
CSPAN To Be Announced March 9, 2013

Of them, that it remains a challenge area. DHS has taken a number of steps. The Secretary earlier mentioned the NCCIC. That is an area in which it has started to improve the sharing of information, through that mechanism. I also heard where DHS has issued a relatively large number of security clearances, which can help facilitate some of the sharing of information. But challenges still remain. We still find that, for example, it has not yet developed a predictive analysis capability, which would help lead to providing threat information, alert information, to private industry. As Mr. Kepler indicated in his prior remarks, it seems like that is still an area of improvement that can be made on the part of DHS and other federal partners.

Mr. Kepler, do you feel you have timely and relevant information from the government?

We do not get specific information. When we get to the point that we can mitigate something, to get back to who it was and where it was, and how we can address it in the future, that is rarely, if ever, given or known. We talked about industrial espionage. There is clearly, from the government's viewpoint, nation-sponsored espionage going on. I need the help of the government to address that. That type of information, and how to deal with that collaboratively, we do not get.

Let me add an element to a comment that is probably missing: making sure that DHS and federal partners have a feedback mechanism or loop where they can solicit and receive feedback from private sector partners on how well they are doing in providing cyber information.

How important is information sharing among others in the industry? How is that working today? What is needed to improve it?

Most of the industries in critical infrastructure, the challenge is to start to work across industries. Obviously, you look at cascading issues with power, with IT, to be able to share information. To bridge those stovepipes needs to be improved.
What is your biggest concern about the executive order implementation process?

One concern is, to my point a minute ago, this is cascading. When you think about a significant failure, which is part of the risk the executive order is supposed to address, to me, the thing we have to rely on is the IP suppliers and government, to make sure the communications networks work. That means we are focusing more downstream than upstream on what the fundamental issue is. Most of the area needs to be around cyber, the infrastructure we are building around the internet, and how that is being managed. We all rely on that, including the government, to work. The standards have been talked about a lot. Transparency and how we are going to do risk assessment, or is the gross risk of what could happen, but understanding what has been mitigated. I am concerned about how you develop a list of high-priority risk, to identify and start to apply the resources you are going to apply. You can create an environment where you create a list of generic issues, and risk things. We do not know how to get off that risk list. We have been under the physical side, and we have yet to get sites authorized, in terms of getting assessment against their authority. You add cyber into that. I think in the next half a year to a year, to try to get all that risk assessment done, that is an area that can have unintended consequences, unless we think through that clearly.

Let me follow up on that. As far as I am concerned, so far, it has been a failure. We have spent billions of dollars. We have very limited accomplishments there. It is not because we do not intend to. Cyber is five or six times more complex than that. If DHS cannot implement, and there has not been the same type of cooperative work in terms of standards, in other words, one of the great things about the executive order is, the President did have the staff say, bring industry and tell us what to do. There was upward communication.
That was somewhat lacking, in terms of CFATS, and is still lacking, in my opinion. What is your confidence level in DHS on cyber?

I guess that is my point. If you look at the way it is laid out and put together, I think it is a sound thought process. We support the concept of CFATS.

Do you have the personnel to work on that?

As it relates to realities out there in cyber, we have process control systems, technology, report cards. The issue is, do we have a confident structure to evaluate those risks, and then do the assessment and government to collaborate with it? That is where we need to improve. My impression is, it is more an oversight issue than a legislation issue.

Mr. Wilshusen, I made, in my opening statement, a comment that we have not seen a report on FISMA, or whatever you want to call it. You all found that only eight of 22 agencies are in compliance with that. That is a decline from 13 agencies in 2010. What is the problem?

We are also looking forward to receiving OMB's FISMA report. It usually provides a lot of information, especially where the IGs conduct overviews. That is one of the issues where, we have found, over the years, and why we have been designating federal information security as a high-risk area since 1997, because of agencies' (I won't say inability, but) lack of success in meeting the requirements for securing their systems.

Let me explain what that means, so everybody understands. Only eight federal agencies, at this time, out of 22, meet the guidelines for securing their network.

One of the statistics for assessing the risk, which kind of gets to Mr. Kepler's point. Agencies, that is one of the challenge areas. It is not an easy job, in terms of implementing security over time. The environment is constantly changing. New technologies are being implemented into the computing environment. The threats are becoming more sophisticated. And business practices are changing.
At the same time, it is important that the processes that agencies implement are the appropriate processes. Based on that risk, cost-effectively reduce those risks to an acceptable level. Make sure they are tested and remain appropriate. If we do not assess the risk appropriately from the very beginning, it has a cascading effect, in terms of other controls. Plus, it wastes a ton of money. In the federal government, we spend 64 billion a year on IT, and essentially 60 is wasted, because we do not contract appropriately.

President Bush issued HSPD-7 pertaining to critical information and cybersecurity, including information sharing with the cyber sector. This was 2003, 10 years ago. It assigns DHS similar tasks to those the agency was given in 2003. What is different?

A couple of differences is that HSPD-7 primarily focused on counterterrorism, whereas this particular executive order is looking at a more broad-based threat vector, if you will, including resiliency, and the like. The other difference is that NIST has responsibility for creating the cybersecurity framework.

Actually, they are responsible for creating voluntary standards that are going to be maybe not so voluntary after they are created.

That are labeled voluntary for a cybersecurity framework. I believe it is up to DHS and sector-specific agencies to develop a program to help encourage adoption of that framework.

I am over my time, Mr. Chairman. I would like for you to make a recommendation to Senator Carper and I on what you would see as the best oversight function we could have, in looking at how the presidential executive and the executive order is carried out. This is a complex area. None of us are computer engineers or electrical engineers. And having that guidance from you would be very helpful for this committee.

I would be happy to talk to your staff to do that.

Thank you. We share that information as well with Senator Rockefeller.
Next in order, Senator Cowan is next in order, followed by the Senator from New Hampshire, Senator Ayotte.

Thank you for your appearance and testimony today. My first couple of questions are to you, Mr. Kepler. Thank you for coming in. I hope you did not mind me referring to you having a platinum system in place. A couple of things. I wonder if you would tell me if you agree. It has been said that 85 percent of our critical infrastructure is owned by the private sector. If that is the case, would you agree that if the owners of that critical infrastructure fail to harden their systems, and we are subject to a cyber attack, that disruption or destruction of those systems could carry catastrophic consequence not just to private industry, but to governmental sectors? Do you agree with that?

Yes.

There has been a lot of talk, and I think a lot of agreement, that there is a need for more and better information sharing, and issues surrounding that. Do you think, are you satisfied, from your perspective, you look at these issues not just for Dow, but for private industry as a whole. You think if we have better information sharing, and some of those protections, we will have done enough to ensure that, at least at a minimum level, we are doing enough in the government and private sector to thwart cyber threats?

I think the information sharing is the one that lacks the most. The reality is, if you think about how you mitigate risk in general, it is around applying technology, creating disciplines with standards and management systems, and having information sharing about what is going on externally. Over the last 10 years, we have built up capability, and the standards have evolved and not. The industry developing operating discipline around this is healthy. What is missing is a willingness to share technical information. We are getting attacked. We do not know who will. The threat has changed in the last five years. There are resources that need to be addressed.
I think information sharing is a key area. I think the management system around this, we have a lot of rules. I think the management system, I think government has to help step up and address.

In my prior job in state government, one of the things I had to do was to oversee the regulatory process. I used to tell the team that the agency has to, before you regulate, hesitate. Think about the cost and the impact on businesses and others. When you think about overly prescriptive, what most concerns you that legislation might do?

When you talk to companies like ours, big companies, you go to some of these sectors, and there are more than 50,000 companies you have to deal with. Muni structures, if you are in water. One size does not fit all. You have to be able to assess the risk. The infrastructure is not all linked. You have to prioritize this. For me, that is the key area you have to work with the sectors on. What enemy are we trying to fight? What problem are we trying to solve? What are the highest risks to work on? That is the key area that needs to be addressed, or we will be applying standards to areas with low-priority risk in that approach.

Do you have a viewpoint of whether, if we had a floor, a baseline that everyone could look to or try to adhere to, that might better aid us to address the concerns?

That is my point. You have to have some commitment, some base floor, on the product to provide people, and how they get configured, and a responsibility and operating base on how you work on it. Dow can bring these technologies in. But a small business that may be linked into a supply chain of critical infrastructure cannot do that. I think that is where some of the industries who supply those products have to be involved, because they are smaller businesses with the same technologies that consumers use.

A question to you in the first instance, and maybe you can answer as well.
Picking up off the executive order the President issued last month, you spoke about the collaborative effort between industry and government to come together and work together on some issues. I wonder if either of you have an opinion about how useful it might be to create a task force composed of government, cybersecurity experts, researchers, and tech vendors to contribute to a database of cyber threats that could be accessed by industries in real time, or issue alerts? And you talk about information sharing, is that something you are thinking of conceptually?

Conceptually, we have US-CERT. We have NCCIC. We have the standard committees to work through. I think there is a cultural issue on information sharing. Government does not want to share it. And business is reluctant to share it. I think the legislation passed to go with the cultural aspect, and deal with the issues that have been excuses on our side. And the IP protection, and those things. Government, from an enforcement point of view, you are nervous about giving up your percent of the criminal. Government is nervous about trying to manage secrets. We have to create an environment where we can share key information on these threats. That is the critical issue.

I would say there is precedence, to some extent, in that there is a database called the National Vulnerability Database. It is not a database of threats, but it is a database of vulnerabilities that include, for example, software defects, defective software, and misconfigurations. Many tools are used to scan devices. They draw from that database to look for configurations and systems.

Thank you. Forgive my indulgence for going over my time.

Thank you for coming early and staying late.

Thank you, Mr. Chairman. I want to thank the witnesses for being here today on such an important issue. I wanted to ask, I have served on the Armed Services Committee as well.
BAE Systems is one company in our state, and they have invested over 100 million in their cyber defenses, which compared to Dow is probably small. One thing they brought to my attention is that they believed that the interaction they had in the Pentagon, with the Pentagon, that they believed they had a world-class ability to share information. They are a defense contractor, so that is a natural partnership, that there was a good collaborative model. One of the worries I have had, in thinking about this, I am new to this committee, and learning. I know there has been a lot of work done by others, and I certainly want to understand that work. As I look at the GAO report that was issued, I appreciate the work you did on that. You talk about information sharing difficulties in DHS. We have been talking about some of the concerns we have about DHS's capabilities. Are we trying to use any models from the Pentagon? Also, it worries me that we are going to have to replicate something that apparently, in the Pentagon, we are doing fairly effectively. How do we take those lessons? Can DHS get to a point where it is, frankly, as effective as some of the work being done at the Pentagon?

That is an excellent question. Indeed, the pilot program you are referring to, called the DIB pilot program, meaning the Defense Industrial Base, we issued a report over that program. As it happens, we have also made a recommendation in a report that will be coming out soon, so I cannot really talk about it yet. The executive order has a line in it, I think under the information sharing section, to look at that program, the Defense program, and expand it to the other sector, or the other critical infrastructure sectors. That is one of the activities that is planned.

Do you think that DHS will have the current capability to do that?
The Pentagon is obviously in a situation where they are dealing with a national security threat, but industries like Dow are dealing with international security threats. What is your assessment on DHS's ability? I understand there is a command to do that in the executive order, but how can we help them do that? What is your opinion on what the difficulties will be with that?

I do not think any of us want to invest in replicating things that already exist in the government, given the fiscal constraints we find ourselves in. It is good practice to learn from the efforts of others. What did not work, as well as what did work, and apply those lessons as you perform your own. Certainly, there is a lot of benefit to doing this, including for that particular pilot program from DoD. In terms of DHS's capability to do that, I guess we will actually find out. I must say that I can't really give you a clear answer on that, as we have not examined that particular issue. Their success in other programs previously has been, they have made some progress in several areas. As GAO often reports, more needs to be done.

That worries me. I hope that is something we talk about more in this committee. This is such an important threat to our country. It cannot just be, we are not sure. We obviously need to work together to make sure we can prevent the threats facing the country, and also our businesses, our economic growth. And I would say, Mr. Kepler, one thing that I certainly, in reviewing the executive order, want to understand. In my prior life, I was an attorney general. Thinking about liability protection for the private sector, how does any executive order fully get at the type of liability protection that the private sector needs, in light of the fact that, presumably, it is not just liability protection between the government and the industry that is being regulated, but also the liability protection of third parties?

I think that is the challenge.
In my comments, I said that is an area where legislation may be needed to address that. If you think about major things like terrorism, I think there are vehicles you can use. I think there are a lot of issues around intellectual property and legal things that are not really defined, and you start looking at issues around espionage and na
