The threat landscape is diverse, the best practices are changing, and the information you get may not always be reliable. The task can seem overwhelming and the stakes are high. In this context, I have found myself thinking effective cybersecurity cannot move at, quote, the speed of government. By that I mean cybersecurity is a 21st century public policy program just not manageable by 20th century government means. Regulations, mandates, and centralized action in general, these approaches are inadequate to match the pace of change. Congress needs to make sure that the government's role in detecting and responding to cyberattacks is clearly defined, that they're focused first and foremost on the security of federal information networks. Today we'll hear from the Department of Homeland Security and their cybersecurity work, how it is evolving, about their approach to this complex range of threats. With respect to individual actors and industries that are at the greatest risk of cyberattack, health care, education, financial services, retail, critical infrastructure, the proliferation of ransomware attacks has made clear that these entities have to take on the responsibility themselves on a day-to-day, minute-by-minute basis. All cybersecurity is essentially local. Today we'll hear from experts in state government, the health care sector, and public education on their experience with cyberthreats and incidents, and see the state of cybersecurity in these industries. Fortunately for both government and the private sector, the marketplace for cybersecurity services is continuing to grow and mature. We'll hear from one firm that consults with private and public entities and works with them to respond to cyber incidents. I would like to thank the Ranking Member for suggesting this hearing and I look forward to hearing from our panelists. Senator.

Thank you very much, Mr. Chairman, for working with me to arrange this hearing and for your opening comments.
I deeply appreciate the opportunity to continue working on an issue that I believe is critical to our economic security. State and local governments have been prime targets for cyberattacks for a number of years, but the stakes have only grown as COVID-19 has forced millions of Americans to migrate their everyday activities to the online world. Many students now learn from their teachers on a computer instead of in the classroom. Doctors treat many patients through telemedicine instead of in person. Governments handle many essential services online instead of at city hall. The massive increase in online activities over these past nine months means that the targets for cybercriminals have increased commensurately. Unfortunately, cybercriminals have taken advantage. One firm that tracks cyberattacks on schools and school districts reports that 44 attacks have occurred so far this school year, and many more likely went unreported. We will hear from the superintendent of one of these schools today. In the spring, Interpol warned that ransomware attacks against hospitals have grown significantly as hackers sensed an opportunity to extort money in ransom with hospitals overwhelmed with COVID patients. About a month ago, a cyberattack hit the University of Vermont Medical Center, forcing it to divert patients to other facilities, thereby jeopardizing the care of many patients, especially those in nearby rural areas who do not have the resources to travel to the next. The federal government has an important responsibility to help protect our communities from these threats. The Cybersecurity and Infrastructure Security Agency has done a commendable job helping our state and local governments, but the number and severity of attacks on our communities continues to increase. This hearing will help us identify ways for Congress and the federal government to better assist state and local governments in fending off these cyber attacks on our communities.
We have great witnesses who can help us work through these challenges, including the acting director, who we are happy to have here today. We are missing our original federal witness, Chris Krebs, because he was fired abruptly by the President two weeks ago. He served in a nonpartisan manner and approached the most important task, securing U.S. election infrastructure, with professionalism and tenacity. He was fired for doing his job, and we are less safe because of it. It is imperative we have strong, independent leadership going forward. As the Biden administration seeks to fill this position in 2021, I would encourage them to look to Director Krebs when considering his successor. Witnesses, I appreciate your willingness to testify. I want to thank you all for the role you play in keeping us safe. I look forward to learning from your experiences, as well as your expertise. Thank you, Mr. Chairman. I will proceed with introductions. We will start in the first panel with our federal witness. I'm pleased to introduce Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency at the United States Department of Homeland Security. He served as the executive director of the agency before being very recently elevated to acting director. In this role, he oversees CISA's efforts to defend civilian networks, manage risk to national critical functions, and work with stakeholders to raise the security baseline of the nation's cyber and physical infrastructure. Acting Director Wales, thank you for coming before the subcommittee today, and I look forward to hearing your testimony.

Chairman Paul, Ranking Member Hassan, and members of the subcommittee, thank you for the opportunity to testify regarding the Cybersecurity and Infrastructure Security Agency's support to state, local, tribal, and territorial stakeholders in mitigating a broad range of cyberthreats facing our nation.
Whether focused on election security, responding to the digital transformation, or addressing the plague of ransomware, I believe sustaining capacity will be the defining cybersecurity challenge of the next decade. This is my first appearance before the committee, and I'm honored to lead the men and women of our agency as we defend today and secure tomorrow. I want to begin by thanking the CISA workforce and the election security community for their work over the last four years, culminating in the November 3rd election. Our goal was simple: to make the 2020 election the most secure in modern history. We succeeded in building a robust community made up of state and local election officials, key federal agencies, and private sector election vendors; in surging the technical capacity of CISA to improve defenses nationwide; and in harnessing the capabilities of CISA, the FBI, the National Security Agency, the U.S. intelligence community, and the Department of Defense to identify threats, respond to incidents, and take action when necessary. As a result, layers of security measures were put in place by election officials, and the community acted quickly. For example, we were able to rapidly share information on Russian intrusions into state and local networks, and attempts by Iranian government actors to send spoofed voter intimidation emails were outed within 27 hours. Our election security mission continues, and CISA will remain in an enhanced coordination posture until after election results have been certified in every state. We also stand ready to support states holding runoff elections in the coming months, such as Georgia and Louisiana. This year has not only been focused on elections. Beginning in February, we have been working to support the nation's response to COVID-19, including helping to secure the development and distribution of potential vaccines. Since the pandemic's earliest days, we have seen cyberactors exploiting remote work.
CISA ramped up information-sharing efforts, established a telework resource hub, and surged cybersecurity services to high-risk entities. Now, under HHS Warp Speed, we're prioritizing service to companies to protect U.S. vaccine development and distribution. Recently, hospitals across the country were hit with ransomware looking to profit from disruptions of health care delivery. This was appalling but not surprising given the growth of ransomware incidents. Ransomware is quickly becoming a national emergency. We are doing what we can to raise awareness, share best practices, and assist victims. But improving defenses will only go so far. We must disrupt the ransomware business model and take the fight to the criminals. While election security, pandemic response, and ransomware may look different, the one thing they have in common is the reliance on the networks at the state and local level. These networks keep our communities running, despite global challenges. These are the networks that help us to respond to emergencies, these are the networks that run local hospitals and schools, and they are in need of urgent assistance. CISA is taking action by operationalizing partnerships, hiring additional coordinators to boost engagement in state capitals across the country, supporting cyber proposals in the FEMA grant-making process, and continuing to push CISA resources out from headquarters to where our partners are in states and communities. In conclusion, I want to thank the committee for its leadership on legislation that has advanced CISA's authorities, and for your support for legislation moving through Congress that will push CISA further. This committee has been an essential partner in our mission, and I look forward to continuing to work with you to defend today and secure tomorrow. Thank you, again, for the opportunity to appear before you, and I look forward to your questions.

Thank you. Senator Hassan had to go vote.
She'll be back in a few minutes. You mentioned Russia and Iran, and it went by quickly. You said there were attempts to change votes or to interfere in the election somehow? What did you exactly say?

Sure. The activity was different in both cases. In the case of Russia, Russia had launched a fairly broad campaign to target state, local, private sector, and federal networks using exposed vulnerabilities.

Using what?

Exposed vulnerabilities. Fairly well-known vulnerabilities they were looking for to get inside of networks.

You're talking about election networks that count votes?

We're talking about general networks; these could be private sector networks and things unrelated to elections. In one case, it did include where they compromised a local county network and downloaded information that had to do with the election.

This was not tabulation of the election?

Absolutely not.

What did you say about Iran?

Spoofed voter intimidation emails.

To your knowledge, there were no votes changed by a foreign actor, in fact, was that true? No votes were changed by a foreign actor that you know of?

We have no evidence that votes were changed by a foreign actor.

No attempts were directly stopped? Is there an existing voting network? You can't hack into a voting network that is sort of there?

We have numerous advantages, in part because we have a highly decentralized system. There's not an election network. There are hundreds and thousands of election networks across the country. In addition, the actual vote tabulation systems, those are not networked on the internet. The places where we see the most activity tend to be those highly centralized, internet-enabled systems, voter registration or election night reporting.
But in those cases, we did not see any adversary capable of compromising those systems.

It sounds like a general rule of thumb, if we are looking for advice on how to protect ourselves: the whole push of modern technology is to make us more connected, and maybe part of the advice is we don't need to be too connected, having separate systems. Is some of that advice taken within the federal government? You said we're protected in the electoral system because we have states and counties, and they're not completely integrated. We probably don't want to integrate or federalize things with elections. Is it true within the federal government that there's compartmentalization on purpose to try to protect against hacking?

One of the major recommendations to any entity is to be thoughtful about how you network your systems, where you should segment your systems, where you should air gap your systems. There's a reason why the classified networks that are operated by the intelligence community are not accessible readily through the internet. You want to keep those things separate. Same thing for industrial control systems that operate the most sensitive infrastructure in the country. You want to build additional barriers to prevent people from moving from small compromises onto parts of networks that could have more significant consequences.

How much of the problem with attacking a network is coming through an email versus another way of attacking a network?

Frankly, it varies. Coming through an email, that normally includes things like spear-phishing, where you get an email that says click on this, and all of a sudden a malicious payload comes and compromises your computer. Right now that has been one of the more significant ways we have seen networks compromised. Over the last year, we have seen a dramatic growth in people compromising networks by exploiting virtual private network software.
This is a result of the expansion of people teleworking, remote working, and a dramatic increase in the number

What does that mean? You are not attacking it through email, you are attacking it through the cloud, somehow?

Not necessarily the cloud, but if you are connecting through a virtual private network, which is the way that you call into your company's network: I'm at home on my laptop calling into my company's network, virtual private network, VPN software. There are vulnerabilities in some of the more common VPN software, most of which have been patched. If a company has not patched the vulnerability, an actor may be able to exploit the vulnerability. They're not logging into your computer. They're logging into your network and bouncing back into your computer. More importantly, they want to get into the network. They're exploiting that vulnerability to gain access. Once they're inside, using a variety of other vulnerabilities, they're trying to elevate their privileges. They have administrative capabilities, so they can create new accounts and they can do whatever they want.

What's a guess on the percentage? How much of this is an email problem? Is half of it email? 75? 25?

I would say half is spear-phishing related intrusions.

It seems like there would be a technological solution in some of that, in trying to protect email networks, maybe you have a separate network that never communicates. It communicates with each other, talks to each other, but never communicates with, almost somehow, complete separation of your email network from the rest of your network.

It's hard today given the amount of interconnection between the various tools that you use, in terms of any business. But most of the ways in which networks are compromised today are exploiting vulnerabilities where patches are available and where the solutions to mitigate these problems are readily available, and they're not being implemented by the IT security professionals at companies.
How rapidly does it change? How rapidly does someone have to figure out, you know, there's a brand-new phishing or, you know, technology?

You need to stay on top of it. Every day, new patches are released for software. It may not be every single day for every piece of software, but on any given day there are new patches that come out for software. IT security professionals need to stay on top of that, understand the vulnerabilities, and prioritize their efforts to close those vulnerabilities. The bigger the network you have, the more complicated it is.

When you come up with a patch, are you able to keep that secret from the criminals, or can they see the patch and respond to the patch?

They can see it. These patches are made publicly available so as many individuals as possible can protect their networks. It's a cat-and-mouse game. Every change we make on the defensive side, offensive cyber actors are going to look to see what they need to do to get around that.

When we have a state actor that is going after classified, and we have creative ways that state actors are using, are we able to share them with the private sector, or are we too worried that getting that knowledge out reveals that we know how to combat certain things? Are we sharing on a consistent basis knowledge that you gain with the private sector?

Absolutely. So the partnership that we have with the intelligence community, in particular the National Security Agency, is better than at any time in my entire history with the department. We are getting a significant amount of information from them: things they are seeing overseas, activity they are seeing from foreign nations, and getting that information declassified so we can get it out to people, whether it is a specific incident at an individual location or, more importantly, information that could benefit the entire community.
A lot of the alerts that we are pushing out, alerting the community to different tactics that our adversaries are using, are based on intelligence sources we are receiving from the intelligence community. That process is happening quickly.

Does it work both ways, are you getting information back from private industry as well?

There is a vibrant cybersecurity community right now that has grown up over the past decade. There's a lot of information out there for everyone. We rely upon information provided by private sectors, private security firms, to help improve our defenses at the dot-gov. There's a benefit to this community sharing as much information as possible, because that's the way we will have a more secure and more defended cyber ecosystem.

As someone concerned with privacy, I've been concerned. I'm all for telehealth and allowing the internet to allow us to see doctors remotely; I think it's a good thing. But I'm concerned about having a unique patient identifier, where all of our data goes into one place and is stored in one place. It goes back to compartmentalization. When hacked, 22 million records were released. I know it was a big mistake, and hopefully we have learned from that. But there is a danger. I think from a patient point of view, and the point of view that there are sensitive things, whether you've got an infectious disease acquired sexually, or a psychiatric disorder you don't want the world to know about, there's a lot of things that can be private. Starting with my father 20 years ago and continuing today, we have been trying to get away from a unique patient identifier that the federal government has. I think it would be nice if people could equate that not only with privacy, but also the idea of hacking: that the more centralized your health care records are, it might be easier, but it might be easier for bad actors to cause damage. Any thoughts on health care security with regard to unique patient identifiers?
I think the challenges you are describing are the same challenges we deal with in every cybersecurity challenge: how you balance the need to create more efficient, more effective systems with the risk that poses because of the nature of connected systems being potentially vulnerable. We encourage people to be thoughtful and take a really risk-based approach. How much information needs to be centralized? How much information needs to be networked? Once you make the decision, go to the next step and ask how you defend the information that needs to be networked to the maximum extent possible. If I'm going to have sensitive information that is accessible, I need to make sure my cybersecurity practices are going to be sufficient to defend that. I need to make sure my patch management is good. I need to make sure my configuration management is good.

I would conclude by saying the moral I get from your discussion on elections is there is some advantage to disconnectedness, compartmentalization, having counties, states, and federal governments be separate, where you can go to a county and verify an election. It doesn't go into some sort of mass network of computers. I think we are lucky to have this federal and state operation with regard to elections. But I think people need to think it through before the efficiency experts say it would be easy to have your medical records everywhere, at every doctor, all the time, everywhere in the U.S. It will be easy until a hacker gets in and all of your private information is all over the internet. Be careful what you wish for, some of those that want centralized things. There's a danger of losing your privacy. Thank you very much.

I thank you for what you just covered in your questions. I want to start with a question focusing on how we help state and local governments protect against cyber threats.
Your agency is responsible for securing federal information technology infrastructure from a wide range of cyber threats. It's widely accepted your work to secure the space is critical. However, some might argue it is not the federal government's job or responsibility to also try and secure state and local governments from cyber threats. Just let me ask you, does the federal government have an obligation or responsibility to also protect state and local governments from cyber threats?

Cybersecurity is a shared responsibility in multiple domains. CISA takes seriously the responsibility we have to utilize the information, knowledge, and expertise on cybersecurity to help all aspects of our critical infrastructure, whether they are state and local governments, private companies operating on a power grid, hospitals, or chemical plants. We have a responsibility to help them. Again, every system owner bears some responsibility for managing the security on their networks. So I think it's trying to figure out where their responsibilities and our responsibilities intersect. We understand that we have a lot of information and expertise we can provide. We can make sure they are armed with all of the information that we have been able to glean from the intelligence community, our own visibility into the cyber activity of our adversaries, and the tactics they are using. It's our job to provide that as broadly as possible to make sure they are prepared. Each of those individual asset owners needs to go through the process Senator Paul and I just discussed, the risk-based process to say how much security do I need in what parts of my network, and how can I put it in place to be as robust as is required by the risk I'm facing?

Thank you. To follow up, if a state or a community is vulnerable to cyber threat, how does that broadly impact the security of Americans who do not live directly in that state or community?
State governments across the country, and local governments, operate some of our most critical infrastructure, whether it's operating water treatment facilities in some states and communities, or municipal power authorities in others. At the state level, they also distribute significant amounts of funds through which federal programs funnel money. States are a critical part of our fabric for our economic and homeland security. It is an important interest of the federal government that states have as much of our cybersecurity knowledge and expertise as possible to help safeguard those critical systems.

Thank you. Various proposals have been introduced in Congress that establish a stand-alone federal cybersecurity grant program for state and local governments that would pay for cybersecurity upgrades at the state and local level. Without specifically evaluating each bill, can you please describe for me the elements and considerations that Congress should be thinking about if we authorize a grant program of this nature? Are there any elements of a grant program you view as must-have items?

We would be happy to work with Congress on what a grant program would be, how it can be structured to serve the maximum value. Until that time, we have been working closely with FEMA over the past year. FEMA has required, as part of its last round of Homeland Security grants, that a portion go to a set of high-priority items, including state and local cybersecurity. We spent the past year working with states, working with FEMA, to review the proposals submitted. I think this will provide us a good baseline to understand how states are thinking about investing in cybersecurity utilizing federal grants, and how we can provide additional information to them to better shape and focus those grants on the highest-risk aspects of their networks. Grant-making is obviously a complicated topic, one CISA doesn't have direct responsibility for managing.
So I would probably refer you to people at FEMA who know about the grant-making sausage. But at the more macro level, I think we have a lot to help shape grants, so they target the things we need to protect most. It reflects the true partnership that exists between the federal government and our state and local governments on cybersecurity.

Thank you. Cyber insurance is an important tool that helps companies and entities prepare for, prevent, and respond to cyber attacks. However, an August 2019 report revealed that if an entity has cybersecurity insurance, policy holders will use their cyber insurance policy to pay the ransom during a ransomware event, which is further incentive for hackers to launch ransomware attacks. The report shows that hackers target cyber insurance policy holders because the likelihood of the victim paying the ransom is much higher. During the COVID-19 pandemic, our increased dependency on online services may increase the incentive to pay ransom so critical services can be restored more quickly. Does CISA or your partner agencies know when an insurance company pays out a ransom?

As a general rule, we have recommended against paying ransom, in part because it furthers the business model, as I indicated in my opening remarks. Ransomware will not go away as long as the business model is viable, as long as they can do it. We generally focus our efforts on ransomware before an event happens: helping companies prepare themselves, states prepare themselves. We are generally not involved in decisions related to whether ransom is paid. That tends to be an individual decision, and they do not consult CISA.

Generally speaking, you may not know if a ransom or insurance payment has been made?

That's correct.

Are the cyber insurance companies working with you to tackle any of these negative incentives that drive more attacks?

I'm not aware of engagement with cyber insurance companies on that issue.
Do you think there's a role for Congress to play to help address this?

I think it is an incredibly challenging problem. No one has cracked the code on what the answer is yet. It's going to take more work between Congress and the executive branch to figure out the right tools we have to change the business model and disrupt the business model on ransomware, and make more progress in this space.

Thank you. I'm out of time. If we have a second round on this witness, I'll have one more question. Senator Rosen.

Thank you for holding a hearing on protecting our communities from cyber attack. During the COVID-19 pandemic, the number of cyber attacks has significantly increased. Cyber attacks are expensive and debilitating, especially for small organizations like schools, hospitals, and local governments. I'm glad we're coming together in a bipartisan way to talk about how we can protect vulnerable communities in this challenging time. I want to focus on school cybersecurity, because elementary schools and secondary schools face many challenges as they transition to online learning during the pandemic, including constrained budgets, bridging the digital divide, and continuing to educate and support our students. As they struggle to meet these challenges, they remain particularly vulnerable to hostile cyber actors. Earlier this spring, the FBI warned that K-12 institutions represent an opportunistic target to hackers. Many school districts lack the budget and expertise to dedicate to network integrity. Last August, the Clark County School District, Nevada's largest school district and our country's fifth largest school district, was the victim of a ransomware attack. The hacker published documents online containing sensitive information, including Social Security numbers, students' names, addresses, and grades. It is absolutely unacceptable. Government must help schools obtain the tools and resources to protect against and combat these kinds of cyber threats.
This is something I have raised with CISA and the Department of Education. Can you speak to what steps CISA is taking to prevent cyber attacks, including ransomware attacks like the one on the Clark County School District, against K-12 schools? How are you ensuring we are not having more of these in the future?

Thank you, Senator. Some members of the CISA team and the Department of Education are planning on briefing you in your office later this week on this topic. In the meantime, the first thing I would say is we have expanded our focus on K-12 education from the beginning, putting out additional information on how schools can improve their cybersecurity with their distance learning. We are encouraging schools to participate through the information sharing mechanisms that have been created, for example, the Multi-State Information Sharing and Analysis Center, a free resource that we have invested in from the department for state and local governments. School districts, schools, and IT service organizations are part of that. There are additional resources and tools states and school districts can take part in that can help ensure their protection against ransomware and other attacks. For example, it offers malicious domain blocking, so known malicious domains used by ransomware operators would be blocked from activity on those networks. But only about 120 schools are actively using that service that is offered for free today. What I want to see is, much like we have done in the past four years in the election security context, how do we build a national community with the school districts to get them focused on the security aspects related to their networks? That is not going to go away even after the pandemic is over. We need to arm them with the same information and resources, and that will start with them taking advantage of the no-cost services currently offered across the country to state and local governments and the entities that exist within them.
This is obviously a big problem; there are over 13,000 school districts across the country. It will take time, attention, and focus. I am confident that if the executive branch and Congress work together, we can find creative ways of leveraging the capabilities we have and getting more school districts signed up for these services.

I appreciate that, because I was going to ask you. I know that among the 13,000 school districts, when we talk about malicious ransomware, the districts may not have the capacity or any expertise to even take advantage of the free services. Are there grants that you can get to be sure the folks really sitting in those administrative offices can take advantage of the offer? But not all of them have the technical expertise, so what are you doing, what kind of programs are you offering?

What we put in place earlier this year are the basic, bare-minimum things you need to put in place to get to a baseline level of cybersecurity. It is geared for small and medium-size businesses, and also geared for large companies to send out to their smaller suppliers to get them to the level of baseline security. Step-by-step guides for how to get to a baseline level of cybersecurity: what are the things you can do, make sure you have challenging passwords, or two-factor identification, and how to set that up on your network, to make it more clear and easy for you to walk through. Communities can push those out even to their smaller school districts. This is the kind of information that is powerful in the hands of small companies, because the reality is, ransomware operators are looking to make money. If you've done the basics, put in place the bare-minimum levels of security, there's a good chance they will go on to the next victim and not target you. So even at a bare level you can have an impact and dividend for your overall level of security.

I appreciate that, and my next question would be the same kinds of things for our small businesses around the country as well.
I look forward to speaking with you offline about how we can get your message out for training and programs and all of these cyber initiatives to as many folks as possible. We can't afford not to communicate your hard work and what you have been doing. And people do need to take advantage of these programs.

Any help we can get in amplifying the work that is out there, the tools that Congress has invested in, are available throughout the country to utilize. We want more people to take up and use them. So anything you can do to get the message out and amplify the work we're doing, our agency is going to be grateful for. Thank you.

Thank you, Mr. Wales. I hope you'll be willing to respond to any questions we have in writing. I want to thank you for reminding us that decentralization is a part of our defense against hacking of our elections, and as a great fan of the federalist system we had set up from the very beginning, even in our modern age, decentralization and compartmentalization are part of our defense and can make our elections more reliable. Thank you very much for your testimony.

Thank you.

I join the chairman in thanking you for your testimony and your service. Please, to all the women and men you work with, take back our thanks as well.

I appreciate that. Thank you.

[inaudible] We're ready for our other panel, whoever is in charge of that. [indiscernible] Let's get started. We're doing the whole panel together. Everybody can come in. I misunderstood. These are virtual. Thank you to all of our witnesses for the second panel. Thank you for being here today. I will introduce each witness directly before your testimony. I will start with our first witness, Denis Goulet. I'm pleased to introduce him; he serves as commissioner of the Department of Information Technology in my home state of New Hampshire. The commissioner has served admirably since he was appointed in February of 2015. He also serves as president of the National Association of State CIOs.
Thanks for joining us, Commissioner, and thank you for your exemplary leadership to strengthen cybersecurity efforts in New Hampshire and across the country. I look forward to your testimony.

Good afternoon and thank you. Thank you for inviting me to speak today on the cybersecurity challenges that are facing state government. These have been amplified during the COVID-19 pandemic. As commissioner for the Department of Information Technology in New Hampshire and president of the National Association of State Chief Information Officers, I am grateful for the opportunity to highlight the vital role that state information technology agencies have played in providing critical services and ensuring the continuity of government throughout this health crisis. Cybersecurity has remained the top priority for nearly a decade. There's growing recognition at all levels of government that cybersecurity is no longer an I.T. issue. It's a business risk that impacts the daily functioning of our society and economy, as well as a potential threat to our national security. State and local governments continue to be attractive targets for cyberattacks, as evidenced by the high-profile cyberattacks. Inadequate resources for cybersecurity have been the most significant challenge facing state and local governments. It's straightforward. States are the primary agent for the delivery of a vast array of federal programs and services. According to our recent national survey, state cybersecurity budgets are less than 3% of their overall I.T. budget. Half of states lack a dedicated cybersecurity budget, and state CIOs are tasked with providing cybersecurity assistance to local government. They are asked to do so with shortages in funding and cyber talent. Almost all the CIOs have the authority and are directly responsible for cybersecurity in their state, and have taken multiple initiatives to enhance the status of their cybersecurity programs.
These initiatives include the creation of cyber disruption response plans, obtaining cyber insurance, and the implementation of security awareness training programs for employees and contractors. These initiatives are crucial as Congress considers the implementation of a cybersecurity program for state and local governments. For the past decade NASCIO has advocated for a whole-of-state approach to cybersecurity. We define it as collaboration among state and federal agencies, local governments, the National Guard, education (K through 12 and higher), critical infrastructure providers and private sector entities. By approaching cybersecurity as a team sport, information is widely shared and each stakeholder has a clearly defined role to play. I would like to reiterate my appreciation to this subcommittee for its attention to cybersecurity issues impacting state and local governments. If passed, these bills would greatly improve our cybersecurity posture and create new dedicated funding streams. The pandemic has exacerbated the cybersecurity challenges for state I.T. Since March, my colleagues and I have rapidly implemented technology to allow state employees to telework safely and effectively in this new environment. We have helped our state agencies quickly deliver critical digital government services to citizens, including unemployment insurance. In New Hampshire, I worked closely with our public health agencies to ensure they have the necessary tools to improve capabilities in the areas of testing, contact tracing, case management, data analytics and PPE inventory. My colleagues and I are honored to play a role in fighting COVID-19. We have taken on additional responsibilities and incurred new expenses while continuing to face an unrelenting cyber threat environment. I am truly concerned about how crucial I.T. and cybersecurity initiatives will remain funded in the coming months and years.
States have seen significant declines in revenue and will be forced to make difficult budgetary decisions. I know I speak for all of my colleagues around the country when I say that a dedicated, federally funded cybersecurity grant program for state and local government is overdue. Additionally, state and local governments should follow the lead of the federal government and begin providing consistent and dedicated funding for cybersecurity, which will also require them to match a portion of federal grant funds. I look forward to continuing to work with the members of this subcommittee on the creation of a grant program to improve our cybersecurity posture. This concludes my formal testimony. I'm happy to answer your questions.

Thank you. I think we will move on to the next two witnesses, three witnesses, and then we will return for questions. Is Dr. Torres-Rodriguez available now? She's back online. Dr. Torres-Rodriguez is the superintendent of Hartford Public Schools, one of the largest urban school districts in the state. Dr. Torres-Rodriguez was raised in Hartford and attended Hartford Public Schools. She has served as an education leader in the greater Hartford area for more than two decades. In September the Hartford school district was the victim of a cyberattack. Dr. Torres-Rodriguez, thank you for coming before the committee today, and I look forward to your testimony. Doctor, you might need to unmute yourself. Okay. So she's having connectivity issues, so why don't I do the other introductions and see if she's ready in a minute or two. Our next witness will be John Riggi, Senior Adviser for Cybersecurity and Risk for the American Hospital Association. Mr. Riggi is the Senior Adviser for Cybersecurity and Risk for the AHA, and he brings nearly 30 years of experience from the FBI, including serving as senior executive for the FBI Cyber Division program developing mission-critical partnerships with the health care and other critical infrastructure sectors. Mr.
Riggi, I look forward to your testimony as well today, and I think we should probably proceed with that while Superintendent Torres is reconnecting. So Mr. Riggi, please feel free to proceed.

Good afternoon, and thank you, members of the subcommittee. On behalf of our nearly 5,000 member hospitals and health systems, the American Hospital Association thanks the subcommittee for the opportunity to testify on this important issue, and we stand ready to assist as needed. AHA has a unique national perspective, stemming from its trusted relationships with the health care field and government agencies. The ongoing pandemic has resulted in a significantly increased cyber threat environment for health care providers. For example, this past October 28th, the FBI and HHS issued an urgent warning of a ransomware threat to hospitals, and this threat remains ongoing as of today. This threat also comes as hospitals and health systems are dealing with the COVID-induced cyber triple threat. The first threat is an expanded attack surface. In preparation for and response to COVID-19, the health care sector rapidly deployed and expanded network-connected technologies such as telehealth, telemedicine and telework. Unfortunately, this also greatly expanded network access points and opportunities for cyber criminals to attack. The second threat is increased cyberattacks: in conjunction with the expanded attack surface, cyber criminals have launched increased and relentless attacks on hospitals and health systems. The HHS Office for Civil Rights has reported a significant increase in hospital hacks since September 1, 2020, impacting millions of patients. Foreign intelligence services from China, Russia and Iran have launched cyber campaigns targeting health care to steal COVID-19 related data and vaccine research. Of all of the attacks, ransomware attacks are of top concern.
These attacks could disrupt patient care and deny access to medical records, resulting in canceled surgeries and the diversion of ambulances, putting patient lives and the community at risk. The third threat hospitals face is resource constraints as a result of canceled so-called elective services and those seeking medical treatment during the pandemic. It leaves limited funds available to recruit and retain scarce cybersecurity professionals. The above factors create the perfect storm for health systems. Regarding ransomware attacks, we believe the ransomware attack crosses the line from an economic crime to a threat-to-life crime and, therefore, should be aggressively pursued as such by the government. Most times they reach for adversarial agents. The combined use of intelligence capabilities along with economic sanctions to augment law enforcement efforts and reduce threats to the nation: the government can deter and disrupt these cyberattacks before they attack. We believe a hospital victim of a cyberattack is a victim of crime and should be provided assistance, not assigned blame. Despite regulatory compliance and implementing cyber best practices, hospitals and health systems will continue to be the targets of sophisticated attacks which will inevitably succeed, and the government often repeats the phrase "it's not a matter of if, but when." Unfortunately, when a breach occurs, the federal government's approach toward the victims of cyberattacks is sometimes inconsistent across agencies and may be counterproductive. For example, federal law enforcement agencies often request the cooperation of victims of breaches to further their investigations and to disrupt a threat to the nation. Subsequently or concurrently, a hospital or health system may become the subject of an adversarial investigation by the HHS Office for Civil Rights.
This can be disruptive and confusing for the victim and stifle cooperation with federal law enforcement. Given the critical need to defend health care during the pandemic, along with the cyber threat environment, we strongly recommend that additional safe harbor protections from civil and regulatory liability be made available to help victims of cyberattacks. In conclusion, hospitals, health systems and patients are heavily targeted by cyber criminals and sophisticated nation states. However, we cannot do it alone. Health care needs more active support from the government, including consistent and automated threat information sharing to help us defend patients and their data from cyber threats. Conversely, the federal government cannot protect our nation from cyberattacks alone, either. They need the expertise and exchange of cyber threat information from the field to effectively combat cyber threats. What is needed is an effective and efficient public-private cybersecurity partnership and a truly all-of-nation approach. Thank you.

Well, thank you so much, and I want to turn now back to Dr. Torres-Rodriguez. If you are able to join us, Doctor, we look forward to your testimony.

Yes. Good afternoon.

We hear you loudly and clearly.

Good afternoon, Chairman Paul and senators of the committee. I am Dr. Leslie Torres-Rodriguez, superintendent of Hartford Public Schools. We are the third largest school district in Connecticut, with approximately 18,000 students. I appreciate your invitation to address the committee in regard to the cyberattack that occurred in September. The cyberattack had extremely disruptive effects on our school system, our students and our staff. We were forced to postpone our first day of school on September 8th following a month of intense planning for in-person learning amidst the COVID-19 pandemic.
While our students have been attending school either in person or remotely for nearly three months now, we are still repairing and recovering from lingering effects of the attack. Hartford Public Schools and the city of Hartford were informed by our shared I.T. department, Metro Hartford Information Services, that early in the morning hours of Saturday, September 5th, we experienced a severe cyberattack, specifically a ransomware attack, which aims to take control of targeted servers and sell access back to the owner, back to us. The attack was unsuccessful overall, because Metro Hartford Information Services regained control of its servers without complying with the attackers' demands, thanks to recent cybersecurity investments and quick work by the Metro Hartford Information Services team. Based on initial analysis by the Connecticut National Guard and the FBI, the attack was likely conducted by a highly sophisticated actor, and so in one sense we were fortunate that we avoided the worst-case scenario. So our district team, Metro Hartford Information Services and our Mayor's Office worked late into the night on Labor Day and in the early hours of Tuesday, September 8th, to ensure that Hartford Public Schools' critical systems were restored so that the first day of school could proceed. Our student information system was restored around midnight, but as of 3:00 a.m. our transportation system was still not accessible, and our transportation company and our schools had no access to the student bus schedules, and so around 4:00 a.m. in the morning I did have to make the difficult call to postpone the first day of school. Fortunately, we were able to get our transportation system back online the evening of September 8th, and we opened schools for the first time since March on Wednesday, September 9th.
However, two weeks later our systems were still not yet fully operational, and the costs to address the problem, financially and in terms of resources and staff time, have been significant. While we have regained control of servers and data, preventative measures are ongoing and present significant challenges to getting operations back to normal. So, for example, all of our servers needed to be taken offline and reimaged or restored from backups. The total amount of information that needed to be restored was over 70 terabytes across the city and school system, which is a massive amount of information. Additionally, every computer that had connected to the district network before the attack, just before the start of the school year, had to be individually restored to factory settings before reconnecting to the network. So this required a very fast deployment of new laptops to hundreds of staff members, which then depleted the stock of laptops that we had to provide to students at a very critical time in the school year. While we had ordered laptops with the intention of ensuring every student had a district device at the start of the school year, that plan was set back as a result of the cyberattack. This was an especially difficult consequence of the attack, as many of the students were those who needed the devices to engage in their learning. These preventative measures impeded our ability to operate normally and for teachers to provide student instruction, impairing basic functions like scanning and printing and having access to lesson plans. I am proud of the work that has been done by our I.T. team and the support from the Connecticut National Guard and the FBI. However, we do have to protect our critical infrastructure by preventing such attacks in the future. And I thank you again for inviting me to participate.
While it was unexpected and damaging in many ways, I am grateful for the way that our state and federal agencies collaborated to address the cyberattack and assisted with the restoration efforts. We are all committed to serving our constituents, our students, in the best way possible. Thank you, and I'll be happy to answer any questions that you may have.

Thank you, Superintendent. I'll turn to the chairman for an introduction.

Our final witness this afternoon is Bill Siegel, CEO and co-founder of Coveware. Mr. Siegel founded Coveware to provide services to small and medium-sized businesses threatened by ransomware. They offer a full-spectrum suite of services, from identifying and closing vulnerabilities before an attack happens, to decryption and navigation of an attack that has happened, to recovery after an attack. Coveware and other private sector firms provide solutions that keep pace with the criminals. So we are excited to hear from Mr. Siegel about the state of the cybersecurity marketplace, what to do if your organization is attacked, and about low-cost steps that organizations of all sizes can take to enhance their cybersecurity posture. Mr. Siegel, you are recognized. Mr. Siegel, if you are with us, you are recognized. Is he disconnected? All right. Why don't we begin a round of questions with Senator Hassan, and we'll get back to Mr. Siegel's testimony when he gets back on?

Thank you, Mr. Chair, and I want to start with a question to Commissioner Goulet. Commissioner Goulet, you and I know all too well the challenges of putting together a state budget; giving more funding to the state's information technology budget might mean giving less funding to emergency services, education, public transportation or other critical priorities. Moreover, when recessions happen, state revenues decrease, which leaves budget officials with even harder decisions to make.
Commissioner Goulet, can you talk about the challenges states face funding cybersecurity upgrades as they deal with reduced state revenues from the recent economic downturn? Do states have the ability to adequately fund budgets and better protect against cyber threats?

Thank you for the question, Senator. We have recent data from our cybersecurity study, and I'll share with you the top five barriers to overcoming cybersecurity challenges for government. Number one, lack of sufficient cybersecurity budget. Number two, inadequate cybersecurity staffing, which really relates to number one. Number three, legacy infrastructure and solutions to support emerging threats; the older systems tend to be much more vulnerable. Number four, a lack of dedicated cybersecurity budget. And finally, inadequate availability of cybersecurity professionals. So I think that pretty well covers the gamut of the answer to that question.

Thank you. I appreciate that. I'll go on to complete this round. So Dr. Torres-Rodriguez, I want to thank you for participating in this hearing. All educators are facing challenges right now, but to suffer a ransomware attack on top of everything else you are contending with means that you are busier than most other educators. I want to start by getting a sense of where cybersecurity falls in the very long list of priorities that a school district like yours has. You mentioned in your testimony that there is a Metro Hartford Information Services. What sort of assistance do you get from them? Do you think that there are enough cybersecurity professionals to help the school district with the system you already have, and what sort of assistance from the federal government would be helpful, and did you receive any before and after the attack?

Yes. Just to give you a little more context, we have about 18,000 students and 3,400 staff members here in the public school system, and the shared I.T. department, which is managed by the city of Hartford, has six field I.T.
technicians in all, and there is one staff member assigned full time to cybersecurity, and that is across all of the city, you know, services. So there is an opportunity, if you will, for additional support there. With regard to the assistance from the federal government, Hartford Police and the FBI liaison there did investigate the attack and gather additional information, and the Connecticut National Guard provided assistance with the recovery effort for about four weeks, primarily helping to mitigate and reimage our district devices. That was prioritized and we are deeply, deeply grateful for that. The National Guard has a team that specializes in defensive cyber operations, and their support was critical in assessing the attack and helping the Metro Hartford team recover operations and help ensure security. Overall, their assessment was that this was a highly sophisticated and complex attack, and that the information services team took a wide range of appropriate measures, but it nonetheless did impact school operations.

Well, thank you for that. I'm going to turn now to Mr. Riggi. Thank you for your work for our nation's hospitals, both in terms of your current position and from your time working for the FBI. As a cybersecurity professional who focuses on preventing cyberattacks on hospitals, can you please lay out for us the type of attack that most worries you?

Thank you, Senator. As I mentioned in my testimony, the attacks that I'm most concerned about are ransomware attacks, which have the ability to disrupt patient care and risk patient safety. These types of attacks can lead to medical records becoming inaccessible at critical moments in treatment; even understanding drug allergies for a patient may not be possible, and in certain instances we've had ambulances being diverted to emergency rooms which were further away from the original intended destination.
So in the medical field, obviously, any delay in urgent treatment increases the risk of a negative outcome. So ransomware attacks, especially as we have seen the increase, are the top concern that worries us at the moment.

Well, thank you. If I have a chance, I'm going to return to you with one more question, but first I do want to turn back to Commissioner Goulet. Over the past decade, cyberattacks have increased in both their frequency and their ability to threaten our national security. Just as we have experienced with terrorism, the impacts of these cyber threats are not confined to far-off battlefields, but reach our states, our cities and communities. However, as the threat has increased, federal support for state and local governments has not increased commensurately. As you note in your testimony, only 4% of Homeland Security grant dollars have gone to support state and local cybersecurity over the past decade. Can you provide your analysis for why you think that federal funding for local efforts has not been commensurate with the threat? What do you recommend that Congress do in order to address this?

Thank you. I so wanted to address that question in more detail. Myself and my colleagues around the country have a queue of initiatives that we would do to help state and local governments and education, and really all of the state, if we had access to more funds. So we've done as much as we could with the federal Homeland Security grant funds that we were able to access to increase capability. In New Hampshire we built a nice cyber response program where we did a whole-of-state approach, but we really could do so much more with dedicated grant funding that flowed in a separate stream, and I think that although we are slowly improving our cyber posture in the state, we could very much accelerate the improvement of our cyber posture with dedicated grant funding.
And I would also like to reiterate that any such funding should include incentives to states to invest in a continuous manner.

Thank you, Mr. Chair.

[Introduction.] And if you're there, we'd love to hear your testimony.

Okay. Thank you. Thank you, Mr. Chairman, Ranking Member, and members of the subcommittee. Thank you for the opportunity to share the cybersecurity threats to state and local governments and small businesses. My testimony today is about [indiscernible] cybersecurity incidents and the perspective that handling thousands of these incidents has given us over the years. Before we could try and solve this problem, after we founded the company, we saw something was missing: there was no clear data being collected on these incidents, and you can't build safe cars without visiting crash sites and measuring skid marks and figuring out what happened. The company set out to build a large data set of what actually happens during these attacks. Right in the middle of these incidents, we work with insurance companies and law enforcement branches of all kinds. Data is collected from these incidents, and it has given us a fresh perspective. First, we contextualize the victims of these crimes. Second, we aggregate the data findings and try to publish our research to raise awareness of the common attack vectors that these actors use. And lastly, we provide a large subset of our data to law enforcement to augment their active investigations. A typical ransomware attack involves three phases. First is access. They're manually carried out; that means the threat actor is physically inside the network of the victim, typically using harvested credentials. Second is the encryption program that locks up computers and servers and deletes and encrypts backups as part of the process. And third is extortion. This is where, if the company is not able to restore backups, they are faced with the difficult decision of either having to pay a ransom or rebuild their network from scratch.
This is the decision that hundreds of businesses face every single day. So who are these criminals who carry out these attacks, and what drives them? After thousands of cases and much study, we have a clear picture of who carries out these attacks and why. By and large, the criminals that carry out ransomware attacks are financially motivated. Cyber extortion is their business, and in the manner in which they conduct their business, they follow strategies that maximize the increase of the cost. Why is cyber crime proliferating so rapidly? We estimate that a given ransomware attack can earn a single criminal tens of thousands of dollars with almost no risk and a profit margin of 90%. Economics 101 dictates that more activity will occur when the margins are driven this high in this economy. They're too profitable and too low risk to be ignored by would-be criminals. The cyber crime industry has innovated and aims to attract new participants by lowering the barrier to entry for criminals. Ransomware as a service [indiscernible]. This combination of a highly profitable business with low barriers to entry and a growing population is why these attacks are proliferating so much. There are various ways to apply pressure to cyber crime. We offer one that would be an effective means of curtailing activity. When we look at our own data, one number stands out. Quarter after quarter for the last two and a half years, the Remote Desktop Protocol is consistently the most used vector by ransomware actors. Fixing it is free, and all it requires is a bit of time and effort. As an example of how effective closing the vulnerability can be, we cited in our written testimony a case where a group set out to proactively reduce the ransomware attacks that occurred. They contacted these companies after scanning the network and advised them of the vulnerability and this issue. The result was a 60% reduction in ransomware attacks. This is a free fix. All it took was a bit of elbow grease. This recommendation is just one example.
We feel that there are further ways to attack the economics of cyber crime. While proactive security, new policy initiatives and the relentless pursuit of these criminals by law enforcement will never have substitutes in this fight, we think working big to small and reducing the profitability of cyber crime can produce immediate and material results. Thank you to the chairman, and I look forward to your questions.

Thank you for your testimony, and I will turn it over for further questions to Senator Hassan.

Thank you, Mr. Chair. I do want to return to our witnesses with some follow-up questions, and Dr. Torres-Rodriguez, I'd like to start with you. You talked about the ransomware attack that the Hartford school system experienced. Now that it has been a few months since the cyberattack, could you please share with us what steps you've taken so far to prevent future attacks and what lessons you have learned?

So prior to the attack, the city of Hartford had invested $500,000 upgrading the security system for Metro Hartford Information Services, which is the shared services. So that alone, you know, helped us actually not have as significant an impact as we would have had. And since then, new endpoint security software called Carbon Black has also been implemented and installed on approximately 4,000 of our devices. What Carbon Black does is leverage predictive security; it is designed to detect malicious behavior and help prevent malicious files from attacking an organization, and it can also assist with rapid restoration of critical infrastructure, which was one of our lessons learned, should an attack happen again in the future.

Thank you. And I want to talk again to Mr. Riggi as well. You mentioned in your testimony some of the critical need for information sharing.
Can you please lay out for us your assessment of cyber threat information sharing between the federal government and hospitals across the country, and between hospitals? Is it adequate, or could more be done to improve cyber threat information sharing?

Thank you, Senator. Well, I think I would characterize it as greatly improved compared to when one of the functions that I ran at the FBI was to disseminate information, as we were just understanding how vital that information sharing is. One area where it has been improved has been the timely and actionable notices, highlighting the October 28th notice. For that information to be declassified and come out so quickly, I think, is very commendable, and to come out jointly by all three agencies, very commendable. However, there needs to be more improvement in the sharing of cyber threat information: sharing it in a more automated and broad manner, and also the sharing of classified information where possible with trusted health care contacts. So it has improved, but I think we still have a long way to go.

Thank you. Can you also give us, because I understand that you work with hospitals across the country to help secure them from cyber threats, can you give us the typical profile of a hospital cybersecurity staff, and how do small and rural hospitals differ in terms of cybersecurity professionals and resources as compared with major metropolitan hospitals, for example?

Yes. There is quite the range and spectrum of resources available, and the profile varies widely, generally from small to large urban centers. Generally, smaller hospitals have fewer resources, in terms of financial, human and technical resources, to devote to cybersecurity. In many instances, these smaller, more financially challenged hospitals add on cybersecurity as a duty to, for instance, the chief information officer or I.T. director. Larger systems may have the luxury of having a very large staff.
Some multistate systems may have hundreds of people devoted to cybersecurity. However, they have vastly more complex systems and networks to protect and defend. So it varies widely. What I can say is that almost all hospitals now highly prioritize cyber risk as an enterprise risk issue and are seeking to bolster their defenses. But they do struggle under the reduced revenue that they're facing as a result of COVID-19.

And is that reduced revenue the major impact that you've seen with COVID-19 on this particular issue, or are there other ways that COVID-19 has affected, for instance, the staffing for hospital security, cybersecurity?

I think the reduced revenue has impacted staffing in the sense that certain hospitals may not have the financial resources to recruit and retain individuals. We have not seen a direct impact of COVID-19 reducing hospital cybersecurity staff, although there have been scattered reports of just general reductions in staff. But ultimately I think that the staffing issue is a challenge for all sectors. Quite frankly, there's a zero unemployment rate for cybersecurity professionals, and hospitals are competing not only with other hospitals to recruit and retain, but with other sectors and the government.

Thank you. And I know that the health care sector has an Information Sharing and Analysis Center. Can you provide an assessment of how effective it's been in assisting hospitals, and what are its limitations, particularly for small and rural hospitals?

I think they've done a good job of getting information out. I know the folks over there. Good folks. They do a pretty good job. Some of the limitations may be in their reach, because they are a member-driven organization. They do require a membership fee. That fee is a sliding scale and may be fairly reasonable depending on the size of the organization. But, again, I think that the issue there is the reach and timely dissemination.
Often they rely on the government for the threat indicators as well. So I think part of the mission is to increase automated sharing of threat indicators, because the ability to share human to human and peer to peer is too slow. There still needs to be quite a bit of work done there, from both the government side and the private sector side, to increase that electronic bridge for cyberthreat information sharing.

Thank you. I have a couple more questions, but I understand that one of my colleagues, Senator Sinema, is online and ready to ask questions. I'll recognize you for your round of questions.

Thank you very much, Senator Hassan. Thank you to our witnesses for participating today. Even before this pandemic, cybersecurity was a critical issue in Arizona, with ransomware attacks on Arizona medical, education and government organizations. During the coronavirus pandemic, as more people go online for school, work and social interactions, we've seen an increase in system vulnerabilities across the country and in Arizona. Spending has also gone up as state, local and tribal governments work to support their communities' information technology needs. As such, federal cybersecurity support for state, local and tribal entities during this pandemic is critical. So today I'm going to direct my questions to Mr. Riggi. Medical devices with connectivity features are becoming more common in hospitals. In recent years, ransomware attacks on the medical community impacted not just hospital computers but also storage and refrigerators. As coronavirus vaccines are approved, hospitals and health care systems across the country will be asked to accept shipments and store the vaccines under very precise conditions. Has the American Hospital Association and its member hospitals created sound strategies to protect storage refrigerators and other systems that will be part of the storage and distribution plan?

Thank you, Senator.
I think our general guidance has been concerned with protecting all medical devices, and with ensuring that if they are in fact connected to networks, any potential vulnerabilities are identified and the devices are network segmented. We'll be closely monitoring the vaccine development and distribution, and we will certainly offer guidance to the field on how to protect those refrigerated devices. One of the main ways to protect them is to ensure that they're not network-connected, and if they are network-connected, to ensure they are segmented and isolated from main networks and potential threats.

Thank you. And in 2019, as you may or may not be aware, Wickenburg Community Hospital was hit by a ransomware attack. It serves a community of 8,000 residents. The hospital's four-person IT staff did not contact the cybercriminals to hear their demands. Instead, they began rebuilding the computer systems from scratch using data the hospital had backed up onto physical tapes. The attack happened on a Friday. By Monday, the systems were almost fully functional again. They were unique for a small hospital in that it had an IT team with the expertise to rebuild the system. You mentioned constrained resources and a shortage of qualified personnel as challenges to hiring qualified IT security experts. What needs to be done to overcome these challenges, and how can Congress help?

Thank you. I think further incentives, perhaps, to recruit and retain cybersecurity professionals to work in health care, perhaps modeling other programs across government that offer incentives for health care professionals, for doctors, to work in rural areas; perhaps we need something similar to that for cybersecurity professionals. As I said, unfortunately, there is a zero unemployment rate for cybersecurity professionals.
Increased training, perhaps, of folks displaced from other services, or retraining of veterans as cybersecurity professionals, may also be another plausible route to staff these positions.

Thank you. The University of Arizona Medical School has studied the vulnerabilities of medical devices, and they invited doctors, security experts and government agencies to simulate an attack on an insulin pump in 2017. As you know, medical devices are regulated by the FDA for both safety and effectiveness. What discussions have occurred between your hospital members, government regulators and device manufacturers to prioritize medical device security needs?

We've been engaged quite a bit with the FDA concerning their premarket and postmarket guidance. Although this still remains guidance, our position has been that we would like to see most of that, if not all of that, made mandatory, so that the manufacturers would have to comply with some of the guidance involving security by design: making sure those features are built in, that a software bill of materials is provided by the manufacturer to the end user so they can understand what the potential vulnerabilities may be in there, and also providing lifetime support for the medical device, especially in terms of security upgrades. So we're constantly monitoring that. One of the things we advise our hospitals and health systems is to ensure that there is adequate communication between clinical engineering staff and the information security staff as well, to keep an accurate inventory of medical devices, identify vulnerabilities which may be present in those devices, and ensure that they are network segmented, and of course that the most precious life-saving support devices, like ventilators, are the ones that are most protected and segregated.

Thank you. Thank you so much. Madam Chair, I yield back the balance of my time. Thank you for taking the time to talk to me about these concerns in Arizona.
My pleasure, thank you.

Thank you very much, Senator. I have a couple more questions, and then, assuming we don't have any other senators join us, we will adjourn. But I wanted to take the opportunity, Dr. Torres-Rodriguez, to turn back to you to get a sense of the impact that the recent ransomware attack has had on your community. As you discussed, it delayed the start of the school year. Can you share with us how teachers, support staff, parents and the rest of the community have been impacted by this cybersecurity attack, and how has the pandemic exacerbated these effects?

Yes. In terms of the ongoing operational effect of the attack, shutting down functions and servers did have debilitating consequences for a number of departments. For example, we did not have access to our financial management software for 17 days. So this caused delays in numerous financial processes, including our supply orders, year-end filing with our state requirements, grant filings, payroll, among other operations. And, you know, when I think about the broader implications, the disruptions to your school district, including that sudden delay to the first day of school after weeks of preparation, were disruptive to our families, given that already, as part of our COVID mitigation efforts, we did have a staggered, phased-in approach to return back to school. It caused disruption and confusion there. And the process of restoring well over 10,000 devices, right, laptops and desktops for students, teachers and support staff, was tremendous. It did require a heavy lift in terms of human capital and time, which is, you know, why we needed our IT department and the National Guard and the third-party technical support that we had to contract out for, because otherwise we could not have done it. It would have taken, you know, additional weeks to start our school year.
And so during this time, our teachers did struggle to deliver quality instruction to both the 10,000 students that were learning online at home as well as the 8,000 in their classrooms. As part of the planning last spring and into the summer, we did make the decision to become a one-to-one district, meaning one device per student, meaning that every student would have a district-issued device. There were over 2,000 devices that were no longer available for our students at the beginning of the school year, because we had to prioritize getting our teachers their devices to deliver the instruction. And as I think about those early weeks, some of our students did not have access to learning, and we serve communities that have concentrated levels of need. And so every minute, every day matters to us in terms of having access to instruction and the other social and emotional supports that our students need to have.

Thank you very much. Really helpful. I want to follow up on the issue of K-12 schools with you. Can you give us your thoughts, from the perspective of state governments, on how best to protect K-12 schools and hospitals? What role, if any, should state governments be playing?

Thank you, Senator. This is a great opportunity to highlight the whole-state approach we advocate. Going back to a concept that Senator Rosen brought up earlier, which was the concept of making our activities consumable by those folks we want to help. We have small-staff schools. You can't throw sophisticated things at them to absorb and have to do. I have been working with the Multi-State Information Sharing and Analysis Center on how we scale some of the programs originally designed for state governments, but that may need to be tweaked to be absorbed by school and local governments. That is one area. I think it is really about being collaborative, involving these entities.
For example, New Hampshire, on the schools side, has really been involved in the rollout of the minimum standards for privacy and security in schools mandated by the State of New Hampshire. On the hospital side, we involved local hospitals in disruption planning. When we heard what was going on at the University of Vermont Medical Center, we were able to reach out to IT professionals and find out what they were doing, and whether they were preparing for or watching carefully to avoid this cyber risk of ransomware in the hospital, which, as you heard, is horrendous. Those are small examples. I think really it is the collaborative whole-state approach. When I speak with people and try to bring them under the tent, there is no "I" in cyber.

Thank you very much for that, and thank you for your continued work for the people of New Hampshire. I have a short closing statement, and then I will go ahead, at the Chairman's request, and adjourn the hearing. First, I want to thank Chairman Paul for working with me to organize this hearing, and I particularly want to thank his staff, Adam and Greg, for their work in making this happen. I want to thank all of our witnesses for their testimony today, and for the role that you will play in helping to secure our nation from cyberattacks. Cybersecurity at the state and local level has never been more important, and it is incumbent on all of us to work together to solve the unique challenges posed. It's clear to me that state and local governments, our K-12 schools and our nation's hospitals all need additional resources and support to achieve their missions in the face of cyberattacks. I look forward to working together with the witnesses and the committee on solutions, such as a state-by-state grant program and improved information sharing. Again, thank you all for joining us today.
Our witnesses, I know how busy you are at this challenging time, and your contributions make a world of difference, and we are very grateful. Seeing that there are no other members seeking recognition, I will thank our witnesses again for their participation in this hearing. The committee record will remain open until December 16 for members to submit statements and questions for the record. And with that, this subcommittee stands adjourned. Thank you all very much.

[Captions copyright National Cable Satellite Corp. 2020] [Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org]