
Cybersecurity Concerns

of the U.S. Government

Compiled and Edited by

Michael Erbschloe
Connect with Michael on LinkedIn

©2018 Michael Erbschloe


Table of Contents

Section Page Number
About the Editor 2
Introduction 4
NIST Testimony on Computer Security Issues 2000 6
FBI Testimony on the National Infrastructure Protection Center 2002 12
FBI Testimony on Cyber Terrorism 2005 26
FBI Testimony on Cybersecurity Issues 2011 33
DHS Testimony on Understanding Risks and Building Capabilities 2014 45
NIST Testimony on WannaCry 2017 55
Examining DHS’s Cybersecurity Mission 2017 64
SEC Statement on Cybersecurity 2017 73
About the Editor
Michael Erbschloe has worked for over 30 years performing analysis of the economics of
information technology, public policy relating to technology, and utilizing technology in
reengineering organization processes. He has authored several books on social and management
issues of information technology that were published by McGraw Hill and other major
publishers. He has also taught at several universities and developed technology-related
curriculum. His career has focused on several interrelated areas:

• Technology strategy, analysis, and forecasting
• Teaching and curriculum development
• Writing books and articles
• Publishing and editing
• Public policy analysis and program evaluation

Books by Michael Erbschloe

Threat Level Red: Cybersecurity Research Programs of the U.S. Government (CRC Press)
Social Media Warfare: Equal Weapons for All (Auerbach Publications)
Walling Out the Insiders: Controlling Access to Improve Organizational
Security (Auerbach Publications)
Physical Security for IT (Elsevier Science)
Trojans, Worms, and Spyware (Butterworth-Heinemann)
Implementing Homeland Security in Enterprise IT (Digital Press)
Guide to Disaster Recovery (Course Technology)
Socially Responsible IT Management (Digital Press)
Information Warfare: How to Survive Cyber Attacks (McGraw Hill)
The Executive's Guide to Privacy Management (McGraw Hill)
Net Privacy: A Guide to Developing & Implementing an e-business
Privacy Plan (McGraw Hill)
Introduction
The FBI is the lead federal agency for investigating cyber attacks by criminals, overseas
adversaries, and terrorists. The threat is incredibly serious—and growing. Cyber intrusions are
becoming more commonplace, more dangerous, and more sophisticated. Our nation’s critical
infrastructure, including both private and public sector networks, is targeted by adversaries.
American companies are targeted for trade secrets and other sensitive corporate data, and
universities for their cutting-edge research and development. Citizens are targeted by fraudsters
and identity thieves, and children are targeted by online predators. Just as the FBI transformed
itself to better address the terrorist threat after the 9/11 attacks, it is undertaking a similar
transformation to address the pervasive and evolving cyber threat. This means enhancing the
Cyber Division’s investigative capacity to sharpen its focus on intrusions into government and
private computer networks. Key Priorities:

Computer and Network Intrusions

The collective impact is staggering. Billions of dollars are lost every year repairing systems hit
by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of
hospitals, banks, and 9-1-1 services around the country.

Who is behind such attacks? It runs the gamut—from computer geeks looking for bragging
rights…to businesses trying to gain an upper hand in the marketplace by hacking competitor
websites, from rings of criminals wanting to steal your personal information and sell it on black
markets…to spies and terrorists looking to rob our nation of vital information or launch cyber
strikes.

Today, these computer intrusion cases—counterterrorism, counterintelligence, and criminal—are
the paramount priorities of our cyber program because of their potential relationship to national
security.

Combating the threat. In recent years, we’ve built a whole new set of technological and
investigative capabilities and partnerships—so we’re as comfortable chasing outlaws in
cyberspace as we are down back alleys and across continents. That includes:

A Cyber Division at FBI Headquarters “to address cyber crime in a coordinated and cohesive
manner”;

Specially trained cyber squads at FBI headquarters and in each of our 56 field offices, staffed
with “agents and analysts who protect against and investigate computer intrusions, theft of
intellectual property and personal information, child pornography and exploitation, and online
fraud”;

New Cyber Action Teams that “travel around the world on a moment’s notice to assist in
computer intrusion cases” and that “gather vital intelligence that helps us identify the cyber
crimes that are most dangerous to our national security and to our economy”;

Our 93 Computer Crimes Task Forces nationwide that “combine state-of-the-art technology
and the resources of our federal, state, and local counterparts”;

A growing partnership with other federal agencies, including the Department of Defense, the
Department of Homeland Security, and others—which share similar concerns and resolve in
combating cyber crime.

Ransomware

Hospitals, school districts, state and local governments, law enforcement agencies, small
businesses, large businesses—these are just some of the entities impacted by ransomware, an
insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to
release them.

The inability to access the important data these kinds of organizations keep can be catastrophic
in terms of the loss of sensitive or proprietary information, the disruption to regular operations,
financial losses incurred to restore systems and files, and the potential harm to an organization’s
reputation. Home computers are just as susceptible to ransomware and the loss of access to
personal and often irreplaceable items— including family photos, videos, and other data—can be
devastating for individuals as well.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and
may click on an attachment that appears legitimate, like an invoice or an electronic fax, but
which actually contains the malicious ransomware code. Or the e-mail might contain a
legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects
their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any
attached drives, backup drives, and potentially other computers on the same network that the
victim computer is attached to. Users and organizations are generally not aware they have been
infected until they can no longer access their data or until they begin to see computer messages
advising them of the attack and demands for a ransom payment in exchange for a decryption key.
These messages include instructions on how to pay the ransom, usually with bitcoins because of
the anonymity this virtual currency provides.
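As an added example (not part of the FBI text quoted above), the following Python heuristic looks at the behaviour just described from the defender's side: it compares two snapshots of a file tree and flags a burst of documents replaced by encrypted-looking, high-entropy data, often renamed with a new extension, together with a freshly written note demanding payment. The snapshots, thresholds, marker words and file names are constructed assumptions.

```python
"""Heuristic detector for the file-encryption burst described above.

Added example, not code from the FBI or the editor: two snapshots of a
file tree are modelled as path -> bytes mappings. The detector counts
documents whose content jumped from low to high entropy (plain text to
ciphertext-like data), documents that vanished and reappeared under a
new appended extension, and any small readable file that reads like a
ransom note. All sample data and thresholds below are constructed.
"""
import math
import random
from collections import Counter
from typing import Dict, List

HIGH_ENTROPY_BITS = 7.0   # encrypted or compressed data approaches 8 bits/byte
MIN_SUSPECT_FILES = 5     # size of the rewrite burst that triggers an alert
NOTE_MARKERS = (b"decrypt", b"bitcoin", b"ransom", b"payment")   # constructed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; English text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(data: bytes) -> bool:
    """A small, readable file mentioning at least two ransom-related terms."""
    if len(data) > 4096 or shannon_entropy(data) >= HIGH_ENTROPY_BITS:
        return False
    lower = data.lower()
    return sum(marker in lower for marker in NOTE_MARKERS) >= 2


def assess(before: Dict[str, bytes], after: Dict[str, bytes]) -> dict:
    """Compare two snapshots and report ransomware-like indicators."""
    rewritten = 0            # same path, low-entropy content became high-entropy
    renamed = 0              # original vanished, "<original>.<ext>" appeared, high entropy
    notes: List[str] = []

    for path, data in after.items():
        if path in before:
            if shannon_entropy(before[path]) < HIGH_ENTROPY_BITS <= shannon_entropy(data):
                rewritten += 1
            continue
        source = next((p for p in before if path.startswith(p + ".")), None)
        if source is not None and source not in after and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            renamed += 1
        elif looks_like_ransom_note(data):
            notes.append(path)

    suspect = rewritten + renamed
    # A lone high-entropy file (a new archive, say) is normal; a burst of them, or
    # any encrypted-looking rewrite accompanied by a ransom note, is not.
    alert = suspect >= MIN_SUSPECT_FILES or (suspect > 0 and bool(notes))
    return {"rewritten": rewritten, "renamed": renamed, "notes": notes,
            "verdict": "ransomware-like" if alert else "benign"}


def constructed_scenarios():
    """Build a constructed document tree plus an attack-like and a benign successor."""
    rng = random.Random(7)
    text = b"quarterly figures and meeting minutes for the regional office "
    before = {f"docs/report{i}.txt": text * 20 for i in range(8)}

    # Attack-like successor: six documents renamed with an appended extension and
    # replaced by pseudo-random bytes, plus a dropped note; two documents untouched.
    attack = {f"docs/report{i}.txt": text * 20 for i in range(6, 8)}
    for i in range(6):
        attack[f"docs/report{i}.txt.locked"] = bytes(rng.getrandbits(8) for _ in range(1024))
    attack["docs/HOW_TO_DECRYPT.txt"] = (
        b"Your files are encrypted. Payment in bitcoin restores them.")

    # Benign successor: one document edited, one new compressed-looking archive.
    benign = dict(before)
    benign["docs/report0.txt"] = text * 21
    benign["docs/archive.zip"] = bytes(rng.getrandbits(8) for _ in range(1024))
    return before, attack, benign


if __name__ == "__main__":
    before, attack, benign = constructed_scenarios()
    print(assess(before, attack))   # verdict: ransomware-like
    print(assess(before, benign))   # verdict: benign
```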

This volume presents important testimony provided by various government agencies addressing
threats to computer systems and networks.
NIST Testimony on Computer Security Issues 2000

March 09, 2000

Witness

Karen H. Brown

Deputy Director, National Institute of Standards and Technology

Technology Administration

U.S. Department of Commerce

Venue

Committee on Government Reform

Subcommittee on Government Management, Information, and Technology

Mr. Chairman and members of the subcommittee, thank you for the invitation to speak to you
today about computer security issues. I am Karen Brown, Deputy Director of the National
Institute of Standards and Technology of the Department of Commerce's Technology
Administration.

Computer security continues to be an ongoing and challenging problem that demands the
attention of the Congress, the Executive Branch, industry, academia, and the public. Computer
security is not a narrow, technical concern. The explosive growth in Electronic Commerce
highlights the nation's ever increasing dependence upon the secure and reliable operation of our
computer systems. Computer security, therefore, has a vital influence on our economic health
and our nation's security and we commend the Committee for your focus on security.

Today I would like to address NIST's computer security activities that contribute to improving
computer security for the Federal Government and the private sector. I also would like to briefly
describe for you our proposed new program activities for next year as requested in the President's
budget.
Under NIST's statutory federal responsibilities, we develop standards and guidelines for agencies
to help protect their sensitive unclassified information systems. Additionally, we work with the
information technology (IT) industry and IT users in the private sector on computer security in
support of our broad mission to strengthen the U.S. economy, and especially to improve the
competitiveness of the U.S. information technology industry. As awareness of the need for
security grows, more secure products will be more competitive in the marketplace. Addressing
security will also help ensure that Electronic Commerce growth is not limited because of security
concerns.

In meeting the needs of our customers in both the public and private sector, we work closely with
industry, Federal agencies, testing organizations, standards groups, academia, and private sector
users. Cooperation and collaboration are essential to tackle many common problems facing
users throughout the country.

What does NIST do specifically? To meet these responsibilities and customer needs, we first
work to improve the awareness of the need for computer security. This helps increase demand
for secure and reliable products. Additionally, we research new technologies and their security
implications and vulnerabilities and develop guidance to advise users accordingly. We work to
develop security standards and specifications to help users specify security needs in their
procurements and establish minimum security requirements for Federal systems. We develop
and manage security testing programs, in cooperation with private sector testing laboratories, to
enable users to have confidence that a product meets a security specification. We also produce
security guidance to promote security planning, and secure system operations and administration.
I will briefly discuss the need and benefits of each.

First, there is a need for timely, relevant, and easily accessible information to raise awareness
about the risks, vulnerabilities and requirements for protection of information systems. This is
particularly true for new and rapidly emerging technologies, which are being delivered with such
alacrity by our industry. We host and sponsor information sharing among security educators, the
Federal Computer Security Program Managers' Forum, and industry. We seek advice from our
advisory board of computer experts (Computer System Security and Privacy Advisory Board).
We meet regularly with members of the Federal computer security community, including the
Chief Information Officers' Security Committee, and the Critical Infrastructure Assurance
Office. We actively support information sharing through our conferences, workshops, web
pages, publications, and bulletins. Raising awareness helps ensure appropriate attention is
accorded security and helps increase the demand for secure products and security services.

A second need is for research on information technology vulnerabilities and the development of
techniques for cost-effective security. When we identify new technologies that could
potentially influence our customers' security practices, we research the technologies and their
potential vulnerabilities. We also work to find ways to apply new technologies in a secure
manner. The solutions that we develop are made available to both public and private users.
Some examples are methods for authorization management and policy management, ways to
detect intrusions to systems, and demonstrations of mobile agents. Research helps us find more
cost-effective ways to implement and address security requirements.

Third is the need for standards, and for ways to test that standards are properly implemented in
products. For example, cryptographic algorithms and techniques are essential for protecting
sensitive data and electronic transactions. NIST has long been active in developing Federal
cryptographic standards and working in cooperation with private sector voluntary standards
organizations in this area. Moreover, in the standards area we have been working with the
private sector in preparing for the future. We are leading a public process to develop the
Advanced Encryption Standard (AES), which will serve 21st century security needs. Another
aspect of our standards activities concerns Public Key and Key Management Infrastructures.
The use of cryptographic services across networks requires the use of "certificates" that bind
cryptographic keys and other security information to specific users or entities in the network.
We have been actively involved in working with industry and the Federal government to
promote the security and interoperability of such infrastructures.

Standards help users to know what security specifications may be appropriate for their needs.
Testing complements this by helping users have confidence that security standards and
specifications are correctly implemented in the products they buy. Testing also helps reduce the
potential that products contain vulnerabilities that could be used to attack systems.

For over five years, we have led the Cryptographic Module Validation Program, which has now
validated about 90 modules with another 50 expected this year. This successful program utilizes
private sector accredited laboratories to conduct security conformance testing of cryptographic
modules against a Federal standard we develop and maintain. More recently, we have been
working with the international security community to define security criteria in an international
standard that can be used to develop security specifications for products, such as firewalls or
operating systems. We are actively working with industry partners in the smart card, health care,
and telecommunications fields to accomplish such development of specifications.

Many of these activities are being done in cooperation with the Defense Department's National
Security Agency in our National Information Assurance Partnership. Private sector laboratories
are being accredited under our National Voluntary Laboratory Accreditation program to conduct
such testing. The effort involves developing testing competencies and a process for accrediting
testing organizations. The goal is to enable product developers to get their products tested easily
and voluntarily, and for users to have access to information about tested products. Under this
program we have also led the development of an international mutual recognition arrangement
whereby the results of testing in the U.S. are recognized by our international partners, thus
reducing the costs to industry.

Advice and technical assistance for both government organizations and private sector users is the
fourth need. For example, we have issued guidance including telecommuting and security,
security concerns inherent in PBX technology, security requirements in Public Key Infrastructure
(PKI) implementation, use of firewalls, and intrusion detection in networks. We also provide
program guidance to agencies and are working to complete a document on security program
metrics and self-assessment. The information and guidelines that we have developed are
available to all users free-of-charge via our web site. We also support agencies on specific
security projects on a cost-reimbursable basis when NIST expertise is required.

While I have given you a few examples of NIST's work, I obviously have not covered
everything. I want to emphasize that there is still much more to be done to address the continuing
challenges of computer security. To put our program in perspective, please keep in mind that
approximately $6 million of direct Congressional funding supports both our Federal and industry
computer security responsibilities. (In addition, we receive approximately $2 million in outside
agency funding to provide technical assistance on particular projects.) This is plainly not
enough.

As reflected in the requests made in the President's FY 2001 budget, NIST needs additional
resources to help improve the security posture of the Federal government. Looking at the critical
information infrastructures of the nation, we also need substantial investments in security
research to find ways to protect our infrastructures.
To address the need for additional research to protect our critical infrastructures, the White
House has proposed establishing a $50 million Institute for Information Infrastructure Protection
(IIIP), which was initially recommended by the President's Committee of Advisors on Science &
Technology (PCAST). The IIIP will identify and fill the gaps not being met by private sector
market demands or Government agency mission objectives in critical infrastructure protection
and provide a strong and secure foundation to protect the various critical infrastructures upon
which the Nation's security and economy rely. IIIP's R&D, which will aim to help prevent
security problems, will include work that can be applied to protect multiple sectors'
infrastructures, and thus will complement sector-specific R&D underway elsewhere in the
government and private sector. This initiative will help strengthen the focused existing and
planned security architectures within the critical infrastructure sectors and help prepare the
owners/operators of those infrastructures to survive potential hostile activities. The IIIP will not
have any direct role in support of law enforcement or deterring attacks, but will fund R&D to
develop new generations of IT security solutions that DoJ/FBI, other agencies, and the private
sector can use to prevent and respond to future cyber-threats. The
IIIP will be a partnership among industry, academia and the government (including both state
and local governments). At the core of the partnership is IIIP's selection of information
infrastructure protection R&D focus areas, which will rely heavily on advice and guidance
obtained from outside experts.

The security of Federal systems must also be improved. These systems contain sensitive
information about our citizens and provide services upon which our citizens' safety and well-
being depend. The government should exert leadership and set an example for the nation in
protecting against risks and vulnerabilities. Two of the budget proposals focus primarily upon
the security of Federal systems. Specifically, we propose to establish an Expert Review Team
(comprised of eight FTE's) to advise agencies of their vulnerabilities, help prioritize and develop
strategies for security fixes, assist agencies in preparing for future security threats, and help
agencies plan for security in new system developments. This preventative approach will
complement the reporting activities of programs such as FedCIRC. Secondly, we seek a five
million dollar increase to enable additional critical activities in the area of cryptography, security
management and best practices guidance, and the protection of supervisory control systems.

So let me close by again emphasizing that our national commitment to improve security must be
increased. NIST stands ready to play a key role through supporting the proposed Institute,
leading the Expert Review Team, and conducting additional work to develop needed security
guidelines and standards, research in security technology, leading testing programs, and raising
awareness and demand for security products and services. This will augment the already
important activities we have underway. We look forward to continuing this work, and believe
that your support of the critical new activities would help us to do so.

I will be pleased to answer any questions.

Source: https://www.nist.gov/speech-testimony/computer-security-issues
FBI Testimony on the National Infrastructure Protection Center 2002

Ronald L. Dick

Director, National Infrastructure Protection Center, FBI

Federal Bureau of Investigation

Before the House Committee on Governmental Reform, Government Efficiency, Financial
Management and Intergovernmental Relations Subcommittee

Washington, DC

June 24, 2002

Mr. Chairman and members of the Subcommittee, thank you for inviting me here today to testify
on the topic, "Cyber Terrorism and Critical Infrastructure Protection." Holding this hearing
demonstrates your individual commitment to improving the security of our Nation's critical
infrastructures and this Committee's leadership on this issue in Congress. Our work here is
vitally important because the stakes involved are enormous. We have seen how a terrorist attack
can have immediate simultaneous impact on several interdependent infrastructures. The terrorist
attacks in New York directly and seriously affected banking and finance, telecommunications,
emergency services, air and rail transportation, energy and water supply. My testimony today
will address the improvement of infrastructure protection through two-way information sharing
and the challenges we face in the future.

Since our last testimony before this Subcommittee on September 26, 2001, the National
Infrastructure Protection Center has seen increases in personnel, funding, and interagency
participation, allowing us to make great progress in accomplishing our mission. As set forth in
Presidential Decision Directive 63 (PDD-63), the mission of the NIPC is to provide "a national
focal point for gathering information on threats to the infrastructures" and to provide "the
principal means of facilitating and coordinating the Federal Government's response to an
incident, mitigating attacks, investigating threats and monitoring reconstitution efforts." The
Directive defines critical infrastructures to include "those physical and cyber-based systems
essential to the minimum operations of the economy and government," to include, without
limitation, "telecommunications, energy, banking and finance, transportation, water systems and
emergency services, both governmental and private." Our combined mission supports
information and physical security, law enforcement, national security, and the military.
To accomplish this mission, we have had to build a coalition of trust amongst all government
agencies, between the government and the private sector, amongst the different business interests
within the private sector itself, and in concert with the greater international community. We have
begun to earn that trust, and two-way information sharing has increased considerably since our
last testimony here.

OUTREACH EFFORTS

To better share information, the NIPC has spearheaded an aggressive outreach effort.

NIPC officials have met with business, government, and community leaders across the United
States and around the world to build the trust required for information sharing. Protection of
business information and privacy interests are both stressed in NIPC internal deliberations and
with business, government and community leaders. Most have been receptive to information
sharing and value the information received from the NIPC. Others have expressed reservations
due to a lack of understanding or perhaps confidence in the strength of the disclosure exceptions
found in the Freedom of Information Act, concerns about whether the Justice Department would
pursue prosecutions at the expense of private sector business interests, and simple reluctance to
disclose proprietary information to any entity beyond their own control or beyond the direct
control of the NIPC.

CRITICAL NEED FOR OUTREACH

The annual Computer Security Institute/FBI Computer Crime and Security Survey, released in
April, indicated that 90% of the respondents detected computer security breaches in the last 12
months. Only 34% reported the intrusions to law enforcement. On the positive side, that 34% is
more than double the 16% who reported intrusions in 1996. The two primary reasons for not
making a report were negative publicity and the recognition that competitors would use the
information against them. Many respondents were not aware that they could report intrusions to
law enforcement. We have moved aggressively to address these concerns and go out of our way
to reassure businesses that their voluntarily provided information will remain secure, and that we
are always sensitive to protecting the interests of victims who report crime.
InfraGard: The Most Extensive Network of Federal and Private Sector Partners in the World for Protecting the Infrastructure

The InfraGard program is a nationwide initiative that grew out of a pilot program started at the
Cleveland FBI field office in 1996. Today, all 56 FBI field offices have active InfraGard
chapters. Nationally, InfraGard has over 5000 members. It is the most extensive government-
private sector partnership for infrastructure protection in the world, and is a service the FBI
provides to InfraGard members free of charge. It particularly benefits small businesses which
have nowhere else to turn for assistance. InfraGard expands direct contacts with the private
sector infrastructure owners and operators and shares information about cyber intrusions and
vulnerabilities through the formation of local InfraGard chapters within the jurisdiction of each
of the 56 FBI Field Offices. The InfraGard program received the 2001 World Safe Internet
Safety Award from the Safe America Foundation for its efforts.

InfraGard is an information sharing and analysis effort serving the interests and combining the
knowledge base of a wide range of members. At its most basic level, InfraGard is a cooperative
undertaking between the U.S. Government (led by the FBI and the NIPC) and an association of
businesses, academic institutions, state and local law enforcement agencies, and other
participants dedicated to increasing the security of United States critical infrastructures.
InfraGard provides a mechanism for the public and private sectors to exchange information
pertaining to cyber intrusion matters, computer network vulnerabilities and physical threats on
infrastructures. All InfraGard participants are committed to the proposition that the exchange of
information about threats on these critical infrastructures is an important element for successful
infrastructure protection efforts. The goal of InfraGard is to enable information flow so that the
owners and operators of infrastructure assets can better protect themselves and so that the United
States government can better discharge its law enforcement and national security responsibilities.

Private sector members and an FBI field representative form local area chapters. These chapters
set up their own boards to govern and share information within the membership. The chapter
members include representatives from the FBI, State and local law enforcement agencies, other
government entities, private industry and academia. The National Infrastructure Protection
Center and the Federal Bureau of Investigation play the part of facilitator by gathering
information and distributing it to members, educating the public and members on infrastructure
protection, and disseminating information through the InfraGard network.
InfraGard is responsible for providing four basic services to its members: secure and public web
sites, an alert and incident reporting network, local chapter activities, and a help desk. Under this
program the FBI provides a secure electronic communications capability to all InfraGard
members so that the NIPC can provide threat information to private industry owners and
operators, and encourage private industry coordination with law enforcement, and each other, on
cyber and related physical incidents. This will be accomplished by expanding the established
separate website and electronic mail system. The program anticipates approximately 4,000 new
members expected in calendar year 2002. A number of the larger field divisions have initiated
additional chapters in larger cities located in their respective geographic area of responsibility.
The warnings that are provided to our InfraGard members improve the relationship between
private industry and the local FBI offices due to the increased level of trust that is often
established. It should be noted that the InfraGard program is not responsible for producing
NIPC's alerts and warnings. These alerts and warnings are produced and disseminated by NIPC's
Analysis and Warning Section.

Information Sharing and Analysis Centers (ISACs)

The NIPC has recently initiated the establishment of an Information Sharing and Analysis Center
(ISAC) Support and Development Unit, whose mission is to enhance private sector cooperation
and trust, resulting in two-way sharing of information and increased security for the nation's
critical infrastructures. The ISAC Development and Support Unit has assigned personnel to each
ISAC to serve as NIPC's liaison to that sector. When an ISAC receives information from a
member, they forward the information to their NIPC liaison, who then works with NIPC's
Analysis and Information Sharing Unit and Watch and Warning Unit to coordinate an
appropriate response. The NIPC now has information sharing agreements with nine ISACs,
including those representing energy, telecommunications, information technology, banking and
finance, emergency law enforcement, emergency fire services, water supply, food, and chemical
sectors. Several more agreements are in the final stages, including one to be signed on July 25th
with the National Association of State Chief Information Officers. Just as important, the NIPC is
receiving reports from member companies of the ISACs. The NIPC has proven to these
companies that it can properly safeguard their information and can provide them with useful
information. It is because of such reporting that NIPC's products are improving.

Three examples bear discussion. The North American Electric Reliability Council (NERC)
serves as the electric power ISAC. The NIPC has developed a program with the NERC for an
Indications and Warning System for physical and cyber attacks. Under the program, electric
utility companies and other power entities transmit incident reports to the NIPC. These reports
are analyzed and assessed to determine whether an NIPC alert, advisory, or assessment is
warranted to the electric utility community. Electric power participants in the program have
stated that the information and analysis provided by the NIPC back to the power companies
make this program especially worthwhile. NERC has recently decided to expand this initiative
nationwide. This initiative will serve as a good example of government and industry working
together to share information and the Electrical Power Indications and Warning System will
provide a model for the other critical infrastructures. Additionally, some information available to
the NIPC may be classified or law enforcement sensitive and, thus, unavailable to many in the
industry. A group of NERC officials have been granted security clearances in order to access
classified material on a need-to-know basis. Once the NIPC has determined that a warning
should be issued, cleared electric power experts will be available as needed to assist the NIPC in
sanitizing and finalizing warning notices so as to provide members of the industry with
unclassified, nonproprietary, timely and actionable information to the maximum extent possible.

One of our most recent agreements was with the ISAC for Emergency Services - Fire, the US
Fire Administration, an organization which has been a model for the mutual benefits of two-way
information sharing. Since that agreement, we have shared intelligence on diver threats to
waterfront facilities, suspicious attempts to purchase an ambulance in New York, and the theft of
a truck with 10 tons of cyanide in Mexico. In turn, they have told us of suspicious foreign
nationals visiting fire stations to gather information and of foreign nationals calling fire and EMS
departments and visiting their web sites to gather information on capabilities, watch schedules
and manning levels. Such two-way information sharing provides significant safety and
infrastructure protection benefits to the public we serve.

The telecommunications ISAC provides a good example of positive, two-way information
sharing. In his July 9, 2002 testimony before the House Committee on Energy and Commerce,
Subcommittee on Oversight and Investigations, Bill Smith, Chief Technology Officer, BellSouth
Corporation, stated: "With respect to FOIA (Freedom of Information Act), many companies are
hesitant to voluntarily share sensitive information with the government because of the possible
release of this information to the public." He further noted that BellSouth does share information
with the Telecommunications ISAC, but it is "done on a limited basis, within trusted circles, and
strictly within a fashion that will eliminate any liability or harm from FOIA requests for
BellSouth information." He adds that BellSouth has benefited from advance warnings of worms
and viruses. The telecommunications ISAC provided BellSouth with their first notification of the
NIMDA worm, resulting in the successful defense of their networks. BellSouth, in turn, was the
first to notify the ISAC of problems associated with the simple network management protocol.
Although this is an example of two-way information sharing, it is also an example of reluctant
sharing resulting from legal, economic and trust barriers. Smith goes on to list BellSouth's
concerns about information sharing, including: "liability under the Freedom of Information Act,
third-party liability (e.g., sharing suspected problems about a piece of equipment before
thoroughly tested and verified), the lack of a defined antitrust exemption for appropriate
information sharing concerning infrastructure vulnerabilities, possible disclosure of information
under state sunshine laws, disclosure of sensitive corporate information to competitors,
declassification of threat/intelligence information to a level that can be acted upon by company
personnel, and the natural inclination of law enforcement, DoD, and intelligence agencies to
dissuade the sharing of information related to criminal investigations."

The NIPC routinely shares information with the public and private sectors to help them better
protect themselves. That does not mean that information is broadcast across the news media in
every instance. While public statements are the best alternative in some cases, in other cases the
NIPC has approached victim companies as to a specific investigation, and Information Sharing
and Analysis Centers (ISACs) or government agencies privately to help evaluate uncorroborated
information in order then to provide public comment. In many cases, a tiered approach is taken
so that information with the appropriate level of detail is pushed to the right audiences. If the
NIPC finds that despite issuing an advisory, a widespread problem persists or grows, then we
will raise the volume, and a more public advisory will be issued to reach a wider audience.

NIPC INFORMATION SHARING PRODUCTS

The NIPC has a variety of information products to inform the private sector and other domestic
and foreign government agencies of the threat, including: assessments, advisories and alerts; a
Daily Report; biweekly CyberNotes; monthly Highlights; and topical electronic reports. These
products are designed for tiered distribution to both government and private sector entities
consistent with applicable law and the need to protect intelligence sources and methods, and law
enforcement investigations. For example, Highlights is a monthly publication for sharing
analysis and information on critical infrastructure issues. It provides analytical insights into
major trends and events affecting the nation's critical infrastructures. It is usually published in an
unclassified format and reaches national security and civilian government agency officials as
well as infrastructure owners. CyberNotes is another NIPC publication designed to provide
security and information system professionals with timely information on cyber vulnerabilities,
hacker exploit scripts, hacker trends, virus information, and other critical infrastructure-related
best practices. It is published twice a month on the NIPC website (www.nipc.gov) and
disseminated via e-mail to government and private sector recipients. Although the NIPC can and
does issue limited distribution products that are classified or law enforcement sensitive (for
example, because they reflect non-public sources and methods), it attempts to issue most reports
at the unclassified level and to the widest audience possible.

WATCH AND WARNING

The NIPC Watch maintains a round-the-clock presence in the FBI's Strategic Information and
Operations Center (SIOC). The Watch serves as the main portal into and out of the NIPC. Our
recent advisory regarding the Klez.h worm was issued after the Watch received a voluntary
report from a major telecommunications company. Following an analysis and consultations with
our security partners, the NIPC issued Alert 02-2002: "W32/Klez.h@mm Worm and Variants."
Through the Watch, the Center produces and disseminates three levels of infrastructure warnings
which are developed and distributed consistent with the FBI's National Threat Warning System.
Collectively, these warning products will be based on material that is significant, credible,
timely, and that addresses cyber and/or infrastructure dimensions with possibly significant impact.
If a particular warning is based on classified or proprietary material that includes dissemination
restrictions and contains information deemed valuable and essential for critical infrastructure
protection, the NIPC will then seek, as required by law, to develop a sensitive "tear-line" version
for distribution, including to critical sector coordinators, ISACs, InfraGard members, and law
enforcement agencies. The three specific categories of NIPC warning products are as follows:

(1) "Assessments" address broad, general incident or issue awareness information and analysis
that is both significant and current but does not necessarily suggest immediate action.

(2) "Advisories" address significant threat or incident information that suggests a change in
readiness posture, protective options and/or response.

(3) "Alerts" address major threat or incident information addressing imminent or in-progress
attacks targeting specific national networks or critical infrastructures.

The main "audiences" that NIPC products can reach include: DOD, Federal civil agencies, the
Intelligence Community, the Law Enforcement Community (including the state and local levels),
FBI field offices and international Legal Attache offices, computer incident response centers,
domestic and foreign cyber watch centers, private sector Information Sharing and Analysis
Centers (ISACs), InfraGard members, and the general public.

Since its inception, the NIPC has issued over 120 warning products. A number of warning
products have preceded incidents or prevented them entirely by alerting the user community to a
new vulnerability or hacker exploit before acts are committed or exploits are used on a
widespread basis. The Center has had particular success in alerting the user community to the
presence of Denial of Service tools on the network and has in some cases provided a means to
discover the presence of tools on a network.

The NIPC is integrated into national level warning systems both through structures established
by the National Security Council and by other agencies. Of particular note is the fact that the
NIPC has been fully engaged in the planning and implementation of the interagency Cyber
Warning Information Network (CWIN), a network through which the watch centers from
FedCIRC, NSA, JTF-CNO, National Communications System (NCS) and NIPC exchange
information daily.

INTRA-GOVERNMENT INFORMATION SHARING

PDD-63 mandates that government agencies will share information with the NIPC. The NIPC
has established effective information sharing relationships across the US Government. These
arrangements are not always codified in formal interagency agreements or Memoranda of
Understanding, but the important point is that they are working.

The NIPC has formed an Interagency Coordination Cell (IACC) at the Center which holds
monthly meetings regarding ongoing investigations. To date, the IACC's growing membership
has risen to approximately 35 government agencies that meet on a monthly basis, and as needed,
to address specific threats and vulnerabilities. The IACC includes representation from NASA, US
Postal Service, Air Force Office of Special Investigations (AFOSI), US Secret Service, US
Customs, Departments of Energy, State and Education, and the Central Intelligence Agency, to
name a few.

The IACC's accomplishments to date include the formation of several joint investigative task
forces with member agencies participating, and over 30 separate instances of joint investigations
of member agencies being initiated as a direct result of IACC meetings, information sharing and
participation. In one case, an IACC member agency provided timely sensitive source information
to the appropriate authorities which prevented the planned intrusion and compromise of another
government agency's computer system and the preservation of critical log data used for the
ensuing investigation.

The IACC's members are currently working on the establishment and development of a database
which would serve as a source of computer intrusion information compiled from member agency
investigations to facilitate other investigations. It is also working on the establishment and
administration of a dedicated virtual private secure network for member agencies to
communicate vital infrastructure protection and computer intrusion information for immediate
emergency response situations, in addition to dissemination of routine but sensitive information.

The Department of Defense has the second largest (after FBI) interagency contingent in the
NIPC. The Deputy Director of the NIPC is a two-star Navy Rear Admiral; the Executive
Director is detailed from the Air Force Office of Special Investigations; the head of the NIPC
Watch is a Naval Reserve officer; and the head of the Analysis and Information Sharing Unit is a
National Security Agency detailee. There are also liaison representatives from the National
Imagery and Mapping Agency and the Joint Programs Office. A contingent of DOD reservists
serves in the Center to provide additional critical infrastructure expertise and emergency surge
capabilities. NIPC works particularly closely with the DOD through liaison with the Joint Task
Force-Computer Network Operations (JTF-CNO). NIPC members stay in close contact with
their JTF-CNO counterparts, providing mutual assistance on intrusion cases into DOD systems,
as well as on other matters. NIPC alerts, advisories, and assessments are routinely coordinated
with the JTF-CNO prior to release to solicit JTF input. On several occasions, the NIPC and JTF-
CNO have coordinated and issued joint cyber warnings on the same matter. There is also
significant interaction with the military services, the Joint Staff, the Office of the Secretary, and
other major DOD agencies.

Interagency managerial participation is by no means limited to DOD. For example, the Section
Chief for Analysis and Warning is detailed from the Central Intelligence Agency, and the
Assistant Section Chief for Computer Investigations and Operations is detailed from the US
Secret Service.

The NIPC also has an excellent cooperative relationship with the Federal Computer Incident
Response Center (FedCIRC). The NIPC's Director and principal legal advisor sit on FedCIRC's
Senior Advisory Council, and a FedCIRC representative participates in NIPC's Senior
Interagency Partners Group. FedCIRC is operated by the General Services Administration as the
central coordinating point on security vulnerabilities and lower level security incident data. In
addition, the NIPC sends draft alerts, advisories, and assessments on a regular basis to FedCIRC
for input and commentary prior to their release. NIPC and FedCIRC information exchange
assists both centers with their analytic products. The NIPC and FedCIRC are currently discussing
ways to improve the flow of information between the two organizations and encourage federal
agency reporting of incident information. On several occasions, the two organizations have
coordinated and issued joint cyber warnings.

More recently, in October of 2001, President Bush issued Executive Order 13231, which
establishes the President's Critical Infrastructure Protection Board to "recommend policies and
coordinate programs for protecting information systems for critical infrastructure, including
emergency preparedness communications, and the physical assets that support such systems."
EO 13231 expressed the current Administration's continued support of the NIPC's mission under
PDD 63 and distinguishes the interagency entity from any particular Department by separately
designating the Director of the NIPC to serve as a member of the newly created President's
Board. The President also designated the Director of the NIPC to serve on the Board's
Coordination Committee, and recognized the NIPC's significant roles in, among other things,
outreach to the private sector and state and local governments, as well as in the area of
information sharing.

Since 1998, the NIPC has been developing the FBI's Key Asset Initiative, to identify those
entities that are vital to our national security, including our economic well-being. The
information is maintained to support the broader effort to protect the critical infrastructures
against both physical and cyber threats. This initiative benefits national security planning efforts
by providing a better understanding of the location, importance, contact information and crisis
management for critical infrastructure assets across the country. We have worked with the DOD
and the Critical Infrastructure Assurance Office (CIAO) in this regard.

FEDERAL, STATE AND LOCAL INFORMATION SHARING

Emergency Law Enforcement Services Sector

The NIPC has been designated by the Department of Justice/FBI to fulfill their responsibilities as
the Sector Lead Agency with regard to Emergency Law Enforcement Services (ELES). The
NIPC's efforts in this regard have served as a model for all other Sector Lead Agencies. More
than 18,000 federal, state and local agencies comprise the ELES Sector. The NIPC serves as
program manager for this function at the request of the FBI. Last year the NIPC completed the
Emergency Law Enforcement Services Sector Plan; this was the first completed sector report
under PDD-63 and was delivered to the White House in March 2001. Working with law
enforcement agencies across the United States, the NIPC conducted a sector survey and used the
results of this survey to draft a sector report. Responses from more than 1500 of these agencies to
a sector-commissioned information systems vulnerability survey revealed that these
organizations have become increasingly reliant on information and communications systems to
perform their critical missions. The NIPC has also sponsored the formation of the Emergency
Law Enforcement Services Sector forum, which meets quarterly to discuss issues relevant to
sector security planning.

State Infrastructure Protection Center (SIPC) efforts

The NIPC, with its extensive experience in the areas of multi-agency and multi-disciplinary
support to infrastructure protection efforts, is actively engaged in supporting similar models
being created at the state and local level. The States of Texas and Florida are leaders in this area,
and the NIPC, together with significant Department of Defense involvement, is actively
facilitating their efforts. Over time, the NIPC expects to meet the challenge of serving as the US
hub for infrastructure protection efforts not only in terms of full Federal government support, but
also in terms of bringing together State and Local governments for a fully coordinated national
response.

FEDERAL GOVERNMENT AND THE PRIVATE SECTOR

CERT/CC (a federally funded research and development corporation)

The NIPC and the Computer Emergency Response Team/Coordination Center (CERT/CC) at
Carnegie Mellon University have formed a mutually beneficial contractual relationship. The
NIPC receives information from the CERT (including advance Special Communications about
impending CERT advisories, which CERT seeks NIPC input on, and weekly intrusion activity
information) that it incorporates into strategic and tactical analyses and utilizes as part of its
warning function. The NIPC's Watch and Analysis units are routinely in telephonic contact with
CERT/CC and the anti-virus community for purposes of sharing vulnerability and threat
information on a real-time basis. CERT/CC input is often sought when an NIPC warning is in
production. The NIPC also provides information to the CERT that it obtains through
investigations and other sources, using CERT as one method for distributing information to
security professionals in industry and to the public. The Watch also provides the NIPC Daily
Report to the CERT/CC via Internet e-mail. On more than one occasion, the NIPC provided
CERT with the first information regarding a new threat, and the two organizations have often
collaborated in disseminating information about incidents and threats.

INTERAGENCY COORDINATION: FEDERAL GOVERNMENT AND INTERNATIONAL PARTNERS

The ability of the United States to assure homeland security clearly relies on the full participation
and support of its international partners. It is with this in mind that the NIPC has promoted a
wide array of international initiatives.

On the information infrastructure side of the equation, a typical cyber investigation can involve
victim sites in multiple states and often many countries, and can require tracing an evidentiary
trail that crosses numerous state and international boundaries. Even intrusions into US systems
by a perpetrator operating within the US often require international investigative activity because
the attack is routed through Internet Service Providers and computer networks located outside
the United States. When evidence is located within the United States, the NIPC coordinates law
enforcement efforts which might include: subpoenaing records by FBI agents, conduct of
electronic surveillance, execution of search warrants, seizing and examining of evidence. We
cannot do those things ourselves to solve a US criminal case overseas. Instead, we must depend on
the local authorities to assist us. This means that effective international cooperation is essential to
our ability to investigate cyber crime. The FBI's Legal Attaches (LEGATs) provide the means to
accomplish our law enforcement coordination abroad, and are often the first officials contacted
by foreign law enforcement should an incident occur overseas that requires U.S. assistance.
NIPC personnel are in almost daily contact with LEGATs around the world to assist in
coordinating requests for information.

International investigations pose special problems. First, while the situation has improved
markedly in recent years, many countries lack substantive laws that specifically criminalize
computer crimes. This means that those countries often lack the authority not only to investigate
or prosecute computer crimes that occur within their borders, but also to assist us when evidence
might be located in those countries. Moreover, the quickly evolving technological aspects of
these investigations can exceed the capabilities of local police forces in some countries. Finally,
even when countries have the requisite laws and have developed the technical expertise
necessary to conduct cyber investigations, successful investigation in this arena requires a more
expeditious response than has traditionally been the case in international matters, because
electronic evidence is fleeting and, if not secured quickly, can be lost forever.

The NIPC is working with its international partners on several fronts. The first area consists of
outreach activities designed to raise awareness about the cyber threat, encourage countries to
address the threat through substantive legislation, and provide advice on how to organize to deal
with the threat most effectively. The Center often hosts foreign delegations to discuss topics
ranging from current cases to the establishment of NIPC-like entities in other nations. Since the
NIPC was founded, Australia, Japan, Israel, the United Kingdom, Canada, Germany, South
Korea and Sweden have all formed interagency entities like the NIPC. The Center has
established watch connectivity with similar centers in Australia, Canada, the United Kingdom,
Sweden, and New Zealand; additionally, Canada and the United Kingdom have each detailed
a person full-time to the NIPC, and Australia detailed a person for 6 months in 2001. Currently,
the Center is working jointly with the Department of State to develop and implement an
international strategy for information sharing in the critical infrastructure protection arena.
Finally, over the past year, the NIPC has briefed visitors from the United Kingdom, Australia,
Canada, Germany, France, Georgia, Norway, New Zealand, Singapore, Bulgaria, Estonia,
Latvia, Japan, Denmark, Sweden, South Korea, Israel, Italy, India, and other nations regarding
critical infrastructure protection issues. These nations have all looked to the NIPC in order to
create Critical Infrastructure Protection Centers of their own and to promote liaison on a bilateral
basis between themselves and the United States, as well as with one another.

DEPARTMENT OF HOMELAND SECURITY

Homeland Security legislation currently being considered calls for certain NIPC functions
relating to watch and warning, and private sector outreach to be transferred consistent with the
new department's overall mission. The operational remainder of NIPC, including the field
investigative functions, will remain at the FBI, under the new Cyber Division.

CONCLUSION

At the NIPC we continue to seek partnerships which promote two-way information sharing. As
Director Mueller stated in a speech on July 16th, "Prevention of terrorist attacks is by far and
away our most urgent priority." We can only prevent attacks on our critical infrastructures by
building an intelligence base, analyzing that information, and providing timely, actionable threat-
related products to our public and private sector partners. We welcome the efforts of your
Committee in improving information sharing, and I look forward to addressing any questions
you might have.

Source: https://archives.fbi.gov/archives/news/testimony/cyber-terrorism-and-critical-infrastructure-protection

FBI Testimony on Cyber Terrorism 2005

Steven M. Martinez

Deputy Assistant Director, Cyber Division

Federal Bureau of Investigation

Subcommittee on Crime, Terrorism, and Homeland Security Committee on the Judiciary U.S.
House of Representatives

Washington, DC

April 21, 2005

Good morning Mr. Chairman, Ranking Member Scott, and members of the subcommittee.

My name is Steven Martinez, and I am the Deputy Assistant Director of the FBI's Cyber
Division. The primary mission of the Cyber Division is to supervise the Bureau's investigation of
federal violations in which computer systems, including the Internet, are exploited by terrorists,
foreign government intelligence operatives, and criminals. In short, our mission is to protect the
American public against a host of significant and potentially deadly high-tech crimes.

The uses of technology in our society are innumerable and their value immeasurable. The state of
technology has been advancing rapidly over the past twenty years, much of it to the benefit of
people living in all corners of the world. Unfortunately, the picture is not always so bright.
Technology has also been used to harm people, while offering a particularly effective escape
route. In this digital age, crimes can and do occur within seconds without the perpetrator ever
getting anywhere physically close to the victim. In such a setting, law enforcement must be
equipped with the investigative tools necessary to meet, locate, and incapacitate this growing
threat. Law enforcement must be prepared to face sophisticated enemies and criminals who are
known to exploit technology because of its ability to keep them far away from the scene of the
crime, spread apart even from one another, and who have the ability to delete any digital
evidence of their actions at the push of a button.

With this background in mind, I want to thank you for the opportunity to appear before you
today to discuss certain sections of the USA PATRIOT Act which are scheduled to expire at the
end of this year, specifically sections 209, 217, and 220.

When Attorney General Gonzales testified before the House Judiciary Committee on April 6,
2005, he shared his firm view that each of the provisions of the USA PATRIOT Act that are
scheduled to sunset at the end of this year must be made permanent. Director Mueller provided
the FBI's perspective in a hearing before the Senate Judiciary Committee on April 5, 2005, and
he too spoke of the crucial need to renew these provisions. Based on my knowledge of the
interests, capabilities, and motives of those who, day in and day out, are attempting to do us
harm by means of the Internet, I want to express my full agreement about the importance of the
PATRIOT Act and the provisions I plan to address today. I believe that the Act's substantial
merit can be demonstrated by what we already have experienced as a nation; still, it is equally
true that the Act is essential so that we are prepared to confront the ever-evolving threat that no
doubt will come.

SECTION 209--SEIZURE OF VOICE MAIL WITH A SEARCH WARRANT

Going in numerical order, allow me to start with section 209. Section 209 permits law
enforcement officers to seize voice mail with a search warrant rather than a surveillance, or Title
III, order. Section 209 provides a very good example of how the USA PATRIOT Act simply
updated the law to reflect recent technological developments. The drafters of the Act determined
that obtaining voicemail stored on a third party's answering system is more similar to obtaining
voicemail stored on a home answering machine (which requires a search warrant) than it is to
monitoring somebody's telephone calls (which requires a TIII order). In passing this portion of
the Act, Congress made the statutory framework technology-neutral. Privacy rights are still well
accounted for, since section 209 allows investigators to apply for and receive a court-ordered
search warrant to obtain voicemail pursuant to all of the pre-existing standards for the
availability of search warrants, including a showing of probable cause. With privacy rights left
firmly intact, there is a distinct advantage to the public's safety when law enforcement can obtain
evidence in a manner that is quicker than the Title III process.

The importance of this provision is best understood in the context of how often terrorists and
other criminals rely on technology to relay their plans to each other instead of risking face-to-
face in-person meetings. Attorney General Gonzales gave a good sense of the diversity of those
who would rely on the simple convenience of leaving voicemail in furtherance of their illegal
activities when he pointed out that section 209 has already been relied upon to acquire messages
left for domestic terrorists, foreign terrorists, and international drug smugglers.

Allowing section 209 to expire would once again lead to different treatment for voicemail
messages stored on a third party's system than for the same message stored on a person's home
answering machine. Doing so would needlessly hamper law enforcement efforts to investigate
crimes.

SECTION 217--THE HACKER TRESPASSER EXCEPTION

I would like to move next to section 217, the hacker trespasser exception. Like section 209
before it, section 217 also makes the law technology-neutral. Section 217 places cyber-
trespassers--those who are breaking into computers--on the same footing as physical intruders.
Section 217 allows the victims of computer-hacking crimes voluntarily to request law
enforcement assistance in monitoring trespassers on their computers. Just as burglary victims
have long been able to invite officers into their homes to catch the thieves, hacking victims can
now allow law enforcement officers into their computers to catch cyber-intruders. Think for a
moment how odd it would be if a homeowner yelled out to a police officer "Hey, there's a
burglar in my house right now, help!", only to have the police respond, "Sorry, I have to apply
for a court order first, try not to scare him off." The homeowner would be dumbfounded, and the
burglar would be long gone by the time the police returned. This, in essence, is what was occurring
prior to the PATRIOT Act.

It can be said that section 217, in a very significant way, enhances privacy. First, it is carefully
crafted to ensure that law enforcement conducts monitoring against trespassers in a manner
entirely consistent with protecting the privacy rights of law abiding citizens. Second, the essence
of the section--to help catch hackers--serves a vital function in the FBI's ability to enforce data
privacy laws.

With respect to the first point, the narrowly crafted scope of this legislation, section 217
preserves the privacy of law-abiding computer users by sharply limiting the circumstances under
which the trespasser exception may be used. At its most fundamental level, section 217 requires
consent. Law enforcement assistance is by invitation only. The computer crime victim is actually
seeking the FBI's help. In addition, a law enforcement officer may not conduct monitoring based
solely on the computer owner or operator's consent unless the law enforcement officer is engaged
in a lawful investigation; has reason to believe that capturing the communications will be
relevant to that investigation; and can ensure that the consensual monitoring will acquire only
those communications that are transmitted to or from the hacker. On top of these requirements,
section 217 then goes one step further. Based on the definition of a "computer trespasser,"
section 217 does not allow law enforcement to come to the immediate aid of victims who are
being hacked by one or more of their own customers. In those cases the owner or operator of the
computer system cannot provide sufficient consent to monitor the trespasser, even if the
hacker/customer broke into areas of the computer he has no authority to see (including other
customer account information).

Still, despite this last limitation, the hacker trespasser exception has been an important tool for
law enforcement to obtain evidence based on the consent of the victim, much of which involves
protecting people's privacy.

A diverse array of real-world examples from our criminal investigations demonstrates that this
provision has been significant in order for the FBI to protect the privacy rights of individuals and
businesses whose computers are being broken into for the purpose of stealing the personal data
stored on their computers. Hackers have no respect for your privacy or mine. When hackers
break into a computer network and obtain root access they get to look at, download, and even
can make changes to, whatever information is on that network. Hackers can and do routinely
steal social security numbers, credit card numbers, and driver's license numbers. Depending on
the systems they break into, they can look at health care information and can change it at will.
There has been an outpouring of concern from the American public to protect them from identity
theft and to ensure that their personal records are secure. Congress has responded with a
powerful array of laws that are designed to impose serious consequences on computer hackers.
However, if law enforcement does not have the ability to quickly spot and then locate hackers,
then the victim toll will mount and only the hackers themselves, remaining anonymous, will be
left with privacy. The FBI understands the importance of preventing criminals from stealing and
selling our information, and we are resolved to catch those who do. Section 217 is of enormous
help in this regard.

For example, under this provision, the FBI was able to monitor the communications of an
international group of "carders" (individuals that use and trade stolen credit card information).
The group used chat rooms and fraudulent websites to commit identity theft, but managed to
provide themselves with privacy by using false names to get e-mail accounts. The most
important tool in their bid to remain anonymous was their use of a proxy server they broke into
and then reconfigured. The identity thieves used the proxy server to disguise where all of their
Internet communications were coming from. The owner of the proxy server was himself a victim
of the crime, his computer having essentially been hijacked and transformed into the hub of a
criminal operation. When he determined that his computer had been hacked he provided the FBI
with consent to monitor the intruder and hopefully to catch him. The computer owner's ability to
bring in the FBI paid off, not just for him but for the countless other victims of the identity thief.
By taking advantage of hacker trespasser monitoring, the FBI gathered leads that resulted in the
discovery of the true identity of the subject. The subject was later indicted and is now awaiting
trial.

Since its enactment, section 217 has played a key role in a variety of hacking cases, including
investigations into hackers' attempts to compromise military computer systems. Allowing section
217 to expire at the end of this year would help computer hackers avoid justice and prevent law
enforcement from responding quickly to victims who are themselves asking for help.

SECTION 220--SEARCH WARRANTS FOR ELECTRONIC EVIDENCE LOCATED IN ANOTHER DISTRICT

Lastly, I would like to turn to section 220 of the USA PATRIOT Act. Section 220 enables
federal courts--with jurisdiction over an investigation--to issue a search warrant to compel the
production of information (such as unopened e-mail) that is stored with a service provider
located outside their district. The practical effect of this section is that our FBI Agents are no
longer limited to applying for a search warrant solely from the court that sits where the service
provider happens to be located.

Before discussing this section in depth, I think it is helpful to point out that the borderless nature
of Internet crime means that more often than not the victim of a crime, the person who
committed the crime, and the evidence of that crime are all located in different parts of the
country (or indeed the world). Applying this fact in the context of a search warrant will
demonstrate the utility and the necessity of section 220.

Prior to the PATRIOT Act, if an investigator wanted to obtain the contents of unopened e-mail
from a service provider located in the United States, he or she needed to obtain a warrant from a
court physically located in the same federal district as the service provider was located. To
accomplish this, the FBI Agent working on the case (this Agent typically would be located where
the victim is located) needed to brief another FBI Agent and prosecutor who were located in the
ISP's jurisdiction (where the evidence happened to be electronically stored). The second FBI
Agent and prosecutor then would appear before their local court to obtain the search warrant.
This was a time- and labor-consuming process. Furthermore, because several of the largest email
providers are located in a few districts, such as the Northern District of California and the
Eastern District of Virginia, these FBI Agents, Prosecutors, and Judges were faced with a
substantial workload dealing with cases in which neither the victim nor the criminal resided, and
they had to be brought up to speed about the details of an investigation which, both beforehand
and afterwards, they had no need to know.

Section 220 fixed this problem. It makes clear, for example, that a judge with jurisdiction over a
kidnaping investigation in Pittsburgh can issue a search warrant for e-mail messages that are
stored on a server in California. As a result, the investigators in Pennsylvania can ask the judge
most familiar with the investigation to issue the warrant rather than having to ask an Assistant
United States Attorney in California, who is unfamiliar with the case, to ask a district judge in
California, who also is unfamiliar with the case, to issue the warrant. Lest you think this is
merely a hypothetical example, it's not. Using section 220, our FBI office in Pittsburgh was able
to obtain a warrant for information residing on a computer in California that ultimately led to the
rescue of a teenage girl who was being sexually tortured in Virginia while being chained to a
wall in somebody's basement. The man who held her hostage is now in prison, serving close to
20 years. The girl's life was saved.

Other FBI Field Offices also have repeatedly stated that section 220 has been very beneficial to
quickly obtain information required in their investigations. The value of this provision in
terrorism cases already has been demonstrated time and again. In his April 6 testimony, Attorney
General Gonzales pointed to its important application during investigations into the Portland
Terror Cell, the "Virginia Jihad", and the Richard Reid "shoebomber" case.

It is imperative that section 220 be renewed. The provision expedites the investigative process
and, in doing so, makes it more likely that evidence will still be available to law enforcement
after it executes a court-authorized search warrant and obtains further leads; the provision frees
up FBI, U.S. Attorney, and judicial personnel to more efficiently pursue other time-sensitive
investigative matters; and, section 220 in no way lowers the protections that apply to the
government's application for a search warrant.

CONCLUSION

Mr. Chairman and Members of the Committee, the provisions of the USA Patriot Act I have
discussed today have proven significant to a number of our successes and I have every reason to
believe that the need to retain these provisions in the future is also significant. By responsibly
using the statutes provided by Congress, the FBI has made substantial progress in its ability to
enforce the law and protect lives, while at the same time protecting civil liberties. In renewing
those provisions scheduled to "sunset" at the end of this year, Congress will ensure that the FBI
will continue to have the tools it needs to combat the very real threats to America and our fellow
citizens. Thank you for your time today.

Source: https://archives.fbi.gov/archives/news/testimony/computer-provisions-of-the-usa-patriot-act

FBI Testimony on Cybersecurity Issues 2011

Gordon M. Snow

Assistant Director, Cyber Division

Federal Bureau of Investigation

Statement Before the Senate Judiciary Committee, Subcommittee on Crime and Terrorism

Washington, D.C.

April 12, 2011

Good afternoon Chairman Whitehouse, Ranking Member Kyl, and members of the
subcommittee. I’m pleased to appear before you today to discuss the cyber threats facing our
nation and how the FBI and our partners are working together to protect United States
government and private sector networks.

Countering efforts by foreign countries to steal our nation’s secrets, evaluating the capabilities of
terrorists in a digital age, and fighting cyber crime are the FBI’s highest priorities. It is difficult
to overstate the potential impact these threats pose to our economy, our national security, and the
critical infrastructure upon which our country relies.

The Cybersecurity Threat

As the subcommittee is aware, the number and sophistication of cyber attacks has increased
dramatically over the past five years and is expected to continue to grow.

The threat has reached the point that given enough time, motivation, and funding, a determined
adversary will likely be able to penetrate any system that is accessible directly from the Internet.

It is difficult to state with confidence that our critical infrastructure—the backbone of our
country’s economic prosperity, national security, and public health—will remain unscathed and
always be available when needed.

The recent security breach by unauthorized intruders into the parent company of NASDAQ is an
example of the kind of breaches directed against important financial infrastructure and illustrates
the difficulty of determining clear attribution. As we would in response to any such breach, the
FBI is working to identify the scope of the intrusion and assist the victim in the remediation
process.

The FBI has identified the most significant cyber threats to our nation as those with high intent
and high capability to inflict damage or death in the U.S., to illicitly acquire assets, or to illegally
obtain sensitive or classified U.S. military, intelligence, or economic information.

As both an intelligence and law enforcement agency, the FBI can address every facet of a cyber
case—from collecting intelligence on the subjects in order to learn more about their networks to
dismantling those networks and prosecuting the individual perpetrators. The ability to take action
on the information we collect is critical because what may begin as a criminal investigation may
become a national security threat.

In addition, the FBI’s presence in legal attachés in 61 cities around the world assists in the
critical exchange of case-related information and the situational awareness of current threats,
helping to combat the global scale and scope of cyber breaches. The FBI is also changing to
adapt to the ever-evolving technology and schemes used by cyber criminals. Intelligence now
drives operations in the FBI. The Bureau is working in new ways with long-standing and new
partners to address the cybersecurity threat.

Cyber Threats Against the Private Sector

Cyber criminal threats to the U.S. result in significant economic losses. But the threat against
financial institutions is only part of the problem. Also of serious concern are threats to critical
infrastructure, the theft of intellectual property, and supply chain issues.

Cyber Threats to U.S. Critical Infrastructure

U.S. critical infrastructure faces a growing cyber threat due to advancements in the availability
and sophistication of malicious software tools and the fact that new technologies raise new
security issues that cannot always be addressed prior to adoption. The increasing automation of
our critical infrastructures provides more cyber access points for adversaries to exploit.

New “smart grid” and “smart home” products, designed to provide remote communication and
control of devices in our homes, businesses, and critical infrastructures, must be developed and
implemented in ways that will also provide protection from unauthorized use. Otherwise, each
new device could become a doorway into our systems for adversaries to use for their own
purposes.

Industrial control systems, which operate the physical processes of the nation’s pipelines,
railroads, and other critical infrastructures, are at elevated risk of cyber exploitation.

The FBI is concerned about the proliferation of malicious techniques that could degrade, disrupt,
or destroy critical infrastructure. Although likely only advanced threat actors are currently
capable of employing these techniques, as we have seen with other malicious software tools,
these capabilities will eventually be within reach of all threat actors.

Intellectual Property Theft and Supply Chain Risks

Intellectual property rights violations, including theft of trade secrets, digital piracy, and
trafficking counterfeit goods, also represent high cyber criminal threats, resulting in losses of
billions of dollars in profits annually. These threats also pose significant risk to U.S. public
health and safety via counterfeit pharmaceuticals, electrical components, aircraft parts, and
automobile parts.

Cyber crime that manipulates the supply chain could pose a threat to national security interests
and U.S. consumers. Poorly manufactured computer chips or chips that have been salvaged and
repackaged infringe on intellectual property rights and could fail at critical times, posing a
serious health and safety threat to U.S. citizens. Malware could be embedded on the chips to
exfiltrate information from computers and result in the theft of personally identifiable
information (PII) that could then be used in future cyber crimes. As the quality of counterfeit
goods increases, U.S. consumers may be challenged to tell the difference between authentic and
fraudulent goods.

Operation Cisco Raider is a joint initiative between the U.S. and Canada that targets the illegal
distribution of counterfeit network hardware manufactured by private entities in China. The use
of counterfeit network components can lead to exploitation of cyber infrastructure vulnerabilities
and even network failure. Since 2006, Operation Cisco Raider has seized over 3,500 network
components amounting to $3.5 million of Cisco retail products. Ten individuals have been
convicted as a result of the joint initiative.

The Booming Business of Botnets

Botnets are networks of compromised computers controlled remotely by an attacker. Criminals
use botnets to facilitate online schemes that steal funds or data, to anonymize online activities,
and to deny access by others to online resources. The botnets run by criminals could be used by
cyber terrorists or nation states to steal sensitive data, raise funds, limit attribution of cyber
attacks, or disrupt access to critical national infrastructure. Today’s botnets are often modular
and can add or change functionality using internal update mechanisms.

Today’s cyber criminals are business savvy. These criminals are building businesses based on
the development, management, and sale of botnets. These criminal groups have programmers
who write the malicious software, salespeople who sell the code or lease out botnet services, and,
in some instances, dedicated support personnel. These criminals are working to make botnets
easier to deploy and more difficult to detect.

Successful botnet development and operations use techniques similar to legitimate businesses,
including the involvement of personnel with various specialties, feature-based pricing structures,
modularization, and software copy protection. The development and sale of kit-based botnets has
made it easier for criminals with limited technical expertise to build and maintain effective
botnets. Botnet development and management is approached in a business-like fashion. Some
criminals rent or sell their botnets or operate them as a specialized portion of an ad hoc criminal
organization. At least one botnet kit author implemented a copy protection scheme, similar to
major commercial software releases, which attempts to limit unauthorized use of the botnet kit.
Botnets that specialize in data exfiltration are able to capture the contents of encrypted webpages
and modify them in real time. When properly configured, criminals can ask additional questions
at login or modify the data displayed on the screen to conceal ongoing criminal activity.
Criminals purchase the base kits for a few thousand dollars and can pay for additional features to
better target specific webservices.

The “Not for Profit” Cyber Criminal

Hacktivist groups such as Anonymous undertake protests and commit computer crimes as a
collective unit. Anonymous does not have a leader or a controlling party, but instead relies on the
collective power of individual participants. Its members utilize the Internet to communicate,
advertise, and coordinate their actions. Anonymous has initiated multiple criminal Distributed
Denial of Service attacks against the Recording Industry Association of America, the Motion
Picture Association of America, the Church of Scientology, and various businesses in support of
WikiLeaks.

Just last month, Anonymous hacked into the website of a U.S. security firm with U.S.
government contracts and stole approximately 72,000 e-mails from the company and posted
them online. This attack was in response to the claim that a researcher at the company had
identified key members of Anonymous.

Financial Estimates of Damages

Cyber criminals are forming private, trusted, and organized groups to conduct cyber crime. The
adoption of specialized skill sets and professionalized business practices by these criminals is
steadily increasing the complexity of cyber crime by providing actors of all technical abilities
with the necessary tools and resources to conduct cyber crime. Not only are criminals advancing
their abilities to attack a system remotely, but they are becoming adept at tricking victims into
compromising their own systems. Once a system is compromised, cyber criminals will use their
accesses to obtain PII, which includes online banking/brokerage account credentials and credit
card numbers of individuals and businesses that can be used for financial gain. As cyber crime
groups increasingly recruit experienced actors and pool resources and knowledge, they advance
their ability to be successful in crimes against more profitable targets and will learn the skills
necessary to evade the security industry and law enforcement.

The potential economic consequences are severe. The sting of a cyber crime is not felt equally
across the board. A small company may not be able to survive even one significant cyber attack.
On the other hand, companies may not even realize that they have been victimized by cyber
criminals until weeks, maybe even months later. Victim companies range in size and industry.

Often, businesses are unable to recoup their losses, and it may be impossible to estimate their
damage. Many companies prefer not to disclose that their systems have been compromised, so
they absorb the loss, making it impossible to accurately calculate damages.

As a result of the inability to define and calculate losses, the best that the government and private
sector can offer are estimates. Over the past five years, estimates of the costs of cyber crime to
the U.S. economy have ranged from millions to hundreds of billions. A 2010 study conducted by
the Ponemon Institute estimated that the median annual cost of cyber crime to an individual
victim organization ranges from $1 million to $52 million.

According to a 2011 publication released by Javelin Strategy and Research, the annual cost of
identity theft is $37 billion. This includes all forms of identity theft, not just cyber means. The
Internet Crime Complaint Center (IC3), which aggregates self-reported complaints of cyber
crime, reports that in 2010, identity theft schemes made up 9.8 percent of all cyber crime.

Addressing the Threat

Although our cyber adversaries’ capabilities are at an all-time high, combating this challenge is a
top priority of the FBI and the entire government. Thanks to Congress and the administration, we
are devoting significant resources to this threat. Our partnerships within industry, academia, and
across all of government have also led to a dramatic improvement in our ability to combat this
threat.

The FBI’s statutory authority, expertise, and ability to combine resources across multiple
programs make it uniquely situated to investigate, collect, and disseminate intelligence about and
counter cyber threats from criminals, nation-states, and terrorists.

The FBI is a substantial component of the Comprehensive National Cybersecurity Initiative
(CNCI), the interagency strategy to protect our digital infrastructure as a national security
priority. Through the CNCI, we and our partners collaborate to collect intelligence, gain
visibility on our adversaries, and facilitate dissemination of critical information to decision
makers.

The FBI has cyber squads in each of our 56 field offices, with more than 1,000 advanced cyber-
trained FBI agents, analysts, and forensic examiners. We have increased the capabilities of our
employees by selectively seeking candidates with technical skills and enhancing our cyber
training.

In addition, as part of the FBI’s overall transformation to an intelligence-driven organization, the
Cyber Division has implemented Threat Focus Cells, which bring together subject matter experts
from various agencies to collaborate and address specific identified cyber threats.

Partnerships

However, one agency cannot combat the threat alone. Through the FBI-led National Cyber
Investigative Joint Task Force, we coordinate our efforts with 20 law enforcement and
intelligence community (IC) entities, including the Central Intelligence Agency, Department of
Defense, Department of Homeland Security (DHS), and the National Security Agency. The FBI
also has embedded cyber staff in other IC agencies through joint duty and detailee assignments.

We have also enhanced our partnership with DHS, forming joint FBI-DHS teams to conduct
voluntary assessments for critical infrastructure owners and operators who are concerned about
the network security of their industrial control systems. DHS has provided more than 30 FBI
agents and intelligence analysts with specialized training in these systems.

In addition, because of the frequent foreign nexus to cyber threats, we work closely with our
international law enforcement and intelligence partners.

We currently have FBI agents embedded full-time in five foreign police agencies to assist with
cyber investigations: Estonia, the Netherlands, Romania, Ukraine, and Colombia. These cyber
personnel have identified cyber organized crime groups targeting U.S. interests and supported
other FBI investigations. We have trained foreign law enforcement officers from more than 40
nations in cyber investigative techniques over the past two years.

We have engaged our international allies, including Australia, New Zealand, Canada, and the
United Kingdom, in strategic discussions that have resulted in increased operational coordination
on intrusion activity and cyber threat investigations.

Government and Private Sector Information Sharing

The FBI has developed strong relationships with private industry and the public. InfraGard is a
premier example of the success of public-private partnerships. Under this initiative, state, local,
and tribal law enforcement, academia, other government agencies, communities, and private
industry work with us through our field offices to ward off attacks against critical infrastructure.
Over the past 15 years, we have seen this initiative grow from a single chapter in the Cleveland
Field Office to more than 86 chapters in 56 field offices with 42,000 members.

The exchange of knowledge, experience, and resources is invaluable and contributes
immeasurably to our homeland security. Notably, DHS has recognized the value of the program
and recently partnered with the InfraGard program to provide joint training and conferences
during this fiscal year.

With outside funding from DHS, the newly formed Joint Critical Infrastructure Partnership will
host five regional conferences this year along with representation at a number of smaller venues.
The focus of the program is to further expand the information flow to the private sector by not
only reaching out to the current InfraGard membership but also reaching beyond current
members to local critical infrastructure and key resource owners and operators. The goal is to
raise awareness of risks to the nation’s infrastructure and to better educate the public about
infrastructure security initiatives. This partnership is a platform which will enhance the risk
management capabilities of local communities by providing security information, education,
training, and other solutions to protect, prevent, and respond to terrorist attacks, natural disasters,
and other hazards, such as the crisis currently facing Japan. Ensuring that a country’s
infrastructure is protected and resilient is key to national security.

Experience has shown that establishing rapport with the members translates into a greater flow of
information within applicable legal boundaries, and this rapport can only be developed when FBI
personnel have the necessary time and resources to focus on the program. This conduit for
information results in the improved protection of the infrastructure of the U.S.

In addition to InfraGard, the FBI participates in other activities with the private sector, like the
Financial Services Information Sharing and Analysis Center (FS-ISAC). A good example of this
cooperation is the FBI’s identification of a bank fraud trend in which U.S. banks were unaware
that they were being defrauded by businesses in another country. As a result of FBI intelligence
analysis, a joint FBI/FS-ISAC document was drafted and sent to the FS-ISAC’s membership,
alerting them to these crimes and providing recommendations on how to protect themselves from
falling victim to the same scheme.

In the last few years, there has been a push to partner FBI intelligence analysts with private
sector experts. This is an opportunity for the intelligence analysts to learn more about the
industries they are supporting. They then can better identify the needs of those industries as well
as FBI information gaps. Additionally, they develop points-of-contact within those industries
who can evaluate and assist in timely analysis, and the analysts mature into subject matter
experts.

Other successful cyber partnerships include the IC3 and the National Cyber-Forensics and
Training Alliance (NCFTA). Established in 2000, the IC3 is a partnership between the FBI and
the National White Collar Crime Center that serves as a vehicle to receive, develop, and refer
criminal complaints regarding cyber crime. Since it began, the IC3 has processed more than two
million complaints. Complaints are referred to local, state, federal, and international law
enforcement and are also the basis for intelligence products and public service announcements.
The FBI’s IC3 unit works with the private sector, individually and through working groups,
professional organizations, and InfraGard, to cultivate relationships, inform industry of threats,
identify intelligence, and develop investigative information to enhance or initiate investigations
by law enforcement.

The NCFTA is a private, non-profit organization composed of representatives of industry and
academia which partners with the FBI. The NCFTA, in cooperation with the FBI, develops
responses to evolving threats to the nation’s critical infrastructure by participating in cyber-
forensic analysis, tactical response development, technology vulnerability analysis, and the
development of advanced training. The NCFTA work products can be provided to industry,
academia, law enforcement, and the public as appropriate.

The FBI also partners with the U.S. private sector on the Domestic Security Alliance Council
(DSAC). This strategic collaboration enhances communications and promotes effective
exchanges of information in order to prevent, detect, and investigate criminal acts, particularly
those affecting interstate commerce, while advancing the ability of the U.S. private sector to
protect its employees, assets, and proprietary information.

The DSAC is in a unique position to speak on behalf of the private sector because the DSAC
members are the highest ranking security executives of the member companies, who directly
report to the leaders of their organizations.

Successes

Our partnerships and joint initiatives are paying off, especially in the national security realm. In
2010, the FBI strengthened our efforts to counter state-sponsored cyber threats, increasing the
number of national security computer intrusion cases by 60 percent.

While we increased our emphasis on national security, we continued to see successes on the
criminal side. In 2010, we arrested a record 202 individuals for criminal intrusions, up from 159
in 2009. We obtained a record level of financial judgments for such cases of $115 million,
compared to $85 million in 2009. Those arrests included five of the world’s top cyber criminals.
Among them were the perpetrators of the Royal Bank of Scotland WorldPay intrusion. Due to
our strong partnership with the Estonian government on cyber matters, the case resulted in one of
the first hackers extradited from Estonia to the United States.

Conclusion

As the subcommittee knows, we face significant challenges in our efforts to combat cyber crime.
In the current technological environment, there are numerous threats to private sector networks,
and the current Internet environment can make it extremely difficult to determine attribution.

We are optimistic that by strengthening relationships with our domestic and international
counterparts, the FBI will continue to succeed in identifying and neutralizing cyber criminals,
thereby protecting U.S. businesses and critical infrastructure from grave harm.

To bolster our efforts, we will continue to share information with government agencies and
private industry consistent with applicable laws and policies. We will continue to engage in
strategy discussions with other government agencies and the private sector to ensure that
American ingenuity will lead to new solutions and better security. We will continue to build a
skilled workforce to operate in this challenging environment.

We look forward to working with the subcommittee and Congress as a whole to determine a
successful course forward for the nation that allows us to reap the positive economic and social
benefits of the Internet while minimizing the risk posed by those who would use it for nefarious
purposes.

Source: https://archives.fbi.gov/archives/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism

DHS Testimony on Understanding Risks and Building Capabilities 2014

Written testimony of NPPD Deputy Under Secretary for Cybersecurity Dr. Phyllis Schneck for a
Senate Committee on Appropriations, Subcommittee on Homeland Security hearing titled
“Investing in Cybersecurity: Understanding Risks and Building Capabilities for the Future”

Release Date: May 7, 2014

192 Dirksen Senate Office Building

Introduction

Chairwoman Landrieu, Ranking Member Coats, and distinguished Members of the
Subcommittee, let me begin by thanking you for the strong support that you have provided the
Department of Homeland Security (DHS) and the National Protection and Programs Directorate
(NPPD). We look forward to continuing to work with you in the coming year to ensure a
homeland that is safe, secure, and resilient against terrorism and other hazards.

Thank you for the opportunity to appear before the Committee today to discuss NPPD’s efforts
to strengthen the Nation’s critical infrastructure security and resilience against cyber events and
other catastrophic incidents. The President’s Fiscal Year (FY) 2015 Budget Request for NPPD is
$2.9 billion, offset by $1.3 billion in collections for the Federal Protective Service. This request
includes $746 million for cybersecurity capabilities and investments.

America’s national security and economic prosperity are increasingly dependent upon physical
and digital critical infrastructure that is at risk from a variety of hazards, including attacks via the
Internet. I view integrating cyber and physical security as integral to the larger goal of
infrastructure security and resilience. DHS approaches physical security and cybersecurity
holistically, both to better understand how they integrate and how best to mitigate the
consequences of attacks that can cascade across all sectors of critical infrastructure. This risk
management approach helps drive the discussion at the executive level in organizations of all
sizes across government and industry, where it can have the most impact on resources and
implementation.

Leveraging Integrated Capabilities: Implementing PPD-21 and EO 13636

On February 12, 2013, the President signed Executive Order (EO) 13636, Improving Critical
Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21, Critical Infrastructure
Security and Resilience, which set out steps to strengthen the security and resilience of the
Nation’s critical infrastructure, and reflect the increasing importance of integrating cybersecurity
efforts with traditional critical infrastructure protection. Taken together, EO 13636 and PPD-21
are foundational efforts that help drive the security market and provide a framework for
critical infrastructure to increase their cybersecurity efforts. To implement both EO 13636 and
PPD-21, the Department established an Integrated Task Force to lead DHS implementation and
coordinate interagency, public and private sector efforts, and to ensure effective integration and
synchronization of implementation across the homeland security enterprise.

The FY 2015 budget request reflects targeted enhancements to continue implementation of the
EO and PPD. Enhancements of $14 million, including 48 positions, are requested for the Critical
Infrastructure Cyber Community (C3, or “C-Cubed”) Voluntary Program; Enhanced
Cybersecurity Services (ECS); the Regional Resiliency Assessment Program; and National
Coordinating Center (Communications) (NCC) 24x7 communications infrastructure response readiness. NPPD
has partially offset these enhancements with $9 million in reductions to realign resources to
support these key EO and PPD initiatives. The following EO and PPD initiatives in the FY 2015
Budget specifically enhance cyber capabilities:

C3 Voluntary Program

The C3 Voluntary Program is a public-private partnership aligning business enterprises as well
as Federal, State, local, tribal, and territorial (SLTT) governments to existing resources that will
assist their efforts to use the National Institute of Standards and Technology Cybersecurity
Framework to manage their cyber risks as part of an all-hazards approach to enterprise risk
management. The program emphasizes three elements: converging CI community resources and
driving innovation and markets to support cybersecurity risk management and resilience through
use of the Cybersecurity Framework; connecting CI stakeholders to the national resilience effort
through cybersecurity resilience advocacy, engagement and awareness; and coordinating CI
cross-sector efforts to maximize national cybersecurity resilience. The $6 million enhancement,
including 10 positions, is requested to manage and support this program and increase the number
of evaluations completed.

Enhanced Cybersecurity Services

The ECS capability enables owners and operators of critical infrastructure to enhance the
protection of their networks from unauthorized access, exfiltration, and exploitation by cyber
threat actors. The requested enhancement of 24 positions and $3 million allows ECS to execute
the operational processes and security oversight required to share sensitive and classified cyber
threat information with qualified Commercial Service Providers that will enable them to better
protect their customers who are critical infrastructure entities.

Regional Resiliency Assessment Program (RRAP)

The $5 million, including 11 positions, is requested to complete five additional cyber-centric
RRAPs. Through these RRAPs, NPPD will identify cross-sector physical and cyber
interdependencies and better understand the consequences of disruptions to lifeline sectors. We
often observe that physical consequences can have cyber origins and anticipate that the findings
will provide valuable data about the energy, water, and transportation sectors and their reliance
on cyber infrastructure.

National Coordinating Center for Communications Operations

The proposed increase of three positions and $1 million in funding to the NCC will maintain
24x7 communications infrastructure response readiness and requirements coordination between
FSLTT and industry responders. Due to the loss of staff previously provided to DHS from the
Department of Defense on a non-reimbursable basis, the NCC will no longer be able to provide
24x7 readiness without these additional resources.

Heartbleed

The Department recently responded to a serious vulnerability, known as “Heartbleed,” in the
widely-used OpenSSL encryption software that protects the electronic traffic on a large number
of websites and devices. Although new computer “bugs” and malware crop up almost daily, this
vulnerability is unusual in its pervasiveness across our infrastructure, its simplicity to exploit,
and the depth of information it compromises.

While the Federal government was not aware of the vulnerability until April 7th, DHS responded
in less than 24 hours, utilizing the National Cybersecurity and Communications Integration
Center (NCCIC) to release alert and mitigation information to the public, create compromise
detection signatures for the EINSTEIN system, and reach out to critical infrastructure sectors,
federal departments and agencies, SLTT governments, and international partners. Once in place,
DHS also began notifying agencies that EINSTEIN signatures had detected possible activity, and
immediately provided mitigation guidance and technical assistance. Additionally, DHS worked
with civilian agencies to scan their .gov websites and networks for Heartbleed vulnerabilities,
and provided technical assistance for issues of concern identified through this process.

Of note, the Administration's May 2011 Cybersecurity Legislative Proposal called for Congress
to provide DHS with clear statutory authority to carry out this operational mission, while
reinforcing the fundamental responsibilities of individual agencies to secure their networks, and
preserving the policy and budgetary coordination oversight of OMB and the EOP. Even with the
rapid and coordinated Federal government response to Heartbleed, the lack of clear and updated
laws reflecting the roles and responsibilities of civilian network security caused unnecessary
delays in the incident response.

Integrated Cybersecurity Operations

Along with our operational assistance, DHS has several programs that directly support federal
civilian departments and agencies in developing capabilities that will improve their own
cybersecurity posture. Through the Continuous Diagnostics and Mitigation (CDM) program, led
by the NPPD Federal Network Resilience Branch, DHS enables Federal agencies to more readily
identify network security issues, including unauthorized and unmanaged hardware and software;
known vulnerabilities; weak configuration settings; and potential insider attacks. Agencies can
then prioritize mitigation of these issues based upon potential consequences or likelihood of
exploitation by adversaries.

Available to all Federal civilian agencies, the CDM program provides diagnostic sensors, tools,
and dashboards that provide situational awareness to individual agencies and at a summary
federal level. This allows agencies to target their cybersecurity resources toward the most
significant problems, and enables comparison of relative cybersecurity posture between agencies
based upon common and standardized information. The CDM contract can also be accessed by
defense and intelligence agencies, as well as by State, local, tribal, and territorial (SLTT)
governments. 108 departments and agencies are currently covered by Memoranda of Agreement
with the CDM program, encompassing over 97 percent of all federal civilian personnel. In FY
2014, DHS issued the first delivery order for CDM sensors and awarded a contract for the CDM
dashboard. The $143 million and 15 staff requested in FY 2015 will support deployment of the
federal dashboard and capabilities to federal agencies.

In addition, the National Cybersecurity Protection System (NCPS), a key component of which is
referred to as EINSTEIN, is an integrated intrusion detection, analytics, information sharing, and
intrusion-prevention system utilizing hardware, software, and other components to support DHS
responsibilities for protecting Federal civilian agency networks. In FY 2015, the program will
expand intrusion prevention, information sharing, and cyber analytic capabilities at Federal
agencies, marking a critical shift from a passive to an active role in cyber defense and the
delivery of enterprise cybersecurity services to decision-makers across cybersecurity
communities.

In July 2013, EINSTEIN 3 Accelerated (E3A) became operational and provided services to the
first Federal Agency. As of February 2014, Domain Name System and/or email protection
services are being provided to a total of seven departments and agencies. Full Operational
Capability is planned for FY 2016. With the adoption of E3A, DHS will assume an active role in
defending .gov network traffic and significantly reduce the threat vectors available to malicious
actors seeking to harm Federal networks. In FY 2015, $378 million is requested for NCPS. We
will continue working with the Internet Service Providers to deploy intrusion prevention
capabilities, allowing DHS to provide active, in-line defense for all federal network traffic
protocols.

It is important to note that the Department has strong privacy, civil rights, and civil liberties
standards implemented across its cybersecurity programs. DHS integrates privacy protections
throughout its cybersecurity programs to ensure public trust and confidence. DHS is fully
responsible and transparent in the way it collects, maintains, and uses personally identifiable
information.

Operational Response

Increased connectivity has led to significant transformations and advances across our country
and around the world. It has also increased complexity and exposed us to new vulnerabilities that
can only be addressed by timely action and shared responsibility. Successful responses to
dynamic cyber intrusions require coordination among DHS, the Departments of Justice (DOJ),
State (DOS) and Defense (DOD), the Intelligence Community, the specialized expertise of
Sector Specific Agencies such as the Department of the Treasury, private sector partners – who
are critical to these efforts – and SLTT, as well as international partners, each of which has a
unique role to play.

DHS is home to the National Cybersecurity and Communications Integration Center (NCCIC), a
national nexus of cyber and communications integration. A 24x7 cyber situational awareness,
incident response, and management center, NCCIC partners with all Federal departments and
agencies, SLTT governments, the private sector, critical infrastructure owners and operators,
and international entities. The NCCIC disseminates cyber threat and vulnerability analysis
information and assists in initiating, coordinating, restoring, and reconstituting national
security/emergency preparedness (NS/EP) telecommunications services and operates under all
conditions, crises, or emergencies, including executing Emergency Support Function #2 -
Communications Annex responsibilities under the National Response Framework.

The NCCIC also provides strategic cyber-threat analysis, through its United States Computer
Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) in conjunction with the National Infrastructure Coordinating
Center (NICC), to reduce malicious actors exploiting vulnerabilities. Threat management
decisions must incorporate cyber threats based on technological as well as non-technological
factors, and consider the varying levels of security required by different activities. Since its
inception in 2009, the NCCIC has responded to nearly a half million incident reports and
released more than 37,000 actionable cybersecurity alerts to our public and private sector
partners. In FY 2013, NCCIC received 228,244 public and private sector cyber incident reports,
a 41 percent increase from 2012, and deployed 23 response teams to provide onsite forensic
analysis and mitigation techniques to its partners. NCCIC issued more than 14,000 actionable
cyberalerts in 2013, used by private sector and government agencies to protect their systems, and
had more than 7,000 partners subscribe to the NCCIC/US-CERT portal to engage in information
sharing and receive cyber threat warning information.

Further demonstrating NPPD’s commitment to greater unity of effort in strengthening and
maintaining secure and resilient critical infrastructure against both physical and cyber threats, the
NICC has moved its watch operations center to collocate with the NCCIC. The NICC is the
information and coordination hub of a national network dedicated to protecting critical
infrastructure essential to the nation's security, health and safety, and economic vitality. In
accordance with and supporting the physical-cyber integration directives of PPD-21, this new
integration will enhance effective information exchange, and improve the alacrity of protection
with real-time indicator sharing. Concurrently, the NCCIC will refine and clarify the NICC-
NCCIC relationship to advance national unity of effort within NPPD and the Federal
Government.

Data Security Breaches

On December 19, 2013, a major retailer publicly announced it had experienced unauthorized
access to payment card data from the retailer’s U.S. stores. The information involved in this
incident included customer names, credit and debit card numbers, and the cards’ expiration dates
and card verification-value security codes. Another retailer also reported a malware incident
involving its point of sale system on January 11, 2014, that resulted in the apparent compromise
of credit card and payment information. A direct connection between these two incidents has not
been established.

During both incidents, NPPD’s NCCIC utilized its unique cybersecurity, information sharing and
mitigation capabilities to help retailers across the country secure their systems to prevent similar
attacks while simultaneously providing timely analysis to the United States Secret Service
(USSS). DHS’s ability to provide a cross-component response during this incident underscores
the importance of leveraging complementary missions at the Department. Working closely
together, elements with cyber capabilities such as the USSS, US Coast Guard, Immigrations and
Customs Enforcement’s office of Homeland Security Investigations, Office of the Chief
Information Officer, and NPPD are able to increase focus on not just responding to incidents but
also reducing vulnerabilities, protecting against future attacks, and mitigating consequences.

In response to this incident, NCCIC/US-CERT analyzed the malware identified by the USSS as
well as other relevant technical data and used those findings, in part, to create two information
sharing products. The first product, which is publicly available and can be found on US-CERT’s
website, provides a non-technical overview of risks to point of sale systems, along with
recommendations for how businesses and individuals can better protect themselves and mitigate
their losses in the event an incident has already occurred. The second product provides more
detailed technical analysis and mitigation recommendations, and has been securely shared with
industry partners to enable their protection efforts. NCCIC’s goal is always to share information
as broadly as possible, including by producing actionable products tailored to specific audiences.

While the criminal investigation into these activities is ongoing, NPPD, through the NCCIC
and other organizations, continues to build shared situational awareness of similar threats among
our private sector and government partners and the American public at large. At every
opportunity, the NCCIC and our private sector outreach program publish technical and non-
technical products on best practices for protecting businesses and customers against cyber threats
and provide the information sharing and technical assistance necessary to address cyber threats
as quickly as possible. DHS remains committed to ensuring cyberspace is supported by a secure
and resilient infrastructure that enables open communication, innovation, and prosperity while
protecting privacy, confidentiality, and civil rights and civil liberties by design.

Understanding Cyber and Physical Critical Infrastructure Interdependencies

One of NPPD’s top priorities is providing our government and private sector partners with the
information, analysis, and tools they need to protect our Nation’s critical infrastructure in the
face of physical and cyber risks. Key to this effort is understanding the consequences of potential
disruptions to critical infrastructure, including interdependencies and cascading impacts, from all
hazards to better equip and prepare our partners and stakeholders. Understanding consequences
helps identify potential mitigation measures and prioritize the allocation of limited resources for
both government and private sector.

In February of 2014, NPPD established the Office of Cyber and Infrastructure Analysis to
implement elements of PPD-21, which calls for integrated analysis of critical infrastructure, and
EO 13636, identifying critical infrastructure where cyber incidents could have catastrophic
impacts to public health and safety, the economy, and national security. An Integrated Analysis
Cell was established to provide near real-time information to NPPD’s two operational centers:
the National Infrastructure Coordinating Center (NICC) and National Cybersecurity and
Communications Integration Center (NCCIC). Similarly the work that has been done to
implement Section 9 of EO 13636 through the Cyber-Dependent Infrastructure Identification
Working Group exemplifies how the skills that have been developed in NPPD over the years
focused on critical infrastructure can similarly be applied to analyzing cyber infrastructure.
$33 million is requested in FY 2015 to support these efforts.

Engaging with Federal, SLTT, and Private Sector Entities

NPPD is committed to engaging with Federal, SLTT, and private sector stakeholders. More than
1,100 participants were involved in the development of NIPP 2013, providing thousands of
comments reflecting our partners’ input and expertise. NPPD has become increasingly focused
on engaging stakeholders at the executive level, and working with the DOE, will implement a
sustained outreach strategy to energy sector Chief Executive Officers to elevate risk management
of evolving physical and cyber threats to the enterprise level. NPPD will also explore similar
efforts across the critical infrastructure community.

NPPD serves as a principal coordination point for stakeholder engagement for Cybersecurity
through the Cyber Security Evaluation Program (CSEP). CSEP provides voluntary
evaluations intended to enhance cybersecurity capacities and capabilities for owners and operators
across all 16 critical infrastructure sectors, as well as SLTT governments, through its Cyber Resilience
Review (CRR) process. The goal of the CRR is to develop an understanding and measurement of
key cybersecurity capabilities and provide meaningful maturity indicators to an organization’s
operational resilience and ability to manage risk to its critical services during normal operations
and times of operational stress and crisis.

Vision for the Future

DHS has a solid foundation upon which to build and enhance future cybersecurity capabilities to
ensure information resilience against an adversary that leverages the best of technology and
doesn’t lack for funding. DHS continues to strengthen trust and public confidence in the
Department through the foundations of partnership, transparency, and protections for privacy and
civil liberties, which are built into all that we do. Our Department is the lead civilian agency
responsible for coordinating the national protection, prevention, mitigation, and recovery from
cyber incidents across civilian government, state, local, tribal, territorial (SLTT) and private
sector entities of all sizes. DHS leverages our interagency and industry partnerships as well as
the breadth of our cyber capabilities extending from NPPD, Immigration and Customs
Enforcement’s Homeland Security Investigations, U.S. Coast Guard and U.S. Secret Service, to
make our NCCIC the source for dynamic data aggregation of global cyber indicators and
activity.

We are working to further enable the NCCIC to receive and disseminate information at “machine
speed.”[1] This enhanced capability will enable networks to be more self-healing, as they use
mathematics and analytics to mimic restorative processes that are currently done manually.
Ultimately, this will enable us and our partners to better recognize and block threats before they
reach their targets, thus deflating the goals for success of cyber adversaries and taking botnet
response from hours to seconds in certain cases. We are working with the DHS Science &
Technology Directorate in many areas to develop and support these capabilities for NCCIC. The
science of decision-making is about seeing enough behavior to differentiate the good from the
bad, and that comes from the collective information of industry and government. That is
voluntarily provided to us because of underlying trust. This effort is currently being built in our
Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator
Information (TAXII™) programs that we have begun offering as a free method for machine-to-
machine sharing of cyber threat indicators to others in the government and private sector.

We must increase data exchange and information flow with industry through stakeholder
engagement to optimize the information shared voluntarily. This must be done in a manner that
promotes privacy and civil liberties protections, focusing on the sharing of cyber threat
information that is non-attributable and anonymized to the greatest extent feasible.
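Machine-to-machine indicator sharing of the kind described above, as an added example that is not DHS or NCCIC code: a producer wraps constructed indicators in a STIX bundle (the STIX 2.1 JSON form is assumed, since the testimony names no version, and every name, address and log line is made up), strips attribution before sharing as the paragraph above calls for, and a consumer matches the shared indicators against constructed log lines. Transport over a TAXII collection is assumed rather than shown.

```python
"""Producer/consumer exchange of threat indicators in STIX 2.1 JSON.

Added example, not DHS/NCCIC code. Field names follow the OASIS STIX 2.1
object layout; the organization, indicator values and log lines are constructed.
"""
import copy
import json
import re
import uuid

SPEC = "2.1"
CREATED = "2014-05-07T00:00:00.000Z"  # constructed timestamp

# Constructed identity of the sharing organization (made-up name).
PRODUCER = {
    "type": "identity",
    "spec_version": SPEC,
    "id": f"identity--{uuid.uuid4()}",
    "created": CREATED,
    "modified": CREATED,
    "name": "Example Utility ISAC Member",
    "identity_class": "organization",
}

# Constructed indicators (name, STIX pattern); the values are not real IoCs.
RAW_INDICATORS = [
    ("C2 domain seen in phishing campaign", "[domain-name:value = 'update-check.example']"),
    ("Scanner source address", "[ipv4-addr:value = '203.0.113.42']"),
]

# Constructed proxy and firewall log lines to run the indicators against.
LOG_LINES = [
    "2014-05-07T12:00:01Z proxy client=10.1.2.3 dst=update-check.example path=/a.bin",
    "2014-05-07T12:00:02Z proxy client=10.1.2.4 dst=update-check.example.org path=/",
    "2014-05-07T12:00:03Z fw src=203.0.113.42 dst=10.1.2.5 dport=445 action=deny",
    "2014-05-07T12:00:04Z fw src=203.0.113.4 dst=10.1.2.5 dport=22 action=allow",
]

# Single-comparison subset of STIX patterning: [type:property = 'value']
_PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z_]+)\s*=\s*'([^']*)'\]$")


def parse_pattern(pattern):
    """Return (object type, property, value) for a supported pattern.
    Anything more complex (AND/OR, other operators) raises ValueError so the
    consumer never silently ignores an indicator it cannot evaluate."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    return m.group(1), m.group(2), m.group(3)


def build_bundle(indicators, producer):
    """Producer side: wrap (name, pattern) pairs in Indicator objects attributed
    to `producer` and return a Bundle ready for serialization."""
    objects = [producer]
    for name, pattern in indicators:
        parse_pattern(pattern)  # reject malformed patterns before they are shared
        objects.append({
            "type": "indicator",
            "spec_version": SPEC,
            "id": f"indicator--{uuid.uuid4()}",
            "created": CREATED,
            "modified": CREATED,
            "created_by_ref": producer["id"],
            "name": name,
            "pattern": pattern,
            "pattern_type": "stix",
            "valid_from": CREATED,
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def strip_attribution(bundle):
    """Make a bundle non-attributable before wider sharing: drop the producer's
    Identity object and every created_by_ref that points back at it."""
    shared = copy.deepcopy(bundle)
    shared["objects"] = [o for o in shared["objects"] if o["type"] != "identity"]
    for obj in shared["objects"]:
        obj.pop("created_by_ref", None)
    return shared


def match_indicators(bundle_json, log_lines):
    """Consumer side: load a shared bundle and report (indicator name, line index)
    for every log line containing an indicator value as a whole token, so that
    'x.example' does not match 'x.example.org' or 'notx.example'."""
    bundle = json.loads(bundle_json)
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        _, _, value = parse_pattern(obj["pattern"])
        token = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])")
        for i, line in enumerate(log_lines):
            if token.search(line):
                hits.append((obj["name"], i))
    return hits


def demo():
    """Run the full exchange: build, sanitize, serialize, consume."""
    shared = strip_attribution(build_bundle(RAW_INDICATORS, PRODUCER))
    wire = json.dumps(shared)  # what would travel over a TAXII collection
    return shared, match_indicators(wire, LOG_LINES)


if __name__ == "__main__":
    shared_bundle, found = demo()
    print(json.dumps(shared_bundle, indent=2))
    for name, idx in found:
        print(f"HIT indicator={name!r} line={LOG_LINES[idx]}")
```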

DHS’s extensive visibility into attacks on government networks must be fully leveraged to
protect all government networks as well as our critical infrastructure and local entities, in a way
that is consistent with our laws while preserving the privacy and individual rights of those we
protect. Legislation providing a single clear expression of DHS cybersecurity authority would
greatly enhance and speed up the Department's ability to engage with affected entities during a
major cyber incident and dramatically improve the cybersecurity posture of federal agencies and
critical infrastructure.

[1] Automatically sending and receiving cyber information as it is consumed and augmented based
on current threat conditions, creating a process of automated learning that emulates a human
immune system and gets smarter as it is exposed to new threats.

Conclusion

Infrastructure is the backbone of our nation’s economy, security and health. We know it as the
power we use in our homes, the water we drink, the transportation that moves us, and the
communication systems we rely on for business and everyday life. We have an extremely
dedicated and talented workforce engaged in activities that advance our mission to protect that
information and their innovation will continue to propel NPPD and DHS forward in FY 2015
and beyond. Each employee is dedicated to a safe, secure, and resilient infrastructure that enables
our way of life to thrive.

Chairwoman Landrieu, Ranking Member Coats, and distinguished Members of the
Subcommittee, thank you all for your leadership in cybersecurity and for the opportunity to
discuss the FY 2015 President’s Budget Request for NPPD’s cybersecurity efforts. I look
forward to any questions you may have.

Source: https://www.dhs.gov/news/2014/05/07/written-testimony-nppd-deputy-under-secretary-cybersecurity-senate-appropriations

Bolstering Government Cybersecurity Lessons Learned from WannaCry

June 15, 2017

Witness

Charles H. Romine, Ph.D.

Director, Information Technology Laboratory

National Institute of Standards and Technology

United States Department of Commerce

Venue

Committee on Science, Space, and Technology

Subcommittee on Oversight and Subcommittee on Research and Technology

United States House of Representatives

Introduction

Chairman LaHood, Chairwoman Comstock, Ranking Member Beyer and Ranking Member
Lipinski, and members of the Subcommittees, I am Dr. Charles Romine, the Director of the
Information Technology Laboratory (ITL) at the Department of Commerce’s National Institute
of Standards and Technology (NIST). Thank you for the opportunity to appear before you today
to discuss NIST’s key roles in cybersecurity. Specifically, today I will discuss NIST’s activities
that help strengthen the Nation’s cybersecurity capabilities.

The Role of NIST in Cybersecurity

With programs focused on national priorities from advanced manufacturing and the digital
economy to precision metrology, quantum science, biosciences and more, NIST’s overall
mission is to promote U.S. innovation and industrial competitiveness by advancing measurement
science, standards and technology in ways that enhance economic security and improve our
quality of life.

In the area of cybersecurity, NIST has worked with federal agencies, industry and academia
since 1972, starting with the development of the Data Encryption Standard, when the potential
commercial benefit of this technology became clear. NIST’s role, to research, develop and
deploy information security standards and technology to protect the federal government’s
information systems against threats to the confidentiality, integrity and availability of
information and services, was strengthened through the Computer Security Act of 1987 (Public
Law 100-235), broadened through the Federal Information Security Management Act of 2002
(FISMA; 44 U.S.C. § 3541)[1] and reaffirmed in the Federal Information Security Modernization
Act of 2014 (Public Law 113-283). In addition, the Cybersecurity Enhancement Act of 2014
(Public Law 113-274) authorizes NIST to facilitate and support the development of voluntary,
industry-led cybersecurity standards and best practices for critical infrastructure.

NIST standards and guidelines are developed in an open, transparent and collaborative manner
that enlists broad expertise from around the world. While developed for federal agency use, these
resources are often voluntarily adopted by other organizations, including small and medium-
sized businesses, educational institutions and state, local and tribal governments, because NIST’s
standards and guidelines are effective and accepted globally. NIST disseminates its resources
through a variety of means that encourage the broad sharing of information security standards,
guidelines and practices, including outreach to stakeholders, participation in government and
industry events, and online mechanisms.

Recent Malware Attack

Since May 12, a cyberattack impacted more than 230,000 computers in over 150 countries,
including the United Kingdom, Russia and India. Major health systems, telecommunications
providers and railway companies across Europe felt the impact of the attack.

The cause of the attack is reported to be a ransomware called WannaCry. This type of malicious
software blocks access to systems and data until a ransom is paid. In this case, the ransomware
targets computers running Microsoft Windows operating systems by exploiting a vulnerability
specific to this system.

WannaCry has spread across local networks and the internet automatically and has infected
systems that have not been secured with recent software updates or are using an older and
unsupported operating system. Most of the systems that were infected by the ransomware were
running these unsupported operating systems. On March 14, Microsoft had issued a patch to
remove the underlying vulnerability for its supported systems. Later, Microsoft also took the
unusual step of providing security updates for those unsupported systems as well.[2]

NIST provides resources to assist organizations in preventing, or at least quickly recovering from
ransomware attacks with trust that the recovered data is accurate, complete and free of malware
and that the recovered system is trustworthy and capable.

To address the issue of cybersecurity in general, and malware in particular, NIST has long
worked effectively with industry and federal agencies to help protect the confidentiality, integrity
and availability of information systems. Some of our most significant efforts are addressed
below.

Resources to Help Address Malware Incidents

NIST provides standards, best practices, tools, reference implementations and other resources to
help organizations protect assets and detect, respond to and recover from incidents to minimize
the impact of an incident to an organization’s mission. The WannaCry incident was new and
disruptive, and NIST intends to review the event and its aftermath to ensure that our resources
sufficiently address these types of events. Based on our initial review, we believe that many of
our past recommendations are applicable to these events, most notably recommendations that can
be found in the NIST Guide for Cybersecurity Event Recovery and the Framework for
Improving Critical Infrastructure Cybersecurity, among others.

Cybersecurity Event Recovery

Effective planning is a critical component of an organization’s preparedness for cyber event
recovery. As part of an organization’s ongoing information security program, recovery planning
enables participants to understand system dependencies; critical roles such as crisis management
and incident management; arrangements for alternate communication channels, services and
facilities; and many other elements of business continuity. NIST’s Guide for Cybersecurity
Event Recovery (NIST Special Publication 800-184) provides guidance to help organizations
plan and prepare recovery from a cyber event and integrate the processes and procedures into
their enterprise risk management plan.[3] The guide discusses hypothetical cyberattack scenarios,
including a scenario focused on ransomware, and the steps taken to recover from the attack. It
provides a detailed description of the preconditions required for effective recovery, the activities
of the recovery team in the tactical recovery phase, and, after the cyberattack has been
eradicated, the activities performed during the strategic recovery phase.

NIST’s Guide for Cybersecurity Event Recovery assists organizations in developing an
actionable set of steps, or a playbook, the organization can follow to successfully recover from a
cyber event. A playbook can focus on a unique type of cyber event and can be organization-
specific, tailored to fit the dependencies of its people, processes and technologies. If an active
cyber event is discovered, organizations that do not have in-house expertise to execute a
playbook can seek assistance from a trustworthy external party with experience in incident
response and recovery such as the Department of Homeland Security (DHS), an Information
Sharing and Analysis Organization (ISAO) or a reputable commercially managed security
services provider.

Cybersecurity Framework

Three years ago, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity
(the Framework) in accordance with Section 7 of Executive Order 13636, “Improving Critical
Infrastructure Cybersecurity.” The Framework, created through collaboration between industry
and government, consists of voluntary standards, guidelines and practices to promote the
protection of critical infrastructure. The voluntary, risk-based prioritized, flexible, repeatable and
cost-effective approach of the Framework helps owners and operators of critical infrastructure to
manage cybersecurity-related risk. Although the Framework was originally designed to help
protect critical infrastructure, numerous businesses of all sizes and from many economic sectors
use the Framework to manage their cybersecurity risks.

Since the release of the Framework, NIST has strengthened its collaborations with critical
infrastructure owners and operators, industry leaders, government partners and other
stakeholders to raise awareness about the Framework, encourage use by organizations across and
supporting the critical infrastructure, and develop implementation guides and resources.

The Framework is a valuable tool to help organizations understand and manage cybersecurity
risk. It focuses on identifying and protecting key systems and assets and on implementing
capabilities to detect the occurrence of a cybersecurity event. The Framework also reinforces the
importance of capabilities necessary to respond to, and recover from, cybersecurity attacks,
including ransomware.

In the case of WannaCry and similar ransomware, the Framework prompts decisions affecting
infection by the ransomware, propagation of the ransomware and recovery from it. For example,
the Framework encourages users to understand “data flows”4 and configure systems minimally
to reduce potential vulnerabilities.5 The Framework identifies network monitoring to “detect
potential cybersecurity events,”6 including the presence of “malicious code,”7 and to compare
them to “expected data flows”8 in the network to help organizations quickly detect and contain
the malicious code and to determine the effectiveness of eradication measures.

WannaCry propagated using a specific operating system vulnerability. The operating system
vendor had released a patch nearly two months prior to the first observed instance of WannaCry.
The Framework states, “maintenance and repair of organizational assets is performed and logged
in a timely manner.”9 Organizations that performed “maintenance and repair” of their operating
systems within a two-month window would not have been subject to the spread of WannaCry.
Using the Framework, each organization determines its own definition of “timely” to align with
its risk tolerance. WannaCry and similar circumstances inform our perspectives on what “timely”
means.

An organization’s ability to prevent WannaCry from spreading is hinged on identifying systems
that are vulnerable and potentially infected and the incident response plans and actions to stop
the spread. Recovery is hinged on adequate backups,10 high-priority system patching,11 and
improvements made to user education and system-patching timelines based on lessons learned.12

While the Framework allows an organization to determine its priorities based on its risk
tolerance, it also prompts a sequence of interrelated cybersecurity risk management decisions,
which should prevent virus infection and propagation and support expeditious response and
recovery activities.

On May 11, President Trump signed Executive Order 13800, "Strengthening the Cybersecurity
of Federal Networks and Critical Infrastructure" that mandated federal agencies to use the
Framework. Under the Executive Order, every federal agency or department will need to manage
their cybersecurity risk by using the Framework and provide a risk management report to the
Director of the Office of Management and Budget and to the Secretary of Homeland Security.13
On May 12, NIST released a draft interagency report (NISTIR 8170), The Cybersecurity
Framework: Implementation Guidance for Federal Agencies, which provides guidance on how
the Framework can be used in the U.S. federal government in conjunction with the current and
planned suite of NIST security and privacy risk-management standards, guidelines and practices
developed pursuant to the Federal Information Security Management Act, as amended (FISMA).

This report illustrates eight cases in which federal agencies can leverage the Framework to
address common cybersecurity-related responsibilities. By doing so, agencies can integrate the
Framework with key NIST cybersecurity risk-management standards and guidelines already in
wide use at various organizational levels.

The goal of these efforts is to allow federal agencies to build more robust and mature agency-
wide cybersecurity risk-management programs. NIST will engage with agencies to add content
based on their implementation of the Framework, refine current guidance, and identify additional
guidance to provide information that is most helpful to government agencies.

National Software Reference Library

Another NIST resource that can assist system administrators in protecting against similar future
attacks is the most recent release of the NIST National Software Reference Library (NSRL). The
NSRL provides a collection of software from various sources and unique file profiles (computed
from this software), which is most often used by law enforcement, government and industry
organizations to review files on a computer by matching file profiles in the system.

To assist system administrators following the WannaCry attack, the most recent NSRL release
includes all Microsoft patches for end-of-life operating system software such as Windows XP,
and the current Windows 10 operating system software, which is a patched version of Windows.
NIST is adding a standalone data set to the NSRL, which will include patched versions of
supported Windows software that are not Windows 10 such as Windows Server 2016.
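The file-profile matching described above, as an added example rather than NIST code: it builds a constructed reference set in the column layout of the legacy NSRL RDS text files (SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode), indexes it by SHA-1, and classifies files on disk as known or unknown by content rather than by name. The file contents and product codes are constructed, not real NSRL entries.

```python
"""Classify files on a host against an NSRL-style reference set of file profiles.

Added example, not NIST code.  The reference rows are constructed stand-ins for
the real NSRL Reference Data Set (RDS); only the column layout is taken from the
legacy RDS text files.
"""
import csv
import hashlib
import io
import os
import tempfile
import zlib

# Column layout of a legacy NSRL RDS hash file: one row per file profile.
RDS_FIELDS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
              "ProductCode", "OpSystemCode", "SpecialCode"]


def file_profile(data: bytes, name: str, product_code: str = "0",
                 os_code: str = "0") -> dict:
    """Compute the NSRL-style profile (hashes, name, size) of one file's contents."""
    return {
        "SHA-1": hashlib.sha1(data).hexdigest().upper(),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "FileName": name,
        "FileSize": str(len(data)),
        "ProductCode": product_code,
        "OpSystemCode": os_code,
        "SpecialCode": "",
    }


def write_rds(profiles) -> str:
    """Serialize profiles as RDS-style CSV text (quoted fields, header row)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=RDS_FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for profile in profiles:
        writer.writerow(profile)
    return buf.getvalue()


def load_rds(text: str) -> dict:
    """Index RDS CSV text by SHA-1, so lookups are by content and never by file name."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index.setdefault(row["SHA-1"], []).append(row)
    return index


def classify_file(path: str, index: dict) -> str:
    """'known' if the file's SHA-1 is in the reference set, otherwise 'unknown'."""
    with open(path, "rb") as f:
        data = f.read()
    return "known" if hashlib.sha1(data).hexdigest().upper() in index else "unknown"


def classify_tree(root: str, index: dict) -> dict:
    """Walk a directory and classify every regular file against the index."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            results[os.path.relpath(path, root)] = classify_file(path, index)
    return results


def run_demo() -> dict:
    """Build a constructed reference set, stage a directory, and classify it."""
    # Constructed stand-ins for vendor-released files (not real Windows binaries).
    reference = [
        file_profile(b"constructed notepad payload v1", "notepad.exe", "1001", "WIN"),
        file_profile(b"constructed kernel32 payload v1", "kernel32.dll", "1001", "WIN"),
    ]
    index = load_rds(write_rds(reference))
    with tempfile.TemporaryDirectory() as root:
        # Untouched vendor file: hash matches a reference profile -> known.
        with open(os.path.join(root, "notepad.exe"), "wb") as f:
            f.write(b"constructed notepad payload v1")
        # Same name as a reference entry but modified contents -> unknown,
        # which is why matching is done on hashes rather than names.
        with open(os.path.join(root, "kernel32.dll"), "wb") as f:
            f.write(b"constructed kernel32 payload v1 + tampered")
        # A file the reference set has never seen -> unknown, worth a closer look.
        with open(os.path.join(root, "dropper.tmp"), "wb") as f:
            f.write(b"constructed unrelated contents")
        return classify_tree(root, index)


if __name__ == "__main__":
    for rel_path, status in sorted(run_demo().items()):
        print(f"{status:8} {rel_path}")
```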

National Vulnerability Database

NIST maintains a repository of all known and publicly reported IT vulnerabilities such as the one
exploited by the WannaCry malware. The repository, called the National Vulnerability Database
(NVD),14 is an authoritative source of standardized information on security vulnerabilities that
NIST updates dozens of times daily. NIST analyzes and provides a common severity metric to
each identified security vulnerability.

The NVD is used by security vendors as well as tools and service providers around the world to
help them identify whether they have vulnerabilities. For example, the WannaCry malware
exploited a vulnerability that was well-documented in the NVD database. This vulnerability’s
impact score, which assesses the severity of a computer system’s security vulnerability, ranges
between 8.1 and 9.3 (with 10 being the most severe).

Organizations that use the NVD database to identify and address their computer systems’
vulnerabilities can better prepare against malware that exploits these vulnerabilities. The patch
issued by Microsoft on March 14 was meant to remove such vulnerabilities and allowed
computer systems to be protected from the WannaCry malware attack.

Data Integrity

NIST recently initiated a project at our National Cybersecurity Center of Excellence (NCCoE)
on data integrity, specifically focused on recovering from cyberattacks. This project will enable
organizations to answer questions like what data was corrupted, when was the data corrupted,
how was the data corrupted, and who corrupted the data? Organizations will be able to use the
results of NCCoE’s research to recover trusted backups, roll back data to a known good state,
alert administrators when there is a change to a critical system, and restore services quickly after
a WannaCry-like cyberattack.

Conclusion

NIST recognizes that it has an essential role to play in helping industry, consumers and the
government to counter cyber threats such as those from destructive malware like WannaCry, and
enhance the security of the Nation’s cyberinfrastructure and capabilities. The outputs from its
cybersecurity portfolio allow users to improve their cybersecurity posture, from small and
medium businesses to large private and public organizations, including the federal government
and companies involved with critical infrastructure.

From the NSRL software collection, which includes all Microsoft patches for end-of-life
operating system software, to the Cybersecurity Framework and the Guide for Cybersecurity
Event Recovery, which help organizations manage cybersecurity-related risks and prepare for
recovery, to the NVD database, which includes all known and publicly reported IT
vulnerabilities, NIST provides tools that help various organizations and the federal government
prepare for future ransomware attacks. By understanding IT vulnerabilities, protecting computer
systems against them, and being prepared to carry out plans that counter cyberattacks, we can all
significantly reduce harms that can result from such attacks.

NIST is extremely proud of its role in establishing and improving the comprehensive set of
cybersecurity technical solutions, standards and guidelines to address cyber threats in general,
and ransomware in particular. Thank you for the opportunity to testify today on NIST’s work in
cybersecurity and in preventing ransomware attacks. I would be happy to answer any questions
you may have.

1 FISMA was enacted as Title III of the E-Government Act of 2002 (Public Law 107-347; 116
Stat. 2899).

2 https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ (link is external)

3 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf

4 Identify, Asset Management, Subcategory 3 (ID.AM-3)

5 Protect, Protective Technology, Subcategory 3 (PR.PT-3)

6 Detect, Security Continuous Monitoring, Subcategory 1 (DE.CM-1)

7 Detect, Security Continuous Monitoring, Subcategory 4 (DE.CM-4)

8 Detect, Anomalies and Events, Subcategory 1 (DE.AE-1)

9 Protect, Maintenance, Subcategory 1 (PR.MA-1)

10 Protect, Information Protection Processes and Procedures (PR.IP)

11 Protect, Maintenance (PR.MA)

12 Recovery, Improvements (RC.IM)

13 https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal (link is external)

14 https://nvd.nist.gov/vuln/detail/CVE-2017-0145#vulnDescriptionTitle [Link to NVD
reference to the main vulnerability exploited by WannaCry]

Source: https://www.nist.gov/speech-testimony/bolstering-government-cybersecurity-lessons-learned-wannacry

Examining DHS’s Cybersecurity Mission 2017

Written testimony of NPPD Office Cybersecurity and Communications Assistant Secretary
Jeanette Manfra for a House Committee on Homeland Security, Subcommittee on Cybersecurity
and Infrastructure Protection hearing titled “Examining DHS’s Cybersecurity Mission”

Release Date:

October 3, 2017

210 House Capitol Visitor Center

Chairman Ratcliffe, Ranking Member Richmond, and members of the Committee, thank you for
the opportunity to be here today. In this month of October, we recognize National Cybersecurity
Awareness Month, a time to focus on how cybersecurity is a shared responsibility that affects all
Americans. The Department of Homeland Security (DHS) serves a critical role in safeguarding
and securing cyberspace, a core homeland security mission. The Administration recognizes the
Committee’s work to provide DHS with the authorities necessary to carry out this mission. The
National Protection and Programs Directorate (NPPD) at DHS leads the Nation’s efforts to
ensure the security and resilience of our cyber and physical infrastructure. Earlier this year, this
Committee voted favorably on H.R. 3359, the “Cybersecurity and Infrastructure Security Agency
Act of 2017.” If enacted, this bill would mature and streamline NPPD, and rename our
organization to clearly reflect our essential mission and our role in securing cyberspace. The
Department strongly supports this much-needed effort and encourages swift action by the full
House and the Senate.

NPPD is responsible for protecting civilian federal government networks and collaborating with
other Federal agencies, as well as State, local, tribal, and territorial governments, and the private
sector to defend against cyber threats. We endeavor to enhance cyber threat information-sharing
across the globe to stop cyber incidents before they start and help businesses and government
agencies to protect their cyber systems and quickly recover should such an attack occur. By
bringing together all levels of government, the private sector, international partners, and the
public, we are taking action to protect against cybersecurity risks, improve our whole-of-
government incident response capabilities, enhance information sharing on best practices and
cyber threats, and to strengthen resilience.

Threats
Cyber threats remain one of the most significant strategic risks for the United States, threatening
our national security, economic prosperity, and public health and safety. The past year has
marked a turning point in the cyber domain, at least in the public consciousness. We have long
been confronted with a myriad of attacks against our digital networks. But over the past year,
Americans saw advanced persistent threat actors, including hackers, cyber criminals, and nation
states, increase the frequency and sophistication of these attacks. Our adversaries have been
developing and using advanced cyber capabilities to undermine critical infrastructure, target our
livelihoods and innovation, steal our national security secrets, and threaten our democracy
through attempts to manipulate elections.

Global cyber incidents, such as the “WannaCry” ransomware incident in May of this year and
the “NotPetya” malware incident in June, are examples of malicious actors leveraging
cyberspace to create disruptive effects and cause economic loss. These incidents exploited
known vulnerabilities in software commonly used across the globe. Prior to these events, NPPD
had already taken actions to help protect networks from similar types of attacks. Through
requested vulnerability scanning, NPPD helped stakeholders identify vulnerabilities on their
networks so they could be patched before incidents and attacks occur. Recognizing that not all
users are able to install patches immediately, NPPD shared additional mitigation guidance to
assist network defenders. As the incidents unfolded, NPPD led the Federal government’s
incident response efforts, working with our interagency partners, including providing situational
awareness, information sharing, malware analysis, and technical assistance to affected entities.

Historically, cyber actors have strategically targeted critical infrastructure sectors including
energy, financial services, critical manufacturing, water and wastewater, and others with various
goals ranging from cyber espionage to developing the ability to disrupt critical services. In recent
years, DHS has identified and responded to malware such as “Black Energy” and “Havex,”
which were specifically created to target industrial-control systems, associated with critical
infrastructure such as power plants and critical manufacturing. More recently, the discovery of
“CrashOverride” malware, reportedly used against Ukrainian power infrastructure in 2016,
highlights the increasing cyber threat to our infrastructure.

In one recent campaign, advanced persistent threat actors targeted the cyber infrastructure of
entities within the energy, nuclear, critical manufacturing, and other critical infrastructure sectors
since at least May 2017. In response, NPPD led the asset response, providing on-site and remote
assistance to impacted entities, helping them evaluate the risk, and remediate the malicious actor
presence. In addition, NPPD, the Federal Bureau of Investigation, and the Department of Energy
(DOE) shared actionable analytic products with critical infrastructure owners and operators
regarding this activity. This information provides network defenders with the information
necessary to understand the adversary campaign and allows them to identify and reduce exposure
to malicious activity. In addition, DHS has been working together with DOE to assess the
preparedness of our electricity sector and strengthen our ability to respond to and recover from a
prolonged power outage caused by a cyber incident.

Cybersecurity Priorities

Earlier this year, the President signed Executive Order (EO) 13800, on Strengthening the
Cybersecurity of Federal Networks and Critical Infrastructure. This Executive Order set in
motion a series of assessments and deliverables to understand how to improve our defenses and
lower our risk to cyber threats. DHS has organized around these deliverables, working with
federal and private sector partners to work through the range of actions included in the Executive
Order.

We are emphasizing the security of federal networks. Across the Federal government, agencies
have been implementing action plans to use the industry-standard Department of Commerce’s
National Institute of Standards and Technology Cybersecurity Framework. Agencies are
reporting to DHS and the Office of Management and Budget (OMB) on their cybersecurity risk
mitigation and acceptance choices. In coordination with OMB, DHS is evaluating the totality of
these Agency reports in order to comprehensively assess the adequacy of the Federal
government’s overall cybersecurity risk management posture.

Although Federal Agencies have primary responsibility for their own cybersecurity, DHS,
pursuant to its various authorities, provides a common set of security tools across the civilian
executive branch and helps Federal Agencies manage their cyber risk. NPPD’s assistance to
federal agencies includes (1) providing tools to safeguard civilian executive branch networks
through the National Cybersecurity Protection System (NCPS), which includes “EINSTEIN”,
and the Continuous Diagnostics and Mitigation (CDM) programs, (2) measuring and motivating
agencies to implement policies, directives, standards, and guidelines, (3) serving as a hub for
information sharing and incident reporting, and (4) providing operational and technical
assistance, including threat information dissemination and risk and vulnerability assessments, as
well as incident response services. NPPD’s National Cybersecurity and Communications
Integration Center (NCCIC) is the civilian government’s hub for cybersecurity information
sharing, asset incident response, and coordination for both critical infrastructure and the federal
government.

EINSTEIN refers to the Federal Government’s suite of intrusion detection and prevention
capabilities that protects agencies’ unclassified networks at the perimeter of each agency.
EINSTEIN provides situational awareness of civilian executive branch network traffic, so threats
detected at one agency are shared with all others providing agencies with information and
capabilities to more effectively manage their cyber risk. The U.S. Government could not achieve
such situational awareness through individual agency efforts alone.

Today, EINSTEIN is a signature-based intrusion detection and prevention capability that takes
action on known malicious activity. Leveraging existing investments in the Internet Service
Provider “ISP” infrastructure, our non-signature based pilot efforts to move beyond current
reliance on signatures are yielding positive results in the discovery of previously unidentified
malicious activity. DHS is demonstrating the ability to capture data that can be rapidly analyzed
for anomalous activity using technologies from commercial, government, and open sources. The
pilot efforts are also defining the future operational needs for tactics, techniques, and procedures
as well as the skill sets and personnel required to operationalize the non-signature based
approach to cybersecurity.

State, local, tribal, and territorial governments are able to access intrusion detection and analysis
services through the Multi-State Information Sharing and Analysis Center (MS-ISAC). MS-
ISAC’s service, called “Albert,” closely resembles some EINSTEIN capabilities. While the
current version of Albert cannot actively block known cyber threats, it does alert cybersecurity
officials to an issue for further investigation. DHS worked closely with MS-ISAC to develop the
program and considers MS-ISAC to be a principal conduit for sharing cybersecurity information
with state and local governments.

EINSTEIN, the Federal Government’s tool to address perimeter security will not block every
threat; therefore, it must be complemented with systems and tools working inside agency
networks—as effective cybersecurity risk management requires a defense-in-depth strategy that
cannot be achieved through only one type of tool. NPPD’s Continuous Diagnostics and
Mitigation (CDM) program provides cybersecurity tools and integration services to all
participating agencies to enable them to improve their respective security postures by reducing
the attack surface of their networks as well as providing DHS with enterprise-wide visibility
through a common federal dashboard.

CDM is helping us achieve two major advances for federal cybersecurity. First, agencies are
gaining visibility, often for the first time, into the extent of cybersecurity risks across their entire
network. With enhanced visibility, they can prioritize the mitigation of identified issues based
upon their relative importance. Second, with the summary-level agency-to-federal dashboard
feeds, the NCCIC will be able to identify systemic risks across the civilian executive branch
more effectively and closer to real-time. For example, the NCCIC currently tracks government-
wide progress in implementing critical patches via agency self-reporting and manual data calls.
CDM will transform this, enabling the NCCIC to immediately view the prevalence of a given
software product or vulnerability across the federal government so that the NCCIC can provide
agencies with timely guidance on their risk exposure and recommended mitigation steps.
Effective cybersecurity requires a robust measurement regime, and robust measurement requires
valid and timely data. CDM will provide this baseline of cybersecurity risk data to drive
improvement across the civilian executive branch.

DHS conducts a number of activities to measure agencies’ cybersecurity practices and works
with agencies to improve risk management practices. The Federal Information Security
Modernization Act of 2014 (FISMA) provided the Secretary of Homeland Security with the
authority to develop and oversee implementation of Binding Operational Directives (BOD) to
agencies. In 2016, the Secretary issued a BOD on securing High Value Assets (HVA), or those
assets, federal information systems, information, and data for which unauthorized access, use,
disclosure, disruption, modification, or destruction could cause a significant impact to the United
States’ national security interests, foreign relations, economy, or to the public confidence, civil
liberties, or public health and safety of the American people. NPPD works with interagency
partners to prioritize HVAs for assessment and remediation activities across the federal
government. For instance, NPPD conducts security architecture reviews on these HVAs to help
agencies assess their network architecture and configurations.

As part of the effort to secure HVAs, DHS conducts in-depth vulnerability assessments of
prioritized agency HVAs to determine how an adversary could penetrate a system, move around
an agency’s network to access sensitive data, and exfiltrate such data without being detected.
These assessments include services such as penetration testing, wireless security analysis, and
“phishing” evaluations in which DHS hackers send emails to agency personnel and test whether
recipients click on potentially malicious links. DHS has focused these assessments on federal
systems that may be of particular interest to adversaries or support uniquely significant data or
services. These assessments provide system owners with recommendations to address identified
vulnerabilities. DHS provides these same assessments, on a voluntary basis upon request, to
private sector and State, local, Territorial, and Tribal (SLTT) partners. DHS also works with the
General Services Administration to ensure that contractors can provide assessments that align
with our HVA initiative to agencies.

Another BOD issued by the Secretary directs civilian agencies to promptly patch known
vulnerabilities on their Internet-facing systems that are most at risk from their exposure. The
NCCIC conducts Cyber Hygiene scans to identify vulnerabilities in agencies’ internet-accessible
devices and provides mitigation recommendations. Agencies have responded quickly in
implementing the Secretary’s BOD and have sustained this progress. When the Secretary issued
this directive, NPPD identified more than 360 “stale” critical vulnerabilities across federal
civilian agencies, which means the vulnerabilities had been known for at least 30 days and
remained unpatched. Since December 2015, NPPD has identified an average of less than 40
critical vulnerabilities at any given time, and agencies have addressed those vulnerabilities
rapidly once they were identified. By conducting vulnerability assessments and security
architecture reviews, NPPD is helping agencies find and fix vulnerabilities and secure their
networks before an incident occurs.
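The “stale” critical vulnerability metric described above, as an added example that is not DHS or NCCIC code: a finding counts as stale when it is critical, still unpatched, and has been known for at least 30 days. The CSV shape, agency and host names, and all vulnerability identifiers other than CVE-2017-0145 (which the NIST testimony cites) are constructed placeholders, not the real Cyber Hygiene report format.

```python
"""Compute the stale critical vulnerability metric from scan findings.

Added example, not DHS or NCCIC code.  The findings, agencies, hosts and
CVE-PLACEHOLDER identifiers are constructed; the CSV shape is an assumption,
not the real Cyber Hygiene report format.
"""
import csv
import io
from datetime import date, timedelta

# Constructed scan findings: one row per host/vulnerability pair; "resolved" is
# blank while the vulnerability is still open on that host.
SAMPLE_FINDINGS = """\
agency,host,vuln_id,severity,first_seen,resolved
AGENCY-A,web1.example.gov,CVE-2017-0145,critical,2017-04-15,
AGENCY-A,web2.example.gov,CVE-2017-0145,critical,2017-05-01,2017-05-20
AGENCY-A,vpn1.example.gov,CVE-PLACEHOLDER-1,critical,2017-05-25,
AGENCY-B,mail1.example.gov,CVE-PLACEHOLDER-2,critical,2017-03-01,
AGENCY-B,dns1.example.gov,CVE-PLACEHOLDER-3,high,2017-02-01,
"""

STALE_AFTER_DAYS = 30  # the directive's criterion as stated in the testimony


def parse_findings(text: str) -> list:
    """Parse the constructed CSV into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["resolved"] = date.fromisoformat(row["resolved"]) if row["resolved"] else None
        rows.append(row)
    return rows


def is_stale(finding: dict, as_of: date, max_age_days: int = STALE_AFTER_DAYS) -> bool:
    """Critical, still open on as_of, and known for max_age_days or more."""
    if finding["severity"] != "critical":
        return False
    if finding["resolved"] is not None and finding["resolved"] <= as_of:
        return False  # patched before the evaluation date
    if finding["first_seen"] > as_of:
        return False  # not yet discovered as of this date
    return (as_of - finding["first_seen"]).days >= max_age_days


def stale_by_agency(findings: list, as_of: date) -> dict:
    """Count stale critical findings per agency on a given date (zero if none)."""
    counts = {}
    for finding in findings:
        counts.setdefault(finding["agency"], 0)
        if is_stale(finding, as_of):
            counts[finding["agency"]] += 1
    return counts


def stale_trend(findings: list, start: date, end: date, step_days: int = 7) -> list:
    """Total stale findings sampled every step_days from start to end inclusive,
    the 'at any given time' view the testimony reports an average of."""
    points = []
    current = start
    while current <= end:
        points.append((current, sum(stale_by_agency(findings, current).values())))
        current += timedelta(days=step_days)
    return points


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_FINDINGS)
    print(stale_by_agency(findings, date(2017, 6, 1)))
    for day, total in stale_trend(findings, date(2017, 5, 10), date(2017, 6, 1)):
        print(day, total)
```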

In addition to efforts to protect government networks, EO 13800 continues to examine how the
government and industry work together to protect our nation’s critical infrastructure, prioritizing
deeper, more collaborative public-private partnerships in threat assessment, detection, protection,
and mitigation. In collaboration with civilian, defense, and intelligence agencies, we are
identifying authorities and capabilities that agencies could employ, soliciting input from the
private sector, and developing recommendations to support the cybersecurity efforts of those
critical infrastructure entities at greatest risk of attacks that could result in catastrophic impacts.

For instance, by sharing information quickly and widely, we help all partners block cyber threats
before damaging incidents occur. Equally important, the information we receive from partners
helps us identify emerging risks and develop effective protective measures.

Congress authorized the NCCIC as the civilian hub for sharing cyber threat indicators and
defensive measures with and among federal and non-federal entities, including the private sector.
As required by the Cybersecurity Act of 2015, we established a capability, known as Automated
Indicator Sharing (AIS), to automate our sharing of cyber threat indicators in real-time. AIS
protects the privacy and civil liberties of individuals by narrowly tailoring the information shared
to that which is necessary to characterize identified cyber threats, consistent with longstanding
DHS policy and the requirements of the Act. AIS is a part of the Department’s effort to create an
environment in which as soon as a company or federal agency observes an attempted
compromise, the indicator is shared in real time with all of our partners, enabling them to protect
themselves from that particular threat. This real-time sharing capability can limit the scalability
of many attack techniques, thereby increasing the costs for adversaries and reducing the impact
of malicious cyber activity. An ecosystem built around automated sharing and network defense-
in-depth should enable organizations to detect and thwart the most common cyber-attacks,
freeing their cybersecurity staff to concentrate on the novel and sophisticated attacks. More than
129 agencies and private sector partners have connected to the AIS capability. Notably, partners
such as information sharing and analysis organizations (ISAOs) and computer emergency
response teams further share with or protect their customers and stakeholders, significantly
expanding the impact of this capability. AIS is still a new capability and we expect the volume of
threat indicators shared through this system to substantially increase as the technical standards,
software, and hardware supporting the system continue to be refined and put into full production.
As more indicators are shared from other federal agencies, SLTT governments, and the private
sector, this information sharing environment will become more robust and effective.

Another part of the Department’s overall information sharing effort is to provide federal network
defenders with the necessary context regarding cyber threats to prioritize their efforts and inform
their decision making. DHS’s Office of Intelligence and Analysis (I&A) has collocated analysts
within the NCCIC responsible for continuously assessing the specific threats to federal networks
using traditional all source methods and indicators of malicious activity so that the NCCIC can
share with federal network defenders in collaboration with I&A. Analysts and personnel from the
Department of Energy, Treasury, Health and Human Services, FBI, DoD and others are also
collocated within the NCCIC and working together to understand the threats and share
information with their sector stakeholders.

Mitigating Cyber Risks

We also continue to adapt to the evolving risks to critical infrastructure, and prioritize our
services to mitigate those risks. Facing the threat of cyber-enabled operations by a foreign
government during the 2016 elections, DHS and our interagency partners conducted
unprecedented outreach and provided cybersecurity assistance to state and local election
officials. Information shared with election officials included indicators of compromise, technical
data, and best practices that have assisted officials with addressing threats and vulnerabilities
related to election infrastructure. Through numerous efforts before and after Election Day, DHS
and our interagency partners have declassified and publicly shared significant information
related to the Russian malicious cyber activity. These steps have been critical to protecting our
elections, enhancing awareness among election officials, and educating the American public. The
designation of election infrastructure as critical infrastructure serves to institutionalize prioritized
services, support, and provide data protections and does not subject any additional regulatory
oversight or burdens.

As the Sector-Specific Agency, NPPD is providing overall coordination guidance on election
infrastructure matters to subsector stakeholders. As part of this process, the Election
Infrastructure Subsector Government Coordinating Council (GCC) is being established. The
Election Infrastructure Subsector GCC will be a representative council of federal, state, and local
partners with the mission of focusing on sector-specific strategies and planning. This will include
development of information sharing protocols and establishment of key working groups, among
other priorities.

The Department also recently took action against specific products which present a risk to
federal information systems. After careful consideration of available information and
consultation with interagency partners, last month the Acting Secretary issued a BOD directing
Federal Executive Branch departments and agencies to take actions related to the use or presence
of information security products, solutions, and services supplied directly or indirectly by AO
Kaspersky Lab or related entities. The BOD calls on departments and agencies to identify any
use or presence of Kaspersky products on their information systems in the next 30 days, to
develop detailed plans to remove and discontinue present and future use of the products in the
next 60 days, and at 90 days from the date of this directive, unless directed otherwise by DHS
based on new information, to begin to implement the agency plans to discontinue use and
remove the products from information systems. This action is based on the information security
risks presented by the use of Kaspersky products on federal information systems.

The Department is providing an opportunity for Kaspersky to submit a written response
addressing the Department’s concerns or to mitigate those concerns. The Department wants to
ensure that the company has a full opportunity to inform the Acting Secretary of any evidence,
materials, or data that may be relevant. This opportunity is also available to any other entity that
claims its commercial interests will be directly impacted by the directive.

Conclusion

In the face of increasingly sophisticated threats, NPPD stands on the front lines of the federal
government’s efforts to defend our nation’s critical infrastructure from natural disasters,
terrorism and adversarial threats, and technological risk such as those caused by cyber threats.
Our infrastructure environment today is complex and dynamic with interdependencies that add to
the challenge of securing and making it more resilient. Technological advances have introduced
the “Internet of Things” (IoT) and cloud computing, offering increased access and streamlined
efficiencies, while increasing our footprint of access points that could be leveraged by
adversaries to gain unauthorized access to networks. As our nation continues to evolve and new
threats emerge, we must integrate cyber and physical risk in order to understand how to
effectively secure it. Expertise around cyber-physical risk and cross-sector critical infrastructure
interdependencies is where NPPD brings unique expertise and capabilities.

We must ensure that NPPD is appropriately organized to address cybersecurity threats both now
and in the future, and we appreciate this Committee’s leadership in working to establish the
Cybersecurity and Infrastructure Security Agency. As the Committee considers these issues, we
are committed to working with Congress to ensure that this effort is done in a way that cultivates
a safer, more secure and resilient Homeland.

Thank you for the opportunity to testify, and we look forward to any questions you may have.

Source: https://www.dhs.gov/news/2017/10/03/written-testimony-nppd-house-homeland-security-subcommittee-cybersecurity-and

SEC Statement on Cybersecurity 2017

Chairman Jay Clayton

Sept. 20, 2017

Introduction

Data collection, storage, analysis, availability and protection (including security, validation and
recovery) have become fundamental to the function and performance of our capital markets, the
individuals and entities that participate in those markets, and the U.S. Securities and Exchange
Commission ("Commission" or "SEC"). As a result of these and other developments, the scope
and severity of risks that cyber threats present have increased dramatically, and constant
vigilance is required to protect against intrusions. The Commission is focused on identifying and
managing cybersecurity risks and ensuring that market participants – including issuers,
intermediaries, investors and government authorities – are actively and effectively engaged in
this effort and are appropriately informing investors and other market participants of these risks.

I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that
enterprises face. That stark reality makes adequate disclosure no less important. Malicious
attacks and intrusion efforts are continuous and evolving, and in certain cases they have been
successful at the most robust institutions and at the SEC itself. Cybersecurity efforts must
include, in addition to assessment, prevention and mitigation, resilience and recovery.

In today's environment, cyberattacks are perpetrated by identity thieves, unscrupulous
contractors and vendors, malicious employees, business competitors, prospective insider traders
and market manipulators, so-called "hacktivists," terrorists, state-sponsored actors and others.
Cyber intrusions can create significant risks to the operational performance of market
participants and of markets as a whole. These risks can take the form of denials of service and
the destruction of systems, potentially resulting in impediments to account access and transaction
execution, and disruption of other important market system functionalities. The risks associated
with cyber intrusions may also include loss or exposure of consumer data, theft or exposure of
intellectual property, and investor losses resulting from the theft of funds or market value
declines in companies subject to cyberattacks, among others. Market participants also face
regulatory, reputational and litigation risks resulting from cyber incidents, as well as the potential
of incurring significant remediation costs.
Ultimately, a large portion of the costs incurred in connection with these risks, including the
costs of mitigation, are borne by investors, consumers, and other important constituents.

Cybersecurity risks extend beyond data storage and transmission systems. Maintaining
reliability of data operations also depends on the continued functioning of other services that
themselves face significant cyber risks, including, most notably, critical infrastructure such as
electric power and communications grids.

In May 2017, I initiated an assessment of our internal cybersecurity risk profile and our approach
to cybersecurity from a regulatory and oversight perspective. Components of this initiative build
on prior agency efforts in this area and include establishing a senior-level cybersecurity working
group to coordinate information sharing, risk monitoring, and incident response efforts
throughout the agency. This Statement is one part of our effort to analyze, improve and
communicate our work in this area to market participants and the American public more
generally. In more detail below we provide an overview of our approach to cybersecurity as an
organization and as a regulatory body, including:

• the types of data we collect, hold and make publicly available;
• how we manage cybersecurity risks and respond to cyber events related to our operations;
• how we incorporate cybersecurity considerations in our risk-based supervision of the entities
we regulate;
• how we coordinate with other regulators to identify and mitigate cybersecurity risks; and
• how we use our oversight and enforcement authorities in the cybersecurity context, including
to pursue cyber threat actors that seek to harm investors and our markets.

This Statement describes various specific cybersecurity risks that we and our regulated entities
face, as well as cybersecurity events that we have experienced. These descriptions provide
context, but are not exhaustive.
We also expect to provide a discussion of internal cybersecurity matters each year in our annual
Agency Financial Report.

I. Collection and Use of Data by the Commission

In support of its mission, the Commission receives, stores and transmits data falling under three
broad categories. These activities are critical to our tri-partite mission of investor protection, the
maintenance of fair, orderly and efficient markets, and the facilitation of capital formation.

The first category of data includes public-facing data that is transmitted to and accessed through
Commission systems. Since its creation in 1934, a critical part of the SEC's mission has been its
oversight of the system of public reporting by issuers and other registrants, and in 1984 the
Commission began collecting, and making publicly available, disclosure documents through its
EDGAR system. In 2017, on a typical day, investors and other market participants access more
than 50 million pages of disclosure documents through the EDGAR system, which receives and
processes over 1.7 million electronic filings per year.

The second category of data the Commission receives, stores and transmits includes nonpublic
information, including personally identifiable information, generally related to our supervisory
and enforcement functions. This data, which relates to the operations of issuers, broker-dealers,
investment advisers, investment companies, self-regulatory organizations ("SROs"), alternative
trading systems ("ATSs"), clearing agencies, credit rating agencies, municipal advisors and other
market participants, may be sensitive to individuals, organizations and our markets generally.

For example, staff in our Division of Trading and Markets often receive nonpublic drafts of
proposed rule filings by SROs, and staff in our Division of Investment Management and
Division of Corporation Finance often receive drafts of applications for exemptive relief under
the federal securities laws. Staff in our Office of Compliance Inspections and Examinations
("OCIE"), among other divisions and offices, receive nonpublic data, including personally
identifiable information, in connection with their ongoing oversight and examinations of broker-
dealers, investment advisers, and other regulated entities. Staff in our Division of Enforcement
receive nonpublic and personally identifiable information in connection with their investigations
into potential violations of the federal securities laws.
In addition, at this time it is expected that the Commission will have access to significant,
nonpublic, market sensitive data and personally identifiable information in connection with the
implementation of the Consolidated Audit Trail ("CAT"). CAT is intended to provide SROs and
the Commission access to comprehensive data that will facilitate the efficient tracking of trading
activity across U.S. equity and options markets. CAT, which is being developed and
operationalized by the SROs, is in the later stages of its multi-year development, and its first
stage of operation is scheduled to commence in November 2017. Cybersecurity has been and
will remain a key element in the development of CAT systems.

The third category of data includes nonpublic data, including personally identifiable information,
related to the Commission's internal operations. This includes, for example, personnel records,
records relating to internal investigations, and data relating to our risk management and internal
control processes. This category also includes materials that Commission staff generate in
connection with their daily roles and responsibilities, including work papers and internal
memoranda.

As required by the Privacy Act of 1974 (5 U.S.C. § 552a), the Commission discloses on its
website the types of personally identifiable information it receives, whether in connection with
its outward-facing or internal operations. The Commission also publishes privacy impact
assessments to inform the public about the information it collects and the safeguards that have
been put in place to protect it.[1]

II. Management of Internal Cybersecurity Risks

As described above, the Commission receives, stores and transmits substantial amounts of data,
including sensitive and nonpublic data. Like many other governmental agencies, financial
market participants and other private sector entities, we are the subject of frequent attempts by
unauthorized actors to disrupt access to our public-facing systems, access our data, or otherwise
cause damage to our technology infrastructure, including through the use of phishing, malware
and other attack vectors. For example, with respect to our EDGAR system, we face the risks of
cyber threat actors attempting to compromise the credentials of authorized users, gain
unauthorized access to filings data, place fraudulent filings on the system, and prevent the public
from accessing our system through denial of service attacks. We also face the risks of actors
attempting to access nonpublic data relating to our oversight of, or enforcement actions against,
market participants, which could then be used to obtain illicit trading profits. Similarly, with
respect to CAT, we expect we will face the risk of unauthorized access to the CAT's central
repository and other efforts to obtain sensitive CAT data.[2] Through such access, intruders
could potentially obtain, expose and profit from the trading activity and personally identifiable
information of investors and other market participants.

Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain
cases cyber threat actors have managed to access or misuse our systems. In August 2017, the
Commission learned that an incident previously detected in 2016 may have provided the basis
for illicit gain through trading. Specifically, a software vulnerability in the test filing component
of our EDGAR system, which was patched promptly after discovery, was exploited and resulted
in access to nonpublic information. We believe the intrusion did not result in unauthorized
access to personally identifiable information, jeopardize the operations of the Commission, or
result in systemic risk. Our investigation of this matter is ongoing, however, and we are
coordinating with appropriate authorities. As another example, our Division of Enforcement has
investigated and filed cases against individuals who we allege placed fake SEC filings on our
EDGAR system in an effort to profit from the resulting market movements.[3]

In addition, like other organizations, we are subject to the risk of unauthorized actions or
disclosures by Commission personnel. For example, a 2014 internal review by the SEC's Office
of Inspector General ("OIG"), an independent office within the agency, found that certain SEC
laptops that may have contained nonpublic information could not be located.[4] The OIG also
has found instances in which SEC personnel have transmitted nonpublic information through
non-secure personal email accounts.[5] We seek to mitigate this risk by requiring all personnel
to complete privacy and security training and we have other relevant risk mitigation controls in
place.

Similarly, we are subject to cybersecurity risk in connection with vendors we utilize. For
example, a weakness in vendor systems or software products may provide a mechanism for a
cyber threat actor to access SEC systems or information through trusted paths. Recent global
supply chain security incidents such as compromises of reputable software update services are
illustrative of this type of occurrence.

In light of the nature of the data at risk and the cyber-related threats faced by the SEC, the
Commission employs an agency-wide cybersecurity detection, protection and prevention
program for the protection of agency operations and assets. This program includes cybersecurity
protocols and controls, network protections, system monitoring and detection processes, vendor
risk management processes, and regular cybersecurity and privacy training for employees. That
said, we recognize that cybersecurity is an evolving landscape, and we are constantly learning
from our own experiences as well as the experiences of others. To aid in this effort, and
notwithstanding limitations on our hiring generally, we expect to hire additional expertise in this
area.

Governance

It is our experience, consistent with the President's Executive Order on Strengthening the
Cybersecurity of Federal Networks and Critical Infrastructure, that a focus by senior
management on cybersecurity is an important contributor to the effective identification and
mitigation of cybersecurity risks.[6] To that end, SEC Commissioners and senior management
have emphasized cybersecurity awareness and compliance. Senior management across the SEC's
offices and divisions are required to coordinate with respect to cybersecurity efforts, including
through risk reporting and the development and testing of agency-wide procedures and exercises
for responding to both internal and external cyber threats.

Although all SEC personnel are responsible for employing practices that minimize cybersecurity
risks, the SEC's Office of Information Technology has overall management responsibility for the
agency's information technology program, including cybersecurity. The Chief Information
Officer and Chief Information Security Officer lead cybersecurity efforts within the agency,
including with respect to maintaining and monitoring adherence to the agency's Information
Security Program Plan (described further below).

The SEC periodically assesses the effectiveness of its cybersecurity efforts, including through
penetration testing of internal and public-facing systems, ongoing monitoring by the Department
of Homeland Security, independent verification and validation, and security assessments
conducted by impartial third parties.

Policies and procedures

The SEC maintains a number of internal policies and procedures related to cybersecurity, as set
forth in the agency's Information Security Program and Program Plan. These documents, which
are developed in accordance with standards set forth by the National Institute of Standards and
Technology ("NIST"), delineate the roles and responsibilities of various agency officials, offices,
committees and system owners in carrying out the SEC's information security objectives,
including our training efforts.

The Commission also is in the process of implementing the NIST Framework for Improving
Critical Infrastructure Cybersecurity.[7] Among other things, the NIST Framework is expected
to help the agency define and achieve appropriate cybersecurity goals and outcomes, including
identifying key assets, protecting against intrusions, detecting incidents, containing impacts and
planning for recovery.

Independent audits and reviews

The SEC's cybersecurity program is subject to review from internal and external independent
auditors. The SEC's OIG audits the agency's information technology systems, and components
of these audits have included cybersecurity controls. The OIG also audits compliance with
applicable federal cybersecurity requirements in accordance with the Federal Information
Security Modernization Act of 2014 ("FISMA").[8]

In addition, the Government Accountability Office ("GAO"), an external audit agency, performs
annual audits of the effectiveness of the Commission's internal control structure and procedures
for financial reporting. In connection with these audits, the GAO has examined the effectiveness
of information security controls designed to protect the confidentiality, integrity, and availability
of key financial systems and information.[9] The Commission takes seriously identified
deficiencies, documents the corrective actions it undertakes, and provides documentation to
auditors to close out recommendations.

External reporting

The SEC submits reports on its cybersecurity performance to the Office of Management and
Budget. The agency also reports privacy and cybersecurity incidents to the Department of
Homeland Security's Computer Emergency Readiness Team ("US-CERT") in accordance with
established protocols. Further, the SEC has established relationships with the National
Cybersecurity and Communications Integration Center ("NCCIC"), the Financial and Banking
Information Infrastructure Committee ("FBIIC"), and Financial Services Information Sharing
and Analysis Center ("FS-ISAC") to share information regarding cybersecurity threats.

III. Incorporation of Cybersecurity Considerations in the Commission's Disclosure-Based and
Supervisory Efforts

Promoting effective cybersecurity practices by market participants is critical to all three elements
of the SEC's mission. As described in more detail below, the Commission incorporates
cybersecurity considerations in its disclosure and supervisory programs, including in the context
of the Commission's review of public company disclosures, its oversight of critical market
technology infrastructure, and its oversight of other regulated entities, including broker-dealers,
investment advisers and investment companies.

Promoting effective public company disclosures

With respect to U.S. public company issuers, the SEC's primary regulatory role is disclosure
based. To that end, the staff of the Division of Corporation Finance has issued disclosure
guidance to help public companies consider how issues related to cybersecurity should be
disclosed in their public reports.[10]

The staff guidance discusses, among other things, cybersecurity considerations relevant to a
company's risk factors, management's discussion and analysis of financial condition and results
of operations ("MD&A"), description of business, discussion of legal proceedings, financial
statements, and disclosure controls and procedures. The staff guidance is principles based and,
while issued in 2011, remains relevant today. Accordingly, issuers should consider whether their
publicly filed reports adequately disclose information about their risk management governance
and cybersecurity risks, in light of developments in their operations and the nature of current and
evolving cyber threats. The Commission also will continue to evaluate this guidance in light of
the cybersecurity environment and its impacts on issuers and the capital markets generally.

Oversight of market infrastructure

The Commission's regulatory role with respect to market infrastructure such as exchanges and
clearing agencies extends beyond compliance with applicable disclosure requirements and
includes ongoing supervision and oversight. In furtherance of its statutory objectives, the
Commission adopted Regulation Systems Compliance and Integrity ("Regulation SCI") and
Form SCI in November 2014 to strengthen the technology infrastructure of the U.S. securities
markets. The regulation applies to "SCI entities," a term which includes SROs (including stock
and options exchanges, registered clearing agencies, FINRA and the MSRB), ATSs that exceed
specified trading volume thresholds, disseminators of consolidated market data, and certain
exempt clearing agencies.[11]

Regulation SCI is designed to reduce the occurrence of systems issues, improve resiliency when
systems problems do occur, and enhance the Commission's ability to oversee and enforce rules
governing market infrastructure. In addition to requiring SCI entities to maintain policies and
procedures reasonably designed to ensure operational resiliency, the regulation requires SCI
entities to take corrective action with respect to systems disruptions, compliance issues and
intrusions (e.g., cybersecurity breaches). SCI entities are also required to provide notification,
including to the Commission, of such events. SCI entities are subject to examinations by OCIE,
and OCIE's Technology Controls Program reviews Regulation SCI filings as part of
CyberWatch, OCIE's internal program responsible for triaging all system events reported to the
SEC under Regulation SCI.

Oversight of broker-dealers, investment advisers and other market participants

The SEC also conducts supervisory oversight of broker-dealers, investment advisers, investment
companies, credit rating agencies and other market participants registered with the Commission.
Many of these entities act as the primary interface between the securities markets and investors,
including Main Street investors. Not only do their systems provide investors access to their
securities accounts, but those systems in many cases also hold customers' personally identifiable
information.

Certain SEC regulations directly implicate information security practices of regulated entities.
For example, Regulation S-P requires registered broker-dealers, investment companies and
investment advisers to adopt written policies and procedures governing safeguards for the
protection of customer information and records.[12] Similarly, Regulation S-ID requires these
firms, to the extent they maintain certain types of covered accounts, to establish programs
addressing how to identify, detect and respond to potential identity theft red flags.[13] In
addition, SEC staff engage with regulated firms to provide guidance on cybersecurity practices.
For example, in April 2015, the SEC's Division of Investment Management issued staff guidance
to highlight the importance of cybersecurity and discuss measures for funds and advisers to
consider when addressing cybersecurity risks.[14]

The risk-based examinations of registered entities conducted by OCIE staff have included
reviews of risk management programs and other operational components in order to evaluate
compliance with Regulations S-P and S-ID, as well as with other federal securities laws and
regulations. In recent years, OCIE has placed increasing emphasis on cybersecurity practices
and has included cybersecurity in its examination priorities.[15] In August 2017, OCIE
published a summary of observations from its second major initiative to assess cybersecurity
preparedness in the securities industry.[16] The initiative focused its review on the content and
implementation of firms' written cybersecurity policies and was part of a series of OCIE
publications on cybersecurity.[17] Recognizing that there is no single correct approach to
cybersecurity, the publication was not intended to provide a checklist of required practices, but
rather to share information about practices the staff identified that may be useful to firms as they
engage in cybersecurity planning.

IV. Coordination With Other Governmental Entities

Effective interagency coordination facilitates the identification, mitigation and remediation of
broad and potentially systemic cybersecurity risks, and it also can sharpen the focus by regulated
entities on risk management efforts. As a general matter, the Commission shares oversight
responsibility for large financial institutions with other financial regulators, which in the U.S.
include the Board of Governors of the Federal Reserve System, the Commodity Futures Trading
Commission, the Office of the Comptroller of the Currency and the Federal Deposit Insurance
Corporation, among others. Our oversight may also require coordination with other regulatory
agencies. For example, consumer protection matters with respect to SEC registrants are largely
overseen by other federal regulators, including the Federal Trade Commission and the Consumer
Financial Protection Bureau.

The Commission coordinates on cybersecurity matters with the Department of the Treasury and
other federal financial regulatory agencies within the framework of the FBIIC, an interagency
working group. The FBIIC was designed to improve coordination and communication among
financial regulators, enhance financial sector resiliency and promote private-public partnership.
In addition to being a vehicle for federal agencies to communicate timely alerts regarding cyber
threats or vulnerabilities in the financial sector, the FBIIC identifies and assesses critical
infrastructure assets and holds periodic cyber incident response simulations with the FBIIC
members, law enforcement and industry.

The FBIIC also engages with the private sector on regulatory harmonization and critical
cybersecurity and other infrastructure issues, primarily through industry groups such as the
Financial Services Sector Coordinating Council ("FSSCC").[18] FBIIC and FSSCC members
coordinate exercises to identify critical issues that could impact the resiliency of the U.S.
financial system and that may need to be addressed by private industry, the public sector, or
both.

With respect to cyber-related issues that could pose a systemic risk to our markets or U.S.
financial stability, we also coordinate with other financial regulators through the Financial
Stability Oversight Council. In addition, we seek to coordinate with non-U.S. regulators both
bilaterally and through international organizations such as the International Organization of
Securities Commissions.

V. Enforcement of the Federal Securities Laws

Issuers and other market participants must take their periodic and current disclosure obligations
regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.

In addition, the Commission has used its enforcement authority under the federal securities laws
to vigorously pursue cyber threat actors who seek to harm investors and our markets. The use of
innovative technology and analytical tools, many of which were developed internally, has
enabled the Division of Enforcement to increasingly identify suspicious trading activity across
multiple issuers, traders and geographic locations.

The Commission recently has brought several cases alleging the hacking and stealing of
nonpublic information in connection with illicit trading activity. For example, in December
2016, the Commission charged three traders for allegedly participating in a scheme to hack into
two prominent New York-based law firms to steal information pertaining to clients that were
considering mergers or acquisitions, which the hackers then used to trade.[19] The Commission
also brought charges against two defendants who allegedly hacked into newswire services to
obtain non-public information about corporate earnings announcements, as well as dozens of
other defendants who allegedly traded on the information.[20]

In another type of case, the Commission brought charges concerning a scheme to gain
unauthorized access to online brokerage accounts of U.S. investors and make unauthorized stock
trades, thereby driving up share prices and allowing those who allegedly perpetrated the scheme
to generate profits in other trading accounts.[21]

In an effort to proactively and efficiently address securities fraud in connection with
cyberattacks, the Division of Enforcement has developed substantial expertise in the detection
and pursuit of fraudulent conduct across the increasingly technological and data-driven
landscape, devotes substantial resources to this effort, and works closely with its law
enforcement counterparts.

VI. Looking Forward

The Commission will continue to prioritize its efforts to promote effective cybersecurity
practices within the Commission itself and with respect to the markets and market participants it
oversees. This requires an ongoing, thoughtful evaluation of the data we obtain. When
determining when and how to collect data, we must continue to thoughtfully evaluate our
approach in light of the importance to our mission of each type of data we receive, particularly in
the case of sensitive data, such as personally identifiable and nonpublic information.

There are certain types of sensitive data that we must obtain from market participants in order to
fulfill our mission. When determining when and how to collect data, it is important that we
regularly review whether our related data protections are appropriate in light of the sensitivity of
the data and the associated risks of unauthorized access. We should also continue to evaluate
whether alternatives exist that may allow us to further our mission while reducing the sensitivity
of data we collect. For example, one way in which we have reduced the market sensitivity of
certain data we collect has been to obtain it on a delayed basis when appropriate.

Cybersecurity is critical to investors, market participants, our markets, and the Commission
itself. By promoting effective cybersecurity practices in connection with both the Commission's
internal operations and its external regulatory oversight efforts, it is our objective to contribute
substantively to a financial market system that recognizes and addresses cybersecurity risks and,
in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.

[1] These disclosures and assessments can be accessed at https://www.sec.gov/about/privacy/secprivacyoffice.htm.

[2] Although the CAT central repository is hosted and managed by the independent CAT plan
processor, not the Commission, the Commission and SROs will have means to access that data.

[3] See, e.g., Press Release 2017-107, SEC Charges Fake Filer With Manipulating Fitbit Stock
(May 19, 2017), available at https://www.sec.gov/news/press-release/2017-107.

[4] SEC Office of Inspector General, Controls Over the SEC's Inventory of Laptop Computers,
Rep. No. 524 (Sep. 22, 2014), available at https://www.sec.gov/files/524.pdf.

[5] Memorandum from Carl W. Hoecker, Inspector General, The Inspector General's Statement
on the SEC's Management and Performance Challenges, October 2016, at 8 (Oct. 7, 2016),
available at
https://www.sec.gov/files/Inspector%20General%27s%20Statement%20on%20the%20SEC%27s%20Management%20and%20Performance%20Challenges.pdf.

[6] Exec. Order No. 13800, 82 Fed. Reg. 22391 (May 11, 2017).

[7] National Institute of Standards and Technology, Framework for Improving Critical
Infrastructure Cybersecurity, v. 1.0 (Feb. 12, 2014), available at
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.

[8] See, e.g., SEC Office of the Inspector General, Audit of the SEC's Compliance With the
Federal Information Security Modernization Act for Fiscal Year 2016, Rep. No. 539 (Mar. 7,
2017), available at
https://www.sec.gov/files/Audit-of-the-SECs-Compliance-with-the-Federal-Information-Security-Modernization-Act-for-Fiscal-Year-2016.pdf. FISMA provides a
comprehensive framework designed to ensure the effectiveness of security controls over
information resources that support federal operations and assets, as well as a mechanism for
oversight of federal information security programs. FISMA also requires federal agencies to
develop, document and implement an agency-wide information security program to protect the
data and information systems that support the operations and assets of the agency.

[9] See, e.g., Government Accountability Office, Information Security: SEC Improved Control
of Financial Systems But Needs to Take Additional Actions, Rep. No. GAO-17-469 (July 2017),
available at https://www.gao.gov/assets/690/686192.pdf.

[10] See SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2—
Cybersecurity (Oct. 31, 2011), available at
http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. In addition, the SEC
staff has regularly reviewed issuer disclosures to assess and comment on the information
provided and its consistency with the Division's guidance.

[11] 79 Fed. Reg. 72251 (Dec. 5, 2014). Regulation SCI applies primarily to the systems of SCI
entities that directly support any one of six key securities market functions – trading, clearance
and settlement, order routing, market data, market regulation, and market surveillance. It is
anticipated that the CAT central repository will be covered by the regulation as an SCI system.

[12] 17 C.F.R. part 248, subpart A.

[13] 17 C.F.R. part 248, subpart C.

[14] Cybersecurity Guidance, IM Guidance Update (Apr. 2015), available at
http://www.sec.gov/investment/im-guidance-2015-02.pdf.

[15] OCIE Examination Priorities for 2017 (Jan. 12, 2017) available at
https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf;
Examination Priorities for 2016 (Jan. 11, 2016) available at
https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf;
Examination Priorities for 2015 (Jan. 13, 2015) available at
https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf.

[16] OCIE National Exam Program Risk Alert, Observations from Cybersecurity Examinations
(Aug. 7, 2017), available at
https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.

[17] See, e.g., OCIE National Exam Program Risk Alert, OCIE Launching Cybersecurity
Preparedness Initiative (Apr. 15, 2014) available at
https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf;
National Exam Program Risk Alert, Cybersecurity Examination Sweep Summary (Feb. 3, 2015)
available at
https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf;
National Exam Program Risk Alert, OCIE's 2015 Cybersecurity Examination Initiative (Sept. 15, 2015)
available at
https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf;
National Exam Program Risk Alert, Cybersecurity: Ransomware Alert (May 17, 2017)
available at
https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf. In particular, the initiative focused on the areas of
governance and risk assessment, access rights and controls, data loss prevention, vendor
management, training and incident response.

[18] The FSSCC, established in 2002 by financial sector market participants, coordinates critical
infrastructure and homeland security activities within the financial services industry. Its 70
members consist of financial trade associations, financial utilities, and financial firms. See
http://www.fsscc.org.

[19] Press Release 2016-280, Chinese Traders Charged With Trading on Hacked Nonpublic
Information Stolen From Two Law Firms (Dec. 27, 2016), available at
https://www.sec.gov/news/pressrelease/2016-280.html.

[20] Press Release 2015-163, SEC Charges 32 Defendants in Scheme to Trade on Hacked News
Releases (Aug. 11, 2015), available at https://www.sec.gov/news/pressrelease/2015-163.html;
Litigation Release No. 23471, SEC Charges Nine Additional Defendants in Hacked News
Release Scheme (Feb. 18, 2016), available at
https://www.sec.gov/litigation/litreleases/2016/lr23471.htm.

[21] Press Release 2016-127, SEC Sues UK-Based Trader for Account Intrusion Scheme (June
22, 2016), available at https://www.sec.gov/news/pressrelease/2016-127.html.
