Is that correct? I believe that's the case. Mr. Rogers not here. With that, again, I thank the chairman, and I now welcome our panel of witnesses. First, I would again like to welcome Senator King, the former governor of Maine who served as co-chair of the Solarium Commission. Sits on the Senate Armed Services Committee and Intelligence and others and has been a vocal leader in cybersecurity throughout his tenure. I welcome the senator here. Next, Representative Mike Gallagher, co-chair of the Cybersecurity Solarium Commission and current member of the House of Representatives for the 8th District of Wisconsin. Mr. Gallagher is a member of the House Armed Services Committee and a former member of this committee. I'd like to welcome Mr. Gallagher again back to Congress after his paternity leave. I thank you for interrupting your paternity leave and being here with us. Again, congrats on your daughter Grace. In addition to being a huge Packers fan, going to be proud of her father for the work that you've done with the commission. Next we'll hear from Suzanne Spaulding, commissioner of Cyber Solarium Commission and senior adviser of strategic and international studies. Before that, she served as undersecretary for National Protection and Programs director at the Department of Homeland Security, which is now Cybersecurity and Infrastructure Security Agency. So I look forward to hearing her unique perspective and her emphasis on how civic education is an essential component of resiliency. Finally, we have Dr. Samantha Roberts, commissioner of Cyber Solarium and former national security adviser during Bush administration. Currently serving as chair of the Foundation for Defense of Democracies Center for Cyber and Technology Innovation, and I deeply appreciate her coming to speak with us today and for her incredible contributions to I think continuity of the economy plan. With that, without objection, the witnesses' full statement will be inserted into the record.
I now ask each witness to summarize their statement for five minutes, beginning with Senator King. It was a pleasure serving with you on the commission and I look forward to hearing your comments today. You are now recognized.
Mr. Chairman, thank you very much for holding this hearing. It really means a lot to the work of the commission to be taking this next step. I would say that I use this technology every Wednesday morning for the Senate Prayer Breakfast and it seems to work very effectively except when we try to sing hymns. I think as long as we don't sing hymns we'll be fine. I appreciate your time. I appreciate involvement of representative who outlined a series of bills, all of which we think are important. I really want to thank him for his work. I want to give a little bit of background. The first thing to observe is in the last six months, we've learned that the unthinkable to happen. The unthinkable can happen. In the last 48 hours we've learned cyber is an ever-present threat, as the chairman mentioned in his opening statement. The attack on Twitter, which was a commercial one, but also the apparent attack by the Russians on the security of our pursuit of a vaccine. It's just a reminder that this is not an academic question but it's something really front and center in threats that this country is facing. The commission that you've mentioned several times, and that Mike Gallagher and I were privileged to co-chair, were set up in the 2019 National Defense Authorization Act. It had a unique structure, four sitting members of Congress, four members from the executive and six members from the private sector. I can honestly say throughout our deliberations, and we had over 30 meetings, 400 interviews, thousands of pages of documents, there was not a single moment of partisanship or of partisan discussion. In fact, I had no idea the party affiliation of the other 10 members of the commission who aren't members of Congress.
That, it seems to me, speaks to the importance and overriding power of this issue that really must unite us. So that was the work of the commission. We went through, as I mentioned, 30 meetings together. We had a stress test. We had a sort of contest of ideas in the middle of last summer. We really tried to approach this with fresh eyes to look at really two basic questions, what should our strategy be and what should our organizational structure be to protect, to prepare, and to prevent cyber attacks. As you mentioned, there are 82 recommendations in the report, 54 of which have been converted into legislative recommendations and presented to the various committees of both the House and the Senate in the form of fully drafted legislative proposals. What we're talking about is what's called layered cyber deterrence. That means resilience so that our adversaries feel there's not much to be gained by attacking us because of our security and our protection of our systems, but also a declaratory policy that if attacked we will respond. One of the deficiencies in our cyber posture over the last several decades has been we have a deterrent strategy for a major sort of threshold of use of force but we haven't had a strategy and we haven't articulated a doctrine that would provide a deterrent for less than use of force kind of cyber attacks. For that reason, as I've said many times, we're a cheap date. Our adversaries don't compute the cost of attacking us. That has to change. That's the strategic picture. The organizational picture is that cyber is scattered throughout the federal government. It's in the Defense Department, it's in the intelligence community, it's DHS, FBI. We really need to try to straighten out the organizational structure. One of my observations has been that messy structure equals messy policy.
That leads with the creation of a National Cyber Director in the White House appointed by the president, confirmed by the Senate, which will give continuity to this important interest. We want somebody in the federal government who wakes up every morning with the mission of protecting this country in cyberspace. Finally one of the crucial elements that we try to address in the report, and frankly it's a difficult one, is the relationship between the government and the private sector. 85 percent of the target space in cyber is in the private sector. The private sector computers, whether in the financial sector or energy or transportation or telecommunications, they are the frontline troops in this battle, and yet it's the federal government that often has the resources and expertise and ability to pull together this information in order to protect our country. So I'll go back to, I think, one of you stated, I think Representative Katko stated and Mike Gallagher stated, this was our mission from the beginning. We wanted to be the 9/11 Commission Report without 9/11. That's really what we've tried to focus on in this project. I want to thank the committee. Now is the time to put recommendations into law, into practice if we're going to protect our country in the way that we all believe it can be done and certainly it should be done. The unthinkable can happen but we can be prepared, we can prevent and we can protect this country. Thank you.
Thank you, Senator King. One of the co-chairs, did an outstanding job and I was proud to serve on the commission. Thank you for your testimony. Now I recognize Congressman Gallagher to summarize the commission statement for five minutes.
Thank you. Not only for chairing this hearing today but immense contributions to the commission. Our final report would not have been possible, building on the work you've been doing for the last decade, so it was really great to work with you.
I thank you, Ranking Member Katko, for your engagement, for meeting with us and our staff multiple times and for your leadership on these issues. Thank you, Chairman Thompson, for giving us this forum today. Let me just echo what my co-chair Senator King, married to a Packers fan, said at the outset. We come from different parties, appointed on different sides and outside experts, Commissioner Spaulding and it would have been impossible to confirm party affiliations if you listened to one of the debates we had as we met as a commission. What came out of the process was truly nonpartisan support that tends to put the country at any parochial or political interest. This really has been an issue that every presidential administration for the past 25 years, Democrats and Republicans, has tried to figure out. How do we cyber space. Our efforts are vulnerable, if not already compromised. Our country lost hundreds of millions in states intellectual property theft. Major cyber attack on the nation's critical infrastructure. Our economic system would create chaos and damage. In an effort to forestall future, examined a broad range of policies that can more effectively defend our nation in cyberspace. I should admit our public relations plan when we released March 11th, 2020, did not factor in a global pandemic taking over the conversation. That's all the more reason it's important to have hearings like this today. Not only suggest our full report and our pandemic annex. I would highlight key, one, reform structure and organization for cybersecurity that starts with establishing a National Cyber Director with Executive Office of the President, cyber director as Senator King outlined. It includes strengthening CISA outlined so it can serve as central core element to support integrative state and local cybersecurity efforts.
I think it's important that we're not creating new organizations within the federal government but elevate and empower existing organizations like CISA that made progress but need more support from Congress. Second I would say we have a variety of recommendations on national resilience, Congress should codify rules of specific agencies, focusing national risk management efforts and developing and maintaining continuity planning process so we think through the unthinkable now so we're not having to make things up on the fly in the wake of cyber 9/11. Third and finally highlight need to reshape cyber ecosystem towards greater security. We're recommending, for example, Congress establish and fund National Cybersecurity Certification and Labeling process to establish and manage program on security certification and labeling of ICT products as well as establish Bureau of Cyber Statistics charged with collecting data on cybersecurity. These recommendations and many more like them in the report are designed to implement the commission's recommended strategy of layered cyber deterrence, which is our theory how we evolve into harder target, ally and worse enemy, better defend our nation, economy and way of life in cyberspace. Thank you for giving us the opportunity to present our findings here today. We look forward to the debate. Again, I want to highlight not only the contributions of the commissioners you'll hear from but also our wonderful staff who has dedicated a year of their life to this important effort. I yield back.
Thank you, Chairman Gallagher. I commend you. Both you and Senator King are a great team co-chairing cyber space, we're indebted to you for your work and service. With that, thank you for your testimony and I now recognize Ms. Spaulding to summarize the commission's statement for five minutes. You're muted. You're unmuted.
Thank you, members of the committee. Thank you for this opportunity to be here today to testify.
It's an honor to be here with my fellow witnesses and particularly, Chairman, an honor it was to work with you again, having worked with you in 2007 on the commission for cybersecurity for 44th president which you co-chaired. And I want to thank you for your long outstanding leadership on cybersecurity issues. And the bipartisanship, nonpartisanship, which you've heard today, really that tone was set at the top by our two co-chairs, Senator King and Congressman Gallagher, so thank you for that. Of course a pleasure to work with Commissioner Ravich. I want to touch briefly on three key areas I think should and must be acted on very quickly given vulnerabilities we've noted with the pandemic. The first is strengthening DHS cybersecurity agency or CISA, the organization I once led at DHS is called, thanks in no small measure to the work of this committee and Chairman Thompson and I thank you for that. With malicious cyber actors targeting hospitals, vaccine developments and governments at every level and stay-at-home workforce presenting a massive attack surface, CISA's work has never been more important. This is why the commission urges Congress to provide CISA promptly with the resources and authorities, including administrative subpoena authority that it needs to be the national risk manager, to serve as the central cyber civilian security authority to support federal, state, local, territorial and tribal governments and the private sector, to conduct continuity economy planning, a concept that the commissioner brought to the commission, so important. Identify systemically important critical infrastructure and coordinate planning and readiness across government and the private sector. Second, with regard to improving cyber ecosystem and reducing vulnerabilities, the commission turned first to improving the efficiency of the market.
We looked at why isn't the market performing its function of driving better cybersecurity, a key reason we determined was that markets need information to operate effectively. So we asked the Congress, establish that National Cybersecurity Certification and Labeling Authority, the kind of Underwriters Laboratories effort that Congressman Gallagher mentioned, publish guidelines for secure cloud services, create that Bureau of Cyber Statistics, promote a more effective and robust cybersecurity mark and national certification law. Finally, I believe one of the most important pillars in the report is resilience. We need to reduce the benefits side in the adversary's cost-benefit analysis. Often that means reducing our dependence upon those network systems, developing redundancy, even analog systems, paper ballots, for example, are a way of building resilience into our election infrastructure. We have a number of urgent election-related recommendations including reforming regulation of online political advertisements, providing grant funding for states to improve election systems, replace outdated equipment, ensure voter-verifiable paper-based systems and conduct post-election audits. These are perhaps the most urgent of our recommendations. And I'd like to close with our recommendation to build public resilience against democracy at a whole. Media literacy is important but we need to focus on deterring the key objective of our adversaries, which is to weaken democracy by pouring gasoline on the flames of division that already engulf online discourse. Pushing Americans to give up on institutions, not just elections but the justice system, the rule of law, and democracy itself. They portray our institutions as not just flawed but irrevocably broken. Where protesters and judicial reform advocates seek changes to make our institutions and our nation stronger, our adversaries seek only to make us weaker.
They want Americans to despair at the prospect of bringing about change, to despair at the prospect of being able to discern fact from fiction. They want to destroy the informed and engaged citizenry upon which a healthy democracy depends. To defeat our adversaries' objective it calls for reinvigorating civic education, to help Americans rediscover our shared values. Understand why democracy is so valuable that it is under attack and that every American must stay engaged, to hold our institutions accountable and continue to move us toward that more perfect union. Thank you for this opportunity, and I look forward to your questions.
Thank you, Commissioner Spaulding. Again, both for your participation and contributions and broad dedication and work on cyber. With that, I thank you for your testimony. Finally I now recognize Dr. Ravich to summarize. You are now recognized.
Thank you. Thank you, Chairman Thompson, Ranking Member Katko, distinguished members of the committee and my fellow witnesses, who I have come to know and greatly admire over this past year. I thank you for inviting me to participate about one of our most pressing questions our government is currently tasked with answering. What steps can government and private sector do to defend our businesses, our military, our citizens, our country against future cyber attacks. Our recommendations in the Cyber Solarium hardening our resilience maintaining capability, capacity to impose cost on the adversary all in the service of deterring the type of catastrophic attack that our two esteemed commission chairmen laid out in open speak in the report. We would not have lived up to the responsibility given us if we had not thought about what our country would do in the aftermath of a significant cyber attack. I want to spend the next few minutes underscoring one of the commission's recommendations, the need for the U.S.
To develop and maintain a continuity of the economy, or COTE plan introduced by Senator Peters. During the Cold War, the United States developed continuity of operation, to ensure the government could reconstitute and perform minimum set of essential public functions in the event of nuclear while coot, government contingency planning for the last 60 years, no equivalent effort exists to ensure the rapid restart and recovery of U.S. economy after a major disruption despite the 2017 U.S. National Security Strategy identifying economic security as national security. And the recognition that the private sector, as much as the U.S. government itself, is a critical component of the security of our populace. So think about it for a moment, what it would mean for the U.S. military and the security forces of our allies if there was a major attack on bulk power transmission, not only knocking out the lights in major metropolitan areas but taking transportation systems offline. Or if the major stock exchanges were compromised, if whole same payments, medicine, trader logistics were brought down. Now think about the difficulties that would create for mobilizing and deploying forces if this all occurred during a time of international crisis. Not knowing which plane, train, or bus to hop on to get to the rally point, leaving loved ones at home scared in the dark and not knowing if their medicine or baby formula will still be stocked at the local Walmart, much of the economic base in the United States potentially losing complete access to their data for good. Creating and exercising continuity of the economy plan will serve as a visible deterrent to adversaries by demonstrating the United States has the wherewithal to respond to a significant cyber attack. It will show that we will not be cowed and that the economy upon which our livelihood depends is brought down by adversarial cyber attack they, the adversary, will feel our wrath.
Our commission's recommendation on COTE revolve around in part determining any additional authorities or resources that will be required to implement plans in the case of a disaster and establishing a framework for rapidly restarting and recovering core functions in a crisis, giving precedence to functions which destruction would cause catastrophic loss, lead to loss of confidence, imperil human life on a national scale or undermine response, recovery, or mobilization efforts in a crisis. Continuity of the economy planning might also further review the feasibility of disconnecting critical services or specific industrial control networks if national security concerns overwhelm the need for internet connectivity. Continuity of economy planning should further explore options to store backup, protected data across borders with allies for partners, particularly in areas where economic disruption in either country could have cascading effects on the global economy. This could include technology that considers what seed data would need to be preserved and protected in verified format with a process to assure no compromise or manipulation. Finally COTE must take into consideration lack of readiness by the general public. By its very nature continuity of the economy planning will not prioritize will only prioritize the most essential functions of the country and the locales both to enable rapid recovery from devastating cyber attack and to preserve the strength and will to quickly punish the attacker. Many industries will not be included in this planning and most citizens will not be able to rely on government assistance in the period following an attack. It's also true of national disaster preparedness, the American people do not need to be helpless. DHS and other relevant agencies should expand citizen preparedness efforts and public awareness mechanisms to be prepared for such an event.
COTE along with recommendations in the report builds on Cyber Information and Security Agency CISA, DHS, what they have been working on for the past couple of years and seeks to ensure the U.S. is prepared to respond and prepare for cyber attacks. While there's no solution that will protect from cyber attacks in perpetuity, there are steps the federal government can undertake that would significantly improve the government's ability to protect and defend itself from hostile cyber operations. So as we sit here in our virtual COVID world trying to think the unthinkable and plan for the unplannable, we must ask ourselves the hardest question of all, what would a cyber day after look like if we didn't take this planning. Thank you for the opportunity to testify. Look forward to questions and discussions. Thank you.
Thank you, Commissioner Ravich, for your it will and leadership and your valuable contribution likewise to the Cyber Commission process and its recommendations. With that, again, I thank all the witnesses for their testimony, remind subcommittee members we will reach out five minutes to question the panel. I now recognize myself for five minutes. I'll start with you, Senator King. Yesterday we saw a multinational coalition announce Russian agents were targeting vaccine research through cyberspace. Health care networks are important to our security. While it's not clear whether Russians were seeking to destroy data, the attempts were clearly troubling. How would a National Cyber Director play a role in preventing incidents like this and why did the commission find this construct.
I think the key is to have someone in overall charge. As I mentioned before, we've got responsibility for cyber scattered throughout the federal government, a variety of different agencies, variety of authority funding levels, but there's no central coordinating function. To overseas White House, budgets, forge cooperation through the various agencies that are involved.
I think it was one of the most obvious suggestions of the commission that we talked about. Now, we had quite a bit of discussion about where it should go and how it should be structured, but the conclusion one thought was elevate CISA or a new cabinet office. We rejected that. Number one, it would take a long time. Number two, duplicative of functions already there and wouldn't have the power and authority of the White House. So the model we ended up approaching it as is the U.S. Trade Representative who has the responsibility for trade that cuts across a lot of agencies, Senate-confirmed and has that authority within the Executive Office of the President. The fundamental idea, I was in business before I got into politics, when I was doing contracting I wanted one throat to choke. That's what we're talking about here. One person responsible is held accountable. I feel this is a favor to the president to have somebody in that office that he or she can hold responsible for and will be accountable for all the various complex operations of the federal government with regard to cyber.
Thank you, Senator King, I completely agree and concur with you. Congressman Gallagher, on Wednesday we both testified before Chairwoman Maloney and Oversight Reform Committee. You said something interesting about appropriately balance offensive and defensive cyber. Why is strengthening CISA so fundamental to the report?
Thank you. Well, I think first let me connect it to what Senator King just said. Not only is it important to have a National Cyber Director to do preplanning, coordinate all the efforts of the federal government, but as I alluded to in my opening testimony we have organizations right now doing good work and we really felt the best path forward was to elevate, empower and give them the tools they need to get the job done. Strengthening CISA in that regard is perhaps one of the most important recommendations in our final report.
As Senator King and I point out in the chairman's letter opening the report, it's not just a matter of better enabling CISA to do that defensive mission, not just a matter of giving CISA, for example, the authority to do persistent threat hunting on .gov networks, it's also a matter of making the mission of CISA so appealing that CISA can compete for talent with the likes of Google, Apple, Facebook and win. We know we can't compete when it comes to we can pay some of the most talented cyber warriors out there but we can compete on mission. That's one of the things told us about NSA while he worries about contention, by giving CISA elevating mission, we believe we can solve the human element that is endemic to every cyber issue. At the end of the day when discussions about cyber can get very technical, devolve into jargon, these are fundamentally human. The Twitter hack this week was they fooled a human being into providing administrative credentials that resulted in the attack. Our greatest failures have been human failures. Our greatest success will be human successes. Empowering CISA, giving higher level of authority and longer term is one step towards this human solution to human problems in cyber.
Thank you for that answer. Very insightful and helpful. I appreciate the work that director, the team there, they also needed added resources to be able to grow their inherent cyber workforce inherent capability and supporting that effort. So my time has expired. I now recognize the ranking member of the subcommittee, Mr. Katko, for five minutes.
Thank you very much, Mr. Chairman. Thank you all for really a great conversation. It's wonderful to hear people not sniping from side to side, but all being on the same page about what we need to do in a bipartisan manner. It's truly inspiring. I do want to talk a little more about the leadership issue, because I think it's critically important. It's the central focus upon which all this other stuff can happen.
For 20 years I was federal organized crime prosecutor. Part of that was doing organized crime drug task force cases. We had our quarterback. That was the Office of National Drug Control Policy. He was able to look over all the disparate agencies that had a hand in drug enforcement and be that person the president needs to advise them on all drug-related matters. So I know Senator King, I heard you talk a little about the leadership position, why it's important. I want to drill down a little farther just so people understand why we need it similar to the position. Ms. Spaulding, perhaps you could talk about why a National Cyber Director is important and what are the different agencies that are involved in the cybersecurity. Homeland Security, Department of Defense, there's a lot more. Get an understanding of why we need this coordinated position.
Ranking member, thank you. You're absolutely right. There is really no major agency in the federal government that isn't in some way involved in cybersecurity. Certainly every agency is involved in ensure that it is able to perform its mission-essential functions on behalf of the American public in the wake of cyber threats and cyber risks. So the National Cyber Director is absolutely essential. We cannot help but have this cyber activity distributed across the government. Department of Energy, they are the experts in the financial services sector. Having those agencies be able to bring that sector expertise together with cyber expertise is really important. If you're going to have it distributed at NSA and FBI and DHS and DOE, et cetera, then you need that central coordination function. That's why that National Cyber Director is so important. Again, having been the undersecretary that was the equivalent of the director of CISA, I think that White House support is critically important.
It really should not in any way undermine CISA's coordination role across civilian government with the private sector but stand behind and give the White House to undertake those activities.
Thank you very much. In the interest of time before asking Senator King, because really I understand fully what the issue is, I will note from the leadership position and having consistent leadership at the top of CISA and politicizing positions are important in attracting and maintaining talent. I do want to talk for a second. We have four nuclear power plants in my district, planlg grids in New York. I want to ask you quick about my concerns in that area, some of the most vulnerable areas of our nation's infrastructure and local municipal utility services have limited budgets to support their cyber capabilities. Was there a discussion during the commission's work how to potentially assist state, municipal and water facilities with cyber controls and coordination?
Yes. Thank you. Thank you very much. We actually did look particularly at water utilities. There are 70,000 water utilities across the United States. 3,000 alone in the state of kaley. That's equal to all electric utilities in the country. Many of them are very small. Many of them to cut costs and deal with personnel issues for the last number of years have put on, incorporated technology that frankly isn't safe. Some of the technology in adversarial countries and now in our water system. While you may be able to live in the dark for a day or two without energy, try living without water. We recognize this and have conversations about what can be done to help state, local, tribal, territorial and created, asked for recommendation cybersecurity assistance fund knowing again, state, local, needs best practices, needs assistance. They are not going to be the repository of all cybersecurity best practices. To make us all safe, we absolutely have to from the federal government on down help the smallest among us.
Thank you very much. It's an important issue. I know I'm out of time, so I yield back, Mr. Chairman.
Very good, Mr. Katko. Thank you for your line of questions. I just wanted to yield to the chairman still yield to Chairman Thompson. If not, we'll go to Congressman Cheryl Jackson Lee. I believe Mr. Thompson has stepped away. So Congressman, you are recognized for five minutes.
Thank you very much, Mr. Chairman. I appreciate this very important hearing, and I'm delighted to be here with Commissioner Spaulding and my colleagues, Representative Gallagher and Senator King. I thank them both for their service on this. Particularly I'll join with Gallagher to congratulate you on the birth of a beautiful baby and I might imagine where opportunities are not limited. I am delighted and wish your family the best. This is an important hearing that deals with addressing the question of the recommendations by the Cyberspace Solarium Commission related to how the federal government can be more secure. I'm wearing a mask because I'm in the epicenter here in Houston, Texas, came to my office to be part of this very important hearing but we're fighting against very large numbers of COVID-19. In fact, we're about 75,000 cases here in Houston, my hometown and 717 deaths. Interestingly, cyber is how we will survive, because many people have turned towards cyber and connecting through this system. I wholeheartedly agree with the need for a Cyber National Director, and I support that. I'm also introducing an amendment to protect NDAA to protect the security of emails. I want to thank Congressman Langevin as well as Congressman Gallagher. I want to raise two questions as quickly as I can. Yesterday we were alerted to major hack of U.S. Twitter accounts including those of President Obama, Elon Musk, Bill Gates, Mike Bloomberg and former U.S. President Joe Biden and others.
At that time where misinformation at this time where misinformation poses greatest threat to financial security we need cybersecurity policy that will uphold the truth. The commission made a number of recommendations designed to improve collaboration between CISA and the private sector. So I would appreciate it if I first go to Commissioner Ravich or any that will would provide a similar breach. We've asked for our private sector to ramp up their system. I think the government needs to not deny the First Amendment rights but have a forceful place in this and I'd welcome the comments of our two cochairs Congressman Gallagher and King but I'll start with Commissioner Ravich on that. Let me ask the second question just so it's on the record for answering. That is we are very much dependent, potentially, on the ending of COVID-19 on vaccines. We have just determined over the last couple of days that Russia has been interfering with the cyber research on that team by a number of companies which really mean life or death for many Americans. So Commissioner Ravich, would you answer the first question about the violation of Twitter accounts. Thank you. Yes, thank you. Thank you very much. You know, we absolutely looked at before COVID started and we were all working from home and relying on these devices on these networks to be able to interact with our government, to be able to register to vote, to be able to go to the DMV virtually, our Social Security payments. Now we're realizing many of these networks could be untrustworthy. So a few things that we certainly highlighted in our original report and then in our pandemic annex, things like the internet of things security. Individuals are populace should not have to be cybersecurity experts. It is absurd in this day and age to say that when my mom or neighbor goes to the store and buys a router they have to be cybersecurity experts to know which one will protect them better.
The same way when you see the locked icon on your email, the idea I should automatically know this is a trusted certificate. No, there have to be better safeguards in place from the government itself. So the commission really took kind of two tacks at this. One, what is the responsibility inside the government. How can we push ahead with better cybersecurity recognition of what is secure for individuals that they know what to buy and what not. Also, what are the responsibilities from the private sector. The government can only do its job if it understands attribution better, what is being attacked, what type of industrial control systems are most in the crosshairs of Russia or Iran or China or North Korea, right? So the U.S. government needs better information and data to be able to do intel sharing back to the private sector. These are some of the things that the commission really focused on but it has to be a different type of relationship between the U.S. government and the private sector than really existed before if we're going to be safer. Thank you. If Senator Gallagher and Representative Gallagher could take a moment to comment on Russia. Congresswoman, you're not coming through. Congresswoman Jackson Lee, you're garbled. Senator? Senator King? Senator King is muted. Could you restate the question, Congresswoman? I couldn't hear it. Can you hear me now? I'd be happy to. Senator, it's regarding thank you, Chairman, for indulging. I want you to report on Russia's interference in our vaccine research, COVID-19 as a pandemic in our nation surging in many states as it relates to the work that we're doing here to shore up our cyber system and maybe Representative Gallagher would comment as well. But the Russian interference with vaccine research, how important the report of the Solarium Commission's report is in the work going forward. Can you hear me? Did you hear me? Yes, I can. I did.
First I want to send my warmest thoughts to the people of Houston. I know what you're going through. I've seen it and been following it. It's a very tough time. I know it means a lot to them that you're there with them on this in this terrible time. What the Russians appear to be doing, I think there are a couple of lessons to be learned from this. Number one, there are no boundaries for what our adversaries will do. Number two, the Russians are doing something that the Chinese, in fact, have been doing for many years, which is essentially theft of intellectual property. The estimates are Chinese theft of intellectual property has cost our economy billions of dollars. Clearly this is one of the most important areas we need to shore up our defenses. We attended to this in a number of different ways in the report. The fundamental one of the fundamental issues I mentioned in my opening statement, they have to understand that there's a price to be paid for this. If the Russians or the Chinese or Iranians or whoever it is comes after us and does something like this, we can attribute it to a particular country, there need to be consequences. There need to be results. Otherwise they will keep doing it. Why wouldn't they? That's the kind of strategic area we're talking about. Then also we need to be more defense oriented. It's very interesting that I can't remember 85 of the cyber risk rests upon individuals doing things like clicking on phishing emails. The most basic kind of cyber hygiene would be tremendously important in protecting our companies and our country electric these kind of attacks. I don't know how they got into those vaccine companies, but it wouldn't be surprising at all if it was some kind of phishing expedition that got the tremendous doengeses and password. The government has a lot of things we can do, and they are all in our report, or many of them are in our report. We also need to encourage the citizens to understand the magnitude of this risk.
It may not be that they hit the Pentagon but they are going to try to hit smaller companies and get into the system that way. You raise an important question we have focused on and continue to do so. Thank you so very much. Thank you. Thank you, Senator King, Representative Gallagher, Senator Ravich and Senator Spaulding. I join in congratulating you on the birth of your daughter. This an important time in life and you're stopping that new family moment and joining with us. Each of us is aware of the hostile cyber war. You mentioned that, Dr. Ravich. I think the discussion, Senator King, you just talked about is important as well. But Mike Gallagher said something that is important to this conversation. Our greatest failure will be in human failures. Senator King, you mentioned that, how easy it is for someone to open an email and allow that integration into someone's personal cyber world to be shared and destroyed. Five years the protocol has been established and it has deployed very sporadically but has increased. What I am going to ask both you, Commissioner, and Commissioner Spaulding to address is what barriers exist to that old deployment of DMARC so potential integration can occur and potential protection can occur as well? First of all, I think it is a great point because we obviously would all be more secure if the uptake on up front calls like that were more expansive. It goes back to some of the other things we were looking at on the commission directly which will get to your point. We had looked at things such as final goods assembly liability, right? Kind of as I was saying before why should my mom be a cybersecurity expert? Why should my doctor? They should know the devices they are buying are secure. The same thing when I if you sent me an email I should know it is from you. And right now frankly in not all places are things like trusted certificates actually to be trusted.
So we don't want to be too prescriptive in terms of how the private sector needs to start to layer on much greater security in IoT for instance and devices, hardware, and software. So we recommend a number of different ways to skin that cat. It is true. We are living in a time where if we don't make these types of devices, hardware, software more secure, we will all be more at risk. Congresswoman, I couldn't agree more. Thank you for your leadership on this important issue. You're absolutely right that email is one of the most troubling vectors and most frequent and common vectors for malicious cyber activity to get into networks and systems. And DMARC is one of the protocols that has proven to be most effective really at stopping this kind of activities. Critically important. We asked why isn't it that just uniformly adopted across the board. You are correct it is gaining ground and the adoption is moving forward but leaders, CEOs, boards of advisers, secretaries of departments and agencies, leaders across the board need to support their chief information security officers when they make these recommendations. It is those leaders that decide about resource allocation and that becomes very important. To do that, it is helpful to show a return on investment and that requires information and it is one reason the commission has a recommendation to require key companies to report more information about malicious cyber activity so that we can begin to build the kind of repository of data that allows us to tell those decision makers who are allocating resources the cost of not implementing something as basic as DMARC. I think the cost issue is important. I just have seconds left but I am perplexed by only 80 of federal agencies reported to be implementing DMARC. Are there specific obstacles we in Congress should address to see that all federal agencies? I suspect the 80 covers most if not all of the major departments and agencies of the government.
Lots of very tiny, the Denali Commission, etcetera, that just need a lot of hand holding to make these technical changes. I applaud you for keep pushing their feet to the fire and keep pushing this. It is really important. Thank the gentleman. Before I turn to Ms. Rice I need to step away from the chair for a few minutes. There is a meeting with our governor I need to virtual that I need to jump on to. It is COVID related and related to our small business community. I will be stepping away as briefly as possible and Ms. Underwood will take the gavel, the hearing going forward and in the unlikely event I cannot be back and forth I do want to thank the panelists today for their testimony and leadership on cyber. With that Ms. Rice is recognized now for five minutes. Thank you so much. I want to thank my two colleagues and our private sector witnesses here today. Members of this commission. If we do not implement every single recommendation in this report, shame on us as a government. I mean, it is just such common sense stuff and with everything that is going on right now in the world we see, in this report, why it's so important to implement every single recommendation. Congressman Gallagher I want to go to you first because it seems to me that there is a constant issue that comes up between the public and private partnership. Why is it, you know that it is hard for us to get that right? Do you think it's possible for us to continue incentive based public private partnerships as part of a cyber defense program or is it going to come to Congress having to more strongly consider imposing mandates? I think the other commissioners would agree the approach we've largely taken in this report was to try and incentivize the private sector to work more closely with the federal government or as we say in the chairman's letter trying and incentivize the private sector to take cybersecurity seriously.
There are areas however where we are imposing further requirements no doubt the private sector, some may view as onerous but I do think connected to the earlier series of questions on the Russian hack and things like that, I think culturally what we're trying to do here is shift the culture and intelligence community and this is my verbiage not contained in the final report from a culture of need to know to more toward need to share. It is not just that we need the private sector to step up and do more for their own security but we also want our cybersecurity professionals and federal government to be in a posture where they're constantly sharing something with the private sector so they are seen as a valued partner with the private sector and the private sector doesn't view them suspiciously. Toward that end we recommend creating a common environment for sharing threat information and other relevant data across the federal government and then between the public and private sectors a recommendation to strengthen public private is for closer collaboration between the public and private sector and finally a recommendation about establishing a joint cyber planning office to coordinate cybersecurity planning and readiness across the federal government and between the public and private sector. So I guess in sum I still maintain hope that we can pursue an incentive based approach. But you are right to suggest that I think everything hinges on the level of trust between the public and private sector. We are not the Chinese Communist Party. We can't just dictate outcomes for the private sector nor should we want to, right? We want to maintain the free and open balance in America. It is a delicate balance but one we hope we've struck well in the commission's final report. Yes, so it sounds like a little bit of territorialism, too, which is one of the things we learned about in a post-9/11 world. To see that rearing its head is not a good thing.
I just want to be very mindful of my time and all of our witnesses' time. I have to give a shout out to Chris Krebs because I think he is doing such a great job especially in the area of election security, really reaching out to individual states to help them secure their election infrastructure but I'd like to ask both of you in light of the threats associated with the upcoming election do you think the federal government is doing enough to defend elections from foreign interference? So I'm happy to start on that. I think not yet, no. I agree with you. I think Chris Krebs and the men and women at CISA are doing a terrific job and working very hard with state and local election officials who I think are also taking this very seriously. But in the commission report we have a number of recommendations that we really hope Congress should will act on and will act very quickly. One of those is obviously the reforming of online political advertising. To prevent foreign interference in that regard. The other is providing the wherewithal, the support to our state and local officials so that they can do the things that need to be done to put secure systems in place but also to put paper based audit capabilities in place so we can reassure the public about the legitimacy of the process when it is challenged. So let me jump in. That is very thoughtful as always, what Suzanne had said. You know, our commission report as the two cochairmen said has three parts of layer defense. When you look at elections each part of that layer defense has to be deployed, right? So shaping international behavior. It's not only us that is being attacked in our election. It is all free and democratic nations. So the friends and allies, those who believe in democracy and free enterprise, so that together we can share lessons learned and bolster our systems.
The second resilience Suzanne spoke about as always brilliantly the election commission needs senior cyber expertise because this is not one and done. It is not like we're going to protect our systems and then that's it we don't ever have to protect them again. It is going to be consistent and constant. The third part of layer defense is imposed costs. Right? And so the adversaries that try to undermine what makes us a great nation, you know, have to actually really understand there will be costs imposed upon them for this. So the three parts of layer defense you can see when you look at the question of elections, how they all must relate to one another to make us more secure. Thank you so much. If we can protect our can't protect our elections that will doom our democracy I think quicker than anything else so thank you all so much for being here today and I yield back. Thank you. I now recognize myself for five minutes. I'd like to start by thanking Chairman Thompson for calling today's hearing and the chairman for his dedicated work to strengthen America's cybersecurity both as a commissioner and valuable member of this committee. Cybersecurity advocates have been sounding the alarm for years about America's vulnerability to cyber attacks. As a representative from Illinois, a state that experienced a major cyber attack in our election system in 2016 I am well aware that such attacks pose a threat at all levels of government and so a whole of government response is required. In the last few months the COVID-19 pandemic has exposed this vulnerability like never before as Americans have struggled to telework securely, overworked hospitals have suffered ransomware attacks. Cyber attacks targeted vaccine developers, and more. I am pleased the commission built on the recommendations in the March report by publishing a white paper in May on cybersecurity lessons from the pandemic.
In this white paper the commission found malign foreign operations are undermining public health, quote, the resulting confusion is threatening to become a literal matter of life and death. Ms. Spaulding can you elaborate on how disinformation impacts our cybersecurity, public health or other areas of national security even to the point of life and death? Absolutely, Congresswoman. Thank you for that really important question. We have seen our adversaries take advantage of this situation and putting out disinformation around COVID that confuses the public. It may not be that they are able to convince the public necessarily of the narrative that they are pushing, but they create confusion, which is deadly enough. If the public gives up as I say on their ability to figure out what is fact, when at a time when giving the American public facts about what they should be doing to protect themselves, their families, their communities, and our nation, that is extremely destructive. When we see the COVID coming together with our elections, as election officials are making decisions about how to adjust whether to adjust elections in light of the pandemic, and then those are winding up in courts and we've seen disinformation around all three of those COVID, elections, and the courts and that is a really dangerous combination that threatens the peaceful transition of power. Thank you. I agree with the commission's assessment of the severe and even deadly security threat posed by disinformation, which is why in the last month I introduced the Protecting Against Public Safety Disinformation Act. This bill would direct the Department of Homeland Security to assess malign foreign disinformation operations that threaten public safety and share their findings with state and local authorities like public health departments, emergency managers, and first responders.
The commission's recommendations repeatedly highlight the role of state and local officials in hardening our cybersecurity posture. Ms. Spaulding why is it so important for state and local officials to be involved in our national response to disinformation and other cybersecurity threats? So we've gotten used to the state and local officials on the front lines of responding to disasters in the real world. And we have to understand as you say that they are also often on the front lines of responding to disinformation that causes confusion in their communities. We know that local sources of information are often more trusted than national sources and we also know that they are being targeted both with ransomware, with traditional cyber activity, but the traditional activity can also be designed to undermine public confidence so part of an information operation and they need to be supported in combatting that. Thank you. As you may know the personal information of 76,000 Illinois voters was accessed by Russian operatives in 2016. Since then our state and local officials have been working hard to improve election systems and infrastructure but due to limited resources some have faced challenges in upgrading legacy machines and hiring additional cybersecurity personnel. Now when state budgets across the country have been devastated by this pandemic federal support is more urgently needed than ever. Over two months ago the House passed a bill, the HEROES Act, which would provide 3.6 billion for election security grants in the states. Unfortunately, the Senate has yet to act on this bill. We know that election security grants like those in the HEROES Act would equip these state and local officials with the resources they desperately need in order to secure our elections and national security ahead of the election in November. With that I yield back. I have to step away and so Ms. Rice will now chair the hearing. Thank you. Thank you so much.
It looks like we have come to the end of the questioning so I would love to thank all of our witnesses for your valuable testimony today and the members for their questions. This is a report that every single member of Congress needs to digest and immediately get onboard doing something about in implementing as many of these recommendations as we can. The members of the subcommittee may have additional questions for the witnesses and we ask that you respond expeditiously in writing to those questions. Without objection the committee record shall be kept open for ten days. Hearing no further business other than to congratulate Mike Gallagher once again on lovely baby Grace the subcommittee stands adjourned. Thank you all
