[inaudible conversations] Good afternoon, everyone, and welcome. This is a joint hearing of two subcommittees of the Committee on Oversight and Accountability. The subcommittee I chair is the Subcommittee on Cybersecurity, Information Technology, and Government Innovation; the other is the Subcommittee on Economic Growth, Energy Policy, and Regulatory Affairs. It's chaired by my esteemed colleague from Texas. We will have opening statements from the chair and ranking member of both subcommittees. That's a total of four opening statements, so I'll keep mine brief. Cybersecurity has been a major focus of ours since I became the subcommittee chair, and I'm concerned that we are not prepared for the increasingly sophisticated cyberattacks that will be fueled by AI. Businesses and government entities in my district and across the country face cyberattacks and were forced to pay a huge sum of money in ransom. The federal government itself sets of data tens of millions of dollars its decades older than myself, and we have a shortage across the country of 700,000 cybersecurity professionals, job vacancies across the public and private sector. We need all hands on deck to fill the gap, and I sponsored legislation to eliminate the unnecessary to bring degree hurdles and separates a child for the government can't turn away people with mys kids cyberaxios because they up for a degree. Cyberattacks come in different forms. Today we are focusing on ransomware attacks. These are thes pledge to restore access to the ransom is paid and charge an additional ransom for not disclosing sensitive stolen data. These sorts of attacks are nothing new. They have existed for decades. Back then they were unsophisticated and often unsuccessful in locking down systems. Amateur hackers would try to get small ransoms from individual users.
The field is that the came clear in May 2021 when hackers likely based in Russia were used in the brought a pipeline to a standstill. The Colonial Pipeline went offline briefly, causing the federal Department of Transportation to declare an emergency in 17 states and here in D.C. to keep lines open, and in fact when that hack happened was when we saw, in my home state of South Carolina, that's when gas prices started to increase, and they never went back down. The problem shows no sign of going away, and we are constantly searching for areas of vulnerabilities. At the height of COVID there were targets like hospitals and schools, and even the ransomware supply chain was expanded. Hackers offer ransomware as a service for other criminal enterprises. The bottom line is malicious actors can do too much damage and make too much money with too few consequences. We need to engage in this fight at all levels. The camp by the battle against adversaries launching attacks from enemy states like China and Russia and elsewhere. It will take partnerships including federal law enforcement, and that includes finding out how to better collect and share information about these attacks and the attackers. As you'll hear today, the institutions victimized by ransomware have options and all of them are bad. They either declare ransom or they are unable to restore their normal operations. In the case of schools and hospitals, schoolchildren's school records and medical records. We'll hear from a cybersecurity expert whose current work includes counseling companies that are targets and victims of these attacks. I hope this hearing today will help educate us on the problem and will serve as a step toward better testing it, and with that I yield to the ranking member of the subcommittee, Mr. Connolly. Thank you, Madam Chairwoman, and thank you for having us here. Thank you to the witnesses.
In discussing the threats of ransomware we can't ignore it costs by some a government shutdown for the Cybersecurity Agency, for example, will be forced to furlough more than 80% of its workforce. We are concerned about that cyber trend. Without funding our cyber defenses will be reduced and yet still hold responsibility to respond to attacks on our networks and critical infrastructure. We can't allow this to happen when we are to know the innumerable malware attacks constantly threatening our economy and schools, public health, critical infrastructure and national security. Ransomware is a multimillion-dollar criminal enterprise. In 2021 the estimated cost of ransomware examined globally hovered around 20 billion. This year that number is 30 billion, a 50% increase in just two years. The United States is a major target. Between January and December of 2022, known ransomware attacks on private networks in the United States increased by 27%, and more troubling, these include only those incidents that the counterpart to the recent received considerable public attention these kinds of ransomware attacks targeted critical infrastructure. In 2021 the United States government had to declare a regional emergency, as you noted, Madam Chairwoman, after the Colonial Pipeline was taken down. The largest pipeline system in the country. That was just one frightening reminder of what is at stake. State and local governments are particularly vulnerable because they are storing much of our personally identifiable information that they the protections as billion-dollar conglomerates. Criminals also do not discriminate between large areas and small towns. Communities of all sizes have been victims, including Dallas, Texas; Oakland, California; and Lowell, Massachusetts. In 2023 a ransomware report found that nearly 70% of the surveyed IT leaders in state and local governments reported ransomware attacks. Just as troubling, report on educational systems are the most likely.
I ask unanimous consent, Madam Chair, to submit this report into the record. Without objection. I thank the chair. Of this firsthand from the ransomware that detect the public school system, the 10th largest in America. Members of this committee are well aware about a coronavirus pandemic abruptly revealing how ill-prepared state and local governments were at delivering vital public services securing the IT platforms. Direct check payments to families and small business loans and on and on. We held hearings on the IT infrastructure and rising cyberattacks to state and local governments. We need to accelerate IT modernization. In response to that hearing we introduced the House companion to the Senate State and Local Digital Service Act. This important legislation provided guidance and critical funding to state and local governments to form digital service teams focusing on secure public services. I certainly hope this Congress will continue that work, and furthermore we hope to champion the bipartisan infrastructure bill providing more than a billion dollars in public and private employees who fall victim to cyber attacks every year. Earlier this year the Biden-Harris Administration published its National Cybersecurity Strategy, which addresses these among other issues head-on by laying out a plan to disrupt ransomware criminals that lays out four key pillars to disrupt them. One, leverage international cooperation ecosystem of their ransomware ecosystem benefits and isolate safe havens, and investigating ransomware crimes by using law enforcement and other authorities to disrupt them, and third, bolstering critical infrastructure resilience to withstand such acts, and fourth, addressing the use of to launder ransomware. The Department of Justice continues to hold criminals accountable, and most recently the Qakbot network, seizing more than 8. 000000 in cryptocurrency.
While these are important first steps, much more has begun, and I know we will hear that from our witnesses today. I look forward to hearing your testimony, working with you, Madam Chairwoman, and others in trying to crack into terror and prevent ransomware attacks, and I yield back. Thank you. I recognize Chairman Fallon. I want to thank everyone for being here, and I'm grateful to the subcommittee and the Subcommittee on Cybersecurity teaming up to talk about this very important problem. America relies on everything than you rely on something and when it goes down it has a far-reaching consequence when it's jeopardized. While ransomware attacks are digital files held for ransom until the ransom is paid, the true cost of cyberattacks goes well beyond the money surrendered. They wreak havoc on the normal operating procedures of a company, a school, a hospital, forcing reallocation of staff, lost revenue and damage to reputations. Following an attack they may have to bury out that their entire IT infrastructure. Scary, costly, and scrambling to redirect funds earmarked for other investments. Mountain Dew could get a cyber attack and where would our colleague from Tennessee be? You might be making investments in teachers and personnel, our most valuable natural resource. Congress should be very concerned about these attacks and where they originate. The vast majority are coming from Russia, a country that clearly doesn't have our best interest at heart, and when these attacks target essential sectors like the electric grid or hospital system or the pipeline or JBS a couple of years ago, they endanger public health, quite frankly putting American lives at risk. We saw they can have an impact well beyond the original attack into the larger economy, again with Colonial Pipeline, that reverberated and was very dangerous and very chilling.
As our world becomes more reliant on technology, unfortunately the opportunities for bad actors to use that technology for their own monetary and political gain become more often, but we must prevent hackers from being able to use ransomware to upend American institutions and risk our nation's prosperity and health and safety. I'm grateful for our witnesses who are here today to share their story and help us examine the ongoing threat of ransomware attacks. During this hearing I hope to help prevent further attacks and punishing those that would go after our critical infrastructure. With the government provides resources for better protecting our own system, I look forward to discussing how the Security Agency, the FBI and other federal agencies can better protect the American people and their data. Thank you, Madam Chair, I yield back. I now recognize the congresswoman. Thank you, chair and ranking member Connolly, and thank you to the witnesses for joining us today. Our hearing today addresses an issue threatening Americans far too frequently: ransomware attacks. Criminals both foreign and domestic use ransomware to target everything and everyone: private businesses, state and local governments, hospitals, school districts and critical infrastructure. Care and safety net services for our nation's most vulnerable. But before I go any further, we cannot sit at this hearing without addressing the terrible dangers we face with the government shutdown. A government shutdown, much like a ransomware attack, would be dangerous, destructive, and disastrous. The Cybersecurity and Infrastructure Security Agency, the agency that leads federal cybersecurity efforts as the National Coordinator for critical infrastructure security and resilience, would have to furlough 80% of its employees as a result of the Republican shutdown. We are talking thousands of critical workers, people with families, and that is just one agency.
The Department of Justice, the agency responsible for investigating and taking down criminal ransomware networks, would also be forced to furlough thousands of employees. With a shutdown, extreme Republican members would undercut organizations and state and local governments relying on federal funds to prevent the crippling ransomware attacks we are discussing in this very hearing. All over the country ransomware attacks directly affect people's lives. Hospitals have to turn away patients. 911 calls are unable to dispatch ambulances and fire trucks. Small businesses have to slow down. In some instances people are unable to pay their water bills because the city website has been paralyzed by a hacker demanding ransom, and those late fees add up. In my home state ransomware targeted the Ohio unemployment system in July preventing and in March the Lakeland Community College in Ohio in my district was the victim of a cyber attack that compromised the personal data of nearly 3000 individuals. Now the Biden-Harris Administration has made defending against these kinds of attacks a top priority. Thanks to the state, local and territorial governments with cyber capabilities they need. But on Sunday at 12:01 a.m. these dollars are at risk of not making it out at all. It is just one more reason the MAGA shutdown is harmful to everyday people, our national security and our standing in the world. And with that, Madam Chair, I yield back. Thank you. Pleased to introduce our witnesses for today's hearing. Our first witness is Mr. Grant Schneider, senior director, Cybersecurity Services. Our second witness is Dr. Lacey Gosch, superintendent of technology at Judson Independent School District. Our third witness is Dr. Stephen Leffler, president and chief operating officer, University of Vermont Medical Center. Our last witness today is Mr. Sam Rubin, vice president, global head of operations at Palo Alto Networks Unit 42. Welcome, everyone. We're pleased to have you this afternoon.
Pursuant to Committee Rule 9(g), the witnesses will please stand and raise their right hand. All right, do you solemnly swear or affirm the testimony you are about to give is the truth, the whole truth and nothing but the truth, so help you God? Let the record show the witnesses all answered in the affirmative. Thank you. We appreciate all of you for being here today and look forward to your testimony. Let me remind the witnesses we have read your written statements and they will appear in full in the hearing record. Please limit your oral introductory statements to five minutes. As a reminder, please press the button on the microphone in front of you so it is on and members can hear you. When you begin to speak the light in front of you will turn green. After four minutes the light will turn yellow. When the red light comes on your five minutes have expired and we will ask you to please wrap it up. I first recognize Mr. Schneider to please begin your opening statement. Thank you very much. Chairwoman Mace, Chairman Fallon, Ranking Member Bush, members of the committee and your staff. Thank you for the privilege to appear before you today. I've spent my entire 30-year career focused on our nation's security. This includes over 20 years at a defense agency, seven of which I served as chief information officer, and six years in the Executive Office of the President serving as a senior director for cybersecurity policy on the National Security Council staff and most recently as the federal chief information security officer. For the past three years I've been senior director, Cybersecurity Services, at a law firm where I help our clients, both large and small, from all sectors, enhance their cybersecurity programs through the development and implementation of risk management strategies. In my time in government I have supported numerous organizations with the preparation, response and recovery from various cyber incidents including ransomware attacks.
Some of these include leading the response and recovery for a regional healthcare delivery organization that was the victim of ransomware. Creating playbooks and decision matrices to help clients consider the actions they may need to take in the event of a significant incident. Working with law enforcement and the intelligence community and other interagency partners on ways to disrupt malicious cyber actors. I want to thank the committees for taking up the important issues related to ransomware. As has been mentioned, ransomware is a form of cyber attack where a malicious actor typically steals sensitive information, encrypts a victim's files and systems, and demands a payment, a ransom, to return services to operation. To be clear, it's malicious actors to make money. It's really about foreign policy or espionage like we see from nation-state actors. However, policy discussions are complicated by the fact many ransomware actors are protected, sometimes endorsed and encouraged for which they operate. Malicious cyber activity and ransomware have been around for decades. Several factors, which have been mentioned, have come together in recent years to expand the frequency, scale and public awareness of ransomware events. Organizations today are dependent on technology to develop and deliver their services. This includes organizations in education, healthcare, financial services, energy and every other critical infrastructure sector. These enhancements provide increased productivity, convenience and broad delivery of services to customers. At the same time more critical services and sensitive data have moved to an internet-accessible environment and are at risk. Concurrently ransomware actors have increased access to malicious tools, anonymous payment systems and safe havens from which to operate. Government organizations have published alerts and guides to help educate private organizations and individuals on defensive cybersecurity controls they can put in place.
Some of these include implementing phishing-resistant multifactor authentication for digital identity, a robust set of backup tools and procedures, encryption of data at rest and in transit, phishing emails social engineering attempts. Policymakers, ransomware has devastating operational and reputational impact on its victim organizations. During a ransomware event, organizations including law enforcement can provide a very limited amount of support. Victims are left with an unsavory set of options, having to choose between restoring services quickly by paying a ransom or working to reconstitute systems and restore on their own. Often paying a ransom can be the most time- and cost-effective approach to getting an organization up and running again. Given these dynamics, ransomware remains a threat to large and small businesses, public sector entities and critical infrastructure organizations. In short, it is bad. But there is hope. International partners have invested heavily in disrupting ransomware activities across the globe, including the takedown of the Hive ransomware group earlier this year. Cybersecurity experts have partnered with policy professionals to propose legal and policy updates that will empower law enforcement officials and other cyber defenders to pursue these malicious actors and build resilience across our ecosystem. We must continue to develop these ideas but working with companies and public sector entities to harden their networks and protect their data. Thank you again for the opportunity to speak with you today and I look forward to your questions. Thank you, Mr. Schneider. I will now recognize Dr. Gosch for her opening statement. Thank you, Chairwoman Mace, Ranking Member Bush, committee members and staff, for allowing me to speak with you today. I represent the Judson School District and the technology. I'm here to share our experience with ransomware.
My primary professional role the events related to the testimony from my experience as a leader of the technology department serving over 24,000 students and 4,500 employees across seven municipalities in the San Antonio, Texas area. I also serve as an elected school board member for the my passion for seeking. On June 2021 I received a call stating our systems had been affected by ransomware. We briefly investigated the depth of the attack and confirmed the ransom note's content. The ransom note stated all data and all devices and all servers were encrypted, including our backup system. We immediately contacted law enforcement, the Federal Bureau of Investigation. The threat actors were identified, a variant of the strain of malware commonly leveraged high-paying assaults, victim selection based on their ability to pay. In 2021 was the third most prevalent ransomware strain, with primary targets of higher education and K-12 schools. The group was most notably known for their double extortion involving publicizing stolen information should victims refuse to comply with their demands. From a single vector with two pivot points, the entry vector and first pivot point was one of my employees' computers. The second pivot point was a video streaming server that was designed to have no outside was used for internal video streaming only. From these points threat actors were able to penetrate the backup system, data stores and devices connected to the network. A full investigation a total of 428,761 individuals were affected, and those individuals are living in all 50 states. The recovery of our network was not our concern with ample resource to restore our systems; our concern was security of the data by the threat actors in preventing the release of the information to our constituents. Consequently the district made the difficult decision to pay the negotiated amount of ransom to link five at a 47000 on June 29. Our recovery took more than a year.
The district continues to make improvements. The restoration was only possible for the efforts of my technology team's perseverance, key vendor partners and some school district friends that assisted us in communications and business operation function. While others were too scared to even take our calls. Thankfully there are companies and school district partners who saw our situation as an opportunity to learn. We learned that the cavalry does not come and we must rely on our own resources. No state or federal agency ever visited or offered recovery assistance to us. Insurance coverage was helpful but those go predominately to attorney's fees, data mining and identity protection. It does not cover ransom payments or costs for upgrades to mitigate the damage. The costs for repair exceed the limits of the policy, forcing districts to make difficult decisions about funding allocations. The costs are not limited to data loss or data breach; they extend to monetary loss and recovery replacement efforts, security efforts and mental and physical health that are rarely discussed or considered because of these events. I was hired only 34 days prior to this attack in the school district stated the district technology was not unlike thousands of school districts across the nation. It was outdated, out-of-support and antiquated systems and hardware. That included outdated infrastructure that could not support the changes brought about by COVID-19. These factors attributed to vulnerability and continued concern for many K-12 leaders. Schools are often forced to balance the need for student curriculum, personal resources, abilities and other operations on limited budgets. Therefore fighting for solutions but to prevent attacks and protect data and have critical equipment for more visible items. Mitigation efforts for cybersecurity have not been formally developed for schools. We would recommend potentially discount programs like E-Rate and other federally supported programs.
Additionally there are other measures such as standards for network security, requirements for masking Social Security numbers and matching all systems, training, educational programs, social emotional programs for affected individuals involved are needed. I would like to thank the committee today for providing the structure to hear these issues. I'm honored to be able to present this information to you and to have you hear our story and recommendation. Thank you, Chairwoman Mace, Chairman Fallon, Ranking Member Connolly and all the staff involved. It's a privilege to be here. Thank you, doctor. I'd like to recognize Dr. Leffler for his opening statement. Thank you. University Medical Center, an academic medical center for the state of Vermont. We are the only one in Vermont for local patients but all Vermonters across the state who have life-threatening illnesses. On October 28 of 2020, we were seven months into the pandemic, we suffered a ransomware cyber attack. We were extremely fortunate that when the attack first started, before our IT team knew what was occurring, they made the decision to shut down our system. That was a critically important move, to do that before contacting the leaders, because they realized something was wrong. That single move protected our information. From patient care information being released and the employee information being released was key to our overall action during the pandemic. Over the next month we had two major initiatives. The first was an IT initiative to restore our network back to normal. The cyber attack, while it did not affect patient information, did infect 1,300 servers at the medical center and 5,000 desktop computers. Every single computer needed to be wiped clean and reimaged. Every server had to be wiped clean and reimaged. It was a 24-hour-a-day, seven-days-a-week job for our IT staff. We are very fortunate the state of Vermont realized how important this was and gave us the National Guard workers to help with the reimaging.
The second major focus for us was patient care. With the sole hospital in our state we did not have the option of stopping care, shutting down and going on diversion. We knew we were going to have to take care of people. The cyber attack impacted our electronic medical record for more than 28 days. Im so under two of the cyber attack we stood up two incident command teams. An IT team focused on restoring our IT systems; there were 600 applications that had to be cleaned and brought back online. And a clinical incident command team was completely focused on how we provide care on paper. The extent of the attack was broad. We did not have internet. We did not have phones. It impacted radiology imaging, laboratory results, and because it had been shut off appropriately we did not have the EMR for 28 days. We were back to paper. For an older doctor like me paper was pretty familiar, but many of our young new doctors had never written paper orders. We had to go back and teach them how to do that. We brought together clinical leaders from surgery, anesthesia, trauma, emergency medicine, obstetrics, medicine, and sometimes twice a day, seven days a week for 28 days, decided how we can safely provide care for patients who we knew would be showing up. What care could be safely delayed, what care could be transferred out of state to other academic medical centers who could help us. Over the course of that month we delivered hundreds of babies, did trauma surgery. Surgery but we did multiple other cancer staging operations, all safely with high quality on paper. You did have to deliver care for some patients; we used the extra providers to provide an extra set of eyes and hands to make sure the paper system was working.
Over the course of the month we did not have our EMR, every day we were focused on what and how. One of the major issues we faced is in 2020 best practice was to save three days of forward-looking information from your electronic medical records. Our cyber attack happened on a Thursday. On Monday morning our clinics did not know who was going to show up in the clinic that day. We did not have your medical information. Did not have the problem list. Did not know what time they were coming or for what. Hajek on the news: if you're coming for an appointment today, bring everything you have with you to help us take care of you. Early in the cyber attack, the first two days, we didn't have a phone system; our phones are on the internet. We literally went to Best Buy and bought every walkie-talkie they had. I asked our administrators to run lab results to the floors; our critical lab results were down. On day two we had a pile of paper lab results in our pathology conference room about 6 inches thick of lab results for our patients. We had medical students file those results. Over the course of our month we took care of hundreds of patients safely, but it was hard. I have been an emergency medicine doctor for 30 years. I have been the hospital president for four years. The cyber attack was much harder than the pandemic by far. Thank you very much. Thank you. I'd now like to recognize Mr. Rubin for your opening statement. Chairs Mace, ranking members Connolly, distinguished members of the committee. Thank you for the opportunity to testify on combating ransomware attacks. My name is Sam Rubin, vice president of global operations at Unit 42, which is Palo Alto Networks' incident response and threat intelligence division. For those not familiar with Palo Alto Networks, we're an American-headquartered cybersecurity company founded in 2005 that has since grown to protect tens of thousands of organizations around the world. We support critical infrastructure operators, the U.S.
federal government, universities and other educational institutions and a wide range of state and local partners. This means we have a deep and broad visibility into the cyber threat landscape. We are committed to using that visibility to be good cyber citizens and national security partners with the federal government. We look at our role as a cybersecurity leader with great humility. We envision a world where each day is safer and more secure than the day before. This takes all of us working together. The current cyber threat landscape to me office posture. My written testimony includes concerning numbers and trends, many of which we heard here today. We are seeing the ransomware threat grow as well as attackers raise increasingly sophisticated methods to extort money. My written testimony highlights that if we look at our global attack surface through the eyes of the adversary, it looks porous and far too inviting. Entities of all sizes are struggling to understand and manage their digital infrastructure. Their computers, their servers, their mobile devices and all the rest that connect to the global internet. Despite the sobering backdrop, we remain confident we are well-equipped to combat the cyber incursions of today and tomorrow for several reasons. First, important advances in technology, especially artificial intelligence and automation, are absolute force multipliers for cybersecurity defense. For too long defenders have been inundated with triage of manually creating inefficient game of whack-a-mole while critical alerts go unmet and vulnerabilities remain exposed. We sit at a strategic inflection point to flip this paradigm. Second, cybersecurity is increasingly being recognized by entities of all sizes, public and private, as a critically important issue. We need to take the next steps now. Every enterprise must recognize cybersecurity not just as an IT concern but as a core part of the enterprise risk management strategy.
Third, policymakers are showing sustained desire to support cyber defenders. Thank you for that. As just one example, the State and Local Cybersecurity Grant Program is already showing potential to increase resilience to ransomware attacks across all corners of the country. Cybersecurity matters to all of us. Ransomware attacks our daily lives, from disruptions to public services like hospitals to interruptions in the supply chain to critical pipelines being taken offline. My team specializes in helping organizations respond and recover in their darkest hours, when they have been hit by a cyber incident. Our mission goes beyond just recovery. We aim to elevate cybersecurity posture so when they come out of it they are stronger than before. That is what makes the work so fulfilling for me personally. That spirit of partnership in the cyber community, the notion we are all in this together, must remain in our collective DNA. As a company we are proud to participate in a number of forums, not to sell our products but to share our situational awareness and our understanding of the cyber threat landscape. Critically, in forums like these commercial competitors become threat partners. I want to thank you for the opportunity to testify today and I look forward to your questions. Thank you, Mr. Rubin. I'd like to recognize myself for five minutes. I have a few questions. Everyone will have five minutes. I'll try to be as quick as possible and ask for as brief an answer as possible as well. I'm going to start with you. AI and cyber criminals: are they using AI to deploy ransomware attacks? Thank you, congresswoman. This is a threat we are watching very closely. We are also doing testing at our own labs to try to recreate some of the potential capabilities. At this point we are not seeing any new or novel attack techniques generated by AI. Do we have defenses? What kind of defenses do we have against AI-powered attacks?
We have the ability to use AI to our benefit to help protect organizations, and absolutely what we are doing is creating capability that leverages AI for our defenses. I apologize, I want to ask everyone a few questions. The Atlantic published an article earlier this year saying there was a 144 increase in ransomware from 20 to 21. That is massive. Is this across any specific sector: is it government, private, large or small, certain industries, or is it spread evenly throughout? From our data and our threat intelligence and the incident response work we do, we see these primarily as crimes of opportunity. The threat actors are leveraging automated scanning capability to find vulnerabilities and attack organizations that are vulnerable. Mr. Schneider, in the same report an average ransom payment, i cant lives on, was 5 million. Given the concentration in hostile nations, is it safe to assume some of these might be used by criminal enterprises to line the pockets of our adversaries? All of it is being used by criminal enterprises. It is funding and further fueling additional ransomware investments in AI and other technologies. What country is the worst? Which one of our adversaries is absolutely leading the world in these kinds of ransom attacks? In the research I've seen, generally Russia is where the majority is; it is a safe haven, and a lot of ransomware actors are there. Thank you. I have a few questions for the doctors, and I'll ask them evenly if you can both respond. In some cases ransom is paid, in some it is not. If you all could sort of generally say: it's not just a ransom fee, if it was paid, that would be the cost of this. There is a much larger cost to an organization, school or hospital. What do you estimate the cost was when this happened at the school or the hospital? From our experience it was very similar to what was shared from the hospital side: upwards of potentially three, four, 5 million. As for the UVM Medical Center, 65 million in costs.
Three, 5 million is sometimes a school's budget, depending upon the size of the educational, et cetera. From what you have seen in the experience and what you have learned from it, what do you think other people should be aware of, or should be doing right now, to help protect their organization or institution? I am a physician, not an IT expert. I do understand we put things in place since the attack happened, but when the bad actors got into our system they were able to move around at will inside the system. We made it harder; for our administrators that's multifactor authentication, which we didn't have before. It will be much harder when they get in again. We assume it is going to happen again; there are some people trying. We have done similar. We use AI to monitor our systems. We are using multifactor authentication and technologies we did not have before; everything is cloud based. They provide that extra layer of protection, with extra password pieces and other components we have been told help with protection and recovery. We have added those at a high cost. That is always a concern as we look at school budgets in terms of maintaining it. But we were able to upgrade to what is needed to combat it. How long will that take? We are still working on those initiatives now. It took us a full year to get all the systems back online. We continue to make improvements within our network and additional security measures on the back end, on the infrastructure. Thank you so much. I yield back. I yield to my colleague from Virginia. I thank the chair, and welcome Mr. Schneider, who is my neighbor. We live in the same neighborhood, so welcome. Speaking of Mr. Schneider, I began my opening statement by noting that should the government shut down, as it almost certainly is going to on Saturday, 80 of the employees will be furloughed. What could go wrong with that? I don't know which 20 of CISA is going to be retained and what functions.
I would hope that they would continue to do the operational pieces and put out alerts as they see emerging threats start to evolve. But I guess we both agree 20 can't really handle what 100 normally handle; at the very least there's a risk. Yes. Yeah. I was really struck by the story in Vermont, and I have images from when we were doing health care. I did a lot of tours of health centers and hospitals, and I had in my mind a dialysis unit with many, many patients around, and you have a central computer screen monitoring their progress; likewise an oncology unit, same thing with chemo. And so I was particularly thinking, well, aren't those patients and those units particularly vulnerable in an attack, because you have got 20 or 30 patients at a time, often either on dialysis or on chemotherapy? Was your hospital affected with respect to those patients? So we kept both those units open because those patients needed to stay alive. People are life dependent on dialysis. We added staff is what we did; we switched to paper and added more staff members. But it did affect it. It affected every single part of our function, everything that we do. Unbelievable. I think that's really important, because in addition to the story of schools, and my school system was also attacked, we're talking life and death, and the criticality of a hospital can't be overstated, nor the vulnerability of hospitals. You said something really profound: I'm not a tech expert, I'm a doctor. And we can't expect everybody in their field of endeavor to be tech experts, and yet that's the vulnerability, and it affects directly your ability to perform your functions and to serve your clients, your patients. So, Mr. Rubin, I was struck by the fact you used the term, trying to create a new paradigm. What strikes me about ransomware is everything about our response is reactionary.
The paradigm is highly defensive: either you do or don't pay ransom, and then after the fact we shore up our assets and resources to prevent it from reoccurring. It seems to me, if it is a good paradigm, it is more proactive and preemptive rather than reactive. I give you an opportunity to comment on that. Yes, thank you, Congressman. I completely agree with you. We need to move the focus into taking steps ahead of time, sort of in peacetime, so to speak, and organizations public and private need to invest in their cybersecurity posture, in their awareness, and essentially in their defenses, to take steps ahead of time. Absolutely. To what extent would you say that the vulnerability today offer because finger on it and really resonates with me, after the pandemic experience, is that an awful lot, especially at state and local levels, we are just not investing in the platforms to keep them robust and cybersecure? To what extent do you think that's a big part of the problem? I do think that this is a big part of the problem. And investing in cybersecurity is an exercise in economics; it is the allocation of scarce resources. We heard about objecting bumentses, so there are cost-benefit decisions about where to put money, and sometimes investing in a cybersecurity resource or tool might mean something else goes unfunded, and so it is hard for state and local organizations. So that's why I think programs like the State and Local Cybersecurity Grant Program are a phenomenal resource for state and local entities to avail themselves of, to get more resources to help themselves out there. Couldn't agree with you more. I think it is an overlooked part of the vulnerability spectrum, and we saw that reflected in the pandemic. Because, take unemployment insurance: the vulnerability is 50 different systems, not one, and, you know, lots of them are building. I yield back. Thank you, Madam Chair. Thank you so much. I would now like to recognize Mr. Fallon from Texas for five minutes. Thank you, Madam Chair. Mr.
Schneider, when there's a government shutdown, to clear something up, it is up to the administration, is it not, to use exceptions for folks to come in to work? Yes. There are several exceptions allowed, like for those authorized by law, to protect human life, or protection of property? Correct. So you wouldn't have to furlough, but all of them come into work if you so chose. I don't know what decisions CISA is making about who. It is up to the administration. But it is up to the administration; everybody could come into work. I want to point that out. And as far as the shutdown goes, well, we'll save that for our close. Thank you for making the trip all the way from the Lone Star State, Texas. Your school was hit with the ransomware attack. Can you just describe, and did you pay the ransom? We did. And how much did you have to pay? 547,000 was the final amount. I think you touched upon this with Chairman Mace, but what are your best and greatest takeaways from the experience, as far as keeping it from happening again? Our best and greatest takeaways is that it is not a matter of if you're going to be hit by some attack; it's going to be your ability to mitigate and to defend and to recover. In our situation, one of the things that stuck out for us was the need to continually maintain and upgrade systems in the back end, and to be able to promote that information to other school district leaders. Because in similar situations, I am supposed to be the tech expert in this, and in many cases leaders of the school districts are not the tech experts. And making sure that message is heard, and to be proactive, with multiple ways in which to monitor and to actually utilize. I know AI can be seen as the danger in terms of ransomware, but at the same time it can also provide so much additional support for identifying a potential threat, because there are simply not enough man-hours in the day and there's not enough people to look at all of the codes coming in.
Just say, on average, six years ago, if a medium-size company was hit with an attack, what was the usual asking price? What was the ransom? I was in government at the time; I'm not sure I have a great number. But the numbers have certainly, certainly increased. Mr. Rubin will have. Go ahead. Yes. So we've seen the numbers grow almost exponentially year over year, and five or six years ago it was in the low six figures, if it's breaking 100,000 dollars, and data varies. But right now, you know, our average from our data was over 650,000 on average. That's in keeping with what someone, when we got the idea after the Colonial Pipeline, gbs, and the subcommittee chair got the idea to have this committee hearing, and those in Texas. I found it very interesting that the average ask, it seems, in that neighborhood was about that 50 grand range years ago, and now ten, 12 times that, and that's frightening. And then a lot of people, we say, oh, it is x amount of attacks. We don't know really how many, because there's so many folks that pay and are embarrassed they pay. Or in a case, a friend of mine, who will remain, not to be a continued target, he got hit but he had a backup system good enough to not pay, and he rolled into that, and then they worked on, you know, basically securing the well, if you will, moving forward. Doctor Lester, it was hit in 2020, and did you pay the ransom? We didn't. We had a good backup. But you said it still cost you 65 million. Where was that? It was in cleaning and recruiting the system, it was in care that was deferred, it was in extra staff to care for the patients that we cared for. It was across the board. Well, being originally from Massachusetts, right down Route 7, you know, hill for you, go Vermont. Mr. Schneider, we've heard from Doctor Loeffler about impacts with ransom and 65 million. Can you explain how cyberattacks on critical infrastructure, like the one we had with Colonial Pipeline, can affect industries and communities beyond the victimized operation?
Yeah, thank you for the question. Certainly Colonial Pipeline is a great example, where the pipeline was shut down. I think by all reporting it was not actually impacted by the ransomware, but they had to shut it down out of an abundance of caution, and then there was the ripple effect on the entire East Coast: if you were trying to get any fuel, you could not; there were long lines, certainly, at gas stations, and that just has a trickle-down effect, or, you know, an exponential impact or broader impact on the economy at large. My time has expired. Thank you, Madam Chair, I yield back. Thank you. Now I would like to recognize Congressman Brown. Thank you. The Biden-Harris administration released a National Cybersecurity first-of-its-kind effort to combat ransomware attacks. This comprehensive government effort prioritizes the protection of our nation's economy, infrastructure, national security, and public health. The administration's sophisticated strategy addresses long-term solutions to cybersecurity challenges, including the need for a workforce prepared to deal with 21st century issues like complex, elaborate and long-running ransomware threats. The next generation of our workforce, those who are in college, trade schools or newly reentering the workforce, are often our first line of defense against cyberattacks. In today's integrated economy all sectors have critical technology components which are vulnerable to ransomware. That is why a prepared workforce is essential to our national response. So, Mr. Rubin, in what ways has the Biden-Harris administration's National Cybersecurity Strategy expanded educational programs to diversify, grow and equip the cybersecurity workforce? Thank you, Congresswoman. We applaud the new cybersecurity strategy. There's much in there that really aligned with our vision for how to keep organizations safe.
And enhanced visibility, focusing on zero trust, talking about preparedness and IR plans. But with respect to training and educating individuals, there's also a lot there as well, something that Palo Alto Networks supports as well. We have a program that we call the Cybersecurity Academy that provides free curriculum to middle school through college students to help train and bring up the workforce of the future. Thank you for that. Now, when conducting a hiring initiative from the Biden-Harris administration, it is important to highlight disparities in the cyber workforce this seeks to the 2021 report from the Aspen Institute found only 4 of cybersecurity workers identify as Hispanic, 9 as Black and 24 as women. Mr. Rubin, how can we incentivize hiring a more diverse cyber workforce, and what best practices have you seen to recruit tech talent from communities which are currently underrepresented? Thank you again, Congresswoman. One is inclusion, and we work hard to make sure that we do have diversity in the workforce, and so I think that first step is awareness and being conscious that this is something that's important, and that we all do better when we have people from different backgrounds and different perspectives. Another program at Palo Alto Networks is recruiting college graduates into a program we call an academy; they're college graduates that join our workforce, and I'm proud to say this current class is actually 80 female. But that includes, you know, broad diversity as well. Thank you for that. Additionally, as a member of the select committee between the United States and the Chinese Communist Party, I am committed to working with our international partners to protect these United States from malicious foreign attacks. It is extremely dangerous; we have terrorist groups as well as nations like Russia, North Korea, and China working to disrupt our cyber systems and our strategic alliances in the West. So, Mr. Rubin or Mr.
Schneider, in what ways can the United States work more closely with our international partners to combat the threat of ransomware attacks and other cybersecurity challenges? I mean, thank you for the question, ma'am. I think, to your point, we have to do this as an international, you know, collaboration in order to put an amount of pressure on ransomware actors and on the nation states from which they're operating, and there's a variety of tools that can be used for that, whether they're diplomatic tools, but we're going to have to work together in order to make any real progress in this area. Thank you. Mr. Rubin. I agree. I think I would put them in the disruption and deterrence. On the disruption side it is leveraging that diplomatic pressure, using carrots and sticks where we can to influence law enforcement action and takedowns, and we have seen some of that more recently, but I think there's a long way to go. And thank you very much. Clearly the president's comprehensive cybersecurity plan, which involves everything from an expanded and better trained workforce to cooperation with our international partners, is already paying off. I'm ready to work in a bipartisan manner to strengthen and support the president's initiative, and with that, Madam Chair, I yield back. Thank you. I would now call on my colleague from Tennessee. Congressman, don't screw it up. Thank you, Chairlady, I'll try not to. Thank you. All of the good questions have been asked, pretty much, but down the line, what can we do to fix this? Thank you for the question. I think that is the question of the day, right, and it is something that. That's not going to get you anywhere, complimenting me. More insult and attack and everybody else will agree with you, but go ahead. I probably won't go down that route, sir.
We have to approach it both from a defensive standpoint: what defensive measures, cybersecurity measures, can companies and organizations put in place in order to protect their systems, to have good backups of their systems, to encrypt their own data so it is not encrypted by someone else and taken from them. And as we were just discussing, we need to be able to disrupt and deter actors in cyberspace, and we really need to find a way to shift the value proposition for ransomware actors. Today they're able to do this with almost impunity, to make money at it, and we have to find a whole of government, and a whole of working with our allies, to make real progress here. Do any of our ally countries have people involved in this? I mean, it always seems like every time we come out and say you're not going to break into this system, some 12 kid in somebody's garage gets into the system. You know, I think we have really good international cooperation on this. You know, as this hearing notes, it is a really big challenge. So it doesn't always feel like we're making the progress, but I think we are, you know, building those interactions across nations with a lot of our key allies. All right, Doctor, how do you say your last name? Gosch. Gosch, good, glad. Go ahead. So from the educational standpoint, I think a lot of the things that could happen for school districts really have to do with funding and some discount programs, things like that. But additionally, there really needs to be additional standards set for schools, because there's not a lot of equipment so outdated. You're talking to us when AI. When I remember Mace asked me to be on this committee, I thought a bunch of guys out here in powder blue leisure, listening to eight-track and Gremlins, were the ones making decisions on that. So I can appreciate that. And there's other aspects of that. You know, we spend a lot of time on emergency operations plans.
But at least in Texas there's not any particular guidance or requirements to deal with cybersecurity; it's just not talked about. And within education it is not something that is supposed to necessarily happen. I know in our case a lot of times people think that due to lack of backups, things like that, is why we went the way we went, and we have backups; that wasn't the issue. But we have to, and there's regulatory things that help in the cybersecurity piece, as far as student data, in having some regulations even on software companies. Doctor Loeffler. I agree with my colleague that from a hospital perspective a lot of it is funding and grants. In every budget that we build, as a doctor, I want to spend all of the money on patient care, technology, new equipment there. Prior to the cyberattack, usually cybersecurity stuff would fall down the budget and oftentimes come off. So having ways to more cheaply buy programs and have those programs be current and new and upgraded, or grants to bring hospitals up to standards, to have a strong backup so you don't have to pay ransom, would make a huge difference, I believe. I'm surprised often how medical records and things, photographs, things like that, are taken out of specifically doctors. Yes. Mr. Rubin. Thank you, sir. So I break it up into what we can do on the public sector side and within private sector organizations. On the public sector side, I think bringing continued awareness to the problem, as we're doing today, is important. I think continued support for local and state governments, as we discussed, programs like that are providing resources. On the private sector side, I think it is a lot of the adoption of technology that we heard about here today: getting visibility across your estate, both externally, leveraging AI and technology to separate noise, to respond and see to what's important, because no organization can fund the staff and the expertise they need to do that without the help of technology.
And then it's adopting best practices. There's a program, a paradigm, called zero trust, which is defense in depth aligned with essentially what you need to know. And lastly, having a plan to respond. All right, well, I'm about out of time, and I'd state, as elected officials, something we ought to be very much aware of: if they're reaching into these systems to take something out, they can reach in and put something in. And as elected officials that's something we need to worry about, and I worry very much about Mace pointing at her timer and giving me the look; my time is over. Thank you. [laughter] Thank you. I would like to recognize Congresswoman Norton. Thank you, Madam Chair. Mr. Schneider, every year since 1997, information security and cybersecurity has been on GAO's government-wide high-risk list, meaning it is extremely vulnerable to waste, fraud, abuse, or mismanagement, or in great need of transformation. This year is no different. This year's update, however, noted the Biden-Harris administration's continued commitment to making sure our nation works to remain ahead of ransom attackers. As always, though, more work can be done, especially as federal agencies remain high value targets for foreign adversaries like Russia and China. Mr. Schneider, why are federal agencies ripe targets for ransomware? I think federal agencies are ripe targets for cyber incidents in general, and because of the information that federal agencies have. And so I think nation state actors look at federal public sector organizations as having the high value assets, and therefore they are high value targets as well, so they're seeking to get the information from those organizations. Well, if that's so, Mr. Schneider, what steps can federal agency leaders take to mitigate their risk of falling victim to ransomware? Ma'am, there's certainly defensive steps they can put in place.
You know, my colleague mentioned zero trust, which is a movement towards, you know, further hardening your infrastructure. I mentioned in my opening testimony implementing multifactor authentication, encrypting your own data, ensuring you have backups. There are a lot of very basic steps that need to be done, patching your systems; they have to be done very, very consistently and continuously. Federal agencies are not going to get to a point where they're quote unquote done or they're safe. They're going to have to continue to exercise to stay hopefully one step ahead of the malicious actors. You've previously highlighted to this committee the need to update federal information security and cybersecurity laws, such as FISMA. How could Congress update cybersecurity laws to help agencies better defend against ransom attacks? Yes. Thank you for the question. I think an update to FISMA is timely, certainly something that would help drive the administration to have and codifying would be helpful inside of the Office of Management and Budget to help really oversee the implementation of the various standards that the National Institute of Standards and Technology and others put in place. So there is some governance and oversight that I think an update to FISMA would be helpful for. Earlier this year, in February, the U.S. Marshals Service fell victim to a ransomware attack that required a month-long recovery in June. In June, criminal ransomware perpetrators targeted several other federal agencies, including the Department of Energy. I don't think it takes much imagination to envision the detrimental aspects of an attack on the agency responsible for our nuclear resources. So, Mr. Schneider, how can federal agencies prevent ransomware attacks? So, ma'am, I think that is the question of the day: what both federal agencies and private sector organizations can do to adequately protect themselves.
And again, there are a lot of basic cybersecurity controls that they need to maintain focus on. All organizations need adequate funding to be able to implement those. And they need leadership that is highly focused on the risks and threats that their technology environment brings to them. Yeah. And in the case of the June ransomware attacks I talked about, the ransomware criminals were able to exploit a commonly used file transfer program called MOVEit. So, Mr. Schneider, why are these criminals with third-party software if their target is the federal government? Ma'am, if a malicious actor is trying to get towards whatever their target organization is, in this sense a federal agency, they're going to seek the easiest, quickest, most efficient path to that. And so they're not just going to look at the federal systems; they're going to look at all of the systems connected to the federal systems, at where they can get into the information that they're trying to get to. Thank you, I yield back. Thank you. The chair now recognizes my good friend from North Carolina, Mr. Edwards. Thank you. Thank you, Mr. Chair. Mr. Schneider, I apologize if this question has been asked before I got back; I just came in from another committee meeting, and it's probably so obvious someone has to have asked it. Who is behind the majority of the ransomware attacks? Based on the information I'm seeing, the majority of the threat actors are coming out of Russia. Are who coming out? Russia. Is there any evidence that these attacks are government sponsored, or are they just bad actors inside of other countries? I think it's mixed on that. I think a large, significant portion of them, probably the majority of them, are criminals and criminal actors. Now, I think many of those are endorsed by, and perhaps even supported by, the nation states where they reside, to include Russia.
I think in general, my personal opinion is nation state actors that are looking for espionage or other foreign policy objectives are less likely to use ransomware as an attack vector. So, follow-up to that, I'll ask this to the panel if anyone has any information: is there any evidence that you're aware of that these bad actors are supported by a government entity of which we should be aware in our interaction with other governments? I mean, it seems like if they're government sponsored we should hold them accountable or refuse different levels of cooperation. There's certainly evidence of some countries supporting ransomware actors. North Korea is certainly a very good example, where they, you know, as a nation state will use ransomware to get around sanctions and try to bring money into the economy. Does anyone else have an opinion or an insight on that question? Congressman, I would add that I agree with my colleague. Yep. And thank you. So my understanding of ransomware is bad actors trying to just lock up a computer or encrypt information in return for money. Is there any evidence that these bad actors are trying to capture information, or are they just trying to encrypt someone else's information for extortion? I think more and more we're seeing kind of multi-extortion events, where they will both steal the information and try to encrypt it and prevent the owner of the information from having access, and ransom on two fronts. First is pay me money in order to have access to your systems again, and then a second approach is, you know, maybe your organization has good backups and says I don't need you to restore my services; then they will threaten that they're going to publicly disclose or sell or otherwise compromise the sensitive information. So we're seeing more and more actors that are also stealing information.
And being part of the private sector and also having served on the board of directors of a bank, I know that one of the things that keeps us awake at night is protected. Have you found that for the private sector there is any commercial software out there that adequately protects workstations and offices and homes? I'm not going to ask you for a recommendation. I would just like to know your opinion on how well we are prepared with these third-party packages to protect Americans. In general the cybersecurity tools continue to get better. The malicious actors are in an arms race, if you will. You get better on the defensive side; malicious actors are able to leverage new technologies, where they talked a little bit about AI earlier, as a way to advance and increase their capabilities too. It is a continuous battle. The last question, for any of you. Are you aware, is our government cooperating in any way or interacting with these third-party software solutions on what we find, to help build better packages for the private sector? Congressman, I can speak to that. We are a manufacturer of many software programs. We work regularly with the federal government and other organizations to share the threat intelligence we see, as well as the capability of our software to help protect those organizations. Thank you, Madam Chair. I yield back. Thank you. I would like to recognize Mr. Lynch for five minutes. Thank you very much. First I want to thank Chairwoman Mace and the Ranking Member for convening this joint hearing. I want to thank the witnesses for your willingness to help the committee with this work. We've been at this a while and I'm not sure things are getting any better. We recently had a sizable ransomware attack, very high impact, in Massachusetts, my home state, on Point32Health, which is the second largest health insurance provider; it's the parent company and health plan. That affects a lot of people.
In April this year the company announced it had been targeted by a ransomware attack that forced it to shut down several critical systems used to service members' accounts, brokers, and also healthcare providers. The attack also involved the theft of very sensitive information. As Mr. Schneider was saying, they could simply sell the information. That compromised the personal information of more than 2.5 million current and former subscribers. The stolen data included Social Security numbers, medical history data, health insurance account information, and taxpayer ID numbers. A very, very tough situation. Importantly, the American Hospital Association has said that the frequency and sophistication of ransomware attacks against our healthcare sector is dramatically escalating, with organized military units replacing rogue individual actors as the primary perpetrators. In the first six months of 2023 alone, more than 2020 cyber attacks targeted hospitals and healthcare systems, with over 30 million people affected. Speaking directly, healthcare is different in some ways; there is a vulnerability there that is not present in some others. The impact goes on beyond the institution, to private health information that's out there. From your experience, from the way you look at this, are there certain steps healthcare institutions seem to be taking right now, and that you have taken perhaps due to your experience in Vermont, that might make the system more secure? Thank you for the question. Have a strong, protected backup; critically important. Have it separate from your normal system and updated every single day. Next, make sure the IT team is empowered to shut down the system immediately if necessary; don't make them go up the chain of command. If there is something unusual, shut it down immediately. With the EMR down for two days, things you do are vastly different.
I would recommend all hospitals or health care systems tabletop exercise to imagine what it would be like to be down for a month, you didn't have phones, schedules, how to get lab results to the floor, how would you handle that is critically important, thank you. The wider impact in Massachusetts, we are seeing class-action lawsuits against the institutions because of the poor handling of the information. There is a follow-on problem there. That it was what mine is called by hospital. Moving to mobile applications for all of this information is there some way that we might close that gap? There was an article in the journal of medicine like a month ago or two months ago that says we should treat these as regional disasters almost because of the community-wide impact it is having. Not just on the Healthcare Institution of healthcare in general. I'd like to get your thoughts on that. Those longer-term impacts on the credibility of the Insurance Company or the hospital. How you clean that up even if the trend is moving toward greater mobility easier access to the digital information. In Vermont this was a disaster. Our entire state impacted all 14 hospitals expected patients across the region was a disaster we are grateful our governor and National Guard stepped in to help us. In terms of better protection right now with the edge of my knowledge the best we can do if they get in somewhere and they have a very hard time getting in everywhere. We have added steps of multiple identification to protect the system. I appreciate your courtesy thank you. Thank you very much madam chair to both of our chairs and Ranking Members for putting this together and to our witnesses. For a long time the United States has enjoyed a reputation of being impervious to foreign threats on our soil. Cyber attacks is a prime example of a contemporary form of warfare and espionage we have to be ready for and vigilant against. 
Even our wealthiest corporations, our Financial Institutions or hospitals, our organizations with cutting-edge cybersecurity IT protocol can fall prey to the cyber threats. The potential harm that can be inflicted on our Rural Communities such as those in my district. In the 23rd Congressional District we are home to many rural hospitals, School Districts, educational institutions, they're very vulnerable to the challenges. With that being said you highlighted as experienced several Cyber Attacks in the past. Could you identify any current patterns among the perpetrators? Were these typically orchestrated by cyber criminals seeking financial gain or are these foreign actors primarily interested in obtaining sensitive patient information? Thank you. Gratefully we only suffered one cyber attack, it was in October 2020. It did affect every part of our system. We did not contact the cyber criminals or pay ransom but I'm sure they wanted both payment to reopen our systems, likely would've sold the information. We are fortunate they are unable to get into our system to gain patient information. We suffered one attack. At the time it was during the pandemic we had many people working from home for it we did that very quickly we added a lot of security around our computer systems, laptops that's the way they'd gotten so many gone home with her laptop and entered from a home use when they plug it back into our system that is how it got into our network. Thank you. We are all familiar with the financial ramifications of ransomware attacks from cyber criminals. The losses could be in tens of millions of dollars or more. For a Major Hospital that is perhaps manageable even if it's not ideal. With document situations or perpetrators are seeking data Dr. Kagan what specific purposes did they have in mind for acquiring this information what threat is the data leak to patients? It is a very significant threat to patients. 
Patient information is protected by HIPAA but we take it very seriously. If a cyber criminal is able to get into the Electronic Medical record they can sell that information on the internet and access to both the patient financial information, insurance information, and cause huge issues for our patients. Thank you. There is no doubt hospitals have heard this information to get negative spotlight. The primary focus for any hospital is undoubtedly patient care. I understand ransomware attacks result in unauthorized access to Sensitive Information. Could you elaborate how they would affect quality patient care? Basically in healthcare right now your Electronic Medical record is your connection to everything you do. Everything runs through that, your lab information, radiology, all run through that. That was down is a huge impact on patient care. Right now to order medication for patient Electronic Medical record toshi if you pick the correct dose. If it's right for the intended purpose, if there is an allergy, if it's safe to give this particular patient based on their size and age. When the system goes down all of those revert back to a system that our doctors are no longer trained on. And so we had to go back to paper and make sure someone, the person goes to the steps may impact how the operating room. How lab results are sold how imaging is done we had to buy drives to store imaging while we were down. It has a huge impact on patient care every day the impact was greater than the pandemic. It seems a cap tremendous impact on workforce as well. What resources is the federal government offered to experiences that experience ransomware attacks? Are there any specific recommendations or standards you would propose to this committee? Particular in context of rural hospitals? FBI was hugely helpful and provided great insight and help. 
Beyond that, I said before hospital budgets are very tough and typically Hospital Leaders want to spend money on patient care issues so grants for funding have the most current cybersecurity protection will be very useful. Guidance and training on how to prepare for a 30 outage is critically important helping make sure they have the current people training will make a difference. Thank you very much, thank you for your testimony and I yield back. Thank you. I'll recognize congressman for five minutes. Thank you madam chair, thank you to chair Fallon and the Ranking Members. Thank you for being here. The ransomware attacks we talked about today are becoming increasingly frequent in our society, particularly as we write more and more in technology for my home state of South Carolina and is not an interim that we are subject to very serious and costly attack in October 2012. South Carolina department of revenue was hacked by cyber criminals who used encrypted malware to steal the income tax returns of 6.4 million South Carolinians, residents and businesses. The attacks impacted were the three quarters of our population. 3.6 million Social Security numbers, third 87000 credit and debit card numbers. The financial cost when as a member of the General Assembly it was over 20 million to protect South Carolinians. At the time this was considered to be the biggest and largest attack on a state agency not only in South Carolina but across the country. Just this year South Carolinians are subject to numerous attacks. It does not seem to have an end in sight. Bart witnesses agents hospitals businesses people individually who have run into this problem. So the question I have for you is, of the cyber criminals you've encountered in your 30 years of experience, who are these people? Are they young, old, domestic, foreign actors? What type of people do you see that engage in this practice? Thank you for the question congressman. I think it has evolved over time. 
So sort of the stereotypical from0 years ago was a kid in their garage on a big couch. I think it has really moved on to what we are seeing today are ransomware actors and cyber criminals. They are thinking like business people. They are setting up help desk, if a victim does not know how to pay them appropriately they can help them set that up in an appropriate wallet and send them money. Chairwoman Mace mentioned earlier ransomware as a service. This is becoming a Business Enterprise for malicious actors who are very, very organized. They are typically in nation-states that are allowing them to act pretty freely. Sometimes they're probably encouraging them as well. We hear all the time cyber criminals adapt their tactics to infiltrate. How your eyes become involved in this activity how did they get engaged in their craft? Congressman I do not have much data or information on how they get into this. Part of my speculation they are probably in countries if they have some skills this is a place rick but their skills to unfortunately work in a malicious manner. We would much rather see them on a defensive side of the cyber trade. Has it changed at all in the era of work from home or during the pandemic, how has the landscape shifted? The landscape has shifted in the way our threat surface is connected. We discussed earlier we interconnect more and more systems, more and more data. Every time we interconnect more systems we introduce potential vulnerabilities that give the actors more places to attack from. Thank you for that. Our recent 42 report found Social Security tames nearly six days to resolve an alert according to the report the amount of time it takes adversaries to move from compromised to data is nearly a few hours. Do you expect six days remain the average in the future given cyber criminals are increasingly sophisticated and effective? Thank you congressman. Our goal is to help organizations reduce the time to respond. 
Combination of training, a combination of technology, a combination of dedicated resources. Our goal is to help organizations move that from six days down to hours or even minutes. When a threat actor gets into an organization they might have a system. One, what they are trying to do is elevate privileges to break out of that system and move to other parts of the network. If you can catch them when they are on the first system and can contain it and take what might otherwise be a crippling ransomware attack and make that something much smaller. Thank you for that. Within that six-day period, how disruptive is that to businesses and employees? Of course, congressman, it absolutely varies on a case-by-case basis. But what I can say, a recent response investigation that we did, we saw for a Major Tech Company within a matter of 15 hours the threat actor went from a phishing attack to escalating privileges to moving laterally, to a terabyte of information and locking up 10,000 systems. 15 hours. Thank you. In closing I want to thank our panelists this afternoon once again for the testimony today. Especially for those who talked about their ransomware attack. Very few organizations and institutions and agencies will actually speak publicly about these experiences out of fear. I appreciate the collaboration but to my colleagues on this and everyone having the courage to be here today. I would now like to yield to miss her closing remarks. Correct thank you madam chair. First I want to share the concern my colleagues expressed earlier about these attacks on Critical Infrastructure. That is why we conducted a comprehensive investigation providing new insight from the findings are only going to thank my colleagues for calling this important hearing on ransomware today. Want to highlight the paradox to combat ransomware and cyber attacks. At the same gender driving headfirst into a shutdown. The shutdown will have real world effects both Mr. 
Conway image brown indicated in their Opening Statement the Cyber Security infrastructure Security Agency for Critical Infrastructure security and resilience will furlough the department of justice the Agency Responsible those are just two agencies shutdown hursley committees nationwide and at their core. While we think all federal employees are in the nation's capital here, the Congressional Research service has found that every single Congressional District is home to at least 2600 civilians under employees. All who will not know when they will receive the next paycheck. Are working everyday to keep our country safe 1.3 million active service troops. They will receive a paycheck until the government reopens. That includes 11000 Service Members in my district, 114,000 Service Members in Texas. Thirtyeight Service Members in South Carolina. Many of these military families will struggle to pay rent, afford groceries or get their prescription medication. I suppose there is one way to thank those who put their lives on the line for their nation. Democrats aren't the only ones horrified by the MAGA Republican Holding our nation hostage. Take for example my colleague Mr. Bacon told the reporters republicans are currently the dysfunction caucus at work. My colleague Mr. Gray from Louisiana said republican hold on appropriation government are holding victims. Said of the MAGA extremist quotes they just handed a win to the Chinese Communist party. If my colleagues really cared about National Security, cybersecurity, the health of this nation they would be funding the federal government right now. Republican colleagues are holding the nation and I yield back. Thank you. I now yield for closing remarks. Thank you madam chair. Just a couple of things. One, it is amazing to think Something Like combating ransomware it would not be partisan. Some of our colleagues didn't make it partisan some did calling it MAGA extremists and people who want to shut down. 
I don't know anybody wants to shut down. When you talk about resources there are limited resources spread that is why in the CR we are trying to work out to attach a Border Security that we desperately need. It may be a modest cut of Discretionary Spending will we are spending six and a 63 billion on debt service just this year alone. Over the next decade is 11 trillion additional dollars to service the debt. A decade or now that equal birthing stays the same about half of the total Discretionary Spending. It is time to do something. We also know and so it is sad to see that. But if you want to talk truth and fact? The senate which is controlled by the democrats had to pass all of their appropriation bills out of committee before the august recess. It sat on their hands, Chuck Schumer for two months and did nothing. You want to call it something you can call the schumer shutdown. Let's hope it doesn't happen, I'm not rooting for it but it does seem like some people are. Now on ransomware we want to deal the specificity. The best thing anybody can do, I've a friend right now who I mentioned earlier, an anonymous friend, he text me now so don't forget to tell them to have really good backups. Have multi factored all thing. You need help to get after these guys as well. One of the things we can do to get after them set filed a bill last congress which is protecting Critical Infrastructure act. Which would expand the penalties for fraud and related activities on these kind of attacks on the Critical Infrastructure, a Colonial Pipeline would be something along those lines. And expand the penalties but I know it's hard to get our hands on these, most of them in countries that would protect them. Or at least look the other way, Russia and China come to mind but sometimes they get careless. We need to also make sure clearly define the statute of physical infrastructure to be critical. Will be cyberspace infrastructure. 
The laws are were 30 years ago and my bill would direct to have the sanctions on form first to attempt to harm the National Security by accessing and compromising Critical Infrastructure. There are those things as well. I'm glad we had the opportunity to get partially a bipartisan meeting on these issues. Mr. Schneider you mentioned the battle between hace organization we give a lot of weight to. Denounce the threat and imposed on America by Russia. We have heard these attacks are originally mostly there. Small medium and large interest. I hope that in the future we can have it maybe someday, it may be I am naive. Have a hearing that is something that has nothing to do with partisanship. On the specific date of the press. We have a lot believe it or not we have some smart people in congress. We have got some dumb people too. But we've got some smart ones. Maybe we could Work Together but having service for eight years that everything was partisan then. We need to bring a little more in Texas to Washington D.C. Madam chair I yield back. Thank you. I will recognize myself for a few minutes in closing. I didn't want to say that because the white house did such a good job in the event there is a shutdown the 80 and the employees who will not be showing up as a decision by the president of the United States and his administration to decide what percentage of its employees are deemed essential or not. I will be showing up in the work in the event there is a shutdown. In the event there is a shutdown it's up to the president of the United States and his administration to prioritize who is and who is not essential. They could make it as painful as they want or as painless as they want to. They are furloughed are going to get back pay. That is something that should be very clear. 
If we could just tell the god's honest truth in this thing we would not be pointing fingers at either side because guess what, both sides are to blame if there is a Government Shutdown. Just this week we saw 33 trillion added to our nation's debt. That sham of a debt ceiling deal the American People were sold a bet of lies on, it's 18.8 trillion to the debt over the next 10 years. We are talking 50 trillion in debt. Over the next decade and they just want to blame each other. No, both republicans and democrats are at fault. The last time we balanced a budget in this place was in the 90s under president Clinton the democrat president and republican-controlled house. They had a decade plan to balance the budget. They did in four years because that surplus tax revenue. We cannot get a plan to balance out here in the next 20 years. When the American People get pissed off about a Government Shutdown, blame republicans and blame democrats who are at fault and refused to get to the table to make the spending cuts that are necessary to get this country turned around in the right direction. So with that and without objection I'm going to ask unanimous consent to enter a letter from the electric Reliability Council of Texas into the record. Without objection it is so ordered. Now we are back to ransomware on spending. Without objection all members will have five legislative days within which to submit materials and submit additional for the witnesses this week forwarded to the witnesses for their response. If there is no further business, without objection the subcommittee stands adjourned.