The committee on Homeland Securitys subcommittee on Cyber Security and Infrastructure Protection will come to order. First of all im sure i speak to for all of us here on the day as expressing our deepest condolences to all of the family members and all of the victims of yesterdays tragedy in las vegas. Events liking the one yesterday demand the utmost humanity in response to such blind hate and eevlt and hopefully it will give us all a renewed senses of purpose as we approach the tasks of the day. The subcommittee is meeting today to receive testimony regarding the department of homeland securities Cyber Security mission. I recognize myself for an Opening Statement. Were here today at the start of national Cyber Security Awareness Month to discuss what i believe is one of the defining policy challengings. The Cyber Security posture of the United States. Weve seen Cyber Attacks hit nearly every sector. And it is our shared duty to insure that were doing our very best to defend against the very real threat our cyber adversaries are posing. But make no mistake, the Cyber Security challenges we face are about much, much more than connecting bottom lines or intellectual property or the most classified information. They also impact the personal and often irreplaceable information of every american. This year we have seen on a grand scale just how much damage can be done by a single individual or entity looking to conduct a cyber attack. The Equifax Breach shows that it takes only one bad actor and only one exploitable vulnerability to do something to compromise the information of 145 million americans. This is not the first cyber attack that has garnered national attentions and unfortunately it almost assuredly will not be the last. As the members of this panel and as our witnesses here today know well, there is no Silver Bullet for guaranteed technology to fix the Cyber Security problem. Rather we need to be part of an ongoing sustained, dedicated persistent and comprehensive campaign to insure the United States remains the worlds Cyber Security superpower. We will continue to need a sharp work force and collective efforts in Public Private partnerships and the leadership of our Government Agencies to leverage our resources and to counter our highly sophisticated cyber adversaries. Today the subcommittee meets to hear from the government officials that are charged with meeting these Cyber Threats. These are the folks on the front lines day in and day out. Dhs is the federal governments lead civilian agency for Cyber Security and within it the National Protection and programs director where nppd leads our National Effort to safeguard and enhance the resilience of the nations physical and cyber infrastructure, helpling federal agencies and when requested, the private sector harden their networks and respond to Cyber Security incidents. They partner with critical intrastructure owners and operators and other enterprise stake holders to offer a wide variety of capabilities, such as system assessments, Incident Response and mitigation support. And the ability to hunt for malicious cyber activity. This collaborative approach to mitigating Cyber Incidents is meant to prioritize meeting the needs of dhss partners and is consistent with the growing recognition among government, academic and Corporate Leaders that Cyber Security is increasingly interdependent across sectors and must be a core aspect of all management strategies. This committee has been wurlking hard to insure nppd and dhs in its entirety has the neglectssary authorizations and organization it needs to combat growing Cyber Threats. Dhs needs a strong and sharp work force. And in an efficient organizational structure to support Cyber Security and Infrastructure Protection missions. Earlier this year the committee marked up and passed hr 3359, the agency act of 2017 to reorganizeinize and to strengthen nppd. As the cyber Threat Landscape continues to evolve, so should dhs and in doing that, hr 3359 is the tool well use to bring nppd to a more visible role in Cyber Security of this nation. As a committee and a congress we have taken important steps in the right direction with legislation on information sharing, on modernizing the federal government pfsz Information Technology and in getting our state and local officials the Cyber Security support that they need. Some of these programs have been years in the making. Realtime collaboration between the government and the private sector is a lofty and worth while goal. Through the automated sharing frogram, dhs has been partnering with industry to create and enhance that broader information sharing environment and weve made progress in the right direction. While we know proactive information sharing is only as good as the information being provided, that type of relationship can only be made possible with a Strong Foundation of trust. Im looking forward to a robust discussion today, not only how the government can be best organized and equipped to insure we are leveraging the resources of the federal government but how the government it can forge and grow the necessary partnerships to achieve the greater Cyber Security for our nation. We have to get this right. Because new tech flaulgs, the internet of things, driverless cars, Artificial Intelligence and quantum computing, they are all rapidly evauvlting. So we need to be securing at the speed of inovation and not that speed of bureaucracy. Were at an era that requires flexibility, resiliency and discipline. And i hope i will hear those values operationalized in the coming testimony. Cyber space plays an increasingly dominate role and it will take continued collaboration across the international and domestic spaces to keep making the advancements needed to prioritize Cyber Security for our country. I know its something everybody on the subcommittee takes seriously. The chair now recognizes the ranking minority leader for his Opening Statement. Thank you, mr. Chairman. Im pleased were kicking off Cyber Security Awareness Month by talking to the department of Homeland Security about the Cyber Security mission and how congress can help insure dhs is well positioned to prevent from Cyber Attacks. Before i begin i would like to send my condolences to the families of the victims of sundays deadly shooting. To the survivors, youre in our thoughts and prayers noop brave first responders, we are grateful. The democrats on this committee have said this before but it it bares repeating. At some point were going to have to come together and enact sensible Gun Legislation and as the congressman representing new orleans, i cannot sit silently as the president insults the hurricane survivors of puerto rico and the san juan mayor whos trying to help them. Ive been through katrina and i know what its like when youre at your most vulnerable moment and youve lost everything and what youre looking for is assistance because its beyond your capacity to respond to a storm of that magnitude. So having seen the people greave the loss of their homes and businesses and struggle to piece their lives back together, i can tell you the last thing the people in puerto rico and the virginile bds need are insults. I urge the president to take a break from twitter, roll up his sleeves and get to work. I represent new orleans which has Significant Energy sector assets. Last month we heard disturbing reports of a new way to breach Energy Sector networks in the United States. In some cases hackers achieve unprecedented access to operational systems. In light of these reports, im interested to know how the department offomeland security are working together to secure Energy Sector networks and make them more resilient. As a member of this committee, i am eager to hear about dhss activities to secure our election systems. Although the administrations commitment to the critical inhad frustructure designation appeared to waver earlier this year, i was encouraged when duke told dmps last month that there are no plans to resthind designation. With that comment, i look forward to hearing the progress dhs is making to secure election infrastructure and whether the department has adequate resources to carry out its responsibilities in that space. For example. I understand theres a nine month wait for a prask and vulnerability assessment. And some have complained about the lengthy clearance process for Election Officials. Im concerned they may deter 14 some states from taking full at vantage of the resources dhs can bring the bear. From that poirngts dhs has struggled to get the relationships necessary to executing its security commission. Although i hear dhs is making progress, im concerned mistakes made notifying certain secretaries of state that their election infrastructure had had been targeted may have undermined the trust that dhs has sought to build. I will be interested in learning what do you need from congress to address more quickly. Finally,s when ms. Manferred testified in march, i asked when i could expect the dhss Cyber Security strategy. Eit was due march twerd. It still has not been submitted to congress. I ntsds ptd did not fill dhs positi positions. But the strategy is sixing months over due and that is not acceptable. With that, i yield back the balance of my time. The chair now welcomes and recognize 2z chairman of the full committee. Mr. Mccall for any Opening Statement he mighting have. I also would like to extend my thoughts and prayers to the victims and family members of the horrible trag d. A. Pleased to dee here at this important hearing today with our distinguished guest here at this hearing. Americas National Security continued to be threatened by islamic terrorists. Human traffickers, transnational gang members, these threats are well known and we need do everything weical to stop them. We also find ourselves in the cross hairs of sustained cyber war from uth nation states and other hackers. And as we come become more reliant, everyone is a potential target and satly many of us have already been victims. Weve seen many successful large scale Cyber Attacks steak place. In Early September hackers were able to breach equifax, a Credit Reporting Agency gaining access to Sensitive Information on as many as 143 million people. In 2016 we know russia tried to undermine our electoral system and dj process and in 2015 we learned they told clurt clierens. These kinds of violations are simply unacceptable. Im proud to say over the last few years this committee has recognized these threats and lelt the charge in the congress to d strengthen the defense of our networks. We empowered dhs to bolster its work force. A year later the Cyber Security act became law which enhances information sharing and makes dhs the lead conduit for defensive measures within the federal government. It ransomwier just last week the Cyber Security coordinator at the white house noted we need to find a way to prostlied private sector with more expa e expansive access to however, issues relating to the sharing of classified information with the private sector like granting security clearances to keep personnel and enabling consistent twoway commune indications. In other words weve made great progress but i no. Earlier this year i was pleased to see President Trump issue an executive order to strengthen the Cyber Security of federal networks and critical 4 frustrur chur. To etis sfe supports a Cyber Security mission at dhs. This is national sooun Cyber Security Awareness Month. A chance to offer ideas on how we can best secure thevlselves. While weaver had had some success, we must do more. In fofrp had thely this is an issue i believe transcends party lines. So lets work toorgd together to make our Cyber Security strong and keep the American People safe. And thank you for your fuvs. Porous and a very important component of the department we focus a lot on counterterrorism on the border and other thijs. But i conitdb this mission probably the most imimportant of the day. And how we can work as leadards in the private sector to enhance the nations Cyber Security. So id like to yield back and if i may submit my questions for the record. The chair now welcomes and relk uginizes the ranking mine ortd leader of the full committee from rnchn are. Thank you very much. Good morning. For holding today pft hearing to examine the work dhs is doing to shore up our nations cyber defenses. Theres no doubt our country is facing an evolving array of pups theyre thinking of new and marvel ways to treek at everything from thapgz, to hos. Erse last year we learned that our nations election system served as a new frontier for Cyber Attacks. With every passing day we learn of new ways cyber operatives are looking to exploit everything from the yeedia we consume to the daylightau bases. Theres nothing nor relationship than a book. And theyre seek to first degree mean demaung mockeracy. As i watch the dechb station unfold, im reminded of the fridgility of our systems. Disrupting the systems we rely on for pour, foot and water can be dead lewhether its caused by psychoer attack or national desirer. In thakt u the daily net wrrk facing a multitit of threat tos. Congress has put its trins dhhs. Congress has consistently expanded d hrksz ss Cyber Security mission. Giving the department a key rin submitting clever metworks. The department made huge strides in implementing these authorities, including by standing up an Automated System to share cyber threat datedau and advising the new infrastructure subsector on how to promote cyber hygiene throughout the country . We cannot however, expect ths to carry out both thesis lespondsabilities. Thal Department Needs adequate resoorszs, squf a clear strategy. Unfofrp thetly thissed a mip stragz has been grafly unfoeshsed. He plaumsed to deliver a comprehensive plan to protect the vital infrastructure from Cyber Attacks. It took months for the president to get arand to issuing an executive order on Cyber Security. Also a quarter of the ass havery councils resigned in response to the inefficiency to respond to Cyber Threats. An impenerable cyber unit at the time pipe they were consideringing and ultimately deciding whether to ban that on federal networks. The chief Information Officer resigned after only if you were month sdwhz National Programs and protection the departments main cyber arm is still operating without a permanent undersecretary. Whether theyre willing to acknowledge that they are struggling without this leadership, we can be certain these gaps are making their jaup harder. I look forward to hears about how its clear ragout the tierp nelshz with and if there are areas with you need Additional Resources or legislative clarity. Im special eager oo hear from hoffman about how one works with its key internerred. The Department Energy. With that i field back. Thank the gentleman. Other members of the committee are reminded Opening Statements may be submitted for the record. Were pleased to have a distinguished panel of witnesses on this important topic. Mr. Christopher crab sthz senior official performing the duty that United States department of home lnt security. Great to see you today and in your new roles at dhs. Ms. Genet is the assistance in the National Protection and prokbrms director. And great to have you back before our subcommittee. And finally ms. Patricia hoffman is acting for the aufls of activity at the u. S. Department energy. Thank you for being with us today id like now to act the witnesses to stand, raise your right hand so i can swear you tine testify. Do each of you swear or afirm the testimony you will give today will be the truth, the whole truth and nothing but the truthd so help you god . Each witness has answered in the afirmative. The chair now reg uginizes mr. Chaps. Tharm rad cliff, thompson, members of the committee. Good morning and thank you for todays hooer hearing. We recognize national Cyber Security month. The department of Homeland Security serves a Critical Role insecuring cyber space. I want to begin the committee by thanking them for taking action on the Security Agency act of 2017. This would pruture and streamline the National Programs directerate and reorganizeinize the organization to clearly select our mission. It encourages swift action by the full house and senate. The Mission Statement is clear. We insthur security and resilience of our Cyber Security infrastruckder. And of course the private sector. Our three goals are as follows. Identify and mitigate Critical Infrastructure at risk. Broadly enable Cyber Security practices. No question this is an expansive mission. Im proud to share with you the tireless efforts of so many at nppd. The targeting of our elections, intrusions into energy and nuclear serkt. Harvey, irma and, maria. As threats to our Critical Infrastructure evolve, were partnerring with owners and operators throughout the country. The security is truly a shared responsibility. Todays hearing is about dhss Cyber Security mission. Earlier this year the president signed an executive order on strengthsen the Cyber Security on Critical Infrastructure. This set in motioning a searase of of undeliverables to lower our risk. Dhs working with federal and stieb oar partners. Across the federal Government Agencies have been implementing the agency standard. Agencies are reporting to dhs and the office of management and budget on the Cyber Security risk management. Dhs and omb are investigating. In addition to our efforts to protect federal government networks, were focussed on how government and industry Work Together to protect the nations Critical Infrastructure. Were developing an inventory of authorities and capabilities. Were prioritizing entities at greatest risk of attack that could result in catastrophic consequences. We call this our section nine efforts. Let me discuss our continuing efforts. Facing the threat by Foreign Government during the 2016 elections, dhs conducted unprecedented outreach and Cyber Security assistance to state and local Election Officials. It included indicators of compromise, technical data and best practices. Before and after election day, we declassified and shared information related to russian malicious cyber activity. These steps have been critical to enhancing awearness among election ofilthszs and educating the american public. The designation of Critical Infrastructure is Critical Infrastructure provides a foundation to institutionalize services and supported. Were working to develop local information, sharing protocols in establish key working groups. Yet, there is more to be done and we shall not waver. In the face of increasingly sophisticated threats, nppd is focussed on defending our nations critical inhad frustructure. Technological advances such as the internet of things. However, they also increase Access Points that could be leveraged to gain unauthorized access to networks. We must integrate cyber and physical risk in order to effectively secure our nation. Expertise around Cyber Security risk and interdependentancies is where it brings unique expertise and capabilities. I look forward to your questions. Ms. Manford you are recognized for five minutes. Chairman rad cliff, Ranking Member richland, tomson, members of the committee, thank you for holding todays hearing. I want to begin by thanking this committee for taking ad action earlier this summer on the Security Agency act of 2017. Its essential to our work force, recruitment efforts. We must also insure its appropriately organized to address Cyber Security threats both now and in the future and we appreciate this committees leadership. Cyber threats remain one of the most strategic risks for the United States. They threaten our National Security, and Public Health and safety. Our adversaries cross boarders over the speed of light. They saw hackers, criminals and nation states increase in frequency, complexity and sophistication. In my role i had the Departments Office of Cyber Security and communications, which includes our 24 7 watch center. Our role goes along three work streams. Assessing and measuring agency vulnerabilities and risk as well as critical infrastruck dhr and directing and advising actions that they can take to better secure their net brks. As you know its the civilian governments hub for asset Incident Response in coordination for both Critical Infrastructure and the federal government. As my colleague noted were emphasizing the security of federal networks. The asins includes first providing tools to safeguard executive networks through our National Cyber Protection System and the diagnostics and mitdigation programs. And third serving as a hub for information sharing and Incident Reporting and finealty providing operational and technical asins. Einstein refers to the federal governments suite of intrusion detection and capabilities that protects agency ung classified networks. It takes action on known malicious activity. Our nonsnuff based are yielding positive results. We are dwemen straighting the ability to capture data that can rap utley be nominized using technologies from a commercial government and open sources. Theyre defining future operational needs as well as the skillsets and personal required to the nonapproach to Cyber Security. Einstein is our tool but it will not detect or block every threat. Therefore, we must compliment it with sishms and 25089s inside the Agency Networks. These tools are enabling agencies to manage risks across their entire enterprise. At the same time these tools are going to proprime dhs. Through a common federal dashboard. Nppd is working with our interagency partners. Are those systems going to cause a Significant Impact in the United States. We conduct vulnerability assessments. To determine how an adversary would penetrate a sism to access Sensitive Data and without being detected. Protecting them before an incident occurs. When necessary the department is also taking targeted action to address specific Cyber Security risk through the issuance of finding operational directives. Were working to enhance cyber across the globe. They prokekt ursystem. By bringing together all levels of government, International Partners and the public, were taking action to protejt against Cyber Security risks, enhance information sharing on best practices and Cyber Threats and to strengthen resilience. I look forward to any questions you may have. Ms. Hoffman. Chairman rad cliff and members of the subcommittee, thank you for the opportunity to discuss the infrastructure. Its one of the secretarys Top Priorities and a major focus of the department. The Department Energy is the Sector Specific Agency for Cyber Security of the Energy Sector. Doe works with dh srksz and jointly with other agencies. The private sector organizations for a whole government response to Cyber Incidents by protecting assets and countering threats. In adition, the department serves as lead agency for support function 12, which is energy under the National Response framework. As a lead, esf 12 is responsible for facilitating restoration of damaged energy and infrastructure. They facilitate response and recovers. Defining does role with National Response activity in sures incidents both cyber and physical impacts are coordinated in the Energy Sector. At this moment in 250i78 i would like to acknowledge the secretary does express his support for the victims. And i would like to express my gratitude for all the utility workers that have been wurlking very hard for restoring power. In extreme cases, the department can also use its legal authorities as amended by the transportation act to assist in response and recovery operations. Congress enacted several Important Energy measures as it relates to Cyber Security. The Secretary Energy was provided a new athortd toward the by the president to issue emergency orders to protected or restore critical electric infrastructure or defense critical electric infrastructure. This alloweds doe to respond as needed to the threat of cyber and physical attacks to the grid. Doe has private, Public Partnerships that engage at all levels. Technical, operational and executive. To 1y0i6 and mitigateiper risk to the inerj second sectors. And the oil and gas coordinating counsel. In these meetings, interagency partners states International Partners come together to cis cusresilience issues. The electric sector, specifically, has been very forward leaning and trielg address Cyber Security issues. Doe plays a Critical Role by building in skurtd. Specifically we have been looking at building capabilities in the sector in three areas. Enhancing the visibility and Situational Awareness in operational networks, as well as it networks. Increasing the alignment across multiple states and federal jurisdictions. Discussing the whole government effortsl and drive Cyber Security in that way. Frrsz the solution is an echo system of resilience that works in partnership with state, local and industry stake hold rtz to advance best prangtss, strategies and tools. To ak5u678lish this we must accelerate investment sharing, encourage innovation and use of best practices to help raise the Energy Sector and strengthen local response and recovery activities. Especially through the participationing Training Programs and exercises. I appreciate the opportunity to be here before the subcommittee and represent one of the serkt specific agencies and the Energy Sector cyber capabilities. However, i would be remiss nautd to take a moment and stress the independent dependent nature of our infrastructure so doe looks forward to continue to working with the federal agencies to share best practices and build a defend in debt. Look forward to answering your questions. Recognize myself for five minutes of questions. I want to start with you. You mentioned einstein and cdm and the role that they play insecuring federal networks. Im going to give you opportunity to provide public clarity on cdm specifically. Give us an idea how many have fully implemented phase one and how many agency dash bords are up and running. And give us some perive on a that. Yes, sir. Thank you for the question. Cdm were in the process of deplaying both faces one and two. Face one being focusted on hardware, soft Ware Management and phase two looking at mooz rr on the network. So issues like access and identity management. We can get back to you with the specific numbers. Theyre in various stages of deployment. We have imit apair veilable. We are nearing 20 ages that have an agency dashz boertd up and running. This mungs friday so that will bow receiving feeds from those agency dashboards. Al that will allow us to have more near real time understanding of that sensor what those sernss are identifying on the Agency Networks and allow us to better prioriti prioritize. Thanks. So one of the other points i want to cover today was last week the gao came out with a fairly critical report one that would appear to be most troubling said only 7 of the 24 csf agencies have programs with any functions considered effective per the niche standards for Cyber Security control. That doesnt sound very good. I want to give you the opportunity to as we talk about the Cyber Security posture of the dot guv, reconcile that with the report. Sir, i think that we have weve learned a lot over the years about agency capac tattoo manage Cyber Security risks and the resources they have to do so. I can say theyve prioritized across the highest level of government. What weve learned through engagement in partnership and measuring agencies is there remains significant gaps and we have built over the last couple of years and are continuing to build Technical Assistance capabilities. Things like design and injufearing. Helping agencies get much more indepth insight into those networks and providing them with a greater level of assistance both engineering and on the government side to help them address the often complicated networks with the resources we have. But we see a lot of potential for cdm in the ability to deliver tools at lower cost across agencies and this is the firsz time many agencies have had access to this level of automated data to understand what is on their network and so we see a lot of potential for this. But for many age aensz theres lot of capability that hads to be built and were continuing to take advantage of things like shared service. More capability of dhs to deploy to agencies. So you comment about shared services and resources i want to follow up because i think its important to look where we are and where were going. So looking forward, how do you see dhss federal Network Protection tools evauvlting past say a signaturebased Threat Detection tools and particularry where my conversations with the administration and Cyber Security advisors really putting an emphasize on Cloud Computing and shared it services and resources. So i guess in a sense what is einstein future generations, 10. 0 look like . Well, im not exactly sure what einstein 10. 0 will look like yet but i can tell you where were looking to evolve. The president s Key Initiative around modernizing our it. There are large challenges with legacy technology. But we need to modernize the way we governor and procure. Were working very cleesly to modernize our security processes. We insure that we are modernizing our security approach but not losing the inside that we have into traffic, either traversing inhadternal or in and out of Agency Networks. Importantly we have learned on cdm some key lessons from the first faces of good d ploimd. We have a new contract vehicle in place that will enable cloud and noble technologies in additioning to the oun premise capability we have right now. We are buildling on what industry is learning from behavioral based detection method and we have had successful pilots and look forward to continuing to build that capability. My time pfszects pired. The chair now recognizes mr. Chair for his questions. You all know i authored legislation to dpraul a Department Wide Cyber Security strategy within dhs. That strategy and report was due in march. We still dont have it. So bhaults rr the status of it and if youre running into problems getting it done, what are those problemsed . Sir, thank you for the question. The office of policy has the pen, so to speak. It rolls in components across the department between secret service, i ice, Homeland Security investigations, u. S. Coast guard, as well as nppd. So while we dont necessarily leave the investment of that strategy, we are a significant player. My understanding of where it sits is thefluenced by the president s executive order, 138hung released earlier in the spring. That reports puts dhs at the front or in the lead for almost all of the reports, particularly in the first two and fourth work stream. Federal net wrkz, critical infrastrurture and private work forts. They are anticipated to have severe impacts on some of the priorities of the department including nppd. So i believe the decision on finalizing the strategy has been lets get through the sthuper asecurity assessments as well as the administrations anticipated national. Security strategy that are expected in the next several months and when we have a broughter understanding of where the department is going, that will fwiet that said, it is still as a priority to finalize that report. Frrts that said, as a department, we are moving forward with a number of our priorities. I do want to touch on a couple things you did early. As the senior official performing the duties, while we do not have a permanent nem tep saesh reitary to move out and execute authorization by secretary duke. While we do not have a permanent undersecretary now i believe i have every authority i believe i need to execute the mission within nppd. In terms of strategy and we talk about report, let me take that aside. Do we have a departmentwide strategy how we deal with cybersecurity and our needs and challenges we continue to face in the near future. Sir, my understanding there is a departmentwide Cybersecurity Strategy in draft form, yes, sir. Again, i dont want to get into the weeds. Are you operating on a catastroph comprehensive strategy on a daytoday basis . Were in the lead for insuring the nations physical infrastructure of cybersecurity and threats. Our top goal is securing federal networks and facilities for me and with the assistant secretary manfra, that is at the very top our minds every single day. The second piece is identifying mitigating systemic risks across the nations infrastructure. When i think about that, im thinking about the section 9 Critical Infrastructure greatest risks and also putting election infrastructure in there. As i mentioned in my opening comment that, for me, this is number one priority for nppd. We cannot fail there and third and finally incentivizing better practices across the community to include, state, local, medium sized businesses. Miss hoffman, theres been a great deal of concern among National Security experts russias goal of disrupting ukraines Power Supplies in 2015 and 2016 was to test its capabilities for a larger attack on the United States. Last month we learned russia may have been responsible for dragonfly 2. 0 which exploited and targeted some of our increasing sector. How is the Energy Sector surviving and what is the capability widespread with that at your back . Thank you, congressman. The ukraine attack was very much an eye Opening Event for the Energy Sector, specifically the electronic sector got very organized recognizing we had to step up our Continuous Monitoring capabilities, ability to detect behavior on the system and also building inherent protections as we develop new technologies, recognizing the core of anything is protecting agooens sphere fishing and pass words and credentials and starting to go after where we need to be to prevent an attack on the system. Weve been working very actively on the sector to build tools and capabilities for protections of their system. The chair now recognizes the gentleman from new york, mr. Donovan for five minutes. Thank you. Id like to ask a question of all of you. In 2015, Congress Passed the cybersecurity act and in 2017 we passed the cyberinfrastructure security act and the president also issued an executive order back in may to strengthen our abilities. What do you guys need . What can congress do to help you protect our nation . Our federal agency, our private entities, as mr. Richmond said, our Energy Industries . What do you guys need from us to help you protect our nation better than were able to do now . Sir, thank you for the question. The very first thing i would start with, as you mentioned the cybersecurity and infrastructure Security Agency act of 2017, passing out of the full committee was a significant step forward. What we need as i mentioned in my opening comments, quick action by the full house and senate. Let me give you a little antidote why thats important. That bill will give us three things, one, it will allow us to introduce some operational efficiencies, looking at Common Infrastructure across the organization, push them together so we are more streamlined how we engage and deliver services from Customer Service oriencation. Second, it will help with our branding and clarify roles and responsibilities not just within nppd but more importantly with our federal, state and local partners and private sector. I will come back to that in a second. Finally, what that will do is give us the ability to attract talent. We talked a little bit about workforce and hiring and partnership. On that clarity of roles and responsibilities, let me talk about that for just a second. Ive been down to puerto rico twice in the last week. I was there last monday with administrator long and the president s Homeland Security advisor, tom boss sert and i was there last friday with acting secretary duke. On friday, meeting with acting secretary duke, the governor and his key staff we were discussing a number of the Critical Infrastructure challenges in puerto rico. When it came around to me, i talked about the communications infrastructure. You know the National Communication center resides within the manfrose organization. And we talked about whether were assisting at t, sprint, tmobile, help them get back in to prioritize capabilities, cell on wheels, cell on lite truck, things like that to help temporarily pop up the Communications Service and help get communication is in for cell towers. As i briefed out where we were helping those Companies Get introduced back in i introduced myself as the official performing the duties of the undersecretary National Program doctorate rat. Try repeating that back out its not easy. Someone who has never heard that before immediately went onto a press interview alongside the tsa administrator, vice commandant of coast guard, department of Homeland Security said we have 93, tsa, coast guard and the comes guy. She doesnt know how to describe me, when im out engaging my stakeholders, they dont understand the mission i deliver. I need help clarifying that and providing very up front clear what i do and what my team delivers. That is a significant advancement. Any help i can get there, please help me out. More broadly in terms of additional authorities and clarification of authorities we are in the process of running that kind of stock taking of where the department sits in cybersecurity. Department of energy in the fast act got significant authorities that could come to bear in the event of a grid incident. Dhs has authorities in terms of Incident Response information sharing, thank you for those authorities. Going forward, were not quite sure just yet what we need. I will tell you this, the cybersecurity threat is not going away, our adversaries are getting faster, more agile. We need to be resourced and staffed and positioned to respond to that. I know one more thing we will not use Less Technology going forward. As you indicated earlier we are going to the cloud, to shared services and relying upon these crosscutting Technology Capabilities in the Information Technology sector. We need to insure from a digital defense perspective we have what we need. We welcome that conversation. You can believe that youll see me again and we will be talking about that. I have two seconds left. Would ow contribute, please . Yes, sir. Very briefly, just to compliment what chris talks about, were working within the federal government to understand what is the full braet of our authorities, how to lean into the authorities we have to deploy more capability within the Critical Infrastructures were working to understand now that weve identified these most critical assets at greatest risk, are there legal and operational and policy hurdles we need to address in order to assure we have appropriate prevention and response and recovery capability is in place and we look forward to working with you. Please dont wait until another hearing. Let us know how we can help. Absolutely. I yield back the time i have left. The chair recognizes the gentleman from mississippi. Mr. Thompson. Thank you, mr. Thompson. The last two speakers have talked about being resourced and staffed from an agency standpoint. Last march, we held a hearing talking about staffing at the department. Can you give us the number of unfilled position is in the Cyber Division right now . Sir, we are currently staffed at 76 of our fully funded billets. So we are 24 under. Can you tell us why we are understaffed at this point . Yes, sir. There are a variety of reasons. The first, largely thanks to the work of this committee and our appropriations staff in congress in building the billets that are allocated to my organization, we have grown significantly. We have worked very hard to build according to that growth in billets. We have had some challenges. Weve worked with our management colleagues and Human Capital colleagues to identify areas we can reduce the time to hire. I can say looking at the statistics from fiscal year 16 higher to fiscal year 17 hire weve been able to reduce the time to hire by 10 . Many of these requirements have to do with security clearances. It does take a long time to process people through that security clearance process. Weve made significant progress. Were continuing to work through our Security Office to continue to shorten that. Were diversifying our recruitment paths looking at scholarship for Service Cyber core program has been a great pipeline after the government funded scholarships, bringing these individuals in as interns and hiring them full time, theyre already fully qualified for our direct Hire Authority and looking at other programs such as pathways, president ial fellows and other programs. Were looking at partnerships with industry yes, sir. I dont mean to cut you off. Is the problem we have too many programs to attach people to or im just trying to find out why, when weve give you the authority to hire, why weve not been able to come closer to whatever that authority is. Is there something we need to do to get you to that point . Sir, separate the authority that we were given by congress to build an accepted Service Program. What i was referring to was i did not believe a couple years ago we were fully leveraging the authorities we already had and the programs we already had to bring people in and tightening the timeline that it takes to bring people on. The accepted Service Program is led by our chief Human Capital officer. I know this is a high priority for her. We did not probably appropriately expedite the development of that program four years ago. We have now done so. My understanding that we will now be able to hire against that Program Beginning in fiscal year 19 but theres a regulatory process we do have to undergo as a part of that. Just for the sake of the committee, can you provide us with a timeline between when somebody whos considered for employment and when that is completed . Is it not just get back to us yes, sir. Three months, six months, a year . I think that would be instructive for us, so we can kind of see if theres something involved . Yes, sir. The reason i say that, mr. Chairman, i think all of us are constantly bombarded by people looking for employment opportunities. If we have potential opportunities here, is it something we are not doing . Are we not going out recruiting in a broader view or just what . We just need to kind of figure something out. Right. If i could, sir, just clarify the 76 is just indicating people that are on board right now. If you includie the people in te full pipeline, that brings us to 85 . For virginia we are at about 224 days to hire. That sounds long but that is to include a top secret sci clearance process actually for the benchmark of the rest of the government, were actually doing quite well. We want to continue to work with you, sir, we will come back with you. Please get back with us. Mr. Krebs, we have a Congressional Task force on Election Security and we made requests of the department to provide us a classified briefing around this issue and weve been told that it has to be bipartisan, that you cant just brief democrats. Are you aware of that . Im not aware of any existing policy. Let me say this. I share your concern on election infrastructure. I made that clear today wanted to say directly to you as well it is my top priority at the department. If we cant do this right and dedicate every single asset we have to assisting our state and local partners frankly im not sure what were doing daytoday. In terms of what weve done, in terms of engagements we are prioritizing delivery of those briefings information sharing to our state and local partners. We are doing it in a bipartisan manner because my opinion is that this does Transcend Party lines and we should be doing this all pulling the same direction. Going forward, i would encourage any additional briefings, we have provided a series of bipartisan briefings to the house and Homeland Security committee both classified and unclassified. The real crux of this issue, the underpinning issue here is a trusted relationship. Now, did we have i appreciate it. But we have established a working group within the democrats on the committee and were just trying to get a briefing. Its nice to say i dont want to brief you because there are no republicans but were members of congress and all were trying to do is get access to the information. If your interest is there, im convinced you will provide it. Thats the spirit in which the request was made. Well make it again. Yes, sir. And look forward to you coming back. Just bring us what information you have, as members of congress. Thats all we are asking. Thank you. I the field back, mr. Chair. I thank the Ranking Member. The chair recognizes jim from virginia. Mr. Garrett. I hit my talk button, my voice sounds better with the microphone on. I want to piggyback on what my Ranking Member thompson said i would agree with you election infrastructure vircybersecurity it comes to conducting elections is a priority that crosses and transcends the aisle and i would ask any briefings you give to democrats to you invite me or give the exact same briefings to republican members i think is inconsiderate of your time. I cant fathom why one party should be briefed in the absence of elections outside the presence of another in the United States of america. If you do and i hope you do respond to the Ranking Members request to brief on kribs as to cyber issues please invite me. I cant fathom one party has a monopoly on hoping we get Fair Elections and i cant think my colleague doesnt mean it that way and people from both parties should be invited or make the same briefing twice i think is inconsiderate and shortsighted. Having said that transitioning to russian cybersecurity particularly with relationship to stony and the ukraine, my understanding the bulk of the platforms used to infiltrate infrastructure, i say platforms, malware, it would appear, based on my ability to speak in this forum, were off the shelf, if you will, kill this for example, black energy were known interrogation discovered as it relates to these attacks as part of a coordinated attack. How well do we stay ahead or try to stay online with it . I understand its a moving target. The malware that might be implemented to the extent theres any hope, again, i understand the format were in might limit the conversation we have, a lot of the malicious activity to this point conducted, we presume and data would indicate by the russians has used off the shelf technology. I guess the question there is how quickly can we pick up on advancements in malware and inculcate them into our preventive measures . Thats wide open to which ever one of you wonderful folks would like to address it. Thank you, sir. If i may, ill start and provide a bit of broader approach and defer to my expert colleague from the department of energy to anything specific to the grid and electricity. Im subject to a time limit. I apologize but ill do this quickly. Yes, sir. Generally speaking we already talked about advanced persistent threat here. We think about threats, its not necessarily speaking advanced, its just persistent. Folks are still organizations are still not doing the basic blocking and tackling you think about want to cry or not pet ya, some of those were based on open known vulnerabilities, they just werent patched. The concept of a zero day e exploit while its out there its not the common one we see in the wild. Let me interrupt you. I ham a big fan of limited government but the entire nation hangs in the balance, everything as it relates to our grid, might it not be effective to hit the particular Power Providers where it counts and essentially make it cost something perhaps metaphorically and literally for companies that dont patch those open known threats . And that is something that will be within the purview of the government, you will be up to date by x, y and z or it will cost you . My colleague can talk to the government piece. You guys are great. Five minutes. We were trying to reduce the time to patch critical vulnerabilities to five days. We are seeing a change in that and seeing the government highly prioritizing patching those critical vulnerabilities. I want to throw that out there. Theres a carrot and a stick . Id rather the carrot but im glad to hear you say youre addressing that. I dont mean to cut you short, miss hoffman. I want to speak to the nature of nurk and the fact its a semiprivate autonomous pseudo entity compromises tactic, procedures, et cetera. I dont think it as an organization compromises any sort of intelligence and has Information Sharing Center which is sharing information at large and has capabilities to compel and look at the industry to respond so we can get the information we need. Thank you all and i apologize for going briefly over. Thank the gentleman and the chair recognizes my friend from rhode island. Thank you. I want to thank the witnesses for your testimony. Before i go into my questions, i just want to mention, for publicly, and take you to mr. Garrett, im a member of the Elections Task force that the democrats put together on how to go forward in improving Election Security. I would say to my colleague there was an initial effort and outreach to republicans to make this a bipartisan effort, which was not accepted, there was no we didnt find anyone that was receptive. I would say this, the task force means are open to the public, my colleague, mr. Garrett, is welcome to participate fully with that, and with respect to the Ranking Members question on the classified briefing, both on russian interference in our elections and how were better securing our election systems, that is a democrats only or democrats and republicans, i would prefer it as a democrat and republican briefing, however we get the briefing, unless im misunderstanding what the Ranking Member was asking we just want the briefing. Wed ask that you provide that to us. Yes, sir, thank you. I do believe we have provided a classified briefing in the past and welcome the full committee and subcommittee briefing on that as well. The other thing i want to mention mr. Krebs, i appreciate your comments you have all the authorities in your acting role to do the job necessary in cyber. I would reiterate it is vitally important we get key people appointed and in place permanently. I respect the work youre doing and your team and but we need permanent people in place, both inspires confidence and clarity to what the mission is. Let me get into my questions very quickly. I will try to go through them. For ones you cant answer fully because of time constraints i request a followup in writing. So on september 13th, dh issued binding operations 1701 directing federal agencies to remove products from within the system in the next 90 days. In doing so dhs for the first time issued a statement to coincide with the establishment. I id like to commend the agency. My question is what analysis led to the removal from federal networks. I understand this answer may be classified in which case i request you and your team provide a briefing to members on whats behind it. Its very important both members on both sides of the aisle understand what went into that. Next, mr. Krebs, the sec was breached late in 2016. We now know the attackers had access to corporate filings prior to their public release. The announcement of this breach was made nearly a year after it was first discovered. My question was when was dhs informed of the breach and what was dhss involvement in detecting, responding and recovering from this attack . And finally, how can dht improve its integration with federal agencies to insure these types of attacks are detected and notified quicker in the future. Thank you. Congressman langevin. Let me touch on the disbursement piece. It was based on the totality of evidence including the most part open source information. In terms of a classified briefing i believe we are on the schedule for some point in the next month or so with the full committee monthly intel briefing. With that, id like to turn it over to miss maneva. Sir, welcome. We are happy to come in and have a more full conversation with you about that. They notified us last year and the extension of the issue was not misunderstood and given the time limits it might be better if we sat down with you and other Staff Members as appropriate to walk through specific details. What do you think that what was the dhs involvement in detecting and responding to the recovery . Sir, we have very limited involvement with the sec. They did not request our follow on assistance for a response. The issue of how they can work better in the future . Sir, in addition to this incident as well as several others we are reviewing our procedures to insure that its clear that when an incident happens what role the Department Needs to play in response not just at the request of an agency. If were looking at specific Critical Services and functions the Department Needs to have a more active role in that response regardless whether the Agency Requests it. Thank you. In august, congressman will hurt and i traveled to a bipartisan trip to the Security Congress and were impressed with the willingness to report for overall internet security. What is established for a reporting process for dhs sites and software. One of the things i found with the pentagons Bounty Bug Program was very helpful identifying security vulnerabilities and getting the attention of the right individuals to close those vulnerabilities, talking to researchers one of the things that impressed me most was they just want to make the internet work better but they want to know when they find a vulnerability there is a path forward they can report it and somebody will do something about it and they will be heard. What progress has dhs made in this respect . We have a long Standing Program on operational vulnerability and Industrial Control Systems as well as enterprise technologies. Weve been working with security researchers in both communities for years to provide them a space for them to identify that vulnerability and also to evacua advocate with security researchers. We have our own organization within my group that conducts Penetration Testing and risk and vulnerability assessments across the government to include dhs network. While Bug Bounty Programs can be useful we need to insure theyre supplemented with a broader risk and vulnerability risk and testing my organization does to insure organizations are appropriately prioritizing what theyre addressing. What about dhss specifically owned systems . My Organization Also supports Penetration Testing and slublt assessments within the dhs particularly high value assets dhs owns. I do know our leadership and management is interested in learning from what the department of defense has done in their Bug Bounty Program and how that might apply to dhs and were continuing to work through how that might be applied for our organization. I had one more on Election Security. Can i ask that . I know weve touched on this a bit. For the record i wanted to dive a little deeper into this. Very interesting, insuring state and local Election Officials have access to resources from dhs to protect the vital systems that represent the cornerstone of our democracy. Can you further describe how dhs is working with Election Officials to protect networks . Do you believe dhs response to the unprecedented interference in our elections lasts year has been sufficient . How can we improve the relationship and access to resources . Are there additional funds or resources the Department Needs in this respect . So, thank you for those questions. Let me start at the end with your improving relationships. While i was not at the Department Last summer as this all manifested, i can speak to generally the relationships with state Election Officials. That was not an existing relationship between the department of Homeland Security and the state and locals. However, we do have strong relationships with the Homeland Security advisors and chief Information Officers and chief information Security Officers. But to square the circle on this specific threat we need to develop partnerships that are three or four legs on the stool within each specific state. Each state is going to be a little bit different in terms of how who they designated as the chief election official and vendors of technology. It will take a lot of effort and a little bit of time. Those are things we are working on right now. We dont have much time but are dedicating resources. Just this morning i sent across my organization and ppd reflectsing changes we made organizationally last week by establishing an Election Task force. Previously it had been held within the office of infrastructure as a program. Matching my words with our execution, were elevating it as a task force, bringing pieces across the dhs components including the office of intelligence analysis and resourcing it appropriately. This is speaking to a lot of resources. Were pulling the resources together in recognition we dont have a lot of time given there are three elections this year. And the number of ftes and money committed to this . I dont have the ftes on hand. I can get back to you on it. I believe miss man fra has. And Funds Available as well . I want to point to the resources, Ranking Member richmond indicated there was a nine month wait on risk and vulnerability assessments. I dont know if thats the exact current number but that speaks to the high demand that were experiencing for our a Assessment Services everything from hygiene programs we participate in and in depth vulnerability assessments. We are growing that Program Building resources and Building Infrastructure to more scale that. But our services were providing not just to federal agencies but also to state and local governments as well as Critical Infrastructure. Were experiencing much more demand for those services and were continuing to look for ways to scale that capability. Thank you for your answers. If there is a followup you can provide to us in writing or briefings, i appreciate that. Mr. Chairman, thank you for your indulgence. Youre welcome. The gentleman yields back. I want to thank all three of our Witnesses Today for your valuable and insightful testimony and questions of the members today. If they do have additional questions of witnesses respond in writing. Pursuant to Committee Rule 7d the record will be held open for a period of 10 days and without objection, the subcommittee stands adjourned. Cspan washington journal live wednesdays with policy issues that impact you. Representative lance talks about the tax plan. Democrat delegate from the Virgin Islands on hurricane efforts and bureau chief john blessna hanzuss congressional gun control efforts. Be sure to watch washington journal cspan wednesday morning. Join the discussion. This week, former equifax chairman testifies before several committees about the hacking that exposed 145 million consumers. Wednesday, his second day on the capitol hill in front of the Senate Banking Committee Live here at 10 00 a. M. Eastern. And the Financial Services Committee Live at 9 30 a. M. Eastern and here on cspan3 and you can coverage a live coverage of both hearings online at cspan. Org or our free cspan radio app. The cspan bus is traveling across the country on our 50 capitals tour. We recently stopped in annapolis, maryland, asking folks, whats the most important issue in their state. Hi. Im zena, i live in indianapolis at maryland and teach at st. Johns college where were filming now. The issue a lot of us in maryland are concerned with is our heritage, heritage of slavery and heritage of the civil war. Im sure many of you heard theres a statute of rog tiny, the justice who wrote the dred scott decision was taken down in front of the statehouse. My real concern is how do we have conversations about our past . Here at st. Johns, we read frederick douglass, read the dred scott decisions and speeches of lincoln and try to have real conversations with one another about the issues and different points of view you might have on them. I suppose thats one of the things i care about most deeply how can we as americans and marylanders have real conversations where everyone is respected but also where real understanding can be reached about issues that really matter for our heritage, our history and whats happening today. Thats what im hoping for, not just fighting, not just arguing, not just, you know, power struggles but real communion conversation and building real community. My name is javon. I believe that a major issue in the state of maryland is incarceration. Most importantly when people come out of prison walls, i believe that employment and housing and just the support system is very vital to people staying out of prisons and keeping recidivism down. I believe that if the people who are formerly incarcerated get employment, something substantial to their families, that will keep them and the state safe. Hi. Im the president of st. Johns college. I think the issue that is most critical for us to address today is the issue of civil discourse. At st. Johns college, we offer young people the opportunity to sit around a table and to discuss in our seminars the most important issues pertaining to what it means to be a human being, what Human Flourishing is, what it takes to have a flourishing society. I think if we all had the opportunity to do that, sit around the table and look each other in the eyes and first address one anothers humanity and then begin our conversations about important things it would be a much stronger nation, a Better Society and wed come much closer to finding solutions to the problems that we face. I encourage everybody out there to think about that model of civil discourse, to address each other first as human beings and then ask tough questions together. My name is eathan, a junior at st. Johns college and supervisor at the mitchell art gallery and currently there is the fall collection. My responsibility being a student advisor is to teach people about the art and get them involved in the workshops we offer here and the community of annapolis. I think its really important for somebody to understand art, history, literature and culture of the art youre looking at. Its really important because if you can understand history you can understand yourself and where you want to go in the future. Voices from the states on cspan. Defense secretary, james mattis and joints chief staff chair join together to talk about the president s strategy in afghanistan. And covers the role of other areas the Iran Nuclear Agreement and defense departments role for relief efforts in puerto rico. This is 2 1 2 hours
comparemela.com © 2020. All Rights Reserved.