Cyber Threats Facing America: an Overview of the Cybersecurity Threat Landscape
Total Page:16
File Type:pdf, Size:1020Kb
S. Hrg. 115–298 CYBER THREATS FACING AMERICA: AN OVERVIEW OF THE CYBERSECURITY THREAT LANDSCAPE HEARING BEFORE THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE ONE HUNDRED FIFTEENTH CONGRESS FIRST SESSION MAY 10, 2017 Available via the World Wide Web: http://www.fdsys.gov/ Printed for the use of the Committee on Homeland Security and Governmental Affairs ( U.S. GOVERNMENT PUBLISHING OFFICE 27–390 PDF WASHINGTON : 2018 COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS RON JOHNSON, Wisconsin, Chairman JOHN MCCAIN, Arizona CLAIRE MCCASKILL, Missouri ROB PORTMAN, Ohio THOMAS R. CARPER, Delaware RAND PAUL, Kentucky JON TESTER, Montana JAMES LANKFORD, Oklahoma HEIDI HEITKAMP, North Dakota MICHAEL B. ENZI, Wyoming GARY C. PETERS, Michigan JOHN HOEVEN, North Dakota MAGGIE HASSAN, New Hampshire STEVE DAINES, Montana KAMALA D. HARRIS, California CHRISTOPHER R. HIXON, Staff Director GABRIELLE D’ADAMO SINGER, Chief Counsel COLLEEN BERNY, Professional Staff Member MARGARET E. DAUM, Minority Staff Director JULIE KLEIN, Minority Professional Staff Member LAURA W. KILBRIDE, Chief Clerk BONNI DINERSTEIN, Hearing Clerk (II) C O N T E N T S Opening statements: Page Senator Johnson ............................................................................................... 1 Senator McCaskill ............................................................................................ 2 Senator Lankford .............................................................................................. 15 Senator Daines ................................................................................................. 18 Prepared statements: Senator Johnson ............................................................................................... 31 Senator McCaskill ............................................................................................ 32 WITNESSES WEDNESDAY, MAY 10, 2017 Jeffrey E. Greene, Senior Director, Global Government Affairs and Policy, Symantec Corporation ......................................................................................... 4 Steven R. Chabinsky, Global Chair of Data, Privacy, and Cyber Security, White and Case LLP ............................................................................................ 6 Brandon Valeriano, Ph.D., Donald Bren Chair of Armed Politics, Marine Corps University, and Adjunct Fellow, Niskanen Center ................................ 8 Kevin Keeney, Captain, Missouri National Guard, and Director, Cyber Inci- dent Response Team, Monsanto Company ........................................................ 10 ALPHABETICAL LIST OF WITNESSES Chabinsky, Steven R: Testimony .......................................................................................................... 6 Prepared statement .......................................................................................... 42 Greene, Jeffrey E.: Testimony .......................................................................................................... 4 Prepared statement .......................................................................................... 34 Keeney, Kevin: Testimony .......................................................................................................... 10 Prepared statement .......................................................................................... 69 Valeriano, Brandon Ph.D.: Testimony .......................................................................................................... 8 Prepared statement .......................................................................................... 58 APPENDIX Center for Strategic and International Studies report submitted by Senator Johnson ................................................................................................................. 73 EPIC statement for the Record .............................................................................. 97 Kaspersky Lab statement for the Record .............................................................. 99 Responses to post-hearing questions for the Record Mr. Greene ........................................................................................................ 106 Mr. Chabinsky .................................................................................................. 115 Mr. Valeriano .................................................................................................... 124 Mr. Keeney ........................................................................................................ 133 (III) CYBER THREATS FACING AMERICA: AN OVERVIEW OF THE CYBERSECURITY THREAT LANDSCAPE WEDNESDAY, MAY 10, 2017 U.S. SENATE, COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS, Washington, DC. The Committee met, pursuant to notice, at 10:06 a.m., in room SD–342, Dirksen Senate Office Building, Hon. Ron Johnson, Chair- man of the Committee, presiding. Present: Senators Johnson, Lankford, Daines, McCaskill, Carper, Tester, Heitkamp, Peters, and Hassan. OPENING STATEMENT OF CHAIRMAN JOHNSON Chairman JOHNSON. Good morning. This hearing will come to order. I apologize for my tardiness. I thought the vote was actually scheduled for 10. I want to welcome the witnesses. I want to thank you for your thoughtful testimony. I think this will be an excellent hearing based on reading the testimony. This Committee has four primary goals: border security, we have held, I think, 23 or 24 hearings on it now; cybersecurity, the sub- ject of this Committee hearing; protecting our critical infrastruc- ture, which has a lot of cybersecurity components to that as well, and combating Islamist terror, any type of extreme violent behav- ior, also definitely has a cyber component to it as well. So, this is going to continue to be a focus. I really do appreciate the way we are going to discuss this today. Again, based on the tes- timony, it is going to be a very good presentation of a variety of views in terms of what we need to do. What I am hoping to certainly get out of this is what we have gotten out of some earlier hearings. We held a hearing on agents on the front line trying to secure our border and enforce our immi- gration laws, and out of that hearing, I think, we developed a con- sensus and a process for trying to give those agencies the authority to fix their personnel issues so they can actually hire the people and treat them with parity. Last week we had a hearing on the Government Accountability Office (GAO) duplication, and I think we also developed a con- sensus that we need to take GAO’s recommendation to actually produce legislation to force the agencies to actually implement their recommendations. (1) 2 What I am hoping we get out of this hearing, because I think this is really the crux of what we need to do in government, is we have to figure out how we can employ, engage, utilize the absolute best and brightest minds when it comes to dealing with this enor- mously difficult, enormously complex issue of how do we protect the Internet, the Internet of Things (IOT), our cyber assets from the relentless and incredibly destructive attacks that are just ongo- ing virtually every second of the day. It was General Keith Alexander, the former National Security Agency (NSA) Director, who said that cyber attacks represent the greatest transfer of wealth in history. I have a report here, I guess by the Center for Strategic and International Studies.1 They did an estimate. Somewhere between $375 and $575 billion per year is what they are estimating is the global economic cost of all these cyber attacks. Again, this is an important hearing. It is just going to be one in a series as we try and grapple with this. But, again, what I am hoping is we all recognize we have to figure out how to break through the bureaucratic rules, our pay scales, or how do we en- gage the private sector so we literally do have the best and bright- est. And, by the way, we have some really fabulous patriots who are working at way below what they can make in the marketplace al- ready working in different agencies here addressing this. We just need to make sure we get as many bright minds as possible work- ing on such a difficult issue. I do ask unanimous consent that my written statement be en- tered in the record.2 Without objection, so ordered. Chairman JOHNSON. And, with that, I will turn it over to Senator McCaskill. OPENING STATEMENT OF SENATOR MCCASKILL3 Senator MCCASKILL. Thank you, Chairman Johnson. This hearing is an important opportunity for us to focus on the threats we face and to begin talking about how to address our Na- tion’s cybersecurity needs. We have critical vulnerabilities in cybersecurity, and they impact our Nation and countries around the globe. The Federal Govern- ment, States, and the private sector have all experienced cyber breaches with devastating outcomes. Just last week, a candidate in the French Presidential race had electronic messages and documents from his campaign hacked and posted online in an attack that looks remarkably similar to the at- tack on the Democratic National Committee (DNC) just prior to the party’s summer convention, nominating convention, and prior to the Presidential elections. The perpetrators of these types of attacks are trying to under- mine our democracy by tarnishing particular candidates. In this in- stance, those attacks were, in fact, carried out by Russia to influ- ence voters and portray our electoral system as flawed. 1 The report referenced