The House Homeland Security subcommittee on Cyber Security held a hearing with officials from the Homeland Security department and the Energy Department regarding the federal governments Cyber Security programs. The subcommittee looked into the security of election systems, the governments i. T. Systems, and the security of the nations electric grid. The committee on Homeland Securitys subcommittee on Cyber Security and Infrastructure Protection will come to order. First of all, im sure i speak for all of us here on the dais in expressing our deepest condolences to all of the family members and all of the victims of yesterdays tragedy in las vegas. Events liking the one yesterday demand the utmost humanity in response to such blind hate and evil and hopefully will give us all a renewed senses of purpose as we approach the tasks of the day. The subcommittee is meeting today to receive testimony regarding the department of homeland securities Cyber Security mission. I recognize myself for an Opening Statement. Were here today at the start of national Cyber SecurityAwareness Month to discuss what i believe is one of the defining Public Policy challenges of this generation. The Cyber Security posture of the United States. Weve seen Cyber Attacks hit nearly every sector. Of our economy with devastating impacts to both Government Agencies and the private sector alike. And it is our shared duty to insure that were doing our very best to defend against the very real threat our cyber adversaries are posing. But make no mistake, the Cyber Security challenges we face are about much, much more than simply protecting bottom lines or intellectual property or even our nations most classified information. They also impact the personal and often irreplaceable information of every american. This year we have seen on a grand scale just how much damage can be done by a single individual or entity looking to conduct a cyber attack. The Equifax Breach shows that it takes only one bad actor and only one exploitable vulnerability to do something to compromise the information of 145 million americans. This is not the first cyber attack that has garnered national attentions and unfortunately it almost assuredly will not be the last. As the members of this panel and as our witnesses here today know well, there is no Silver Bullet for guaranteed technology to fix the Cyber Security problem. Rather we need to be part of an ongoing sustained, dedicated persistent and comprehensive campaign to insure the United States remains the worlds Cyber Security superpower. We will continue to need a sharp work force and collective efforts in Public Private partnerships and the leadership of our Government Agencies to leverage our resources and to counter our highly sophisticated cyber adversaries. Today the subcommittee meets to hear from the government officials that are charged with meeting these cyber threats. These are the folks on the front lines day in and day out. Dhs is the federal governments lead civilian agency for Cyber Security and within it the National Protection and programs direct i cant tell director where nppd leads our National Effort to safeguard and enhance the resilience of the nations physical and cyber infrastructure, helpling federal agencies and when requested, the private sector harden their networks and respond to Cyber Security incidents. They partner with critical intrastructure owners and operators and other enterprise stakeholders to offer a wide variety of capabilities, such as system assessments, Incident Response and mitigation support. And the ability to hunt for malicious cyber activity. This collaborative approach to mitigating Cyber Incidents is meant to prioritize meeting the needs of dhss partners and is consistent with the growing recognition among government, academic and Corporate Leaders that Cyber Security is increasingly interdependent across sectors and must be a core aspect of all management strategies. This committee has been working hard to ensure that nppd and dhs in its entirety has the necessary authorizations and organization it needs to combat growing cyber threats. Dhs needs a strong and sharp work force. Both to protect its Cyber Security and Infrastructure Protection missions. Earlier this year, the committee marked up and passed hr 3359, the agency act of 2017 to reorganize and to strengthen nppd. As the cyber Threat Landscape continues to evolve, so should dhs and in doing that, hr 3359 is the tool well use to bring nppd to a more visible role in Cyber Security of this nation. As a committee and a congress we have taken important steps in the right direction with legislation on information sharing, on modernizing the federal governments Information Technology and in getting our state and local officials the Cyber Security support that they need. Some of these programs have been years in the making. Realtime collaboration between the government and the private sector is a lofty and worth while goal. Through the automated sharing program, or ais, dhs has been partnering with industry to create and enhance that broader informationsharing environment. And weve made progress in the right direction. While we know proactive information sharing is only as good as the information being provided, that type of relationship can only be made possible with a Strong Foundation of trust. Im looking forward to a robust discussion today, not only how the government can be best organized and equipped to insure we are leveraging the resources of the federal government but how the government it can forge and grow the necessary partnerships to achieve the greater Cyber Security for our nation. We have to get this right. Because new technologies, the internet of things, driverless cars, artificial intelligence, and quantum computing, they are all rapidly evolving. So we need to be securing at the speed of innovation, and not at the speed of bureaucracy. We are in an era that requires flexibility, resiliency and discipline. And i hope i will hear those values operationalized in the forthcoming testimony. Cyberspace plays an increasingly dominate role and it will take continued collaboration across the public, private, international and domestic spaces to keep making the advancements needed to prioritize Cyber Security for our country. I know this is a responsibility that everyone on this subcommittee takes extraordinarily seriously. The chair now recognizes the ranking minority leader for his Opening Statement. Mr. Richmond, from louisiana. Thank you, mr. Chairman. Good morning. Im pleased were kicking off Cyber SecurityAwareness Month by talking to the department of Homeland Security about the Cyber Security mission and how congress can help ensure dhs is well positioned to prevent from Cyber Attacks. Before i begin i would like to send my condolences to the families of the victims of sunday nights horrific shooting. To the survivors, youre in our thoughts and prayers. To the brave First Responders who were running into danger when everyone else was running away from it, we are grateful. The democrats on this committee have said this before but it it bares repeating. At some point were going to have to come together and enact sensible Gun Legislation and as the congressman representing new orleans, i cannot sit silently as the president insults the hurricane survivors of puerto rico and the san juan mayor whos trying to help them. Ive been through katrina and i know what its like when youre at your most vulnerable moment and youve lost everything and what youre looking for is assistance because its beyond your capacity to respond to a storm of that magnitude. So having seen the people greave the loss of their homes and businesses and struggle to piece their lives back together, i can tell you the last thing the people in puerto rico and the Virgin Islands need are insults. I urge the president to take a break from twitter, roll up his sleeves and get to work. Turning to the issue at hand, as i mentioned, i represent new orleans, which has Significant Energy sector assets. Last month we heard disturbing reports of a new way to breach Energy Sector networks in the United States. According tocy man tech, in some cases, hackers achieved unprecedented access to operational systems. In light of these reports, im interested to know how the department of houmd Homeland Security and the department of energy are working together to secure Energy Sector networks and make them more resilient. Additionally, as a member of this committee, and the Congressional Task force on Election Security, i am eager to hear about dhss activities to secure our election systems. Although the administrations commitment to the Critical Infrastructure designation appeared to waiver earlier this year, i was encouraged when acting secretary duke told Committee Democrats last month that there are no plans to rescind the designation. With that comment, i look forward to hearing the progress dhs is making to secure election infrastructure and whether the department has adequate resources to carry out its responsibilities in that space. For example, i understand theres a ninemonth wait for a risk and vulnerability assessment, and that some secretaries of state have complained about the lengthy clearance process for Election Officials. Im concerned that these kinds of challenges may deter some states, particularly those to the Critical Infrastructure designation from taking full advantage of the resources dhs can bring to bear. From that point, dhs has to build some. Relationships necessary to executing its security commission. Although i hear dhs is making progress, im concerned mistakes made notifying certain secretaries of state that their election infrastructure had had been targeted may have undermined the trust that dhs has sought to build. I will be interested in learning what do you need from congress to address more quickly. And build trust within the election infrastructure community. Finally, when ms. Manford testified in march, i asked when i could expect the dhss Cyber Security strategy. The strategy required pursuant to legislation i authored was due march 23rd. It still has not been submitted to congress. I understand the Trump Administration did not fill leadership positions relevant to the execution of dhs, Cyber Security strategy with any real sense of urgency. And ongoing vacancies may be contributing to the delays. But the strategy is six months overdue, and that is not acceptable. With that, i yield back the balance of my time. I thank the gentleman. The chair now welcomes and recognizes the chairman of the full committee, my colleague from texas, mr. Mccaul, for any Opening Statement he might have. Thank you, chairman wry cliff. I also would like to extend my thoughts and prayers to the victims and family members of las vegas. Im hopeful we can come together to prevent such tragedies from happening in the future. Im pleased to be here today with our distinguished guest here at this hearing. Americas National Security continued to be threatened by islamic terrorists. Tyrannical regimes. Building and proliferating weapons of mass destruction. Human traffickers, transnational gang members, like ms13, who stream across our border. These threats are wellknown, and we need to do everything we can to stop them as we see them coming. However, we also find ourselves in the crosshairs of invisible attacks and sustained cyber war from nation states and other hackers. And as we come become more reliant on computers and smartphones in both our personal and professional lives, everyone is a potential target, and sadly, many of us have already been victims. Over the past few years, we see many successful largescale cyberattacks take place. In Early September hackers were able to breach equifax, a Credit Reporting Agency gaining access to Sensitive Information on as many as 143 million people. In 2016 we know russia tried to undermine our electoral system and democratic process. And in 2015, we learned that china stole over 20 million security clearances, including mine. And probably some here at this dais. These kinds of violations are simply unacceptable. Im proud to say over the last few years this committee has recognized these threats and has led the charge in the congress to strengthen the defense of our nations networks. In 2014, we enacted several important bills that empowered dhs to bolster its work force, codified dhss cyber center and updated for the first time in 12 years. A year later, the Cyber Security act became law. Which enhances informationsharing and makes dhs the lead conduit for cyber threat indicators and defensive measures within the federal government. While informationsharing has come a long way, this illustrated just how important and beneficial these relationships are. Just last week, rob joyce, the Cyber Security coordinator at the white house, noted that we need to find a way to provide the private sector with more expansive access to cyber threat information in a controlled setting. Something i believe we need to strengthen. Moreover, issues relating to the sharing of classified information with the private sector, like crediting skf space, granting security clearances to key personnel and enabling consistent Twoway Communications are issues we are learning at closely. In other words, we have made great progress in the way indicators are shared. But i want to examine if we can do more regarding the overall sharing of classified information. Earlier this year, i was pleased to see President Trump issue an executive order to strengthen the Cyber Security of federal networks and Critical Infrastructure. Going forward, im hopeful that the house can advance legislation that i have introduced to elevate mppd as a Standalone Agency and better support the Cyber Security mission at dhs. This month is national Cyber SecurityAwareness Month. A time to learn more about these threats and offer ideas on how we can best secure ourselves against these growing threats. While weve had some success on this issue, we must do more. Our cyber enemies, including terrorists are always evolving, looking for new ways to carry out their next attack. Unfortunately, this is an issue that i believe transcends party lines. Its not a republican or democrat issue. So lets Work Together to make our Cyber Security strong and keep the American People safe. Again, id like to thank the witnesses for being here today. And thank you for your service. In a very important component of the department that often, as i mentioned in my opening, we focus a lot on counterterrorism and the border and other things. But i consider this mission that the department has to be one of the most important that this nation faces. So i look forward to the conversation and that congress and the executive branch can Work Together and how we can work with leaders in the private sector to enhance the nations Cyber Security. So with that, id like to yield back to the chairman. And if i may, submit my questions for the record. I thank the chairman. And the chair now welcomes and recognizes the ranking minority member of the full committee, the gentleman from mississippi, mr. Thompson, for his Opening Statement. Thank you, very much. Good morning. Id like to thank chairman radcliffe and Ranking Member richmond, for holding todays hearing to examine the work dhs is doing to shore up our nations cyber defenses. Theres no doubt that our country is facing an evolving array of cyber threats. As we stand here today, our enemies are thinking of new and novel ways to strike at everything from banks to hospitals and chemical facilities. Nefarious actors, even want to disrupt some of our most basic institutions. Last year, we learned that our nations election system served as a new frontier for cyberattacks. With every passing day, we learn of new ways cyber operatives are looking to exploit everything from the media we consume to the databases that store Voter Registration data. Databases that store Voter Registration data. In this country, theres nothing more sacred than the ability to engage in civic activity and cyber criminals are seeking to undermine our democracy. Further more, as i watch the devastation unfold in texas, florida, puerto rico and the Virgin Islands im reminded of the fragility of our systems. The systems we rely on can be deadly regardless of whether its caused by a cyberattack or a natural disaster. In short, the Digital Network we rely on for our daytoday life are facing a multitude of threats. To respond to these threats, congress has put its trust in dhs. Over the past few years, congress by way of this committee has consistently expanded dhss cybersecurity mission, giving the department a key role in securing federal networks as well as the systems that support our nations Critical Infrastructure. The department made huge strides in implementing these new authorities including by standing up an Automated System to share cyber threat data and advising the new election infrastructure subsector on how to promote cyber hygiene with Election Administrators throughout the country. We cannot, however, expect dhs to carry out these responsibilities with both hands tied behind its back. To be successful, the Department Needs adequate resources, a robust staff, strong leadership and a clear strategy. Unfortunately, this administration has been gravely unfocused when it comes to cybersecurity. President trump falsely promised to deliver a comprehensive plan to protect americas vital infrastructure from cyberattacks on the first day in office. It took months for the president to get around to issuing an executive order on cybersecurity. Also, a quarter of the 28 person National InfrastructureAdvisory Council resigned in protest of President Trumps insufficient attention to cyber threats. President trump floated the idea of an impenetrable cyber unit with russia at the same time members of his administration were considering and ultimately deciding to ban the use of the products on federal networks. Within dhs the chief Information Officer resigned after serving only four months and the National Programs and protection director the departments main cyber is still operating without a permanent under secretary. Whether the men and women in this room are willing to acknowledge in an open setting that they are struggling without this leadership, we can be certain these gaps are making their job harder. I look forward to hearing from the panel today about how the department is carrying out its Cyber Mission and i hope that youll be candid with us about the obstacles you face. If there are areas where you need Additional Resources or legislative clarity, tell us how we can help. Im especially eager to hear from ms. Hoffman about how dhs works with one of its key partners in securing Critical Infrastructure, the department of energy. With that, mr. Chairman, i yield back. Thank the gentleman. Other members of the committee are reminded that Opening Statements may be submitted for the record. We are pleased to have a distinguished panel of witnesses before us today on this very important topic. Mr. Christopher krebs is the senior official performing the duties of the under secretary of the National Protection and programs directorat at the United States of department of Homeland Security. Great to see you today mr. Krebs and great to see you in your new role at dhs. Ms. Gentleman net man fra is the secretary for Cyber Communications in the National Protections and program directorat. Also great to have you back with our subcommittee and finally ms. Patricia hoffman is the acting assistant director at the Us Department of energy. Thank you for being here with us today. Id now like to ask the witnesses to stand, raise your right hand so that i can swear you in to testify. Do each of you swear or affirm the testimony which you will give today will be the truth, the whole truth and nothing but the truth so help you god . Let the record reflect that each of the witnesses has answered in the affirmative. You may be seated. The witnesses full written statement. The chair recognizes mr. Krebs for his Opening Statement for five minutes. Chairman radcliffe, Ranking Member richman, thompson, members of the committee. Good morning and thank you for todays hearing. In this month of october we recognize National Cybersecurity Awareness Month, the time to focus on how cybersecuritys a shared responsibility that effects all americans. The department of Homeland Security serves a Critical Role in safeguarding and securing cyber space a core Homeland Security mission. I want to begin my testimony by thanking the committee for taking action earlier this summer on the cybersecurity and Infrastructure Security Agency act of 2017. If enacted, this legislation would mature and streamline the National Protection and programs dorrat and rename our organization to clearly reflect our essential mission. The departments strongly supports this much needed effort and encourages swift action by the full house and senate. The Mission Statement is clear we lead the nations efforts to ensure the security and we collaborate with other federal agencies, state, local tribal and territorial governments and of course the private sector. Our three goals are as follows. Secure and defend federal networks and facilities. Identify and mitigate Critical InfrastructureSystematic Risk, incentivize and broadly enable enhanced cybersecurity practices. No question this is an expansive mission. As we meet today, i am proud to share with you the tireless efforts of so many at mmppd. In coordination with our partners to accomplish this mission. The targeting of our elections, wanna cry, intrusions into energy and Nuclear Sector infrastructure, harvey, irma, maria. Selftarget attacks in london, barcelona, orlando and las vegas. As threats to our Critical Infrastructure evolve and in many ways remain the same our people are partnering with owners and operators across america. We are engaging the public to raise awareness because our security is truly a shared responsibility. Todays hearing is about dhss cybersecurity mission. Earlier this year the president signed an executive order on strengthening the cybersecurity of federal networks and Critical Infrastructure. This executive order set in motion a series of deliverables to improve our defenses and lower our risk to cyber threats. Dhs is organized around these deliverables by working with federal and private sector partners. Were emphasizing the security of federal networks. Agencies have been implementing the industry standardness cybersecurity framework. Agencies are reporting to dhs and the office of management and budget on their cybersecurity management in acceptance courses. Theyre evaluating the totality of these Agency Reports in order to comprehensively in addition to our efforts to protect federal Government Networks were focused on how government and industry Work Together to protect the nations Critical Infrastructure. We are prioritizing deeper more collaborative Public Private relationships and partnerships. In collaboratation with civilian, military and intelligence agencies were developing an inventory of authorities and capabilities. Were prioritizing entities at greatest risk of attacks that could result in catastrophic consequences. We call this section 9 efforts. Before closing let me also discuss our continue facing the threat of cyber enabled pragsz by a Foreign Government during the 2016 elections dhs and our interagency partners conducted unprecedented outreach and provided assistance to state and local Election Officials. Information shared included indicators of compromise, technical data and best practices. Through numerous efforts braen after election day, we declarified and share information related to russian malicious cyber activity. These steps have been critical to protecting our elections, enhancing awareness and educating the american public. Technological advances such as the internet of things and Cloud Computing increase access and streamlined efficiencies. However, they also increase Access Points that could be leveraged by adversaries to gain unauthorized access to networks. As new threats emerge and our use of technology evolves, we must integrate cyber in order to effectively secure our nation. Expertise around cyber physical risk and Critical Infrastructure is where we bring unique expertise and capabilities. Thank you for inviting me here today. I look forward to your questions. Chairman radcliffe, Ranking Member richman, thompson, members of the committee thank you for holding todays hearing. I also want to begin my testimony by thanking this committee for taking action earlier this summer on the cybersecurity and Infrastructure Security Agency act of 2017. A name for our organization that reflects our mission is essential to our workforce, recruitment efforts and effective stakeholder engagement. We must old ensure that mmpd is organized both now and in the future and we appreciate this committees leadership. Cyber threats remain one of the most significant strategic risks for the United States. Cyber risks threaten our National Security, Economic Prosperity and Public Health and safety. Our adversaries cross borders at the speed of light. Over the past year, americans saw advanced persistent threat actors including hackers, criminals and nation states increase in frequency, complexity and sophistication. In my role at dhs, i had the Departments Office of cybersecurity and communication which includes our 24 7 watch center and operations, the National Cybersecurity and communication and integration center. Our role goes along three work streams. Assessing and measuring agency eventual nerabilities and risks as well as Critical Infrastructure and directing and advising actions that federal agencies and Critical Infrastructure entities can take to better secure their networks. As you well know the end take is the civilian governments hub for cybersecurity information sharing and coordination for both Critical Infrastructure and the federal government. As my colleague noted we are emphasizing the security of federal networks. The assistance to federal agencies includes first providing tools to safeguard civilian executive Branch Networks through our National CyberProtection System and the continuous diagnostics and Mitigation Programs. Second, measuring and motivating agencies and third, serving as a hub for information sharing and Incident Reporting and finally providing operational and Technical Assistance. Einstein, the refers to the federal governments suite of intrusion detection that protects agencies unclarified networks. Today it takes action on known mishs activity. Our yielding positive results. These capabilities are essential to discovery of previously unidentified malicious activity. Were demonstrating the ability to capture data that can be analyzed for activity using technologies from commercial, government and open sources. The pilot efforts are also defining the future operational needs for tact ticks, techniques and procedures as well as the skill sets and personnel required to operationalize the nonsignature base approach to cybersecurity. Einstein is our tool to address Perimeter Security but it will not detect or block every threat therefore we must compliment it with systems and tools working inside agency networks. Our continuous diagnostics and Mitigation Program provides those tools and Integration Services to federal agencies. These tools are enabling agencies to manage risks across their entire enterprise. At the same time, those tools are also going to provide dhs visibility in to our enterprise risk across the federal government through a common federal dashboard. Mmpd is also working with our interagency partners to identify high assets. As part of this effort we conduct Security Architecture reviews to help agencies to assess their configurations, indepth vulnerability assessments to determine how an adversary would penetrate a system, move around an agencys network and exfiltrate such data without being diabeticed. We provide system owners with recommendations to address vulnerabilities protecting them before an incident occurs. When necessary the Department Also is taking targeted action to address specific cybersecurity risks through the issuance of binding operational directives. We are work toning hans cyber sharing across the globe. These actions help businesses and Government Agencies protect their systems and quickly recover should such an attack occur. By bringing together all levels of government, the private sector, International Partners and the public, we are taking action to protect against cybersecurity risks, improve our whole of government capabilities and to strengthen resilience. Thank you for the opportunity to testify and i look forward to any questions you may have. Thanks. Ms. Hoffman youre recognized for five minutes. Chairman radcliffe, Ranking Member richman and members of the subcommittee. Thank you for the opportunity to discuss the continuing threats facing our Nations Energy infrastructure and the department of energys role. Cybersecurity of the Energy Sector is one of the secretarys Top Priorities and a major focus of the department. The department of energy is the Sector Specific Agency for cybersecurity of the Energy Sector. Doe works with dhs to and jointly with other agencies, the private sector organizations for a whole of government response to Cyber Incidents by protecting assets and countering threats. In addition the department of energy serves as the lead agency for Emergency Support function 12 which is energy under the National Response framework. As the lead ef 12 is responsible for facilitating restoration of Damage Energy and infrastructure. The Department Works with industry, federal, state and local partners to facilitate response from recoveries. With National Response activity ensures that incidents both cyber and physical impacts are coordinated in the Energy Sector. At this moment in time i would like to acknowledge that the secretary does express his support for the victims of hurricane harvey, irma and maria and i would also like to express my gratitude for all the utility workers that have working very hard in the region for restoring powers. In extreme cases the department can also use its legal authorities as those in the federal power act as amended by the fixing american surface transportation act to assist in response to recovery actions. Congress enacted several important new Energy Measures in this act as it relates to cyb rr security. The secretary of energy was provided a new authority upon the declaration of a Grid Security emergency by the president to issue emergency orders, to protect or restore critical electric infrastructure or defense critical electric infrastructure. This Authority Allows d. O. E. To respond asneeded to the threat of cyber and physical attacks to the grid. D. O. E. Has collaborated for nearly two decades, that engage owners and operators at all levels. Technical, operational, and executive. Along with state and local governments to identify and mitigate physical and cyber risk to the energy systems. In the Energy Sector the core partnerships have consisted with the electric coordinating council and the oil and gas coordinating council. In these meetings, partners states International Partners come together to discuss important security and resilience issues for the Energy Sector. The electric sector specifically has been very forward leaning and aggressive in trying to address cybersecurity issues. D. O. E. Plays a Critical Role in supporting the Energy Sector by building in security. Specifically we have been looking at building capabilities in the sectors in three areas, the first area is preparedness, enhancing the visibility and Situational Awareness in Operational Networks as well as i. T. Networks. Increasing the alignment of cybersecurity preparedness across multiple states and federal jurisdictions. Response and recovery activities in supporting the whole of government effort and leveraging the expertise of the department of energys National Labs to drive cybersecurity innovation. Threats continue to evolve. D. O. E. Is working diligently to stay ahead of the curve. The solution is an ecosystem of resilience that works in partnership with state, local and industry stakeholders to advance best practices, strategies and tools. To accomplish this, we must accelerate information sharing to better inform local investment decisions, encourage innovation and the use of best practices. To help raise the Energy Sectors Security Maturity and strength and recovery activities. Especially through the participation and Training Programs and exercises. I appreciate the opportunity to be here before the subcommittee and represent one of the sector specific agencies and the Energy Sector cybersecurity capabilities. However i would be remiss not to take a moment and stress the inner dependent nature of our infrastructure and required all sectors to be focused on improving their cybersecurity posture. So d. O. E. Looks forward to continuing working with the federal agency to share best practices and build a defense indepth. So with that i would like to thank you you for being here today and look forward to answering your questions. I now recognize myself for five minutes of questions. Ms. Man fra. I want to start with you. You mentioned einstein and cdm in your testimony and the role they play. I want to give you some opportunity to provide some public clarity on the implementation of cdm specifically. Can you give us some idea of how many departments and agencies have fully implemented cdm phase one and how many Agency Dashboards are up and running . Is the dhs dashboard up and running and give us perspective on that . Yes, sir. Thank you for the question. Cdm we are in the process of deploying both phase one and phase two. Phase one being focused on hardware, software, asset management, sort of identifying what is on the networks internal to the agencies and phase two looking at whose on the networks. Dealing with issues like access and identity management. We can get back to you with the specific numbers of agency deployment. Theyre all in various stages of deployment. We have made it available to all agencies but each individual agency is in a different stage of deploying. We are nearing 20 agencies that have an Agency Dashboard up and running and this month, the department the department of Homeland Security will be standing up the federal dashboard so that will be receiving feeds from those Agency Dashboards. That will then allow us to have more near realtime understanding of that that sensor, what those sensors are identifying on those networks to allow us to better identify vulnerabilities. Thanks. One other points i wanted to cover today was last week the gao came out with a fairly critical report on the current state of cybersecurity. One of the most would appear to be at least troubling aspects of that was a statistic thats only seven of the 24 cfo act agencies have programs with any functions considered effective per the nis standard for cyber control. That doesnt sound very good. I want to give either you mr. Krebs or you ms. Manfra the opportunity as we talking about the cybersecurity posture of the dot gof reconcile that with the gao report. Weve learned a lot over the years about Agency Capacity to manage cyber risk and the prioritized the management of their cyber risk at their highest level across the government. What we have learned in the both the deployment of cdm, our engagement and partnership with omb is their remains significant gaps. We have built over the last couple years and are continuing to build Technical Assistance capabilities, things like design and engineering, architecture reviews, helping agencies getting much more indepth, insight into their networks and providing them with greater level of assistance both engineering and on the governance side to help them address the often very complicated networks with the limited resources we have. We see a lot of potential for cdm in the ability to deliver tools as lower cost across agencies and this is the first time that many agencies have had access to this level of automated data to understand what is on their network and so we see a lot of potential for this but for many agencies theres a lot of capability that has to be built and were continuing to take advantage of things like shared service, more capability from dhs to deploy to agencies who need it most. So you just you comment about shared services and resources. I want to follow up on that a bit because i think its important to look where we are but also look to where were going and so looking forward a bit, how do you see dhss federal Network Protection tools evolving past say signature based Threat Detection tools and particularly where my conversations with the administration and the cybersecurity advisers to the president really putting an emphasize on Cloud Computing, shared services and resources. So i guess in a sense, what is einstein future generations, einstein 10. 0 look like . Im not exactly sure what einstein 10. 0 will look like yet but i can tell you where were looking to evolve. As agencies and the president s Key Initiative around modernizing our ent. We need to modernize the way with govern and procure i. T. Services within the government. As we do that were working very closely to modernize our surety processes, so weighs take advantage of things like cloud services, we ensure that we are modernizing our security approach but also not using the insight that we have into traffic, either traversing or in and out of agency networks. Importantly we have learned on cdm some key lessons from the first phases of deployment. We now have a new contract vehicle in place that will enable the deployment of cloud and mobile Security Technologies in addition to the on premises sensing capability that we have right now. We are evolving. We are building on what industry is learning from behavioral based detection methods and we have had some successful pilots. We look forward to continue to build that capability. Thank you very much. My time is expired. The chair recognizes mr. Richman for his questions. Ms. Manfra or mr. Krebs, either one. The legislation called for Department Wide cyberSecurity Strategy within dhs. That strategy and report was due in march. We still dont have it so whats the status of it and if you run into problems in getting it done, what are those problems, how can we help . Sir, thank you for the question. The office of policy has strategy. It rolls in components across the Department Ten the secret service, i. C. E. , Homeland Security investigations, the u. S. Coast guard, Transportation Security Administration as well as mmppd. So why we dont lead the development of that strategy because it is a departmentwide strategy we are a significant player. To speak to the status of the strategy itself, my understanding of where it sits is influenced by the president s executive order, 13,800 that was released back earlier in the spring. Now that report puts dhs at the front or in the lead for almost all of the reports particularly in the first two with and fourth work stream. Federal networks, Critical Infrastructure and cyber workforce. So while those reports and assessments are under way, they are anticipated to have significant impacts on some of the priorities perhaps of the department including mmppd. So i believe the decision on finalizing the strategy has been to lets get through the cybersecurity assessments related to the e. O. As well as the administrations anticipated national Security Strategy and National CyberSecurity Strategy that are expected in the next several months and then when we have a broader understanding of where the department is going, that will then feed into the cyberSecurity Strategy. That said, rolling it all back to the requirement in the ndaa that you authored, it is still a priority to finalize that report. That said as a department we are moving forward with the number of our priorities and i do want to touch on a couple things you mentioned early, as the senior official performing the duties, while we do not have a permanent under secretary, ive been theoriesed and given the very clear direction by acting secretary duke to move out and execute every aspect of mmppd. So while we do not have a permanent under secretary right now, i have all the authority i believe i need to execute the departments mission within mmppd. With regards to a strategy and we talk about in terms of report, let me just take that aside. Do we have a Department Wide strategy with how were how we deal with cybersecurity and our needs and challenges that were going to continue to face in the near future . Sir, my understanding is there is a Department Wide cyberSecurity Strategy in draft form, yes, sir. So and again, i dont want to get into the weeds. Are you all operating with some comprehensive strategy on a daytoday basis to protect the cybersecurity . I understand, yes, sir. Going back to my opening remarks, i indicated that mmppd is in the lead for insuring the nations Critical Infrastructure both cybersecurity and physical threats. I mentioned the top goal which is securing our federal networks and facilities. For me and with the assistant secretary manfra thats at the top of our minds every single day. Identifying and mitigating Systematic Risk across the infrastructure, the nations infrastructure. When i think about that, im thinking about the section nine Critical Infrastructure at greatest risk but im also pointing election infrastructure in there. As i mentioned in my opening comments, that for me is the number one priority for mmppd from a Critical Infrastructure standpoint. We can not fail there and third and finally is enabling and incentivizing better security practices across the broader structure community. Ms. Hoffman, theres been a great deal concern among National Security experts that russias goal in disrupting the ukraines power supply in 2015 and 2016 was to test its capabilities in preparation for a larger attack on the United States. Last month we learned that russia may have been responsible for dragonfly 2. 0 which exploited and targeted some of our Energy Sector. How is it Energy Sector responding and what is their capabilities to prevent a widespread attack. With that i yield back. Thank you, congressman for the question. Ukraine attack was a very much an eye Opening Event for the Energy Sector and the Energy Sector specifically, the electric sector got very organized in recognizing that we had to continue to step up our Continuous Monitoring capabilities. Our ability to detect behavior on the system but also building inherent protections as we develop new technologies. Recognize that the core of anything is protecting against spear phishing and passwords and credentials and thats starting to really go after where do we need to be with respect to preventing an attack from occurring on the system. So weve been working very actively with the electric sector to build some tools and capabilities and for protections of their system. Okay. Chair now recognizes gentleman from new york, mr. Donovan for five minutes. Thank you, mr. Chairman. I just like to ask one question of all of you. In 2015, Congress Passed the cybersecurity act, in 2017 we passed the cybersecurity and Infrastructure Security Agency act and the president also issued an executive order back in may to strengthen our abilities. What do you guys need . What can congress do to help you protect our nation, our federal agencies, our private entities . As mr. Richmond said, our energy, industries, what do you guys need from us to help you protect our nation better than were able to do now . Sir, thank you for the question. The very first thing i would start with is as you mentioned the cybersecurity and Infrastructure Security Agency act of 2017. Passing out the full committee was a significant step forward what we need is quick action by the full house and the senate. Let me give you a little anecdote about why thats important. That bill will give us three things. One, itll allow us to introduce some operational efficiencies. Looking at Common Infrastructure across the organization, push them together, so that we are more streamlined in how we engage and deliver services from a Customer Service orientation. Second, itll help with our branding and clarify roles and responsibilities but more importantly with our federal partners, the state and local partners and private partners. And finally whats thats going to do is give us the ability to attract talent. Weve talked about workforce, weve talked about hiring and weve talked about partnership. But on that clarity of roles and responsibilities let me talk about that for just a second. Ive been down to puerto rico, twice in the last week. I was there last monday and then i was there last friday with acting secretary duke. On friday meeting with acting secretary duke, we were discussing a number of the Critical Infrastructure challenges in puerto rico. When it came around to me i talked about the communications infrastructures. The National Communication center resides within the office of cybersecurity and communication. Now when we talked about the status of things, what i was talking about was how we are assisting the communications carries whether its at t, sprint, tmobile, verizon, helping them get back in, prioritize deliveries of temporary capabilities, to helping temporary popup the communications coverage but at the same time helping them get resources in for cell towers. Now as i briefed out where we were on helping those Companies Get resources back in, i introduced myself as the senior official performing the duties of the under secretary for the National Protection and programs directorat. Now try repeating that back. Its not easy. Someone that has never heard that before immediately went on to a press interview and alongside the tsa administrator, ghost card, the secretaries of Homeland Security, she said we have fema, tsa, coast guard and the comms guy. She doesnt know how to describe me. When im out engaging my stakeholders they dont understand the mission i deliver. I need help clarifying that and providing very upfront, upfront clear what i do and what my team delivers. That is a significant advancement. Any help i can get there, please, help me out. More broadly, though, in terms of additional authorities and clarification of authorities, we are in the process of running that kind of stock taking of where the department sits in cybersecurity. Department of energy and the fast act got significant authorities that could come to bear in the event of a grid incident. Dhs has authorities in terms of Incident Response, information sharing. Thank you for those authorities. Going forward, were not quite sure just yet what we need but im going to tell you this the cybersecurity threat is not going away. Our adversaries are Getting Better and faster and more agile. We need to be resourced. We need to be staffed. We need to be positioned to respond to that because i also know one more thing. We are not going to use Less Technology going forward. As you kaled earlier, we are going to the cloud. We are going to shared services. Were going to be relying upon these Cross Cutting Technology capabilities and the Information Technology sector. We need to be ensured that from a digital defense perspective we have what we need. We will we welcome that conversation and you can believe that youll see me again and well be talking about that. I have two seconds left in my, would you contribute please . Yes, sir. Very briefly, just to compliment what chris talked about, were working within the federal government to understand what is the full breadth of our authority. How can we lean in to the existing authorities we have to deploy more capability with the Critical Infrastructure sectors we are working to understand now that weve identified these most critical assets at greatest risk, are there legal and operational and policy hurdles that we need to address in order to ensure that we have appropriate prevention. So we look forward to working with you as we conclude these analysis. Please dont wait till another hearing. Please let us know how we can help. Mr. Chair, i yield back the time i dont have left. We recognize the gentleman from mississippi, mr. Thompson. Thank you, mr. Chairman. The last two speakers have talked about being resourced and staffed from an agency standpoi standpoint. Last march we held a hearing talking about staff at the department. Can you give us the number of Unfilled Positions in the Cyber Division right now . Sir, we are currently staffed at 76 of our fully funded billet. So we are 24 under. Can you tell us why were under staffed at this point . Yes, sir. There are a variety of reasons. The first largely thanks to the work in this committee and our appropriations staff and congress in building the billets that are allocated to my organization. We have grown significantly. Weve worked very hard to build according to those to that growth in billets but we have had some challenges. Weve worked with our management colleagues and our Human Capital colleagues to identify areas where we can reduce the time to hire. I can say that looking at the statistics from fiscal year 16 hiring to 17 hiring, weve been able to reduce the time to hire by 10 . We are many of these requirements have to do with security clearances. It does take a long time to process people through that security clearance process but weve made significant progress, were continuing to work with our Security Office to identify ways that we can continue to shorten that. Were also diversifying our recruitment path, looking at the scholarship for service. It has been a great pipeline to bring after the government has funded scholarships, bringing these individuals in as interns and hiring them full time. They are already fully qualified and looking at other programs such as pathways, president ial management fellows and other recent graduate programs. Were also looking at partnerships with industry where they can i dont mean to cut you off, but is the problem we have too many programs to attach people to or im just trying to find out why when we give you the authority to hire, why weve not been able to come closer wherever that authority is and is that something we need to do to get you to that point . Sir, separate the authority that we were given by congress to build an accepted Service Program. What i was referring to was i did not i did not believe a couple years ago we were fully leveraging the authorities we already had and the programs that we already had to bring people in and tightening the timeline that it takes to bring people on. The accepted Service Program is led by our chief Human Capital officer. I notice is a high priority for her. We did not probably appropriately expedite the development of that program four years ago. We have now done so. My understanding is well now be able to hire against that Program Beginning in fiscal year 19 but theres a regulatory process that we do have to under go as a part of that. Just for the sake of the committee, can you provide us with a timeline between when somebody whose considered for employment and when that is completed . Is it not just get back to us or is it three months, six months, a year . I think that would be instructively for us so we can kind of see if theres politics involved and the reason i say that, i think all of us constantly bombarded by people looking for Employment Opportunities and if we have potential opportunities here, is it something were not doing, were not going out recruiting in a broader view or just what, we just need to kind of figure something out . Right. If i could, sir, just clarify. The 76 is just indicating people that are on board right now. If you include the people in the full pipeline, that brings us to 85 . And so for us were at averaging about 224 days to hire. That sounds long but that is to include a top secret sci clearance process which is actually a fairly bench mark, were actually doing quite well. We want to continue to work with you, sir. Well come back with you. Just, please get back with us. Mr. Krebs, we have a Congressional Task force on Election Security and we made request of the department to provide us a classified briefing around this issue and weve been told that it has to be bipartisan, that you cant just brief democrats. Are you aware of that . Sir, im not aware of any existing policy. Let me say this, i share your concern on election infrastructure. I think i made that clear today and i want to say it directly to you as well that it is my top priority at the department. Again, if we cant do this right, if we cant dedicate every single asset we have to safety our state and local partners, then frankly, im not sure what were doing daytoday. So in terms of what weve done in terms of engagements, we are prioritizing delivery of those briefings, information sharing to our state and local partners. We are doing it in a bipartisan matter. This does tran scend party lines and we should be doing this. Going forward i would encourage any additional briefings and we have provided a series of bipartisan briefings to the House Homeland Security committee both classified and unclassified. The real crux of this issue, the underpinning issue here is a trusted relationship. Now did we have i appreciate it, but we have established a working group within the democrats on the committee and were just trying to get a briefing. So i think its nice to say i dont want to brief you because theres no republicans but were members of congress and all were trying to do is get access to the information and if your interest is there, im convinced that youll provide it and thats the spirit in which the request was made, so well make it again. Yes, sir. And look forward to you coming back and just bring us what information you have as members of congress and thats all we ask. Thank you. I yield back, mr. Chair. Thank you. Chair now recognizes jim from virginia, mr. Garrett. Thank you, mr. Chairman. I want to hit my talk button. My voice sounds better with the microphone on. I want to piggyback on what my friend and colleague thompson said and suggest that i would agree with you that election infrastructure, cybersecurity as it relates to partnering with overseeing conduct elections a priority that crosses and transcends the aisle and i would ask that any briefing that you give to Democrat Members you perhaps invite me too or give the exact same briefing to republican members which i think is in considerat of your time but i cant fathom why one party should be briefed on cybersecurity as it relates to our elections in the absence of another in the United States of america. So if you do, in fact, and i hope you will respond to the Ranking Members request to brief on election electoral security, please invite me because i cant fathom that one party has monopoly on hoping that we can have free and fair trustworthy elections and im sure my colleague didnt mean it that way. I want to be very clear that that should not be a partisan issue and perhaps people from both parties or give the same briefing twice, which i think is incarpal tunnelat and shortsighted. Transitioning to what we know as it relates to russian cyber activity specifically with relation to estonia and the ukraine, based on my understanding the bulk of the platforms used to infiltrate infrastructure as it platforms malware it would appear based on my ability to speak in this forum were off the shelf, if you will, black energy were known entities that were discovered as it relates to these attacks as part of a coordinated attack. How well do we stay ahead or try to stay online with . I understand its a moving target, the malware that might be implemented because to the extent theres any hope i understand the format that were in might limit the conversation that we have, a lot of the malicious activity to this point conducted we presume and data would indicate by the russians has used off the shelf technology. So i guess the question there is, how quickly can we pick up on the advancements in malware and sort of into our preventive measures and thats wide open to which can ever one of you wonderful folks would like to address it. If i may, ill start and provide a bit of a broader approach and defer to my expert colleague from the department of energy on anything specific to the grid and electricity. Im subject to a time limit so i apologize. Ill do this quickly. Yes, sir. Generally speaking when weve already talked about advanced persistent threat here. When we think about threats its not necessarily generally speaking advanced. Its just persistent. Folks are still, Companies Organizations are still not doing the basic blocking and attacking. Some of those explorations were known on open vulnerabilities. The consent of a zero day export its not the primary exploit that we tend to see in the wild. Let me interrupt you. And aim big fan of limited government but in this arena because the entire nation hangs in the balance but everything as it relates toll our grid, might it not be effective to hit the particular Power Providers where it counts and that is essentially make it cost something, perhaps metaphorically and literally for entities that dont patch those open known threats and thats something that would be within the purview of the government . You will be up to date on next wednesday or itll cost you . Would that be something thats been explored . My colleague can speak to the government piece and then well talk. Im not trying you guys are great, five minutes. No problem. Very briefly. The first directive we issue was reducing the time to patch vulnerabilities to 30 days. We have seen a complete cultural change as a result of that and we are now seeing the government highly prioritizing patching those critical vulnerabilities. I just wanted to throw that out there. Theres a carrot on the stick. Im glad to hear you say youre draetsing that. Ive got 15 seconds, i want to speak to the nature of nirk and whether or not its a semiprivate pseudo entity compromises intelligence, et cetera, procedures . I dont think nirk has an organization compromises any sort of intelligence. It does have the Information Sharing Analysis Center which is our mechanism for sharing information to the sector at large. It also has capabilities to compel and look at the industry to respond so we can get the information we need. Thank you all and i apologize for running briefly over. Thank the gentleman and the chair recognizes my friend from rhode island, congressman. Thank you, mr. Chairman. I want to thank our witnesses for your testimony. Before i go into my questions i wanted to mention for publicly and take you to mr. Garrett, that some member of the Elections Task force that the democrats have put together on how to go forward in approving Election Security and i would say to my colleague that there was an initial effort in outreach to republicans to make this a bipartisan effort which was not accepted. It was we didnt find anyone that was receptive but i would say this, the Task Force Meetings are open to the public. My colleague, mr. Garrett is welcome to participate fully with that and with respect to that Ranking Members question on the classified briefing, both on russian interference in our elections and how were better securing our election systems, that is a democrats only or democrats and republicans, i would prefer it to be a democrat and republican briefing. However we get the briefing, unless im misunderstanding what the Ranking Member was standias we just want the briefing. We ask that you provide that to us. Yes, sir. I do believe we have provided classified briefing in the past and welcomed the full Committee Briefing on that as well. So the other thing i wanted to mention, i appreciate your comments that you have all the authorities and inn your acting role to do the job necessary in cyber. I would reiterate that it is vitally important that we get key people appointed and in place permanently. I respect the work that youre doing and your team and but we need permanent people in place, both to inspire confidence and clarity. Let me get to my questions very quickly. Ill try to go through them. If there are ones you cant answer fully because of time constraints, either request a followup in writing. And so on september 13th, dhs issue aid binding operational director tif 1701 which directed agencies to remove products from the systems within the next 90 days. And in doing so, dhs first first time issued a Public Statement to coincide with the establishment of the directive and which i would like to commend the department for this added transparency. I thought that was important. My question is, what analysis led to the removal of from federal networks and this is the case this answer may be classified in which case i would request that you and your team provide briefing to members on the that this committee both sides of the aisle understand what went into that. Next, mr. Krebs the sec was briefed in late 2016 and we now know that the attackers had access to corporate filings private to the public release. The announcement of this breach was made nearly a year after it was first discovered. My question was when was dhs informed of the breach and what was dhss involvement in detecting, responding and recovering from these from this attack . And finally, how can dhs improve its integration with the federal agencies to ensure that these types of attacks are detected and notified quicker. Thank you. Let me briefly touch on the ca perskie piece. That determination was based on the totality of evidence including open Source Information and in terms of classified briefing, i believe we are on the schedule for some point in the next month or so with the full committee, the monthly intel briefing. With that if i may id like to turn it over to thank you. Sir, welcome to support a briefing on ca perski as far as the sec were also happy to come in and have a more fulsome conversation with you about that. They did notify us last year on november 4th of an issue. It was at the time the extent of the issue was not well understood and given the time limits here i think it might be more useful if we sat down with you and others Staff Members as appropriate to walk through specific details. And what do you think what was the dhs involvement in detecting and responding to the recovery . Sir, we have very limited involvement with the sec. They did not request our followup for a response. And on the issue of how they can work better in the future . Sir, in addition to this incident as well as several others we are reviewing our procedures to ensure that its clear that when when an incident happens, what role the Department Needs to play in a response not just at the request of an agency and that foo f were looking at specific Critical Services and function, then the Department Needs to have a more active role in that response regardless of whether the Agency Requests it. Thank you. In august, we traveled to deafcon and i think we both were impressed by the willingness to report vulnerabilities in order to improve overall internet security. One of the things i found the pentagons program was very helpful in identifying security vulnerabilities and getting to the attention of the right individuals to close those vulnerabilities, they want to make the internet work better and but they want to know that when they find a vulnerability that theres a path forward and they can report it and someone will do something about it and its heard. We actually have a very longstanding program on both Operational Technology vulnerabilities so Industrial Control Systems as well as enterprise technologies and weve been working with security researchers in both communities for years to provide them a space for them to identify that vulnerability and also to advocate with the owner of that software for a patch and much of the alerts that we issue are the result of collaboration with security researchers. We also have our own organization within my group that conducts Penetration Testing and risk vulnerability assessments to include dhs vulnerabilities assessment across the government to include dhs networks, so while our bug programs can be useful, we need to insure that theyre supplemented with the broader risk and vulnerability analysis and testing that my organization does to insure organizations are appropriately prioritizing what theyre addressing. Okay, what about dhs own systems . My Organization Also supports Penetration Testing and vulnerability assessments within the dhs, particularly the highvalue assets that dhs owns. I do know that our leadership and the management is interested in learning from what the department of defense has done in their Bug Bounty Program and how that might apply to dhs, so were continuing to work through how that might be applied for our organization. I had one more on Election Security. Can i ask that . So i know we have touched on this a bit, but for the record, i really wanted to dive deeper into this. Its a very interesting to insure that state and local Election Officials have access to officials from dhs to protect the vital systems that represent the cornerstone of our democracy. Can you further describe how dhs is working with Election Officials to protect networks . Do you believe that dhs response to the unprecedented interference in our elections last year has been sufficient, and how can we improve the relationship and access to resources . Are there additional funds or resources that the Department Needs in this respect . So thank you for those questions. Let me start at the end with improving relationships. While i was not at the Department Last summer, as this all manifested, i can speak to generally the relationships with state Election Officials. That was not an existing relationship between the department of Homeland Security and the state and locals. However, we do have strong relationships, of course, with the Homeland Security advisers and the chief Information Officers and chief information Security Officers. But to square the circle on this specific threat, we need to develop partnerships that are, you know, three or four legs on the stool within each specific state. And each state is going to be a little bit different in terms of how, who they designate as the chief election official as well as you roll in the vendors of the technology. So in terms of how to improve relationships, its going to take a lot of effort and a little bit of time. And those are things that we are working on right now. We dont have much time. But we are dedicating resources. In fact, just this morning i sent out a notice across my organization and ppd reflecting some changes we made organizationally last week, by establishing an Election Task force. Previously, the election infrastructure piece had been held within the office of Infrastructure Protection as a program. Again, matching my words with our execution, were elevatingatize a task force, bringing components or pieces across the dhs components including the office of intelligence analysis and resourcing it appropriately. This is speaking to a lot of resources, were pulling the resources together in recognition that we dont have a lot of time given there thrare three elections this year. And the money is committed to this . I dont have the ftes on hand right now, but i can get back to you. And specifically. If i could just make one additional point on the resources. Ranking member richmond noted his understanding there was a ninemonth wait for risk and vulnerability assessments. I dont know whether thats the exact current number, but that speaks to the high demand that were experiencing for our assessment services. That is everything from Penetration Testing to the cyber hygiene scans that multiple states and localities are participating in and continue to participate in, as well as these more in depth risk and vulnerability assessments. We are growing that program. We have diverting resources. Were Building Infrastructure so we can more scale that, but these are services were providing not just to federal agencies but also to state and local governments as well as Critical Infrastructure. And were experiencing much more demand for those services, and were continuing to look for ways to scale that capability. Thank you. Thank you for your answers. Again, if there is a followup you can provide to us in writing on briefings, i would appreciate that. Mr. Chairman, thank you for your indulgence. Youre welcome. The gentleman yields back. I want to thank all three of our Witnesses Today for your valuable and insightful testimony. Thank all the members for their questions today. The members of the committee do have some additional questions for witnesses, and well ask you to respond to those in writing. Pursuant to Committee Rule 7d, the hearing record will be held open for a period of ten days. And without objection, this subcommittee stands adjourned. American history tv on cspan3 is in primetime this week starting at 8 00 p. M. Eastern. Tonight, the life and influence of william buffalo bill cody on the 100th anniversary of his death. Wednesday night, the 60th anniversary of little rock central high schools integration, with former president bill clinton. Thursday night, a discussion on the leadup and response of the 1957 forced desegregation of little rock central high school. And friday night, from American History tvs oral history series, interviews with prominent photojournalists who documented major events throughout American History. Watch American History tv this week in primetime on cspan3. Cspan, where history unfolds daily. In 1979, cspan was created as a Public Service by americas Cable Television companies and is brought to you today by your cable or satellite provider. Former equifax ceo Richard Smith testified before the Senate Banking committee recently on the companys data breach, which exposed personal information on more than 140 million people. Alabama senator Richard Shelby is the chair of the banking committee. This committee will come to order. This morning, we will hear testimony from Richard Smith, former