COMMISSION ON ENHANCING NATIONAL CYBERSECURITY

COMMISSION ON ENHANCING NATIONAL CYBERSECURITY

MeetingoftheCommissiononEnhancingNationalCybersecurity

PANELISTANDSPEAKERSTATEMENTS

AmericanUniversity

Washington,DCSeptember19,2016

CommissiononEnhancingNationalCybersecurityPanelistandSpeakerStatements Pageii

TableofContents

DanChenok..............................................................................................................................................................................1EvanCooke..............................................................................................................................................................................5AlanDavidson.........................................................................................................................................................................8KarenEvans..........................................................................................................................................................................12EricFischer...........................................................................................................................................................................14RickGeritz.............................................................................................................................................................................20EricMill..................................................................................................................................................................................22ChrisPainter........................................................................................................................................................................25MarkRyland.........................................................................................................................................................................28MikeWalker.........................................................................................................................................................................31GregoryC.Wilshusen.......................................................................................................................................................32NealZiring.............................................................................................................................................................................40

CommissiononEnhancingNationalCybersecurityPanelistandSpeakerStatements Page1

DanChenokGoodmorning.IamDanChenok,ExecutiveDirectoroftheIBMCenterforTheBusinessofGovernment.TheIBMCenterconnectsresearchtopractice,applyingscholarshiptorealworldissuesanddecisionsforgovernment.TheCenterfacilitatesdiscussionofnewapproachestogovernmenteffectivenessacrossmultipledomains,includingtechnologyandcybersecurity.

IalsoserveastheChairfortheCybersecuritySubcommitteeoftheDHSDataPrivacyandIntegrityAdvisoryCommittee,asamemberoftheCenterforStrategicandInternationalStudies’CommissiononCybersecurity,andformerlyservedasChairoftheNISTInformationSecurityandPrivacyAdvisoryBoard.InmyFederalGovernmentcareer,IservedasChiefoftheInformationPolicyandTechnologyBranchintheOfficeofManagementandBudget(OMB).Inadditiontoitsbudgetrole,OMBoverseesmultiplemanagementfunctionsacrossgovernment;myofficeledworkoninformationandITpolicyandbudgetactivityincludingcybersecurity.

IamverypleasedtojoinyoutodaytodiscussthepolicyframeworkforFederalIT.IwillprovidebriefperspectivesontheevolutionofFederalITpoliciesthatimpactcybersecurity,andthenofferafewideasastowhatpolicyapproachesmightdrivecontinuedimprovementforFederalITandcybersecurity.Iwillfocusprimarilyoncivilianagencycybersecurity,whichworksunderadifferentpolicyframeworkthanisthecasefornationalsecuritysystems.

Background

ThepolicyframeworkthatgovernsFederalITwithrespecttocybersecurityhasmanypieces.Itisrootedinlaw,ExecutiveOrders,OMBCircularsandMemoranda,NISTGuidance,DHSDirectives,andothervehicles.Somemajorlawsandpoliciesareoutlinedbelow.

KeyStatutes• PaperworkReductionActof1980–authorizedOMBtooverseeagencyactivityacrossabroad

rangeofITactivities,andestablishedtheOfficeofInformationandRegulatoryAffairs(OIRA)toleadthateffort.ThePRAwasinpartaresponsetonumerousreportsofITsystemsfailuresinthelate1970s,andestablishedaframeworkforintegratedIToversightincludingprivacyandsecurity(thePrivacyActof1974wasalreadyunderOMB’spurview).

• ComputerSecurityActof1987–gavetheOMBDirectorauthorityovercivilianagencycomputersecurity,withauthorityfornationalsecuritysystemsdelegatedtotheSecretaryofDefenseandDirectorofCentralIntelligence.ThisdivisionresultedafteradebateoverseveralyearsaboutwhetheroversightforcivilianagencyITsecurityshouldbeledoutoftheintelligencecommunityorbyacivilianagency.

• ClingerCohenActof1996–establishedChiefInformationOfficersinagenciestooverseeinformationresourcesandITmanagement,includingcomputersecurity.ClingerCohenbroughttheemergingprivatesectorbestpracticeofastrategicCIOtogovernment.

• E-GovernmentActof2002–codifiedOMB’sOfficeofE-GovernmentandInformationTechnology(E-Gov),andchargedtheE-GovAdministratorwithleadershipforITsecurity,aswellasoverallITandE-governmentleadership.TheE-GovActcameafteryearsofdiscussionabouttheneedforaFederalCIOorsimilarpoliticallyappointedITleaderatOMB,andcontainedprovisionsthatcodifiedmultipleITpoliciesandpracticesincludingprivacy.TheleaderofthisofficewasdesignatedasFederalCIObythisAdministration.

• FederalInformationSecurityManagementActof2002(TitleVoftheE-GovAct).FISMAupdatedtheComputerSecurityAct.FISMAwasreauthorizedandupdatedin2014toenactprovisionsthatdriveagenciesmoretowardoperationalsecurity.

• FederalInformationTechnologyReformActof2015–enhancedauthoritiesforChiefInformationOfficerstooverseeITactivities,especiallywithrespecttobudgetandacquisition.FITARAupdatedClingerCohentogiveCIOstoolstocontrolIT,followinghigh-profilesystemsfailureslikehealthcare.gov.


Inadditiontothesegeneralstatutes,DHS’leadershipforcybersecuritywasauthorizedintheHomelandSecurityActof2002.

KeyPolicies

Thesestatutesareimplementedthroughabroadarrayofpolicyissuances.Severalmajorpoliciesfollow,andagenciesalsomustcomplywithamanyadditionalguidancedocuments–amongthosearethepoliciesgoverningFederalacquisition,whichplaysakeyroleinhowITandcybersecurityareimplementedthroughcontractswithprivatesectorproviders.• OMBCircularA-130–OMB’soverallpolicydirectivethatintegratesFederalinformationandIT

policy.A-130wasfirstissuedin1985andrevisedsince(witharecentupdatethissummer);otherOMBCircularsalsohaverelevanceforITandcybersecurity,includingtherecentreissuanceofCircularA-123withitsfocusonEnterpriseRiskManagement(ERM).

• OMBCircularA-11Exhibit55–TheannualrequirementforagenciestoreportITspending.TheITBudgetbecameaseparateexhibitunderA-11,whichistheoverallannualbudgetguidanceforagencies,inthelate1990s.

• FISMAGuidance–Theannualrequirementforagenciestoreportonsecurityactivities,issuedeachyearsinceFISMAwasimplementedin2004.FISMAguidancedrivesagencyprioritiesandagencyInspectorGeneralreviews.

• NISTGuidance–Fordecades,NISThasissuedmultipleguidancedocumentsonsecurity,privacy,andidentitymanagement.TheseincludebindingFederalInformationProcessingStandards(FIPS),SpecialPublicationsthatagenciesleveragetomakerisk-basedsecuritydecisions,andothernon-bindingdocuments(suchasthe2014NISTCybersecurityFrameworkcalledforbyExecutiveOrder13636).

• PrivacyGuidance–OIRAworkswiththeE-GovOfficeonpolicytoimplementthePrivacyAct,PrivacyImpactAssessmentsundertheE-GovAct,andotherstatues.Ingeneral,OIRAhastheleadforprivacypolicy,whileE-GovhastheleadforprivacyinITsystems.

• IdentityManagementGuidance–Forseveraldecades,OMBhasworkedwithNIST,GSAandDHSonvariouspoliciesandprogramsregardingidentitymanagement,including:

o MultipleGSAprogramstoimplementelectronicsignaturesandcredentialingingovernment,startinginthe1990sandcontinuingtodaywiththeFederalIdentity,Credential,andAccessManagement(FICAM)program;

o theE-AuthenticationprogramledbyOMBstartingin2001,nowpartofFICAM;o HSPD12issuedin2004,ledbyOMBandtheWhiteHouseandimplementedineachagency

foremployeeandcontractorphysicalandlogicalcredentialing;ando TheNationalStrategyforTrustedIdentitiesinCyberspace(NSTIC),ledbyNISTand

introducedin2011,whichcallsforgovernmenttoworkwithindustryindevelopingidentitymanagementapproachesthataresecure,resilient,andprivacy-protective.

KeyAgencies

Theselawsandpolicieshaveledtoadiversesetofleadcybersecurityorganizations,including:• theCybersecurityCoordinator,housedintheNationalSecurityCouncil;• theOfficeofManagementandBudget,ledbytheOfficeoftheFederalCIO--inwhichanew

positionofFederalChiefInformationSecurityOfficer(CISO)overseesaCyberUnit--andalsoinvolvingotherOMBoffices;

• theDepartmentofHomelandSecurity,ledbytheNationalProtectionandProgramsDirectorate(NPPD)andinvolvingmultipleadditionalDHSoffices;

• theCommerceDepartment’sNationalInstituteofStandardsandTechnology(NIST);• theGeneralServicesAdministration,forauthenticationandcloudcomputingsecurity;• theDepartmentofJusticeformattersinvolvingcybercrime;• AgencyInspectorsGeneral,whoconductreviewsunderFISMA;and• theFederalCIOCouncil,andspecificallytheCouncil’sInformationSecurityandInformation

ManagementCommittee(ISIMC)whosemembersincludeagencyCISOs.


PerspectivesonEnhancingPolicyforImprovedFederalCybersecurity

Inaworldwherethreatsemergeinfasterthanpoliciesandacquisitionscanreacttothem,agilityisessential.Policiescanpromoteapproachesandtechnologiesthroughwhichgovernmentpredictandpreventcyberthreats.ThisAdministrationhastakenimportantstepsforwardindevelopingandcoordinatingITandcybersecuritypolicies,leveragingprogressmadeinpreviousAdministrations.Followingaresomeideastocontinueenhancingthispolicyobjective.• Rationalizegovernancearoundkeypriorities–Agenciesmustmanagetheircyberassetsunder

thebroadpolicyandoversightstructuredescribedabove.Clearlyidentifyingrolesandresponsibilities,andfocusingcollectiveeffortonkeyprioritiesforimprovingcyberinandacrossagencies,canhavegreatbenefit–especiallyforanewAdministrationthatmayneedtotakerapidactioninresponsetoacyberincident.Developingashortsetofkeygoalsandobjectivesconsistentwiththisstructure,andmakingexplicitresponsibilityandaccountabilityforhowthesegoalswouldbeachievedandmeasured,wouldensurethatstakeholdersinandwithgovernmentwouldhaveaguideposttoalignsecurityactions.Thisneednotbealonganddetailedstrategicplan–multiplecyberstrategiesalreadyexistacrossthegovernment.Rather,anewAdministrationcouldoutlinegovernmentwideprioritiesandleadorganizations,aclearbaselinearchitecturefortechnicalprotectionsacrossagencies,andpathwaysfordeeperengagementwiththeprivatesector.SuchapolicycouldbeissuedbythePresidentviaExecutiveOrderorDirectivetobuildoncurrentprogress.Thisapproachwouldgarneragencyheadattention,strengtheningfocusoncybersecurityacrossthegovernment’sC-SuiteandstressingrapidactionbymissionleadersworkingwithCIOs.

• Driveinnovation–Giventhemultipleplayers,lawsandpoliciesthatagenciesmustcomplywith,manycybersecurityresourcesnecessarilygotocomplianceandreporting.Therearerelativelyfewincentivesinthesystemtointroduceinnovation,makingitdifficultforgovernmenttotapintoevolvingcommercialbestpractice.Onepathtoaddressthisconcerncouldbethroughtheprocurementsystem.Mostagencycybersecurityproductsandservicesareactuallyproducedbyindustrythroughgovernmentcontracts,underasetofcomplexrulesthattoooftenfocusresourcesoninputsandtendtoimpedenewideas.Recentinitiativesingovernmenthaveattemptedtoleverageinnovationbyhiringoutsidetechnicaltalent,butcybersecurityexpertiseisnotcommonintheseinitiatives;nordoesthisapproachhavemuchimpactacrossthe$90BspentonITbytheUSgovernmenteachyear.Policiesthatcanacceleratetechnologyprocurementswillallowagenciestokeeppacewithinnovation.Andeffectiveprocurementrequirementscanincentivizesoundcybersecuritypractices,allowingcompaniestobringinnovativeideasforward–suchashowagenciescanbestleverageleading-edgecommercialitems,orharnesstheenormouspotentialofBlockchain--asanexpectedcontractactivity.ThiscouldenablegovernmenttoleveragetheenormousITinvestmentstoattractinnovation,fromcompaniesthatalreadycarryouttheseinvestmentsthroughprocurements.

• Integratesecurityandprivacy–TherecentreissuanceofOMBCircularA-130addressedprivacyandsecurityinamorecoordinatedfashion.Safeguardingpersonallyidentifiableinformationisakeyelementofcyberprotectionforgovernmentsystemsgenerally–yetteamsacrossgovernmentthatimplementprivacyareoftenorganizationallyseparatefromcybersecurityteams.Moreintegrationofpolicies,programs,andorganizationscanhelpaligneffortsaroundendgoalsfortheprotectionofsensitivedatathatgovernmentholdsinstewardshiponbehalfofitscitizens.Thisintegrationcanbereinforcedbypoliciesthatcallforagenciestoaccountsecurityandprivacyspending.

• EnhancePublic-PrivateCollaboration–Inadditiontoleveraginginnovation,policycanpromoteenhancedengagementacrosssectorstoleveragebestpractice.Someideasinclude:

o Expandreal-timethreatinformationsharingatscale,buildingontheCybersecurityInformationSharingActof2015;

o Matureagencyriskmanagementprogramstoenableinformedcyberchoices,workingwithindustrytounderstandtherisklandscaperelativetomissionachievementbyagencies–theNISTCybersecurityFrameworkpromotessuchanapproach,andintegrationof


governmentCIOandCFOresponsibilitiesaspartofanenterpriseriskmanagementwouldalsobenefitfromadaptationofindustryERMmodels;

o DevelopanapproachtoleveragecommercialbestpracticeforcybersecurityingovernmentadoptionoftheInternetofThings;and

o Workwithindustrytospeedtheprocessforapprovingcloud-basedcybersecurityundertheFedRAMPprogramatGSA.

ThankyoutotheCommissionfortheopportunitytosharetheseperspectives,andIlookforwardtothepaneldiscussion.


EvanCookeGoodafternoonChairmanDonilon,Vice-ChairmanPalmisanoandDistinguishedMembersoftheCommission.Thankyoufortheopportunitytoparticipateinthisdiscussion.

I’dliketostarttodaybycommendingtheCommissiononexploringthetopicofinnovationingovernmentandpreparingforthefuture.AsIhopeourdiscussionthisafternoonwillhighlight,therearewaystomovefastingovernment,solvehardtechnicalproblems,anddelivermeaningfulchangequickly.ThispastJune,theWhiteHousepublished“100ExamplesofPresidentObama’sLeadershipinScience,Technology,andInnovation”summarizingthecapacitybuildingeffortsofthisAdministrationtosupportinnovationandtransformationincludingthePresident’sworkcreatingthreenewhigh-levelscience,technology,andinnovationpositionsintheWhiteHouse—aU.S.ChiefInformationOfficer,aU.S.ChiefTechnologyOfficer,andaChiefDataScientist.TheseleadershaveworkedwithcolleaguestocreatetheU.S.DigitalService,18FattheGeneralServicesAdministration(GSA),andthePresidentialInnovationFellowsprogram—whichhavebroughtmorethan450engineers,designers,datascientists,andproductmanagerswhohavesignedonforatourofdutytoserveinover25agenciesalongsidededicatedcivilservantstoimprovehowgovernmentdeliversmoderndigitalservicestotheAmericanpeople,andhavefurtherbeguncapacitybuildingworktotrainexistingfederaltechnicaltalent.ThePresidentalsoreinvigoratedthePresident’sCouncilofAdvisorsonScienceandTechnology(PCAST).ThebackgroundwediscusstodaywillbeontheU.S.DigitalServicewhichwillhopefullyprovideusefullessonsandexamplesforyourdeliberations.

OnAugust11,2014,thePresidentdirectedhisAdministrationtoaccelerateeffortstoimproveandsimplifythedigitalexperiencebetweenindividuals,businesses,andthegovernmentthroughthecreationoftheU.S.DigitalServiceorUSDS.Overthepasttwoyears,morethan170engineers,designers,datascientists,andproductmanagershaveansweredthePresident’scallandsignedonforatourofdutywithUSDS.Iwasoneofthoseengineersthatdroppedeverything,movedacrossthecountry,andjoinedup.

Overthepasttwoyearsthisteamhasdeliveredmorethan20projectsandinitiatives.I’lltouchquicklyonthreetogiveyousenseforthework.

• MakingiteasierforVeteranstoaccesshealthcare.TheDepartmentofVeteransAffairsandU.S.DigitalServiceintroducedanewdigitalapplicationforhealthcareupgradingalegacyapplicationthat70percentofvisitorshadtroubleaccessing.Followingthelaunchofthenewdigitalapplication,morethan10,000Veteransusedittoapplyforhealthcare,withmanyreceivingcoverageinlessthan10minutes.

• Helpingstudents,parents,andfamiliesmakemoreinformeddecisionsaboutcollegeselectionthroughtheCollegeScorecard.TheDepartmentofEducation,18F,andU.S.DigitalServicelaunchedthenewCollegeScorecardtooltogivestudents,parents,andtheiradvisorstheclearest,mostaccessible,andmostreliablenationaldataoncollegecost,graduation,debt,andpost-collegeearnings.Withinthefirstyear,theCollegeScorecardhadnearly1.5millionusers,morethan10timestheusersitspredecessorhadinayear.Inaddition,bygivingdevelopersaccesstoadeveloperapplicationprograminterface(API),dozensofotherorganizationshaveusedtheScorecarddatatolaunchnewtoolstosupportstudentsintheircollegesearchandapplicationprocesses.

• StrengtheninginformationsecurityattheDepartmentofDefense(DoD).TheDefenseDigitalServicelaunchedaprogramcalledHackthePentagon,thefirstbugbountyprograminthehistoryoftheFederalGovernment,tostrengthenthesecurityoftheDoD’sdigitalassets.Morethan1,400outsideresearchersparticipated,andmorethan250submittedatleastonevulnerabilityreport.Ofallthesubmissionsreceived,138weredeterminedtobelegitimate,unique,andeligibleforabounty.Thesevulnerabilityreportswereremediatedinnear-realtime.


TheU.S.DigitalServicewascreatedbasedonasimpletheoryofchange:bringtoptechnicaltalentintopublicserviceanddeploysmallempoweredteamsthatpartnerwithcareercivilservantsandagencyleadershiptosolvehigh-priorityproblems.USDSisorganizedasafederatedsetofconnectedbutautonomousagencyteamsthatworkhand-in-handwithagencyseniorleadershipusingavarietyofengagementmodelsincludingtwo-week“discovery-sprints”tosurfacechallenges,scopeproblems,andquicklydeliversolutions.TheconceptofoperationsisbestillustratedthroughtheUSDScorevalues.

• Hireandempowergreatpeople–Technologyalonedoesn’tchangethings — it’sthepeoplewhopushourmissionforward.StrongEQ(emotionalquotient),compassion,andtenacityarejustasimportantasbeingagreattechnologist.

• Gowheretheworkis–Byworkingshouldertoshoulderwithagencies,we’reabletoinspirechange.TransforminggovernmentisnotuptotheU.S.DigitalService.It’suptoallofus,together.

• Findthetruth.Tellthetruth–Weexpectourpeopletobehumble,notquiet,andchallengethestatusquowhereverdatasupportsit.Ashasbeensaidbefore,everyoneisentitledtotheirownopinion,butnottheirownfacts.

• Designwithusers,notforthem–Todeliverproductsandservicesthatprovidevaluetousers,it’sessentialthatweexperiencetheirexperiences.Thebestproductsandservicesaren’tcreatedbehindcloseddoors.

• Optimizeforresults,notoptics–Weworkforthepeople — notcredit,prestige,orheadlines.Thismeanstacklingthehardstuff,evenwhensuccessisn’tguaranteed.

• Createmomentum–TheAmericanpeopleneedbetterdigitalservices,today.Weworkwithabiasforaction,focusingondeliveryaboveallelse.

Together,thesevaluesdefineacultureofdelivery.Thatis,changeisaccomplishedbyfocusingdirectlyonresultsthatimprovethelivesofcitizensandcustomers.

Thismodelhasbeensuccessfulinimprovingcitizen-facinggovernmentservices,achallengethathasseveralparallelstotheproblemofimprovingFederalcybersecurity.IsharethefollowingfewthoughtsasanimplementerwhohasworkedonU.S.DigitalServicedeliveryteamsandfromapolicyperspectiveinmycurrentroleintheOfficeofScienceandTechnologyPolicy.

Cybersecurityhasaninherentlytechnicalbasisandwewon’thaveafullunderstandingoftheissueswefaceortheavailablesolutionsunlesswebringtechnicalexperienceandunderstandingtoourmostseniordiscussions.Wehaveobservedtimeandtimeagainhoworganizationscannotmanagetheirwayoutofbadtechnicalarchitectures.Weneedtechnologistsatthetable.OnewayinwhichUSDSseekstoaddressthisproblemisbyensuringthatpositiondescriptionsforjobopenings---evenforseniorroles---requireacertainleveloftechnicalandoperationalexperience.Inaddition,USDSworkstoensureadiverserangeofcandidatesthatcomefromdifferentbackgroundsandexperiencestoenableavarietyofproblemsolvingapproachesandperspectives.

TheUSDSmodelofbringingtechnicaltalenttodotoursofdutyintheFederalGovernmentmayalsobeahelpfultoolintacklingimportantcybersecuritychallenges.AfewkeyfeaturesoftheUSDSmodelaretheopportunitytoworkdirectlywithsenioragencyleadershiponcriticallyimportantproblems,themandatetomakedifficultdecisionsthatmaychallengethestatusquo,andtheautonomytobuildandmaintainauniqueculturewithleadershipthatistechnicalandhasprivate-sectoroperationalexperience.Thesecanbedifficultrequirementstorealizebuttheyhaveprovedimportantcomponentsofsuccess.

InadditiontotheengagementmodelandorganizationalstructureourworkonprojectshasalsosurfacedexperiencesthatmaybehelpfuldatapointsfortheCommission.First,manypoliciesandprocessesdesignedwithgoodintentionstoimprovecybersecurityinpastyearsdonotnecessarilyachievetheenvisionedsecurityoutcomes.ThereisoftenlimitedevidenceofmeasurableoutcomesformanyFederalcybersecuritypoliciesandtechnologies.Forexample,rulesputinplacetostrengthen


theprocessofobtaininganauthoritytooperate(ATO)cansometimesleadtoinconsistentsecurityoutcomes,longreviewtimelines,andsignificantduplicationofeffortacrossandevenwithinagencies.AnotherexampleisFederalguidancetodepartmentsandagenciesonTrustedInternetConnections,apolicythatwasoriginallyputinplacebeforethewideadoptionofcloudandmobiletechnologiesandthatcouldbemodernizedtosupportnewmoresecuretools.

Learningfromtheseexperiences,asweconsideramoreagileFederalpolicyframeworkforcybersecurity,compatibilitywithcontinuallyevolvingtechnicalarchitecturesandaccountabilitytorealsecurityoutcomesmaybehelpfulguidelines.Policyforcybersecurityshouldbetiedtomeasurableresultswherepossibleanddesignedtoevolveorsunsetastechnologymatures.

Finally,ourworkhasillustratedhowdifficultitisforahighlyfederatedsystemtoconsistentlyimplementalargenumberofcomplexchangesquickly.TheexistingfederatedanddistributedapproachtoagencyITandtechnologyisbecomingmoredifficulttomanageandupgradeastherateofchangeintechnologyincreases.Consolidationofcriticalcommonservicesandplatformssuchasemailandproductivityapplicationswillhelpprovidethevisibilityandcontrolnecessarytopositionthefederalgovernmentforamoreautomatedworldofadvancedmachinelearningandartificialintelligenceanddefendagainstanextgenerationofthreats.

Together,theselessonsandexperiencesofferseveralopportunitiesincludingbringingmoretechnicaltalentintoseniorcybersecurityroles,leveragingtheUSDSengagementmodelandstructurewhereappropriate,upgradingFederalcybersecuritypolicytobemoreaccountabletoresultsanddesignedtoevolveastechnologymatures,andconsolidationofcriticalcommonservicesandplatformssuchasemailandproductivity.

TheU.S.DigitalServicehasshownusonemodelforchangeandinnovationandalsodemonstratedanimportantpoint,howchangecanbeachievedcouldbejustasimportantasthequestionofwhatneedstobechangedinanorganizationaslargeandcomplexastheFederalGovernment.Thereisnosimpleanswerbutempoweringthosewhoareclosetotheproblemandunderstandthetechnologywillgetyoualongways.

Thankyoufortheopportunitytospeakwithyoutoday.


AlanDavidsonGoodafternoon.IwanttothanktheCommissionforinvitingmetospeaktoday,andforthetremendouseffortthathasbeenputintothisundertakingalready.

Iwouldliketoexplorethreekeythemestodayforyourconsideration:

• Thedigitaleconomyisnowacentralfeatureofourbroadereconomicprosperity.TheInternetandotherdigitaltechnologieshaveinshortordertransformedtheabilityofpeopleacrosstheglobetoaccessknowledge,toexpressthemselves,tosupportsocialgood,andtoincreasecivicengagement.Thedigitaleconomyisempoweringfutureentrepreneursandtransformingexistingindustries.Anditisstillearly:Inmanywayswehaveonlyjustbeguntorealizethepotentialofthedigitaleconomy.

• Thedigitaleconomywillnotthriveifpeoplecannottrusttheirsecurityonline.Ifwearetoreapthebenefitsofanopenandglobaldigitaleconomyinthefuture,wemustworktogethertobuildtrustforconsumers,businesses,andgovernment.

• Atthesametime,anysolutionswepursuemustbeconsistentwithourvaluesandthestrategicgoalswearepursuinginthedigitaleconomy.Aroundtheworld,badactorsareexploitingcybersecurityweaknessesforeconomicorpoliticalgain.Thenaturalreactionfromsomewillbetorestrictaccessandseekcontrol–anapproachthatalonecouldunderminetheprogressneededtobuildthistrustandsecurity.Weneedtogetcybersecurityright,orriskunderminingtheopendigitaleconomyasatoolforsocialandeconomicgood.

Thistestimonybeginswithalookattheopportunitiesandchallengesofferedbythedigitaleconomytoday,andourstrategicgoalsinpursuingthem.Thenweexaminecybersecurityinthatcontext.

I.TheDigitalEconomy:AStrategicImperative

Itisessentialtounderstandcybersecurityinthebroadercontextofournation’sstrategicapproachtothedigitaleconomyandInternetpolicy.

OurownworkinthisspaceattheDepartmentofCommerceisdrivenbyaconvictionthattheInternetandthebroaderdigitaleconomyareacriticalpartofthefuturesuccessofthebroaderAmericaneconomy.Theyareasourceofjobs;anenablerofglobaltrade;andakeyelementofU.S.competitiveness.Theyalsoenablepeopleathomeandaroundtheworldtoaccessknowledge,buildcommunities,andparticipateinciviclifeinunprecedentedways.

• ConsidertheICTsectoralonecurrentlyrepresentsover5percentofGDP.In2014,theU.S.exported$385billioninpotentiallyICT-enabledservices,imported$231billion,andhadatradesurplusof$154billionfortheseInternetrelatedservices.Globaldataflowshavebeenestimatedtoadd$2.8trilliontoannualglobalGDP.

• Thosenumbersdon’tcapturethedigitaleconomy’strueimpactorpotential.Today,everycompanyisadigitalcompany.FromwebsitestobackendsystemstotheInternetofThings,technologyischanginghowevenmainstreetbusinessesconnectwithconsumersandruntheircompanies.ExpertsestimatethatthisbroaderdigitizationhasthepotentialtoboostannualU.S.GDPupto$2.2trillionby2025.ThiswouldincreaseGDPby6-8percentabovebaselineprojections.

Thissuccessisinmanywaysafunctionofthearchitectureofthemoderndigitaleconomy.Atitsheartistheopen,decentralizedInternet.Thisgatekeeper-freenetworkofnetworkshasallowedinnovationwithoutpermission,andaccessbyanyonewithaconnectiontoinformationandglobalcommerce.Andithasallowedgrowthatscale–adigitaleconomytodaythatencompassesmillionsofcompaniesandorganization,hundredsofmillionsofUSconsumers,billionsofusersworldwide,andnow10sofbillionsofconnecteddevices.


Butwecannottakethissuccessforgranted.

• Technologyischangingrapidly.Weanticipatecontinuedgrowthincomputingpower,connectivity,anddatausagealongwithdevelopmentssuchasartificialintelligenceandtheInternetofThings.Thesewillimpacttheeconomiclandscape(anddirectlyimpactcybersecurity.)

• U.S.businessfacesanintensecompetitionglobally.Americanleadershipisnotguaranteed.

• WehavealsoseentheriseofnewformsofregulationovertheInternet–includingdatalocalization,limitsondataflows,andproposalsmadeinthenameofprivacyorsecurity–thatwouldunderminetheopenandglobalnatureoftheDigitalEconomy.Someofthesepoliciesaremotivatedbyculturaldifferences,andsomebyheartfeltconcernsabouttheneedtoprotectconsumersandbusiness.Butsomeraiseseriousquestionsaboutaccesstoforeignmarkets.Andsomeseemdesignedtounderminetoday’sopenexchangeofinformationandcommerce.

Ifthedigitaleconomyistocontinueonitscurrentcourse,weneedtomakethenormativecasetopeoplearoundtheworldthatafreeandopenInternetisgoodforthemtoo–andthattheywillbesafeandsecurewhentheyuseit.Weneedtoalsoensurethatourownpolicies–includingourapproachtosecurity--donotundermineourvaluesorthesekeyarchitecturalfeaturesorgiveaidandcomforttothoseclosedsocietieswhowould.

Toaddressthesegrandchallengesandopportunities,theCommerceDepartmenthaspursuedaDigitalEconomyagendabasedonfourpillars.

• Thefirstisprotectingcross-borderdataflows,thelynchpinofthedigitaleconomy’ssuccess.TheDepartmentisworkingtopromoteafreeandopenglobalInternet,combatdatalocalization,andpromotemultistakeholderInternetgovernancemodels.

• Thesecondgoalistrust.Thedigitaleconomywillnotsucceedifpeoplecannottrusttheirsecurityandprivacyonline.Inadditiontoitsmanyeffortsaroundcybersecurity,theDepartmentisdeeplyengagedinprivacyprotectionaswellasongoingconversationsaboutgovernmentaccesstodata.

• Thethirdpillarisaccessandskills.Americanbusinessesneedbroadbandinfrastructureandaskilledworkforcetocompete.High-speednetworksareessentialtoeconomicsuccessinthe21stcentury.Yet,aboutaquarterofU.S.householdsstilldonothaveInternetaccessathome.

• Ourfinalpillarisinnovation.Thisincludesourworktopromotesmartintellectualpropertyrulesathomeandabroad.Wealsowanttoengagewithnewtechnologiesearlyinthedevelopmentlifecycle.Thisisoftenthebesttimetosupportnewbusinessopportunitiesandaddresslong-termpolicyconcerns.

TheDOCispursuingthesedigitaleconomyinitiativesinparallelwithavarietyofrelatedworktopromoteuseofgovernmentdata,innovation,andeconomicmeasurement.WealsopartnercloselywithotheragenciesandtheWhiteHouseinpromotingthesegoals.Overall,wearepursuingapolicyapproachtothedigitaleconomythathasevolvedsuccessfullyovertwodecades.Itscoretenetsincludeopenness,decentralization,technologyneutrality,industryleadership,humilityaboutregulation,andappreciationforglobalscopeandscale.ItisanapproachhasbeenembracedbyconsecutiveAdministrationssincethe1997FrameworkforGlobalElectronicCommerce,andenshrinedininternationaldocumentssuchasthe2011OECDPrinciplesforInternetPolicy-Making.

Itisinthiscontextthatweneedtoconsiderourpolicyapproachtocybersecurityandthedigitaleconomy.

II.CybersecuritytoPromotetheGlobalDigitalEconomy

AsthisCommissionwellknows,wefaceagrowingnationalcybersecuritycrisis,withbroadimplications.Thestringofhigh-profileattacksonpopularbrandsandgovernmentinstitutionsfeeda


narrativethatunderminestrust.Andtheglobalreactions,howeverwell-intentioned,mayultimatelythreatenkeyfeaturesofouropendigitaleconomy,orbeusedbythosewhoseektocontroltheflowofinformationandservices.

Ourgreatchallengeistoaddressconcernsaboutcybersecurityinawaythatisconsistentwithourvaluesandeconomicinterests.Ifwedonotaddresstheseconcerns,weriskunderminingtheopen,decentralizedInternet.

Weknowthatanycomprehensiveefforttoimprovecybersecuritywillhavemanyfacets.Thereisnosilverbulletthatwillfixourproblems.Buttherearemajorareasofapproachorinitiativethatcouldeachmakeasubstantialdifference,andtogethercoulddecisivelyimprovesecurityovertime.WhileIamsurethatatthispointtheCommissionisfamiliarwithmuchofthis,letmecommendtoyouafewareasworthyofyourattention.

• Risk-BasedApproaches:TheCommerceDepartment–alongwithourpartnersacrossgovernment–havefocusedonpublic-privatepartnershipsandmultistakeholderprocesses-workingarm-in-armwiththeprivatesectorinprogramsthattheCommissionhasheardquiteabitabout,includingtheCybersecurityFramework.Intheseapproacheswetakeaframingthatisremovedfromsolelypreventinganybadthingsfromhappeningtoanorganization,towardsarisk-basedapproachthatconsidershowanorganizationcankeepdoingwhatitneedstodoafterasuccessfulattack.Responseandrecoverycapabilitiesarecriticalnow.

Thisapproachalsohelpsserveasamodelforothercountries,allowingthemtoalsoworktoaligntheirbusiness’perspectiveswiththeirgovernmentneeds–andpreventingsilosthatthreatenthegrowthoftheDigitalEconomy.

• OpennessandInnovation–Thesolutionsweneedwillcomefromafreeandopenmarket,buildingonthepowerofourresearchanddevelopmentinfrastructure.Thepowerinthedigitalinfrastructuregrewfromamodelof‘permission-lessinnovation,’wherenewideascouldbeimplementedandbuiltuptoscalewithouthavingtoconformtoexistingexpectationsortop-downtechnicalrequirements.Wewillneedthisapproachinthesecurityworld,tohelpidentifynewsolutions,newusesofdata,andnewwaysoflookingatourexistingsystemstoaddressevolvingthreats.

• Private-SectorEngagementandPartnership:AsSecretaryPritzkerhassaid,westilllackeffectivemechanismsforfosteringmeaningfulgovernment-industrycooperationacrossthefullspectrumofcybersecurityissues.Onlybyworkingtogethercanbusinessandgovernmentreapthebenefitsofinnovationandeffectiveriskmanagement.

• SecurityByDesign–Buildingsecurityintooursystems,andintegratingsecuritythinkingintotheentirelifecycleofproductsandservicesiscritical.‘Securitybydesign’cansometimesfeellikeahollowmantra.Everyoneisforit,butevenwhentherearesuccessful,adaptable,scalabletoolsforbuildingsecurityin,wefindtheiradoptionslow.Weneedtofindincentivesandpoliciestohelpthemarketmeetthedemandforsecurity.

• PublicEducation–Breachesandattacksdominateheadlines,butmoreisneededtohelptechnologyusersprotectthemselves.Weneedtofostergreaterawareness,andgivebothconsumersandbusinessesthetoolstounderstandandmanagetheirrisks.Wehaveseenturningpointsinotherpublichealthandeducationcampaigns–aroundseatbelts,littering,forestfires.Whatwillbetheturningpointforcybersecurity--wherecitizensbegintounderstandapersonalconnection?Howdowehelp?

• HarnessNewDevelopmentstoDrivetheMarket–TheInternetofThingsandotherdevelopmentsofferaturningpointtoimproveSMEandconsumerawarenessofsecurityissuesandproducts–thestakesarehigher.Wecancaptureattentionofthemarketandseeadditionalinnovationinthisarea,butgovernmentalsohastoincentivizeprivatesector


playerstocollaborateonsystem-wideissues.Andthisiswherepublic/privatepartnershipscanfillthegap.

• BuildingtheWorkforce-Weneedahighlyskilledandadaptivecybersecurityworkforcetodesign,develop,implement,maintain,andcontinuouslyimprovecybersecurityacrossthedigitaleconomy.WeneedtobuildoninitiativesliketheNationalInitiativeforCybersecurityEducation(NICE),whichasyouknowseekstopromoteacybersecurityworkforcethatmatchestheneedsofbusinessestoday,equipsworkersfor21stcenturycareers,andkeepstheUnitedStatesontheleadingedgeofcompetitivenessworldwide.Itisdesignedtofosterandpromoteanecosystemofcybersecurityeducation,training,andworkforcedevelopment.

III.Conclusion

Inclosing,weknowprogressinthisareawillbelongandhard-fought.Improvingcybersecuritywillrequireustolookbeyondpoint-in-timesolutionsandfocusondevelopingasetofbroadinitiativestostayaheadofanevolvingthreatinaverydynamicbusinessandtechnicalenvironment.Togetitrightwillrequiretheinterplayoftherightsetofactivitiesfromboththepublicandprivatesectors.

Iencourageyou,asyouthinkaboutyourrecommendations,toconsiderthebroadercontextofdigitaleconomypolicy-makingthatweareengagedin.Weneedtoensurethatourownpolicies–includingourapproachtosecurity–donotundermineourvalues,orgiveaidandcomforttothoseclosedsocietieswhowould.Ifthedigitaleconomyistocontinueonitscurrentcourse,weneedtomakethecasetopeoplearoundtheworldthatafreeandopendigitaleconomyisgoodforallofus.

Itisforumslikethese–whereweopenlydiscusstheseissues–thatgivesusanadvantagetoestablishthetrustweneedforthisprogress.Thankyouforyourtimeandattentiontoday,andforyourservice.


KarenEvansGoodMorningChairmanDonilon,Vice-ChairmanPalmisanoandDistinguishedMembersoftheCommission.IamKarenEvans,theNationalDirectoroftheUSCyberChallenge,whichisaprogramwithintheCenterforInternetSecurity,anot-for-profitorganization.However,Iamheretodayrepresentingmypreviousrole,AdministratorforE-GovernmentandInformationTechnology.ThisroleisnowknownastheChiefInformationOfficerforUSGovernment.IheldthispositionfornearlysixyearsduringtheGeorgeW.BushAdministration.Priortothisappointment,Iwasacareerfederalemployeeservinginmultiplepositionsatvariousdepartmentsandagencies,culminatinginmyappointmentintotheSeniorExecutiveService(SES)astheChiefInformationOfficer(CIO)attheDepartmentofEnergy.

IwouldliketothankyoufortheopportunitytosharewiththeCommissionmyviewsonthetopic,“Howdidwegettohere?ThePoliciesthatShapeToday’sFederalITLandscape.”

AswearefocusingonfederalIT,Iwilllimitmycommentsspecificallytopoliciesand/orlegislationdirectlyaffectingthefederallandscape.However,thatsaid,thereareothermajorlegislativereformsthatdoneedtobeaddressedthatdirectlyaffectdepartmentandagenciessuchasdataownership.

Veryearlyinmycareer,ImanagedthefirsthackingincidentofthefederalgovernmentattheDepartmentofJusticewhichoccurredAugust1996.Sincethen,thelandscapehaschanged,thethreatsareeverincreasing,statutesandpolicieshavebeenupdated.Iwillfocusmyrecommendationsinthreemajorareas:procurement,workforceandleadershipwithaccountability.

1. Procurement:Agenciesalreadyhavethetoolstheyneedtoaddresscybersecuritygaps.

ManyanalystsassertthefederalprocurementrulesknownastheFederalAcquisitionRegulations(FAR)needtochange.Conversely,Irecommendfederaldepartmentandagenciesshouldactuallyenforcethetermsandconditionsoftheircontractstoproducebetterresults.Forexample,thefollowingisalreadyrequiredtobeincludedincontracts:

AllinformationtechnologyacquisitionsmustmeettherequirementsoutlinedintheFederalAcquisitionRegulation(FAR)Part39.101(d)policyensuringtheuseofcommonsecurityconfigurationchecklistsinthemanagementofrisk.NationalInstituteofStandardsandTechnology(NIST)definesasecurityconfigurationchecklist(alsocalledalockdown,hardeningguide,orbenchmark)asadocumentthatcontainsinstructionsforsecurelyconfiguringanITproductforanoperationalenvironmentorverifyingthatanITproducthasalreadybeensecurityconfigured.TheNationalChecklistProgram(NCP)thatenablesnumerousSecurityControlsActionProgram-validatedsecuritytoolstoautomaticallyperformconfigurationcheckingusingNCPchecklists.Wheneverfeasible,organizationshouldapplycheckliststooperatingsystemsandapplicationstoreducethenumberofvulnerabilitiesthatattackerscanattempttoexploitandtolessenthepotentialimpactofsuccessfulattacks.

Thistextbegsthequestions:howmanyagenciesareactuallyusingtheNCPchecklistsandenforcingthisprovision?Aretheyusingthetoolsdeveloped?Aretheyrequiringbenchmarks?Areagencieseffectivelyusingtheresourcestheyalreadyhave?

2. Workforce:Agenciesneedleaderswhohavetheskillstousethetoolsandproducedesired

results.Thefederalgovernmenthasmuchworktodoinimprovingskillsandcapabilitiesatmanylevelsofthetechnologyworkforce.MyeffortswiththeUSCyberChallengearefocusedonincreasingthenumbersofqualifiedcybersecuritypersonnelwhohavetheappropriatetechnicalskills.WeestablishedtheportalCyberCompEx.org(http://www.cybercompex.org),whichservesas“socialnetworking”siteforindividualsinterestedinpursuingcybersecuritypositionsaswellasforemployers.Thisworkisaresultofajointeffortbetweenthefederal


government(DepartmentofHomelandSecurity,ScienceandTechnologyDirectorate)andourprivatesectorpartnersincludingSANS,AmazonWebServicesandMonster.com.

However,IwouldliketospecificallycommentonthechangingskillssetsneededbyCIOs.ManyCIOsarguetheydon’t“haveaseatatthetable.”Iwouldarguethat“aseatatthetable”isearnedbyhavingtheskillsandabilitiestocontributetotheagency’smissionincludingprotectingtheagencyfromthreats.Iamhopefulthis“excuse”willgoawaywiththepassageoftheFederalInformationTechnologyReformAct(FITARA)1andwiththeupdateoftheFederalInformationSecurityModernizationAct(FISMA)of20142.TheskillssetneededbytheCIOsincludesmorethanjustunderstandingpolicy.Inmyopinion,CIOswhohavetechnicalskillsandunderstandingcombinedwiththegoodcommunicationsandinterpersonalskillswillbesuccessful.CIOsarethestrategicadviserstotheheadstheFederaldepartmentsandagenciesregardingtheuseandmanagementofinformationwhilemanagingtheriskassociatedwithuseoftechnologytoprovidethedepartmentandagencymissionservices.MyrecommendationtotheCommissionwouldbetourgerigorousenforcementoftherequirementthatCIOspossessBOTHthetechnicalandpolicyskillstoservetheiragencies.WhethertheCIOispoliticalorcareer,thejobdescriptionshouldbeconsistentwithOMBassistingboththeOfficeofPersonnelManagementandWhiteHousePresidentialPersonnelwiththeselectionsasenvisionedbytheClinger-CohenActof19963.

3. Leadershipwithaccountability:Weknowwhatneedstobedone.Wehaveanalyzedthis

challengeoverandoveragain.Thedepartmentsandagencieshaveplansuponplanswiththemostrecent,CybersecurityNationalActionPlan(CNAP).Weneedtoexecuteofthoseplans.Theexcuseshavebeenaddressed:CIOauthorities,FISMAupdated,theOfficeofManagementandBudget(OMB)CircularA-130hasbeenupdated.Weneedtheleadershipandthewilltogetthehardworkdone.TheleadershipcomesfromExecutiveOfficeofthePresidentandtheappropriateorganizationssuchasOMBandtheNationalSecurityCouncil.Withinthedepartmentsandagencies,theleadershipneedstobethesecretaryortheheadoftheagency.TheCIOsupportstheagencyheadbutallthelegislationisclear,itistheagencyheadwhoisresponsibleandaccountabletothePresident.Intheprivatesector,theCEOisresponsibleandaccountable.TheCEOhasresponsibilityforallaspectsincludinginformationtechnology,cybersecurityandtheassociatedrisks.Itisnecessaryforthesametooccurwithinthefederalgovernment.

ThankyouagainMr.Chairmanforallowingmetoprovideinputintothisprocess.Iwillcontinueassistyoureffortsasyoumayneed.Iamhappytoanswerquestionsyouortheothermembersmayhaveatthistime.

1 TitleVIII,SubtitleDoftheNationalDefenseAuthorizationAct(NDAA)forFiscalYear2015,P.L.No.113-2912 P.L.No.113-2833 Pub.L.No.104-106,NationalDefenseAuthorizationActforFiscalYear1996.


EricFischerChairmanDonilon,ViceChairmanPalmisano,anddistinguishedMembersofthePresident'sCommissiononEnhancingNationalCybersecurity:Thankyoufortheopportunitytodiscusswithyoutodayissuesrelatedtotheroleoffederalinformationtechnologypoliciesinshapingthecybersecuritylandscape.MynameisEricFischer,andIamtheSeniorSpecialistinScienceandTechnologyattheCongressionalResearchService(CRS).

CRSisalegislativesupportagencyfortheU.S.CongressandispartoftheLibraryofCongress.AmajorpartofthemissionofCRSistoprovideCongresswithnonpartisan,objectiveinformationandpolicyanalysisonlegislativeissues.Inkeepingwiththatmission,CRSstaffdonotadvocateforortakepositionsonpolicy.Consequently,thisstatementdoesnotincludeanyrecommendationsandshouldnotbeinterpretedtoreflectanyassociationwithrecommendationsmadetoorbytheCommission.

Thefederalroleincybersecurityiscomplex,andthatincludestheroleoflegislation.Nosingleoverarchingframeworklegislationisinplace,butmanyenactedstatutes—morethan50—addressvariousaspectsofcybersecurity.Somenotablelawswithprovisionsrelatingtofederalinformationsystemsincludethese:

• TheNationalInstituteofStandardsandTechnology(NIST)Act(15U.S.C.§271etseq.),asoriginallyenactedin1901,createdtheNationalBureauofStandards(renamedNISTin1988)andgaveitresponsibilitiesrelatingtotechnicalstandards.Lateramendmentsestablishedacomputerstandardsprogramandspecifiedresearchtopics,amongthemcomputerandtelecommunicationsystems,includinginformationsecurityandcontrolsystems.

• TheBrooksAutomaticDataProcessingAct(P.L.89-306),enactedin1965,gavetheGeneralServicesAdministration(GSA)authorityoveracquisitionofautomaticdataprocessingequipmentbyfederalagencies,andgaveNISTresponsibilitiesfordevelopingstandardsandguidelinesrelatingtoautomaticdataprocessingandfederalcomputersystems.ItwasrepealedbytheClinger-CohenActof1996.

• ThePrivacyActof1974(P.L.93-579)limitedthedisclosureofpersonalinformationheldbyfederalagencies.Itestablishedacodeoffairinformationpracticesforcollection,management,anddisseminationofrecordsbyagencies,includingrequirementsforsecurityandconfidentialityofrecords.

• TheComputerSecurityActof1987(P.L.100-235)requiredNISTtodevelopandtheSecretaryofCommercetopromulgatesecuritystandardsandguidelinesforfederalcomputersystemsexceptnationalsecuritysystems.Thelawalsorequiredagencyplanningandtrainingincomputersecurity(thisprovisionwassupersededbytheFederalInformationSecurityManagementActof2002).

• TheHighPerformanceComputingActof1991(P.L.102-194)establishedafederalhigh-performancecomputingprogramandrequiresthatitaddresssecurityneedsandprovideforinteragencycoordination.Amongitsactivitiesisproductionofanannualbudgetsupplementonfederalresearchanddevelopment(R&D)onnetworkingandinformationtechnology,whichhasincludedcybersecurityasaprogramareasinceFY2007.

• ThePaperworkReductionActof1995(P.L.104-13)gavetheOfficeofManagementandBudget(OMB)authoritytodevelopinformation-resourcemanagementpoliciesandstandards,requiredconsultationwithNISTandGSAoninformationtechnology(IT),andrequiredagenciestoimplementprocessesrelatingtoinformationsecurityandprivacy.

• TheClinger-CohenActof1996(P.L.104-106)requiredagenciestoensureadequacyofinformation-securitypolicies,OMBtooverseemajorITacquisitions,andtheSecretaryofCommercetopromulgatecompulsoryfederalcomputerstandardsbasedonthosedevelopedbyNIST.Itexemptednationalsecuritysystemsfrommostprovisions.


• TheFloydD.SpenceNationalDefenseAuthorizationActforFiscalYear2001(P.L.106-398)establishedaninformationassurancescholarshipprogramintheDepartmentofDefense(DOD).Italsosetcybersecurityrequirementsforfederalsystems,butwassupersededbyFISMAin2002.

• TheFederalInformationSecurityManagementAct(FISMA2002,P.L.107-296andP.L.107-347)createdacybersecurityframeworkforfederalinformationsystems,withanemphasisonriskmanagement,andrequiredimplementationofagency-wideinformationsecurityprograms.ItgaveoversightresponsibilitytoOMB,revisedtheresponsibilitiesoftheSecretaryofCommerceandNISTforinformation-systemstandards,andrequiredOMBtopromulgatemandatorycybersecuritystandardsdevelopedbyNISTforfederalsystems.FISMAisarguablythestatutewiththebroadestapplicationspecificallytothecybersecurityoffederalcivilianinformationsystems.

• TheHomelandSecurityActof2002(P.L.107-296)establishedtheDepartmentofHomelandSecurity(DHS)andtransferredtheFederalComputerIncidentResponseCenter(nowUS-CERT)fromGSAtoDHS.In2006,theDepartmentofHomelandSecurityAppropriationsAct(P.L109-295)createdthepositionofAssistantSecretaryforCybersecurityandCommunicationsinDHSbutdidnotspecifyresponsibilities.

• TheE-GovernmentActof2002(P.L.107-347)guidesfederalITmanagementandinitiativestomakeinformationandservicesavailableonline;establishedtheOfficeofElectronicGovernmentwithinOMB,theChiefInformationOfficers(CIO)Council,andagovernment/private-sectorpersonnelexchangeprogram;andcontainsvariousotherrequirementsforsecurityandprotectionofconfidentialinformation.

• TheCybersecurityWorkforceAssessmentAct(P.L.113-246),enactedin2014,requiredanassessmentbyDHSofitscybersecurityworkforceanddevelopmentofaworkforcestrategy.

• TheCybersecurityEnhancementActof2014(P.L.113-274)providedstatutoryauthorityforanexistingNSFscholarshipandrecruitmentprogram(calledScholarshipforServiceorCybercorps)tobuildthefederalcybersecurityworkforce.

• TheBorderPatrolAgentPayReformActof2014(P.L.113-277)providedadditionalDHShiringandcompensationauthoritiesandrequiredaDHSassessmentofworkforceneeds.

• TheFederalInformationSecurityModernizationAct(FISMA2014,P.L.113-283)retained,withsomeamendments,mostprovisionsofFISMA2002.ChangesincludeprovidingstatutoryauthoritytoDHSforoverseeingoperationalcybersecurityoffederalcivilianinformationsystems,requiringagenciestoimplementDHSdirectives,andrequiringOMBtoestablishproceduresfornotificationandotherresponsestofederalagencydatabreachesofpersonalinformation.

• TheCybersecurityActof2015(P.L.114-113)establishedinstatutetheDHSintrusion-protectionprogramknownasEINSTEIN,requiresagenciestoadoptitandimplementadditionalcybersecuritymeasures,andgaveDHSadditionalauthorityintheeventofanimminentthreatoremergency.Italsofacilitatespublic-andprivate-sectorsharingofinformationoncyberthreatsanddefensivemeasuresandrequirestheOfficeofPersonnelManagement(OPM)toestablishandimplementanemployment-codestructureforfederalcybersecuritypersonnel.

Theselectionoflawsdescribedabovearelargelydesignedtoaddressseveralwell-establishednear-termneedsinprovidingcybersecurityforfederalsystems,includingagencyresponsibilitiesandprograms,developmentandapplicationofstandards,informationsharing,andworkforcedevelopment.Thegapincybersecuritylegislationbetween2002and2014illustratesthecomplexitiesanddifficultiesassociatedwithlegislatinginthisarea.AfterenactmentofFISMA2002,Congressdidnotturnagaintosignificantlegislativeactivityincybersecurityuntil2009.Despitemanycallsand


attemptstoupdateFISMA,itwasnotsuccessfullyamendeduntiltheendof2014.Similarly,attemptstopasslawstoaddresslongstandingissuessuchasinformationsharingwereunsuccessfuluntiltheendof2015.

Thenear-termneedsexistinthecontextofmorefundamentalanddifficultlong-termpolicychallengesthat,whiletheymightbeaddressedinpartthroughlegislation,alsoarguablyexacerbatethedifficultiesofenactingeffectivepolicythroughlegislationandothermeansinthisarea.Theexistenceofsuchchallengeshasbeenrecognizedbyvariousobserversovermanyyears.Theycanbecharacterizedinmanydifferentways.Anapproachthatmaybeusefulistocharacterizeaparticularsetthatcouldbeusedtoinformlonger-termgovernmentandprivate-sectoractivities.Onesuchsetconsistsoffourinterdependentchallenges:design,incentives,consensus,andenvironment(DICE).Legislationcanpotentiallyhaveanimpactonallfour,andsomerecentlyenactedstatutesarguablyaffectaspectsofthem.Whilethechallengesapplybroadlyacrosssectors,theyhavesignificantimplicationsforthecybersecurityoffederalsystems.

Design.Expertsoftensaythattobeeffective,securityshouldbeanintegralpartofhardwareandsoftwaredesign,notsomethingthatisaddedontowardtheendofthedevelopmentcycle.Securitythatisaddedonisoftencriticizedasbeinglesseffectiveandmorecumbersomethansecuritythatisbuiltin.Yet,traditionally,developersappeartohavefocusedmoreonfeaturesotherthansecurity,largelyforeconomicreasons.Totheextentthatinvestmentinsecurityisperceivedtoimpedeinvestmentinotherfeaturesortoextendthetimerequiredtodevelopanewproductorservice,itmaynotberegardedascost-effective.Also,securityrisksthatmayariseinthefuturecanseldombepredictedwithcertainty,posingadifficultchallengefordesigners.

Harmonizingsecuritywithusabilityisalsopartofthischallenge.Ifcyberspacehasnotbeendesignedwithsecurityinmind,itcanalsobesaidthatsecurityhasnotbeendesignedwithusabilityinmind.Poorusabilitycanmakesecuritymuchlesseffective.Astherecentdebateoverpasswordshasillustrated,userswilloftenfindwaystoworkaroundusabilityproblemswithsecurityfeatures,evenifsuchworkaroundscompromisetheeffectivenessofthosesecuritymeasures—forexample,byusingthesamepasswordfordifferentpurposesorrecordingpasswordsinwaysthatcouldbeaccessedbyothers.Investmentsineducationandawarenessseemunlikelytobesufficientbythemselvestosolvethatproblem.Educatingpeopleabouttheimportanceofgoodpasswordsecuritydoesnotsolvetheusabilityproblem.

Whatcanbedonelegislativelyaboutthedesignchallenge?OneoptionisthroughfederalinvestmentinR&D.TheCommissionmightwishtoaskifthecurrentdegreeofemphasisondesignR&D,includingusability,issufficienttomeetthischallenge,orwhetherfederalresearchprioritiesneedtoberevised.AnotheroptionwouldbetodetermineifsecurityisasufficientlyintegralpartoftheeducationandtrainingofITengineersandprogrammersatpresent,orifcurriculaneedtoberevisedtoensurethatthosereceivingdegreesunderstandtheimportanceofcybersecurityandhowtoimplementitinsystemdesign.

Athirdoptionistoexaminehowthefederalgovernment,asoneofthelargestusersofITproductsandservicesintheworld,canuseitsacquisitionleveragemoreextensivelytoadvancedevelopmentandimplementationofcybersecurity.(WhilethetermITisusedinthisstatement,theoriginalITindustryhasalsoincreasinglyconvergedwiththecommunicationsindustryintoacombinedsectorcommonlycalledinformationandcommunicationstechnology,orICT,towhichmanyofthepointsmadeinthisstatementmayalsoapply.)Forexample,EPEATisagreenelectronicslabelbasedonarecognizedmultifactortechnicalstandard(IEEEStandard1680).Itwasdevelopedbyaprivate,nonprofitorganizationwithpartialfundingfromtheEnvironmentalProtectionAgency(EPA).ExecutiveOrders13423(StrengtheningFederalEnvironmental,Energy,andTransportationManagement)and13514(FederalLeadershipinEnvironmental,Energy,andEconomicPerformance)requireagenciestoacquireEPEAT-labelledelectronicproducts,ifavailable,inmostinstances(48C.F.R.23.704).EPAalsodevelopedtheFederalElectronicsChallenge(FEC),apartnershipaimedatfacilitatinggreenpracticesinpurchase,use,anddisposalofelectronics.Suchexamplesofmultifactorapproachestocomplex


issuesmightbeworthexaminingfortheirpotentialapplicabilitytoimprovingthecybersecurityoffederalinformationsystems.

Incentives.Thestructureofeconomicincentivesforcybersecurityhasbeencalleddistortedorevenperverse.Cybercrimehaslongbeenregardedbymanyobserversascheap,profitable,andcomparativelysafefortheperpetrators.Incontrast,cybersecuritycanbeexpensive,isbyitsnatureimperfect,andtheeconomicreturnsoninvestmentsareoftenunsure.Akeyquestionis,howdoesoneincreasethenetcostofcybercrimeandmakecybersecuritymoreeffectiveandaffordable?Therearevariouspotentialwaysthatbothofthosegoalscanbeapproached,suchasincreasingpenaltiesforcybercrime,improvementsinsystemandprocessdesign,anddevelopmentofthecybersecurityinsurancemarket.

AnadditionalconsiderationisthedegreetowhichusersdemandgoodcybersecurityasanessentialfeatureofITsystemsandservices.Itcanbearguedthatthisproblemwillpersistuntiluserstreatgoodcybersecurityasanessentialpartofthevaluepropositionwhenconsideringtheacquisitionofgoodsandservices.Sothequestionbecomes,howdoesoneshiftthedemandcurveforcybersecurityinthedesireddirection?Changesinconsumerattitudesaboutautomobilesafetyillustratethatsuchshiftingispossible.Inthe1950s,consumersdidnotrespondwelltoattemptsbymanufacturerstoadvertisethesafetyfeaturesoftheirvehicles.Avarietyoffactors,includingcampaignsbyactivistgroups,mediaattention,technologyinnovations,andfederalandstatelegislationsettingsafetystandardsanddriverrequirements,amongothers,ledoverthefollowingdecadestoashiftinconsumerdemandforsafetyfeatures,whicharenowcommonlypromotedinautomobileadvertisingcampaigns.

Thedemandcurveforcybersecurityvariesamongsectors.Forthegovernmentsector,withitsinherentlymonopolisticfeaturesandpowersofcompulsion,trustisanimportantexpectationforconsumers,sothedemandforsecurityshouldarguablybemuchhigherthanformanyothersectors.Fromthatperspective,onecanarguethatgovernmentshouldbealeaderinensuringthecybersecurityofitsinformationinfrastructure.Thatdoesnot,however,appeartobeawidelyheldviewatpresentamongobservers.AquestionfortheCommissionmaybewhatshouldthefederalgoalbewithrespecttonationalandevengloballeadershipincybersecurityoffederalinformationsystems,andhowcanitbeachieved?Similarargumentscanbeappliedtononfederalgovernmentsystems.

Consensus.Cybersecuritymeansdifferentthingstodifferentstakeholders.Thereareoftendisagreementsonitsmeaning,implementation,andrisks.Substantialculturalimpedimentstoconsensusalsoexist,notonlybetweensectorsbutwithinsectorsandevenwithinorganizations.EffortssuchasthedevelopmentoftheNIST-ledcybersecurityframeworkappeartobeachievingsomeimprovementsinsuchconsensus.OneoptionforaddressingthischallengewouldbetobuildontheNISTeffort.Itmightalsobepossibletousethestandards-developmenteffortestablishedforinformationsharingandanalysisorganizationsbyExecutiveOrder13691(PromotingPrivateSectorCybersecurityInformationSharing)asaleverforbuildingconsensuswithinandacrosssectors.

Thereisalsoafundamentalconceptualproblemthatmayimpedethedevelopmentofausefulconsensus.Theincreasingeconomicandsocietalprominenceandgrowthofcyberspacearisestoasignificantdegreefromitsabilitytoconnectthingsandapplycomputingpowertotheminunprecedentedandusefulways.Incontrast,securitytraditionallyinvolveskeepingthingsapartbyisolatingprotectedassetsfrompotentialthreats.Thatarguablycreatesafundamentalconflictwithrespecttohowtheneedforsecuritycanbereconciledwiththebenefitsofconnectivityincyberspace.Increasingly,cybersecurityexpertsandotherobserversarearguingthattraditionalapproachessuchasperimeterdefenseareinsufficient,butconsensusonanewconceptualframeworkhasyettoemerge.OneoptionfortheCommissionwouldbetodetermineifR&Dandothereffortsshouldbeacceleratedtodevelopsuchanewframework.

Theconsensuschallengeiscomplex,andanessentialstepinresolvingitislikelytobeidentifyingthekeyareaswhereconsensusislacking.Itmightbeworthconsideringwhethermoreeffortshouldbe


giventoexpresslyidentifyingthoseareas,andwhatcanbedonetoresolvethosedifferences.EffortssuchastheNISTframeworkmightserveasusefulmodelstoconsider.

Environment.Cyberspacehasbeencalledthefastestevolvingtechnologyspaceinhumanhistory,bothinscaleandproperties.Thisrapidevolutionposessignificantchallengesforcybersecurity,exacerbatingthespeedofthe“armsrace”betweenattackersanddefenders,andarguablyprovidingasignificantadvantagetotheformer.Newandemergingpropertiesandapplications—especiallysocialmedia,mobilecomputing,bigdata,cloudcomputing,andtheInternetofThings—furthercomplicatetheevolvingthreatenvironment,buttheycanalsoposepotentialopportunitiesforimprovingcybersecurity,forexamplethroughtheeconomiesofscaleprovidedbycloudcomputingandbigdataanalytics.Inasense,suchdevelopmentsmayprovidedefenderswithopportunitiestoshapetheevolutionofcyberspacetowardastateofgreatersecurity.However,anysuchattemptswouldpresumablyneedtotakeintoaccounttheinertiacreatedbythesubstantialpresenceoflegacysystems.ThathasbeencitedasaprobleminparticularforfederalIT.

Atthesametimethatcyberspaceisevolvingsorapidly,therearecorecomponentsthatarehighlyconserved.Forexample,thefundamentalmodelusedforInternetcommunicationshasbeeninusefordecades.

Suchacombinationofobservedandevolvedfeaturesisanalogousinsomewaystotheevolutionofbiologicalorganisms.AsthegeneticistFrancoisJacobpointedoutmanyyearsago,theevolutionaryprocessactsmorelikeatinkererthananengineer.Asaspeciesevolves,newfeaturesoftenevolvefromoldones(aclassicexampleisthehistoricalrelationshipbetweenthegillarchesoffishesandthebonesofthehumanmiddleear),andevennewonescanonlyfunctioneffectivelyinconjunctionwithexistingcomponents.Whileitiseasytotakesuchanalogiestoofar,itmaybeusefultopointoutthatattemptstoshapetheevolutionofcyberspacetowardgreatercybersecurityneedtoconsiderthewholecyberspace“organism,”notjustindividualcomponents.

Thecontinuingevolutionofcyberspacealsoimpliesthatitisnotyetamaturetechnologyspace.Thatcharacteristiccreatesuncertaintiesthatcanaffecttheabilityofgovernmentstocreatestableandeffectivepoliciesandsuggeststhatattemptingtoapplypolicyapproachesdesignedforstableandmaturetechnologiesmaynotbeoptimal.

ElectionSecurity.Cybersecurityasappliedtotheadministrationoffederalelectionsisanexamplethat,whileitdoesnotdirectlyinvolvefederalIT,illustratestheroleofallfourchallenges.Itmightbeconsideredaspecialcase,giventheroleofstategovernmentsinrunningelections,butitisanissueofnationalconcern,anditmaynotbeasatypicalasitappears,giventhatmostofthecomponentsofthenation’scriticalinfrastructureareownedandoperatedbytheprivatesector.

Thesecurityofcomputertechnologyusedinelectionshasreemergedthisyearasasignificantissue.Ithaslongbeenarguedthatelectronicvotingsystemshavenotbeendesignedwithadequateconsiderationofsecurity.ThefederalrequirementsintheHelpAmericaVoteActof2002broughtnewfocustothisissuebyfacilitatingtheuseofvotingsystemsbystatesthatrecordvotesdirectlytoacomputermemory.Whenexpertsandadvocatesraisedconcernsabouttherisksposedbyattemptstotamperwithsuchsystems,acommonresponsebyelectionofficialswastoaddsecuritylayers,whichinmanycasesdecreasedusability.

Addressingthoseissuesisdifficultinpartbecausethevotingsystemmarketisfragmentedandepisodic,withafixedcustomerbase.Thosefeaturescancreatesignificantbarriersforentryintothemarketbyentrepreneursandreduceincentivesforinnovation.Theshort-termfundingthatHAVAprovidedinFY2003andFY2004helpedstatesreplaceantiquatedequipment,butitdidnotappeartostimulatemuchinnovation,withafewexceptionssuchasthedevelopmentofelectronicpollbooks.EvenwiththeattentionpaidtosecurityaftertheenactmentofHAVA,thereisalackofconsensusoverallaboutthesecurityofourelectionsystem.Someobserversexpressconcernsthatcyberattacksonvotingsystemscouldaffectvotecountsandthatattacksonregistrationsystemscoulddisruptvotingorpreventlegitimatevotersfromcastingballots.Othersarguethatthedecentralizationand


diversityofthenationalelectioninfrastructure,alongwiththerangeofsecuritymeasuresthatstateandlocalelectionofficialshavealreadyimplemented,posessufficientbarrierstopreventacoordinatedattackfromhavingsignificantimpact.

ConcernshavebeenexacerbatedbothbytheincreaseduseofITbystateandlocalelectionoffices—stimulatedinpartbyanotherHAVArequirementforcomputerizedstatewidevoterregistrationlists.Thethreatenvironmenthasalsochanged,asdemonstratedbyevidenceofattemptedinterferencebynation-statesthroughcyber-intrusions.Whileelectionsarerunbystates,thefederalgovernmentplaysanimportantrole,especiallythroughHAVA,anditmightbeworthwhiletoconsiderhowaconsensuscanbereachedonwhetherthefederalroleshouldchangegiventhecurrentandanticipatedthreatenvironment.


RickGeritzTheshortageofcybersecuritytalenthasbecomeoneofthemostvisibleandpressingissuesintheUnitedStatesascybersimpactseveryaspectoftheeconomyfromfinance,energyandhealthcare,totelecommunicationsandcriticalinfrastructure.Thishasadirectimpactonournation’sabilitytocreatethecybersecurityskillsneededtoprotectourcountryandinnovateourfuture.

Meetingthischallengeinasustainablewaymustbeginwitheducation.

Highschoolsanduniversitiesarebeingchallengedtointroducecybersecuritytothenation’snextgenerationinordertocreateasubstantialpipelineofinspired“cyberstudents”.Therealityisthathighschoolsandteacherslackcybersecurityskillsandtraining.Cybersecurityisthemodernequivalentofthespacerace.Theneedforcybersecurityalreadyimpactscultureandeducationinmuchthesamewaythespaceracedid.Technologyisthenewalphabetandthefoundationfordigitalopportunities.

Policymakersarefocusedontheimperativetocreatethe“cybergeneration,”assoprescientlystartedbytheObamaAdministration,whichiscontinuingtomakecybereducationapriorityonanationwidebasis.ThisisbeingdonewiththecreationandfullsupportoftheNationalInitiativeforCybersecurityEducation(NICE),theNationalScienceFoundation(NSF)andDoC...andbyappointingaCommissionthatreliesprimarilyonprivatesectorexpertisetoaddresstheimportantquestionsofwhathastobedonetoimproveandensureourcollectivecybersecurity.

Policymakersseekplatformswhichoperateasacceleratorsandforcemultipliersforstudentstotestdrivecybersecuritycareeroptionsthroughscalablementorshipprograms.Evidence4informsusthatmentoringiscritical--tobothstudentsandteachers--toimpartingup-to-dateknowledgeaboutthefield,themarketplaceneeds,andcareeropportunities.Theseplatformsmustbedesignedtofacilitatethespiritofcollaborationamongallparticipantscommittedtotheuniversalgoal--tooptimisethenational,andultimatelytheplanetaryhumancapitalbase.

Ourtaskisto:

• makecybersecurityrelatableforstudentssotheyareeagertolearn;

• showcasetherewardingandindemandcareersincybersecurity;and

• improvetheknowledgeandcapabilityofeducatorsinordertoinspirestudentstobecomepartofAmerica’sdigitaleconomy.

WeherewithsubmitrecommendationsthatwouldpositivelyimpactAmerica’spipelineofqualifiedstudents--theNextCyberGeneration--enteringourworkforce:

(1)A“DayofCyber“exposureofcybersecurityskillstoallstudentssotheyunderstandtheopportunity;

(2)Anat-scalementoringsystemthattapsintoindustry’scurrentexpertsandspecialists;

(3)Cybersecuritytrainingforallteachersinthenation,irrespectiveofbackgroundorcurrentcourse/teachingassignments;and

(4)Anationwidecybersecurityinformationalandpromotionalframeworkforuniversityuseinattractingandmotivatingstudentstoenter,andremainincybersecurityprograms.

4 2008studybyNIH:DoesMentoringMatter?AMultidisciplinaryMeta-AnalysisComparingMentoredand

Non-MentoredIndividuals.LillianT.Eby,TammyD.Allen,SarahC.Evans,ThomasNg,andDavidDuBois.Ourfindingsaregenerallyconsistentwithpreviousreviewsfocusingonaspecifictypeofmentoring(youth,academic,workplace).BothAllenetal.(2004)andUnderhill(2006)foundsignificantrelationshipsbetweenworkplacementoringandcareerattitudes,workattitudes,andsomecareeroutcomes.Reviewsofyouth(DuBoisetal.,2002)andacademic(Sambunjaketal.,2006)mentoringfoundanassociationbetweenmentoringandbothcareerandemploymentoutcomes.


ThankyouMr.Chairman,forallowingmetocontributetothisimportantprocess.Weremaincommittedtoassistingfurtherasneeded.I’mhappytoansweranyquestionsthatyouorothermembersmighthaveatthistime.


EricMillThankyoutoChairmanDonilon,ViceChairmanPalmisano,andtheotherdistinguishedmembersoftheCommissionforinvitingmetoappearheretoday.

IworkattheGeneralServicesAdministration,whereIhaveservedasapolicyadvisorforGSA’sTechnologyTransformationServiceandasoftwareengineeronits18Fteam.Mycommentstodayaremyown,anddonotnecessarilyrepresenttheentiretyofGSA,butIhopethattheycanoffertheCommissionsomepracticalperspective.

MyworkatGSAincludesastrongfocusoninformationsecuritypolicyandpracticeinthefederalgovernment.Thismeansnotonlydevelopingpoliciesthatimprovefederalinformationsecurity,butdevelopingnewsoftwaretoolstosupportpolicyimplementation,andworkingdirectlywithagenciestoidentifyandresolvetechnicalissues.

Today,Iwanttoshareafewsuggestionsfrommyworkinthefederalgovernment.Theyareeachsimpleinconcept,butalsochallengecoreassumptionsandoperationsinfederalagencies.5

First,federalagenciesmustrecruitandelevateactivetechnicalpractitionerswithintheirorganization.Employingstaffwithactivetechnicalskillsisabsolutelynecessaryinorderforagenciestocontrolfundamentalaspectsoftheirinformationsecurityposture.

Thismeanshiringengineers,penetrationtesters,andothertechnicalspecialiststoperformtechnicalfunctionsin-house.Today,thisissomethingthatmanyfederalagencies--evenagencyIToffices--oftensimplydonotdo.Instead,manyagencieslargelyoutsourcetechnicalanalysis,engineering,anddeploymenttasks.Thegrowthof“digitalservices”teamsinfederalagencieshasmadeapositiveimpactonbringingtechnologistsintogovernment,buttheseteamsarenotusuallytaskedwithperformingkeyagencyITmanagementorinformationsecurityfunctions.

However,simplyhiringtechnicalspecialistsisnotenough.Forthepublicservicetogetthemostvaluefromitstechnicalstaff,andforitstechnicalstafftogetthemostvaluefromtheirpublicservice,practitionersmusthavetheautonomytosetagencystrategyandtoimplementmodernsolutions,andmustbegivenavoiceonagency-wideandgovernment-widedecisions.

Thisrequiresagenciestomakerealinvestmentsintheirtechnicalstaff,andfortheirformalhierarchytocontemplateplacingpractitionersinseniorpositionswithbroadmandatestodirectlyimproveagencyITandinformationsecurity,withoutnecessarilyrequiringthesepositionstobesupervisory.Italsorequiresthatagenciesintegratetheirtechnicalstaffintointernalandgovernmentpolicy-makingprocesses.Justasagenciescallupontheirlegalstafftoprovidemorethanroteanalysesoflegalrisk,agenciesshouldbecomeaccustomedtorelyingontheirtechnicalstaffwhenmakingstrategicdecisions.

Second,thefederalgovernmentmustdrasticallychangeitsapproachtoinformationsharing.Overwhelmingly,federalagenciesdefaulttosevererestrictionsonsharingdocumentation,policies,data,andsoftwarewiththepublic--and,ineffect,withotheragencies.

Thefederalgovernmentisterrificallylarge,andeffectingrealchangeisnotalwayspossiblethroughtop-downpoliciesandchain-of-commandcoordinationalone.Tochangehowthefederalgovernmentoperates,itisnecessarytoshareinformationandtechnologyinthewidestandmostorganicwayspossible.Inpractice,themosteffectiveway,byfar,forinformationtohavegovernment-wideimpactisforittobedistributedpublicly.

5 Theserecommendationsalsoapplytopolicy-makingandoversightbodies,suchasexecutiveoffices,

legislativeagencies,andofficesofinspectorsgeneral.


InitscommentstotheWhiteHouseonitsthen-proposedsourcecodepolicy,18Fdescribedthisproblemasitrelatestosoftwarecode2(emphasisadded):6

Wehaveconsistentlyseenthatthemosteffectivewaytoshareinformation,software,andexperienceamongagenciesistheongoingpublicreleaseofdata,code,anddocumentation.Managingandguardingaccessto“private”softwareandinformationconsistentlyentailssignificantoperationaloverheadwhencomparedtosharingpublicinformation.Thebureaucraticoverheadofsecrecycansometimesbeextreme,dependingonthescaleandtemperamentofthecollaborators.However,thisoverheadisfrequentlydiscountedorunobservedbyteamsthatdefaulttoworkinginprivate.

Sourcecodeisjustoneexample.Agenciescansharetheirtechnologyandsecuritypracticeswithoutreleasingsensitiveinformation.Thisincludesreleasingsoftwaredocumentation,sharingagency-widesecuritypolicies,publishingtechnicalblogposts,andspeakingatconferencesaboutinternalpractices.Aspartofthis,agenciesshouldbecomecomfortablespeakingabouttheirfailuresandincidents,andhowtheyrespondedandlearnedfromthem.Thesearesomeofthecriticalmechanicsthatallowthetechnologyindustrytorapidlyevolveandtohaveitslessonsandbestpracticesspreadthroughoutitscommunityofpractice.

Thiswillrequiregreatertrustbetweenagencycommunicationsandlegislativeaffairsteamsandotheragencycomponents.Oversightbodies,suchasinspectorgeneralofficesandcongressionalcommittees,shouldencouragethisinformationsharingandshouldworkcollaborativelywithagenciestoresolvesecurityincidentsandinternalizetheirlessons.

Thismaybeanuncomfortabletransitionforsomeagenciesatfirst.However,ifthefederalgovernment’ssecuritypracticesaretokeeppacewithachangingworld,thismustbecomethenormforthefederalgovernment.

Third,federalagenciesneedtobereducingtheirdependenceontheirnetwork“perimeter”,andtoavoidunnecessarilycentralizingtheirresources.

Increasingly,maintainingandrelyingonatrustednetwork--whetherforasingleagencyorformultipleagencies--isinstarkconflictwithbroadertrendsinthetechnologyindustryandtheinformationsecuritycommunity.Thisconflictcancreatemajorinefficienciesingovernmentoperations,aswellasmisalignmentofsecurityresources.

Themostobviousconflictisthatthefederalgovernmentisunderstrongpractical,policy,andeconomicpressurestomoveto“thecloud”--thatis,torelyoncomputingresourcesthatarebeyondtheirdirectcontrol.Thebenefitsofcommercialcloudservicesarenumerous,buttheiruserequiresplacingtrustinthirdparties.Thesecloudservicesthemselvesoftenhavemanyoftheirownbusinessrelationshipswithothercloudserviceproviders.Trustismanagedthroughlegalagreements,andthroughsoftwareandsecuritymechanismsthatlimittheamountoftrustthatneedstobeplacedinconnectedthirdparties.Thistrendmovesagencyresourcesoutofagency-controlledlocations,whilemakingiteasiertosupportamobilefederalworkforcethatcanaccessagencyresourcesfromanynetwork.Thismakesrelianceonaperimeterincreasinglylessnecessaryandlessworthwhile.

Thereisalsoacleartrendintheinformationsecuritycommunitytowardsassumingthatcomponentswillsuffercompromises,relyingonprivilegeseparationtolimittheeffectofcompromise,andgenerallyavoidinglargecentralpointsoffailure.Unfortunately,thereisastrongtendencyinthefederalgovernmenttocentralizeresources,suchasbycreatingsmallnumbersofentryandexitpointsinnetworks.Limitingthenumberofnetworkentrypointsinthisway,whileconceptuallystraightforward,placesunrealisticsecurityexpectationsonthoseentrypoints.Thesecanleadto

6 https://github.com/WhiteHouse/source-code-policy/issues/73,“Opensourcebydefault”.Apublic

commentby18Fonwhateventuallybecamehttps://sourcecode.cio.gov.


unrealisticsecuritymodelsinsidefederalagencies,leadingstafftorelytooheavilyona“trustednetwork”andfailingtorequireproperprivilegeseparation.

Fundamentally,thepathforwardfortechnologyandsecuritytoscaleinthemodernworldistorelyonlogicalbarriers(software)ratherthanphysicalbarriers(theperimeter).Thismeansthatagenciesshouldbroadlybemovingawayfromintranets,andinvestinginsoftware-basedsolutionstoprivilegemanagement.

Theserecommendationsdescribeapublicservicethatis:

• Supportedbyacommunityoftechnicalpractitionerswiththemandateandabilitytomaketheiragenciesleadersininformationsecurity,

• Acceleratingitscollectiveprogressbyroutinelyandpubliclysharingtheworkofitsstaffamongthefederalcommunity,and

• Hasthetechnicalskillstobuildamoderndecentralizedinfrastructurebasedonrealisticthreatmodelsandanembraceofcontemporarysecuritytrends.

Ibelievethattheabovecaptureshowtoday’smostsuccessfultechnologyorganizationsfunction,anddescribesafederalgovernmentthatcantakecareofitself.

Thankyouagainfortheopportunitytocomment,andfortheCommission’simportantworkonimprovingournation’ssecurity.


ChrisPainterChairmanDonilon,ViceChairmanPalmisano,andmembersofthePresidentialCommissiononEnhancingNationalCybersecurity,thankyoufortheopportunitytospeaktoyou.

Throughitsdiplomacy,theStateDepartmentworksenergeticallytostrengthenourcollectivecybersecurity.Oureffortstocoordinate,consult,andnegotiatewitharangeofcountriesandinternationalorganizationscomplementthepractical,day-to-dayworkofourinteragencycolleagueswhomaintainnetworksecurity.Ourcyberdiplomatsworktoreduceriskandenhancestabilityincyberspace.Theseeffortsincludebutarenotlimitedtoworkingwithourinteragencypartnerstopromoteinternationallyaframeworkforcyberstability;buildingthecapacityofforeigngovernmentstopromotecybersecurityandrespondtocyberthreats;usingdiplomaticchannelstosupportcyberincidentresponse;andpartneringwithothercountriestocombattransnationalcybercrimeandpromotemembershipintheBudapestConvention.Ineachoftheseareas,wetakecaretoensurethatourpolicyrecommendations,capacitybuildingefforts,andforeignassistanceprogramsrespectandreinforcetheruleoflaw,thefreeflowofdata,andhumanrights,includingfreedomofexpression.Iwilldiscusseachoftheselinesofeffortandofferafewpolicyrecommendations.

EnhancingaFrameworkforInternationalStabilityinCyberspace

Tostrengthencybersecurityontheinternationallevel,theDepartmentofState,workingwithourinteragencypartners,isguidedbythePresident’s2011InternationalStrategyforCyberspace,whichsetsoutastrategicframeworkofinternationalcyberstabilitydesignedtoachieveandmaintainapeacefulcyberspacewhereallstatesareabletofullyrealizeitsbenefits,wherethereareadvantagestocooperatingagainstcommonthreatsandavoidingconflict,andwherethereislittleincentiveforstatestoengageindisruptivebehaviorortoattackoneanother.

Thisframeworkhasthreekeyelements:(1)affirmationthatexistinginternationallawappliestostatebehaviorincyberspace;(2)developmentofaninternationalconsensusonandpromotionofadditionalvoluntarynormsofresponsiblestatebehaviorincyberspacethatapplyduringpeacetime;and(3)developmentandimplementationofpracticalconfidence-buildingmeasures(CBMs)amongstates.

Since2009,theUnitedNationsGroupofGovernmentalExpertsonDevelopmentsintheFieldofInformationandTelecommunicationsintheContextofInternationalSecurity(UNGGE)hasservedasaproductiveandgroundbreakingexpert-levelvenuefortheUnitedStatestobuildsupportforthisframeworkthroughthreeconsensusreportsin2010,2013,and2015.

Theconclusionscapturedinthesereportshavebeenendorsedbypoliticalleadersinarangeofsettings,includingduringtheG20summitinAntalya,Turkey,in2015,andreaffirmedatthe2016G20summitinHangzhou,China.PerhapsthemostprominentbilateralstatementofsupportforthisframeworkcameduringChinesePresidentXiJinping’sstatevisittoWashingtoninSeptember2015,whenboththeUnitedStatesandChinacommitted,interalia,that“neithercountry’sgovernmentwillconductorknowinglysupportcyber-enabledtheftofintellectualproperty,includingtradesecretsorotherconfidentialbusinessinformation,withtheintentofprovidingcompetitiveadvantagestocompaniesorcommercialsectors.”

CapacityBuilding

TheUnitedStatescanmoreeffectivelyrespondtoforeigncyberthreatsandtransnationalcrimewhenourinternationalpartnersthemselveshavestrongincidentresponseandcybercrimefightingcapabilities.Therefore,theDepartmentofStateisworkingwithdepartmentsandagencies,allies,andmultilateralpartnerstobuildthecapacityofforeigngovernments,particularlyindevelopingcountries,tosecuretheirownnetworksaswellastoinvestigateandprosecutecybercriminalswithintheirborders.TheDepartmentalsoactivelypromotesdonorcooperation,includingbilateralandmultilateralparticipationinjointcybercapacitybuildinginitiatives.


In2015,forexample,theUnitedStatesjoinedtheNetherlandsinfoundingtheGlobalForumonCyberExpertise,aglobalplatformforcountries,internationalorganizations,andtheprivatesectortoexchangebestpracticesandexpertiseoncybercapacitybuilding.TheUnitedStatespartneredwithJapan,Australia,Canada,theAfricanUnionCommission,andSymanteconfourcybersecurityandcybercrimecapacitybuildinginitiatives.TheDepartmentalsoprovidedassistancetotheCouncilofEurope,theOrganizationofAmericanStates,andtheUnitedNationsGlobalProgramonCybercrime,amongothers,toenabledeliveryofcapacitybuildingassistancetodevelopingnations.Manytraditionalbilaterallawenforcementtrainingprograms,includingthosefocusedoncounterterrorism,increasinglyincludecyberelements,suchastraininginvestigatorsandprosecutorsinthehandlingofelectronicevidence.Muchofourforeignlawenforcementtrainingoncombattingintellectualpropertycrimefocusesondigitaltheft.

RespondingtoCyberIncidents

Overthepasttwoyears,wehavewitnessedanumberofhigh-profilecyberattacks–athomeandabroad–onfinancialinstitutions,privatecompanies,governmentagencies,criticalinfrastructure,andpoliticalorganizations.

TheUnitedStatesusesawhole-of-governmentapproachtorespondtoanddetermaliciousactivitiesincyberspacethatbringstobearitsfullrangeofinstrumentsofnationalpowerandcorrespondingpolicytools–diplomatic,lawenforcement,economic,military,andintelligence–asappropriateandconsistentwithapplicablelaw.

TheStateDepartmentplaysakeyroleininteragencydeliberationsonmajorcyberevents,anditengagesthroughdiplomaticchannelswhenneeded.Forexample,duringthe2012-2013distributeddenial-of-service(DDoS)attacksagainstfinancialinstitutions,diplomaticchannelswereusedasasupplementtoincidentresponseeffortsthroughmoretechnicalchannels,ensuringthatpolicymakersinforeigngovernmentswereawareofU.S.requestsforassistance.Wealsohaveuseddiplomaticchannelstoraiseconcernsregardingthecyber-enabledtheftoftradesecretsforcommercialgain.

CombattingTransnationalCrime

TheUnitedStatesisagloballeaderinthecampaignagainsttransnationalcrime.Inpartnershipwithkeyalliesandmultilateralpartners,theU.S.helpscountrieseffectivelyutilizeexistinglegaltools,funddevelopmentofmodernlegalframeworks,providetrainingoncybercrimeinvestigations,andstrengtheninternationalcooperationtocombatmodern,high-techcrimethreats.

TheStateDepartment,withitsinteragencypartners,activelypromotesmembershipintheCouncilofEuropeConventiononCybercrime,knownastheBudapestConvention,supportstheGroupofSeven(G7)24/7Network,andoffersrewardsforinformationleadingtothearrestorconvictionofmembersoftransnationalcybercrimeorganizations.

Recommendations

Aswelookahead,cybersecuritywillcontinuetobeachallengefortheUnitedStateswhenwetakeintoconsiderationtherapidlyexpandingenvironmentofglobalcyberthreats,theincreasingrelianceoninformationtechnology,therealitythatmanydevelopingnationsarestillintheearlystagesoftheircybermaturity,andtheongoingandincreasinglysophisticateduseofinformationtechnologybyterroristsandothercriminals.

Therefore,weofferthefollowingrecommendationsfortheCommission’sconsideration.

• Effortstofurtherstrengthenthestrategicframeworkofinternationalcyberstabilityshouldcontinuethroughpromotionofcertainvoluntarynormsofresponsiblestatebehaviorincyberspacethatapplyduringpeacetime;expansionofglobalaffirmationthatinternationallawappliestostatebehaviorincyberspace;anddevelopmentandimplementationofadditionalconfidencebuildingmeasurestoreducerisksofmisperceptionandescalation.


• TheUnitedStatespursuesavisionofopennessandcollaborative,multi-stakeholdergovernanceforcyberspace,instarkcontrasttoalternative,state-centricconceptsofcyberspacegovernancepursuedbysomecountries,principallyChinaandRussia.Therefore,theUnitedStatesshouldcontinuetoadvocateinbilateralandmultilateralfora,includingtheUnitedNations,towardmulti-stakeholdergovernanceforcyberspace.

• TheabilityoftheUnitedStatestorespondtoforeigncyberthreatsandpromoteinternationalcyberstabilityisgreatlyenhancedbythecapabilitiesandstrengthofourinternationalpartnersinthisarea.Itisessential,therefore,tocontinuetobuildthecapacityofforeigngovernments,particularlyindevelopingcountries,tosecuretheirownnetworks,andtopromotedonorcooperationinjointcapacitybuildinginitiatives.

• GiventhetransnationalnatureoftheInternetandrelatedcommunicationsinfrastructure,internationalcooperationisessentialtoeffectivelyaddresscyberincidents.Thisisespeciallytrueforthemostseriouscyberincidentsofstrategicconcernthatrequireanimmediateresponseandthosewithsignificantcross-borderimplications.Therefore,theUnitedStatesshouldcontinueeffortstoenhanceitsunderstandingofothercountries’cyberincidentresponseandcoordinationcapabilitiesandtoformalizecommunicationschannels,includingnetworkdefense,lawenforcement,diplomatic,military,andothers.

• Tofurthercombattransnationalcybercrime,theUnitedStatesshouldcontinuetoexpanditspartnershipswithalliesandmultilateralpartners,promotemembershipintheBudapestConvention,enlargetheG724/7Network,andtargettransnationalcybercrimeorganizations.

• Hereathome,theStateDepartmentshouldcontinuetomainstreamcyberspaceissuesintoourforeigndiplomaticengagementsandbuildthenecessaryinternalcapacitytoformulate,coordinate,andimplementcyberpolicyandexecuteourcyberdiplomacy.

Lastly,toprovideadditionalbackgroundinformationfortheCommission’sconsiderationontheStateDepartment’sworkinthisarea,IamincludingwiththisstatementtwodocumentswesubmittedtoCongressearlierthisyear–mySenateoversighttestimonyandtheDepartmentofStateInternationalCyberspacePolicyStrategy.

Inclosing,IwouldliketothanktheCommissionforgivingmethisopportunitytospeaktoday,andIlookforwardtoansweringanyquestionsyoumayhave.

Note:Mr.Painteralsoprovidedlinkstothefollowingexternaldocuments:

• TestimonybeforetheSenateForeignRelationsSubcommitteeonEastAsia,thePacific,andInternationalCybersecurityPolicy,Hearingon“InternationalCybersecurityStrategy:DeterringForeignThreatsandBuildingGlobalCyberNorms,”May25,2016.http://www.foreign.senate.gov/imo/media/doc/052516_Painter_Testimony.pdf

• PublicLaw114-113,DivisionN,TitleIV,Section402,“DepartmentofStateInternationalCyberspacePolicyStrategy,”March2016.http://www.state.gov/documents/organization/255732.pdf


MarkRylandGoodafternoon,ChairmanDonilon,Vice-ChairPalmisano,andesteemedmembersoftheCommission,mynameisMarkRyland.IserveastheseniortechnologistfortheworldwidepublicsectorforAmazonWebServices(AWS),awhollyownedsubsidiaryofAmazon.com.OnbehalfofAWS,thankyouforgivingmetheopportunitytospeakatthisCommissionsessiononhowtoembraceITinnovationinthegovernmentinordertoenhancecybersecurity,whichiswhatIwasaskedtospeakabouttoday.

AWSandtheUtility-basedModelofCloud

Justover10yearsago,AWSbeganofferingaccesstocloud-basedinfrastructureservicesbasedonAmazon'sexpertiseinhighlyscaledinfrastructureandservice-orientedsoftware.Adecadelater,avastrangeoforganizationsfromthesmalleststart-upstothelargestenterprisesandgovernmentagencieshavetakenadvantageofthisflexible,secure,powerful,andhighlyefficientwayofaccessingITresources.

Beforethecloud,businessesandgovernmentagenciesspentalotoftimeandmoneymanagingtheirowndatacentersandco-locationfacilities,whichmeanttimenotspentontheircoreorganizationalmissionsofprovidingproductsandservicestotheircustomersandcitizens.Withcloud,organizationslikegovernmentagenciescanfunctionmorelikestartupsthatmoveatthespeedofideas,withoutupfrontcostsorworryaboutunknownfuturecapacityneeds.Previously,organizationsonlyhadanoptionofeithermakingmassivecapitalinvestmentstobuildtheirowndatacenterandserverinfrastructure,orofenteringintolong-termcontractswithavendorforafixedamountofdatacentercapacitythattheymightormightnotuse.Thischoicemeanteitherpayingforwastedcapacitysittingidlewhilewaitingforrareoccasionsofpeakdemand,orworryingaboutshortages,i.e.,thatthecapacitydeployedwasinsufficienttomeetpeakdemands.

Today,AWShasmorethanamillionactivecustomersin190countries,includingmorethan2,300governmentagencies,7,000educationinstitutionsand22,000nonprofitorganizations.AWScustomersrangefromsomeoftheworld’smostsuccessfulstartupslikePinterestandAirbnb,tolargeenterprisesineverykindofindustry:companiessuchasShell,BP,Johnson&Johnson,Pfizer,Merck,Bristol-MeyerSquibb,CapitalOneBank,GE,SchneiderElectric,Netflix,Samsung,Adobe,Time,NewsCorp,theWashingtonPostandtheNewYorkTimes.Inthepublicsector,ourcustomersincludefederal,state,andlocalgovernmentorganizationssuchasNASA,theU.SSecuritiesandExchangeCommission,U.S.DepartmentofHomelandSecurity,theStateofTexas,theU.S.DepartmentofHealth&HumanServices,theStateofArizona,NewYorkCityDepartmentofTransportation,theCityofLosAngeles(CA),KingCounty(WA),andtheFinancialIndustryRegulatoryAuthority(FINRA).Inaddition,thousandsofeducationalinstitutionsfromHarvard,MIT,UCBerkeley,andStanfordtosmallschooldistrictslikeoneinFishCreek,WisconsinallutilizeAWSforweb-basedITservices.

ModernizingGovernmentTechnology/SecurityBenefitsofCloudComputing

Inthebeginning,therewasacertaindegreeofreluctancetotrustthelarge-scale,utility-style,multi-tenanted,so-called“public”cloud.ThiswasunderstandableconsideringthatanytimeapowerfulnewabstractionappearsintheITindustry,ittakestimeforuserstounderstandandbecomecomfortablewithit.Fiftyyearsagocompilerswerenewandraisedquestions;just10yearsagoitwasvirtualization.Morerecently,itwascloud.

ButascustomersandITprofessionalshavelearnedaboutthecloudanditscapabilities,theinitialconcernshaveturnedaroundcompletely.NowthereisagrowingrealizationthatcommercialcloudserviceprovidersofferfundamentalsecuritybenefitsovertraditionalITinfrastructure.AsU.S.FederalCIOTonyScotthasstated,“IseethebigcloudprovidersinthesamewayIseeabank.Theyhavetheincentive,theyhaveskillsandabilities,andtheyhavethemotivationtodoamuchbetterjobofsecuritythananyonecompanyoranyoneorganizationcanprobablydo.[...]Ithinktodaythebetter


betisgettothecloudasquickasyoucanbecauseyou'reguaranteedalmosttohavebettersecuritytherethanyouwillinanyprivatethingyoucando.”7

Thefollowingare“SevenReasonsfortheSystemicSuperiorityofCloudSecurity”thatIwouldliketoemphasizefortoday’ssession:

(1)theintegrationofcompliance(whichyoucanthinkofassecuritypolicy)andactual,operationalsecurity(somethingseldomaccomplishedintraditionalsystems);

(2)economiesofscaleapplytosecuritypersonnelandprocesses,somethinglargescalecloudserviceprovidersareuniquelyabletodeliver;

(3)withthecloudprovidertakingonamajorportionofthesecurity“surfacearea,”andexecutingthatwithprofessionalfocusandskillbeyondalmostanycustomeronearth,customerscanrefocustheirsecurityprofessionalsandresourcesonamuchsmallerpartofthechallenge(specifically,applicationsecurity);

(4)thecloudprovidesvisibility,homogeneity,andautomationneverseenbeforeintraditionalsystems,allofwhichmassivelybenefitsecurity;

(5)commercialcloudservicesare“systemscontainers”thatsurroundtraditionalsystemsandprovidefarmoreinsightintotheirbehaviorandfunctioning,includingsecurityissues,therebyprovidinganewkindof“defenseindepth”;

(6)witheasyandcheapaccesstomassiveamountsofstorageandprocessingcapacity,ourcustomersusethecloudtosecurethecloud,i.e.,theyrunbigdataanalyticsonsecuritydataandlogdatawhichprovidesfarmoreinsightintotheirsecuritypostureandresultsinamuchfasterremediationofissues;and

(7)finally,withthespeedofinnovationandincreasingscale,thecloudsecuritystorywillonlygetbetter,anddosoquickly!

Inshort,thecommercialcloudanditsaccompanyingautomationandagilityprovideauniqueopportunitytoenhancesystemssecurityandprivacy.Asaformerseniorgovernmentsecurityofficialsaid,whenaskedaboutthegrowingcybersecuritythreatstogovernmentnetworksatarecentclosed-doorcybersecurityeventattheAmericanEnterpriseInstitute,“Cloudgivesusa‘mulligan’;achancetodoitoveranddoitright.”Insum,webelievetheevidencefullysupportsthepropositionthatsecurityshouldnolongerbeseenasabarriertocloudadoption,butanargumentinfavorofit.

ThatiswhytheU.S.theintelligencecommunityhasturnedtothecloudtoservecustomersacrossthe17intelligenceagencies,8thatiswhycommercialcompanieswithsensitiveinformationrangingfromfinancialinstitutionstohealthcareprovidersareleveragingcloudtomeettheirdigitalinfrastructureneeds,andthatiswhygovernmentagenciessuchastheFederalAviationAdministration(FAA),theDepartmentofHealthandHumanServices(HHS),theStateofColorado,theSeattlePoliceDepartment,theStateofMinnesota,theCaliforniaDepartmentofJustice(DoJ),andtheU.S.DepartmentofHomelandSecurity(DHS)arealsomovingmission-criticalandsensitiveworkloadsthatserveandprotectAmericanstothecommercialcloud.

Herearewhatsomeofourmostsecurity-consciouscustomershavesaidaboutsecurityintheAWScloud:

“Fromaphysicalandlogicalsecuritystandpoint,Ibelievethat,ifdoneright,publiccloudcomputingisasormoresecurethanself-hosting.”–SteveRandich,EVPandCIO,FinancialIndustryRegulatoryAuthorityintheUSA

7 http://www.cio.com/article/2996268/cloud-computing/us-cio-tells-it-leaders-to-trust-the-cloud.html8 http://www.govexec.com/magazine/features/2014/07/daring-deal/88207/


“Andofcourse,securityiscriticalforus.Thefinancialservicesindustryattractssomeoftheworstcybercriminals.SoweworkedcloselywiththeAWSteamtodevelopasecuritymodelwhich,webelieve,allowsustooperatemoresecurelyinthepubliccloudthanwecaneveninourowndatacenters.”RobAlexander,CIO,CapitalOneBank

“Basedonourexperience,IbelievethatwecanbeevenmoresecureintheAWScloudthaninourowndatacenters.”-TomSoderstrom,CTO,NASA’sJetPropulsionLab

Recommendations

WeapplaudtheAdministration’semphasisoncybersecuritywithaspecificfocusonsecuringfederalnetworksandplanningforbuildingsecurityintoemergingtechnologiessuchasIoT.TheAdministration’s“CloudFirst”policyshouldcontinuetoserveasthefoundationofimprovingthefederalgovernmentcybersecurityposture.Butwebelievethereismoretobedone.

TofullyrealizethegoalsofthePresident’sCybersecurityNationalActionPlan(“CNAP”),AWSrecommendsthefollowing:First,theCommissionshouldrecognizethatthemostimportantstepforwardintheefforttosecuregovernmentcommunicationsnetworksandITsystemspertheCNAPisthrougheffectiveandlastingtechnologymodernization.AsnotedjustafewdaysagobyFederalCIOTonyScott,thegovernmentmuststopusinga“bubblewrap”approach,puttingfragilesecuritylayersaroundinherentlyinsecurelegacysystems.9Intheprivatesector,ITmodernizationishappeningbecausebusinessesofallsizes,andacrossallsectorsoftheeconomy,aremovingtheirapplicationsandworkloadsintothecommercialcloud.Yetpolicy,regulatory,procurement,andculturalblockersstillremainthatpreventfederaldepartmentsandagenciesfrommigratingtocloud.WethinktheCommissionshouldcallontheOMBtofullyenforcethe“CloudFirst”policy,andcloselyscrutinizecurrentandfuturegovernmentdatacenterutilization.

Second,theCommissionshouldcallonboththeAdministrationandCongresstofullyenforcetheFederalInformationTechnologyAcquisitionReformAct(FITARA)toensurethatagencychiefinformationofficershavetheprocurementresourcestomodernizeITsystemsasquicklyaspossible.Additionally,theCommissionshouldsupportthepassageoftherecentlyintroducedModernizingGovernmentTechnology(MGT)Act,whichwasapprovedbytheHouseOversightandGovernmentReformCommitteelastweek.TheMGTActprovidesamandateforITmodernizationthroughcommercialcloudadoptionandthereplacement/retirementofoutdatedlegacysystemsthatarevulnerabletocyber-attacks.ThisimportantlegislationcouldalsoprovidethenecessaryfundingflexibilityforagenciestomorequicklyleverageasecureITinfrastructuresuchascommercialcloudcomputingservices.

Third,giventheimportanceofFedRAMPtoensuringabaselineofsecurityforgovernmentorganizations,werecommendthatCongressrequirethatcloudserviceproviders(CSPs)orcontractorsdeliveringcloudservicestofederalagenciescompleteasecurityassessmentunderFedRAMP.ThatwillgivefederalagenciesclarityonwhatsecuritybaselineCSPsandcontractorsshouldbecompliantwith.

Finally,justasFedRAMPhasprovidedasecuritybaselineforthefederalgovernment,theCommissionshouldencouragestateandlocalgovernmentstoleveragetheFedRAMPrequirementsandprocessesastheirprimarysecuritycertificationframeworkforITsystems.DoingsowillhelpstateandlocalgovernmentagenciestobuildasecureITecosystem.

Thankyouforholdingthismeetingtodayandinvitingustoparticipate.Ilookforwardtodiscussingthesecriticalissueswithyouandtheotherpanelists.

9 http://fedscoop.com/tony-scott-cybersecurity-billington-september-2016


MikeWalkerLargebreachesofconfidentialrecordsarearegularoccurrenceontoday'sinternet.ThisisnotduetostructuralfailuresoftheInternetprotocolsthemselves,norisitduetopooruserchoices,noreventoinsufficientdemandforeffectivesecurity.Thevastmajorityofbreachesoccurduetoastructuralfailureofsoftware,oftensoftwarethathandlesemaillinksorattachments,butmanyotherformsofsoftwareaswell.Structuralfailuresofsoftwarearecommonamongstallmarketsectorswherewecurrentlyexperiencealackoftrust&confidence:SCADA,thedesktop,vehicles,lifesafetymedicalappliancesandcriticalinfrastructure.Inordertorebuildcybertrustinthesesectors,wemustcreateawaytoengineersoftwaresystemsinatrustworthymanner,measureresidualcyberrisk,andaccuratelypriceinsuranceofthesesoftwaresystems;thisrequires:

1>anabilitytocreateandmanagesystemsthatareengineeredtobestrongerbydesign

2>theabilitytomeasurethevulnerabilityofsoftwaresystems

Thesetwothrustsarecomplimentary:moresecuresystemscanonlybedevelopedorselectedwhenthemarketcaneasilyappraisethesecurityofsoftwaresystems;withoutmeasurementitisimpossibleforamarkettofindandfundamoresecureapproach.Universallyacceptedmeasurementofvulnerabilityisthereforeaprerequisiteforsecuritystandardsthatcansurviveoperationalscrutiny.Measurementofvulnerabilityoccursthroughexhaustiveinvestigationratherthanthesatisfactionofchecklists.Exhaustiveinvestigationisanexperttaskcurrentlyprocuredthroughbugbounties.Revolutionaryautomatedapproachesonthehorizonmaysoondemocratizesuchexhaustiveinvestigationandallowforauniversal,independentlytestablestandardforsoftwaresafety.


GregoryC.WilshusenChairmanDonilon,ViceChairPalmisano,anddistinguishedmembersoftheCommission,thankyoufortheopportunitytoappearbeforeyoutoday.Asrequested,Iwilldiscusslawsandpoliciesshapingthefederalgovernment’sinformationtechnology(IT)securitylandscapeandtheactionsneededtoaddresslong-standingchallengestoimprovingthegovernment’scybersecurityposture.

MynameisGregWilshusenandIserveastheDirectorofInformationSecurityIssuesfortheU.S.GovernmentAccountabilityOffice(GAO).GAOisanindependentagencyinthelegislativebranchofthefederalgovernment.OurmissionistohelpCongressimprovetheperformanceandaccountabilityofthefederalgovernmentforthebenefitoftheAmericanpeople.Inotherwords,weexaminehowtaxpayerdollarsarespentandadviselawmakersandagencyheadsonwaystomakegovernmentworkbetter.Inmyposition,Iamresponsibleforleadingauditsandstudiesofthesecurityoffederalinformationsystemsandcybercriticalinfrastructureandtheprivacyofpersonallyidentifiableinformation.Mystatementtodayisbasedonourpreviouslypublishedworkaddressingfederalcybersecurityefforts.10

Ascomputertechnologyhasadvanced,federalagencieshavebecomedependentoncomputerizedinformationsystemsandelectronicdatatocarryoutoperationsandtoprocess,maintain,andreportessentialinformation.Thesecurityofthesesystemsanddataisvitaltopublicconfidenceandthenation’ssafety,prosperity,andwell-being.Virtuallyallfederaloperationsaresupportedbycomputersystemsandelectronicdata,andagencieswouldfinditdifficult,ifnotimpossible,tocarryouttheirmissionsandaccountfortheirresourceswithouttheseinformationassets.Hence,ineffectivecontrolscanresultinsignificantrisktoabroadarrayofgovernmentoperationsandassets.Forexample:

o Resources,suchaspaymentsandcollections,couldbelostorstolen.

o Computerresourcescouldbeusedforunauthorizedpurposes,includinglaunchingattacksonothers.

o Sensitiveinformation,suchasintellectualpropertyandnationalsecuritydata,andpersonallyidentifiableinformation,suchastaxpayerdata,SocialSecurityrecords,andmedicalrecords,couldbeinappropriatelyaddedto,deleted,read,copied,disclosed,ormodifiedforpurposessuchasespionage,identitytheft,orothertypesofcrime.

o Criticaloperations,suchasthosesupportingnationaldefenseandemergencyservices,couldbedisrupted.

o Datacouldbemodifiedordestroyedforpurposesoffraudordisruption.

o Entitymissionscouldbeunderminedbyembarrassingincidentsthatresultindiminishedconfidenceintheirabilitytoconductoperationsandfulfilltheirresponsibilities.

Federalinformationsystemsandnetworksareinherentlyatrisk.Theyarehighlycomplexanddynamic,technologicallydiverse,andoftengeographicallydispersed.Thiscomplexityincreasesthedifficultyinidentifying,managing,andprotectingthemyriadofoperatingsystems,applications,anddevicescomprisingthesystemsandnetworks.Compoundingtherisk,systemsusedbyfederalagenciesareoftenriddledwithsecurityvulnerabilities—bothknownandunknown.Forexample,thenationalvulnerabilitydatabasemaintainedbytheMitreCorporationhasidentified78,907publicly

10 Thereportscitedinthisstatementcontaindetaileddiscussionsofthescopeoftheworkandthe

methodologyusedtocarryitout.Alltheworkonwhichthisstatementisbasedwasconductedinaccordancewithgenerallyacceptedgovernmentauditingstandards.Thosestandardsrequirethatweplanandperformauditstoobtainsufficient,appropriateevidencetoprovideareasonablebasisforourfindingsandconclusionsbasedonourauditobjectives.Webelievethattheevidenceobtainedprovidesareasonablebasisforourfindingsandconclusionsbasedonourauditobjectives.


knowncybersecurityvulnerabilitiesandexposuresasofSeptember15,2016,withmorebeingaddedeachday.11FederalsystemsandnetworksarealsoofteninterconnectedwithotherinternalandexternalsystemsandnetworksincludingtheInternet,therebyincreasingthenumberofavenuesofattackandexpandingtheirattacksurface.

Inaddition,cyberthreatsandincidentstosystemssupportingthefederalgovernmentareincreasing.Thesethreatscomefromavarietyofsourcesandvaryintermsofthetypesandcapabilitiesoftheactors,theirwillingnesstoact,andtheirmotives.Forexample,advancedpersistentthreats—whereadversariespossesssophisticatedlevelsofexpertiseandsignificantresourcestopursuetheirobjectives—poseincreasingrisks.Furtherunderscoringthisriskareincreasesinincidentsthatcouldthreatennationalsecurityandpublichealthandsafety,orleadtoinappropriateaccesstoanddisclosure,modification,ordestructionofsensitiveinformation.Suchincidentsmaybeunintentional,suchasaservicedisruptionduetoequipmentfailureornaturalevent,orintentional,whereforexample,ahackerattacksacomputernetworkorsystem.

ThenumberofinformationsecurityincidentsreportedbyfederalagenciestotheU.S.ComputerEmergencyReadinessTeam(U.S.CERT)hascontinuedtoincrease—from5,503infiscalyear2006to77,183infiscalyear2015,anincreaseof1,303percent(seefig.1below).

Figure1:IncidentsReportedbyFederalAgencies,FiscalYears2006through2015

Since1997,wehavedesignatedfederalinformationsecurityasagovernment-widehigh-riskarea,12andin2003expandedthisareatoincludecomputerizedsystemssupportingthenation’scriticalinfrastructure.Mostrecently,intheFebruary2015updatetoourhigh-risklist,wefurtherexpanded

11 ThenationalvulnerabilitydatabaseistheU.S.governmentrepositoryofstandardsbasedvulnerability

managementdata.Thisdataenablesautomationofvulnerabilitymanagement,securitymeasurement,andcompliance.

12 GAOdesignatesagenciesandprogramareasashigh-riskduetotheirvulnerabilitiestofraud,waste,abuse,andmismanagement,orwhentheyaremostinneedoftransformation.


thisareatoincludeprotectingtheprivacyofpersonallyidentifiableinformation(PII)collected,maintained,andsharedbybothfederalandnonfederalentities.13

Overthelastseveralyears,wehavemadeabout2,500recommendationstoagenciesaimedatimprovingtheirimplementationofinformationsecuritycontrols.Theserecommendationsidentifyactionsforagenciestotakeinprotectingtheirinformationandsystems.Forexample,wehavemaderecommendationsforagenciestocorrectweaknessesincontrolsintendedtoprevent,limit,anddetectunauthorizedaccesstocomputerresources,suchascontrolsforprotectingsystemboundaries,identifyingandauthenticatingusers,authorizinguserstoaccesssystems,encryptingsensitivedata,andauditingandmonitoringactivityontheirsystems.WehavealsomaderecommendationsforagenciestoimplementtheirinformationsecurityprogramsandprotecttheprivacyofPIIheldontheirsystems.However,manyagenciescontinuetohaveweaknessesinimplementingthesecontrols,inpartbecausemanyoftheserecommendationsremainunimplemented.AsofSeptember16,2016,about1,000ofourinformationsecurity–relatedrecommendationshavenotbeenimplemented.

FederalLawandPolicyEstablishaFrameworkforProtectingFederalSystemsandInformation

Severalfederallawsandpolicies—predominantlytheFederalInformationSecurityModernizationActof2014anditspredecessor,theFederalInformationSecurityManagementActof2002(bothreferredtoasFISMA)—provideaframeworkforprotectingfederalinformationandITassets.

Thepurposeofbothlawsistoprovideacomprehensiveframeworkforensuringtheeffectivenessofinformationsecuritycontrolsoverinformationresourcesthatsupportfederaloperationsandassets.14Thelawsestablishresponsibilitiesforimplementingtheframeworkandassignthoseresponsibilitiestospecificofficialsandagencies:

o TheDirectoroftheOfficeofManagementandBudget(OMB)isresponsiblefordevelopingandoverseeingimplementationofpolicies,principles,standards,andguidelinesoninformationsecurityinfederalagencies,exceptwithregardfornationalsecuritysystems.Since2003,OMBhasissuedpoliciesandguidancetoagenciesonmanyinformationsecurityissues,includingprovidingannualinstructionstoagenciesandinspectorsgeneralforreportingontheeffectivenessofagencysecurityprograms.Morerecently,OMBissuedtheCybersecurityStrategyandImplementationPlaninOctober2015,15whichaimstostrengthenfederalciviliancybersecurityby(1)identifyingandprotectinghigh-valueinformationandassets,(2)detectingandrespondingtocyberincidentsinatimelymanner,(3)recoveringrapidlyfromincidentswhentheyoccurandacceleratingtheadoptionoflessonslearnedfromthesprint,(4)recruitingandretainingahighlyqualifiedcybersecurityworkforce,and(5)efficientlyacquiringanddeployingexistingandemergingtechnology.OMBalsorecentlyupdateditsCircularA-130onmanagingfederalinformationresourcestoaddressprotectingandmanagingfederalinformationresourcesandonmanagingPII.16

o Theheadofeachfederalagencyhasoverallresponsibilityforprovidingappropriateinformationsecurityprotectionsfortheagency’sinformationandinformationsystems,includingthosecollected,maintained,operatedorusedbyothersontheagency’sbehalf.Inaddition,theheadofeachagencyisrequiredtoensurethatsenioragencyofficialsprovide

13 SeeGAO,High-RiskList:AnUpdate,GAO-15-290(Washington,D.C.:Feb.11,2015).14 TheFederalInformationSecurityModernizationActof2014(FISMA2014)(Pub.L.No.113-283,Dec.18,

2014);largelysupersededtheFederalInformationSecurityManagementActof2002(FISMA2002),enactedastitleIIIoftheE-GovernmentActof2002(Pub.L.No.107-347,116Stat2899,2946(Dec.17,2002)).Asusedhere,FISMArefersbothtoFISMA2014andtothoseprovisionsofFISMA2002thatwereeitherincorporatedintoFISMA2014orwereunchangedandcontinueinfullforceandeffect

15 OMB,CybersecurityStrategyandImplementationPlanforFederalCivilianGovernment,M-16-04(Washington,D.C.:Oct.30,2015).

16 OMB,RevisionofOMBCircularA-130,ManagingFederalInformationasaStrategicResource(Washington,D.C.:July28,2016).


informationsecurityfortheinformationandsystemssupportingtheoperationsandassetsundertheircontrol,andtheagencychiefinformationofficer(CIO)isdelegatedtheauthoritytoensurecompliancewiththelaw’srequirements.TheassignmentofinformationsecurityresponsibilitiestosenioragencyofficialsisnoteworthybecauseitreinforcestheconceptthatinformationsecurityisabusinessfunctionaswellasanITfunction.

Eachagencyisalsorequiredtodevelop,document,andimplementanagency-wideinformationsecurityprogramthatinvolvesanongoingcycleofactivityincluding(1)assessingrisks,(2)developingandimplementingrisk-basedpoliciesandproceduresforcost-effectivelyreducinginformationsecurityrisktoanacceptablelevel,(3)providingawarenesstrainingtopersonnelandspecializedtrainingtothosewithsignificantsecurityresponsibilities,(4)testingandevaluatingeffectivenessofsecuritycontrols,(5)remedyingknownweaknesses,and(6)detecting,reporting,andrespondingtosecurityincidents.

Asdiscussedlater,ourworkhasshownthatagencieshavenotfullyoreffectivelyimplementedtheseprogramsandactivitiesonaconsistentbasis.

o FISMArequirestheNationalInstituteofStandardsandTechnology(NIST)todevelopinformationsecuritystandardsandguidelinesforagencies.Tothisend,NISThasdevelopedandpublishedfederalinformationprocessingstandardsthatrequireagenciestocategorizetheirinformationandinformationsystemsaccordingtotheimpactormagnitudeofharmthatcouldresultiftheyarecompromised17andspecifyminimumsecurityrequirementsforfederalinformationandinformationsystems.18NISThasalsoissuednumerousspecialpublicationsthatprovidedetailedguidelinestoagenciesforsecuringtheirinformationandinformationsystems.19

o In2014,FISMAestablishedtheDepartmentofHomelandSecurity’s(DHS)oversightresponsibilities,including(1)assistingOMBwithoversightandmonitoringofagencies’informationsecurityprograms,(2)operatingthefederalinformationsecurityincidentcenter,and(3)providingagencieswithoperationalandtechnicalassistance.

Othercybersecurity-relatedlawswererecentlyenacted,whichincludethefollowing:

o TheNationalCybersecurityProtectionActof2014codifiestheroleofDHS’sNationalCybersecurityandCommunicationsIntegrationCenterasthefederalcivilianinterfaceforsharinginformationaboutcybersecurityrisks,incidents,analysis,andwarningsforfederalandnon-federalentities,includingownersandoperatorsofsystemssupportingcriticalinfrastructure.20

o TheCybersecurityEnhancementActof2014,amongotherthings,authorizesNISTtofacilitateandsupportthedevelopmentofvoluntarystandardstoreducecyberriskstocriticalinfrastructureand,incoordinationwithOMB,todevelopandencourageastrategyfortheadoptionofcloudcomputingservicesbythefederalgovernment.21

17 NIST,StandardsforSecurityCategorizationofFederalInformationandInformationSystems,FIPSPublication

199(Gaithersburg,Md.:February2004).18 NIST,MinimumSecurityRequirementsforFederalInformationandInformationSystems,FIPSPublication200

(Gaithersburg,Md.:March2006).19 Forexample,NIST,GuideforApplyingtheRiskManagementFrameworktoFederalInformationSystems:A

SecurityLifeCycleApproach,SP800-37,Rev.1(Gaithersburg,Md.:February2010)andSecurityandPrivacyControlsforFederalInformationSystemsandOrganizations,SP800-53,Rev.4(Gaithersburg,Md.:April2013).

20 Pub.L.No.113-282,Dec.18,2014.21 Pub.L.No.113-274,Dec.18,2014.


o TheCybersecurityActof2015,amongotherthings,setsforthauthorityforenhancingthesharingofcybersecurity-relatedinformationamongfederalandnon-federalentities,givesDHS’sNationalCybersecurityandCommunicationsIntegrationCenterresponsibilityforimplementingthesemechanisms,requiresDHStomakeintrusionanddetectioncapabilitiesavailabletoanyfederalagency,andcallsforagenciestoassesstheircyber-relatedworkforce.22

ActionIsNeededtoAddressOngoingCybersecurityChallenges

Ourworkhasidentifiedtheneedforimprovementsinthefederalgovernment’sapproachtocybersecurity.Whiletheadministrationandagencieshaveactedtoimprovetheprotectionsovertheirinformationandinformationsystems,additionalactionsareneeded.

Federalagenciesneedtoeffectivelyimplementrisk-basedentity-wideinformationsecurityprogramsconsistentlyovertime.SinceFISMAwasenactedin2002,agencieshavebeenchallengedtofullyandeffectivelydevelop,document,andimplementagency-wideprogramstosecuretheinformationandinformationsystemsthatsupporttheoperationsandassetsoftheagency,includingthoseprovidedormanagedbyanotheragencyorcontractor.Forexample,infiscalyear2015,19ofthe24majorfederalagenciescoveredbytheChiefFinancialOfficersActof199023reportedthatinformationsecuritycontroldeficiencieswereeitheramaterialweaknessorsignificantdeficiency24ininternalcontrolsoverfinancialreporting.Inaddition,inspectorsgeneralat22ofthe24agenciescitedinformationsecurityasamajormanagementchallengefortheiragency.Thefollowingactionswillassistagenciesinimplementingtheirinformationsecurityprograms.

o Enhancecapabilitiestoeffectivelyidentifycyberthreatstoagencysystemsandinformation.Akeyactivityforassessingcybersecurityriskandselectingappropriatemitigatingcontrolsistheidentificationofcyberthreatstocomputernetworks,systems,andinformation.In2016,wereportedonseveralfactorsthatagenciesidentifiedasimpairingtheirabilitytoidentifythesethreatstoagreatormoderateextent.25Theimpairmentsincludedaninabilitytorecruitandretainpersonnelwiththeappropriateskills,rapidlychangingthreats,continuouschangesintechnology,andalackofgovernment-wideinformation-sharingmechanisms.Addressingtheseimpairmentswillenhancetheabilityofagenciestoidentifythethreatstotheirsystemsandinformationandbeinabetterpositiontoselectandimplementappropriatecountermeasures.

o Implementsustainableprocessesforsecurelyconfiguringoperatingsystems,applications,workstations,servers,andnetworkdevices.Weroutinelydeterminethatagenciesdonotenablekeyinformationsecuritycapabilitiesoftheiroperatingsystems,applications,workstations,

22 TheCybersecurityActof2015wasenactedasDivisionNoftheConsolidatedAppropriationsAct,2016,Pub.

L.No.114-113,Dec.18,2015.23 The24majordepartmentsandagenciesaretheDepartmentsofAgriculture,Commerce,Defense,Education,

Energy,HealthandHumanServices,HomelandSecurity,HousingandUrbanDevelopment,theInterior,Justice,Labor,State,Transportation,theTreasury,andVeteransAffairs;theEnvironmentalProtectionAgency,GeneralServicesAdministration,NationalAeronauticsandSpaceAdministration,NationalScienceFoundation,NuclearRegulatoryCommission,OfficeofPersonnelManagement,SmallBusinessAdministration,SocialSecurityAdministration,andU.S.AgencyforInternationalDevelopment.31U.S.C.§901(b).

24 Amaterialweaknessisadeficiency,orcombinationofdeficiencies,thatresultsinmorethanaremotelikelihoodthatamaterialmisstatementofthefinancialstatementswillnotbepreventedordetected.Asignificantdeficiencyisadeficiency,orcombinationofdeficiencies,ininternalcontrolthatislessseverethanamaterialweakness,yetimportantenoughtomeritattentionbythosechargedwithgovernance.Acontroldeficiencyexistswhenthedesignoroperationofacontroldoesnotallowmanagementoremployees,inthenormalcourseofperformingtheirassignedfunctions,topreventordetectandcorrectmisstatementsonatimelybasis.

25 GAO,InformationSecurity:AgenciesNeedtoImproveControlsoverSelectedHigh-ImpactSystems,GAO-16-501(Washington,D.C.;May18,2016).


servers,andnetworkdevices.Inmanyinstances,agencieswerenotawareoftheinsecuresettingsthatintroducedrisktothecomputingenvironment.Establishingstrongconfigurationstandardsandimplementingsustainableprocessesformonitoringandenablingconfigurationsettingswillstrengthenthesecuritypostureoffederalagencies.

o Patchvulnerablesystemsandreplaceunsupportedsoftware.Federalagenciesconsistentlyfailtoapplycriticalsecuritypatchesinatimelymannerontheirsystems,sometimesyearsafterthepatchisavailable.Wealsoconsistentlyidentifyinstanceswhereagenciesusesoftwarethatisnolongersupportedbytheirvendors.Theseshortcomingsoftenplaceagencysystemsandinformationatsignificantriskofcompromisesincemanysuccessfulcyberattacksexploitknownvulnerabilitiesassociatedwithsoftwareproducts.Usingvendor-supportedandpatchedsoftwarewillhelptoreducethisrisk.

o Developcomprehensivesecuritytestandevaluationproceduresandconductexaminationsonaregularandrecurringbasis.Theinformationsecurityassessmentsperformedforagencysystemswereoftenbasedoninterviewsanddocumentreviews,limitedinscope,anddidnotidentifymanyofthesecurityvulnerabilitiesthatourexaminationsidentified.Conductingin-depthsecurityevaluationsthatexaminetheeffectivenessofsecurityprocessesandtechnicalcontrolsisessentialforeffectivelyidentifyingsystemvulnerabilitiesthatplaceagencysystemsandinformationatrisk.

o StrengthenoversightofcontractorsprovidingITservices.AsdemonstratedbytheOPMdatabreachof2015,cyberattackerscansometimesgainentreetoagencysystemsandinformationthroughtheagency’scontractorsorbusinesspartners.Accordingly,agenciesneedtoensurethattheircontractorsandpartnersareadequatelyprotectingtheagency’sinformationandsystems.InAugust2014,wereportedthatfiveofsixselectedagencieswereinconsistentinoverseeingtheexecutionandreviewofsecurityassessmentsthatwereintendedtodeterminetheeffectivenessofcontractorimplementationofsecuritycontrols,resultinginsecuritylapses.26In2016,agencychiefinformationsecurityofficerswesurveyedreportedthattheywerechallengedtoalargeormoderateextentinoverseeingtheirITcontractorsandreceivingsecuritydatafromthecontractors,therebydiminishingtheCISOs’abilitytoassesshowwellagencyinformationmaintainedbythecontractorsisprotected.27Effectivelyoverseeingandreviewingthesecuritycontrolsimplementedbycontractorsandotherpartiesisessentialtoensuringthattheorganization’sinformationisproperlysafeguarded.

Thefederalgovernmentneedstoimproveitscyberincidentdetection,response,andmitigationcapabilities.Evenagenciesororganizationswithstrongsecuritycanfallvictimtoinformationsecurityincidentsduetopreviouslyunknownvulnerabilitiesthatareexploitedbyattackerstointrudeintoanagency’sinformationsystems.Accordingly,agenciesneedtohaveeffectivemechanismsfordetecting,respondingto,andrecoveringfromsuchincidents.Thefollowingactionswillassistthefederalgovernmentinbuildingitscapabilitiesfordetecting,respondingto,andrecoveringfromsecurityincidents.

o DHSneedstoexpandcapabilities,improveplanning,andsupportwideradoptionofitsgovernment-wideintrusiondetectionandpreventionsystem.InJanuary2016,wereportedthatDHS’sNationalCybersecurityProtectionSystem(NCPS)hadlimitedcapabilitiesfordetectingandpreventingintrusions,conductinganalytics,andsharinginformation.28Inaddition,adoptionofthesecapabilitiesatfederalagencieswaslimited.ExpandingNCPS’scapabilities

26 GAO,InformationSecurity:AgenciesNeedtoImproveOversightofContractorControls,GAO-14-612

(Washington,D.C.:Aug.8,2014).27 GAO,FederalChiefInformationSecurityOfficer:OpportunitiesExisttoImproveRolesandAddressChallengesto

Authority,GAO-16-686(Washington,D.C.:Aug.26,2016).28 GAO,InformationSecurity:DHSNeedstoEnhanceCapabilities,ImprovePlanning,andSupportGreater

AdoptionofItsNationalCybersecurityProtectionSystem,GAO-16-294(Washington,D.C.:Jan.28,2016).


fordetectingandpreventingmalicioustraffic,definingrequirementsforfuturecapabilities,anddevelopingnetworkroutingguidancewouldincreaseassuranceofthesystem’seffectivenessindetectingandpreventingcomputerintrusionsandsupportwideradoptionbyagencies.

o Improvecyberincidentresponsepracticesatfederalagencies.InApril2014wereportedthat24majorfederalagenciesdidnotconsistentlydemonstratethattheyhadeffectivelyrespondedtocyberincidents.29Forexample,agenciesdidnotdeterminetheimpactofincidentsortakenactionstopreventtheirrecurrence.Bydevelopingcompletepolicies,plans,andproceduresforrespondingtoincidentsandeffectivelyoverseeingresponseactivities,agencieswillhaveincreasedassurancethattheywilleffectivelyrespondtocyberincidents.

o Updatefederalguidanceonreportingdatabreachesanddevelopconsistentresponsestobreachesofpersonallyidentifiableinformation(PII).AswereportedinDecember2013,eightselectedagenciesdidnotconsistentlyimplementpoliciesandproceduresforrespondingtobreachesofPII.30Forexample,noneoftheagenciesdocumentedtheevaluationofincidentsandlessonslearned.Inaddition,OMB’sguidancetoagenciestoreporteachPII-relatedincident—eventhosewithinherentlylowrisktotheindividualsaffected—within1hourofdiscoverymaycauseagenciestoexpendresourcestomeetreportingrequirementsthatprovidelittlevalueanddiverttimeandattentionfromrespondingtobreaches.Updatingguidanceandconsistentlyimplementingbreachresponsepracticeswillimprovetheeffectivenessofgovernment-wideandagency-leveldatabreachresponseprograms.

Thefederalgovernmentneedstoexpanditscyberworkforceplanningandtrainingefforts.Ensuringthatthegovernmenthasasufficientnumberofcybersecurityprofessionalswiththerightskillsandthatitsoverallworkforceisawareofinformationsecurityresponsibilitiesremainsanongoingchallenge.Theseactionscanhelpmeetthischallenge:

o Enhanceeffortsforrecruitingandretainingaqualifiedcybersecurityworkforce.Thishasbeenalong-standingdilemmaforthefederalgovernment.In2012,agencychiefinformationofficersandexpertswesurveyedcitedweaknessesineducation,awareness,andworkforceplanningasarootcauseinhinderingimprovementsinthenation’scybersecurityposture.31Severalexpertsalsonotedthatthecybersecurityworkforcewasinadequate,bothinnumbersandtraining.Theycitedchallengessuchasthelackofrole-basedqualificationstandardsanddifficultiesinretainingcyberprofessionals.In2016,agencyCISOswesurveyedreportedthatdifficultiesrelatedtohavingsufficientstaff;recruiting,hiring,andretainingsecuritypersonnel;andensuringsecuritypersonnelhaveappropriateskillsandexpertiseposechallengestotheirabilitiestocarryouttheirresponsibilitieseffectively.32

o Improvecybersecurityworkforceplanningactivitiesatfederalagencies.InNovember2011,wereportedthatonlyfiveofeightselectedagencieshaddevelopedworkforceplansthataddressedcybersecurity.33Further,agenciesreportedchallengeswithfillingcybersecuritypositions,andonlythreeoftheeighthadadepartment-widetrainingprogramfortheircybersecurityworkforce.

29 GAO,InformationSecurity:AgenciesNeedtoImproveCyberIncidentResponsePractices,GAO-14-354

(Washington,D.C.:Apr.30,2014).30 GAO,InformationSecurity:AgencyResponsestoBreachesofPersonallyIdentifiableInformationNeedtoBe

MoreConsistent,GAO-14-34(Washington,D.C.:Dec.9,2013).31 GAO,Cybersecurity:NationalStrategy,Roles,andResponsibilitiesNeedtoBeBetterDefinedandMore

EffectivelyImplemented,GAO-13-187(Washington,D.C.:Feb.14,2013).32 GAO-16-686.33 GAO,CybersecurityHumanCapital:InitiativesNeedBetterPlanningandCoordination,GAO-12-8(Washington,

D.C.:Nov.29,2011).


Insummary,federallawandpolicysetforthaframeworkforaddressingcybersecurityriskstofederalsystems.However,implementationofthisframeworkhasbeeninconsistent,andadditionalactionisneededtoaddressongoingchallenges.Specifically,agenciesneedtoaddresscontroldeficienciesandfullyimplementorganization-wideinformationsecurityprograms,cyberincidentresponseandmitigationeffortsneedtobeimprovedacrossthegovernment,andestablishingandmaintainingaqualifiedcybersecurityworkforceneedstobeapriority.

ChairmanDonilon,ViceChairPalmisano,anddistinguishedmembersoftheCommission,thisconcludesmypreparedstatement.Iwouldbehappytoansweranyquestionsyouhave.

ContactandAcknowledgments

Ifyouhaveanyquestionsaboutthisstatement,pleasecontactGregoryC.Wilshusenat(202)512-6244orwilshuseng@gao.gov.OtherstaffmemberswhocontributedtothisstatementincludeLarryCroslandandMichaelGilmore(assistantdirectors),ChrisBusinsky,FranklinJackson,KennethA.Johnson,LeeMcCracken,ScottPettis,andAdamVodraska.


NealZiringChairmanDonilon,Vice-ChairmanPalmison,anddistinguishedmembersofthecommission,thankyouforthisopportunitytoparticipatetoday,andprovideinputonthisveryimportanttopic.MynameisNealZiring,andIserveastheTechnicalDirectorforCapabilitiesattheNationalSecurityAgency.Priortothatjob,IservedfiveyearsasTechnicalDirectorforInformationAssuranceatNSA.NSAhastheresponsibility,underNationalSecurityDirective42,toprotectanddefendU.S.NationalSecuritySystems(NSS).I’veworkedinthatmissionatNSAfor28years.NSAdefendsourcountry’smostsensitiveinformationandnetworksfrommotivatedandpersistentadversaries,andassistsotherelementsoftheU.S.federalgovernmentwithtechnicalchallengesspanningallaspectsofcybersecurity.I’veenjoyedafront-rowseatforagreatdealofthat,andtheobservationsandrecommendationsI’llofferthisafternoonarefoundedonthoseexperiences,andondiscussionswithmypeersinNSAandacrossthecommunity.ImustnotethatmyremarkstodaydonotrepresentNSA’sofficialposition,butaremerelymyownviewsasatechnicalpractitionerandleader.Thetopicforthispanelis“growingandsecuringthedigitaleconomy”.Thiswillbevitalforthefutureofourcountryandworld,asthedigitaleconomyiswoventhroughouttheentireeconomy.Unliketheearly1990s,whereactivityonthenascentInternetwaslargelyindependentoftherestofthesocialandeconomicactivity,today,wedependonournetworksforeverythingincludingcriticalinfrastructure,finances,andnationaldefense.Growingandenrichingthedigitaleconomycanonlybeachievedbysustainingandbuildingupallstakeholders’confidenceintheunderpinningsofthateconomy,i.e.,confidenceincyberspace.Therearealotofkeystakeholderstoconsider:businesses,consumers,serviceproviders,governmentagencies,investors,lawenforcement,criticalinfrastructureoperators,andmore.AspartofmyworkforNSA,I’veparticipatedinpartnershipsacrossgovernment,industry,academiaandinternationalallies.Basedonmyinteractionswiththesevariouspartners,itisclearthatwe’reallworkingtowardthesameconfidenceincyberspacegoal.ThecommonpurposeisalsoevidentinthestatementsofferedbyparticipantsinpreviousopenmeetingsofthisCommission.Inmyremarkstoday,I’llcoverafewaspectsofthecurrentsituationthatIthinkaremostcritical,andthenoffersomegeneralrecommendationsforactionthatwecouldtakeasanation,bothshort-termandlong-term.Then,ofcourse,I’llbehappytoaddressanyquestionstheCommissionmaypose.SomeAspectsoftheCurrentStateofCybersecurityPreviouspanelistsforthiscommissionhavecoveredcurrentthreatsandrisksquitethoroughly;tosavetime,I’mgoingtoreviewjustafewitemsthatwillhelpleadintomyrecommendations.Firstandmostcritical:weallsharethesamecyberspace.Thetrendofconvergenceoverthelastcoupleofdecadeshasbroughtnearlyallnetworkstogether.Evennetworksthatareostensibly“standalone”havesomeconnectionordirectdependenceontheglobalInternet.Thisdirectlyaffectsthereliabilityandsecurityofserviceswealldependon,includingcriticalinfrastructures.Justtociteoneexample:considertheglobalSignalingSystem7(SS7)network.NetworkoperatorsconnecttoitwithsystemsthatarealsoconnectedtotheInternet;SS7trafficcrossesthesamefibersasothertraffic,andattheendpoints,SMSmessagesthatcrosstheSS7networkcancausesmartphonestotakeInternetactions.Therearemanymoreexamples.ThepointI’dliketomakeisthatisolatedislandsarerarelyactuallyisolated,butmanyofthemaresecuredanddefendedasiftheywere.


Next,maliciousactorsandcriminalsfollowvalue.AstheU.S.andothercountrieshaveshiftedmoreofoureconomic,governmental,andsocialactivitiesintocyberspace,themotivationsincreaseforthreatactorstoshifttheiractivitiestheretoo.We’veseenendlessexamplesofthis.Valuecanbefoundinsomethingassimpleasmoney,orasabstractasgeopoliticalinfluence.Third,today’ssecurityfeatures,standards,andpracticesarebetterthantheyeverwere.Inmostareas,they’veprogressedenormouslysinceIenteredthisfieldinthelate1980s.Thatshouldmakeexploitationofconnectedsystemsharder.Severalfactorshavepreservedtheexploitabilityofsystems,evenasthecomponentsthatcomprisethemhavegottenmoresecure.Someimportantfactorsareasfollows.

• Securityisnotconsistent.Someportionoftheindividualcomponentsthatmakeupoursystemsareinsecure,badlyconfigured,oroutofdate.Therefore,mostsystemshavepointsofvulnerability,andattackershavedevelopedeffectivetradecrafttofindthem.Itisnotpossibletoeliminateallpointsofvulnerability,butcurrently,theyarefartoocommon.(Notealso,whilesecurityhasimprovedformanyelementsofcyberspace,therapidgrowthofcyber-physicalsystems,aka“InternetofThings”,seemstoberecapitulatingoldmistakes).

• Trustrelationshipsareeverywhere.Theycriss-crosseverypartofcyberspace,offeringattackersavenuesforleveraginginitialaccessintoexploitationofvalue.Trustrelationshipsareessentialtothedigitaleconomy,buttheyarecurrentlysubjecttoinadequatecontrol.

• Defenseofcyberspaceislargelyexecutedonanindividualbasis,personbypersons,enterprisebyenterprise.Thisallowsattackerstogainrepeatedbenefitfromeachtradecraftortoolinvestmentbecauseeachenterpriseorcommunitymustindependentlylearntorecognizeanddefeatit.thisisanareawherewe’vemadesignificantprogressinrecentyears,anddetectionofsometradecraftelementshasbecomemoreofasharedendeavor,mediatedbysecuritycompanies,sectorcouncils,andconsortia.Betterdetectionisusefulbutnotsufficient.

• State-sponsoredactorsdonotlimittheiractivitiestostatetargets,butinstead,exploitanyentitythatmightaffordapathtotheirgoals.Thisisafundamentallyasymmetricsituation-stateactorshaveresourcesandaccessesthatindividualprivatesectorcompaniescannotmatch.Thisasymmetryisfataltotheconfidencenecessaryforgrowingthedigitaleconomy.

• Scale.Asournetworkshavegrown,andallsectorsofoursocietyhavetakenupcyberspace,thescaleofthisproblemhasexploded.Andyet,agreatdealofdefenseofthesenetworksisstillperformedmanually.Thisiscostlyorimpossibletoscaleup,anditistooslow.(Abasicgoalofcyberdefenseistorespondtoanintrusionorcompromisebeforetheattackercangainvalueofit,manualoperationscannotoftenaccomplishthis).

• Finally,wefaceashortageofskilledandeducatedworkerstotakeonrolessecuringanddefendingthedigitaleconomy.Thisshortageisreflectedateverylevel,frombasicentry-levelnetworkmanagerstoseniorresearchers.Thetechnologiesofcyberspacewillcontinuetogrowandchange,andattackerswillcontinuetodevelopnewtradecraft.Withoutasolidworkforce,wewillnotbeabletomaintainorimprovesecurityinthelongterm.

Recommendations

HardeningandHygiene

Thehardestthingweneedtodoistoraisethebasiclevelofsecurity,bothsecurityfunctionalityacrossproductsandservices,andthesecurityhygieneofconnectedsystems.Componentsandsystemscanneverbeperfectlyhardenedagainstintrusions,buttheycanandmustbebetterthanwhatwehavetoday.

Productsandservicesmustimplementcoresecurityfunctionality,andusersofthosesystemsmusthaveconfidencethatthefunctionswerevalidatedandaremaintained.FormostenterpriseITcomponents,suchasserveroperatingsystems,networkdevices,andofficeapplications,suppliersare


largelygoodatincorporatingthesefunctions.Thenextchallengeisensuringthatthey’reenabledbydefault,andaremaintainedoveraproduct’slifetime.

Inotherareas,evenbasicsecurityfunctionalityisnotyetconsistentlyavailable,anddefaultconfigurationsareofteninsecure.Afewoftheareaswherethishasbeenreportedandindependentlyconfirmedindustrialcontrolsystems,vehicletelemetricsystems,andmobileapplications.Certificationprogramscanbeeffectiveatpromotingindustryimprovement,suchastheNationalInformationAssurancePartnership(NIAP)forITcomponents,andtheFederalRiskAssessmentandManagementProgram(FedRAMP)forcloudservices.Butpressurefromconsumerandbusinesscustomersismoreeffective,whetherdrivenbyregulationorincentiveprograms.Further,itisuptogovernmentandindustrytocollaboratetosetthestandardsagainstwhichproductsandservicesshouldbecertified-mostrecentNIAPProtectionProfilerequirementshavebeendefinedbytechnicalcommitteeswithmembershipfromgovernmentagencies,industryleaders,andofteninternationalpartnerships.Thisapproachhasworkedwellandshouldbeextended.

Enterprisesmustimprovetheconsistencyofsecurityconfigurationandpractice.Thischallengeiswidelyunderstood,andmanyenterpriseshaveundertakenprogramstoimprovetheirowncyberhygiene,justastheDepartmentofDefenseisdoingrightnow.Onecriticalfactorforsuccessisforanenterprisetoreallyunderstandtheriskstheyface,sotheyaremotivatedtoactivelymanagethem.ThecybersecurityframeworkpublishedbyNISTin2014isonemeansofdoingthis,andhasproveneffectiveinmanyindustrysectors.Drivingwideradoptionoftheframeworkwouldboostcybersecurityacrossmultiplepartsofthedigitaleconomy.

Individualconsumers,however,donothavetheresourcestoundertakeriskanalysesandinvestinsecuringtheirnetworkservices.Boostingsecurityinthisrealmwillrequireacoordinatedstrategyofawareness,productimprovement,andincentivestokeepsystemsmaintained.Thereareseveralthingswecandointheshortterm;herearetwospecificrecommendations:

• CredentialProtection:On-lineserviceprovidersshouldofferbasicfrauddetection,notification,andresponseservicesforconsumeraccounts.Manyofthelargerprovidersalreadydothis,buttherearenostandardsorrecognitionforit.Thisisanareawheregovernmentcanandmustworkwithindustrytoestablishstandards,andthenpromoteadoptionofthosestandardsthroughconsumerprotectionmechanisms.

• ImprovedDomainNameServices:TheDomaineNameService(DNS)isafoundationalserviceforallconsumerInternetusers,anditisfrequentlyabusedbythreatactorstosupporttheirmaliciousactivities.Theseabusesarewell-knownandtrackedbysecuritycompaniesandnetworkserviceproviders.AllconsumersshouldbeprovidedDNSwhichprotectsthembydefaultfromknownmalicioussitesandmappings(opt-outshouldalwaysbeofferedtoo,butmostconsumerswon’tneedit).

SharedDefense

Hardeningwillneverbeperfect,andevenahighlysecuresystemmaybeexposedthroughtrustrelationships.Therefore,weshouldalwaysbepreparedtodefendsystemsduringattacks,andrecoverthemifattackssucceed.AsInotedearlier,mostdefensetodayisconductedonanindividualbasis,thuspermittingthreatactorstoleveragetradecraftinvestmentacrossmanytargets.Informationsharingisapartofthis,andwithincertainindustrysectorsitisalreadyprovidinggreatbenefit.Butwemustworktowardpracticesandtechnologiesthatwillpermitcooperative,integratedshareddefense.TherearethreeelementsofshareddefensethatI’dliketodescribetoday.

• First,broadinformationsharingisnecessary,andatmachinespeeds.Thiswillrequirebothtechnicalsupports,suchasdataformatsandtransportservices,andlegalsupports,suchasclearauthorities,rightsandprotections.Somesolidtechnicalstandardsalreadyexist,suchastheSecurityContentAutomationProtocol(SCAP)specificationsfromNIST,andtheStructuredThreatInformationeXpression(STIX)requirementsfromDHS.U.S.governmentagenciesare


leadingthewayonprovidinginformationintheseformats,butthereisfarmorewecoulddo.Mostimportantly,governmentmustsettheexamplebybeingafullparticipantincyberthreatinformationsharing.

• Second,weneedarobust,trusted,instrumentednetworkinfrastructure.Thisisanessentialpartofcreatingadefensiblecyberspace.NetworkoperatorsintheU.S.protecttheirowninternalsystems:themainexposureisattheseamsbetweenthem.Securitybestpracticesexistformanycoreinfrastructureservices,suchasBorderGatewayProtocol(BGP)routingandSS7messaging.Theseneedtobecomprehensivelyapplied,ideallyasaconditionofofferingcarrierservicesintheU.S.market.TheDNSinfrastructuremustalsobetrusted,andamatureDNSSecurity(DNSSec)standardexists.GovernmentandindustrywillneedtoworktogethertomakethatDNSSecubiquitous.Oncethisisdone,therewillbetremendousbenefitstodigitaleconomy,becauseDNSwillbeabletoserveasabaseforothersecureservices.

• Third,weneedtobuildmechanismsforautomated,orchestratedandtimelynationalresponsetocyberattacks.Today,theprimarymechanismisforcoordinatingdefensiveresponsesamonggovernmentandindustrystakeholdersisthroughholdingvideoteleconferencesandpublishingadvisories.Thosewhoarenotfastenoughriskimpactsfromacatastrophicnewvulnerabilityorlargescaleattack.Thisisasituationwheregovernmentmusttakethelead,initiallywithnetworkoperatorsandthenwithabroaderspectrumofcyberspaceserviceproviders.Together,stakeholdersmustworkoutacommonresponsecourseofaction,triggermechanisms,andsecurecommunicationchannelsforcoordinatedaction.itwilltakealotofhardwork,butluckilysomeofitisalreadyinprogress.

IdentityandTrust

Trustrelationshipsarebuiltonidentityandauthentication,andtheyareessentialtoconfidenceincyberspace.Toenablethegrowthanddiversificationofthedigitaleconomy,wewillneedanarrayofservicesforidentity,authentication,andassociatedservices.TheNationalStrategyforTrustedIdentitiesinCyberspace(NSTIC)wasstartedinApril2011,withtheintentofkickstartingthedevelopmentofsuchanidentityandtrustecosystem.Ithasmadesomeprogress,butmuchmoreneedstobedone.

Animportantaspectoftheidentityecosystemmustbetheabilitytosecurelyassociateattributeswithidentities.Forexample,Ihaveanidentityasafederalemployee,embodiedbyapublickeycertificateandanassociatedprivatekeystoredonmyDoDCommonAccessCard.Thisallowsme,forexample,tosendasignedemailthatallowsarecipientanywhereintheworldtovalidatethattheemailcamefromme.(Individualconsumersdon’thavethiseasilyavailabletothem,andthatisoneofthemanychallengesthattheNSTICsetouttoaddress).ButIneedtobeabletodomorethanassertmyidentity,Ineedtobeabletosecurelyassertattributes,suchasmyemploymentstatuswiththeNSA,orthatI’mauthorizedtoworkonaparticularprogram,orthatIhaveacertaininsurance.Requirementsforthesekindsofassertionscropupthroughoutdigitaleconomy,butmeansforsupportingthemvarywidely.

ThisisanareawheretheU.S.governmentcanleadbyexample,byendorsingandthenusingrelevantstandards,andsupportingcapabilitiesforpartiestomakesecureassertions,initiallyaboutemployees,butperhapseventuallyaboutanycivilian.

Finally,anyidentityecosystemmustsupportrapid,trustedresponsetocompromiseofidentitycredentials.Thereareafewtechnicalstandardstohelpsupportthis,butafewcommonpracticesorpolicies.Thisisanareawhereindustrywillprobablyhavetolead,butgovernmentcouldhelptobringstakeholderstogetherandpromoteacommonbaseline.

InternationalPartnering

TheU.S.willrealizethegreatestbenefitwhenweenhanceourowncybersecurityinconcertwithothernations.TherearemanystepsthattheU.S.cantakeonitsown,butmostofthosearemoreeffectivewhenthey’reglobal.Inparticular,thetrustrelationshipsthatactasthetopographyofthedigitaleconomyoftencrossnationalboundaries.


First,informationsharingandcybersituationalawarenesscanandshouldbeextendedtoU.S.allies,bothgovernment-to-government,andwithinvariousindustrysectors.Thishasalreadybeguninsomeareas,suchasviatraditionalintelligenceandlawenforcementpartnerships,butitneedstobecomethecommonpractice.Cyberthreatactorsthriveonignoranceamongtheirtargets;bysharinginformationtocreateacommon,multi-nationalviewofcyberspace,weimproveallparticipantsdefense.

Realizingthisbenefitwillprobablyrequireseveralsteps.Wecanbeginwithbi-lateralagreementstosharethreatindicators,malwaresamples,andnetworktrafficstatisticsdirectly(machine-to-machine).Laterstepscouldincludepoolingofdatawithinexistingtreaties.Muchoftherelevantinformationisheldbyprivatesectorentitiessuchasnetworkoperators,butpolicyandlegalbarrierspreventthemfrompoolingtheirknowledge.Thismaybeacasewheregovernmentsneedtoactasthehubsforsharedvisibilityandthreatawareness.

Next,we’reallawareoftheworktowardtheestablishmentofinternationalnormsforbehaviorincyberspace.Therehasbeenalotofgreatworkinthatareasofar,suchasChristopherPainter’sworkattheStateDepartment,andprivategroupssuchastheDigitalEquilibriumProject,justtociteafewexamples.ThisisanareawheretheU.S.anditsalliesmustcontinuetopush,throughdirectengagementandininternationalfora.Acriticalaspectofthismustberespectforfinancialandeconomicintegrity.

Beyondinformationsharingandboundingegregiousbehavioriscoordinateddefense.Oncewehavesufficientinternationalsharedvisibilitytoidentifymajorthreats,thenextstepiscoordinatingmulti-nationresponsestothem.Asimpleexamplewouldbelargedistributeddenialofservice(DDoS)attacks.Thesourcesthatcontributetosuchattacksarefrequentlydistributedacrossseveralcountries.Coordinatedresponsecanshutdowntheseattacksmoreeffectivelythanpiecemealefforts,andactasamoreeffectivedeterrentagainstthreatactorswhousethem.Creatingthemechanismsandpracticesforinternationallycoordinateddefensewillbehard,butwecanstartsmall.TheU.S.mightchoosetostartwithourFVEYSpartners,buildingonthemanyareasofwherewealreadycooperate.

TheU.S.anditsallies,together,candrivetheinternationalagendaforenhancingkeyaspectsofglobalcybersecurity.Weshouldseizethatopportunity.

WorkforceandPreparingfortheLongTerm

ManyoftheareasI’vedescribedinthisstatementareabouttechnicalmeasureswecantaketoimproveourcontemporarycybersecurityposture.Buthowcanwecreateconditionsforlong-termsuccess?Howcanweprepareforsustainingconfidenceascyberspacecontinuestogrowandchange?

Welacksufficientworkforcetofillcybersecurityanddefenseroles.Theshortagewillcontinueindefinitelyunlesswetakeactiontoalleviateit.Automationwillhelpsome,byincreasingdefenders’scopeandefficiency.Ibelieveweneedtopursuethreeparallellinesofeffort:

• Buildupeducationalcapacityincyberspaceareas,withemphasisonsecurityanddefense• Supportstudentspursingdegreesandcertificatesintheseareas,bothdirectlythrough

scholarships,andindirectlythroughinternshipprogramsandindustryincentives.(TheNSFCybercorpsScholarshipforServiceprogram,forexample,hasbeenverysuccessfulindrawingtalentedundergraduatesandgraduatestudentsintocybersecurity,andthenplacingthemingovernmentpositionsatthestartoftheircareers).

• Extendeducationincybersecuritybasicsdowntoasecondaryschoollevel.Thebestmechanismforthis,sofar,hasbeeneducationforteachers,butcompetitionsandsummerprogramsforstudentshavealsobeeneffectiveatsmallscales.

I’vebeeninvolvedinNSA’seffortstofosterinformationassuranceandcyberdefenseeducationsinceabout2003,andtogetherwithDHS,wehavemadeadifference-theU.S.nowhasasolidbasefromwhichtobuild.Butthecurrentprogramsareverysmall.Wecandomorefromgovernment,andevenbetterweneedtogettheprivatesectormoreinvolvedinsupportingstudentsandbuildingcapacity.


Preparingtheworkforcefortomorrow’schallengesisalong-terminvestment,butonethatwillyieldsustainedreturnforthedigitaleconomy.

Besidesthecorefoundationoftheworkforce,futurecybersecurityalsodependsonvitalandinnovativeresearchanddevelopmentcommunity.TheU.S.isinprettygoodshapeonthedevelopmentside;we’vehadmanynimblecompaniesandinvestorstosupportthem.Buttheydependonasteadystreamofnewideasandinnovativeresearchers.Theprimarysourceforthoseareourresearchuniversities.Studentsupportmustextenduptothedoctorallevel,becausethosegraduatesarethenextgenerationofresearchleadersandprofessors.Directresearchfundingisalwaysgood,butgovernmentmaybeabletocreategreaterimpactbyfacilitatingtechtransfer.Therefore,Irecommendsettingupaprogramforimprovingdisseminationofgovernment-fundedcybersecurityresearchresults,andencouragingindustrytotakeadvantageofit.

TheU.S.hasastrongfoundationineducationandresearchforcybersecurity.Ifwecanleverageit,wecansustaintechnologicalleadershipinthiscriticalarea,andbebetterpreparedforfuturecybersecuritychallenges.

Conclusions

I’veoutlinedafewofthechallengesIthinkaremostimportanttoaddressinthecurrentcybersecurityenvironment.Noneofthemareunsurmountable.Wehavethebasenecessarytoaddressthem,bothinthepublicandprivatesectors,weneedtoapplysomefocusedefforts.

• Promotesecurityimprovementsincommercialproductsandservicesbysettingstandards,testingagainstthem,anddrivinguseofproductsthatpass

• Driveconsciousassessmentandmanagementofrisk,throughuseofwell-structuredframeworks

• Hardenfoundationalservicesthatsupportsecureactivityincyberspace,especiallythedomainnameservice,servicesforidentity,andInternetrouting

• Aggressivelyadvanceinformationsharing,throughautomatedmeans,throughbothtechnicalandpolicymechanisms

• Buildthefundamentalsforshareddefense,includingtechnicalstandardsfororchestratedresponseandpracticesforexecutingit

• Continuetobolstertheecosystemfortrustworthyidentity,andstandardizingthemeansforsecureattributeassertions.Governmentmustleadbyexampleinthisspace

• Extendinformationsharingacrossinternationalallies,tocreatebroadervisibilityofcyberspaceactivity,andthebasisforcoordinatedinternationalresponseforcyberattacks

• Buildupeducationalcapacityandsupportstudentspursuinganeducationincybersecurity• Sustainnationalcybersecurityresearchcapacity,andpromotetransferofresearchresultsto

themarket

Byundertakingthesemeasures,IbelievethattheU.S.cancreatetheconfidencethatisessentialforgrowingthedigitaleconomy.

Documents

COMMISSION ON ENHANCING NATIONAL CYBERSECURITY