Thursday, January 29, 2015

Thoughts from Senate Testimony

Yesterday I testified to the Senate Homeland Security and Government Affairs committee at a hearing on Protecting America from Cyber Attacks: The Importance of Information Sharing. I'd like to share a few thoughts about the experience. You may find these comments helpful if you are asked to testify, or want to help someone testify, or want to influence the legislative process.

This was my fifth appearance at a government hearing. In 2012 I appeared before the U.S.-China Economic and Security Review Commission, and in 2013 I appeared before the Senate Armed Services Committee, the House Committee on Homeland Security, and the House Committee on Foreign Affairs.

The process starts with a request from committee staff. They asked if I would be available and willing to testify. If I had decided to decline, they generally would not have forced me to appear. The exception would be some sort of adversarial hearing. This sort of hearing, by contrast, is intended to educate the legislators and the public about a certain topic.

Two days prior to the hearing I had to submit written testimony, available here as a PDF. Writing this document wasn't easy. The committee staff asked me to address specific questions about adversaries and threat intelligence. I had to strike a tone and write in a way that would be accessible to the Senators and staffers, while conveying the right information.

I spoke in one of the conference rooms in the Dirksen Senate office building. The location is open to the public, but you have to pass through a metal detector. There was room for about 100 people in the chamber. The attendees are a mix of press, staffers, and interested citizens, along with the witnesses and our colleagues.

The hearing starts when the chairman decides to begin. Senators and staff enter and leave as they wish. Votes were happening during the hearing, so Senators left to vote. A camera, shown in the lower left of the picture above, records the event and broadcasts it to the Senators' offices. They can watch remotely, in other words. A court stenographer seated in the well creates a transcript in real time.

As you can see in the picture at left, I had to raise my right hand and swear to tell the truth before the committee. This was the first time I had to do that. Chairman Johnson said it was a committee tradition.

This was the first hearing of the new Congress, and some of the members were new to the Committee. The Chairman instructed them on the order for asking questions. Each got 5 minutes.

Witnesses had 6 minutes each for opening statements. In front of each witness is a microphone and an old-school digital timer. When you have a minute left, the light changes from green to yellow. When your time ends, the clock starts counting up from zero, and the light changes to red.

I had my statement ready to go, but the first witness ended about 2 minutes early. This set a possible expectation that we would all have to finish early. I started crossing out sections of my statement in order to limit the time I needed to finish.

When I spoke, I kept to my script, but I added color for certain points based on what I heard earlier. I also emphasized a few points based on my sense of the Senators' interest level.

After all the witnesses spoke, we answered questions from the Senators. I thought they asked good questions. They tended to stick with the content of the hearing, namely information sharing. At other appearances I have fielded questions on many aspects of "cyber security." I think the legislators are making progress trying to understand the issues.

One issue I didn't mention in my statement involved the Computer Fraud and Abuse Act (CFAA). I thought of the CFAA based on reactions from the security community, mainly in blog posts and Tweets. Chairman Johnson asked what obstacles he should expect when trying to pass threat intelligence sharing legislation. I responded that there is a trust deficit in the security community. I thought that reform of the CFAA to address some of the security community's concerns would help build goodwill and reduce opposition to other security-themed legislation. I reinforced this point after the hearing when Senators Johnson and Carper spoke privately with the witnesses.

It is important to know that legislators aren't just interested in complaints about their proposals. They are much more likely to want suggested language to change the proposal. That is the best case for both parties.

Sometimes it's not possible to identify a legislative solution to a problem. Sometimes legislation is not appropriate. I made this point when I said that we didn't need greater penalties for "hacking." I think we need reformed hacking laws that are enforced. I also said that it's better for the government to focus on inherently governmental functions, like law enforcement, that are denied to the private sector.

If you have any questions, please post them here or ask via Twitter to @taosecurity.
