
ANSWERS TO POST-HEARING QUESTIONS

Responses by John S. Leggate, Chief Information Officer and Group Vice President, Digital & Communications Technology, BP Plc., United Kingdom

Questions submitted by Chairman Sherwood L. Boehlert

Q1. Measuring Cyber Security

Q1a. How do you measure your company's cyber security?

A1a. We assess our capability to manage security vs. the risk, assessed through a combination of assessment of threats against the company, the potential weaknesses in systems and processes and the impact that such exposures could have.

Q1b. How do you determine if your company's level of cyber vulnerability is being reduced?

A1b. The assessment approach stated above measures risk reduction activities such as device patching and the relevance of such actions.

Q1c. How do you decide what is "secure enough"?

A1c. The impact assessment, measuring financial and non-financial impact (such as safety, environment, effect on society, regulatory compliance and reputation) determines whether something matters to the company. The likelihood of the event, assessed by threat intelligence and effectiveness of controls, determines how much action needs to be taken.

Q1d. Are there specific metrics you use in evaluating the cyber security of your company?

A1d. We use specific metrics relating to the effectiveness of particular controls or the trend of threats. We have a scale used for assessing impact for the most significant risks. (Broader concepts such as value at risk have as yet proved illusory in the case of operational risks.)

Q1e. How should the Department of Homeland Security (DHS) determine if the Nation is making progress?

A1e. Firstly, through risk assessment of security: what is at risk and how well is it protected, the capabilities deployed, measured in the form of skilled people, deployed security technologies and processes. Secondly, through the number of security events being reported.

Q1f. Are government mandates needed to increase the progress and get to "secure enough"?

A1f. The government should always avoid mandating specifics, as true knowledge of the most appropriate control always exists within the sector (no matter which sector). However, government should mandate processes and actions that ensure that cross-sector risks are identified and picked up and that sectors measure themselves against their own standards.

Business Case for Cyber Security

Q1g. Within your company, how do you make the business case for the costs associated with more secure information technology products? What can the Federal Government do to help you make this case and make investment in cyber security more attractive?

A1g. The security requirements for information technology products are generally little more than the basics of good integrity, i.e., no vulnerabilities. The addition of simple security measures like firewalls and anti-virus and next generation protection of data is just good business. No special action is required outside normal good business practice. The government need take no additional action.

Q2. Information Sharing

Q2a. What information would you find most helpful to receive from the government (especially DHS) or from other companies when you are making decisions related to what cyber security you need, or when responding to an attack or an incident?

A2a. Threat information about new risks and problems being encountered in near real-time.

Q2b. What information have you been asked for by DHS that you feel uncomfortable providing and why?

A2b. Detail of security events and known vulnerabilities. We have no assurances as to the protection of our information, who has access to it and how it will be used. Additionally, we are concerned that there will be demands put on the individuals dealing with the incident that are not in the best interest of our company.

Q2c. What are the principal barriers to information sharing? Are changes in the legislation or regulations needed to overcome these barriers?

A2c. Simple trust between one person and another. It takes time to build and needs processes to bed in before it works. Changes in process such as a move from ISACs to central DHS actions were a backward step in this fragile trust model. Government funding to help the information sharing infrastructure is invaluable in getting over the lead time between starting and seeing value (which is a barrier for company funding).

Q3. Responding to Cyber attacks

Q3a. If the information systems of a critical infrastructure company were attacked today, is the U.S. prepared to detect the attack and repel it or repair the systems quickly?

A3a. It depends on the industry, the nature of the attack and the company itself. Response would range from excellent to poor. As a whole, the U.S. Government would probably not be of much help in helping critical infrastructure companies; however, the companies themselves may be prepared to handle the majority of attacks.

Q3b. What about if it were an attack on the Internet?

A3b. There is no coordinated response to an Internet attack. Recovery would be by ad hoc action and, if unlucky, could be catastrophic if the impact spread across sectors. Lots of very good technical people work on an ad hoc basis but there is NO strategic plan or coordinated effort.

Q3c. What role can and should DHS and other public and private organizations play in these response activities?

A3c. DHS itself can do little in the response; this has to be done by the companies that own the infrastructure itself. DHS can help best in analysis, preparedness and planning.

Q3d. What are the barriers to DHS, companies or other organizations providing a quick, effective and coordinated response?

A3d. Poor planning and lack of understanding of interdependencies and weak points, but most of all TRUST. DHS has done little to foster trust with the critical infrastructure companies.

Q4. International Cyber Security

Q4a. In your experience working with multiple Federal Governments on cyber security, what notable differences exist between the approach of the U.S. and that of other countries?

A4a. The U.S. approach is paradoxical: there seems to be good funding in total, but this is not integrated into a focused program. The lack of continuity and lack of seniority in the cyber security part of DHS has led to fragmentation of the program, with many activities being started but few big wins to point at. Cyber Security has taken a back seat, especially in R&D; DHS S&T is only spending about $15 million on cyber security.

Q4b. Are other countries supporting activities that the U.S. should be doing too?

A4b. Delivery of specifics such as practical solutions from funded research, novel cyber-intelligence, and user-led security solutions fora have all been seen to add great value in the programs of some other countries.

Q5. What is the Department of Homeland Security doing to foster private sector efforts in cyber security and what could the agency do that it is not doing now?

A5. The ISACs presented a great opportunity for private sector engagement, but DHS has programmatically eliminated independent ISACs. The initiatives should be given focus and direction to have specific rather than generic work programs.

Q6. Are effective practices, procedures and technologies now available to guard against the adverse impacts of cyberspace vulnerabilities?

A6. As we digitize more and more we need to have a significant improvement in software engineering to create systems of adequate integrity. This philosophy is still not present in the IT industry.

Q7. Are there shortcomings for particular critical infrastructure areas?

A7. As traditional process control technologies such as SCADA/DCS continue to integrate with Commercial Off The Shelf IT systems we see vulnerabilities and threats being introduced into environments that cannot be changed to deal with them. A new class of co-existing security protection is required to address legacy systems until such time as new, built-secure technologies can take their place.

ANSWERS TO POST-HEARING QUESTIONS

Responses by David E. Kepler, Corporate Vice President of Shared Services and Chief Information Officer, The Dow Chemical Company

Questions submitted by Chairman Sherwood L. Boehlert

Q1. Measuring Cyber security

• How do you measure your company's cyber security?

• How do you determine if your company's level of cyber vulnerability is being reduced?

• How do you decide what is "secure enough"?

• Are there specific metrics you use in evaluating the cyber security of your company?

• How should the Department of Homeland Security (DHS) determine if the Nation is making progress?

• Are government mandates needed to increase the progress and get to "secure enough"?

A1. Dow Chemical has a disciplined process to manage risk and address cyber security in our company. The metrics established in this framework allow us to analyze our effectiveness against priorities, understand internal support for addressing these priorities, and identify strengths and areas for improvement in our efforts. This framework also provides a valuable mechanism to compare our own priorities and self-assessments against those of peer companies. Our processes are based on industry standards and best practices.

Today's world requires us to maintain constant vigilance and effort to ensure our security. There is no foreseeable point where we as a company can declare we are "secure enough." We must continue to assess our risk and vulnerabilities, applying the necessary investments, resources and management systems to effectively manage risk and mitigate vulnerabilities on an on-going basis.

The Department of Homeland Security (DHS) cannot be everything to everyone. Instead, it is in our national interest for DHS to place a priority and focus on cyber threats of significant consequence that could interrupt our nation's critical information and communications infrastructure or cause significant disruption to our economy. DHS should be measured by how well they plan, defend, and respond to such threats of national consequence.

Q2. Business Case for Cyber Security

Within your company, how do you make the business case for the costs associated with more secure information technology products? What can the Federal Government do to help you make this case and make investment in cyber security more attractive?

A2. Information systems are critical to Dow Chemical's business operations and are integral to the competitive advantage of our company. Ensuring the reliability and security of our systems, processes, and information is of the utmost importance. The business case for cyber security is very simple for us. If our critical information systems or manufacturing control systems are compromised, our ability to conduct business is compromised. Investments are based on impact to our current operations and stakeholders, not for benefit return.

Q3. Information Sharing

• What information would you find most helpful to receive from the government (especially DHS) or from other companies when you are making decisions related to what cyber security you need, or when responding to an attack or an incident?

• What information have you been asked for by DHS that you feel uncomfortable providing and why?

• What are the principal barriers to information sharing? Are changes in the legislation or regulations needed to overcome these barriers?

A3. DHS should strive to provide specific information regarding pending threats, likely attacks, and recommended response plans where possible. Although understanding this is not always feasible, it is necessary to have an ongoing, two-way dialogue with critical infrastructure sectors on the current threat environment, likely trends, and potential mitigation options.

We believe DHS has established programs, such as PCII, and continues to revise these programs as necessary to enable the effective sharing of information from the private sector to DHS. However, we believe DHS and private sector communications need to be protected in both directions to enable dialogue on highly sensitive areas. PCII only protects information we submit; it does not promote reverse sharing. An additional concern is the growing number of requests from federal agencies outside DHS and State agencies for security and proprietary sensitive information that could otherwise be protected as PCII. If requested under broad authority granted by various laws and statutes, the information would be considered "independently obtained," and would not be protected under existing DHS programs.

Further, even programs within DHS, such as protection of SSI, are not consistent with PCII and do not offer equivalent protections. Efforts must be taken to harmonize the protection of information within DHS and across all governmental agencies to ensure that critical security information is not compromised and that development of important security information and sharing of such information is encouraged. We believe that DHS should be empowered as the central agency responsible for the protection of security sensitive and proprietary sensitive information. Redundant requests from other agencies should be limited, and if information sharing is required across federal, state and local agencies, it must have the same level of protections provided by PCII.

Q4. Responding to Cyber attacks

• If the information systems of a critical infrastructure company were attacked today, is the U.S. prepared to detect the attack and repel it or repair the systems quickly?

• What about if it were an attack on the Internet?

• What role can and should DHS and other public and private organizations play in these response activities?

• What are the barriers to DHS, companies or other organizations providing a quick, effective and coordinated response?

A4. The U.S. must be prepared to address high consequence cyber attacks to our nation's critical information and communications infrastructure. Research and development efforts need to be focused on how best to anticipate and model, detect, defend, and respond to significant interruptions to the Internet and communications infrastructure. More needs to be done to focus attention on these high risk concerns, ensuring adequate planning, resources, and management structure are in place to respond to these high-risk scenarios. Less engagement in security and reliability solutions is needed, as this is being addressed by marketplace forces.

Questions submitted by Representative Eddie Bernice Johnson

Q1. What is the Department of Homeland Security doing to foster greater private sector efforts in cyber security and what could the agency do that it is not doing now?

A1. DHS is currently initiating a number of projects they believe will increase cyber security in the private sector. However, these efforts are not well coordinated with the private sector and appear to lack coordination within the agency itself. A chartered engagement with the Chemical Sector's Security Program is needed to understand and address the highest areas of risk to our country as it relates to the chemical sector.

Q2. Are effective practices, procedures, and technologies now available to guard against the adverse impacts of cyberspace vulnerabilities? Are there shortcomings for particular critical infrastructure areas?

A2. Speaking for the chemical industry, we have established the Chemical Sector Cyber Security Program to create guidance and reference procedures as well as best practices across our industry. For over three years, this program has actively engaged to educate large and small chemical companies and to build guidance into industry programs such as the Responsible Care Security Code.

Although technology is improving, the current approach of releasing software and infrastructure with security vulnerabilities that require patching later must be addressed. Information technology providers must more thoroughly test their products for existing security threats and apply necessary protections against anticipated future threats. The market appears to be working, incenting companies to provide much more secure software and systems. However, if this trend does not continue, government intervention may be needed to ensure information technology is fully
