<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>Cyber Security Market</title>
	<atom:link href="http://www.cybersecuritymarket.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecuritymarket.com</link>
	<description>Cyber Security Technologies &#38; Markets</description>
	<pubDate>Mon, 02 Aug 2010 20:20:56 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>U.S. Challenges in Addressing Global Cybersecurity and Governance</title>
		<link>http://www.cybersecuritymarket.com/2010/08/02/us-challenges-in-addressing-global-cybersecurity-and-governance/</link>
		<comments>http://www.cybersecuritymarket.com/2010/08/02/us-challenges-in-addressing-global-cybersecurity-and-governance/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 20:20:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Cybersecurity Governance]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=293</guid>
		<description><![CDATA[Recent foreign-based intrusions on the computer systems of U.S. federal agencies and commercial companies highlight the vulnerabilities of the interconnected networks that comprise the Internet, as well as the need to adequately address the global security and governance of cyberspace. Federal law and policy give a number of federal entities responsibilities for representing U.S. cyberspace [...]]]></description>
			<content:encoded><![CDATA[<p>Recent foreign-based intrusions on the computer systems of U.S. federal agencies and commercial companies highlight the vulnerabilities of the interconnected networks that comprise the Internet, as well as the need to adequately address the global security and governance of cyberspace. Federal law and policy give a number of federal entities responsibilities for representing U.S. cyberspace interests abroad, in collaboration with the private sector. More recently, the President appointed a national Cybersecurity Coordinator charged with improving the nation’s cybersecurity leadership. GAO was asked to identify (1) significant entities and efforts addressing global cyberspace security and governance issues, (2) U.S. entities responsible for addressing these issues and the extent of their involvement at the international level, and (3) challenges to effective U.S. involvement in global cyberspace security and governance efforts. To do this, GAO analyzed policies, reports, and other documents and interviewed U.S. government and international officials and experts from over 30 organizations.</p>
<p>There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation. For example, the International Organization for Standardization is a nongovernmental organization that develops and publishes international standards, including those related to cybersecurity, through a consensus-based process involving a network of the national standards bodies of 162 countries. A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings. The global aspects of cyberspace present key challenges to U.S. policy. Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace. GAO recommends that the national Cybersecurity Coordinator address challenges including developing a comprehensive national global cyberspace strategy. 
The national Cybersecurity Coordinator and his staff generally concurred with the recommendations and stated that actions are already being taken.</p>
<p><a href="http://www.cybersecuritymarket.com/wp-content/uploads/2010/08/cybersecurity-d10606.pdf">Click here to read a full copy of the GAO report.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/08/02/us-challenges-in-addressing-global-cybersecurity-and-governance/feed/</wfw:commentRss>
		</item>
		<item>
		<title>European Conference on Computer Network Defense, October 28-29, 2010, Berlin, Germany</title>
		<link>http://www.cybersecuritymarket.com/2010/07/27/european-conference-on-computer-network-defense-october-28-29-2010-berlin-germany/</link>
		<comments>http://www.cybersecuritymarket.com/2010/07/27/european-conference-on-computer-network-defense-october-28-29-2010-berlin-germany/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 05:58:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Cyber Security Conferences]]></category>

		<category><![CDATA[Computer Network Defense]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=291</guid>
		<description><![CDATA[The sixth European Conference on Computer Network Defense (EC2ND) will be held October 28-29, 2010, at the Faculty of Electrical Engineering and Computer Science at Berlin Institute of Technology (TU Berlin). The conference brings together researchers from academia and industry within Europe and beyond to present and discuss current topics in applied network and [...]]]></description>
			<content:encoded><![CDATA[<p>The sixth <a href="http://2010.ec2nd.org/">European Conference on Computer Network Defense (EC2ND)</a> will be held October 28-29, 2010, at the Faculty of Electrical Engineering and Computer Science at Berlin Institute of Technology (TU Berlin). The conference brings together researchers from academia and industry within Europe and beyond to present and discuss current topics in applied network and systems security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/07/27/european-conference-on-computer-network-defense-october-28-29-2010-berlin-germany/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Boeing Acquires Cyber Security Company Narus</title>
		<link>http://www.cybersecuritymarket.com/2010/07/09/boeing-acquires-cyber-security-company-narus/</link>
		<comments>http://www.cybersecuritymarket.com/2010/07/09/boeing-acquires-cyber-security-company-narus/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 09:13:24 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[cyber security mergers and acquisitions]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=289</guid>
		<description><![CDATA[Boeing announced the acquisition of Narus, a leading provider of real-time network traffic and analytics software used to protect against cyber attacks and persistent threats aimed at large Internet Protocol networks. The acquisition follows a successful partnership between the two companies and advances Boeing&#8217;s strategy to offer world-class, scalable, state-of-the-art cybersecurity solutions. 
Narus employs approximately 150 [...]]]></description>
			<content:encoded><![CDATA[<p>Boeing announced the acquisition of Narus, a leading provider of real-time network traffic and analytics software used to protect against cyber attacks and persistent threats aimed at large Internet Protocol networks. The acquisition follows a successful partnership between the two companies and advances Boeing&#8217;s strategy to offer world-class, scalable, state-of-the-art cybersecurity solutions. </p>
<p>Narus employs approximately 150 people globally; its headquarters are in Sunnyvale, Calif. Once acquired, Narus will operate within Boeing&#8217;s Network &#038; Space Systems business as a wholly owned subsidiary. In addition to supporting cyber activities within Network &#038; Space Systems, Narus&#8217; network-centric technology also will be applied to Boeing&#8217;s smart grid energy work, the secure networking of Boeing&#8217;s ground, air and space products, and the defense of the Boeing network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/07/09/boeing-acquires-cyber-security-company-narus/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Cubic Defense Applications Inc. Acquires Cyber Security Company</title>
		<link>http://www.cybersecuritymarket.com/2010/06/26/cubic-defense-applications-inc-acquires-cyber-security-company/</link>
		<comments>http://www.cybersecuritymarket.com/2010/06/26/cubic-defense-applications-inc-acquires-cyber-security-company/#comments</comments>
		<pubDate>Sat, 26 Jun 2010 20:21:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[cyber security acquisition]]></category>

		<category><![CDATA[cyber security merger]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=287</guid>
		<description><![CDATA[Cubic Defense Applications Inc., a subsidiary of Cubic Corporation, acquired Safe Harbor Holdings, Inc., a provider of custom cyber security hardware and software solutions. The acquisition of Safe Harbor Holdings is the first step in Cubic&#8217;s strategic cyber initiative to expand the company&#8217;s presence in the rapidly growing cyber security market.
Safe Harbor specializes in cyber security [...]]]></description>
			<content:encoded><![CDATA[<p>Cubic Defense Applications Inc., a subsidiary of <a href="http://www.cubic.com">Cubic Corporation</a>, acquired Safe Harbor Holdings, Inc., a provider of custom cyber security hardware and software solutions. The acquisition of Safe Harbor Holdings is the first step in Cubic&#8217;s strategic cyber initiative to expand the company&#8217;s presence in the rapidly growing cyber security market.</p>
<p>Safe Harbor specializes in cyber security and networking infrastructure solutions, including systems design, cross-domain product development and deployment, enterprise network architecture and engineering, access controls, and common cross-domain framework solutions comprised of multilevel controlled interfaces. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/06/26/cubic-defense-applications-inc-acquires-cyber-security-company/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Statement for Chairman Joseph Lieberman</title>
		<link>http://www.cybersecuritymarket.com/2010/06/16/statement-for-chairman-joseph-lieberman/</link>
		<comments>http://www.cybersecuritymarket.com/2010/06/16/statement-for-chairman-joseph-lieberman/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 05:30:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Cybersecurity Bill]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=280</guid>
		<description><![CDATA[Opening Statement for Chairman Joseph Lieberman “Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century”, Homeland Security and Governmental Affairs Committee, June 15, 2010
The hearing will come to order. Good afternoon and thanks for being here today. Today, we’re going to take a closer look at legislation Senators Collins, Carper and I [...]]]></description>
			<content:encoded><![CDATA[<p>Opening Statement for Chairman Joseph Lieberman “<a href="http://www.cybersecuritymarket.com/2010/06/15/hearing-protecting-cyberspace-as-a-national-asset-comprehensive-legislation-for-the-21st-century/">Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century</a>”, Homeland Security and Governmental Affairs Committee, June 15, 2010</p>
<p>The hearing will come to order. Good afternoon and thanks for being here today. Today, we’re going to take a closer look at legislation Senators Collins, Carper and I introduced last week - the Protecting Cyberspace as a National Asset Act. It provides a comprehensive framework to modernize, strengthen, and coordinate our cyber defenses across civilian federal networks and the networks of the most vital privately-owned critical infrastructure – including some real basics of American life; our electric grid, financial systems, and our telecommunications networks.</p>
<p>Today, we’re going to hear from the top cyber security official at the Department of Homeland Security, which of course has a critical role, responsibility, to play in protecting our cyber assets; and we’re also going to hear from security and industry experts. We have, in preparing this legislation, consulted extensively with members of the Administration, people in the private sector, and privacy groups as well.<br />
In the 40 years since the Internet was created, it has developed into a necessity of modern life, source of remarkable information and entertainment and commerce, and, as we also have come to know, it is a target of constant attack and exploitation. We now have a responsibility to bring the public and private sectors together to secure the internet, cyberspace, and secure it well. We believe that our bill would do just that.<br />
The idea of “cybercrime” is not really totally new to the American people. We all know about identity theft and about emails from a foreign “prince,” or “doctor,” or “government official” who desperately needs to move some money out of his or her country and who will reward you richly – if only you’ll give them your bank account number. Which some people actually do.</p>
<p>Identity theft and financial fraud are serious matters. But of course we need, and we hope through this bill, to reorient our thinking about the risks inherent in the internet and cyberspace. Today we face much greater risks in cyberspace than crimes like identity theft. A sophisticated attacker could cripple most of our financial system, take down a lot of the electric grid, or cause physical devastation equal to or greater than conventional warfare. The fact is the threat of cyber attack is among the most serious threats America faces today.</p>
<p>President Obama has correctly described our sprawling government and private sector cyber networks as a “strategic national asset.” But our efforts to secure those networks and that national asset have been disjointed, understaffed, and underfinanced. So, what does our bill do?</p>
<p>First, we need leadership, we need focused and clear leadership, and our bill provides it in the form of a White House Office of Cyberspace Policy that would lead all federal efforts to defend cyberspace. That is civilian defense and private. The office would be led by a Senate-confirmed director, accountable to the public. We have previously asked, for instance, White House cyber coordinator Howard Schmidt to testify before this committee but we’ve always been turned down, apparently, on the grounds of executive privilege. Our legislation would change that by requiring Senate confirmation and thereby making Mr. Schmidt or whoever holds that position subject to the call of Congress and the public.</p>
<p>We also need a stronger agency to defend the dot-gov networks and oversee the defenses of our most critical infrastructure. The Department of Homeland Security Inspector General will issue a report tomorrow critical of many operational elements of the Department’s cybersecurity effort, citing a lack of clear authority as one of the issues that needs to be rectified. Our bill more than addresses these shortcomings by creating a National Center for Cybersecurity and Communications within the Department of Homeland Security which would have new, strong authorities to protect non-defense, public sector and private sector networks from cyber attack. DHS already has this responsibility through presidential directive, but, in our opinion, insufficient authority to carry it out.</p>
<p>The sound defense of our cyber networks will only be successful if industry and government work together, so our bill will set up a collaborative process where the best ideas of the private sector and the government would be used to meet a baseline set of security requirements that DHS would enforce for the nation’s most critical infrastructure.</p>
<p>Thanks to some excellent work by our colleague Senator Carper, our legislation reforms and updates the Federal Information Security Management Act to require continuous monitoring and protection of federal networks but do away with the paper-based reporting system that takes up time agencies really otherwise would be using and should be using to protect their networks.</p>
<p>Our legislation also would require the federal government to develop and implement a strategy to ensure that the almost $80 billion of information technology products and services that the federal government purchases each year&#8211;$80 billion&#8211;are secure and don’t provide our adversaries with a backdoor into our networks. And of course if the federal government uses that $80 billion of purchasing power to drive security add-ons and innovations in information technology products it’ll also be available and presumably bought by the private sector.</p>
<p>Finally, we would give special authority to the President to act in the event of a catastrophic cyber attack that could seriously jeopardize public safety or have disastrous effects on our economy or national security. In those instances, clearly defined in our legislation, the President could direct the National Cybersecurity and Communications Center at DHS to impose emergency measures on a select group of critical infrastructure to preserve those assets and the networks they rely on and protect the American people. These emergency measures would automatically expire within 30 days unless the President ordered an extension. I know there’s been some concern and controversy about that provision and we can speak to it I hope in the question and answer period. But it’s a very important limitation on liability of private entities who take action in response to an order from the government and might otherwise incur liability. We protect them from that because the action the government is ordering them to take is in national security or economic interest.</p>
<p>So, freedom of expression and freedom to innovate are not inconsistent with greater security in cyberspace and that is exactly what we hope to combine and balance in this legislation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/06/16/statement-for-chairman-joseph-lieberman/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Statement of Senator Susan M. Collins</title>
		<link>http://www.cybersecuritymarket.com/2010/06/16/statement-of-senator-susan-m-collins/</link>
		<comments>http://www.cybersecuritymarket.com/2010/06/16/statement-of-senator-susan-m-collins/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 05:24:45 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Cybersecurity Bill]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=275</guid>
		<description><![CDATA[Opening Statement of Senator Susan M. Collins “Protecting Cyberspace as a National Asset Act of 2010”, Committee on Homeland Security and Governmental Affairs, June 15, 2010
The information revolution touches every aspect of our lives, from personal relationships and entertainment to commerce and national security information. Cyberspace is a place of great, even unparalleled, power, [...]]]></description>
			<content:encoded><![CDATA[<p>Opening Statement of Senator Susan M. Collins “<a href="http://www.cybersecuritymarket.com/2010/06/15/hearing-protecting-cyberspace-as-a-national-asset-comprehensive-legislation-for-the-21st-century/">Protecting Cyberspace as a National Asset Act of 2010</a>”, Committee on Homeland Security and Governmental Affairs, June 15, 2010</p>
<p>The information revolution touches every aspect of our lives, from personal relationships and entertainment to commerce and national security information. Cyberspace is a place of great, even unparalleled, power, but also of great vulnerability.</p>
<p>Cyberspace is under increasing assault on all fronts. The cyber threat is real, and the consequences of a major successful national cyber attack could be devastating. As former Director of National Intelligence Michael McConnell testified in February, “If we went to war today, in a cyber war, we would lose.”</p>
<p>Since the terrorist attacks of September 11, 2001, we have done much to protect potential targets such as ports, chemical facilities, and other vital assets. We cannot wait for a “cyber 9/11” before our government realizes the importance of protecting our cyber resources.</p>
<p>We are already under fire. Just this past March, the Senate’s Sergeant at Arms reported that the computer systems of Congress and the Executive Branch agencies are now under cyber attack an average of 1.8 BILLION times per month. Cyber crime already costs our national economy an estimated $8 billion per year.<br />
We must move forward now with an aggressive and comprehensive approach to protect cyberspace as a national asset. The vital legislation that we introduced last week would do just that, fortifying the government’s efforts to safeguard America’s cyber networks. It would build a true public/private partnership to promote national cyber security priorities.</p>
<p>For too long, our approach to cyber security has been disjointed and uncoordinated. This cannot continue. The United States requires a comprehensive cyber security strategy and strong coordination among law enforcement, intelligence agencies, the military, and the private owners and operators of critical infrastructure.</p>
<p>Our bill would establish an essential point of interagency policy coordination within the White House. The Office of Cyberspace Policy would be run by a Senate-confirmed Director who would advise the President. This Director would develop a national cyber security strategy.</p>
<p>To be clear, the White House official would not be another unaccountable czar. The Cyber Director would have defined responsibilities and be accountable to Congress. The Cyber Director would be an advisor and coordinator - not an implementer.</p>
<p>That responsibility, for federal civilian systems and private sector critical infrastructure, would fall to a strong operational and tactical partner at the Department of Homeland Security – the newly created National Center for Cybersecurity and Communications.</p>
<p>For its day-to-day operations, the Center would use the resources of DHS, and the Center Director would report directly to the Secretary of Homeland Security.</p>
<p>On matters related to the security of federal networks, the Director would regularly advise the President – a relationship similar to the Director of the NCTC on counterterrorism matters or the Chairman of the Joint Chiefs of Staff on military issues.</p>
<p>These dual relationships would give the Center Director sufficient rank and stature to interact effectively with the heads of other departments and agencies. These relationships would be critical for the Center Director to set, monitor compliance with, and enforce security policies for federal civilian systems.<br />
As we have seen repeatedly, from the financial crisis to the environmental catastrophe in the Gulf of Mexico, what happens in the private sector does not always affect just the private sector. The ramifications for government and for the taxpayers often are enormous.</p>
<p>This bill would establish a public/private partnership to improve cyber security across private sector networks. Working collaboratively with the private sector, the Center would produce and share useful warning, analysis, and threat information with the private sector, other federal agencies, international partners, and state and local governments.</p>
<p>Best practices developed by the Center would be based on collaboration and information sharing with the private sector. Information shared with the Center by the private sector would be protected.<br />
In cases where owners and operators are responsible for assets whose disruption would cost thousands of lives in mere seconds or multiple billions of dollars, the bill would establish certain risk-based performance requirements to close security gaps.</p>
<p>These requirements, for example, would apply to vital components of the electric grid, telecommunications networks, financial systems, or other critical infrastructure systems that could cause a national or regional catastrophe if disrupted.</p>
<p>These owners and operators would be able to choose which security measures to implement to meet applicable risk-based performance requirements. This model would allow for continued innovation that is fundamental to the success of the IT sector.</p>
<p>The bill also would provide limited liability protections to the owners and operators of covered critical infrastructure that comply with the new risk-based performance requirements.</p>
<p>If a cyber attack were imminent or occurring, the bill would authorize the President to undertake emergency measures to protect the nation’s most critical infrastructure. The President would be required to notify Congress in advance of the declaration of a national cyber emergency, or as soon thereafter as possible. These emergency measures would be limited in duration and scope. The bill does not authorize any new surveillance authorities or permit the government to “take over” private networks.</p>
<p>The legislation also would take advantage of the federal government’s massive purchasing power to help bring heightened cyber security standards to the marketplace.</p>
<p>Finally, the bill would improve the recruitment and retention of a qualified federal IT workforce.</p>
<p>If hackers can nearly bring Estonia to its knees through cyber attacks, infiltrate a major defense program, and hack the computers owned and operated by some of the world’s most successful private sector computer experts, we must assume even more spectacular and potentially devastating attacks lie ahead. We cannot wait for a “cyber 9-11” before our government takes actions to protect these critical assets.<br />
I look forward to moving our bipartisan, comprehensive cyber security legislation forward this Congress.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/06/16/statement-of-senator-susan-m-collins/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Statement of Senator Thomas R. Carper</title>
		<link>http://www.cybersecuritymarket.com/2010/06/16/statement-of-senator-thomas-r-carper/</link>
		<comments>http://www.cybersecuritymarket.com/2010/06/16/statement-of-senator-thomas-r-carper/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 05:16:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Cybersecurity Bill]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=271</guid>
		<description><![CDATA[Statement of Senator Thomas R. Carper, Committee on Homeland Security and Governmental Affairs, June 15, 2010
Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century
I want to start off my opening statement by thanking Chairman Lieberman and Ranking Member Collins for their leadership on this important national and economic security issue. This hearing [...]]]></description>
			<content:encoded><![CDATA[<p>Statement of Senator Thomas R. Carper, Committee on Homeland Security and Governmental Affairs, June 15, 2010</p>
<p><a href="http://www.cybersecuritymarket.com/2010/06/15/hearing-protecting-cyberspace-as-a-national-asset-comprehensive-legislation-for-the-21st-century/">Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century</a></p>
<p>I want to start off my opening statement by thanking Chairman Lieberman and Ranking Member Collins for their leadership on this important national and economic security issue. This hearing to examine the various aspects of our comprehensive cyber security legislation is both timely and important.</p>
<p>As we all know, the Internet has certainly grown over the years – both in its complexity and in its impact on our everyday lives.</p>
<p>For the past three years, I have called for some of the very same reforms we will talk about today. In fact, I introduced cyber security legislation last spring in an effort to strengthen our Federal government – and our nation – against the kinds of attacks that we have seen seriously disrupt the nations of Estonia and Georgia.</p>
<p>One reform I am happy my colleagues accepted is the creation of a White House office that would be responsible for coordinating the security and resiliency of our nation’s cyber space. To date, Federal agencies’ efforts have been ad-hoc and duplicative. As the saying goes, the ‘left hand didn’t know what the right hand was doing.’ My hope is that this office will provide the needed strategic direction to more effectively deal with challenges in cyberspace before they become a crisis.</p>
<p>Another reform I am happy made it into the bill is the idea that agencies need to leverage their purchasing power to demand private vendors sell more secure products and services. For too long agencies have needlessly spent money cleaning up after a cyber attack because the technology was full of security holes. Like a door with no lock, hackers have used security holes that never should have been there in the first place to gain access to our sensitive networks. Our bill changes that.</p>
<p>I also commend my colleagues for joining me in reforming the Federal Information Security Management Act of 2002. As we all know, producing a plan that sounds good on paper is not the same as ensuring the plan is effective when implemented. That’s why our bill compels agencies to stop producing the reams of ineffective paperwork they currently do and instead focus their efforts on defending their systems in real-time.</p>
<p>Lastly, I thank my colleagues for accepting my language to create a nation-wide network of cyber challenges to help reduce the gap between the number of so-called “cyber warriors” that are produced in America and those being trained in China, North Korea, and Russia. Like a “farm system” in baseball, these cyber challenges will create a pipeline of talent that can be tapped by government agencies and private sector companies. If we want America to continue to be dominant in the century to come, we must invest in the skills of our youngsters.</p>
<p>In closing, I look forward to working with Chairman Lieberman, Ranking Member Collins, and other Senate colleagues who may have interest in this issue. My hope is that we can bring together a diverse group of stakeholders on all sides of the issue to produce a bipartisan bill that will enhance our nation’s cyber security and be signed by the President before the end of this year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/06/16/statement-of-senator-thomas-r-carper/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Statement of Frances Fragos Townsend</title>
		<link>http://www.cybersecuritymarket.com/2010/06/16/frances-fragos-townsend-statement/</link>
		<comments>http://www.cybersecuritymarket.com/2010/06/16/frances-fragos-townsend-statement/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 05:07:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Cybersecurity Bill]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=264</guid>
		<description><![CDATA[Frances Fragos Townsend, Chairwoman of the Board, Intelligence and National Security Alliance
Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century
Chairman Lieberman, Ranking Member Collins, Senator Carper and members of the Committee, thank you for the invitation to testify at this hearing and to offer my thoughts on the Protecting Cyberspace as a National [...]]]></description>
			<content:encoded><![CDATA[<p>Frances Fragos Townsend, Chairwoman of the Board, Intelligence and National Security Alliance</p>
<p><a href="http://www.cybersecuritymarket.com/2010/06/15/hearing-protecting-cyberspace-as-a-national-asset-comprehensive-legislation-for-the-21st-century/">Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century</a></p>
<p>Chairman Lieberman, Ranking Member Collins, Senator Carper and members of the Committee, thank you for the invitation to testify at this hearing and to offer my thoughts on the Protecting Cyberspace as a National Asset Act of 2010. I am here today in my role as the Chairwoman of the Board of the Intelligence and National Security Alliance (INSA). INSA is the premier not-for-profit private sector professional organization providing a structure and interactive forum for thought leadership, the sharing of ideas, and networking within the intelligence and national security communities. INSA has over 100 corporate members, as well as several hundred individual members who are leaders within the government, private sector and academia.</p>
<p>Through its Cyber Security Council, INSA has emphasized the importance of creating a strong public-private partnership that can provide meaningful recommendations to address this national and economic security threat. Today I would like to specifically speak to the importance of establishing a public-private partnership to promote national cyber security priorities, strengthen and clarify authorities regarding the protection of federal civilian systems, and improve national cyber security defenses.</p>
<p>Collective national cyber security can only be effectively addressed through a partnership approach between government and private industry. While the government has the legal and moral authority required to organize markets, enforce laws and protect citizens’ privacy and property, the vast majority of cyberspace infrastructure is privately owned and operated. As a result, industry is where most of the expertise in the fields of IT and cyber security resides. The private sector cannot protect privacy and address security while the government cannot dictate security regulations to network systems it cannot control. Furthermore, attempts to do so could stifle innovation and profitability. Because of this dynamic, partnership is the only way forward.</p>
<p>INSA’s Cyber Security Council studied several different models of public-private partnerships during the preparation and research for its November 2009 report, Addressing Cyber Security Through Public-Private Partnership. Historically, effective public-private partnerships have inclusive private sector membership, unified in the pursuit of common goals, a single responsible and accountable government partner organization and clearly delineated roles for both public and private entities. We are very pleased to see these concerns and this organizational structure reflected in the legislation we are discussing today. This bill not only establishes a clearly responsible Center for the problem, but requires that a private sector advisory council be organized to advise the Center on their actions’ effects on industry.</p>
<p>Assuring that private sector concerns are heard within government is an important first step to the creation of a public-private partnership, but this alone is not sufficient to guarantee success. INSA’s Cyber Security Council has identified three key additional components, specific to a public-private partnership on cyber security, which would be required for a successful effort: a flexible or incentivized approach to regulation; robust information sharing; and cooperation and communication on standards and best practices.</p>
<p>With regard to flexible and/or incentivized regulation, it is crucial that government, to the best of its ability, preserve and nurture the innovative and entrepreneurial environment that exists in information technology. A free flow of information and the use of an open source environment have created capabilities and driven the development of new business. Prescriptive or directive security standards, or one-size-fits-all approaches, will limit innovation and erode industry support and participation if industry managers feel security mandates have made their business less competitive. Securing networks and the cyber environment while allowing businesses to remain dynamic in that space is a difficult needle to thread, and we applaud the measured approach of this bill in allowing industry members to propose their own security solutions for approval by the regulatory body. This not only creates a true give-and-take security partnership, but also allows for innovation and growth with the development of new procedures and products.</p>
<p>Also critical to a strong public-private partnership is the creation of a shared awareness of the network environment. Information sharing is absolutely crucial and is an area in which we are presently falling short. Classification, concerns over liability and the present situation in which cyber security is not “owned” by anyone all contribute to this shortcoming and there are sections of this bill that do help. The liability protections afforded to those in compliance with government security measures do provide protection and incentive to private sector firms to increase their reporting, but until the private sector feels they are getting as much as they are giving with respect to information sharing and incident reporting, the system will remain insufficient. The bill calls for the establishment of plans for information sharing between public and private entities and industry should certainly watch this process closely and press for a commitment from the executive branch to share information with the private sector that is as strong as the private sector’s responsibility to report to the government.</p>
<p>The final component, cooperation in the development of standards and best practices, is perhaps the most crucial. Government must develop security standards and systems that deal with known threats and have the capacity to adapt to the rapidly changing cyber environment, and it must do so in concert with industry partners. Just as directive regulations can limit innovation, security standards that are not developed in partnership with businesses can have adverse and unplanned consequences. The vetting of proposed security standards through the industry community is necessary to avoid undue burden and hardship for American business. But the private sector cannot carry out this process entirely on its own; it needs strategic-level threat information and cross-sectional situational awareness from the government to create standards which address actual threats and vulnerabilities and make the nation safer. In this bill, the new Center for Cybersecurity and Communications assesses and evaluates cyber security standards and guidelines, and makes recommendations recognizing existing NIST and industry standards, an important step toward joint production of security protocols. The second step must be carried out by the Center itself when creating its standards and bringing them to industry. They should embrace a true partnership approach, soliciting comments from industry on draft proposals, consulting closely with owners and operators and being open to revision of their rules in light of industry input.</p>
<p>The INSA Cyber Security Council recognizes that there are a number of ways to address cyber security and believes the effort to do so should begin right away on three fronts: private sector self-regulation, executive branch leadership and congressional action. Self-regulation is not an unprecedented activity in the U.S. private sector. There are multiple examples of where the private sector has self-organized to attain a goal. Examples are the North American Electric Reliability Corporation, volunteer fire departments, school boards, community associations, etc. Self-regulation in cyberspace can be achieved and self-imposed based on a strong value proposition and value-based incentives. However, only the government, constrained by law, can fully investigate the behavior of individuals or groups, apprehend, prosecute and punish those who violate the law or defend against and respond to threats and attacks against the nation’s interests. Hence a government role, within DHS like the one identified in the bill, is absolutely essential.</p>
<p>Finally, the role of Congress to enhance the security and resiliency of the cyber and communications infrastructure of the United States is critical to make well-informed decisions and respond to problems quickly. Congressional oversight is also important to ensure that the goals and objectives of the National Strategy are being met, particularly as they relate to use of legal authorities for cyber missions and the reasonable privacy expectations of U.S. persons.</p>
<p>With this bill, the Senate has taken the lead in identifying cyber security needs and organizing the government to address them. This measure relies on the executive branch for the establishment, implementation and development of new structures, protocols, plans and oversight. This Committee, as well as the private sector, will have to engage with the executive branch and monitor the implementation of the provisions of this bill to ensure that this new organizational structure reflects the spirit of the law and does not place undue or unanticipated counterproductive burdens on both government agencies and private sector companies. The goal is to make a positive and meaningful contribution to the national security of the United States, and this bill goes a long way towards achieving that goal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/06/16/frances-fragos-townsend-statement/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Statement of Steven T. Naumann</title>
		<link>http://www.cybersecuritymarket.com/2010/06/16/statement-of-steven-t-naumann/</link>
		<comments>http://www.cybersecuritymarket.com/2010/06/16/statement-of-steven-t-naumann/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 04:50:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Cybersecurity Bill]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=254</guid>
		<description><![CDATA[Statement of Steven T. Naumann, Vice President, Wholesale Market Development, Exelon Corporation on Behalf of the Edison Electric Institute and the Electric Power Supply Association Before the Homeland Security and Governmental Affairs Committee United States Senate Hearing, June 15, 2010
Mr. Chairman and Members of the Committee:
My name is Steve Naumann, and I am Vice President [...]]]></description>
			<content:encoded><![CDATA[<p>Statement of Steven T. Naumann, Vice President, Wholesale Market Development, Exelon Corporation on Behalf of the Edison Electric Institute and the Electric Power Supply Association Before the Homeland Security and Governmental Affairs Committee United States Senate <a href="http://www.cybersecuritymarket.com/2010/06/15/hearing-protecting-cyberspace-as-a-national-asset-comprehensive-legislation-for-the-21st-century/">Hearing</a>, June 15, 2010</p>
<p>Mr. Chairman and Members of the Committee:<br />
My name is Steve Naumann, and I am Vice President for Wholesale Market Development for Exelon Corporation. I have participated on committees, task forces and working groups of the North American Electric Reliability Corporation (NERC) and recently completed serving as Chairman of NERC’s Member Representatives Committee. I appreciate your invitation to appear today to discuss securing the North American electric grid against cyber threats, and the opportunity to testify about the Protecting Cyberspace as a National Asset Act of 2010. At the outset I would like to thank Chairman Lieberman, Ranking Member Collins and Senator Carper for the thoughtful approach taken in the bill and for your leadership on this issue.</p>
<p>Exelon is a holding company headquartered in Chicago. Our retail utilities, ComEd in Chicago and PECO in Philadelphia, serve 5.4 million customers, or about 12 million people – more than any other electric utility company. Our generation subsidiary, Exelon Generation, owns or controls approximately 30,000 MW of generating facilities, including fossil, hydro, nuclear and renewable facilities. Our nuclear fleet consists of 17 reactors; it is the largest in the nation and the third largest in the world.</p>
<p>I am appearing today on behalf of the Edison Electric Institute (EEI) and the Electric Power Supply Association (EPSA). Exelon is a member of both. EEI is the trade association of U.S. shareholder-owned electric companies and has international affiliate and industry associate members worldwide. EEI’s U.S. members serve 95% of the ultimate customers in the shareholder-owned segment of the industry and represent about 70% of the U.S. electric power industry. EPSA is the national trade association representing competitive power suppliers, including generators and marketers. EPSA members own 40 percent of the installed generating capacity in the United States, providing reliable and competitively priced electricity from environmentally responsible facilities.</p>
<p>Both EEI and EPSA also are part of a broader coalition of electric power stakeholders. While I am not officially testifying on its behalf, this coalition includes several major trade associations representing the full scope of electric generation, transmission and distribution in the United States, as well as regulators, Canadian interests and large industrial consumers. Rarely do these groups find consensus on public policy issues, but in the case of securing the electric grid, there is near unanimous support for a regime that leverages the strength of both public and private sectors to improve cyber security.</p>
<p>My testimony focuses on the value of this cooperative relationship, the unique nature of threats to the power grid, and the ongoing efforts of the Nation’s electric sector to respond to those threats. I also will share observations related to the Committee’s bill, particularly appreciation for its adherence to three principles the industry believes are integral to successful cyber security policy. These include:</p>
<ul>
<li>Leveraging public and private sector expertise, while including robust information sharing between government and the private sector, as well as among other stakeholders;</li>
<li>Limiting the scope of any new authority to emergencies that will affect truly critical infrastructure; and,</li>
<li>Addressing threats and vulnerabilities in a comprehensive way, including a multi-sector approach that uses a government-wide coordinator to deal with the various critical infrastructure sectors.</li>
</ul>
<p>Both the federal government and electric utilities have distinct realms of responsibility and expertise in protecting the bulk power system from cyber attack. The optimal approach to utilizing the considerable knowledge of both government intelligence specialists and electric utilities in ensuring the cyber security of the nation’s electric grid is to promote a regime that clearly defines these complementary roles and responsibilities and provides for ongoing consultation and sharing of information between government agencies and utilities.</p>
<p>Fundamentally, however, the private sector can sometimes be disadvantaged in assessing the degree and urgency of possible or perceived cyber threats because of limitations on its access to classified information. The government is entrusted with national security responsibilities and has access to volumes of intelligence to which electric utilities are not privy. Thus the government is able to detect threats, evaluate the likelihood of a malicious attack and the risk of an attack and utilize its expertise in law enforcement. On the other hand, electric utilities are experienced and knowledgeable about how to provide reliable electric service at a reasonable cost to their customers, and we understand how our complex systems are designed and operate. Owners, users, and operators of the electric grid are in a unique position to understand the consequences of a potential malicious act as well as proposed actions to prevent such exploitation, including ensuring against unintended consequences of remedial actions. It is critically important to establish a workable structure that enables the government and the private sector to work together in order to provide a more secure system for our customers.</p>
<p>Thus, the industry appreciates that greater cooperation, coordination and intelligence sharing between government and the private sector is built into the Committee’s legislation that we are discussing today.</p>
<p>I would add that simply creating mechanisms for information sharing is only part of the solution. Those lines of communication must be developed at the highest levels of both government and industry, and then drilled on a regular basis to ensure that, in times of crisis, those with relevant information and operational expertise can communicate seamlessly, quickly and, when needed, securely.</p>
<p>Another important component is your legislation’s narrow scope; it focuses appropriately on the need to protect truly critical assets. There is a security axiom that states: if you try to protect everything, you protect nothing. Put another way, the risk-based prioritization reflected in the proposed bill ensures both government and private sector resources are allocated wisely.</p>
<p>Exelon, for example, is addressing the risks we know about through a “defense-in-depth” strategy while appropriately balancing considerations of potential consequences. This defense-in-depth strategy includes preventive monitoring and detection measures to ensure the security of our systems. We perform penetration tests where a contractor attempts to find and exploit vulnerabilities. The results of these regular penetration tests inform us about whether our preventive strategies are working so that we can enhance our protection as technologies and capabilities evolve.</p>
<p>Reinforcing the need for a private sector role in threat mitigation, these penetration tests, which allow us to practice and enhance our monitoring capabilities, also yield lessons learned that are unique to our system. Because no two power companies have identical network, hardware or logistical configurations, no single entity will know our system’s strengths or weaknesses quite like we do. The legislation recognizes these different characteristics of our systems by authorizing the Director of the National Center for Cybersecurity and Communications to approve alternative measures submitted by owners or operators to protect critical infrastructure against the threat.</p>
<p>The industry believes new emergency authority to address imminent cyber security threats is appropriate. I want to emphasize, however, that current law already provides the means to address many cyber security issues in the electric industry. Section 215 of the Federal Power Act (FPA), which was enacted by Congress as part of the Energy Policy Act of 2005, provides for mandatory and enforceable electric reliability rules, specifically giving the Federal Energy Regulatory Commission (FERC) oversight authority over cyber security rules.</p>
<p>The basic construct of the relationship between FERC and NERC, which FERC certified as the Electric Reliability Organization (ERO) under FPA Section 215, in developing and enforcing reliability rules is sound. In summary, NERC, using a well-defined stakeholder process that leverages the vast technical expertise of the owners, users, and operators of the North American electric grid (including those in Canada with whom we are interconnected) develops reliability standards, which are then submitted to FERC for review and approval. Once approved by FERC, these standards are legally binding and enforceable in the United States. NERC also submits these standards to regulatory authorities in Canada.</p>
<p>I applaud the Committee for addressing what additional authority is needed to promote clarity and focus in response to imminent cyber security threat situations. Legislation in this area should complement, not supplant, the mandatory reliability regime already established under FPA Section 215, and any new government authority should be appropriately narrow and focused only on unique problems that cannot be addressed under Section 215. The FPA Section 215 mandatory reliability framework reflects years of work and broad consensus reached by industry and other stakeholders in order to ensure a robust, reliable grid. It should not be undermined so early in its implementation.</p>
<p>The importance of government-industry cooperation and consultation cannot be overstated. Any cyber security legislation should promote consultation with industry stakeholders and owner-operators of the bulk power system on remediation measures. Consultation is critical to improving cyber security.</p>
<p>Furthermore, every power company operates different equipment in different regulatory environments, making it difficult to offer generalizations about the impacts to the bulk power system or costs and time required to mitigate any particular threat or vulnerability. Costs in particular are an important part of the equation, as the uncertainty associated with federally directed cyber security orders, where the scope of an attack and the required remedies are an unknown and thus cannot be planned for, creates an outstanding question related to economic feasibility and capability. This complexity underscores the importance of consultation with owners, users, and operators, as well as state and federal regulators, and where time permits, prior consultation, to ensure that any mitigation that may be required appropriately considers these factors to ensure an efficient and effective outcome.</p>
<p>For the foregoing reasons, any new legislation giving additional statutory authority should be limited to true emergency situations involving imminent cyber security threats where there is a significant declared national security or public welfare concern. In such an emergency, it is imperative that the government provide appropriate entities clear direction about actions to be taken, and assurance that those actions will not have significant adverse consequences to power operations or assets, while at the same time avoiding any possible confusion caused by potential conflicts or overlap with existing regulatory requirements.</p>
<p>Finally, I would like to extend thanks for your vision to address cyber security using a comprehensive, multi-sector approach. While EEI, EPSA and Exelon’s interests lie with protecting the electric grid, the interconnected nature of critical infrastructure prevents us from claiming victory unless a comprehensive approach is taken. Electric utilities, for example, rely on telecommunications systems to operate the grid, pipelines to fuel our generation, and wholesale markets to sell our product. Should any of these critical sectors be compromised, the electric grid would be impacted as well. Likewise, each of these sectors relies on the electric grid for the power they need to operate. Your bill recognizes this truth, as did the President’s “60-Day Cyber Review” completed last year. I would urge the Congress to follow your leadership and approach this issue in a holistic manner.</p>
<p><strong>Conclusion</strong><br />
While many cyber security issues already are being addressed under current law, we believe it is appropriate for the government to address cyber security in a situation deemed sufficiently serious to require a Presidential declaration of emergency. In such a situation, the legislation should clarify the respective roles, responsibilities, and procedures of the federal government and critical infrastructure industries, including those for handling confidential information, to facilitate an expeditious response.</p>
<p>Any new authority should be complementary to existing authorities under Section 215 of the Federal Power Act, which rely on industry expertise as the foundation for developing reliability standards. Any new authority also should be narrowly tailored to deal with real emergencies; overly broad authority would undermine the collaborative framework that is needed to further enhance security.</p>
<p>Promoting clearly defined roles and responsibilities, as well as ongoing consultation and sharing of information between government and the private sector, is the best approach to improving cyber security. Each cyber security situation requires careful, collaborative assessment and consultation regarding the potential consequences of complex threats, as well as mitigation and preventive measures, with owners, users, and operators of the electric grid.</p>
<p>Exelon and other electric power stakeholders remain fully committed to working with the government and industry partners to increase cyber security and appreciate the efforts of this Committee to advance legislation that would create such a framework.</p>
<p>Thank you again for the opportunity to appear today; I would be happy to answer any questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/06/16/statement-of-steven-t-naumann/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Testimony of Sara C. Santarelli</title>
		<link>http://www.cybersecuritymarket.com/2010/06/16/testimony-of-sara-c-santarelli/</link>
		<comments>http://www.cybersecuritymarket.com/2010/06/16/testimony-of-sara-c-santarelli/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 04:26:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[News]]></category>

		<category><![CDATA[Cybersecurity Bill]]></category>

		<guid isPermaLink="false">http://www.cybersecuritymarket.com/?p=246</guid>
		<description><![CDATA[TESTIMONY OF SARA C. SANTARELLI, VERIZON COMMUNICATIONS BEFORE THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE &#8220;PROTECTING CYBERSPACE AS A NATIONAL ASSET: COMPREHENSIVE LEGISLATION FOR THE 21ST CENTURY&#8221;, JUNE 15, 2010
Mr. Chairman, Ranking Member Collins, and members of the Committee, thank you for this opportunity to discuss the important topic of cyber [...]]]></description>
			<content:encoded><![CDATA[<p>TESTIMONY OF SARA C. SANTARELLI, VERIZON COMMUNICATIONS BEFORE THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE &#8220;<a href="http://www.cybersecuritymarket.com/2010/06/15/hearing-protecting-cyberspace-as-a-national-asset-comprehensive-legislation-for-the-21st-century/">PROTECTING CYBERSPACE AS A NATIONAL ASSET: COMPREHENSIVE LEGISLATION FOR THE 21ST CENTURY</a>&#8221;, JUNE 15, 2010</p>
<p>Mr. Chairman, Ranking Member Collins, and members of the Committee, thank you for this opportunity to discuss the important topic of cyber security. My name is Sara Santarelli and as Verizon’s Chief Network Security Officer my primary responsibility is to ensure the integrity of Verizon’s network systems, including risk management, threat detection, and incident response.</p>
<p>The Committee’s interest in cyber security is timely and crucial to the security of our nation. As a provider of communications services to millions of customers around the world, Verizon addresses cyber attacks daily and has developed a wide range of measures intended to help protect our network and the networks of our customers. But this is not a fight that should be left solely to the private sector—there is a very important role for government in securing cyberspace and we applaud the Committee’s efforts to help bring clarity and definition to that role.</p>
<p>The legislation you have proposed represents a positive step forward in building a stronger bond between the public and private sectors with respect to cyber security. While we may not agree with some of the finer points in the bill and look forward to working with your staff to iron out those differences, we feel that the majority of the legislation supports the common goal of creating a much safer online environment for our customers and for the nation. We appreciate the difficulty you face in crafting legislation that is constructive and useful for increasing our nation’s security in cyberspace, while also not placing an undue burden on private companies, large and small, that are struggling in the current economic downturn.</p>
<p>My testimony gives you a brief background of what cyberspace looks like from our point of view and provides several examples of actions we’ve taken over the past few years to address and mitigate online threats. It identifies how we believe a strong partnership between the private companies that own and operate the networks that make up cyberspace can be established with government agencies that are responsible for providing for the security of our nation against all threats, including those in the virtual world.</p>
<p>Verizon manages thousands of voice, video, and data networks at the local, regional, national, and international level. Ours is a global backbone network that carries large volumes of the Internet’s traffic, one of the many thousands of independently owned and operated networks that make up today’s global Internet. Verizon’s data network includes more than 633,000 route miles of terrestrial and undersea cable, spanning six continents, and reaching customers in more than 2,700 cities and 150 countries. We provide communications services to tens of thousands of businesses and government agencies around the globe, including 97 percent of Fortune 500 companies and roughly 10 million residential broadband customers here in the United States.</p>
<p>Given the nature of our business, cyber security is vitally important to us. The Internet is not centrally controlled or managed. Rather, it is a globally distributed network‐of‐networks linked solely by implementation of a few common Internet protocols. It imposes virtually no barrier to any person seeking to reach a global audience.</p>
<p>But as with many technologies, the same capabilities that make the Internet a useful tool for those with good intent can also be used by those with harmful intent. The number of people connected to the Internet is estimated by some to exceed 1 billion, and not all of them have good intentions. The Internet allows for the rapid adoption of useful software applications that enhance users’ lives, but it also allows for the dissemination of harmful viruses that destroy and steal data. It allows for consumers and companies to interact more efficiently with one another, but it also could be used to attack and disrupt commercial transactions. The cross-border nature of the Internet magnifies its potential for good but also complicates law enforcement.</p>
<p>This is the reality Verizon deals with every day. As a result, Verizon engages in a wide range of activities to enhance cyber security for ourselves, our customers, and other users of our network. These activities take place at many different layers within our organization. For example, before even deploying our network, we work closely with our vendors to help ensure that their products are able to meet our security requirements. Our network security group manages security on our networks using a variety of tools, security sensors, and other technologies to identify and mitigate threats on the Internet as they are emerging. We take action daily to address spam, phishing, denial‐of‐service and other malicious activity that threatens to disrupt our network or our customers’ use of it. We invest in advanced threat detection and mitigation technologies. We also make strategic R&#038;D investments to develop new technologies that deal with emerging and future threats.</p>
<p>In addition to addressing cyber security issues in our network core, we offer a wide range of services to help customers secure their networks and data. Services such as managed firewall, intrusion detection, intrusion prevention, and encrypted virtual private networking help customers keep their networks safe. Verizon’s Government Network Operations and Security Center provides federal agencies with a single point of contact to obtain products and services to meet network operations requirements and related security matters, putting both network and security operations under one umbrella. Our security‐certified data centers offer enhanced security features for customer systems and data. For residential broadband customers we offer parental controls, anti‐spam features, and other security software to assist them in securing their computers.</p>
<p>Going beyond our network services, we offer a wide range of professional services to include security consulting, network analysis, incident response, and computer forensics. Our professional security engineers hold over sixty different certifications and federal clearances, and are available 24/7 around the world to assist customers in responding to breaking cyber security incidents.</p>
<p>When it comes to the security of critical networks and systems, we practice what we preach. Within our own enterprise, network‐connected systems are inventoried and assigned a criticality score based on the sensitivity of the data they contain. They are then scanned periodically to identify security vulnerabilities. The results of the scanning activity are correlated to threats and system value, and the results are automatically displayed in real time on our internal system security dashboard. This real‐time threat and vulnerability information about our own corporate systems has proved invaluable to our internal business leaders in helping them identify affected systems and establish priorities for remediation. Internal groups actually compete against each other to see who can consistently maintain the cleanest scorecard!</p>
<p>Our backbone security activities redound to the benefit of all of our users at no charge. We spend thousands of hours each year analyzing data collected from our involvement in cyber security events which, after rigorous scrubbing to remove any attribution, we publish, free of charge, in our annual data breach investigation report (DBIR). This report, which uses a Verizon‐developed information‐sharing framework called VERIS that we have also published as an open‐source initiative, provides valuable advice and guidance for enterprise and government customers on tangible, effective steps they can take to better secure their networks today. The bottom line for Verizon is that unless our networks add value, our customers won’t use them.</p>
<p>Customers who are assailed by denial of service attacks, spam, phishing, identity theft, network scanning, hacking, and other criminal activity won’t be customers of ours for long. They will quickly move to a network that is better protected.</p>
<p>Finally, we view ourselves as being a leader in the larger cyber security community. Verizon and other companies within the communications sector have a long history of cooperation in emergency preparedness and assisting law enforcement, to the extent authorized by law. This history distinguishes the sector from most other critical sectors identified in the National Infrastructure Protection Plan and is a reflection of our relationship with the federal government and the public policy community. The sector personifies cooperation and trusted relationships, which has resulted in the delivery of critical services when emergencies and disasters occur. This strong bond between the private and public sectors exists today in large part because of several organizations that were created in response to earlier threats to the nation’s critical infrastructure. Some of the organizations that Verizon has a leadership role in or is a significant participant in include the President’s National Security Telecommunications Advisory Committee (NSTAC), the National Coordination Center for Telecommunications (NCC), the Communications Sector Coordinating Council (C‐SCC), the National Security Information Exchange (NSIE), and the FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC).</p>
<p>Security events are a constant reminder that our networks and our customers’ networks are under a steady assault from individuals, groups, and organizations that intend to do harm. And it is important to note that these assaults are constantly changing and evolving as criminals and hackers develop new techniques to get around the latest defenses. Once launched, these assaults can escalate with astonishing speed. Improvements in computer processing power, memory, and bandwidth not only help support new lawful applications like VoIP and streaming video, but they also enable hackers to wield tremendous weapons in cyber space. Distributed virtual computer networks known as botnets can flood victims with vast amounts of traffic, send millions of spam messages to ensnare new victims, and serve as a virtual hosting network for illicit commercial activity. Government regulation of private sector network security activities must not diminish the flexibility, speed, and independence that network providers find essential in waging war on cyber crime.</p>
<p>In recent years, we have faced many cyberspace challenges as the four examples that follow demonstrate. In each of these cases, we have worked with other parties (providers, companies, the government, and others) to quickly address the issue at hand. Any new requirements must continue to afford us the flexibility and speed to continue resolving problems as we have in the past.</p>
<ul>
<li>Several years ago a major financial services institution was under a significant distributed denial of service attack that effectively disabled its ability to handle online transactions via the Internet. We worked closely with another large Internet backbone provider to quickly bring the attack under control and to help restore stability to the customer’s network. We would not have been able to address the issue at hand as quickly and successfully if we had been required to brief and share information with outside parties on a real‐time basis or wait for feedback on, or concurrence with, our plan of action.</li>
<li>The SQL‐Slammer worm was launched on January 25, 2003, at approximately 12:30 a.m. EST, and began rapidly spreading across the Internet. At that time, this worm was the fastest spreading computer worm in history, doubling in size every 8.5 seconds. The scanning technique used by the Slammer worm was so aggressive that it quickly interfered with its own growth. Within three minutes the worm achieved its full potential (with more than 55 million computers being scanned per second), at which point its growth rate slowed. Slammer infected more than 90 percent of vulnerable hosts within 10 minutes. This rapid spread caused significant disruption to financial, transportation, and government institutions. Success in stopping the Slammer worm was predicated on the ability to take fast and decisive action without extraneous briefings, consultations, or declarations.</li>
<li>The recent Conficker worm experience illustrates how important it is to maintain flexibility in any cyber regulatory regime. Conficker has spawned one of the most successful and robust criminal botnets in history. It was first released on November 21, 2008, just weeks after publicity about a critical software vulnerability affecting operating systems used in a large portion of the computing infrastructure on the Internet. In response to this threat, an international working group—the Conficker Working Group (CWG)—was formed. It consists of thirty named members and many more partners and contributors around the world, including Verizon. This global partnership involved industry, governments, and educational institutions. Its efforts have largely prevented the monetization of this criminal botnet and hampered its spread at key points in its evolution. It bought additional time for more sites to fix vulnerabilities by implementing additional security controls. This botnet remains a clear threat to the world’s networks and those responsible for releasing and controlling it are still at large after almost two years. Conficker is a good example of a complex and rapidly evolving threat for which existing information sharing activities have proved effective. The data and expertise needed to counter cyber threats such as this are distributed globally among companies, universities, and governments. When those groups work together, the result is greater than the mere sum of the parts. It is imperative that any government‐directed information sharing mechanism be nimble and flexible enough to accommodate any and all comers, and not otherwise place restrictions or requirements on the free flow of information about the Internet.</li>
<li>The Rinbot incident in 2006‐2007 highlights the damage that can be caused when an average miscreant armed with powerful hacking tools that are widely and cheaply available on the Internet “black market” takes aim at just a few critical vulnerabilities in unpatched systems connected to the Internet. Security sensors deployed in Verizon’s Internet backbone network alerted our network security teams to an emerging outbreak. We disseminated this information quickly within the company, to customers, to the impacted vendor, and to numerous established cross‐industry groups. Verizon’s information helped prioritize the identification, mitigation, and ultimate takedown of the Rinbot botnet. Although the aggressive nature of this virus led to the complete shutdown of a regional hospital network in Canada and several enterprise networks in the United States, we believe that quick action by Verizon and others helped prevent far greater harm.</li>
</ul>
<p>Headlines often make it appear that the Internet is so vulnerable and open to attack that nothing can be done or is being done to safeguard consumers and our country. But what these events illustrate is that public and private sector response and remediation activities and information sharing exist today in ways that are highly advanced and effective, and that speed and flexibility are essential for combating such cyber threats. Even without government mandated information sharing and oversight, private sector operators are—and have been for years—moving “full speed ahead” to expand their tools, expertise, and capabilities necessary to identify threats, address them, and preserve providers’ ability to serve their customers.</p>
<p>That’s not to say there is not a role for government—there is. The government is uniquely positioned to do things the private sector simply can’t. For example, the government has the power to:</p>
<ul>
<li>Share unique and valuable information resources that it possesses which might aid private sector cyber security efforts;</li>
<li>Work with industry to define mutually‐agreeable plans for addressing potential incident scenarios before such incidents occur;</li>
<li>Incent those who are slow in adopting cyber security best practices to improve their security posture, thus reducing the negative externalities that exist from the underinvestment by some in adequate network security;</li>
<li>Secure its own networks and systems, thus protecting some of our nation’s most critical information assets;</li>
<li>Facilitate the development of new security offerings by requiring best‐of‐breed security features in the products it purchases;</li>
<li>Provide valuable incentives for desirable private action, such as limitations on liability for collateral damage flowing from otherwise desirable network security behavior;</li>
<li>Clear away outdated legal barriers that impair some of today’s cybersecurity activities; and</li>
<li>Work with other governments, to persuade regimes that are havens for cyber criminals to take a firmer stand in support of global Internet security.</li>
</ul>
<p>With this in mind, we believe government efforts should be focused on the following key goals and objectives, most of which are addressed in the proposed legislation:</p>
<ul>
<li>Centralize and clarify government roles and responsibilities. The government needs to speak with one voice when setting national priorities and agendas. Proposals in this bill such as the Office of Cyberspace Policy and the National Center for Cybersecurity and Communications, for example, could streamline interactions and ensure consistency in the government’s view and in the security of its own infrastructure.</li>
<li>Avoid duplication of cyber security initiatives. Given the widespread level of concern across all government sectors on cyber security issues, it is not surprising that many different proposals exist for how to best address it. Unnecessarily duplicative or inconsistent initiatives threaten to drain scarce resources, and divert us from substantive cybersecurity activity. This bill takes several steps towards achieving the goal of reduced duplication of initiatives, and we appreciate the effort that this will take.</li>
<li>Promote enhanced security for private sector infrastructure while maximizing private sector flexibility and preserving speed of response. Clearly, there will always be those who are slow in adopting best practices in the area of cyber security. It is appropriate for government to provide strong incentives for those enterprises to enhance their level of security. Given the wide range of networks and technologies, as well as the rapid pace with which cyber threats are ever‐evolving, it is imperative that we do not lock ourselves into a single regulated approach. Owners/operators of critical infrastructure must retain the freedom to implement any and all measures available to them to secure their infrastructure and critical systems. With respect to speed‐of‐response—speed that is often measured in seconds, not hours or days—it is essential that providers have the freedom to take decisive action to protect their critical cyber resources without being subject to regulatory second-guessing. Unfunded regulatory mandates and command‐and‐control type governance structures must be avoided. The most effective approach, which appears to be the direction that this bill is taking, is a public‐private partnership where government provides assistance and expertise to the private sector, coupled with incentives like confidentiality and liability protection to encourage the private sector to implement desired activities and with freedom to take decisive actions.</li>
<li>Drive diplomatic efforts to reduce the number of countries that are havens for cyber criminals. While this legislation does not directly address international diplomacy, it does recognize that it is one of the key objectives of any national strategy to increase the security of cyberspace.</li>
<li>Remove outmoded legal barriers to appropriate information‐sharing. A number of outdated laws present barriers to the collection, use, and sharing of information by network operators and their customers, and the government. We urge you to update this patchwork of laws and provide a coherent legal framework that takes into account the current state of technology and strikes the appropriate balance between privacy and the need for information sharing among government and the private sector.</li>
</ul>
<p>We look forward to working with you and your staff on further refining these mechanisms to ensure that network service providers and other private sector actors retain the freedom to act quickly as they see fit to address these ever‐evolving and rapidly spreading threats to our networks, our economy, and our way of life.</p>
<p>Mr. Chairman and members of the Committee, I again thank you for the opportunity to appear before the Committee to discuss the important topic of cyber security and the challenges of securing critical infrastructure information systems. I look forward to answering any questions you may have.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecuritymarket.com/2010/06/16/testimony-of-sara-c-santarelli/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
