Minutes. [inaudible conversations] [background noises] good afternoon everyone and welcome. This is a joint hearing of two subcommittees a committee on oversight and accountability. What is the subcommittee i chaired the subcommittee on Cybersecurity Information Technology and government innovation. The other is a subcommittee to economic growth, Energy Policy and regulatory affairs. Which is chaired by my esteemed colleague from texas. Since this is a joint hearing will have Opening Statements of the chair and Ranking Member of both subcommittees. Thats a total of four Opening Statements i will tend to keep mine brief. Cybersecurity spent a major focus of our since it became a subcommittee chair and confirmed we as a nation are not prepared for the increasing the for cicada and Cyber Attacks that will be fueled by ai. Businesses and Government Entities in my district and across the country to face Cyber Attacks him and forced to pay huge sums of money and ransom the federal government itself still store Sensitive Data intensive minds of americans on century old legacy systems running on cobalt of all languages which i learned at the age of 21 over 20 years ago. Decades older than myself and chairman. Weve got a shortage across the country of 700,000 cybersecurity professionals with Job Vacancies strewn across the public and private sector. We need all hands on deck to fill the gap for thats white sponsored legislation eliminating unnecessary hurdles to see federal cybersecurity jobs, the government cannot be turning white people with much cyber skills just because they lack a fouryear degree. Cyber attacks come in different forms but today were focusing on ransom were attacks for these are intended to deny users access to files or entire Computer Systems for the perpetrators pledge to restore access of a ransom is paid off and charged additional ransom for not disclosing sensitive stolen data. These sorts of attacks are nothing new for they have existed for decades. But back then they were unsophisticated often unsuccessful in locking down systems. Immature hackers were trying to squeeze small ransoms from individual users. The field has now matured and grown. That became clear and may of 2021 when the hackers likely dn russia or Eastern Europe brought one of the major Gas Pipelines of this country to a standstill. The Colonial Pipeline went entirely offline briefly cost the federal department of transportation to declare emergency in 17 states and here in d. C. In order to keep a fuel supply lines effect when that hack happened when we saw the southeast in my home state of South Carolina that its in gass prices really start to increase and then they never went back down. The problem shows no sign of malicious actors are costly searching for errors of vulnerability at the height of covid truly demented actors targets like hospitals and schools. Even the ransom or supply chain has expanded. Hackers now off offer ransom or as a service to other criminal enterprises. The bottom line its too easy today for malicious actors to do too much damage make too much money with too few consequences. We need to engage in this fight at all level schools, hospitals, businesses cannot fight a battle alone against adversaries launching attacks from enemy nation states like russia and china and elsewhere prints going to take effective partnerships including federal Law Enforcement. That includes of figuring out how to better collect and share information about these attacks and of the attackers. As we will hear today the institutions victimized by ransom or has options but all of them are bad to either pay ransom of their unable to restore their normal operations the attackers threaten to release sensitive personal data that is installed in the case of schools and hospitals that include School Childrens education records and patient medical records but will hear today from representatives of the school and a hospital victimized by ransom or attacks per boston from cybersecurity expert whose current works include Counseling Companies that are targets and victims of these attacks i hope this hearing today will help educate us on the problem and it will serve as a step toward better addressing up her with that i ideal to the Ranking Member of the subcommittee mr. Connelly picnics think it madame chairwoman thank you for having this hearing a welcome tour witnesses. Were discussing the threats of ransom ware we cannot ignore the much greater cause by some Government Shutdown. The Cybersecurity Infrastructure will be forced to furlough more than 80 of its workforce. As we say we are concerned about cyber hacking and cyber threats. Without funding are crucial cyber defenses will be reduced and yet still hold responsibilities to respond to attacks internetworks and Critical Infrastructure. We cannot allow this to happen will be already know of the innumerable Malware Attacks costly threatening our economy, schools, Public Health, Critical Infrastructure and National Security. Ransom or is it burgeoning multibilliondollar criminal industry. In 2021 the estimated cost of ransom were damaged globally hovered around 20 billion. This year that numbers 30 billion 50 increase in just two years. The United States is a major target. Between january and december of 2022 known ransom or attacks on public and private networks in the United States increased by 47 . More troubling, these tallies include only those incense victims report. The recent resorts international hacks received considerable public attention these kinds of ransom or attacks also target Critical Infrastructure. 2021 the nicest government had to declare a regional emergency as noted madame chairwoman after the Colonial Pipeline was taken down. The largest fuel Pipeline System in the country. That instance was just one frightening reminder of what is at stake. State and local governments are particular vulnerable. They are responsible for storing much of our personally identifiable information. But they lack the cybersecurity resources protection. And funding as billion dollar conglomerates. Criminals also do not discriminate between a large metro areas and small towns. All sizes have been victims including mcallen texas, oakland, california and lowell, massachusetts. 82023 ransom or report found nearly 70 of the surveyed it leaders in state and local governments reported ransom were attacks. Just as troubling the report found educational systems are the most likely to be targeted. I ask unanimous consent madame chair to insert this report into the hearing record picnics without objection progress i think that sharper i know this firsthand from a ransom or attack in 2020 targeted the Fairfax Public School system the tenth largest School System in america which i represent. Members of this committee are well aware of how the coronavirus pandemic abruptly revealed how illprepared many state and local governments were did delivering Vital Public Services securely and remotely through their it platforms. Criminals took advantage of that in direct checks payments to families and Small Business loans and on and on. That is why during my tenure as chairman of the subcommittee which included the subcommittee we held hearings on the outdated it infrastructure raising Cyber Attacks on state and local governments. The hearing exam of the role of congress and the federal government and accelerating it modernization initiatives in response to the hearing we introduced house companion to the senate, state, local Digital Service act. This important legislation providing guidance and critically funding state and local government to form Digital Service teams focused on delivering fair effective secure public service. I certainly hope this congress will continue that work. Furthermore we help champion the bipartisan bill provided more than a billion dollars in investments to assist in public and private entities who fall victim to Cyber Attacks every year. Earlier this year the Biden Harris Administration also published its National Cybersecurity strategy which addresses these among other issues head on by laying out an action plan to disrupt ransom or criminals. It lays out four key pillars to disrupt them by one, lurching International Cooperation to disrupt the ecosystem the isolate those countries that provide safe havens. Two, investigating ransom ware crimes using Law Enforcement and other authorities to disrupt it and them. Third, bolstering Critical Infrastructure resilience to withstand such acts and forth addressing the abuse to wander ransom payment. The department of justice also continues hold ransom or criminals accountable most recently he is handling the network and more than 8. 6 million in crypto currency. Quick that is great but its a mock modern start important first steps. Much more has to be done i know will hear that from her witnesses today. I look forward to hearing the testimony working with you. Madame chairwoman and others and of course mr. Brown trying to crack and ultimately prevent ransom or attacks and i think your yield works thank you i will not recognize chairman for the purpose of this Opening Statement. Quick thank you. I do want to thank everyone for being here today as well i am grateful the subcommittee on Cyber Security are teaming up to talk about this very important problem. America relies on Technology Every day. When you rely on something when it goes down you become very vulnerable when it is gone. It has eight farreaching consequence when it is jeopardized. While ransom or attacks are digital files and hold data hostage until ransom is paid there to cost of Cyber Attacks go well beyond simply the money surrendered to perpetrators. Those wreak havoc on normal operating procedures of a company, a school, a hospital, forcing relocation of staff, lost revenue and damaged reputation per the following attack the institutions may have to completely re outfit their entire it infrastructure. Costly scrambling to redirect funds, earmarked for other investments or more investment in personnel mountain dew could get a cyber attack and were in our colleague from tennessee be . You might be making investments in teachers and other personnel to most Natural Resource thats going to be preventing new hires and making more efficient enough guilt ransom or attacks. Congress should be very concerned about the attacks where they originate from. The vast majority are coming from russia a country that could clearly does not have our best interest at heart. When these sort of attacks target essential sectors like the electric grid or Hospital System was south of high point or gbs a couple years ago they endanger Public Health safety and quite frankly put american lives at risk. We saw they can even have impacts far beyond the original attack into the larger economy again with Colonial Pipeline that reverberated and was very dangerous and very chilling for it as our world becomes more reliant on technology and unfortunately the opportunities for bad actors to use that technology for their own monetary political gain become more and more abundant. But no matter what the size of the attacker must prevent hackers from being able to use ransom or two up in american institutions and risk our nations prosperity and health and american lives but im grateful for her witnesses who are here today to share their story to help us examine the ongoing threat of ransom or attacks. During this hearing i hope to explore the role of government in helping prevent further attacks and punishing those that would go after our Critical Infrastructure. Where the governments providing resources for private organizations undergoing attacks of learning how to better protect our own systems i look forward to discussing potential ways congress can enable the Cybersecurity InfrastructureSecurity Agency the fbi and other federal agencies to better protect American People correct statement. And Ranking Member and thank thu to the witnesses. An issue threatening americans far too frequently, ransom or attacks. Criminals both foreign and domestic use ransom or to target everything and everyone private businesses, state and local government, hospitals, School Districts, and Critical Infrastructure. We have seen these attacks disrupt access to primary health care and Safety Net Services for our nations most vulnerable. But before i go any further we cannot sit at this hearing without addressing the terrible dangers we face with intending republican Government Shutdown. A Government Shutdown much like eight ransom or attack would be dangerous, destructive, and disastrous. The cybersecurity and infrastructure Security Agency, the agency that leads federal cybersecurity efforts as a National Coordinator for Critical Infrastructure security and resilience would have to furlough 80 of its employees as a result of a republican shutdown. We are talking thousands of critical workers, people with families and that is just one agency. The department of justice, the Agency Responsible for investigating and taking on criminal ransom were networks would also be forced to furlough thousands of employees. With a shut down extreme republican members would undercutorganization state and l governments relying on federal funds to prevent the crippling ransom or attacks we are discussing in this very hearing. And those late fees, they add up. In my home state ran some ware thieves targeted the Ohio Employment system in july preventing thousands of ohioans from receiving benefits and in march the lakeland county Lakeland CommunityCollege Next Door to my district was victim of cyberattack that compromised data of nearly 3,000 individuals. Now the Bidenharris Administration has made defending against these kinds of attack a top priority. Thanks to the bipartisan bill, the administration is currently providing 1 billion in cybersecurity grants to state, local and territory governments to build the Cyber Capabilities that they need but on sunday, at 12 01 a. M. , these dollars are at risk of in the making it out at all. And with that, madame chair, i yield back. Our second witness is dr. Lacy at Judson Independent School district. Our last witness today is mr. Sam ruben, Vice President and global head of operations at palo alto. Welcome, everyone. We are pleased to have you this afternoon. Pursuant to committee 9g, witnesses will please stand and raise their right hands. All right, do you solemnly swear or affirm that the testimony that youre about the give is the truth, the whole truth and nothing but the truth to help you god. Let the record show that the witnesses answered in the affirmative. Thank you. Let me remind the witnesses that we have read your written statement and theyll appear in full in the hearing record, limit our oral introductory statements to 5 minutes, as reminder please press the microphone so it is on and members can hear you for the past 3 years ive been a senior director after cyber and helped enhance Cybersecurity Programs through development and implementation of Risk Management strategies. Between my time, i supported numerous organizations with the preparation, response and recovery from various Cyber Incidents including Ransomware Attacks. Some including leading recovery for Delivery Organization that was victim of ransomware creating playbooks to help clients consider the actions they may need to take of a cig nick antibiotic incident and working with Law Enforcement, the Intelligence Community and or inner Agency Partners on ways to disrupt malicious cyber actors. I want to thank the committees. As has been mentioned. Ransomware is a cyberattack where a malicious actor steals Sensitive Information, encrypts files and systems and demands in order to return operation. It is rarely about Foreign Policy or espionage objectives like those we see from nation state actors. However, discussions are complicated by the fact that many ransomware actors are protected and sometimes endorsed an encouraged by the nation which is they operate. Malicious cyber actor activity and ransomware have been around for decades, several factors which have been mentioned have come together in recent years to expand the frequency, scale and public awareness, organizations today are dependent on technology to develop and deliver services, this includes organization and education, Healthcare Delivery financial services, energy and any other Critical Infrastructure sector. The enhancement provide increased product it, convenience and broad delivery of services to customers at the same time more Critical Services and Sensitive Data have moved to an internet accessible environment and are at risk. Concurrently ransomware actors have increased access to malicious tools, safe havens from which they operate. Some of these include implementing fishing resistance, protect identity, robust set of system backup and recovery tools and procedure and training for employees to recognize fishing emails and social engineering attempts. Policymakers cannot lose sight of the fact that ransomware has devastating operational and reputational. Including Law Enforcement can provide limited amount of support. Victims are left with unsavery set of operations having to choose between restoring Services Quickly or restore operations on their own. Often paying a ransom can be the most time and Cost Effective approach to getting an organization up and running again. Given these dynamics for victims, ransomware remains a prevalent threat to Public Sector entities and Critical Infrastructure organizations. In short it is bad. But there is help, federal government has invested heavily across the globe including takedown of high Ransomware Group this year. Cybersecurity experts have partnered with policy professionals to are pose sorry. Propose legal and policy updates that would empower Law Enforcement officials and other cyber defenders to pursue malicious actors and build resilience across our digital ecosystem. We must continue to develop these ideas while working with companies and Public Sector entities to harden their networks and data, protect their data, thank you again for the opportunity to speak with you today and i look forward to your questions. Thank you, mr. Schneider, i will now recognize doctor for her Opening Statements. Thank you, chairwoman mace, Ranking Member connolly, committee members, staff for allowing me to speak with you today. I represent the Judson School district. I also serve as an elected School Board Member for the navarro Independent School district therefore my passion for seeking School Support and combating cyber crime runs very deep. On june 17th, 2021i received a call from matthew stating that our system had been affected by ransomware. He briefly investigated and ransomware note stated that it was encrypted. We contacted the federal bureau of investigation. Victim selectionses based on ability to pay. Pysa, the primary targets of Higher Education and k12 school. The attack initiated from a single vector with two pivot points, entry vector and first pivot point was one of my employees computers and the second point was video server to have no outside connectivity and used for internal streaming only. They were able to penetrate data stores and devices connected to the network. The full investigation, total of 428,760 individuals were affected and those individuals are living in all 50 states. Recovery of our network was not primary concern. We had ample resources to restore systems. Our concern with security of the data and by the threat actors and preventing the release of that first identifiable information of our constituent thankfully there are companies and School District partners who saw our situation as an opportunity to learn. We learned that the call valley does not come and we must rely on our own resources, in state or federal agency ever visited or offered recovery assistance to us. Insurance coverage was helpful but those go predominantly to attorneys fees, data mining and Identity Protection and does not cover to mitigate the damage. The cost exceeds the limited of the policy forcing to make difficult decisions of funding allocations and costs are not limited to data loss or data breach. I was hired only 34 days prior to this attack in this School District. The state of the districts technology was not unlike thousands of School Districts across the nation. It was outdated out of system and including antiquated system and hardware that included infrastructure that could not support changes brought about covid19. Factors contributed to vulnerability and in the continued concern for many k12 leaders. Schools are forced to balance needs facilities and other operations on limited budgets therefore funding for solutions to prevent attacks and protect data for more visible and tangible items. Recovery and mitigation programs have not been formally developed for schools but we would recommend potentially discount programs similar to things like erate and federally supported programs. Additionally there are other standards for network security, requirements for making Social Security numbers masked in all systems training Educational Programs and social emotional programs were affected individuals was also needed. I would like to thank the committee today. Im honored to be able to present this information to you and have you hear our stories and recommend allegations, thank you chairwoman mace, chairman fallon, Ranking Member connolly and all the staff involved. Im honored an privileged to be here. Thank you, dr. Gosch. Is the hospital in Academic Center in vermont. For all vermonters who have illnesses. We were 7 months into the pandemic and we suffered a ransomware cyberattack. We are extremely fortunate that when the attack first started before itt team even knew who was occurring they made the decision to shut down our system. That crews critically important move. They realized something was wrong. The single move protected the information. Any patient care information from being released. Any employee information being released and was key to our overall action during the pandemic. Over the next month we had two major initiatives, first one was an i was t initiative to restore our network back to normal. The cyberattack while it did not affect our patient information, did infect servers in Medical Center and 5,000 desk top computers. Every single computer needed to be wiped clean and reimaged. Every server had to be wiped clean and remanueled. It was a 24hour a day, 7day a week job for our it staff. The second major focus for us was patient care. We are the sole hospital in our state. We knew we would have to take care of people. The cyberattack impacted record for more than 21 days. On day, two we have two incident command teams, it focused on restoring our it systems, 100 0 applications. Attack was broad. We didnt have internet, we didnt have phones. Impacted radiology imaging, Laboratory Results and we didnt have the emr for 28 days. We were back to paper. Many of your young new doctors had never written paper orders. We had to go back and teach them how to do that. We brought together our clinical leaders from surgery, trauma, emergency medicine, medicine and they met sometimes a day 7 days a week for 28 days the decide how to safely provide care for patient who is we knew would be showing up and what care could be delayed and what care could be transferred out of state to other Medical Centers that could help us. Over the course of that month we delivered hundreds of babies, did trauma certainly, we did heart surgery, we did multiple other cancer staging operations all safely, highquality on paper. We did have to delay care for some patients. We used those extra providers to provide extra set of eyes and hands to make sure the paper system was working. Over the course of the month that we didnt have our emr, every day we were focused on what needed to come up first and how. A major issue that we faced is in 2020 best practice was the safe 3 days of forward looking information in your Electronic Medical record. Our cyberattack happened on thursday, on monday morning our clinics did know know who was going to show up in the clinic that day, didnt have the medical information, didnt have their problem list, didnt know what time they were coming or for what. Had to go on the news, if you are coming to an appointment, bring everything that you have with you to help us take care of you. Early in the cyberattack we didnt have internet. We went to best buy and bought every walkietalkie they had. I asked administrators to run lab results to the floor. Our lab results system was down. On day two, we had pile of paper lab results in our pathology conference room. About 6inches thick. These are medical students that file all those results. Over the course of our month, we took care of hundreds of patient safely but it was hard. Ive been an emergency medicine doctor for 30 years, ive been hospital president for four years, cyberattack was much harder than the pandemic by far. Thank you very much. Thank you, i would like to recognize mr. Ruben for your Opening Statement. Chair mace, distinguished members of the committee, thank you for the opportunity to testify in combating Ransomware Attacks. My name is sam ruinen, unit 42 which is Palo Alto Networks, internet response an Threat Intelligence division. For those in the familiar with Palo Alto Networks founded in 2005 that hags since grown to protect thousands of organizations around the world. This means that we have a deep and broad visibility into the cyber landscape. We are committed to using visibility to be good cyber citizens. We look at our role with great humility. We envision a world where each day is safer and more secure than the day before and takes all of us working together. The current cyber Threat Landscape demands this posture. Written system my written system also my highlights if we look through eyes of advisory looks porous and inviting. Despite the back drop at Palo Alto Networks we remain confident that we are well equipped to combat today, tomorrow and for several reasons. First, advance in technology especially artificial technology. For too long defenders have been inundated with triage manually while critical alerts go unmissed. Second, cybersecurities increasingly being recognized by entities of all sizes private and public. We need to take the next steps now. Every interfor price must recognize cybersecurity. Third, policy makers are showing sustained desire to support cyber defenders. Thank you for that. Thats just one example the state and local Cybersecurity Grant Program is showing the potential to increase resilience to Ransomware Attacks across all corners of the country. Cybersecurity matters to all of us. Ransomware attacks impact daily lives disruption, interruptions to the supply chain, my team at Palo Alto Network specials when they have been hit with cyber incident. Our mission is beyond recovery. When they come out of it, they are stronger than before. Thats what makes the work so fuss filling for me personally. That spirit of partnership in the cyber community, the notion that we are all in this together must remain in our collective dna. As a company we are proud to participate in the number of forums like j cdc not to sell our products but to share our Situational Awareness and our Threat Intelligence and understanding of the cyber Threat Landscape. Critically in forms like this commercial competitors become threat partners. I wanted to thank you for the opportunity to testify today and i look forward to your questions. Mr. Rubin, i will start with you. Ai and cyber criminals. Are they using ai to deploy Ransomware Attacks . Thank you, congresswoman. This is a threat that we are watching very clearly at Palo Alto Network. Threat intelligence standpoint, we are also doing testing in our own labs to recreate potential capabilities. At this point we are not seeing any new or novel attack techniques generated by ai. What kind of defenses do we have against ai powered attacked . Right, we have the able to use ai to our benefit to help protect our organization. And then i want to ask everybody a few questions. Atlanta fed published early this year theres 144 increase in ransomware from 2021 thats massive. Is this across any specific sector, government, private, large or small, Certain Industries or evenly spread throughout . We see these primarily as crimes of opportunity where the threat actors find vulnerabilities and attack those vulnerable. They said that their average ransom payment, i cannot believe this, 5 million. Given the concentration of the attackers are in hostile nations, some of the money might be used by criminal enterprises and line up projects of adversaries . It is all used by criminal advisor arrest. What country is the worst, which adversary is leading the world in these kind of ransom attacks . Generally russia is where the majority safe haven in a lot of ransomware actors there. Yeah. Thank you. I have a few questions for dr. Gosch and leffler. In some cases ransom is paid and some it is not. Its not just the ransom fee if it was paid this would be the cost of this, theres a much larger cost to an Organization School or a hospital. What do you estimate cost when the attack happened cost the school and or the hospital . We had to replace, 5 million. For uv Medical Center 65 million in cost. 3 to 5 million for school, sometimes its the schools budget depending on the size of the educational, local school, et cetera. Do you feel what you have seen that you learned from it and what other steps other people should be aware of to help protect the organization or institution . Im a physician not it expert. I understand we put things in place since that attack happened. When the bad actors got into our system, they were able to move at will, they added a lot of steps to sub segment into pieces and make it harder for administrators to make changes. We added multifactor authentication to administrators who didnt have before. We assume its going to happen again. Theres so many people trying. We have done similar, we are using ai to monitor email protection systems. We are using multifactor authentication and moved to backups and a lot of technologies that we did not have before, everything is cloud based and provides the extra layer of protection, extra password and other components that had been told, end point protection and recovery. We added those at a high dos and that is always a concern as we look at School Budgets in terms of maintaining it but we were able to upgrade to what is needed to combat it. How long did that take . We are still working on some of those initiatives now. It took us a full year to get all of our systems back online and we continue to make improvements by adding thing like security within our network and additional security measures on the back end of the infrastructure. Thank you so much, i yield back. I began my Opening Statement that should the government shout down 10 of the employees will go furloughed. I dont know which 20 of cisa is going to be retained and what functions. I would hope that they would continue to do the operational pieces and put out alerts as they see emerging threats start to evolve. But, i guess we both agree 20 cant really handle what 100 normally handle, something is going to give and at least at the very least theres a risk. Yes. Yeah, in terms of our mission. Thank you. Dr. Leffler i was struck by the hospital in vermont. I had images i did a lot of tours of Health Centers and hospitals and you know, i had in my mind dialysis unit and you had computer screen Monitoring Progress like wise oncology unit, same thing with chemo. And so information particularly thinking, well, those patients and those are particularly vulnerable because you have 20 or 30 patients that are time often either on dialysis or on chemo, therapy, was your hospital affected with respect to those patients . So we kept both units opened because those patients needed to stay alive. Dialysis obviously people are life dependent on dialysis. We added staff is what we did. We switched to paper. We added more staff members. But the ransomware did affect it affected every single part of our function, everything that we do. Unbelievable. I think thats really important because in addition the story of schools, my School System was attacked, we are talking life and death and the criticality of a hospitality cant be overstated and the vulnerability of hospitals. You said something profound. Im not a tech expert, im a doctor and we cant expect everybody in their field of endeavor to be tech experts and yet thats the vulnerability and it affects directly your ability to perform your functions and to serve your clients, your patients, so mr. Rubin i was struck by the fact trying to create paradigm and what struck me about ransomware, everything about the response is reactionary. The paradigm is entirely defensive. Either you do or you dont pay the ransom and then after the fact we try to sure up our assets and resources to prevent it from recurring. It seems to me that if we are going to have a new paradigm its going to be more proactive and preemptive rather than reactive. I will give you an opportunity to comment on that. Yes, thank you, congressman. I completely agree with you. We need to move the focus into taking steps ahead of time, sort of in piece time so to speak and organizations public and private need to invest in their cybersecurity posture in their awareness and in their essentially defenses to take steps ahead of time, absolutely. To what extent would the vulnerability today because dr. Gosch put the finger on it, resonates with me after the pandemic experience that an awful lot especially state and local levels, we are just not investing in the it platforms to keep them robust and cyber secure, to what extent do you think thats a big part of the problem . I do think that thats a big part of the problem. Investing in cybersecurity is an exercise in economics. Its the allocation of scarce resources and we heard about operating budgets and theres cost benefit decisions being made of where to put money and sometimes investing in cybersecurity resource or tool might be mean Something Else goes unfunded and so it is hard for state and local organizations. So thats why i think programs like the state and local Cybersecurity Program are phenomenal resource for state and local entities to avail us and try to get more resources to help themselves out there. I couldnt agree with you more. I think as an overlooked part of the vulnerability spectrum and we saw that reflected in pandemic because take unemployment insurance, vulnerable. 50 different systems, not one. And, you know, lots of vulnerabilities. I yield back, thank you, madame chair. Thank you so much, i would now like to recognize mr. Fallon for five minutes. Thank you, madame chair. Mr. Schneider, when theres Government Shutdown, its up to the administration to use exemptions for folks to come into work . Yes, there are several exemptions. Like the antideficiency act exception . Correct. You wouldnt have furloughed 80 , you can have all of them come to work if you so chose . I dont know the decision that cisa is making. Its up to the administration. Its up to the administration. We could have everybody. Just wanted to point that out. And as far as shutdown goes, as far as we will save that for a close. Dr. Gosch, thank you for making the trip all the way from texaslone star state. Your school was hit with ransomware attack, describe. Did you pay the ransom . Yes, we did. How much did you have to pay . 547,000 was the final amount. Yeah. I think you touched upon this with chairman mace. What were your best and greatest takeaways from the experience as far as preventing it from happening again . Our best and greatest takeaways is that it isnt a matter if youre going to be hit by some attack, its your ability to mitigate and to recover quickly and in our situation one of the things that stuck out for us was the need to maintain upgrade and make sure the systems in the back end and be able to promote that information to other School District leaders because in similar situations i am supposed to be the tech expert in this but in many cases the leaders are not the tech experts and making sure that the message is heard and how important it is to be proactive in the process and put in multiple ways in which to monitor and to actually utilize. I know ai can be used as danger in terms of ransomware but at the same time can provide so much Additional Support for identifying a potential threat because there are not simply man hours in the day and look at the code thats coming in. Mr. Schneider, on average, six years ago, if a mediumsize company was hit with an attack, what was the usual asking price . What was the ransom . I was in government at the time, im not sure i have a great number but the numbers have certainly certainly i think mr. Rubin can help us out. Go ahead. We have seen the numbers grow almost exponentially year over year. I think 5 or 6 years ago it was in the low 6 figures. Its breaking a hundred thousand dollars. And the data varies but right now, you know, our average from our data was over 650,000 on average. And thats consistent with what when we got the i reached out to Business People in texas and i found it interesting that the average ask it seems in that neighborhood was the 50 grand range and now its ten times that, 12 times that. Thats frightening. A lot of people we say its x amount of attacks. We dont know really how many because there are so many folks that are pay and embarrassed that they pay or in a case a friend of mine who will remain unanimous because i dont want him to be continued target. He got hit but he had a backup system that was good enough where he rolled into that and worked on basically securing the wall, if you will moving forward. Dr. Leffler, university Medical Center was hit in 2020, is that correct . Did you all pay the ransom. We did not pay the ransom. We had a good backup. The good backup cost 65 million. 65 million. Where was that . Cleaning and rebooting the system, care that was deferred, extra staff to care for the staff that we cared for and it was across the board. Being originally from massachusetts, route 7, go vermont. We heard from dr. Leffler and effects with ransom, can you explain how cyberattacks in a Critical Infrastructure like Colonial Pipeline 2021 can affect industries and communities beyond what the victimized operation . Thank you for the question. Colonial pipeline is a great example where the pipeline was shut down. It was not actually impacted by the ransomware but they had to shut it down down out of abundance of caution and the Ripple Effect on the entire east coast if you were trying to get any fuel you could not and long lines certainly at gas stations and that has trickle down effect or, you know, exponential impact or broader impact on the community at economy at large. March of this year the Bidenharris Administration released National Cybersecurity strategy, first of its kind efforts to combat ransomware attack. Prioritized the nations economy, infrastructure, National Security and Public Health. The administration sophisticated strategy addresses longterm solutions in cybersecurity challenges including the need for a workforce prepared to deal 51st century issues like complex elaborate and longrunning ransomware threats. The next generation of workforce, those who are in college, trade schools or newly reentering the workforce are often first line of defense against cyberattacks and todays integrated economy all sectors have Critical Technology components which are vulnerable to ransomware. That is why a prepared workforce is essential to our national response. So mr. Rubin, in what ways has the Bidenharris AdministrationNational Security kind ore Security Strategy expanded Educational Programs to diversify, grow and equip the Cybersecurity Workforce . Thank you, congresswoman. We applaud that the new cyberSecurity Strategy, theres much in there that really aligns with our vision for out how to keep organizations safe, enhance visibility, focusing on zero trust, talking about preparedness and ir plan but with respect to training and educating individuals, theres a lot there as well something that Palo Alto Networks works as well. We have a program that we call the Cybersecurity Academy that provides free curriculum to middle school through College Students and help train and help bring up the workforce of the future. Thank you for that. When conducting new hiring initiative promote bid the Bidenharris Administration its important to highlight the demographic disparities in the workforce this plan seeks to address, 2021 report from the Aspen Institute found only 4 of cybersecurity workers identify as hispanic, 9 as black and 24 as women. Mr. Rubin, how can we incentivize hiring a more diverse Cyber Workforce and what best practices have you seen to recruit tech talent from communities which are currently underrepresented . Thank you, again congresswoman. One of Palo Alto Networks core values is inclusion and we work hard to make sure that we do diversity in the workforce and so i think the first step is awareness and being conscious of this as something thats important and that we all do better when we have people from different backgrounds and different perspectives. Another program that Palo Alto Networks has is recruiting College Graduates into a program we call the unit 42 academy. College graduates that join our workforce and this current class is actually 80 female but that includes broad broad diversity as well. Thank you for that. Additionally as a member of the select committee on strategic competition between the United States and the Chinese Communist party i am committed to working with our International Partners to protect the United States from Malicious ForeignCyber Attacks. It is extremely disturbing we have as well as nations like russia, north korea and china working to disrupt our Cyber Systems and our strategic alliances in the west. So mr. Rubin or mr. Snyder, in what ways can the United States work closely with International Partners to combat the threats of Ransomware Attacks and other cybersecurity challenges . Yeah, i mean, thank you for the question, maam, to your point i think we have to have this as international, you know, collaboration in order to in order to put an amount of pressure on ransomware actors and on the nation states from which they are operating and theres a variety of tools that can be used for that, whether they are diplomatic tools but we will have to Work Together in order to make any Real Progress on this area. Thank you, mr. Rubin. I agree. I think that i would put them in the categories of disruption and deterrence on the disruption side its leveraging that diplomatic pressure using carrots and sticks where we can influence Law Enforcement action and takedowns and we have seen some of that more recently but i think theres a long way to go. Thank you very much. Clearly the president s comprehensive cybersecurity plan which involves everything from an expanded and better trained workforce to cooperation with our International Partners is already paying off. Im ready to work in a bipartisan manner to strengthen and support the president s initiative and with that, madame chair, i yield back. Thank you. I would now call on my colleague from tennessee. Dont screw it up. Thank you, chair lady. I will try not to. Thank you yall for being here. All the good questions have been asked pretty much. Het me ask down the line, what can we do to fix this . Thank you for the question. I think that is the question of the day and it is something thats not going to get you anywhere complementing me up here. Its better if you attack me, insult me and everybody else will agree with you but go right ahead. I probably wont go down that route, sir. We have to approach both from defensive standpoint and what defensive measure cybersecurity controls can companies and organizations put in place in order to protect their systems, to have good backups of their systems, encrypt to their own data so they cant be encrypted by someone else and taken from them and as we were just discussing we need to be able to disrupt and deter actors in cyberspace and we really need to find a way to shift the Value Proposition for ransomware actors, today they are able to do this with almost impunity and make a lot of money atate. We have to find a whole of government and a whole of working with our allies to make Real Progress here. Are any allied countries have people involved with this . It always seems like every time we come out and say youre not going to break into this system, theres 12yearold kid in somebodys garage gets into the system. I think we have a really god International Cooperation on this as this hearing notes its a really big channel so it doesnt always feel like we are making the progress but i think we are, you know, billing those interactions across nations with a lot of our key allies. All right. Doctor, how do you say your last name . Gosch. Good, im glad, go ahead. From the educational standpoint i think a lot of the things that could help School Districts really has to do with funding and discount programs and things like that but additionally there really needs to be additional standards set for schools, there really isnt any right. A lot of the equipment is outdated. Correct. Youre sitting here talking to us when i was asked to be on the committee, a bunch of guys listening to a track players. We are the ones that are going to be making decisions on that so i can appreciate that. Theres other aspects of that. We spend a lot of time in emergency plans at least in texas theres not any particular guidance or requirements to deal with cybersecurity. Its just in the talked about. Within education its not something thats necessarily supposed to happen. I know in our case a lot of times people think due to lack of backups is the why we went the route that we went. We do have to and then theres a lot of regulatory things that would help in the cybersecurity piece as far as student data just in having regulations even in software companies. Dr. Leffler. I agree with my colleague that from a hospital perspective a lot of it is funding in grants, so in every budget that we build as a doctor, i want to spend all the money on patient care, technology, new equipment there, prior to the cyberattack, usually cybersecurity stuff would fall down the budget oftentimes come off. And so having ways to cheaply buy programs and have those programs be current and new and upgraded and grants to bring up to standards, strong backup so you dont have to pay the ransom would make a huge difference, i believe. Im surprised quite often how often medical records and things, photographs and things like that are taken out of specifically doctors. Yeah. Yes. Mr. Rubin. Thank you, sir. So i will break it up into what we can do in the Public Sector side and within privatesector organizations. On the Public Sector side i think bringing continued awareness to the problem like today is very important. Continued support for local and state governments as we discuss the local grant program, they provide a lot of resources. On the privateersector side, i think a lot of the adoption of technologies that we heard about today, getting visibility across the state externally and internally with different tools, leveraging ai and other technology to separate the sickal from the noise so you can see and respond to whats important because no organization can fund the staff and expertise that they need to do that without the help of technology and then its adopting best practices theres a program call paradigm called zero trust which is defense indepth and aligned with essentially what you need to know and lastly having a plan to respond. All right, im about out of time. I would state to the committee as elected official is something that we ought to be aware of. If they are reaching into these systems to take something out, they can reach and put something in and theres elected officials that something that we need to were about and i worry very much about ms. Mace pointing out her timer and giving me the look. Youve over. My time is over. Thank you. I would like to recognize congresswoman norton. Thank you, madame chair. Mr. Schneider, every year since 1997 Information Security and cybersecurity has been on ga of courses government wide highrisk list meaning it is extremely vulnerable to waste, fraud, abuse or mismanagement or in great need of transformation. This year is no different. In this years update, however, gao noted that the Bidenharris Administrations continued commitment to making sure our nation works to remain ahead on ransom attackers. As always, though, more work can be done especially as personal agencies remain high value targets on foreign adverse for foreign adversaries like russia and china. Mr. Schneder why are federal agencies ripe targets for ransomware . Nation state actors look at federal Public Sector organizations as having the high value assets and, therefore, they are highvalue targets as well. They are seeking to get the information from those organizations. Well, if thats so, mr. Schneider, what steps can federal agencies, Agency Leaders take to mitigate their risk of falling victim to ransomware . Maam, there are certainly defensive steps that they can put in place. My colleague mentioned zero trust which is a Movement Towards further hardening your infrastructure. I mentioned in my opening testimony implementing multifactor authentication, encrypting your own data and ensuring you have backups. They are in a lot of ways basic steps, patching your systems, they just have to be done very consistently and continuously if federal agencies are not going to get to a point where they are, quote, unquote done or they are safe, they will have to continue to exercise to stay hopefully one step ahead of the malicious actors. Well, mr. Schneider, you have previously highlighted Information Security and cybersecurity laws such as cism affects and so briefly how could Congress Update other cybersecurity laws to help agencies that defend against Ransomware Attacks. Yes, thank you for the question. I think an update to fisma would be timely. Its something that would help drive the administration to have some updates i think codifying the role of the federal chief Information Security officer would be helpful inside of the office of management and budget to really help oversee the implementation of the the various standards that the National Institute of standards and technology and others put in place, so there is governance and oversight that i think an update to fisma would be helpful for. Mr. Schneider earlier this year the u. S. Marshal service fell victim and in june criminal so mr. Schneider, how can federal agencies prevent Ransomware Attacks . Maam, thats the question of the day of what federal agencies and privatesector organizations can do to adequately protect themselves. Again, there are a lot of basic cybersecurity controls that they need to maintain focus on. All organizations need Adequate Funding to be able to implement those and they need leadership that is highly focused on the risks and threats that their Technology Environment brings to them. Yeah, in the case of the june Ransomware Attacks, i talked about the ransomware criminals were able to exploit a commonly used file transfer program called move it, so mr. Schneider why might criminals target contractors and thirdparty software if their target is the federal government . Maam, if a malicious actor is trying to get to whatever target organization in this instance federal agency, they will seek the easiest, quickest, most efficient path to that and so they are not just going to look at the federal system, they are going to look at all of the systems connected to the federal systems, where can they get into the information that they are trying to get to. Thank you, i yield back. Thank you, chair. Now recognizes mr. Edwards. Thank you, mr. Chair. Mr. Schneider, i apologize if the question has been asked before i got back. I just came from another Committee Meeting and its probably so obvious someone has to have asked it. Who is behind the majority of the Ransomware Attacks . Based on the information im seeing the majority of that threat actors are housed or coming out of russia. Are who coming out . Russia. Is there any evidence that these attacks are government sponsored or are they just bad actors inside of other countries . I think theres mix on that. I think a large significant portion of them probably the majority of them are criminals and criminal actors now. I think many of those are endorsed by and perhaps supported by the nation states within where they reside to include russia. I think in general, my personal opinion is nation state actors that are looking for espionage or other Foreign Policy objectives are lets likely to use ransomware vector. If anyone has any information, is there any evidence that youre aware of that these bad actors are supported by a Government Entity of which we should be aware in our interaction with other other governments . It seems like if they are government sponsored, we should hold them accountable or refuse to have Different Levels of cooperation. I think theres certainly evidence of some countries supporting ransomware actors. North korea is certainly a very good example where they have, you know, as a nation state will use ransomware to get around sanctions and try to bring money into the economy. Does anyone else have an opinion or an insight on that question . Congressman, i would add that i agree with my colleague. And and thank you, so my understanding of ransomware typically some bad actors trying to just lock up a computer or encrypt information in return for money. Is there any evidence that these bad actors are trying to capture information or are they just trying to encrypt someone elses information for extortion . I think more and more we are seeing kind of multiextortion events where they will both steal the information and try to encrypt it and prevent the owner of the information having access and then they can ran some them on two fronts, right. The first ransome pay me money to have access to your systems again and second, the organization has good backups and says i dont need you to restore my services and then they will threaten we will publicly disclose or sell or otherwise compromise the Sensitive Information so we are seeing more and more actors that are also stealing information. And coming being part of the private sector and also having served on the board of directors of a bank, i know that one of the things that keeps us awake at night is protecting our data. Have you found that for the private sector theres any commercial software out there that adequately protects workstations in offices and at homes . And im not going to ask you for a recommendation. I just like to know your opinion on how well we are prepared for the thirdparty packages to protect americans. Thank you very much. First of all i want to thank the chairwoman and chair fallon as well as the Ranking Member conley and Ranking Member bush for convening this joint hearing. I also want to thank the witnesses for your willingness to help the committee with this work. Weve been at this a while. I dont know if things are getting any better. We recently had a sizable ransom where attack, very high impact in massachusetts, my home state on. 32, the second Largest Health insurance provider in massachusetts. Its the Parent Company of Pilgrim Health and tops Health Care Plan so affected an awful lot of people. In april of this year the Company Announced it had been targeted by a ransom where attack and forced to shut down several Critical Systems used to servicemembers accounts, brokers and also healthcare providers. The attack also involved the theft of a very Sensitive Information, so as mr. Snyder was saying, this is one of those cases they could have a denial of service or simply sell the Sensitive Information. So it compromised the personal information of more than 2. 5 million current and former subscribers, providers, and unfortunately the stolen data included Social Security numbers, medical history data, Health Insurance account information and taxpayer id numbers. So, very, very tough situation. Importantly, the American HospitalAssociation Since warned that the frequency sophistication and severity of ransom where attacks against our healthcare sector is dramatically escalating with organized criminal gangs and military units replacing rogue individual actors as the primary perpetrators. As a matter of fact, in the First Six Months of 2023 alone, more than 220 Cyber Attacks targeted hospitals and Healthcare Systems with over 36 Million People affected. So, doctor, speaking directly, healthcare is different in some ways as a vulnerability there. That is not present in some others. The impact goes beyond just the institution of all those people whose private Health Information is out there. From your experience and the way you looked at this, are there certain steps that Healthcare Institutions need to be taking right now and that youve taken perhaps through your experience in vermont that might make the system more secure . Thank you for the question. First, have a strong, separate protected back up. A critically important, from the normal system and updated every single day. Next, make sure your it team is empowered to shutdown the system immediately if necessary. Dont make them go up the chain of command. If they see something unusual, shut it down immediately. From Critical Care to this point before the cyber attack, we typically did a drill we would have our emr down for two days which seemed like a long time. We were down for 28 days. The things you do over 28 days are vastly different, so i would recommend all hospitals were Healthcare Systems at least do a tabletop exercise to imagine what it would be like to be down for a month. You didnt have phones, schedules, didnt get lab results to the floors; how would you handle that . Its critically important. Thank you. The wider impact is, in the massachusetts case we are seeing classaction lawsuits against the institutions because of the poor handling of the information, so theres a followon problem there. Given the fact that we are all on the patient gateway system, that is what mine is called with my hospital, so all my medical records. So we are moving to mobile applications for all this information. Is there some way that we might close that gap . And again, there are some there was an article in the journal of medicine a month ago, two months ago that said we should treat these as sort of regional disasters almost because of the communitywide impact its having not just on the Healthcare Institution but on the community in general. Id like to get your thoughts on that and about those longerterm impacts on the credibility of either the Insurance Company or the hospital and then how you clean that up, even though we are moving, the trend is moving to greater mobility and easier access to this digital information. In vermont, this was a disaster. Our entire state impacted all 14 hospitals. It affected patients across the region. It was a disaster and we are grateful our governor and National Guard stepped in to help us. In terms of better protection, i think the best, and once again im at the edge of my knowledge, but the best we can do is break the system up into lots of little pieces so if someone gets in somewhere, they have a hard time getting in everywhere. Weve added a lot of steps of multiidentification to protect the system. And weve done a huge amount of education to make it harder for people to penetrate. Madam chair, i appreciate the courage. I yield back. I would like to yield back mr. Langworthy. Thank you very much, madam chair. And to both of the chairs and the Ranking Members for putting this together and to the witnesses. For the longest time, the United States enjoyed a reputation being impervious to foreign threats on our soil, but Cyber Attacks stand as a prime example of this contemporary form of welfare and espionage that we all have to be ready for and vigilant against. Even our wealthiest corporations and financial institutions, hospitals and civic organizations with cuttingedge Cyber Security protocols can fall prey to these cyber threats. As we witnessed breaches in the major urban centers, we must consider the potential harm that can be afflicted in the Rural Communities such as those in my district in new yorks 23rd Congressional District. We are home to many rural hospitals, School Districts, educational institutions and they are very vulnerable to these challenges. With that being said, doctor leffler, you highlighted uvm Medical Center has unfortunately experienced several Cyber Attacks in the past. Can you identify any recurring patterns among the perpetrators . Were these instances typically orchestrated by cyber criminals seeking financial gain or are these foreign actors primarily interested in obtaining sensitive patient information . Thank you. Gratefully we only suffered one cyber attack. It was in october 2020. It did affect every part of our system. We didnt contact the cyber criminals were pay ransom, but im sure they wanted both payment to reopen the system and likely would have sold the information if they got it. We are fortunate they were unable to get into the system to gain patient information. So we suffered one attack. At the time, it was during the pandemic. We had many people working from home, and we did that very quickly. And so, weve added a lot of security around our Computer Systems, laptops. That is the way they got in. Someone had gone home with their laptop and entered from home using when they plugged it back into our system, thats how i got into our network. Thank you. We are familiar with the financial ramifications of ransom where attacks from cyber criminals. The losses could be tens of millions or more. For a Major Hospital that is perhaps manageable, even if its not ideal, but lets talk about situations where perpetrators are seeking data and not a dollar value. Doctor leffler, when actors target our constituents medical records and data, what specific purposes do they have in mind for acquiring this information, and in what threat is the data leaked to patients . Its a significant threat to patients. Patient information is protected by hipa and if they are able to get into the record of a consulting information on the internet and access both patients financial information, Insurance Information and cause huge issues for our patients. Thank you. Theres no doubt hospitals have heard the situations. The reputation and Community Get negative public spotlight the primary focus for any hospital is undoubtedly patient care. I understand ransom where attacks can result in unauthorized access to Sensitive Information, but could you elaborate on how such attacks might potentially affect the quality of patient care . Basically in Health Care Healthcare rightnow, the electrl record is your connection to everything that you do. Everything runs through that. All your lab information, radiology information, patient care transfers run through that. When the system goes down it has a huge impact on patient care. Right now if youre going to order a medication for a patient, the Electronic Medical record tells you if you picked the correct dose and if it is right for the intended purpose. If there is an allergy, if its safe to give this particular patient all those go back to the system many doctors are no longer trained on. And so, we had to go back to paper and make sure that someone, the person was going through and doing those steps every time we ordered something. It impacts how you run your operating room, how labs are stored, how imaging is done. We had to buy a bunch of drives. It has a huge impact on patient care every day. And for the university Medical Center, the impact was greater than the pandemic. It seems like that would have a tremendous impact on the workforce as well. What resources has the federal government offered to hospitals that have experienced ransom where attacks, and are there any recommendations or standards that you would propose to this committee, particularly in the context of rural hospitals . The fbi was hugely helpful in the cyber attack and provided insight and help. Beyond that, i said before, hospital budgets are very tough and typically Hospital Leaders want to spend money on patient care issues, so grants or funding to help have the most current Cyber Security protection would be very useful. Guidance and training around how to prepare for a 30 day outage i think was critically important. And helping to make sure that they have the most current emr people training will make a difference. Thank you very much for your testimony and i yield back. I recognize the congressman for five minutes. Thank you, madam chair and thank you to the chair and the Ranking Members. I thank you for being here. Ransom where attacks, of course we talked about this today, are becoming increasingly frequent in our society particularly as we rely more on technology. South carolina is not immune from that. We are subject to very serious costly attacks in october when the South Carolina department of revenue was hacked by cyber criminals who used encrypted malware to steal the income tax returns of 6. 4 million south carolinian residents and businesses. The attacks impacted more than three quarters of our population. 3. 6 million Social Security numbers, 387,000 credit and debit card numbers. The financial cost when i was a member of the General Assembly was over 20 million to protect self carolinians. At the time this was considered to be the biggest and largest attacks on the state agency, not only in South Carolina, but across the country. Just this year, south carolinians have been subject to numerous attacks and it doesnt seem to have an end in sight. Weve all witnessed agencies, hospitals, businesses, people individually whove run into this problem. And so, the question that i have for you, mr. Snyder, is of the cyber criminals youve encountered in your 30 years of experience, who are these people . Are they old, young, domestic, are they foreign actors . What type of people do you see that engage in this practice . Thank you for the question, congressman. I think its evolved over time. Sort of the stereo typical from 30 years ago is a kid in the garage on a big couch. And i think its really moved on to what we are seeing today are ransom where actors, cyber criminals thinking like businesspeople. They are setting up health desks so if the victim doesnt know how to pay them appropriately, that they can help them set up inappropriate wallet and be able to send them money. So, the chairwoman made mention earlier ransom where is a service, so this is becoming a Business Enterprise for the malicious actors that are very organized. They are typically at least in nationstates that are allowing them to act pretty freely, and sometimes they are probably encouraging them as well. We hear all the time that cyber criminals adapt their tactics to infiltrate. How do, in your eyes, the cyber criminals become involved in this activity . How do they get engaged in their craft . Congressman, i dont have much data or information on how they get into this. Part of my speculation is that they are probably in countries where this is a relatively if they have some skills, this is a place where they can put their skills to unfortunately work in a malicious manner. We would much rather see them on the defensive side of the cyber equation someplace. Has the approach changed all in kind of this era of work from home or during the pandemic . How has the landscape shifted . I think the landscape has shifted in the way that our Threat Service is connected. We discussed earlier we continue to interconnect more and more systems, more and more data and every time we interconnect more systems, we introduce potentially additional vulnerabilities that give the actors more places to attack from. Thank you for that. In your testimony you cited that a recent report found that the security teams took nearly six days to resolve and alert according to the report the amount of time it takes adversaries to move from compromised to Data Exfiltration is merely a few hours. Do you expect to six days to remain the average in the future given that cyber criminals are becoming increasingly sophisticated and effective . Thank you, congressman. So, our goal is to help organizations reduce the time to respond. Some accommodation training and technology, combination of dedicated resources, our goal is to help organizations move that from six days down to hours or even minutes. When a threat actor gets into an organization, they might have a foothold on one system and what they are trying to do is elevate privileges to break out of that system and move into other parts of the network. So if you can catch them on that first system and you can contain it and take what might otherwise be a crippling ransom where attack and make that something much smaller. Think you for that. In that sixday period, how disruptive is that to the businesses and employees . Of course, congressman. It varies on a casebycase basis, but what i can tell you a recent Incident Response investigation that we did, we saw for a Major Tech Company within a matter of 15 hours the threat actor went from a phishing attack to escalating privileges to moving laterally to exfiltrate in over a terabyte of information and locking up 10,000 systems, 15 hours. Thank you, mr. Frye. In closing i want to thank the panelists this afternoon once again for their testimony. Especially for those who talked about the ransom where attack they had. Very few organizations and institutions and agencies will actually speak publicly about these experiences out of fear and appreciate the collaboration between my colleagues on this his andeveryone having the couro be here today. I would now like to yield to ms. Thank you, madam chair. First, i want to share the concern my colleague expressed earlier about these attacks on Critical Infrastructure. Thats why we conducted a comprehensive investigation with regard to new insight and into hell ransom where attacks unfold. I would like to submit to the record some of the findings we released in a memo to congress. Finally, i want to thank my colleagues who called this important hearing on ransom where today. But i want to highlight the paradox of their efforts to combat ransom where and Cyber Attacks. At the same time they are driving us headfirst into a Government Shutdown. A shutdown will have realworld effects, both in cyberspace and our communities. As both mr. Conley and ms. Brown indicated in their Opening Statements, the Cybersecurity InfrastructureSecurity Agency, the agency that needs federal cybersecurity efforts and serves as a National Coordinator for Critical Infrastructure security and resilience, will furlough thousands of its employees. 80 of its workforce in fact. The department of justice, the Agency Responsible for investigating and taking down criminal ransom where attacks will also be forced to furlough thousands of employees. Those are just too agencies. A shutdown hurts our communities nationwide and at their core. While we think all federal employees are in the Nations Capital here, the Congressional Research service has found that every single Congressional District is home to at least 4600 civilian federal employees, all of whom do not know when they will receive their next paycheck. Military Service Members would continue working every day to keep our country safe, including our 1. 3 million active service troops, but they wont receive a paycheck until the government reopens. That includes 11,000 servicemembers in my district. 414,000 servicemembers in texas and 38 servicemembers in South Carolina. Many of these military families who struggled to pay rent, afford groceries or give their prescription medications. I suppose that is one way to thank those that put their lives on the line for their nation. Democrats arent the only ones horrified by the Republicans Holding the nations hostage. Take for example, my colleague who told reporters that the republicans are currently, quote, the dysfunction caucus. My colleague, mr. Graves from louisiana said of the republican hold on appropriation government work, quote, holding the victims hostage. And mr. Garcia said of the extremists, quote, they just handed a wind to the Chinese Communist party. If my colleagues really cared about National Security, cybersecurity and the health of the nation, they would be funding the federal government right now. Like the ransom where attack that we examine throughout this hearing, our republican colleagues are holding the nations and i yield back. I now yield to chairman fallon for closing remarks. Thank you, madam chair. Just a couple things. One, its amazing that you think Something Like combating ransom where what into being partisan. Anna some of the colleagues did not make it partisan and some did, calling folks extremists and people that want to shut down. I dont know anybody that wants a shutdown. And when you talk about resources, there are limited resources. Thats why in the cr that we are trying to work out to attach some security that we desperately needed, and may be a modest code of 8 Discretionary Spending when we are spending 663 billion on data service just this year alone and according to cbo over the next decade its going to be 11 trillion additional to go to service the debt. Debt and a decade from now, the Interest Payments on the debt could equal if everything stays the same, about half of our total Discretionary Spending. Its time to do something. We also know and it is sad to see that, but we want to talk truth and facts. The senate, which is controlled by the democrats, had passed all their Appropriations Bills out of committee before the august recess. Anna sat on their hands, Chuck Schumer did, and did nothing so you want to covid something you call it the schumer shutdown. Im not rooting for it but it does seem some people are and thats sad, playing politics on Something Like this. On ransom where we want to deal with this with specificity. I think the best thing anybody can do i have a friend of mine right now that i mentioned earlier, an anonymous friend texted me saying dont forget to tell them they have really good backups. Have healthy authentication. And help from the government to get after these guys as well and one of the things we can do, i followed the bill last congress, hr 3388 that is protecting the Critical Infrastructure act, to expand penalties for fraud and related activities on these kind of attacks and the Critical InfrastructureColonial Pipeline, gbs would be something along those lines that would fit into that. And expanded the penalties. I know its hard to get our hands on these in countries that would protect them or at least look the other way, russia and china come to mind. But sometimes they get careless and we need to also make sure to clearly define and statute that it doesnt need to be physical infrastructure to be critical. It can be cyberspace infrastructure. The walls were written 30 years ago in the cyberspace or 40 years ago. Then it also, my bill would direct the president to impose sanctions on persons that attempt to harm by accessing and compromising the Critical Infrastructure. So there are those things as well that we can do. So im glad we had the opportunity to have partially a bipartisan meeting on these issues. Mr. Schneider, you mentioned that the battle between hackers and organizations in bad actors of targeting has become, you know, an arms race in a term that i think we should really think about and you give a lot of weight to. And why you think that is accurate, the threat posed upon america by russia. And weve heard these attacks are originally mostly there and something that we need to protect small, medium and large interests. So i hope that in the future we can have maybe someday have a hearing that is something that has nothing to do with partisanship that we can look into focus directly on the specificity of the threat and come up with some solutions. Because believe it or not, we have some smart people in congress. We have some dumb people too but we have smart ones and hopefully we can Work Together because having served for eight years in the Texas Legislature not everything was partisan. Madam chair, i will yield back. I recognize myself for a few minutes in closing. I did want to say that because the white house did such a good job about sending their talking points to this hearing this afternoon that in the event that there is a shutdown that 80 the white house is pushing its employees who wont be showing up to work that is the decision by the president of the United States and his administration to decide what percentage are deemed essential and showing up to work in the event that theres a shutdown and in the event there is, it is up to the president of the United States and his administration to prioritize who is and who is not essential. They can make it as painful as they want or as painless as they want. And by law, any federal employees who are furloughed are going to get back pay. So, thats something that should be very clear. If we could just tell the gods honest truth in this thing, we wouldnt have, we wouldnt be pointing fingers at either side because guess what, both sides are to blame if there is a Government Shutdown. Just this week we saw 33 trillion added to our nations debt. And that sham of the debt ceiling is going to add 18. 8 trillion to the debt over the next ten years. So we are talking about 50 trillion in debt. Over the next decade they just want to blame each other. Both republicans and democrats are at fault. The last time we balance the budget in this place was in the 90s under president clinton, a democratic president , and republican controlled house. They had a plan to balance the budget. They did it in for years because of surplus tax revenue. We cant even get a plan to budget in the next 20 years so when the American People get mad about a Government Shutdown, blame republicans and democrats who are at fault and refused to get to the table to make the cuts necessary to get this country turned around in the right direction. With that and without objection im going to ask unanimous consent to enter a letter from the electric Reliability Council of texas into the record without objection, so ordered. We are back to ransom where on spending and without objection all members have five legislative days within which to submit materials and additional written questions for the witnesses that will be forwarded for their response. And if theres no further business, without objection, the subcommittee stands adjourned