Rep. Darrell Issa (R-CA), Chairman of the House Committee on Oversight and Government Reform, held the first in a series of hearings today on cybersecurity. The hearing focused on the role of Homeland Security in addressing the vulnerability of the nation’s infrastructure to cyber attacks and was held at 9:30 AM ET.
The following is a live blog of what was said during the hearing:
9:35 AM ET Rep. Darrell Issa reads opening remarks. In his statement he notes potential US losses of intellectual property could exceed $240 billion and says, “If you leave your door open, you can lose the contents of your house.” Through working with private enterprise, government will work to provide “master locks and keys” to protect contents of “our house.”
Issa would like to ensure information is “a two-way street and that this not simply be a way to empower trial lawyers” so that small businesses are not victimized by a lawsuit for not reporting threats from hackers in a timely fashion.
Issa concludes, “Not since the end of WWII has America seen a great threat looming for so long.” He compares the threat to fascism.
9:45 AM ET Ranking member Rep. Elijah Cummings (D-MD) gives his opening remarks. He says Leon Panetta called cybersecurity the battleground for the future. He notes that Obama issued a cybersecurity proposal on May 12 that makes key changes to the Federal Information Security Management Act (FISMA).
Cummings hopes there will be a Senate confirmable official, who will work to set national cybersecurity policy.
Private industry owns approximately 85% of the nation’s critical infrastructure. The proposal allows industry to set up its own frameworks for addressing the threat, but Cummings adds that there should be government oversight ensuring that they are adequately protecting the nation from threats.
He continues: the administration proposal would allow any entity to share with DHS personally identifiable information that would not be allowed under current law. We must be careful that PII is shared with the government only when necessary.
On criminal penalties for hackers, Cummings says, “Law enforcement should have every tool necessary to go after hackers.” He also recommends that mandatory minimum sentencing not unduly interfere with judges’ ability to set their own penalties at sentencing.
9:47 AM ET Rep. Jim Langevin (D-RI), who has previously pressured the GOP to be included in hearings on cybersecurity, says digital connectivity has made us more vulnerable. Bad actors scour the web for things like intelligence secrets, politicians’ plans and intentions, etc. He says they use advanced persistent threats, social engineering and spear phishing. He cites an example of a most devastating attack: the WikiLeaks incident.
9:50 AM ET First witness addressing committee is Mr. Greg Schaffer, Acting Deputy Undersecretary National Protection and Programs Directorate U.S. Department of Homeland Security. He says, “Adversaries are capable of targeting elements of our critical infrastructure.” This is the reality. “Hackers probe critical infrastructure companies on a daily basis.” Requires engagement of the entire society.
He describes the cybersecurity proposal on the table saying that there would be programs for public-private partnerships. Homeland Security would seek to provide assistance such as risk assessments or incident response.
9:55 AM ET Schaffer says information sharing barriers would be removed, eliminating the issue of getting data to help the community.
10:00 AM ET Second witness, Mr. James A. Baker, Associate Deputy Attorney General, U.S. Department of Justice. Baker discusses data breaches and data thefts, saying the Obama Administration’s data breach proposals would replace 47 state laws with a federal law that would set a standard requiring companies to inform consumers immediately when a breach of data occurs. It also establishes rules on what must be reported to law enforcement when there is an intrusion, so that the FBI and other agencies could find the culprits.
10:13 AM ET Rep. Issa hopes that the cybersecurity plans for America’s future will include California because policy is, according to him, usually 49 states plus 1.
10:15 AM ET Rep. Issa & Baker going back and forth on sharing of information between private sector and government. There would be voluntary sharing protections. They are discussing implied immunity versus an explicit immunity. Issa says, “We don’t want someone to voluntarily provide information in order to gain immunity that they wouldn’t have.”
10:20 AM ET Schaffer continues conversation on voluntary sharing of information. He continues to address the possibility that information, which can address cybersecurity issues, might be made public in a way that is not in “good faith.”
10:21 AM ET Baker suggests that if persons in companies voluntarily share information they need “clarity” and they need privacy. There should be Freedom of Information Act exemptions so that what they provide does not end up public.
10:28 AM ET Rep. Jason Chaffetz (R-UT) pushing Schaffer to address the issue of what is known as the “supply chain,” which is the idea of faulty mechanisms or malware being embedded in foreign technology coming into the US for use and purchase. Schaffer hesitates, pauses and doesn’t really have an answer. He has Rep. Chaffetz restate question.
10:30 AM ET Rep. Chaffetz sees problems arising between public and private sector, when it comes to dialogue.
10:31 AM ET Rep. Scott DesJarlais (R-TN) asks, “At what point do cyber attacks carried out by foreign governments become cyber war?”
10:32 AM ET The answer from Baker: if the effects were kinetic enough, they could be considered an act of cyber war. But, legally, it is murky.
10:34 AM ET There is no single way to estimate what the costs of cyber attacks would be. More and more critical infrastructure is being attached to the Internet to increase efficiency, says Schaffer.
10:35 AM ET On weaknesses in our IT supply chain, Schaffer cannot identify the most significant weaknesses. The issue is complex because we have a global economy.
10:37 AM ET Rep. Gerry Connolly (D-VA) asks if we are working with right metrics when we measure cybersecurity. He also asks about uniformity among agencies to handle measurements. His question particularly has to do with FISMA.
10:38 AM ET Schwartz answers that the focus should be on making it possible for the inspector general to look at information and determine what is critical to agencies. Butler says that as we work to improve “cyber hygiene practices” the metrics will be updated.
10:39 AM ET Rep. Connolly asks: is there a mechanism for engaging best practices, a forum for tapping into the private sector?
10:42 AM ET Hobby hackers, terrorists and organized criminals are all trying to attack, Rep. Blake Farenthold (R-TX) says. “Not a day goes by that I don’t have to install some kind of security update on my computer.” He adds: do we need to focus on hardening systems against attack? Do we need more prosecution? “Where’s the best bang for the buck?”
10:44 AM ET Schaffer says we need to be doing it all.
10:45 AM ET Rep. Farenthold is concerned that with closer cooperation between private companies and government, his private communications could by accident become accessible to government and then public. He asks, “How are we addressing those concerns?”
10:46 AM ET We have to have measures in place to protect the “legitimate privacy expectations” of the public. There is a variety of laws that need a close look, says Baker.
10:47 AM ET Schaffer says that DHS is working closely with private sector. Schwartz says NIST is designed to work closely with the private sector. He talks about government developing standards the private sector can use.
10:49 AM ET Butler explains that the DoD is consulting on services and products and is heavily engaged with security firms with regard to ensuring that we have the latest and greatest products installed. “HBSS [host-based security systems] is an example as we kind of work through the WikiLeaks mitigation.” There is continued work on threat mitigation.
10:52 AM ET Schwartz says there are numerous working groups on cybersecurity proposal development across government agencies, and there is no problem with closing some of them down if necessary, because we all have many meetings to attend.
10:53 AM ET Rep. Langevin asks about cost of moving to an IT infrastructure of constant monitoring and reporting.
10:54 AM ET Schaffer says compliance today can buy down risk. The work we do with agencies to improve cybersecurity can… He doesn’t have a dollar amount but says that over the long run built-in security will be cheaper than just bolting it on.
10:55 AM ET Rep. Langevin wants to know why a strengthened White House office for handling cybersecurity was not considered.
10:57 AM ET Schaffer says that the budget would be handled by OMB and DHS would handle other aspects. That’s how it would be. He doesn’t answer the question.
10:58 AM ET The US Chamber of Commerce has rejected the proposal as layering on regulation that will hamper the private sector. They are concerned the measures are overly broad. Rep. Chaffetz wants to know what Schaffer thinks.
10:59 AM ET Schaffer doesn’t really accept the premise of the question. He believes that industry will be protected and that transparency will engage market forces.
11:00 AM ET Rep. Chaffetz wonders if Homeland Security will be going out and saying “here are the weak of the weak.”
11:02 AM ET Here’s a good back and forth —
Chaffetz: We have to follow this more closely. We know this is happening.
Butler responds that we would look closely and determine if we have a right to respond.
Chaffetz asks again, “When you know it’s an actual country what are you doing about it?” Do we just put it under the rug to not be embarrassed?
The International Cyberspace Strategy lays out norms as we move to engage, says Butler. We will work with nations to determine what is going on in their territory.
Chaffetz: You’ve got some kid in a van down by the river doing this stuff, but you also have state sponsors. What are you doing about that?
11:04 AM ET Rep. Cummings concludes: On 9/11, which should be seared in our memories, they wanted to disrupt our way of life. When you think about terrorists, and we’ve killed OBL, when you think about trying to bring harm to the US, someone can sit at a computer and do all kinds of harm.
11:05 AM ET We need to not overreach into what private companies are doing and protect people’s civil liberties, concludes Rep. Chaffetz. The committee is adjourned. End of hearing.