
Mr. LaHood: We'll come to order. Without objection, the chair is authorized to declare a recess of the committee at any time. Good morning and welcome to today's hearing entitled Bolstering Cybersecurity. I recognize myself for five minutes for an opening statement. I want to welcome the witnesses here today and welcome Chairman Smith, Oversight Subcommittee Research and Technology Ranking Member Lipinski, our expert witnesses and members of the audience. Cybersecurity, a concept we hear mentioned frequently, especially in this period of rapidly emerging threats, is an ever-evolving concept. Maintaining an effective cybersecurity posture requires constant vigilance as new threats emerge and old ones return. Too often, however, when we hear about the importance of cybersecurity, we are left without concrete steps to take to ensure our systems are best positioned to defend against emerging threats. One of the goals of today's hearing is to learn about the WannaCry ransom attack, a new type of ransomware infection which infected over one million unique systems last month in a worldwide attack that impacted nearly every country in the world.
Although the concept of ransomware is not new, the type of ransomware employed by WannaCry was novel. WannaCry worked by encrypting documents on a computer, instructing victims to pay 300 in bitcoin in order to regain access to their documents. Unlike typical forms of ransomware, however, WannaCry signaled the ushering in of a new type of worming ransomware, which caused the attack to spread faster and more rapidly with each new move. In light of the novelty built into WannaCry's method of attack, cybersecurity experts, including those we'll hear from today, have expressed significant concerns that WannaCry is only a preview of a more sophisticated ransomware infection that many believe will inevitably be launched by hackers in the near future. Beginning May 12, 2017, the WannaCry ransomware infection moved rapidly across Asia and Europe, eventually hitting the United States. The attack infected 7,000 computers in the first hour, 110,000 distinct IP addresses in two days, and in almost 100 countries including the U.K., Russia, China, Ukraine and India. Experts now believe WannaCry affected approximately one million to two million unique systems worldwide prior to activating the kill switch. In Illinois, my home state, Cook County's IT systems were compromised by WannaCry, reportedly one of the few local governments subject to the attack. Although Cook County has worked to appropriately patch their systems, it is important that we ensure that all vulnerabilities are appropriately remedied in the event of a more sophisticated attack. Fortunately, the hackers responsible for WannaCry mistakenly included a kill switch, which was uncovered by an employee of Kryptos Logic and used to terminate the attack. The Kryptos Logic employee registered the domain linked to the attack. The kill switch prevented 10 to 15 million unique system infections and reinfections.
Although, based on information available thus far, federal government systems were fortunately spared by WannaCry, we want to ensure that the government is sufficiently prepared in the likely event of a more sophisticated attack. Additionally, the committee wants to hear what Congress can do to appropriately address this climate of new and emerging cybersecurity threats. Through the lens of the aftermath of WannaCry, today's witnesses will help shed light on key steps the government should take to ensure its systems are protected. We will also hear today about how public-private partnerships are an instrumental tool to help bolster the government's cybersecurity posture. Finally, we'll learn about how the President's recent cybersecurity order, which makes the NIST Cybersecurity Framework mandatory on the executive branch, is a significant step in ensuring the cybersecurity posture includes the most up-to-date measures to defend against threats. It is my hope that we will highlight areas where improvement is necessary while offering recommendations as to how to ensure the federal government is prepared to respond to emerging cybersecurity threats. I look forward to hearing from our distinguished witnesses. I now recognize the Ranking Member of the Oversight Subcommittee, Mr. Beyer, for an opening statement.

Mr. Beyer: Thank you very much, Mr. Chairman. I'd just like to thank you and Chairman Comstock for holding this hearing. Cybersecurity should be a chief concern for every government, business and private citizen. Systems were breached by state-sponsored hackers, compromising the personal information of millions of Americans. That same year, hackers released the personal information of Sony Pictures executives, embarrassing emails between Sony executives and employees and even copies of then-unreleased Sony movies. In 2015 they took over the power grid in Ukraine. The cybersecurity breach that was the genesis of this hearing was the WannaCry outbreak.
It infected 300,000 computers worldwide and could have been much worse. I want to thank CEO Neino for being wise enough to find an employee to find the kill switch, unless you did it yourself. We're lucky it was found quickly, and we're fortunate that federal systems were resistant to WannaCry. We know we may not be as lucky next time. In preparing for this, I learned that I need to upload our security upgrades every time I get a chance on our personal computers and smartphones. The May 11 executive order on strengthening the cybersecurity of federal networks seeks to build on the Obama administration's successes in the cybersecurity arena, and I'm happy that the Trump administration, I don't agree with them on every topic, but that they've taken the next good step. The executive action recommends a host of actions and a myriad of reports. My concern is that the understaffed agencies will have significant difficulty meeting the dictates of the executive order. Frankly, I'm also concerned that the proposed budget cuts in the original Trump-Mulvaney budget across all agencies will make the task a lot harder to strengthen the security of federal information systems. We've got to make sure the froth has the resources and staffing to meet the need in this vital area. The executive order also calls for agencies to begin using the NIST framework for cybersecurity efforts, and I'm glad we have NIST with us here today; they play an important role in setting cybersecurity standards that can help thwart and impede cybersecurity attacks. NIST is world-renowned for its expertise in standards development, and we'll be well served to use their framework. On a precautionary note, I believe some efforts to expand beyond the current mission are well intentioned but perhaps misplaced. We recently had a debate on H.R. 1224, the NIST Cybersecurity Framework and Auditing Act of 2017, which gives NIST audit authority. Currently, this is the responsibility of the Inspector General for each agency.
They have the statutory authority, the experience and expertise, and respond directly to Congress. NIST has no such experience or expertise, and I at least remain concerned about this proposal. I'd be interested in any of the expert witnesses' thoughts on NIST's role in cybersecurity and auditing. I look forward to hearing from you all today. I look forward to hearing from the former federal CISO. Bloomberg reported this week that the Russian meddling in our electoral system was far worse than previously reported. According to the report, hackers attempted to delete or alter voter data, alter software designed to be used by poll workers and in at least one instance access a campaign finance database. This didn't need to change individual votes to change the election, and we should take these sorts of attacks seriously. Vice President Cheney called it a war on our democracy. Mr. Chairman, this committee held more than a half dozen hearings on cybersecurity issues, including one on protecting the 2016 elections from cyber and voting machine attacks. Given what we know about the hacking and meddling in 2016, I hope this hearing will be a precursor for more hearings on how to better protect our voting systems. I yield back.

Mr. LaHood: Thank you for your opening statement. I recognize Mr. Abraham for an opening statement.

Mr. Abraham: Over the last few years, we have seen an alarming increase in the number and intensity of cyberattacks. It's compromised the personal information of millions of Americans, jeopardized thousands of businesses and threatened interruption of critical public services. The recent WannaCry ransomware attack demonstrates that cyberattacks are continuing to go from bad to worse. The most recent large-scale cyberattack affected more than one million to two million systems in more than 190 countries. Nevertheless, it appears the impact could have been much more catastrophic, considering how fast that ransomware spread.
While organizations and individuals within the United States were largely unscathed, due in part to a security researcher identifying a web-based, quote, kill switch, the potential destruction of WannaCry warns us to expect similar attacks in the future. Before those attacks happen, we need to make sure our information systems are very ready. In a Research and Technology Subcommittee hearing earlier this year, a representative of the GAO testified, and I quote, over the past several years, GAO made about 00,000 recommendations to federal agencies to enhance the information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented. Unquote. It is clear that the status quo in federal government cybersecurity is a virtual invitation for more cyberattacks. We must take strong steps in order to properly secure our systems and databases before another cyberattack like WannaCry happens and puts our government up for ransom. On March 1, 2017, this committee approved H.R. 1224, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, a bill I introduced as part of my ongoing interest over the state of our nation's cybersecurity. This bill takes concrete steps to help strengthen federal government cybersecurity. The most important steps are encouraging federal agencies to adopt the National Institute of Standards and Technology, NIST, Cybersecurity Framework, which is used by many private businesses, and directing NIST to initiate cybersecurity audits of priority federal agencies to determine the extent to which each agency is meeting the information security standards developed by the institute.
NIST in-house experts developed government-wide technical standards and guidelines under the Federal Information Security Modernization Act of 2014, and NIST experts also developed, through collaboration between government and the private sector, the Framework for Improving Critical Infrastructure Cybersecurity that federal agencies are now required to use pursuant to the President's recent cybersecurity executive order. I was very pleased to read that language. Considering the growing attempts to infiltrate information systems, there's an urgent need to assure Americans that all federal agencies are doing everything they can to protect government networks and sensitive data. The status quo simply is not working. We can't put up with more bureaucratic excuses and delays. NIST cyber expertise is a singular asset. We should take full advantage of that asset, starting with the very important step of annual NIST cyber audits of high-priority federal agencies. As cyberattacks and cyber criminals continue to evolve and become more sophisticated, our government's cyber defenses must also adapt in order to protect vital public services and shield hundreds of millions of Americans' confidential information. We will hear from our witnesses today about lessons learned from the WannaCry attack and how the government can bolster the security of its systems. We must keep in mind that the next cyberattack is just around the corner and it can have a far greater impact than what we have thus far seen. Our government systems need to be better protected, and that starts with more accountability, responsibility, and transparency by federal agencies. Thank you, and I look forward to hearing from our panel. I yield back.

Mr. LaHood: Thank you, Mr. Abraham. I now recognize the Ranking Member of the Research and Technology Subcommittee, Mr. Lipinski, for an opening statement.

Mr. Lipinski: Thank you, Mr.
LaHood, and thank you for this hearing on the WannaCry ransom attack last month. The good news is U.S. government information systems were not negatively impacted by the WannaCry attack. This was a clear victory for cyber defenses. However, I believe there are lessons to be learned from successes as well as failures. A combination of factors likely contributed to the success, including getting rid of most of our outdated Windows operating systems, diligently installing security patches, securing critical IT assets and maintaining robust network perimeter defenses. As we know, Microsoft sent out a security patch in March, two months before the WannaCry attack. These and other factors played a role in minimizing damage to U.S. businesses as well. However, WannaCry serves as yet another reminder that we must never be complacent in our cybersecurity defenses. The threats are ever-evolving, and our policies must be robust yet flexible enough to allow our defenses to evolve accordingly. The Federal Information Security Modernization Act laid out key responsibilities for security of civilian information systems. Under FISMA, DHS and OMB have central roles in development and implementation of policies as well as in incident tracking and response. NIST develops and updates security standards and guidelines, both informing and responsive to policies established by OMB. Each agency is responsible for its own compliance, and each Inspector General is required to audit its compliance with FISMA on an annual basis. We must continue to support efforts to be compliant with FISMA while conducting careful oversight. In 2014, NIST released a Cybersecurity Framework for critical infrastructure, which is currently being updated to framework version 1.1. While it's still too early to evaluate the impact, it appears it's being widely used across industry sectors. They recently reported out H.R.
105, which I was pleased to cosponsor, that would ensure the Cybersecurity Framework is easily used by its users. I hope we get it to the President's desk quickly. In the meantime, the President's cybersecurity order directs federal agencies to use the framework to manage their own risk. As we have heard in prior hearings, many experts have called for this step, and I applaud the administration for moving ahead. I join Mr. Beyer in urging the administration to fill the many vacant positions across the agencies that would be responsible for implementing the framework as well as shepherding the many reports required. Finally, I take this opportunity to express my disappointment in the administration's budget proposal for NIST. The top-line budget cut of 25 was so severe that if it were implemented, NIST would have no choice but to reduce its cybersecurity efforts. This represents the epitome of penny-wise, pound-foolish decision making. NIST is among the best of the best when it comes to cybersecurity standards, and they help secure information systems not just of our federal government but our entire economy. I trust that my colleagues will join me in ensuring NIST receives robust funding and doesn't suffer the drastic cut requested by the President. Thank you to the expert witnesses for being here this morning, and I look forward to your testimony. I yield back.

Mr. LaHood: Thank you, Mr. Lipinski. At this time I recognize the chairman of the full committee, Mr. Smith.

Mr. Smith: Thank you, Mr. Chairman. I appreciate you holding this hearing. In the wake of last month's WannaCry ransomware attack, today's hearing is a necessary part of an important conversation the federal government must have as we look for ways to improve our federal cybersecurity posture. While WannaCry failed to compromise government systems, it's almost certain the outcome was due in part to a measure of chance.
Rather than seeing this outcome as a sign of bulletproof cybersecurity defenses, we must instead increase our vigilance to better identify constantly evolving cybersecurity threats. This is particularly true since many cyber experts predict that we will experience an attack similar to WannaCry that's more sophisticated in nature, carrying with it an even greater possibility of widespread disruption across government agencies. I am proud of the work the committee has done to improve the federal government's cybersecurity posture. During the last Congress the committee conducted investigations into the Federal Deposit Insurance Corporation, the Internal Revenue Service and the Office of Personnel Management, as well as passed key legislation aimed at providing the government with tools it needs to strengthen its cybersecurity posture. President Trump understands the importance of bolstering our cybersecurity. He signed a recent executive order on cybersecurity which is a vital step toward ensuring the federal government is positioned to detect, deter and defend against emerging threats. Included in the President's executive order is a provision mandating that executive branch departments and agencies implement the NIST Cybersecurity Framework. While continuously updating its Cybersecurity Framework, NIST takes into account innovative cybersecurity measures from its private sector partners. NIST's collaborative efforts help ensure that those entities that follow the framework are aware of the most pertinent, effective and cutting-edge cybersecurity measures. I believe the President's decision to make the NIST framework mandatory for the federal government will serve to strengthen the government's ability to defend its systems against advanced cyber threats like the recent WannaCry ransomware attack.
Similarly, the committee's NIST Cybersecurity Framework and Assessment of 2017, sponsored by Representative Abraham, draws on findings from the committee's numerous hearings and investigations relating to cybersecurity which underscore the immediate need for a rigorous approach to protecting U.S. cybersecurity infrastructure and capability. Like the President's recent order, this legislation promotes federal use of the NIST Cybersecurity Framework by providing guidance that agencies may use to incorporate the framework into risk mitigation efforts. Additionally, the bill directs NIST to establish a working group with the responsibility of developing key metrics to use. I hope our discussions here today will highlight distinct areas where cybersecurity improvement is necessary while offering recommendations to ensure cybersecurity objectives stay at the forefront of our national security policy discussions. And with that, I yield back, Mr. Chairman.

Mr. LaHood: Thank you, Chairman Smith. At this time let me introduce our witnesses here today. Our first witness is Mr. Salim Neino, founder and chief executive officer of Kryptos Logic. He's credited with discovering new solutions for companies like IBM, Dell and Avaya. He received a bachelor's degree in science from the University of California, Long Beach. Kryptos is credited with largely stopping the WannaCry attack. We'll hear more about that during his testimony today. Our second witness today is Dr. Charles Romine, director of the Technology Laboratory at NIST. He received a master's degree in mathematics and a Ph.D. in applied mathematics from the University of Virginia. Our third witness, Mr. Touhill, is a retired Brigadier General in the United States Air Force. He's an adjunct professor of cybersecurity at Carnegie Mellon University. Previously he was chosen by President Obama to serve as the nation's chief information security officer.
He received his bachelor's degree from Penn State University and a master's degree in systems management and information systems from the University of Southern California, and our final witness today is Dr. Hugh Thompson, chief technology officer for Symantec. He also serves as an advisory board member for the Anti-Malware Testing Standards Organization and on the editorial board of IEEE Security and Privacy magazine. He received his bachelor's degree and master's degree and Ph.D. in applied mathematics from the Florida Institute of Technology. We're glad you're all here today and look forward to your valuable testimony. I now recognize Dr. Neino for five minutes to present his testimony.

Mr. Neino: Thank you, Chairman LaHood. Thank you for the opportunity to appear before you today at this joint subcommittee hearing. We greatly appreciate your interest in cybersecurity and look forward to sharing our thoughts and perspectives with you and members. A threat was identified. The intent of the threat was unclear; it was immediately evident that its approach was unusually reckless. This threat has now popularly become known as WannaCry. It was at this time that our director of threat intelligence for our breach monitoring platform notified me of our team's active monitoring of the developing situation. On this date at approximately 10:00 a.m. Eastern time, while investigating the code of WannaCry, we identified what had looked like an anti-detection mechanism which tested for a certain domain name. Our team registered this domain name and directed it to one of our sinkholes. We noticed that the propagation of the attack came to a standstill because of what we refer to as a kill switch being activated by our domain registration efforts. While our efforts stopped the attack and prevented WannaCry from deploying the ransom component, we knew it had propagated freely for many hours at minimum.
Based on our estimates, we believe that anywhere between one and two million systems may have been infected in the hours prior to activating the kill switch, contrary to widely reported and more conservative estimates of 200,000 systems. We have mitigated over 60 million infection attempts. Approximately seven million of those are in the United States, and we estimate that these could have impacted at minimum 10 million to 15 million unique systems. I will note that the largest attack we thwarted and measured to date from WannaCry was not on May 12 or May 13 when the attack started but began suddenly on June 8 and 9 on a well-funded hospital on the east coast of the United States. It is very likely the health system is still unaware of the event. We measured approximately 275,000 thwarted infection attempts within a two-day period. Another hospital was also hit on May 30, in another part of the country. A high school in the Midwest was hit at the beginning of June 9. Presumably every system at this location would have had its data held hostage if not for the kill switch. Moreover, we have been under attack by those attempting to knock us offline, thus propagating the attack. Many of these came from a well-known botnet which took down parts of the United Kingdom and the east coast. Despite these attempts, our systems remain resilient. We believe the success of WannaCry illustrates two key facts about our nation's systems. Vulnerabilities exist at virtually every level of computer infrastructure, ranging from operating systems to browsers, from media players to internet routers. Exploiting and weaponizing such vulnerabilities has a surprisingly low entry barrier. Anyone can join in, including rogue teenagers, nation states, and anyone in between. So how do we adapt, overcome and mitigate the threats and weaknesses? While many cybersecurity experts who have come before me offer the usual gloomy "there are no silver bullets,"
I have had the opportunity to see both sides. Our attack responses must be more agile and with higher velocity and intensity. While the nation has considerable risks, the actual resources for cyber defense are scarce, and there simply is not presently an adequate level of highly skilled, highly experienced and highly available operators in the cybersecurity field. While there's no shortage of good ideas which claim to be able to solve the problem, every subsequent idea needs development and support and testing, maintenance, etc., all of which we characterize as developer debt. Many of these take too long to procure and end up being outdated and essentially useless before the ink is dry on the paper it's written on. I am hopeful that there is a path forward. Mitigations are effective and have increased the cost of attacking systems. Other mitigations include various design approaches, including data systems and transmissions, such that they measurably raise the bar for critical software like internet browsers, web servers and every protocol which is fundamental to business continuity. Investing in technology doesn't necessarily guarantee any actual improvement. In fact, one could argue that introducing more intel technology exacerbates the maintenance and creates immediate monetary loss because there are few metrics to measure the effectiveness of any particular technology. This is because we are typically years behind the attacks in terms of the sword and shield battle. As these resources ebb and flow, knowledge gaps are also created. We must be less risk averse in terms of the defensive operations we undertake, more open to failure and ready to adapt and learn from failure. We need a stronger focus on threat modeling and fire drill simulation that will focus on the events of magnitude which will cause significant damage.
A significant response with the WannaCry incident was there was no real clear course of action well communicated. The media focused on points contrary to the defense, whodunit, and this could have resulted in a complete breakdown of processes had this been an unpatched zero-day vulnerability and there was no luxury of a kill switch. The largest success, though incomplete, was the ability for the FBI and NCSC of the United Kingdom to disseminate the information we provided so affected organizations could respond. Information sharing can be valuable, but our framework could be vastly improved by triaging cybersecurity threats in a clear and repeatable scale, not too dissimilar to the Richter scale which measures the energy released in an earthquake. Likewise, a scale that takes technical and social factors into account to evaluate a threat allows first responders, us, to focus on the most important areas of risk. While there do exist various scoring systems for evaluating the purely technical element, they fall short in terms of clear information. We focus too much on vulnerabilities with names like MS17-010. None of these impact the wider environment. We need an easier-to-grasp method to prioritize threats that have large-scale destructive potential. To this end, once we determine a method to evaluate the risk, we can apply the appropriate mitigation. In conclusion, one of the largest issues is the transitory nature of the crisis. We think this can be explained by the fact that organizations are too slow to adapt. There's a vast human resource shortage and little by way of metrics to demonstrate return on investment in defensive technologies. Again, I thank the subcommittee for inviting me here today to discuss our involvement and the lessons learned from WannaCry, and I welcome the opportunity to answer any questions you may have when they're fielded.

Mr. LaHood: Thank you, Mr. Neino. I now recognize Dr. Romine for his opening statement.
Dr. Romine: Chairman LaHood, Ranking Member Smith and others, thank you for the opportunity to appear before you today to discuss NIST's key roles in cybersecurity and how they relate to recent incidents. In the area of cybersecurity we have worked with federal agencies, industry and academia since 1972, starting with the development of the Data Encryption Standard. NIST's role to deploy standards to protect the federal government's information systems against threats to the confidentiality, integrity and availability of information and services was recently reaffirmed in the Federal Information Security Modernization Act of 2014. NIST provides ways to recover from these attacks by ensuring that the recovered system is trustworthy and capable. NIST's Guide for Cybersecurity Event Recovery provides guidance to help recover from a cyber event and integrate the processes and procedures into the enterprise risk management plan. The guide discusses hypothetical cyberattack scenarios, including one focused on ransomware and steps taken to recover from the attack. Three years ago, NIST issued the framework. Created through tight collaboration between industry and government, it promotes guidelines and practices. The framework prompts decisions affecting infection by the ransomware, propagation of the ransomware and recovery from it. While the framework does not prescribe a baseline of cybersecurity, for example a baseline that would have prevented WannaCry, it does prompt a sequence of interrelated cybersecurity risk management decisions which should help prevent virus infection and propagation and support expeditious response and recovery activities. On May 11, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks, that mandated federal agencies to use the framework.
Under the executive order, every federal agency or department will need to manage their cybersecurity risk by using the framework and provide a risk management report to the director of the Office of Management and Budget and to the Secretary of Homeland Security. On May 12, NIST released a draft interagency report, the Cybersecurity Framework Implementation Guidance for Federal Agencies, which provides guidance on how the framework can be used in the United States federal government in conjunction with the current and planned suite of NIST security and privacy risk management guidelines and practices developed in response to the Federal Information Security Management Act as amended, or FISMA. Another NIST resource that can assist in protecting against similar future attacks is the most recent release of the NIST National Software Reference Library, or NSRL. It provides a collection of software from various sources and unique file profiles, most often used by law enforcement, government and industry organizations to review files on a computer by matching the profiles in the system. NIST retains a database of all known vulnerabilities, such as the one exploited by the WannaCry malware. The list is an authoritative source of security vulnerabilities that NIST updates dozens of times daily. NIST analyzes and provides a common severity metric to each identified vulnerability. We recently initiated a project at our National Center of Excellence focused on recovering from cyberattacks. Organizations will be able to use the results of the research to recover trusted backups, roll back data to a known good state, alert administrators when there's a change to a critical system, and restore services quickly after a WannaCry-like cyberattack. NIST is extremely proud of its role in establishing and improving the comprehensive cybersecurity technical solutions, standards and plans to address cyber threats in general and ransomware in particular.
Thank you for the opportunity to testify today on NIST's work in cybersecurity and in preventing ransomware attacks. I'd be happy to answer any questions you may have.

Mr. LaHood: Thank you, Dr. Romine. I now recognize Dr. Touhill.

Good morning, Chairman LaHood, Ranking Member Beyer, members of the committee. Thank you for the opportunity to appear today to discuss cyber risk management. I'm retired Air Force Brigadier General Greg Touhill. I serve on the faculty of Heinz College, where I instruct on cybersecurity and risk management. Prior to my current appointment I served as the United States chief information security officer, and before that in the United States Department of Homeland Security, where I served as Deputy Assistant Secretary for Cybersecurity and Communications. During that period I also served as director of the National Cybersecurity and Communications Integration Center, commonly referred to by its acronym, NCCIC. During my Air Force career I served as one of the Air Force's first cyberspace operations officers, and I currently maintain both the Certified Information Systems Security Professional and Certified Information Security Manager certifications. Many people mistakenly view this as solely a technology concern. Cybersecurity is a multidisciplinary management issue and an essential part of an enterprise risk management program. I recognize we have a very full agenda of topics today and I'm sensitive to your time. I have submitted for the record a written statement, and in that I discuss the recent WannaCry attack and assess how it may impact the public and private sectors. I view WannaCry as a slow-pitch softball, while the next one may be a high and fast fastball. I also discuss the public-private partnership. And I urge the Congress to continue its great efforts to strengthen our enterprise risk posture. I urge you to authorize and empower the federal chief information security officer position, which currently is not authorized as a specified position.
I also suggest that instead of calling it the NIST Cybersecurity Framework, and I'm a huge fan of this framework, we call it the National Cybersecurity Framework, to reinforce the fact that it applies to everyone. Further, NIST did a brilliant job in crowdsourcing this framework, but it was really people from around the country that brought to the table best practices. NIST was a great trail boss for this, but it is really a national cybersecurity framework. Finally, in regards to the proposed H.R. 1224 legislation, I congratulate the committee and the members of the Congress for taking the initiative to really reinforce the need to implement the framework across the federal government. I do suggest, based upon my experience in both the military and the government sectors of the federal government, that we do two things with that act. One is we amend that act to make it apply to national security systems as well. Having served extensively in the military and in the federal government, I believe that the national cybersecurity framework applies equally to national security systems, and I recommend you make that amendment. Further, I concur with my colleagues who suggest that we leverage the inspector general and auditing communities that are currently in the different departments and agencies and reinforce their need to conduct appropriate audits using that cybersecurity framework. Again, I thank you for inviting me to discuss cyber risk management with you today, and I look forward to answering any questions you may have.

Mr. LaHood: Thank you. I now recognize Dr. Thompson to present his testimony.

Good morning. Thanks for having me, Chairman LaHood, Vice Chairman Abraham, Ranking Member Lipinski. I'm grateful to talk about a critical subject. Understanding the environment is essential to crafting good, effective defenses. Ransomware attacks are one of the latest manifestations of the kinds of disruptive attacks that we are now facing.
The timeline of WannaCry has been covered by the other folks on this panel, but I did want to share a graphical timeline that you can see on the monitor. Apologies for the small print. What's interesting, and where I would like to add some color, is that Symantec is the world's largest security company, with technology protecting over 90% of the Fortune 500 and being used extensively by government agencies around the world. In addition, we protect tens of millions of home users through our Norton products. It represents the largest civilian threat intelligence network in the world. WannaCry was unique and dangerous because of how quickly it could spread. It was the first ransomware-as-a-worm that had such a rapid global impact. Once on a system, it propagated autonomously by exploiting a Microsoft vulnerability and installs the ransomware package. It finds and encrypts a range of files and displays a ransom note demanding payment in bitcoin. Symantec worked closely with the government. We connected workers with our experts, provided analysis and received the same back. DHS during the outbreak coordinated operational activities. From our perspective, this was one of the most successful public-private collaborations that we've been involved in. Our analysis of WannaCry reveals that some of the infrastructure and tools have strong links to a group called Lazarus, which the FBI has connected with North Korea. Lazarus was linked to the destructive attacks against Sony Pictures in 2014 and also the theft of approximately $81 million from the Bangladesh central bank last year. The links we saw between WannaCry and Lazarus include shared code and the use of similar IP addresses and similar techniques. As a result, it is highly likely that the Lazarus Group was behind this spread of WannaCry. The landscape continues to evolve quickly. We're seeing attacks not just in technology but in the social engineering approaches that these attacks use. We're also seeing more attacks leveraged against IoT devices, such as the massive weaponization of IoT devices by Mirai, which led to significant disruption of major cloud services. The explosive growth of attacks like Mirai and WannaCry shows the need for preparation and integrated, layered defenses. Response and recovery planning and tools are an essential part of cyber risk management, because even good defenses won't stop many attacks; we have to be prepared that a determined adversary may get through those initial defenses, and we must lay a foundation for recovery. There's no question that WannaCry was an important event, but it won't be the last of its kind. It's an indicator of what's to come. Good fortune played a significant role in minimizing its impact, particularly in the U.S., but we will not always have luck on our side, which is why we want to make the necessary improvements to our defenses and response capabilities. This hearing is an important part of that effort, and we appreciate the opportunity to be here. I look forward to any questions you may have.

Thank you, Dr. Thompson. The chair recognizes himself for five minutes and we'll begin questioning. The title of this hearing is Lessons Learned from WannaCry, and we've talked a lot this morning about WannaCry and how that played out across the world. But in terms of how we learned about the genesis and origin of where this came from, I know the Washington Post came out with an article yesterday that the NSA has linked WannaCry to North Korea. I'm wondering, Dr. Neino, if you can talk about the genesis and origin of where this came from, because it appears it's from a nation state, and I know there are references to what occurred with Sony and the Bangladesh bank. What do we know about it? And what's being implemented, I guess on the government side, to prevent this or hold an entity or the government accountable?

Thank you, Chairman. I think, if I understand your question, you're asking about the origin and our conjecture as to that.
Number two, perhaps defense, but also correctly what would be the rules of engagement if it was another nation state. Why it may not be, why we think it's ambiguous to conjecture over the origin of WannaCry: there are codes in there that suggest one way or another that some nation state could have been responsible. Unfortunately, as I said in my written testimony, anyone could have created this level of attack, and often misdirection is found typically in binaries like the attacks we see. I would compare it perhaps, in analogy, to Photoshopping a program to look a certain way. Or it could have simply been what it is, which is exactly what we see. It's hard to tell. I won't say that I know the origin of the attack, nor should I conjecture on it, but what I can say is that these attacks are hard to tell. So it would be very difficult to pursue an answer to that. I also think that the question segues the same way. It would be difficult to create attribution or origin to any attack, and rules of engagement would be very difficult for us to give any kind of assessment on.

Dr. Thompson?

This was truly an interesting attack. We spent a lot of time in our research labs looking at both the code that was used in WannaCry but also where WannaCry communicated out to. And there were very, very close similarities to other kinds of attacks that we've seen, specifically attacks that we attribute to Lazarus. The reuse of command and control infrastructure out on the internet by that malware led our researchers to believe that this is strongly linked to the Lazarus Group. Similar to my colleague at the end, we're not the intelligence community either, and I agree with those comments that attribution is often difficult. But what we've seen leads us to believe there was a part of this Lazarus Group, and separately the FBI has linked the Lazarus Group with North Korea. And I think, Chairman LaHood, the article that you're referring to from yesterday is another from the NSA.

Dr. Neino, we talked about the kill switch and how that stopped the attack. But we referenced that a hospital and a high school were subject to the attack. Can you explain, if the kill switch was implemented correctly, how the hackers were able to perpetuate the attack despite the registration of the kill switch?

Absolutely. Although I'd like to be a doctor, it's Mr. Neino. You have to understand the material makeup of the actual malware and how it works. Why WannaCry was so significant is that it's self-propagating. That's what gives it the title of a worm, meaning the actors don't even need to be in existence. Sometimes we refer to these as zombie botnets because it continues to attack, as in the case of the example given in the testimony regarding the health system. That was a corner case that was very significant. The worm continues to propagate because it is scanning and seeking to expand itself, and that portion of the worm is not tied to the kill switch. So the expansion is still exploiting systems worldwide. What it's not triggering is the payload, if you will, the ransom component. And that component doesn't trigger. Most of these organizations worldwide right now don't know they're getting actively exploited, but it's because they don't see the ransom portion of it. That's why we have 60 million attacks thwarted today. Nobody knows it's still happening. I don't think the message has resonated, given those figures, that this still needs to be patched, and this again points to the point of resources.

Thank you, Mr. Neino. I'm out of time. I will yield to the Ranking Member, Mr. Beyer.

Thank you, Chairman LaHood. I'm impressed by our panel. There's so much information. Congratulations on being Ph.D. mathematicians. That's wonderful. Only McNerney was our mathematician in Congress. Congratulations on winning the hacking tournament. I never had a chance to say that, but it's very cool.
And after all the things that you've done, combat and diplomacy, to be up there in Carnegie Mellon with their buggy races around Schenley Park. Every university has something that makes it cooler than every place else. General, you talked in your long written testimony about H.R. 1224, a bipartisan bill, but we've expressed a lot of concern about the audit function that this would be taking on. I was fascinated by your points, which we didn't raise when we had the hearing here, that it would make it much more difficult for it to be reviewed as an honest broker, that this would change the perceptions about their current and future roles, that it would chill a relationship based on a common quest to identify and incorporate the practices, and this would change them in not a good way, and it would stifle the information from public to private entities. Can you expand on that at all?

Section 20(a), in making sure that folks are in fact using the cybersecurity framework across the federal government, I think it's brilliant. We need to follow on that big-time. It was something I was promoting as I was United States chief information security officer. As a matter of fact, at my last Federal Chief Information Officer Council meeting in January of this year, I proposed, and we had a unanimous vote amongst the council, to do a risk assessment for the federal government based on the framework. That portion of the legislation I'm wholly supportive of. Section 20(b), the proposal to do the compliance and audit activities, I'm a fan of; I think it's important that we do auditing and compliance. However, I do stand by what I wrote in the written testimony that I think that this is not the best place to put that. It doesn't have the culture. It doesn't have the mission. It doesn't have the personnel to do it as effectively as the existing general auditing functions. NIST is a great organization that I've been working with for the last 35-plus years.
And the relationship that NIST has is in fact as a neutral party that is on the quest to choreograph efforts to find the best ways of doing things. A compliance function, on the other hand, is looking to see if you were in fact following the checklist. I think that if we want to have an auditing and compliance function, which I definitely think we should be doing, we should be giving direction to those folks whose job it is to do that auditing and compliance function. Frankly, this is an operational issue. And inspectors general have always been, in my book, the folks that do performance inspections, the ones that are going to help those commanders in the field in the military, as well as the executives in the federal government, do their job better and have better visibility into their risk posture. I believe we need to have the inspectors general that are currently in place be the ones who execute the intent of the community and the Congress.

Thank you, General, very much. Mr. Neino, based on your testimony, you should be a doctor, based on interesting things. The largest issues were that, a, organizations are too slow to adapt; b, that we have a research shortage; and c, metrics to measure return on investment. You talk about creating a method to prioritize threats, something like the Richter scale. Who should put this together? Who should manage it? Who should maintain it? How do we make this happen?

I think it would be interesting to see the participation in this if it were crowdsourced through various academic, commercial and private entities, and you could see how they're prioritizing threats and see if that could be put into some sort of simulation system where it allows it to be scalable, where resources are not scalable. That would be an effective area.
I also see that the commercial sector alone can push that as well, and that could be adopted, but any time you have some sort of regulatory mandate, it is taken much more seriously. And what I mean by that is, for instance, if we had an event of magnitude that was measured, and let's say a 7.2 magnitude, shouldn't that particular event be required to be fixed by an organization, whereas right now it's mostly voluntary? So if a water system or a power grid doesn't fix it even after WannaCry, post-outbreak, shouldn't we see that sort of mandate, where we can know that that is regulated because that has context, versus you can't boil the ocean when it comes to patching vulnerabilities. We're not going to win the war. It's infinite. But we should attack the ones we know about.

Chairman Abraham.

Thank you, Mr. Chairman. I stand in awe of the brain cell power on our panel. We could probably use you mathematicians when we work through our budget process. And Doctor, if indeed North Korea had a role in this exploitation, I find it ironic that a country such as North Korea, that not only suppresses freedoms, would use Lazarus. Just an aside. When news of WannaCry started spreading, what, if any, steps did they take to ensure information systems were protected, and was NIST involved in any government meeting that took place around that time?

Thank you very much for the question. The response for an event like WannaCry, from the NIST perspective, the scientific goal, and as an institution that provides guidance, is to learn as much as we can about the technical origins and to determine whether the guidance that we issue is significantly robust to help organizations prevent this kind of attack. I'm not aware of specific meetings that we were involved in that were discussing the operational side of WannaCry. I think the, you know, law enforcement and intelligence communities were certainly meeting. You heard reference to DHS being quite active and helping the private sector to deal with this issue. From our perspective, it's more learning whether we can improve the guidance that we make available to entities to try to not only prevent these attacks but also recover from them and to be prepared for them in the future.

And I'll stay with you for my second question. In your testimony, which I did read, you said that NIST recommendations and the NIST guide for cybersecurity and the Cybersecurity Framework would sufficiently address the WannaCry incidents. Will the requirement in the cyber executive order for agencies to implement the framework help them be better prepared in the future to defend against these types of incidents? And should that be enough, or should more be done?

Thanks for the question. It's difficult to know whether it will be enough for the next event. But I can say this: one of the important things that emerged in our discussions with the private sector during the development of the framework was that we are often thinking about detection and prevention of attacks. Sometimes we don't pay enough attention to response and recovery. And so one of the things that the framework does is to spell out the five functions of identify, protect, detect, respond and recover. And we're providing a lot of guidance with the incident response guidance that we have, for example, to help different organizations to be better prepared in responding. One of the analogies that I found was that the Boy Scouts' and Girl Scouts' motto is right. The better prepared an organization is through its risk management activities, which we think the risk management framework from FISMA, coupled, for federal agencies, under the umbrella of the Cybersecurity Framework now, we think those are the tools that are necessary to implement the kind of preparedness that organizations should have.

One quick follow-up.
What specific steps, in lieu of this, should be taken to help federal and state agencies be better prepared, as well as the private sector?

Look, we are looking at some of the incident response work that we have, some of the data integrity work. We launched the data integrity project at the National Cybersecurity Center of Excellence, which has a very strong tie-in with ransomware-type attacks. We launched that before WannaCry came out. But in light of this new event, we're accelerating the work that's going on in the NCCoE so we're able to provide practical examples of how to be prepared, so that organizations can see how it's done.

OK. And General, thank you for your service to our country. I yield back.

I now recognize Ranking Member Lipinski for his questioning.

I thank you for all the work that you do. We are, I think, starting to take cybersecurity more seriously here in Washington, although it's much more, I think, that we need to do. Part of the problem is understanding what this really means and the impact that it can have. We also need to make sure that the American public knows the significance of cybersecurity and what could happen. We know when we're dealing with cybersecurity that technology is just part of the solution. What often matters more, as we saw with WannaCry, is personal behavior and organizational behavior. Individuals must regularly install security patches and update software. They have to have plans in place for a quick response when they're attacked. These are social science issues. Another social science angle is understanding criminal and terror networks as well as actors, and using that understanding to help inform our information gathering in our cyber defenses. I would like to hear from each of my witnesses your thoughts on whether we are investing enough in cybersecurity and what more can be done. What more would you like to see us do so that we are taking care of these issues?

Thank you, Mr. Lipinski. I think it's a great point that you bring up.
There are few things harder than software and security; when you put them together it's very hard. One thing that we know will be quite difficult: resources will maintain their need for quite some time. We have eroding boundaries. Systems are changing. Digital transformation continually happens. We have to relearn our people. This makes it very difficult for those responsible in those areas to manage risk, to actually keep up with the actual threat, the pragmatic threat, but in reality like WannaCry. In that case, I think that we could see a huge value if we were to see investments in things that allow organizations to prioritize threats, going back to the magnitude idea. You can look at the areas that can hurt you the most. Investigating those things and putting them together allows you to start to formulate a picture that allows you to prioritize. Once you do that, the investments you make in those people and those resources will be maximized, and we'll have a better chance of being more resilient. Thank you.

Doctor?

I'd like to describe two important NIST programs that directly address the human part of this problem. One is, NIST is privileged to host an interagency program that's dedicated to building a larger cybersecurity workforce, and we've made great strides in that area. The second part of the program is, you're absolutely right that one of the key components in achieving security is understanding how humans interact with technology. You can be theoretically secure with technology, but if the people who are trying to get their job done are focused on that and not taking advantage of, or in some cases even circumventing, security that's in place in order to get the job done, you have to understand how to build systems that have the human in the loop. NIST used a systems-level approach for cybersecurity, but we think about the users behind it.
We have a research team of psychologists and engineers on our staff whose entire mission is to understand how people interact with technology so that we can do better in security and usability.

Thank you very much.

When I was still in public service as the U.S. chief information security officer, I focused my effort on five strategic priorities. Three, do the right things, the right way, at the right time. Four, make sure that you're continuously innovating. And five, make sure that you're making risk management decisions at the right level. The first one was harden the workforce. You're always going to spend it on people. And frankly, your people are your greatest resource, but they're also your weakest link. 95% of the incidents US-CERT responded to, you could track back to a human failure. Failure to patch. Failure to reconfigure. It should be a strategic priority. It was the top one. Further, if you ask where else could we invest? Well, exercises. People should not necessarily be confronting crises without having practiced ahead of time. My friend likes to say the time to exchange business cards is not in a time of crisis. We should be doing exercises more often than we are. And further, everybody needs to play. Too often we've seen senior executives dismiss that out to the server room to play. It's a risk issue, and they are made at the board level. I think we need to invest in exercises. You're doing a lot. During the time I was at DHS, the year before we had done 44. By the time we left, two years later, we were up to 270 exercises. I hope we reward these types of practices because it will buy down our risk.

Dr. Thompson?

Thank you. Thanks for that question, because I think what you're hitting on is probably one of the most important and underinvested areas in cybersecurity in general. This human element cannot be separated from the technology. Often in the security community, we talk about advanced persistent threats.
And most people, when they think about that, think about very sophisticated code, malware. But in fact, what we're seeing is that the root of many of these advanced persistent threats is the initial way a company got, or a person got, infected: an individual made, in retrospect, a bad choice. They downloaded a file. And we're seeing attackers becoming more socially sophisticated in the way they attack. We're seeing personalized attacks, looking for information on social networking sites, for example, so they can create credibility and you're convinced that this is a reasonable thing to do. I think from an industry perspective, I want to give you one data point that I think might be useful. I've had the pleasure to serve as the program committee chair for the past 10 years. That conference had 40,000 people, security professionals, that showed up last year, which is a sign of how important I think this industry has become. Three years ago we started a track called the human element. It is growing, because I think we all realize, and I love the comments that the General made, I think we would all realize that's one of the most critical areas: the human element of the people that are responsible for cybersecurity, but also the human element of the users. And if I could make a final comment here, it is very easy for a user to see that there's an increase in utility. I know it's easier for me if I leave the door unlocked. You don't have to carry any keys or not. Generally, when you make it more secure, you make it more painful. There are more things you have to do. They can easily measure that, but they can't easily measure risk. We need to do a better job at helping the individual to recognize risk.

Thank you very much.

Thank you, Mr. Lipinski. I now recognize Congressman Higgins for his questions.

Congratulations on shutting down WannaCry. That was a big mistake to leave the domain unregistered. It's hard to say what it was. Could have been intentional.
We think it's unintentional, but it definitely was a mistake in any regard.

Well, congratulations on discovering it. Had that kill switch not been discovered, I could only get a thumbnail of what it might look like. We're seeing them, and you'll start to realize that the spread slowed significantly. This could have been a very, very massive attack.

I concur. Most cyber experts agree that it appears that North Korea was behind WannaCry. Do you agree?

I think there are telltale signs in the software program that you could use to associate it. But I do believe that intelligence is cumulative beyond cyber. You need other areas to attribute.

What's your opinion? Is North Korea behind WannaCry?

I don't want to comment. I could conjecture, but I don't think it's worth commenting on.

When security software is designed, how easy is it for the designer to build a backdoor access that would be virtually undetectable within that cybersecurity software?

We've had good starting. The level to do that is very low.

Thank you for concluding that. Brigadier General, my question is to you, sir, and thank you for your service. Are you familiar with Kaspersky Labs out of Moscow?

I am familiar.

A manufacturer of cybersecurity products. Top intelligence officials at the FBI, NSA and others advised this body about Kaspersky. However, it is still used widely in the New York government. Can you explain that to this committee?

Well, sir, I don't know what kind of conversation, you know, my colleagues from those agencies had with this committee. However, if I take a look at the different products that are in the market today, I believe that the American products, that the American pickup trucks, are the best out there.

I concur. [laughter] That's a Brigadier General speaking right there.

That's an American speaking, sir.

Although there's no public evidence of collusion between Kaspersky and the Russian government, it is not a large leap.
And Eugene has suggested that his products have no ties to the Russian government. However, as part of the national conversation, Mr. Chairman, and it's widely known that the Russians have been involved in efforts to influence governments across the world with cyberattacks, he has suggested that he would testify before this body, and I suggest that we take him up on his offer. I would like to talk to him regarding the kill switch, that having been a rather glaring error on the part of the designer of that worm cyberattack. What do you think should happen to that guy in North Korea? It was a kill switch, wasn't it? This message, should it get to any of the cyber experts in North Korea: if you can get out of the country, you are welcome in the West, and we would love to have you before this committee and give you some real good food. Mr. Chairman, I yield back.

Thank you. I now yield to Congresswoman Esty.

Ms. Esty: There are a couple of points I want to return to and drill down on, and one is the human element, because it is important, because you can buy all the great equipment in the world and if you leave the door open, it doesn't do you any good. And I think a little bit about the analogy in hospitals about people washing their hands, and it may be low tech, but it works. One thing we have to emphasize is hygiene. What are proper hygiene practices, and how do we make that standard operating procedure for all organizations, government and non-government? We have an issue in the federal government in particular, in all levels of government, of really old systems, and look at the fact this was exploiting a vulnerability in Windows. Who still uses those? Local and state governments are still using these old systems, so that makes it an even greater issue. Your point about threat assessment and understanding needs assessment, we triage. Everybody gets those notes on those phones, and I don't have time to upgrade my system.
That is the reality of Human Behavior. I suggest a couple of things. We should get behavioral economics and social media experts to your point, dr. Thompson. We need to stay ahead of the game. We need to do it. A number of us were at a briefing with some of the people from the top level of the private sector talking about how our emphasis has been the incentive for us to be on attack mode. We are developing our attacks. We have left it to the private sector. To do defense. We need to be doing more defense. Defense, incentivize it is less sexy but important. Is that out of nist to put the incentive there and make sure we are getting the broader sector talent pool. Again, it may not strike people bringing in people who do snapchat for figuring out how do we make sure people dont click on that link. If we dont do that, if we look at the hacking on the electoral system and last year with John Podestas email. It will be the weakest link in the strongest link at the same time. What happens when you are at the end of the hearing and batting cleanup and raise a number of issues. Thank you and i look forward to following up with you and appreciate your efforts and figuring out how to do better for america. Ill make two quick points. We have active Research Going on now under the program we just talked about, trying to understand Human Behavior and susceptibility to phishing attacks. And what are the factors of people not recognizing it is a phising attack. With regard to culture change, it is underappreciated, the cultural change going on in boardrooms among ceos who, in light of the framework as a catalyst for this, but i think this might have been on their radar. But the framework is a means of cataloging the understanding of board rooms and c. E. O. s that managing risk to financial reputation and business Operational Risk and all the other risks that you are managing as a c. E. O. 
, you now have the tools that you can use to incorporate cybersecurity risk into that entire risk management.

I would like to pile on. On the cyber hygiene, we all need to do better. And we work very closely with NIST to help promote the national cyber education programs that we have. And I think we need to do better on that. I proposed that we probably need Woodsy Owl; let's get kids out there fully educated and bring that pipeline up. And we have been working with NIST and across the agency to do that. We need to incentivize. We shouldn't be seen as the government that overregulates, but need to encourage them to do the right thing and buy down their enterprise risk. We have to recognize that risk is an intrinsic part of management of any business, and we have to be careful we don't shackle the boards from actually managing their risk, and need to give them the tools and support to be good wingmen. And finally, we have had a lot of discussions publicly in this town over the last two, three, four years about who does what. As for me, having served in uniform for over 30 years and done some public service on top of that, it takes teamwork, and I view the D.O.D. and N.S.A. and intelligence community's mission to help us with deterrence and interdiction and stop them and take the fight to the bad guys, but protecting hometown America, that is more appropriate for D.H.S. to choreograph different activities across the federal government in better serving the citizens.

A quick comment. I support the suggestion by the General to resurrect Smokey the Bear. Great to see him again and repurpose him for the effort.

Thank you, Congresswoman, for your comments; I agree with what you said about this human element. Security is changing because of that.
I think about the people we hire at Symantec as an example: the people hunting down the malicious networks today are not just computer scientists and mathematicians, but computational linguists, behavioral psychologists, anthropologists, people looking at the human behavior of an attacker group. On the consumer side, where we sell Norton, we spend an amazing amount of time thinking about how do we make security similar to the iPad? I call it the iPad because it is the only piece of technology I have ever given to my mother where I did not give her any instruction about how to use it. She just understood it. And we spend a massive amount of time now today on design: how do we make it intuitive and make it easier to be more secure than less secure? And that is where a lot of effort must go in the security community today: how do we make it easier to be more secure than less secure?

Thank you. I was thinking, as you referenced Smokey the Bear, there might be Smokey the Bear malware.

We will register the domain, Mr. Chairman.

I recognize Mr. Palmer for his questions.

Mr. Palmer: Accept our thanks that allowed the kill switch to prevent so many infections, but with regard to your measurements, 200,000 infections is too low, and before the implementation there may have been one or two million infections. How do you explain that practically no one tried to pay the ransom, if there were that many more?

I think some tried to pay the ransom. The measure of success is hard to determine.

Mr. Palmer: What you got from a large portion of the companies is that they do pay the ransoms. But monitoring the bitcoin, less than 500 people did so. That is inconsistent with what you are saying.

It is hard to associate the payments with the actual spread, and I'll tell you why, for a variety of reasons. When you look at the actual attack and the magnitude of the attack and trace it to the payments, if you look at the mechanisms, it is not clear whether you would get your system back. And at this point, the attacks have been abandoned.
If you paid it, you didn't go anywhere. Most of the media and experts were suggesting not to pay. We said you have to base it on your own risks in determining if you should pay. What I can say is the data we are receiving is absolute. When we get the data, it is not just one; we have been doing this for close to a decade, and we see analyzed data. It is accurate.

Mr. Palmer: I would like to address this question to the General, and thank you for your service. Your testimony refers to people running Windows 95, but most infected were Windows 7. Isn't it true that the main reason people were infected was because the intelligence community vulnerability was leaked to the public?

Sir, thanks for the question. Just for clarity's sake, in my written testimony I highlighted Windows 95 being used as an exemplar, but there were plenty of operating systems that were susceptible, including unpatched Windows 7 systems.

Mr. Palmer: I'm asking about the intelligence community vulnerability that was leaked to the public.

If we look at it from that standpoint, I'm concerned about that, and this highlights a couple of things. First of all, we have been telling you all along to do that. Second of all, as we take a look at the leakage of information, or the attribution of leakage of information, that is serious and unacceptable.

Mr. Palmer: With regard to the patch, Shadow Brokers published something in January 2017, and Microsoft released a patch that addressed that vulnerability three months later. So it was not a problem with machines being out of date; the problem was that if you put all the recommended patches on, only the machines within 60 days, you would become a victim. Bluecoat was released in January.

I don't believe I would characterize this one as a full zero-day attack.
From my perch, frankly, because of the fact that we had some patches, and Microsoft went through extraordinary measures to go out and create those patches for operating systems that had previously been declared unsupportable many years before. And I used Windows 95 in my testimony because Windows 95 had been online for 19 years before it was retired. And for the last three years, Microsoft had not been supporting it, and for them to come back and put out that patch in March was extraordinary. And through the federal government and other organizations around the world, we went out and we clearly communicated, and Carnegie Mellon was one of them, clearly communicated to the communities of interest: this is an important patch, a critical patch.

Mr. Palmer: I have one more question. Could you address the future you mentioned? No one was paying the ransoms, but it was to allow access to the machines.

Thanks for your question. It's difficult to anticipate what the true intention was of this attack, whether it was ransomware or the ability to propagate a backdoor. But what is interesting as a characteristic of the attack, which I think goes back to your first question of why we didn't see the, quote, normal or expected rates of ransomware payment, is that the backend infrastructure that was set up was very weak compared to the typical piece of ransomware we see out there in the wild. It is pretty incredible that these attacks have a very robust infrastructure behind them. They have almost the equivalent of customer support for people that have been infected with the ransomware, and we didn't see that level of sophistication on the back end.

I thank the witnesses for your answers and yield back.

I yield to Congressman Webster for his questions.

Mr. Weber: Thank you. My mind has been on something else, and the statements that were given here were similar to that, in that they fit.
There was an attack yesterday, and I thought about the fact that it was an advanced persistent threat, and not only that, it was a personalized attack. And there are some people who acted heroically to turn it around. That was on my mind. The Capitol Police service who protected life, and heroic acts by members of this Congress; maybe it's a different kind of threat, but it was real. And in this case, there was no human error. And so I want to take this time, I have just a few minutes, and say thank you for our people who work here and for the members who serve here, who prove there are still heroes in our country. We have not been exposed yet. Yesterday, some were exposed. So thank you, Mr. Chairman. I yield back.

Thank you. We have a couple more questions and will go for a short second round. I yield myself five minutes. You note in your written testimony that the National Vulnerability Database maintains and updates, dozens of times daily, all known and publicly disclosed vulnerabilities, including that vulnerability that WannaCry exploited. A recent report notes 75 of the vulnerabilities were disclosed elsewhere first, and it takes seven days between the discovery of a vulnerability and reporting. What is the reason for the delay there, if you could talk about that, and is NIST working to get rid of that lag time?

Thank you for the question. We are interested in trying to shorten the time to deliver important information to our stakeholders. In the case of the NVD, our goal is not to be first to disclose or first to disseminate, although we want to do it as early as we can; our real goal is accurate curation, including assessment of the impact that a vulnerability might have, and that requires a certain analysis before we can include something in the National Vulnerability Database. The disclosures are often from sources that are not necessarily reliable. Including information about vulnerabilities from sources we do not view as authoritative would not be in the best interest of the NVD.
Was there a delay in reporting the vulnerability the WannaCry malware brought?

I don't know the time between when we received the report and when we put it in the NVD. I am sure it was a matter of days.

Thank you. General, you were the first federal chief information security officer, a position you took last September under the Obama administration. You believe the federal government should have this federal position, and I know the Trump administration has not filled it. Why did you leave when you did, and do you have concerns about it being refilled?

I believe it is a best practice to have a chief information security officer in different organizations. The first one was created in the private sector over 20 years ago. It took 20 years for the federal government to create one. I think it is critically important, as part of an enterprise risk management approach, that you do in fact have someone focused on information security and the risk to the enterprise, advising the corporate community up, down and across as far as what those risks are and best practices to buy down and manage that risk. Within the federal government, we still don't have an authorization for a federal chief information security officer in statute. My position was an administrative appointment, and I think, as we take a look as we move forward, the executive order that recently came out is a great step forward. I think we need to firm up and make sure that this position is an enduring position, and we need to authorize and empower the position such that that chief information security officer can have the authority to direct. I look forward to seeing who the administration brings forward, and I will coach and serve as wingman.

While we are talking executive orders, you make an interesting case that we overclassify: that the default is to make it the highest thing, and we should make the default position at the lower level and argue our way up. How do we operationalize that? Executive order, legislation, memorandum?
Thank you for the question. I am passionate about it because I was responsible for public and private partnerships and the information sharing between the public sector and private sector. And frankly, we overclassify too much time-sensitive information in the federal government, in my view. And I believe that the solution set is going to have to be a combination of legislation as well as executive action. I think both branches of government are going to need to partner up to determine the best means of getting the information out faster to folks and taking timely and actionable actions in this environment.

You had one intriguing line in your testimony. One says that it points contrary to defense, who did it. And what I understood from that is we spend so much time on who is trying, rather than defend ourselves. Can you expand on that? I just want to know who did it.

I think the barrier to entry is such that anyone could do it. Conjecture about who has done it is a very difficult task, because cybersecurity is something that could be misdirected. You never know who the attacker is, and focusing on that doesn't solve the problem that we are vulnerable. We are vulnerable. If you leave the door open, there could be thousands of people who walk by your house every day; would it matter, because you leave yourselves exposed? They do it because they can, and we should not make it that way. We should make it so we are a resilient and strong nation in regards to defense.

Thank you. Do you want to pile on at all?

I do. It is interesting; we do not spend much time looking at who did it and the country behind it, the enterprise or person behind it. It is critical for us to associate patterns of behavior. If we associate one attack with another and believe they are related, it will let us learn more about that group and the tactics, and make us better prepared to protect against a new attack sight unseen, and that was the case with A.V.
engines and artificial intelligence engines, because of previous training on this, against the WannaCry malware, and leave it up to the intelligence community to decide who that group actually belongs to.

Thank you very much. Mr. Lipinski, any follow-up questions?

Mr. Lipinski: I thank the witnesses for the testimony and all the work, as I said, and I'm sure we will be continuing this discussion. So thank you.

In closing, I want to thank all the witnesses today for your important, insightful and impactful testimony. And as our committee looks to cybersecurity and the issues of national security, economic vulnerabilities, privacy, we look forward to working with you on those issues and appreciate you taking time out of your busy schedule to be here today. And the record will remain open for two weeks for additional written comments and questions from members. At this time, the hearing is adjourned.

[Captions Copyright National Cable Satellite Corp. 2017] Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org.