Community center . No, it is way more than that. Comcast is partnering with 10 Community Centers to create wifi enabled li zones, so students from low income milies can get the tools they need to be ready for anything. Comcast supports cspan as a Public Service. Along with these other television providers. Giving you a front row seat to democracy. The director of the cybersecurity and infrastructure Security Agency, jen easterly, testified for a house subcommittee on a range of technical challenges facing the u. S. Artificial intelligence, and concerns about the chinese government. And information sharing. [silence] the committee on Homeland Security subcommittee on Cyber Security and Infrastructure Protection will come to order. The purpose of this hearing is received testimony from jen easterly, director of cybersecurity and infrastructure Security Agency. We now recognize Ranking Members for the purpose of seeking unanimous consent. Thank, you chairman, i asked for unanimous consent that the gentlelady from new york, miss clark, be permitted to participate in todays hearing . That objection so ordered. I now recognize myself in her opening statement. Welcome back for our second subcommittee hearing of the congress. Last month we hosted Industry Leaders to give their perspective on the state of american cybersecurity and particularly how Cybersecurity InfrastructureSecurity Agency or cisa has developed since its creation five years ago. I am glad we will hear directly from the director jim easterly, for her views on the evolution where needs to grow and mature by 2025. Director easily and i have a fantastic working relationship since i started as Ranking Member of the subcommittee last congress. I look forward to continuing our strong bipartisan relationship with this congress. In our last hearing, there was some common themes for our witnesses that i hope to further explore with directories this afternoon. First we learn that system must work with the industry and variations the partners to ease compliance, the compliance burden that industry faces for duplicative regulation. It is clear that our nation must increase resilience to cyber risks across the board. Particularly within our Critical Infrastructure sectors. But we must find the right balance between Regulatory Burden and security outcomes. We also heard a lot about one of jcdc. We are jcdc has the potential to be a value add to the private sector, benefit both the jcdc and the industry. Finally and perhaps most foundationally, we heard about the need for robust cybersecurity workforce. We had only the enough people, but there are people with enough skills this is one of my Top Priorities this Progress Development of our Cyber National workforce. This hearing is timely and comes as we are evaluating the president s fiscal year in 2024 budget request. Cisa is requesting 3. 1 billion, 145 billion 2023. Enacted funding level. He dialogue we had during this hearing will help in the former committees review of the budget. Particularly no system abolition of the National Security system production. I think i speak for all members when i say that we want to statues exceed. Its mission is two important avail. It is our responsibility to ask pointed productive questions about this is stewardship of the resources and Authorities Congress has given. As i said in our last hearing congress intends to be partner to cisa to ensure the agencies meets its full potential. Director easterly i look forward to your testimony today and i thank you for being here. I now recognize the Ranking Member, the gentleman from california, mr. Swalwell for his opening statement. Thank, you chairman, and welcome director. It was just 12 hours ago that the chairman and i were here early in the morning with our colleagues voting. I dont think we voted the same way on many of the amendments yesterday. But on this issue and your success, there is no daylight between the chairman and i. And my colleagues. Your success is americas success in this space. In that its something we are rooting for and want to enable. I also represent east Bay California district that is home to tech giants like trying to outand workday. But also an emerging cybersecurity Insurance Company called sawyer security. And ive worked with all of them to protect not just Large Companies but small and Medium Sized Companies from emerging threats. As a chairman said, says that an Inflection Point in cross. They made an operational component of dhs five years ago. Since then its budget has nearly doubled. And congress has provided it with a range of new authorities. For mandatory cyber Incident Reporting to persistent threat lobbying on federal networks. To cyber century. And cisa has ambitiously taken on new responsibilities to meet the demands of an evolving threat landscape. Building trusted relationships with new stakeholders in the process. For that i and our team command says that for its Proven Ability to dynamically respond to evolving threats ranging from Election Security to open Source Software vulnerabilities and the shields of campaign. And as it relates to Election Security, i hope to hear an update from cisa on some recent successes. It has launched promising new initiatives including the National RiskManagement Center and the joint Cyber Defense collaborative. A collaboration that so many outside organizations, private sector folks are asking, how do we get in . How do we persevere . Which to me means you are a victim of your own success in that regard and that there is high interest in growing and expanding the ability to share information and collaborate to take on our threats. All of these are worthy efforts and i support them and im committed to their success. Today i look forward to hearing how they will continue to deliberate and then you work it takes on and the commitments it makes to our partners. As more stakeholders become aware of cisa and its capacity. They have placed more and more demands on its resources. Cisa cannot be as you know every thing to every one. And certainly it has not had half the resources to boil the ocean. Becoming the powerhouse cybersecurity Critical Infrastructure defense agency, cisa has the potential to be requires what cisa has the potential to be, it requires clear Strategic Direction and chairman leadership. I have every confidence that director easterly has both and i will be interested in learning more about your vision for cisa moving forward. I am also interested as a reference to the future of jayz easy, stakeholders have a lot in jcdc of an innovative flexible tool for salah to gather and views threaten information and foster realtime collaboration and push out security practices to initiatives like its shields up campaign. Over the past year and a half cisa has expanded jcdcs focused to include open Source Software security and protecting highrisk communities by journalist or Civil Society organizations. Although these are worthwhile efforts it is unclear what criteria jcdc is using to select which areas to focus on. Which organizations to partner with. And how these activities are tied to the jcpoas original purpose of streamlining cyber planning and operational collaboration. I look forward to candid conversations about defining jcdcs core functions. How to ensure jcdc partners are involved in decisions about its future. And how it can bring a more proactive posture to cisas defense activities. Formalizing the answers to these questions through authorization will ensure jcdc has enduring value for years to come. On a related note i understand that cisa is in the process of reviving the National RiskManagement Center and i look forward to learning more about plans to make csis analytical hub. Finally, it is critically important that says they do more to secure Industrial Control Systems and other operational technologies. I appreciate the support from my legislation that we passed through the law last year. The Industrial Control System cybersecurity training act which will solidify the existence of meaningful training courses, to ensure ot remains at the forefront of our security focus. As i am sure you will agree, descent must develop that workforce now. Not five years from now. Also doing more tooth to promote threats to understand threats to oc easthams. Pushed out its cyber performance goals. And grow programs like cyber century that monitor our ot threats. Thank you again to the chairman for convening us here today. Thank you director easterly and your team who has worked with us i look forward to a robust conversation about attacking threats that we face. I yield back. Thank you, Ranking Member. I do not see the chairman of the Ranking Member of the full committee. So others members of the committee reminded that Opening Statements may be submitted for the record and i am pleased to have director easily before us to discuss the important topic and i ask that our witness please rise and raise their right hand. Do you solemnly swear that the testimony will give before the committee of Homeland Security of the United States has for this be the truth, the whole truth, nothing but the truth, so help you god . Yes. Let the record reflect that the witnesses answered in the affirmative and thank you and please be seated. I wouldve looked formally introduce our witness jen easterly hes she is the director of Cybersecurity InfrastructureSecurity Agency had to adjust. She was nominated by President Biden april 2021, and unanimously conservatives confirmed by the senate from july 12th 2021. It is no easy feat. As director she leads the effort to understand an inch and reduce risks to the cyber and physical infrastructure that americans rely on every day. The four serving her current role she was the head of Firm Resilience and Morgan Stanley and responsible for ensuring preparedness and response to business disrupting operational incidents and risks. She also has a long tenured Public Service to include two tours at the white house. Director thank you for being here today, and i recognize you for five minutes to summarize your opening statement. Thank you so much. Chairman and Ranking Member and the members of the subcommittee for the opportunity to appear before you today. Finally excited to share what we are doing to ensure that the system of today and tomorrow is the agencyreduce risk to the cy physical infrastructure that americans rely on every day. Since cisa was established in 2018, the threats we faced have become more complex, more geographically disbursed and dispersed and affect businesses from sizes large and small and ultimately the american people. Cisas mission has never been more urgent and its a sense of urgency that each of us at cisa feels every day to ensure that we are making the best use of the resources and authorities that congress has jen rustsly pro generously provided to us in the past several years and having a clear return on investment both to you and the american people. As youre well aware, the past two years have been pretty intense. From the solar Wind Supply Chain compromise to the Ransomware Attack on Colonial Pipeline, to vulnerabilities in Microsoft Exchange servers, from our shield up campaign, from russia militia cybersecurity, to help state and local Election Officials secure election infrastructure during the 2022 midterms. Cisa, along with our partners, have been front and center on each. Weve aggressively leveraged all of the authorities weve had to enhance our operational vulnerability to hunting to conduct planning and operations with our Industry Partners including our Operational Technology and Industrial Control System partners through the joint Cyber Defense collaborative to identify vulnerable systems through oured a minute admin subpoena process. To serve as both a sector Risk Management agency for eight sectors and one subsector and more broadly as the National Coordinator for Critical Infrastructure security and resilience working with our sisters to reduce crosssector risk. Even as we maintained the highest operational tempo in an increasingly complex and threat environment weve been growing and maturing as a new agency. Cocreating a culture of collaboration to enable us to attract and retain the best talent in the nation. And indeed, growing that talented workforce by nearly 1,000 new teammates in the last couple years. Meticulously executed our rapidly expanding budget to ensure we remain responsible stewards of taxpayer dollars. And last september we published our firstever Strategic Plan which outlines our Ambitious Goals through 2025 across four key pillars Cyber Defense, Risk Reduction and resilience, agency reunification. I greatly appreciate this committees steadfast work to help cisa achieve these goals and also appreciate that the tenetess outlined in the cisa 2025 plan from optimizing the organization, growing an expert Cyber Workforce, advancing our capabilities, harnessing partnerships and measuring outcomes to determine progress are all well aligned. So our efforts together can advance a shared vision for cybersecurity in america. Were aggressively executing this plan working with our trusted partners to enable a collective defense of our Critical Infrastructure to include working with those target rich cyber poor entities like Small Businesses and School Districts and water facilities and hospitals and local election offices to ensure that they have the resources and tools they need to improve their cybersecurity and build resilience. Needless to say, theres much, much more to be done to protect and defend our nations Critical Infrastructure from driving adoption of secure by Design Principles in our Technology Products to championing corporate cyber responsibility in every board room to implementing a groundbreaking cyber Incident Reporting regime and much more done torp done to mature our great team and optimize our value to our partners. With perhaps no partner more fundamental to our sesquicentennial than you success than you all. We would not be here today without tremendous bipartisan congressional support, especially from this committee and this subcommittee. We are very grateful for your commitment to ensuring cisa is armed with the talent, the resources and the authorities necessary to meet our mission of reducing risk to the Critical Infrastructure americans rely on every day. This is truly a nofail mission. And thanks to your support, we are thriving. And while were proud of what weve accomplished to date, we recognize the crith cality of crith kalt of continued support in terms of authorities and budget to ensure that we sustain this progress. We must and we will continue pushing hard under your oversight and with your support to strengthen this agency and by extension the security and resilience of our nation. Thank you for the opportunity to appear before you today. I look forward to your questions. Mr. Garbarino thank you, director easterly. Members will be recognized by seniority. An additional round of questioning may be called after all members have been recognized. And i just not going to call myself first because my vice chair has another hearing she has to go through and i know she has some very interesting questions. I would like to yield i recognize ms. Lee from florida for five minutes. Ms. Lee thank you, mr. Chairman. Thank you, director easterly, for being here today. As my former role as florida secretary of state i had an opportunity to work with you, your predecessor, your team over at cisa in working to secure election infrastructure. So id like to begin there with a couple of questions about that sector. And the work of cisa in the elections arena. Starting out, would you describe to the committee what cisa does in collaboration with state and local Election Officials as it relates to cyberspecific risk assessments and then also where appropriate the deployment of hunt and Incident Response teams to state and local elections offices . Would you please describe those services, when theyre utilized and whether you see the need of them increasing or decreasing . Ms. Easterly thanks so much. Thank you for your partnership and leadership on this issue in particular. So as you know, weve been in this role now since 2017, and we have been learning constantly about the demands of Election Security election infrastructure security. And really i would say refining our relationships with state and local officials to ensure we are meeting their demands. As i think you know from 2017 to 2020, our focus was very much on those cyber services. From vulnerability scanning to remote vulnerability assessments to Penetration Testing to helping with Incident Response. I think actually we are in a much better place in terms of cyber hygiene and high behr and cybersecurity with our election infrastructure. One thing we have found, however, going through 2022, was that the threats were very different now. Not only was there cyber, but there was also physical security issues. There were insider issues, and there were issues of concern around foreign influence and disinformation. So while we continue to provide those Cybersecurity Services, we are actually expanding our full range of Services Based on the demands that were getting from state and local officials. And so one of the things that we did earlier this year was set up a full road map along five lines of effort. And we provided it to our state and local Election Officials. The full range of those Cybersecurity Services that you mentioned, congresswoman. But also physical security, insider security. And then were really pushing hard to get beyond the state and the state election directors so we can get down to communities and counties and parishes and towns because we see those are the entities that are truly rich as a target but cyber poor. So the other thing we did is we put together a place mat of services so there was no mystery in terms of what we offer and we made that available to all of our constituents using our field forces that weve grown almost double over the past several years. Ms. Lee on that subject, i know one of the challenges that faces cisa and many other partners across sectors as it relates to technology and cyber is recruitment and retention of appropriate talented trained people and i know cisa launched the Cyber Talent Management system back in 2021 with the intention to recruit and retain the appropriate professionals you need for your workforce. How has ctms been working . You mentioned the expansion of your team. Have you been able to fetchedively effectively recruit . And how does the budget request support that operation and recruitment . Ms. Easterly thank you for asking the question. That was, as you know, about seven years in the making. And so actually implementing it has been something thats been a real project that we have continuously looking at how its working and our ability to bring on more talent. I think were about 80 people with the Cyber Talent Management system and some really extraordinary talent. At this point in time, we continue to use our title 5 authorities. Our normal authorities to bring on talent. Were hoping to use ctms more aggressively this year. But i will tell you, i think the recruiting weve done to date is a real success story. 516 people last year. Were on pace to exceed that. Our retention level is around 7 to 8 . Its not just quantity. Were bringing in some of the best talent across the country. While our workforce has grown every year, the request that we put into the budget only adds very small increment. I think maybe 10 people. And so what were doing now is trying to get down to about 90 total. And then, of course, well focus on retention. But to be frank, i am ok if somebody comes to work at cisa for three to five years and then goes off to a hospital or a Power Company or a bank to help them with their Critical Infrastructure security because at the end of the day, this is really about collective cyberdefense and we need to Work Together hand in hand. Ms. Lee mr. Chairman, my time has expired. I yield back. Mr. Garbarino the gentlelady yields back. I now recognize the gentleman from louisiana, mr. Carter, for five minutes. Mr. Carter mr. Chairman, thank you very much. Director easterly, thank you very much for being here. Thank you for the incredible work that you do. In my home state in louisiana and around the nation, far too many Higher Education institutions are experiencing data breaches. What steps does cisa taking to protect the privacy and integrity of our institutions and combat Critical Infrastructure cybersecurity issues . Ms. Easterly its a real scourge across the country. One of the focused areas we did based on being asked by the congress to take a look at the k12 cybersecurity act, was we spent a lot of time putting together a guide for k12 schools and School Districts across the country and we worked with a lot of experts to ensure it was a guide which schools that were resource poor could take advantage of. So we created this guide. Very simple steps about things that can be done to prevent data breaches and Ransomware Attacks. Weve seen a lot of that. And then what were doing is working with our field forces to actually do outreach across the country to schools and School Districts to ensure that they understand the resources, the free resources that we provide and they can take advantage of them so they can drive down risks. So weve aggressively started that outreach at the beginning of 2023 so at the end of the day, we can measure success seeing whether we were able to drive down some of these events that unfortunately mr. Carter and how does that success measure . Ms. Easterly so what we want to do mr. Carter have you seen success marginally . Ms. Easterly we see success on the feedback were getting. The problem is we dont know the universe of these threats at this point in time. This is why the cyber Incident Reporting for Critical Infrastructure act is important because well finally get an idea of the universe of ransomware incidents. Now its a lot of the feedback we get directly saying, because you spent time with us, we implemented these things and its happened us improve our cybersecurity. Mr. Carter tell me about hbcus . We know that hbcus are under attack. Combivir university was crippled for some time. I know Howard University and many others likewise in almost sequence at one point there were like eight hbcus that were hit in success. Can he succession. Can you tell us of any plans you have taken since then to protect or encourage or enhance the ability to make those institutions safe Going Forward . Or safer . Ms. Easterly yeah. Thanks for asking the question. So weve actually done a lot of work with hbcus. Most is about the bomb threats they have received to ensure that their physical security and they were prepared for that. At the same time, however, we have been working as part of our reach outreach to target Rich Resource poor entities to help them understand those steps that they can take to increase their baseline. I dont have the information specifically on our outreach with respect to cyber for hbcus, congressman, but im happy to get back to you on that. The one point i would make, a recent program we just implemented had some real stung nearterm stunning nearterm success and some of it is institutions of Higher Learning and thats the preransomware notification initiative. Well get tips from security researchers from industry about ransomware getting put down on a system and before it actually gets activated, we can actually notify that entity and they can do something about it before they have a really bad day. And many of the targets that weve been notifying are k12 and institutions of Higher Education. So im happy goat you more get you more details. Mr. Carter and with 1 36 left, i want to ask you about drones. We know we see the increased use of drones. We visited the southern border this past weekend. We know that Drone Traffic is incredible and a real impediment to protecting the southern border. We also know that Critical Infrastructure, pipelines, utility companies, crime scenes and drug trade, because my understanding is now that the drones are bigger, they can go longer, faster, and they have the sxasity to capacity to carry up to 50, 60 pounds, which makes them very, very dangerous. Can you share with us what you can about what you guys are doing relative to Critical Infrastructure and the drone usage . Ms. Easterly its a real concern of ours as well. We have a section thats part of our infrastructure security that focuses on physical security that is taking a hard look at this issue. Weve done a few assessments to date and were looking to update them working with our partners. But ive spent time in particular up in new york where there is a real concern from our folks on the ground of nefarious use of some of these capabilities. So id be happy to follow up with you and get more information on the kind of things were doing and get your feedback on what might be more helpful to your constituents. Mr. Carter and if theres anything you can share that we can share with them in the way of grants, in the way of resources, in the way of things they can be doing to better protect or arm you with facts that are going on whether at the university level, at the plants, or crime scenes or other Critical Infrastructures that there may be resources that may not be available or aware of that we can make available to them. Ms. Easterly id love to follow up on that conversation in particular. Mr. Carter thank you very much, mr. Chairman. I yield back. Mr. Garbarino the gentleman yields back. I now recognize myself for five minutes of questioning. Director easterly, i had aly i can to start my questions today by asking about a fundamental issue. Our Cyber Workforce challenge. Cisa is obviously not the only place where the workforce gap is an issue and there are many agencies in the federal government and Companies Across the private sector that are working to improve the national Cyber Workforce. We talked about and you just said in your answers to ms. Lee how youve been able to make some hires recently. Thats very exciting news. But i want to know, what do you see as cisas role in developing the national Cyber Workforce, both public and private . Ms. Easterly yeah. Thanks for the question, chairman. So i look at this as first of all we have to make sure cisa has what we need and then theres, of course, the federal workforce. I think probably some 35,000 focused there in the country itself. 700,000. And cyber is a borderless space. You look at the big number around the world, 3. 5 million. Id say a couple things. First of all, with respect to the country, i do, just because we serve as americas Cyber Defense agency, we play an Important Role in helping to build that pipeline. Because at the end of the day, i want to make sure that cisa is successful in the next 25, 50, 100plus years. And that frankly has to start from the youngest of ages. And so one of the things that weve done based on the grant that we received, the cyber Education Training and assistance program. Weve given that grant to the Cyber Innovation Center and they make curriculum available k12. So if you are giving this curriculum to help some of our more younger members understand that, hey, this cyber thing is not that scary. Its really interesting. I want to be a part of it. That can actually start that pipeline. So i think thats one really important aspect of it. We also do train, retraining for the federal workforce for those that might want to get into cyber. And then we give grants to organizations like the end power and those are underserved communities. We are looking at using a myriad of tools. Were also working, of course, across the federal government with nist and with the office of National Cyber director thats working on a more full some Cyber Strategy. Gash grash you said its mr. Garbarino you said its borderless. I called it the third border. I got yelled at by my staff. I cant say it any more. I do want to focus on something that was brought up by one of our witnesses from she was from the bank policy institute. She testified that Financial Services sector, Cyber Workforce is spending 30 to 40 of their time on compliance. The sec. A may the s. E. C. Said at the end of the year it will probably be closer to 50 . And the s. E. C. Proposed a rule that seems to conflict with the requirements in the connelly mandated congressionally mandated Critical Infrastructure act. Im wondering, we had chairman gensler. What did you and him take to harmonize the s. E. C. Rulemaking . Ms. Easterly thank you. Having spent 4 1 2 years at Morgan Stanley and i know heather and very simple theic to those views. We dont want to create burden or chaos. What we want to do is get the information in a streamlined way. And so, of course, weve had discussions across the government. As you know, chairman, one of the things, of course, the cyber inti dent Incident Reporting council which is working best how to harmonize among the various acts we have in the private sector. I think the good news in the legislation that you all gave up us, it very specifically accounts for any crossover. So very specifically legislation says that if we if theres a requirement to report to another agency, and they have a reporting timeline thats similar to ours, if they have substantially similar information, then you can sign a memorandum of agreement so you dont have to report twice. And were making sure that is a streamline process. I think its really important again from a harmonization perspective. Mr. Garbarino i appreciate that. I know the council is supposed to be giving us a report. Were waiting for that. I did want to followup. Have you spoken to the chairman . From his testimony is teams like you it seems like you two speak often. Ms. Easterly we have spoken and we are both trying to accomplish the goal of ensuring we get the information that we need. His role is different than mine, of course. The reason why we need the information is so we can render assistance and also we can use that to help protect the wider ecosystem. So im sure well end up in a i hope well end up in a good place. Mr. Garbarino i hope so, too. 50 of your time on having somebody spend 50 of their time on compliance, that means 50 of the time theyre not on defense. Ms. Easterly 100 . Mr. Garbarino i appreciate it. I yield back. I recognize the gentlelady and former chairwoman of this committee, ms. Clarke from new york. Ms. Clarke good afternoon. And let me begin by first thanking our chairman grbarino and Ranking Member swalwell for permitting me to waive onto the subcommittee for holding this very important hearing on the state of our nations cybersecurity posture and cisas role and perspectives. Thank you, gentlemen. Let me also thank director easterly for your leadership and service and for joining us today. When i chaired this subcommittee last congress, i often remarked that there is a disconnect and imbalance, if you will, of cisas mission versus authorities. Congress expects cisa to carry out one of the broadest, most ambitious missions in the federal cyber space. But its authorities pale in comparison to many of the counterparts. At least until recently in the17th congress we worked across the 117th congress we worked across the aisle to empower cisa and make sure cisa can require, not just request, that Companies ReportCyber Incidents to cisa for the broader ecosystem. I for one am ready to start seeing those results. So director easterly, my first question is about certificatesia. Is cisa on track to making the deadline . And what would it take for cisa to move faster . Ms. Easterly thank you very much. Great to see you again, congresswoman. I think few people in this country want me to move faster than me. You know, we did want an accelerated process. We were told to go through the full rulemaking process. We are. You point out an authorities perspective. We dont do Law Enforcement. We dont do intel. Were not military. Were a voluntary agency at the end of the day. We felt that the consultative process was really important, particularly given the concerns that the chairman articulated. We did 27 listening sessions. 176 those 17 of those were virtual. We did a request of information. We received 130 comments. We did that to help create the rule which actually now exists in draft and we are going to have to go through the process. But that rule should go out, the notice of proposed rulemaking should go out on time in march of 2024. And september, 2025. Please trust me, i am trying to do everything i can to accelerate that process. We want to get it right because it is so important and so groundbreaking. Ms. Clarke yikes. My next question is, what is cisa doing to hit the ground running when these rules go into effect . Ms. Easterly so its a really important question. Some of this was reflected in our budget. Because this is not a trivial task. We need to make sure we have the people and the technical infrastructure in place to be able to take these huge amounts of reports that were going to get totoriage them, toage to triage them, to analyze them, and use them in a way to enable us to actually get that information out to protect the larger sector. And so that is a huge amount of work. Not only just the administrative aspects of the rulemaking but actually all of the technical infrastructure in place across the agency. So we are in the process of leveraging the funds that we received and will hopefully receive to be able to create that. Ms. Clarke i want to thank you. In responding to chairman garbarino, you spoke about the regulatory harmonization. Thats a really key component. Thats the only way we are going to keep our private sector partners engaged and really feeling as though theyre being heard. My next question to you is whether cisa has an approach for federal regulators like the s. E. C. Or partly cloudy about f. C. C. About entering into m. O. U. s to share incident reports . Ms. Easterly yeah, 100 . I think this is a really good part of the legislation. Specifically, it exempts the the statute exempts companies from reporting to cisa if three conditions are met. If its similar information, similar time frame, and if the other agency agrees to put an m. O. U. In place. So we are very happy to do that. We just need to negotiate each of those m. O. U. s. And our intent is to do that between the notice of public rulemaking and the final rule. Ms. Clarke very well. Before i close, i just want to reiterate how important it is that cisa continues to engage with stakeholders. And hear outside perspectives about how to make the rules as smart, effective, and tailored as possible. To the goals of circia. Thank you very much. Mr. Chairman, i yield back. Ms. Easterly thank you, maam. Mr. Garbarino the gentlewoman yields back. Thank you for being here. Love having you back. I now recognize mr. Ezell of mississippi for five minutes of questioning. Mr. Ezell thank you for seeing you this afternoon, and other members. Director easterly, thank you for being here and participating today. This very important hearing. Id like to talk about cisas partnership with the f. B. I. Especially considering the joint Ransomware Task force recent work to take down these bad actors. I understand that jcdc is working to update the National CyberIncident Response plan which will also address this partnership. This updated plan, how do you think cisa and the f. B. I. Will Work Together to address Incident Responses . Ms. Easterly thank you for the question. I have to say, you know, in my almost 30 years in government, ive never seen such a Great Partnership and i say that really sincerely. Some of that was going to personalities. I think it is very much a result of the mission. Its a function of the mission. And so we partner very closely with f. B. I. In fact, the legislation, the joint Ransomware Task force, said cisa will lead. And we made the decision. We said that doesnt really make a lot of sense. We want to make sure that f. B. I. Is with us linked in arms and so we made them a colead because its important, as you know, we have the asset response, responsibilities and f. B. I. Has the threat response. And so we Work Together very symbiotically in everything we do to ensure if there is an incident we can be there to respond and f. B. I. Will be there to render assistance and also investigate. So im incredibly pleased with the quality of that relationship, both at the federal level, sir, and with local Law Enforcement. And thats something our field forces on the ground have really developed close working relationships over the past couple of years. Mr. Ezell thank you for that. And that is just so important working with not only the f. B. I. But with our local Law Enforcement which is my background. So cisa is requesting 98 million for requirements for the cyber Incident Reporting for Critical Infrastructure. Can you talk just a little bit about how the agency plans to spend this money . Ms. Easterly yeah, absolutely. Thank you for that. So as i was saying, this is one of the most important groundbreaking things that i think the congress has done for cybersecurity because for the first time we will understand much more about the universe of incidents and attacks and we really dont. Anybody that says its going up, its going down is completely antidotal. So for the first time we will have a better picture of that. But it is not a trivial endeavor to set up the infrastructure to enable us to ingest those reports, to triage them, to analyze them, and use them in a way that protects the victim. But be able to provide that as warning to the rest of the sector and the ecosystem to help them drive down risk. So that 98 million is both people but its also technical infrastructure that will enable us to do all of those things. From Case Management to stakeholder Relationship Management to a threat Intel Platform to an analysis capability. And thats what we are putting in place now, sir, and hope we get the additional funding to allow us to do it the rye way. Its important the right way. Its important for the nation. Mr. Ezell thank you. And mr. Chairman, i yield back. Mr. Garbarino the gentleman yields back. I now recognize mr. Menendez from new jersey for five minutes of questioning. Mr. Me then dheas thank you, mr. Mr. Menendez thank you, mr. Chairman, mr. Ranking member. Second time in less than a couple of hours. Good to see you in such good moods. Director easterly, thank you for joining us today. You know, im really thankful to be on this subcommittee. I think about cybersecurity as often as i can. Im also on the transportation and Infrastructure Committee here. And serve for the Congressional District of new jersey which is home to what Security Experts call the most dangerous two miles in the country and that was really because of the physical assets and from a physical security perspective. But increasingly i think about all the challenges from a cybersecurity one. So im fortunate to have you here today and thankful for the work that you do. I guess starting off, i think about it a lot but you deal in it every day. Probably the most significant position we have in our country. How do you feel about americas preparedness from a cybersecurity perspective addressing guarding against Cyber Attacks today in 2023 on a scale of one to 10, lets say . Ms. Easterly i think we have made vast strides. Even just over the last couple of years. I think there is much work to be done, to be very frank. In particular, my big concern is nation state adversaries. In particular, china. And if you read the which im sure you did the Intelligence Community annual assessment. It specifically talks about actions that china may take to disrupt our Critical Infrastructure in the event of a conflict. I am motivated every day on the urgency of ensuring that the country is as prepared as possible to withstand but really to be resilient to at the end of the day i think our ability to prevent is very, very difficult. We have to be able to mitigate and to recover and to have the resilience to get our nation back up and running if there is a major attack. Mr. Menendez appreciate that. And when you engage from different stakeholders from industry, you know, government actors, what is their perception of the risk that cybersecurity or cyber threat poses to all of us, either from municipalities who may see their Tax Department hacked to infrastructure or operators of various infrastructure systems, transportation systems, where do you see across the board in a blended sort of average on a scale of one to 10 . I let you off because im thankful to have you here. You know, im just trying to gauge what the perception is out there of this threat and how serious people are taking it. Because we need to take this, in my pun, one of the opinion, one of the critical threats. Ms. Easterly i agree with you. I think its improving because of Colonial Pipeline. Its improving because of the scourge of ransom rare. You know, ransomware has become sadly a Kitchen Table issue and therefore were making cybersecurity and cyber hygiene a Kitchen Table issue. Its not where it needs to be but much better because of those things. Were now working with the field force day in aday out with businesses and day out with businesses large and small, with entities that werent thinking about their cybersecurity and telling them, these are the basics that you need to do. Because its not when youre doing the basics, you can actually deal with the vast majority of the kind of threats that you would get from a cyber criminal organization. Mr. Menendez definitely, let us know how we can amplify this message. When we do Small Business tours, were generally talking about Small Businesses. We should be talking about cybersecurity when were visiting all these different institutions. Small, mediumsized businesses, companies in our districts. But youre sort of alluding to the challenge that im sure gives you a lot of concern, that gives me a lot of concern is that where admittedly not where we need to be and where i see this threat, especially when you talk about nation state adversaries, because its not just china, its russia, its iran, and they are serious about having this ability to target our various online component which concerns me. But the thing that keeps me up sometimes at night because a lot in this job keeps me up at night. Cybersecurity. This cybersecurity subcommittee is great. But the reality is that the speed of the threat and the way in which it can develop is exceedingly fast. And as we do in this country, were thoughtful but that means were not as quick as oured a var sears may be. Adversaries may be. What can we do to enable you to enable your various partners, stakeholders to not constantly playing catch up which is harder and harder to do the more compounding this challenge becomes, but what can we do to potentially get ahead in the nottoodistant future . Ms. Easterly thank you for asking the question. Its a really, really important one. First, in terms of how you can help, to help amplify our message, i think, chairman, youve done that before in terms of i am a big fan of multifactor authentication. I think, congresswoman, you have as well. I would welcome all of you to help us get the message out. Thats one thing. The other thing, we have done cybersecurity round tables in some of your districts and we would love to do more. If thats something we can do to sit down with your constituents, please, let us know. We got field forces. Now, to your larger question, i think its the right one. At the end of the day, what we are doing as a status quo can help make us more resilient but i dont think its sufficient or sustainable. I think we need to take a different approach. This is one of the things weve been doing a lot of work on. First and foremost, we need to ensure that the technology in a underpins the Critical Services and functions that americans rely on every day is built secure. Secure by design with a limited number of vulnerabilities and secure by default with things like multifactor authentication built in from the start. We have, because of misaligned incentives, basically allowed innovation and we love innovation but innovation should not trump safety and security in a world where we all rely on tech. So thats a really important message. Id love to talk more about it at a separate time. The second thing is, we need to make sure every leader, every c. E. O. , every board room is incorporating cyber responsibility as a matter of good governance. Not it gets delegated to the i. T. People. But they see it as their responsibility. And then finally, we need to continue pushing hard on persistent, operational collaboration. The things were building with the cyber joint collaborative. Knowing that a threat to one is a threat to all. Its about a coequal partnership between government and industry with reciprocal expectation, a value add and transparency, where the private sector doesnt have to worry about punitive sanctions because they share information. And getting rid of the friction. It has to be a frictionless experience. We have to have shared analytics, shared platforms. And thats what were building with our joint collaborative environment and our cyber Analytic Data services. So those three things are different in kind and i believe its those kind of things that will really enable us to get ahead of this very difficult threat. Mr. Menendez thank you. I appreciate your generosity on time. I yield back. Mr. Garbarino it was an important question. I wanted it on the record. The gentleman yields back. I now recognize my colleague from texas, ms. Latrell, for five minutes. Mr. Menendez everybody was going to ask the questions i was going to ask. Mr. Latrell that was mine. I have been prepping for two weeks. Mr. Menendez i have been prepping for three weeks. Mr. Latrell i mimic my colleague from california, mr. Swalwells statement. You are the leading edge. Youre the next phase of combative frontier in the protection of our country, the cyber space. Well no longer fight wars the way my colleagues did in the military with bombs, planes and guns. Its you. So thank you for taking and shouldering that weight. To drive a point home real quick, as far as when mr. Menendez asked what we can do, i think we need to stay out your way. Understanding the cyber space in terms of threat and risk, were so siloed and thats an issue. Are you having success in breaking down those silos when it comes to multidepartment coordination . Ms. Easterly yeah. Its a great question. I think one of the things that the joint Cyber Defense collaborative gave us was the legislation. Its in statute. Its the only cyber entity in statute that says we bring together the federal cyber ecosystem. So not just cisa but f. B. I. And n. S. A. And cyber com and other agencies. Thats why it was built to actually break down those silos and weve been doing that over a short period of time, not just bringing in industry but bringing in state and local colleagues, bringing in International Partners. And then by design, bringing in the federal government. So that is not an easy thing to do, sir. We are trying really hard. And i have to say, i joined this job from the private sector. And i thought there were a lot of issues with silos and a lack of cohesion. And so we know what the problem is and were working hard to enable us to fix it. Mr. Luttrell its great to hear. Im sure the scaleability is pretty arrested russ. Working across multiple Cloud Services. And with our Threat Hunting teams. Are we having success . The communication between the two are just completely theyre just armynavy to each other. Ms. Easterly think navy. Mr. Luttrell i was waiting on that one. To my point, if we have a threat or active attack in a certain corporation department, whatever, do we have success if it can move across multiple domains with cisas ability to track that and also with notifying and prevent . Ms. Easterly its an important question. Let me talk about federalcivilian. Gov. We have been making improvements there. We made improvements in terms of solar wind. To put end point detection at departments and agencies we can do that persistent hunting so we can have that visibility. We also now have something that gives us a dashboard level view to say whats going on at those systems. So that visibility is improving. On cloud providers in particular, you know, theres something called the shared responsibility model. I think as a military guy, no one is in charge like no one is in charge. And so i have a little bit of concern with the shared responsibility model, particularly in its putting the burden of responsibility on businesses that just dont have the resources to bear it. So i think at the end of the day, cloud providers need to bear the bulk of the security burden. And the visibility should come back to the entity that is contracted with those Cloud Service providers. And so very important things like logging, for example. Security logs helps us understand the nature of a threat, malicious activity. But oftentimes, if a Cloud Service provider is charging you extra for that security feature, then the customer will lack visibility. So there are things we need to do to work with cloud providers to ensure that the shared responsibility model is not misplacing the burden on those who cant bear it. Mr. Luttrell thank you. Id really like to see that but translate down into my rural district in polk county. Its something that hasnt come to fruition yet. Im hoping that cisa will continue to push the envelope and make sure the American Public at the end of the day needs protected and not our everyone. Thank you so much. I yield back, mr. Chairman. Ms. Easterly id a lot of to come out to your district and have that discussion. Mr. Luttrell cmon. Mr. Garbarino the gentleman yields back. I now recognize the Ranking Member, mr. Swalwell, for five minutes of question. Mr. Swalwell thank you, chairman. Director, you laid out your mission and your accomplishments and your challenges. I see it that one of your greatest challenges is to figure out what are your Core Competencies and what you can do do well to have the greatest impact and then what are the gaps that cisa can fill . And also, what are the most important functions that need to be carried out . Even when doing so is controversial or risks picking a fight. So i was hoping you could speak to that. Ms. Easterly so, yeah, thank you for asking the question. You know, when i came into this job, my predecessor, a great friend of mine, did a strategic intent document. And that laid out some great priorities for what we do operationally. But you know, frankly, we needed a road map. So we spent about a year actually developing that Strategic Plan. And if you take a look im sure youve seen it. Its organized not by our divisions or our missionenabling offices. Its organized by four key principles. Cyber defense, infrastructure risk and resilience, operation hal collaboration, and operational collaboration and unification. Im a Firm Believer if everything is a priority nothing is a priority. So we basically laid out, these are things that everyone in the agency needs to do when we laid out representative outcomes as well as a measurement approach. Now, based on that, every entity, every division, every missionenabling office did an annual operating plan that lays out at a more granular level the measures of effectiveness and measures of performance that they are responsible for and i we are looking at being much more rigorous in how we allocate our resources and our time to ensure we are being good stewards of the taxpayer dollars. Mr. Swalwell with respect to that, i have a similar question. Jcdc where it can be most effective and put structures and processes in place to formalize those functions and how are you thinking about those scopes moving forward . Ms. Easterly we would like to have a team come in. This is one of the most important groundbreaking things that the congress has given us. We have the strategy that we just finished. And so the focus is about two fundamental things. One is about planning against the most serious threats to the nation. The fact that it is collaborative fusion to help us understand the threat. Now given the myriad of threats we face, there are a lot of demands that we have to enable to us be able to respond and be proactively prepared for various threats. We have operationallized with the election. But we are being deliberate about what efforts we take on and that is based on the threat and the feed pack we get from our partners. If you look at the planning, its walker, to reduce control systems. It is things that based on the threat and the risk, everyone has measurable and we get feedback. Mr. Swalwell there is a proposal to release the a publicprivate Panel Established by executive order in 2021 to investigate significant Cyber Incidents similar. What would the relationship between them and cisa and interact with the reporting authority, the subpoena authority . You see them as sufficiently separate . Ms. Easterly and we actually manage the infrastructure and the fracts with that. But they have a distance and part of that Decision Making to keep some cushion there. Congress gave us subpoena which allows us to do scanning of infrastructure and if we see a vulnerability we can do a subpoena so we can tell them. Administrative subpoena that comes through as well. I think it is a helpful thing for the them to have and i dont think there are any issues with their power with cisa, which is being seen as a trusted partedner, not a regulator or anybody who is going to issue it. Mr. Garbarino i recognize, the chair of the transportation and Maritime Security subcommittee. Mr. Gimenez two splat subjects. One of them is when i was mayor of miamidade, i was approached and said there may be some issues with the cranes at our port where i think out of 13 cranes, 10 of them were made in china and maybe 70 are actually made in china. Some of those cranes, all of those made in china have the skin, the bones all made in china, but in some, the internal workings, the guts, some of the Computer Systems and operating systems may be made in germany. In sum, it is all chinese made. I was made aware there may be some threats. I have two things i am concerned about. Number one, c. C. P. Decides not to replace some spare parts when they break down, it could hurt our ability to provide commerce because most of the stuff we move move through these cranes. Or, two, if it is Chinese Software reporting back to the c. C. P. And track everything we do, what cargo is flowing through, hornets hornets have you et cetera. Et cetera. Ms. Easterly i think you are talking about the port Machinery Company and we have significant concerns. We are working with our partners across the government to help to see what we can do it given the market share piece of this. But it is a significant problem we need to turn our attention to. This is a piece of a larger issue of Chinese Technology encroaching into our National Security. And i worry about that from a very Strategic Perspective and setting up a counter c. R. P. Cyber effort and we are bringing a person on on. But this would have to get ahead of. Mr. Gimenez its his committee, not my committee. The other thing i want to talk about is completely different. 80 of the drones that are used in the United States are manufactured in china, too. And come to my attention that on occasion with these drones, you hook it up to get a software update, ok. And i was wondering when you are doing the software updates, you are downloading information the other way. Can you imagine the p. R. C. Had all the information gathered, all the images gathered by 80 of the drones flying around. That is an incredible amount of data. Is that download twoway or oneway and checked out to see if information is going the other way . I just thought of something nobody thought of . Ms. Easterly the number of chinese drones makes you worry less about the highaltitude balloon. What i would tell you from a technical perspective is not something being uploaded if they say downloads provide this update they could be putting something malicious and that what happened with the russians and something malicious. I think there are significant concerns, again given any sort of oversight or surveillance of an adversary who is a threat to this nation. Mr. Gimenez are they uploading information to the host . Ms. Easterly i do not know that. But there are chinese capabilities, tiktok, there is a ton of data from 130 million americans that are going back to the p. R. C. Mr. Gimenez what i say trojan horse, malware that is stuck in a program that sits dormant until they decide to unleash it and there may be trojan horses all over the place we know nothing about, and then ok, unleash havoc on the United States. Are we taking steps . Ms. Easterly that goes to the heart of our mission. Our job is to protect and defend with Critical Infrastructure. Im working with companies to be aware that could be used for espionage. And a lot of this comes down to education and my earlier point. The technology that we rely on every day was not created with safety and security in mind. It is important that those products are tested and developed specifically before it comes to the consumer to look for potential vulnerabilities like that. Mr. Garbarino the gentleman yields back the balance of his time finished the first round of questions. There are a couple who want to ask a second round. We will start the second round and recognize the gentleman from louisiana, mr. Carter. Mr. Carter director easterly as we see technology move as fast as it does, every day there is new mode or method to infiltrate, to damage, to destroy. On a scale of 110, what would you say your agency feels about your ability and capability to remain competitive and equal to . Ms. Easterly we are at a 7. Every day we work to stay ahead. I think to be very frank with you, i dont worry about capability. I think the United States of america has the most capable cyber forces in the world. I worry about the assem met try of values because the adversaries will do things with impunity that we wouldnt do. Thats where i think we have to be concerned. And the idea of the status quo. We have to be everybody in this nation k through gray need to do to stay safe online and Software Companies are building Safe Products and working closely together for the good of the nation. Mr. Carter along that line, the biden administrations National Cybersecurity strategy shifts from consumers to the provider. This is the big idea that could impact the price of software, its utility, cost and competitiveness for the u. S. Software industry in international markets. Much of our Economic Prosperity for the past several decades is based on innovation and computer software. What macroeconomic model is d. H. S. Proposing to deal with this . We shift the responsibilities. And there is a lot of risks and a lot of challenges . Ms. Easterly i cant speak to the macroeconomic model. Mr. Carter thats number three. Ms. Easterly im happy to follow up. At the end of the day, shifting the burden. Just to talk about this at a strategic level, its been 40 years since the internet came into being and think back to 1983, no one thought of security when creating the internet. Nobody thought and we were moving fast and breaking things with social media and a. I. And hurdling into a space and dont know what the outcomes will be. Im a huge fan of innovation. But what im saying is we cannot let innovation be the most important thing that we look at when we are thinking about creating products that americans rely on every single day. I want to live in a world that i dont want to teach my 90yearold mom. I want to live in a world that i dont have to check the box that i agree to use 17,000 word contract to turn my phone is that says you are libel. Mr. Carter arent we there . All of the things you just mentioned . Ms. Easterly where security and safety is baked in, your seatbelt and air bags come with your car. Mr. Carter i find that the more technology moves, the move sophisticated the basic functions are. You mentioned the telephone, you mentioned it exists now and getting more complicated for the average person to use. And i understand the importance of technology moving. Are we moving in the direction that we are able to combat the threat of the infrastructure threat of ransomware, cyberattacks that cripple networks . Ms. Easterly we are getting more capable as a nation and the growth in this agency that the congress has generously helped us with. But i think we are saying the same thing, the complexity and not putting the complexity on the consumer. The complexity needs to be put on the provider so everything is seamless and easy for the consumer. The consumer shouldnt have to figure out how to implement the security controls. They need to come based in. Mr. Carter are you concerned with what it does to the economics of it . And go into the macroeconomics. The costs associated, what does it mean to the consumer, as we shift more responsibility to the provider, safe to say we will see sound pushback of what it costs to the individual . Ms. Easterly i would like to live in a world that has much more safer products and increasingly vulnerable where everything is going to be smart and i. O. T. , i would pay it at the front end and know i have a safe product rather than knowing im going to get attacked with ransomware. Mr. Carter we have to take into consideration we have a lot of poor people, a lot of people that see what we are talking about tacked onto the consumer makes a big difference to a person who is on a fixed income that is unemployed or underemployed. We are considerate of the fact that we want to make sure that the provider does this and may be an extra cost associated, lets be mindful that extra costs to Many Americans can be deal breakers. We can make a real difference to those entities that are not well resourced at all and 80 of the money goes out to local and 25 of that goes to rural. So it is very specifically focused on how to improve cybersecurity that dont have resources, so what we have seen to date is requests for training to improve that cyber work force and seen requests for equipment and requests for assessment and 15 plans in. We have approved all but two of them and in seven, the money has already gone forward and i think mississippi may be one of them. But that money has already disbursed. So we are working hard to get it out of the door. Mr. Ezell hopefully reach out and come out and help us a little bit. Ms. Easterly i would love that. Mr. Ezell we have talked about some of the threats in your view what is the gravest cyber cybersecurity threat that we should be focused on . Ms. Easterly artificial intelligence. Incredible things that a. I. Will do but talking about talking about security in mind have the capabilities have the right control and guardrails to keep us safe and secure. I think those two challengers are things that we will be concerned about over the next 10, 20 years. Mr. Garbarino i now recognize mr. Gimenez for a second round. I appreciate you holding this hearing and my colleague we have ports and Cybersecurity Spending because of the being very sensitive of our technology is produced in china. The only reason i like being here, my grandmother lived to 9 and had High School Education and watching the Technology Develop and the advances in technology and she said it didnt scare her but what scared her how quickly it was changing and your point about innovation brought me back to those conversations and they are important ones. You brought so many good points and thank you for your testimony and what you are doing. Secure by design, secure by default. There is a challenge there because as my colleague was alluding to how much of technology is produced in china. And secure by design, secure by default makes complete sensef we are not developing it, how do we make sure and hold accountable. And which we are. It is becoming a compounding problem where we are losing the ability to live without this technology and yet we are not developing it ourselves and how in this manufacturing r d space tay we are living in countries like china do we get secure by design, secure by default future . Ms. Easterly if there is Chinese Technology or products within our supply chains but for the federal government and in terms of our ability to use a platform for informing owners or operators about the dangers of Chinese Technology we would recommend that be replaced or not used frankly. Mr. Menendez that is a challenging thing. And go through all the levels of the supply chain and make sure they are secured by design, secured by default. Ms. Easterly easy does not appear in the National SecurityCyber Strategy but one and you know, we have to understand the supply chain, incredible complexity. We cant say because i didnt know, our foreign adversaries and now our infrastructure has been compromised or ultimately destroyed. These are all very difficult things. Frankly, this subcommittee and this partnership is so important to the security of the nation. Mr. Menendez im sure these are things we want to work on. If there is a way or almost thinking about a service a way Onboard Technology and bring it through, going through the supply chain on the sanctions front and all the work around it from different state actors and f. B. I. That is challenging to track and being able to do that cross border, that is going to be a challenge. But this was helpful. My colleague from texas just arrived and make sure she gets to her questions and i look forward to continuing this conversation with you and your staff. Mr. Garbarino i recognize mr. Gimenez for his second round. Mr. Gimenez you said the big threats are c. C. P. And a. I. And we also talked about to start to decouple and i heard of a major purchase of major computers from one of our departments like half a billion dollars worth and makes you start, are they listening to us. Who are they listening to that they would half a billion dollars in Computers Made in china or chinese companies. I think we need to get that word out. I serve on the select committee on china, one of the areas that i find where we have bipartisan support. We are kind of think the same way. May not have the same solutions, but we are its good to see that america has woken up collectively and we are working to address this threat. I want to go to a. I. People are trying to make say we need to slow down a. I. We cannot slow it down because our adversaries are not going to slow down and they understand the potential of artificial intelligence. But in military hardware, a. I. Is get that advantage on us, its huge, huge. We cant. We have to keep going. But that being said, a. I. Has the potential to do incredible good. Mankind, woman kind, the human race can explode with new findings, new knowledge, new abilities through the use of this technology. But then a. I. Can be incredit apply destructive. The only defense we have against a. I. Is a. I. So are we developing that capability . You have a. I. Can do good and you know a. I. Can do bad and you need a defensive a. I. To fight the bad a. I. Ms. Easterly there is a lot of work being done on the defensive side and offensive side and i agree with you, congressman, there are Amazing Things that can be done with this capability. But i have also much like you seen a dark side. When i was in the army and deployed many times and head of counterterrorism at the white house and what i worry about are our adversaries, whether a nation state like china, or a criminal using this to create cyber weapons, bio weapons, to do things that we may not do in a valuebased democracy. And we need to have those important conversations because i really do believe in the good for technology, but a. I. Will be the most powerful weapons of this century and the most powerful weapons, Nuclear Weapons were built and maintained by governments that were disincentivized. This technology is built by companies to max mids profits to their shareholders. Its a different conversation and i applaud the efforts as well as many across the federal government. It is incredibly important. Mr. Garbarino i now recognize the gentlelady from texas, ms. Jackson lee, for five minutes. Ms. Jackson lee let me thank you for the courtesies and thank the Ranking Member extended. I appreciate being delayed tore other meetings. Let me direct you director effort eastly. I invited you last year to the energy brain trust that i hosted. You were kind to send someone but i am inviting you for 2023. This and brain trust has been around for more than 30 years and participation in the administration. Someone is taking note and i appreciate it very much that you are doing so. I want to continue the line of questioning. I find the production domestically of chips. And how important is the manufacturing of chips in the United States the cybersecurity of our system doing our chips and having that manufacturing capacity right here in the United States . Ms. Easterly hugely important to have chip manufacturing capacity from a technology perspective. In terms of cybersecurity systems, chips are not a huge piece of the actual process but part of the technology. Ms. Jackson lee we remember doing that through the pandemic that cars were not able to be manufactured because of the supply chain. Let me move to houston. List of critical trashing includes petro Chemical Companies and years past or infrastructure, it was missing the which rely on automation. Have they engaged to cisa in order to develop a good working relationship to deal with their Critical Infrastructure problems . Ms. Easterly yes. And have great relationships with those industries. Ms. Jackson lee one of the gaps insista in terms ngos, faith organizations, neighborhood organizations, Small Businesses, maybe even small colleges and i would be interested in working with the agency for a round table in laying the ground work of forming that kind of level in the United States that are not necessarily informed. Is that a good idea to make sure we can have cisa in our communities talking to that level and be able to raise their understanding of the importance of cybersecurity . Ms. Easterly love it. Ms. Jackson lee we have heard the horrors of ransomware. We have heard the stories, the tall tales and russia continues to harbor large numbers of ransomware gains. Do you want to expand how you have gotten your hands around ransomware. A. I. Is here. Just talking to my seat mate here and said it was coming and we both agree it is here. I am concerned about large population, low income and minorities and rural persons out of the circle of even understanding a. I. And good and dangers and relate that to cybersecurity. First russia and ransomware and second the a. I. And accessibility to lowincome communities. Ms. Easterly we have done so much since the summer of 2021 following the Colonial Pipeline attack. We set up a onestop shop website that brings the federal resources of the government to explain what ransomware is and what to do when you are hit and build resilience and set up the joint Ransomware Task force and targetresearch for those communities like schools and hospitals and water facilities and we are focused on ransomware and best practices they can use. The other thing we Just Launched is ransomware vulnerability pilot no matter what your size is and get a prioritized list of where they might have vulnerabilities wrlg actors have specifically leveraged ransomware so that allows those to patch them and our initiative where we are getting tips that tell us that malware has been deployed and not activated. And then we reach out and we have done it with k12 schools to help them prevent a very bad day and that is the virtue. Those are some of the things and we will continue to drive that forward. On and we have to have a hard look at who they are being used by. And also the guardrails for safety and security that are being put in place even as we innovate. And hugely important conversation. So i appreciate the question. Ms. Jackson lee i thank you so much. Thank you for the time. I yield back. Mr. Garbarino the end is almost near. And everybody has been here today for a second round of questions and we never had Something Like this and everybody respects your opinion. So im going to recognize myself for my second round of questions. Information coming out is frequently already publicly available and isnt as timely as it couldp what information do they get. And members already participated in . I wanted to add, they all love the idea. They love this complaint about it. If you could answer. Ms. Easterly one of our operating at cisa. And talking to our partners. The model has to be and adding value. If we are not adding value. We should go away. I know how hard that job is and just trying to help them. We have heard various labors of you know, these products are fantastic and what we have already seen. I dont want to put too much into the fact these are all you might hear one or two things. I would like to come back to you with a more fullsome presentation. We did two round tables. And what is different in the products and advisories we have put out, they are multi sealed and that makes a difference to have cisa, f. B. I. And n. S. A. And International Partners and sending a koa herpt signal to industry that this is the voice of the u. S. Government providing this feedback. And we are enriched by our Industry Partners to help make those products better. Ill go back and get you more specification on that. We have evolved that into a better place. Mr. Garbarino everybody i have spoke to cisa has been much more responsive than other agencies involved. Its great on your part. I do appreciate that. We have there was some comments about how membership and maybe work that into the presentation. Talk about cisa balances having a wider range of partners and could reduce the efficiency of official collaboration. Ms. Easterly thanks for asking the question. Trust. A lot of people want to join that and we want to benefit from their vulnerabilities and capabilities but we have to make sure we have trust groups. So we started out in august of 2021 and started out with big test companies. Why . Because they have the most global visibility they have global reach and that was eliminated and lacked visibility. We started out with a small group but since that period of time, we have been adding on hundreds of partners. But the projects that we work on are pavingly 20 of these entities. And we are keeping the trust group small and focused on efforts that address the biggest risk to the nation and doing after action reviews to ensure we can take great advantage of the talent, the authorities and capabilities. One other thing, we talk about industry but this is industry, International Partners several partners and state and local partners. When you think about the visibility that comes together based on the input of those partners, i would challenge some of the comments about the lack of value. As we have evolved we are getting into a place where that information is enriched and full of a lot more value than anything we have provided for. Mr. Garbarino i have a couple more. Ill let you respond in writing. I yield to the Ranking Member, mr. Swalwell, for his second round. Mr. Swalwell just following up on my colleague from the miami area, he talked about the concern about chinese drones and chinese technologies in our infrastructure and i mentioned to him but ill mention to my John Garamendi called the Airport Infrastructure vehicle which would prohibit federal funds being spent on chinese buses. They are flooding our communities with cheap passenger buses. And its not just that this hurts the ability to make it in america, they are wiring these buses with wifi and other abilities to connect to the network and well send it to everyone. On a. I. , i take this to the worst case scenario, a zero click attack is where i could receive a text message or email and even with the best cyber hygiene, because it was sent to me, thats it. Theyre in. And i also understand to conduct those zero click attacks, they are expensive. And have to get in someones systems or device. Does a. I. Put us at risk of significantly reducing the cost of adversary. Ms. Easterly i dont have a technical study on that, but i would assume so. As much as a. I. Can be used for Amazing Things. It could be used to cause great damage. The saying is you only have to be right once, as an adversary you have to be right all the time. Think about the offensedefense. And so it makes our job even more difficult. The optimist and i used to be and we can create these a. I. Capabilities. But the thing that i worry about we are hurdling into this space driven by competition and business, not necessarily driven by safety or security concerns. While i am concerned about china, look at the difference, china is focused on implementing a. I. With a huge amount of regulation. Thats the difference. They are being purposeful about how they are controlling and evolving that capability. We are not. We need to think what a. I. Looks like in china and how it can be use for nepharious purposes. Mr. Swalwell switching to insurers and most successful insurer is not the one who has the most policies because you would not and i know in the Cybersecurity Strategy you put out, you conceive or contemplate a tr inch alike system and if you could speak to Cyber Insurance and im thinking about the giants they are going to figure out. I really do worry the smaller and mediumsized businesses that are wrap up here with my final minute to speak to Cyber Insurance . Ms. Easterly we are doing a study based on the National Security strategy. We dont have a comprehensive view of the landscape because we dont have legislation. We have that implementation. I think that hinders Cyber Insurance companies from being able to price Insurance Companies if you dont understand what baseline is for Cyber Incidents and attacks. Some of the discussion i think lloyds made the decision they exclude state actors. It would make it difficult and state sponsored. If a state i think will benefit from a better understanding of the ecosystem and i think robust trialike study, i welcome that. But i would like to dig more deeply into. Mr. Swalwell i yield back. Mr. Garbarino i love the idea on the Cyber Insurance. I think we dont have direct oversight like the Financial Services committee. And we will need a hearing on that would be great. I thank the director for the valuable testimony and members for their Great Questions today. The members of the subcommittee may have some additional questions. I know i do for you and we would ask the witness to please respond to these in writing. Pursuant to committee rule, it will be held. The subcommittee stands adjourned. [captions Copyright National cable satellite corp. 2023] captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap. Org