resilience via ERM (graphic not available)]

The process must begin by establishing governance, risk appetite, and risk tolerance ranges. This should be done at the top levels of the Federal Government and communicated down to all departments and agencies so that they have an understanding of targets/goals for their cybersecurity programs. This can be daunting at the enterprise level, but it is a best practice that large private companies use to ensure alignment of cybersecurity activities to overall business objectives.
While the cyber risks will still be owned and managed at the department/agency level, this also provides a standardized way for cross-agency dependencies and risks (e.g., risk of OPM data breach to other agencies) to be communicated and managed. Enterprise risk management addresses cyber risks holistically by first focusing on mission objectives, critical assets, and requirements before leaping to technical solutions. This process also provides a structured way to develop measures and metrics to monitor performance of cybersecurity and cyber risk management practices at an enterprise level.

Unfortunately, if we were to comprehensively answer the question of cyber risk management, detailing each step, our response would likely be too long to be appropriate for this forum. However, both the CERT Resilience Management Model (CERT-RMM) handbook \1\ and ``The 3 Pillars of Enterprise Cyber Risk Management,''\2\ from the Insider Threat Blog, are readily available on-line. Additionally, the SEI is more than happy to schedule discussions with Rep. Langevin and his staff. This invitation is of course extended to any Member and his/her staff.
---------------------------------------------------------------------------
\1\ https://resources.sei.cmu.edu/asset_files/Handbook/2016_002_001_514462.pdf.
\2\ https://insights.sei.cmu.edu/insider-threat/2017/11/the-3-pillars-of-enterprise-cyber-risk-management.html.
---------------------------------------------------------------------------

Question 2. One continuing challenge with prioritizing Federal expenditures on cybersecurity controls is the lack of viable metrics for assessing the effectiveness of those controls in reducing cybersecurity risks. What are the obstacles to closing that gap so that we can measure the relative value of various cybersecurity controls? How is SEI working to overcome those obstacles?

Answer. Thank you for recognizing and articulating this challenge.
Although cybersecurity is viewed as a technically advanced field of study, we are still in our infancy when it comes to measuring efficacy of capabilities. Other scientific fields such as medicine perform rigorous studies following the scientific method with a hypothesis and control groups to determine the efficacy of capabilities. In cybersecurity, we are still relying on subject-matter expertise and compliance as our primary tools for ``measuring'' capabilities. The challenge in applying the scientific method is that in any given instance of measuring a cybersecurity capability, there are several factors to consider:
1. The operating environment and its configuration (e.g., a computer server).
2. The cybersecurity control being applied and its configuration (e.g., a firewall).
3. Potential threat(s) and/or threat actor(s) (e.g., criminal hacker).
Each of these factors has multiple possible states that must be tested. This means that testing the NIST 800-53 controls, for example, would require tens of thousands of test cases to account for the various operating environments, control configurations, and potential threats. I have written more about measuring cybersecurity performance in the CERT blog ``Cybersecurity Performance: 8 Indicators.''\3\
---------------------------------------------------------------------------
\3\ https://insights.sei.cmu.edu/insider-threat/2018/03/cybersecurity-performance-8-indicators.html.
---------------------------------------------------------------------------
Carnegie Mellon University's Software Engineering Institute is investing a portion of its Congressional Line Item research funding to develop and validate a methodology for measuring the efficacy of a cybersecurity practice. If successful, the community will have a new methodology for measuring the cybersecurity of a system and be able to rank order the importance of the controls needed to protect it.
This is a nascent concept and will require additional investment into research and transition into practice, but it is an important step in making scientifically valid improvements in cybersecurity. Future work will use emerging artificial intelligence concepts to automate the methodology and simplify the process.

Questions From Honorable Jim Langevin for Ari Schwartz

Question 1. Having served on the National Security Council, can you speak to the cross-agency issues that are likely to emerge without a Cybersecurity Coordinator at the White House?

Answer. In 2008, a Center for Strategic and International Studies (CSIS) bi-partisan Commission led by Chairman McCaul and Representative Langevin called for:
``An assistant to the President for cyberspace, who directs and is supported by a new office in the EOP--the National Office of Cyberspace. This office would be small (10 to 20 people) and would provide programmatic oversight for the many programs that involve multiple agencies . . .
``Because cybersecurity requires coordination of activities across agencies, the White House is the best place to locate this function. It alone has the authority to ensure coordination. The most appropriate place in the White House is the NSC.''\4\
---------------------------------------------------------------------------
\4\ ``Securing Cyberspace for the 44th Presidency: A Report by the CSIS Commission on Cybersecurity for the 44th President'' December 2008 https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/media/csis/pubs/081208_securingcyberspace_44.pdf. See page 36.
When the Obama administration took office, it created a cyber policy office in the NSC and put a special assistant to the President in charge of this office with the title, White House Cybersecurity Coordinator, reporting to the assistant to the President for Homeland Security and Counterterrorism.\5\ At the time, several commentators suggested that this role was ranked too low in the NSC structure given the current and anticipated importance of cybersecurity for the Nation. Nevertheless, this office grew to 10 to 15 people and became an effective structure to coordinate and provide oversight and direction for a wide range of programs and initiatives involving multiple agencies. The office also became a focal point for interaction with the private sector on high-level issues of policy and National security.
---------------------------------------------------------------------------
\5\ In my time at the White House, it was explained to me that for the NSC: An assistant to the President is the Presidential Commissioned Officer that could run meetings at the level of an agency head or Secretary; a deputy assistant to the President could run coordination meetings at deputy secretary; and a special assistant to the President could run meetings at under secretary or assistant secretary. There were exceptions to this rule but it gives a sense of overall hierarchy in relation to the rest of the Executive branch.
---------------------------------------------------------------------------
Listing all of the successes of the cyber office since its inception would be a considerable effort, but during my 2 1/2 years at NSC Cyber under the leadership of then-Cybersecurity Coordinator Michael Daniel, we coordinated a number of important policies and actions:
Creation and promotion of the NIST Cybersecurity Framework;
Creation of the Cyber Threat Intelligence Integration Center;
The Executive Order on Cyber Sanctions;
Development of a working Vulnerabilities Equities Process;
Creation of a standards body for Information Sharing and Analysis Organizations;
The remediation of the Heartbleed vulnerability and greatly increased speed in patching critical vulnerabilities in Government agencies;
Agreement with the Chinese government on norms related to corporate espionage through cyber means;
Agreement among agencies on roles in cyber incident response;
Implementation of U.S. Cyber Operations Plan (PPD-20), which was drafted by NSC Cyber prior to my arrival;
Reconstituting the interagency Cyber Response Group (CRG);
Working with Congress to draft the Cybersecurity Information Sharing Act (CISA), which passed and had implementation coordinated by NSC Cyber after my departure; and
Sponsoring the successful White House Cybersecurity Summit at Stanford University in February 2015, where companies pledged to move forward on several important joint cybersecurity projects with Government.

While the cybersecurity policy coordination in the U.S. Government is by no means perfect, it improved demonstrably from where it was when the CSIS Commission first made its recommendation. In fact, in 2016 the bi-partisan President's Commission on Enhancing National Cybersecurity \6\ again recommended that the President elevate the current position of Cybersecurity Coordinator to an assistant to the President. The report explains that the position should have responsibility for bringing together the Federal Government's efforts to protect its own systems and data and to secure the larger digital economy, as well as for informing and coordinating with the director of the Office of Management and Budget on efforts by the Federal chief information officer and chief information security officer in order to secure Federal agencies.
---------------------------------------------------------------------------
\6\ https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf.
---------------------------------------------------------------------------
In general, I agree with both commissions that the special assistant role was too low level to be as effective as possible. However, instead of raising the level to an assistant to the President, I would split the difference and suggest that the cyber coordinator be a deputy assistant to the President. This would allow the NSC to work closely with the deputy secretaries to make cybersecurity a lead issue for every Cabinet agency and better create areas of consensus around important new cyber policy, while still providing the ability to raise major policy issues to a higher level when disagreement occurs.

The current administration has decided against all of these approaches. It has demoted the role of NSC Cyber by not replacing the cybersecurity coordinator and removed the related commissioned officer position entirely. It also has demoted the Homeland Security and Counterterrorism advisor to a deputy. While this may still provide a tenuous hold onto the increased coordination among agencies that was so hard-earned over the last decade, I am concerned that eventually this coordination will decline and the result will be a de-prioritization of cybersecurity as a National security issue. Either there will be a cybersecurity incident that causes confusion among agencies, or the old rivalries and petty squabbles among agencies will return at a time when the White House leadership is not able to organize and offer a consensus path forward. I find the decision to demote the NSC Cyber particularly frustrating because at the beginning of this administration there seemed to be the possibility that greater progress could be made toward increased coordination.

Question 2.
Having been intimately involved with a very successful cybersecurity Executive Order, EO 13636, and the NIST Cybersecurity Framework that came out of it, what is your impression of how agencies are making use of the CSF now that they are mandated to?

Answer. The NIST Cybersecurity Framework (``CSF'') was designed to provide standards, guidelines, and best practices to help entities manage cybersecurity-related risk. Conversely, the CSF was not designed to provide a prescriptive set of requirements that must be satisfied in order to achieve a desired outcome. This risk-management approach can be distinguished from the checklist-oriented compliance style that many agencies have historically relied upon.

Following the implementation of EO 13636, which created the CSF with a focus on critical infrastructure organizations, it has been encouraging to see that the current administration required agency use of the CSF with EO 13800. Agencies are clearly adapting to the risk-management approach and incorporating it into agency practices. However, risk management as an approach must permeate beyond the IT departments and must have buy-in more broadly among other parts of Government in order for the CSF to have the desired impact. In particular, the inspectors general (IGs) must begin to understand how to audit properly to a risk-based approach. Too often the IGs seem to want to return to the checklist of cybersecurity controls. Under a risk-based approach like those encouraged under the CSF, an auditor must not only make a determination if the organization is implementing controls, but if the organization is prioritizing the implementation of controls properly. To be fair, measuring a risk-based approach to cybersecurity management is more challenging than simply running through a list of things to determine whether they are being done or not. However, we should not allow that challenge to deter progress.

Risk-based management is a well-understood approach, and is used extensively by the most sophisticated organizations in both the public and private sectors, with demonstrable results.
MEMBERNAME | BIOGUIDEID | GPOID | CHAMBER | PARTY | ROLE | STATE | CONGRESS | AUTHORITYID |
---|---|---|---|---|---|---|---|---|
Smith, Lamar | S000583 | 8177 | H | R | COMMMEMBER | TX | 115 | 1075 |
Thompson, Bennie G. | T000193 | 8020 | H | D | COMMMEMBER | MS | 115 | 1151 |
Langevin, James R. | L000559 | 8140 | H | D | COMMMEMBER | RI | 115 | 1668 |
Rogers, Mike D. | R000575 | 7788 | H | R | COMMMEMBER | AL | 115 | 1704 |
McCaul, Michael T. | M001157 | 8166 | H | R | COMMMEMBER | TX | 115 | 1804 |
Richmond, Cedric L. | R000588 | 7960 | H | D | COMMMEMBER | LA | 115 | 2023 |
Keating, William R. | K000375 | 7975 | H | D | COMMMEMBER | MA | 115 | 2025 |
Barletta, Lou | B001269 | 8129 | H | R | COMMMEMBER | PA | 115 | 2054 |
Payne, Donald M., Jr. | P000604 | 8373 | H | D | COMMMEMBER | NJ | 115 | 2097 |
Perry, Scott | P000605 | | H | R | COMMMEMBER | PA | 115 | 2157 |
Vela, Filemon | V000132 | | H | D | COMMMEMBER | TX | 115 | 2167 |
McSally, Martha | M001197 | | H | R | COMMMEMBER | AZ | 115 | 2225 |
Watson Coleman, Bonnie | W000822 | | H | D | COMMMEMBER | NJ | 115 | 2259 |
Rice, Kathleen M. | R000602 | | H | D | COMMMEMBER | NY | 115 | 2262 |
Katko, John | K000386 | | H | R | COMMMEMBER | NY | 115 | 2264 |
Ratcliffe, John | R000601 | | H | R | COMMMEMBER | TX | 115 | 2268 |
Hurd, Will | H001073 | | H | R | COMMMEMBER | TX | 115 | 2269 |
Donovan, Daniel M., Jr. | D000625 | | H | R | COMMMEMBER | NY | 115 | 2293 |
Barragan, Nanette Diaz | B001300 | | H | D | COMMMEMBER | CA | 115 | 2311 |
Demings, Val Butler | D000627 | | H | D | COMMMEMBER | FL | 115 | 2320 |
Higgins, Clay | H001077 | | H | R | COMMMEMBER | LA | 115 | 2329 |
Bacon, Don | B001298 | | H | R | COMMMEMBER | NE | 115 | 2337 |
Fitzpatrick, Brian K. | F000466 | | H | R | COMMMEMBER | PA | 115 | 2345 |
Garrett, Thomas A., Jr. | G000580 | | H | R | COMMMEMBER | VA | 115 | 2353 |
Gallagher, Mike | G000579 | | H | R | COMMMEMBER | WI | 115 | 2355 |
Estes, Ron | E000298 | | H | R | COMMMEMBER | KS | 115 | 2358 |
Lesko, Debbie | L000589 | | H | R | COMMMEMBER | AZ | 115 | 2368 |
Jackson Lee, Sheila | J000032 | 8174 | H | D | COMMMEMBER | TX | 115 | 588 |
King, Peter T. | K000210 | 8064 | H | R | COMMMEMBER | NY | 115 | 635 |