Written Testimony of NPPD for a House Homeland Security Subcommittee on Cybersecurity Hearing Titled 'Facilitating Cyber Threat Information Sharing & Partnering With the Private Sector to Protect Critical Infrastructure: An Assessment of DHS Capabilities'

311 Cannon House Office Building

Introduction
Chairman Meehan, Ranking Member Clarke, and distinguished Members of the Committee, it is a pleasure to appear before you today to discuss the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC). Specifically, I will discuss the NCCIC’s role, responsibilities, and future planning to protect our Nation’s critical infrastructure from cyber attacks, secure Federal networks, and coordinate private sector cyber threat information sharing.

Before I begin, I would like to thank the Committee for its leadership during the recent legislative debate over the Cyber Intelligence Sharing and Protection Act, especially in support of passing an amendment to designate DHS as the lead civilian Federal entity to receive cyber threat information. Cybersecurity threats put the confidentiality, integrity, and availability of critical services at risk. DHS, along with its government and private sector partners, works to counter these threats while supporting a cyber ecosystem that is open, transparent, and less vulnerable to manipulation. The NCCIC supports this effort by providing comprehensive and robust information sharing, incident response, technical assistance, and analysis capabilities to private sector, government, and international partners.

Current Threat Landscape
Cyberspace is woven into the fabric of our daily lives. According to recent estimates, this global network of networks encompasses more than two billion people with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers, and industrial control computers that run power plants, water systems, and more. While this increased connectivity has led to significant transformations and advances across our country – and around the world – it also has increased the importance and complexity of our shared risk. Our daily life, economic vitality, and national security depend on cyberspace. A vast array of interdependent IT networks, systems, services, and resources are critical to communicating, traveling, powering our homes, running our economy, and obtaining government services. No country, industry, community, or individual is immune to cyber risks.

The United States confronts a dangerous combination of known and unknown vulnerabilities in cyberspace and strong and rapidly expanding adversary capabilities. Cyber crime also has increased significantly over the last decade. Sensitive information is routinely stolen from private sector and government networks, undermining the integrity of the data contained within these systems. The Department currently sees malicious cyber activity from foreign nations and non-state actors engaged in intellectual property theft and information operations, as well as from terrorists, organized crime, and insiders. Their methods range from distributed denial of service (DDoS) attacks and social engineering to viruses and other malware introduced through remote access, thumb drives, supply chain exploitation, and the abuse of trusted insiders’ access.

The Department has seen motivations for attacks vary from intellectual property theft to criminals seeking financial gain and hackers who may seek bragging rights in the hacker community. Industrial control systems also are targeted by a variety of malicious actors who may have intentions to damage equipment and facilities or steal data. Foreign actors also are targeting intellectual property with the goal of stealing trade secrets or other sensitive corporate data from U.S. companies in order to gain an unfair competitive advantage in the global market.

Successful response to dynamic cyber threats requires leveraging homeland security, law enforcement, and military authorities and capabilities, which respectively provide for domestic preparedness, criminal deterrence and investigation, and national defense. DHS, the Department of Justice (DOJ), and the Department of Defense (DOD) each play a key role in responding to cybersecurity incidents that pose a risk to the United States. To achieve a whole-of-Government response, DHS, DOJ, and DOD coordinate continuously to effectively respond to specific incidents. While each agency operates within the parameters of its authorities, the U.S. Government’s response to cyber incidents of consequence is coordinated among these three agencies such that “a call to one is a call to all.”

NCCIC’s Cybersecurity Mission
DHS coordinates the overall Federal effort to promote the security and resilience of the Nation’s critical infrastructure by ensuring maximum coordination and partnership with the private sector while ensuring that privacy, confidentiality, and civil rights and civil liberties are not diminished by its security initiatives. Accordingly, the Department has implemented rigorous privacy and civil rights and civil liberties standards, which apply to all of its cybersecurity programs and initiatives. In order to protect privacy while safeguarding and securing cyberspace, DHS institutes layered privacy responsibilities throughout the Department, embeds fair information practice principles into cybersecurity programs and privacy compliance efforts, and fosters collaboration with cybersecurity partners.

Within DHS’s National Protection and Programs Directorate (NPPD), the Office of Cybersecurity and Communications (CS&C) focuses on managing risk to the communications and information technology infrastructures and the sectors that depend upon them, as well as enabling timely response and recovery of these infrastructures under all circumstances. CS&C executes its mission by supporting 24x7 information sharing, analysis, and incident response; facilitating interoperable emergency communications; advancing technology solutions for private and public sector partners; providing tools and capabilities to ensure the security of Federal civilian executive branch networks; and engaging in strategic level coordination for the Department with private sector organizations on cybersecurity and communications issues.

To better manage and facilitate cybersecurity information sharing efforts, analysis, and incident response activities, the Department established the NCCIC, a round-the-clock information sharing, analysis, and incident response center where government, private sector, and international partners all work together. The NCCIC consists of four branches: the United States Computer Emergency Readiness Team (US-CERT), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the National Coordinating Center for Telecommunications (NCC), and Operations Integration (O&I). As mutually supporting and integrated elements of the NCCIC, these branches provide the unique authorities, capabilities, and partnerships needed to drive a whole-of-nation approach to addressing cybersecurity and communications issues at the operational level.

  • US-CERT provides advanced information sharing, incident response, and analysis expertise for malicious cyber activity targeting private sector and government networks. US-CERT’s global partnerships allow it to work directly with analysts from across multiple sectors and international borders to develop a comprehensive picture of malicious activity and mitigation options. US-CERT’s mission focuses specifically on computer network defense, and it is able to apply its full resources to supporting prevention, protection, mitigation, response, and recovery efforts.
  • ICS-CERT reduces risk to the Nation’s critical infrastructure by strengthening the cybersecurity of the systems that operate it. It carries out this mission by performing incident response to support asset owners with discovery, analysis, and recovery efforts, as well as by providing situational awareness through training, alerts, and advisories that warn of cyber-based threats and vulnerabilities affecting critical infrastructure assets. In addition, ICS-CERT conducts assessments and technical analysis of malware, digital media, system vulnerabilities, and emerging exploits, and partners with the control systems community to coordinate risk management activities.
  • NCC leads and coordinates the initiation, restoration, and reconstitution of the National Security/Emergency Preparedness (NS/EP) telecommunications services or facilities during any human-caused or natural event where physical communications infrastructure is damaged or vulnerable. NCC leverages partnerships across government, industry and international partners to gain situational awareness and determine priorities for protection and response. NCC’s presence in the NCCIC allows DHS to synchronize operational processes supporting both the physical and the virtual components of our Nation’s information and communications technology infrastructure.
  • O&I applies planning, coordination, and integration capabilities to synchronize analysis, information sharing, and incident response efforts, ensuring effective synchronization across the NCCIC.

Strategic Goals
The NCCIC works to proactively analyze cybersecurity and communications threats and vulnerabilities and coordinate its findings with partners to manage risks to critical systems; create shared situational awareness among public sector, private sector, and international partners by collaboratively developing and sharing timely and actionable cybersecurity and communications information; and rapidly respond to routine and significant cybersecurity and communications incidents and events to mitigate harmful activity, manage crisis situations, support recovery efforts, and assure NS/EP.

To accomplish its strategic goals, NCCIC relies on the voluntary coordination, collaboration, capabilities, and resources of its partners. The center works closely with those Federal agencies most responsible for securing the Government’s cyber and communications systems, including the Departments of Treasury and Energy. The NCCIC also actively engages with the appropriate private sector entities, information sharing and analysis centers, state, local, tribal, and territorial governments, and international partners. As integral parts of the cyberspace and communications community, these groups work together to protect the portions of critical information technology that they interact with, operate, manage, or own. These groups of stakeholders represent natural communities of practice providing the foundation for effective information sharing and response.

Threat Analysis
NCCIC collaborates with private sector, government, and international partners to identify, research, and verify suspicious, malicious, or potentially harmful cybersecurity and communications activity, events, or incidents. For example, US-CERT operates NCCIC’s Advanced Malware Analysis Center, which receives malware samples and other potentially malicious files from around the world. The Advanced Malware Analysis Center analyzes those files, shares that analysis broadly to alert partners to malicious activity, and provides them with actionable indicators and recommendations to improve their ability to protect themselves.

By understanding the nature of attacks, vulnerabilities, and risks, NCCIC is able to determine possible impacts, set priorities, and proactively develop and share effective mitigation strategies. NCCIC strives to anticipate potentially harmful activity and provide actionable alert and warning information to partners before they are impacted. NCCIC’s analysis efforts, whether focused on a new piece of malware or a tropical storm with the potential to damage critical communications systems, contribute directly to its information sharing, response, and protection and prevention capabilities.

Situational Awareness
The success of the NCCIC’s mission is heavily reliant on its ability to establish shared situational awareness of potentially harmful activity, events, or incidents across multiple constituencies, improving the ability of diverse and distributed partners to protect themselves. To do this, NCCIC integrates data received through its own analysis, intelligence community and law enforcement reporting, and data shared by private sector and international partners into a comprehensive series of actionable information products, which are shared with partners in easy-to-digest, machine-readable formats.

Multidirectional sharing of alerts, warnings, analysis products, and mitigation recommendations among Federal, state, local, tribal, and territorial governments; the private sector, including information sharing and analysis centers; and international partners is a key element of NCCIC’s cyber and communications protection and prevention framework. The NCCIC continuously works with a broad range of partners to explore and innovate new ways to enhance information sharing and move closer to network-speed communications.

Rapid Response
The NCCIC applies the collective capabilities of its partners and constituents to identify, prioritize, and escalate confirmed cybersecurity incidents in order to minimize impacts to critical information infrastructure. To ensure a 24x7 capability, NCCIC maintains cross-functional incident response teams, which draw from the capabilities of NCCIC’s branches along with expertise from elsewhere in DHS, such as the United States Secret Service (USSS) and Immigration and Customs Enforcement (ICE). Working under a voluntary request for technical assistance, these incident response teams analyze malware, review network logs, and assess security posture to identify possible malicious activity and its impacts, as well as mitigation and recovery options.

Recognizing the possibility of a cyber incident with physical impacts or a physical incident with cyber implications, NCCIC works increasingly closely with NPPD’s National Infrastructure Coordinating Center (NICC). This collaboration, directed by Presidential Policy Directive 21 (PPD-21), helps to ensure strong synchronization between DHS’s infrastructure protection efforts in the cyber and physical realms. In addition, the NCCIC assists in the initiation, coordination, restoration, and reconstitution of NS/EP telecommunications services or facilities under all conditions, crises, or emergencies, including executing Emergency Support Function 2 – Communications responsibilities under the National Response Framework.

These efforts provide a whole-of-nation approach to incident response, efficiently and effectively leveraging capabilities from across DHS’s partner base while implementing key policies.

Protecting Critical Infrastructure
Protecting critical infrastructure against growing and evolving cyber threats requires a layered approach. DHS actively collaborates with public and private sector partners every day to improve the security and resilience of critical infrastructure, to respond to and mitigate the impacts of attempted disruptions to the Nation’s critical cyber and communications networks, and to reduce adverse impacts on critical network systems.

DHS coordinates the national protection, prevention, mitigation, and recovery from cyber incidents and works regularly with business owners and operators to take steps to strengthen their facilities and communities, and through collaboration between the NCCIC and the NICC, integrates efforts across the physical and cyber domains. The Department also conducts onsite risk assessments of critical infrastructure and shares risk and threat information with state, local and private sector partners. NCCIC enhances situational awareness among stakeholders, including those at the state and local level, as well as industrial control system owners and operators, by providing critical cyber threat, vulnerability, and mitigation d