The committee will come to order. Cyber security remains one of the greatest challenges facing our nation. As we become more reliant on technology and Digital Infrastructure they can threat of Cyber Attacks has dramatically increased. Every day our citizens, our Critical Infrastructure operators and our federal, state and local governments have to defend against hundreds of thousands of potential Cyber Attacks. These come from criminals who take advantage of our vulnerable people, foreign actors who threaten our Critical Infrastructure, and hackers who try to destabilize american businesses. Cyber attacks are more coordinated and more dangerous than ever. In response to this threat, american regulators have begun to set new standards for Cyber Security and digital safety. They have moved quickly in that work. And in the last four years alone, federal regulators have passed 48 rules on Cyber Security. More than 10 per year. And that doesnt include new policies at the state as well as the local level. The surge of regulations comes from a good place. It represent ours governments response to a new and growing threat that has helped give american businesses some important guidance on how to keep safe from these cyber threats. The challenges that the challenge is that even though all aspects of our society are vulnerable to Cyber Attacks from electric grids to Water Systems to gas pipelines, no one, no one is coordinating this effort. This is a patchwork of new guidelines set bicep rat agencies. Regulators are working to respond to the unique challenges that their sectors certainly face and they often are not looking at the Bigger Picture of how all of these different rules interact with each other. And without that higherrer level of coordination theres no way to ensure these guidelines dont overlap, duplicate or quite simply contradict each other. The results are often confusing and inefficient. Businesses are scrambling to follow a web of new standards, ones that can change quickly with no technological innovations. Airlines have to adhere to three different regulators on Cyber Security. Railroads have six. A bank could have 16 different oversight bodies, all of whom are passing their own standard and expecting those standards to be followed. This is not necessarily a case of where more is better. We must be smart in these regulations to ensure the higher level of Cyber Security. In short, businesses and their employees are spending too many resources trying to understand these new guidelines. Companies with taking their Cyber Security professionals off the line to fill out paperwork, leaving their defenses undermanned and as a rule nerchlt we need effective regulations on Cyber Security. No question about that. But we need them to be efficient, adaptable and coordinated all across different agencies. Harmonization and harr monoizing these guidelines will make our government more efficient, help businesses compete on the global stage and ensure that were addressing Cyber Security threats in the most effective way. And thats why im working on legislation to establish a Harmonization Committee at oncd that would require all agencies and regulators to come together, talk about Cyber Security regulations and work on harmonization. Passing legislation is the only solution. We have to bring independent agencies together and start harr monoizing this effort. Marm onizing this effort harm onizing this effort. Only congress has the ability to do so. If we fail at this mission we wont be able to build the most Effective Response to cyber threats. It is the practice of this committee to swear in witnesses. If youd each stand and raise your right hand. Do you swear that the testimony you give before this committee will be the truth, the whole truth and nothing but the truth so help you god. I do. So help you god. Our first witness is the assistant National Director for cyber policy and programs. He previously served as oncds deputy chief of staff. Prior to that he spent more than a decade on the staff of congressman jims r. Langevin, principal author of the national Cyber Security act. Youre recognized for your opening comments. Nicolas good morning, chairman peters and distinguished member ofs of the committee. Thank you for the opportunity to testify before you today. Todays hearing is about a complex topic, how to set baseline Cyber Security requirements across infrastructure in a harr monoized manner. Despite the complexities, our Value Proposition is simple. In a harmonized environment well see Better Outcomes as we reduce the dollars going into regulatory compliance. Pursuant to the national Cyber Security strategy implementation plan, the office of the National Cyber director, oncd, released a request for information about regulatory harmonization and reciprocity. Oncd received 86 unique responses to the r. F. I. Covering 11 of 16 Critical Infrastructure sectors in. All the respondents represent over 15,000 businesses, states and other organizations. We have analyzed the responses and yesterday we released our summary of the more than 2,000 piefnlings comments we received. There are three key findings. First, the lack of harmonization and reciprocity harms Cyber Security outcomes while increasing compliance costs. Second, challenges with harmonization includes businesses of all sectors and all sizes and crossed jurisdictional boundaries. Third, the United States government is positioned to act to address these challenges. Let me share some of what we heard. The business round table, a group of c. E. O. s whose Companies Support one in four american job, noted that, quote, duplicative, conflicting or unnecessary regulations require companies to devote more resources to fulfilling Technical Compliance requirements without improving Cyber Security outcomes. Close quote. The National Defense industry association, whose more than 65,000 corporate and individual members comprise much of our Defense Industrial base wrote, quote, inconsistencies also pose barriers to entry especially for small and midsized businesses that often have limited resources, close quote. In some cases, respond ins noted that chief Information Security officers were spending 30 to 50 of their time not on security but on compliance activities. Ondc leads the National Cyber policy and strategy. In alignment with our mission, both the national Cyber Security strategy and recent National Security memorandum on Critical Infrastructure, assign ondc for regulation across the government. Improving federal coherence in partnership with interagency and private stakeholders is at the core of our mission. Based on feedback from the r. F. I. , oncd has begun to build a pilot reciprocity framework. We expect this to give us insight into how to best achieve reciprocity when designing a Cyber Security regulatory approach from the ground up. However, hour vision however our vision cannot be fully achieved without help from congress. As the United States chamber of commerce noted in its filing, quote, a significant challenge to u. S. Regulatory harmonization efforts are independent regulatory agency, close quote. Further, quote, the u. S. Chamber urges congress to produce legislation to address this challenge, close quote. The administrate supports chairman peters bill consistent with reports previously provided to the committee that would allow ondc to better carry out our mission by bringing them together in a policymaking process. This would act as a catalyst to develop a crosssector framework for harrer harmonization and reciprocity. Such a framework is foundational which would do three things. First, strengthen Cyber Security readiness and resilience across all sectors. Second, simplify responsibles of cyber regulators will enables them to focus on their arias of expertise. And finally, substantially reduce the Administrative Burden and cost on regulated entities. Mr. Chairman, members of the committee, in closing, legger to harmonization is a hard problem. It is a problem that has existed for decades and the trendline is generally heading toward more fragmentation, not more harmonization. Its a problem that requires leadership from ondc and congress informed by the private sector. We have the opportunity to set the stage for a more harr monoized future and i hope youll do so together. Thank you for the opportunity to testify today. I look forward to your questions. Sen. Peters thank you. Our next witness is david hencerman, director of Cyber Security at the u. S. Government Accountability Office in. That role he oversees audits on Critical Infrastructure, the i. T. And Cyber Security work force, Cloud Computing and the i. T. Modernization effort theats i. R. S. Prior to joining g. A. O. In 2002, he worked as a Business Consultant for several private sector firms and served as a Surface Warfare officer in the United States navy. You are recognize for your opening remarks. David thank you. Chairman peters, members of the committee. Thank you for inviting g. A. O. To discuss our work on the federal governments efforts to harr monoize cyber skirt regulations. Our nation increasingly depends on computerbased Information Systems and data to execute fundamental operations and process and maintain crucial information. Cyber based intrusions and attacks on federal and nonfederal are becoming more common and more disruptive. These attacks threaten the continuity, confidence and integrity of these systems including those that support our nations Critical Infrastructure. Never has there been a greater need to ensure that these vital systems have the appropriate direction and guidance needed to ensure their security. Because the private sector owns the majority of this infrastructure its crucial that the public and private sectors Work Together to protheectz assets and systems. However, when Critical Infrastructure sectors are subject to multiple regulation, the that grow and evolve in a decentralized manner this can result in redunn cant or conflicting requirements. In recent years, interest in harr monoizing these has harmonizing these has gained momentum. I want to summarize our work in this area and share ongoing efforts in. Legislation sponsored by this committee, the 2022 Cyber Reporting for critical infrastrur structure act addressed the need for cyber Incident Reporting in addition to Incident Reporting requirements that are deconflicted and harmonized. The administrate addressed harmonization in the 2023 national Cyber Security strategy. The administration also addressed this Important Information in a request for Information Published by the office of the National Cyber director, oncd, the organization that leads the administrations harmonization efforts. It sought Public Comments on opportunities for and obstacles to harmonizing cyber regulation. Further the april, 2024, National Security memorandum called for an approach to harmonizing cyber regulations as part of a National Plan for infrastructure Risk Management. Taken together these congressional actions provide an important starting point for the harmonization effort. However g. A. O. s past work and ongoing observations offer notes on the challenges faced in this journey in. February2024, in a report ott ondcs national Cyber Security strategy did not define Performance Measures. We have found that welldefined Performance Measures allow for more accurate assessment of the extent to which initiatives such as those found in the National Cyber strategy are achieving their stated objectives. Without identifying the appropriate outcome oriented Performance Measures, ondc may be limited in its ability to deliver the effectiveness of the National Strategy in meeting its goals of better securing cyberspace and the nations Critical Infrastructure. Further, a 2023d. H. S. Report required found Cyber Reporting requirements across our nations Critical Infrastructures. Among those we found substantive differences such as varying definitions, differing report timelines and other mek niches. Notably the report only looked at one aspect of cyber regulations and still found 45 applicable requirements this. Serves as a stark reminder of how many regulations likely exist in the broader realm of general infrastructure Cyber Security and how much work will be required to excuse me, to harmonize these numerous requirements once theyre identified. In summary, given the increasing need for harmonized cyber regulations it will be important for stake holds for the this vital process representing the legislative executive branches to continue to work toward a common goal. It will also be crucial to develop goals for this process based on both realistic time frames as well as measurable performance. This whole of government effort will require two things. One, a continued focus to ensure the performance goals are well defined and outcome oriented and two that the appropriate ground work is laid to fully understand the universe of regulations to be harr monoized. By taking these actions we can better position our nations Critical Infrastructure to successfully defend itself against the growing and everpresent Cyber Security threat. Mr. Chairman, this concludes my state. Thank you. Sen. Peters thank you. As both of you mentioned in your opening comments and i mentioned in mine, we know regulations are used by federal agencies in multiple ways. I mentioned in my opening about making sure we have clean water to drink. Protecting investors from predatory practices, and the list goes on. Cyber security regulations have received a greater amount of attention giving the given the growing threat of Cyber Attacks which is not going down and could argue is going up on our Critical Infrastructure and federal i. T. System which is are a particular target. Why do Cyber Security regulations lend themselves generally to be a good candidate for harmonization across these agencies . We need to do harmonization in a lot of fields but why seuber but why Cyber Security in particular . Nicolas the reason were particularly interested in looking at baseline Cyber Security requirements across Critical Infrastructure sectors is that the information and Communications Technology thats used, whether youre in a bank, a Nuclear Power plant, a Water Treatment facility, the information and Communications Technology is largely the same and the first thing that adversaries are trying to do when they get access, whether they are trying to steal money, drop ransomware or potentially affect our ability to mobilize militarily, the first thing theyre going after is these enterprise i. T. Systems. And for that reason, because the enterprise i. T. Systems are common across sector, we ealy feel strongly that having a harmonized approach with reciprocity across different regulators will help ensure that we get both better Cyber Security outcomes and less money spent on compliance. Sen. Peters very good. Several Public Comments as oncds request for information on harmonization discussed the difficulties in understanding and implementing Cyber Security requirements. Which i think leads to a Compliance Culture as opposed to dedicate regular sources to actually protecting our systems from Cyber Attacks. So how can regulators better tailor their requirements to promote Cyber Security rather than just a check the box exercise that only incrementally increases security but unfortunately does not move us forward . And in the process significantly increases the compliance burden wile not moving us forward . David thank you, senator. I think one way to thoif this is not a lot different from our duplication overlap and fragmentation work for the committee. The comptroller general was talking about the redunn cant requirements is not different its on a much greater scale. Its something thats national and something were still struggling to understand the breadth of. I think the general idea that regulations are a patchwork here and there, specific sectors will pass rules because its important to them, theyre dealing with a certain threat. When you have organizations that work across sectors or across state lines or across International Boundary you run into a lot of things that they have to do noition what they may do with their sort of, what ill call their home set of rules and regulations. And so that compliance issue becomes a real cost burden. Some of the work that weve done, we did the job in 2020 looking at states and dealing with four agencies, f. B. I. , i. R. S. , s. S. A. And c. M. S. And 35 of the states reported a moderate to significant increase in cost related to the compliance they had to do to meet thee different to meet the different regulations of those four agencies. To remove that, i think you need to look for a common framework. People caulked about talked about whether the nist Cyber Security framework offers that, but it stretches across the government that can be customized to meet the needs of individual seconders. Sen. Peters very good. As noted in your opening statement, the office of the National Cyber director is designated as the federal lead for addressing federal Cyber Security harmonization. So my question to you, what are the Biggest Challenges oncd is now facing in harmonizing cyber regulations . Nicolas certainly, thanks for the question. There are two things i would highlight as challenges. One is the threat we have here where you see dozens of regulators who have dozens more regulations you mentioned the 48 that weve seen just in the past four years. Which means that from our perspective, you really need a strategic approach, a topdown approach that says this is the framework that were aiming at. And gives that guidance to regulators. But that gets into the second challenge. The first challenge is the breadth of the problem and getting our hands around it. The Second Channel is getting all of the relevant parties to the table. As i mentioned from our perspective, the most important part of ensuring that we have a framework that is applicable across sectors and does appropriately address the concerns that different regulators have is to ensure all of them are participants in a policymaking process to design such a framework. But doing so at the moment we are limbed in our ability to do so with respect to independent Regulatory Commission which is is something that we truly need Congress Help with. Sen. Peters you stated in your testimony that the administration supports legislation that would require all agencies, including our independent regulatory agencies, to come up to the table, basically, and work on harr monoizing their harmonizing their regulations with everybody else. So specific question for you, sir, how would having this convening authority help the oncd actually address this issue . What are going on the strengths of getting this tone . David thank you, mr. Chairman. Nicolas thank you, mr. Chairman. It would help enormously, frankly. It would help because when we want to talk to our independent Regulatory Commission partner, which we do as much as we can, have a we have a coalition of the willing. We have folks who want to come to the table, who believe this is an important problem, and have a conversation about it. But having a clear mandate from congress to bring everyone to the table will let us do what we do best at oncd which is listen to our partners, work with them to address the challenges, an as i said, design a comprehensive framework that allows for harmonization, but just as important, reciprocity. The idea that once ive proven as an entity that i have met the requirements once, i do not need to do so, no matter how many other regulators are asking the same questions. Thats what will allow us to both get better Cyber Security outcomes and at the same time reduce the burden on businesses. Sen. Peters thank you. Senator hasan, youre recognized for your questions. I appreciate our witnesses being here, thank you and the teams you work with for the work you do. I want to start with some questions about where we are on certain issues. Sen. Hassan recent Cyber Attacks like the one on health care months ago highlighted the impact Cyber Attacks can have on critical services. We saw that an attack could result in a major disruption to the whole National Health network. What steps have your office and different instra structure sectors taken to identify potential single point os failure in Critical Infrastructure . Nicolas thank you for that question. Its one thats important tour work in the administration. When i was on the hill i actually worked with the Cyberspace Commission where we talked about systemically important Critical Infrastructure and if you look at the president s letter to congress, delivering the report on section 9002 of the fiscal year 2021 National Authorization act in respops to Congress Request he specifically highlighted the fact that we need more policy on systemically important entities as a key goal of the policy process that we kicked off in november of 2022. That has produced this new National Security memorandum and right now sector Risk Management agencies are working to, within their sector, identify exactly as you described these critical points of failure and then working with the National Director to ensure once weve got them identified we can ensure we are appropriately managing that risk. Sen. Hassan another question for you, effective implementation of Cyber Security laws requires a federal work force with the necessary skills. Whats the director doing to expand the work force so Government Agencies have the expertise needed to safeguard our countrys Cyber Security . Nicolas there are two things i think ill highlight for this. Something thats a key priority of National Cyber director harry cokier jr. The first is that we recognize that our regulatory partners need Capacity Building or Cyber Security regulations. Were talking about how we need harmonization we need to ensure they have the appropriate expertise. Thats something we at the office of National Cyber director with our partners at the office of management and budget in our annual budget guidance we provide to agencies have specifically highlighted for the fiscal year 2025 budget as a key priority that they are making investments in the personnel that they need in order to do their jobs effectively. More broadly, one of the key goals of implementing the National Cyber work force an education strategy we released last year is both removing barriers and broadening pathways to entry. A Key Initiative we are focused on right now is skills based hiring. Its removing the barrier of saying if you have the appropriate skills to do a Cyber Security job but you do not have a Fouryear College degree that should not be a barrier in terms of your being able to join the federal government and just at the end of april we announced that next year, the 202 the 2210 series, the largest series of federal employees, theyre working to ensure all 2210s ugh you can hire using a skills based process which see believe is incredibly important to getting the talent we need into federal jobs. Sen. Hassan thats really helpful. Stay in touch if there are additional strategies we can employee to bring people in from the private sector to work for the federal government. Mr. Hinchman your written testimony talks about harmonizing Risk Management planning. I introduced Bipartisan Legislation last year to codify the department of Homeland Securitys national Risk Management process. Im pleased to see the white houses National Security memorandum includes a requirement to implement part of our tbhism memorandum requires the department of Homeland Security to develop a National InfrastructureRisk Management plan. And to update it periodically. How could this plan improve Cyber Security across u. S. Critical infrastructure and how could the plan help harmonize regulation . David i think this plan will go a long way toward all of those things. The National InfrastructureProtection Plan was last scwhrup dated last updated in 2013. Its desperately needed. The world has changed so much in the last 11 years in terms of technology and how its used as well as the threats we face on a daily basis. I think the National Cyber securities approach of building for what purpose a Risk Management plan that starts with the sectors, very sectorspecific, makes them go out, understand what does their Threat Landscape look like, which then ill come in to oncd or excuse me to d. H. S. Which informs the National Plan which is unsubmitted to the white house, is a very important first step for understanding what it is were facing and what we need to have out there so we can ensure that individual sectors have the customized Cyber Security standards they need in addition to the National Framework thats developed. Sen. Hassan and as they have the infrastructure they need, you can identify things they have in common, as were talking habit harmonizing efforts, trying to make sure the Regulatory Framework is reflective of those specific needs. David absolutely. We dont yet understand what we dont know. Until that work is done and these efforts, as hes been describing, thats going to come together and well understand the landscape a lot better and that will ensure positive doments like structures in sectors and one more question to you, mr. Important reporting requirements for Companies Targeted by a cyberattack. Companies must inform department ofHomeland Security about cyberattacks on Critical Infrastructure. These reporting requirements provide the federal government with Important Information to prevent cyberattacks on other companies. One way to improve reporting requirement is streamline them to patriotic sure companies are able to fulfill obligations. How are the federal government streamlining reporting requirements for cyberattacks . I would argue that effort is in its infancy. The press that you see about the rule that came out last year with cisas proposed rulemaking has people concerned, that there isnt that harmonization happening yet. Small businesses are scared that they will be crushed under Administrative Burden and there is still work to be done that we are imposing there is going to be a burden but there needs to be sensitive activity to differentsized organizations. In july of 2023, the office of the National Cyber director released a request for information cybersecurity harm niecessation. Lack of theme amongst regulators and independent regulatory agencies, the federal communications commission, federal trade commission stands out to me. How is it incorporating the feedback from the r. F. I. Into their work . Thank you, mr. Chairman. We are very much the reason that we put out the r. F. I. Is absolutely that we rely on the input of our partners in the private sector and interagency to inform our work. There are a couple of things that stood out in terms of the r. F. I. And approaching how our work is Going Forward. One element is the fact that reciprocity which should be part of the solution was really highlighted as something that is absolutely critical to our getting this right. The focus on the compliance burden points to the fact that yes, you want to harmonize because that gives you the simplicity and clarity of what it is you need to do but need the reciprocity that translates into less compliance costs. The other thing that is highlighted, the amount of supply chain Risk Management and that for a number of companies they are trying to figure out how do they manage risk in their supply chains and connections back into their networks or there is disruption in their supply chain could impact their business. Having a harmonized framework would help them do their internal risk processes which is not something we were thinking through at the outset and now say this could be a catalyst for businesses, too and you could help them manage their Business Risk and say, these folks have met the baseline standards and helps us understand what their posture is for our own risker management. In your testimony, you highlighted that the federal government should adopt model definitions and consider setting minimum cybersecurity requirements. How do conflicting contribute to the difficulties in overall compliance . Any time an organization is subject the word is regime you run into compliance burdens. And we have done work in the Financial Network that cisa spends 30 , 40 on compliance rather than cybersecurity. And it gets to duplication overlap and multiple reporting regimes, you spend a lot of doing paperwork rather than focusing on your job because you need to meet the requirements. A single overarching framework would remove a lot of that burden so there is a single point of reference that everyone starts from when thinking about cybersecurity and includes reporting requirements. And when we talk about reporting requirements, there is a framework beyond that, protection of data and Response Recovery and really important that people go to one place, know where that starts and streamline the compliance requirements. There is a compliance burden, but we can do a lot to streamline that and minimize it. To what extent has disharm niecessation impacted the ability of companies to compete internationally . That is absolutely been something that we have heard because for a number of reasons i would say. First and foremost it can Mean Companies need to invest in multiple systems. So you are forcing them to duplicate their Information Technology because they are subject to dishair moan just regulatory regimes and when that is the case, if they are competing against a company say in europe that is only operating under an e. U. Framework, they will be at a competitive disadvantage. I think that really points to part of what we are hoping to get out of this effort if we have a strong federal framework or baseline cybersecurity requirement developed by all of the relevant parties in the interagency and the independent Regulatory Commission that is very helpful for us in digital trade negotiations, in other export of american businesses because we can say we are looking for mutual recognition with our International Partners and give folks what exactly that means because we have a single framework to point out because when you look at mutual recognition because we are pointing back to what were doing which is a hodgepodge of different regulatory requirements. Senator lankford, you are recognized. Thanks for the information and background. I had to run and out through this hearing. You gave a stat earlier that i want to drill down. One of the business organizations said they spend 30 50 of their time not on security but on compliance. Did they give you information or sense of what that compliance is that could not be and thanks very much for that question. That 30 to 50 is for chief Information Security officers and their time. That was in response. More recent testimony that was given in april said when you look at the teams time sometimes it is up to 70 . 70 of the Human Capital han 70 of their teams time was spent on compliance activity. The concern that we have is not that there shouldnt be requirements, there absolutely must be. The Financial Services system is vital to our economy and National Security. However, when you have time spent on developing reports, responding to examiners questions, not in a standardized way, that is a challenge and a further challenge is if enough regulator comes in and says, hey, yes, you have all of these reports that you developed for the first but we have different opinions with respect to risk and the chairman had asked earlier about why cybersecurity is amenable to harm niecessation and the risk is the same Information Systems. Imrm more of a cybersecurity guy than a compliance guy. I met with some folks that were in Rural Health Care and Nursing Homes and skilled nursing, they are frustrated because they are adding additional nurses not to see patients but to fill out forms requested by c. M. S. They have increased compliance. You got more forms and not more care. And i know we have duplication, but we have increased requirements to do some of these completed forms to turn in to be able to put in a drawer and they can say you didnt fill out the form completely. I need to ask why o. M. B. Doesnt have the authority to do this. Onlily there is authority that o. M. B. To coordinate in all agencies. What is unique that gives this legislation that o. M. B. Doesnt have right now . First of all, we are lockstep with the office of information and Regulatory Affairs at o. M. B. And work closely with them. Part of the challenge they have is they dont have a Gold Standard when it comes to executive branch regulators and said this isnt harmonized. You can come to a regulator and said this is what good baseline cybersecurity requirements look like. The other challenge is the independent Regulatory Commissions which we do not have the authority nor o. M. B. Or the National Cyber director and from our standpoint, we need to hear from everyone in order to design something effectively and that is something from the administrations perspective, the administration supports the approach that chairman peters has laid out. Im going to defer and be done earlier rather than later. I know that is shocking. Chairman peters, this is an area we need to work on in the independent agencies not just in this area but in a broader area. Im not going to force a comment on this, my perspective, there are independent agencies feel like they are independent from everybody. They are not independent from everybody. They need additional oversight and need to go through the review and boundaries that need to be there when they are creating new regulars. They need on some kind of oversight not only in this area but broader area in the days ahead. I agree with you. And this is a very meaningful example of how we have to bring them together in a key area. But im with you. Senator rosen, you are recognized. Former Software Developer systems analyst, i. T. Can help us with streamlining the process and remove those duplicative reporting. You shouldnt have to put it in this form. It should populate in all the forms. I think there are a lot of things that can happen concurrently and a lot of ways to work on this and i look forward to working on that as well. But im going to talk about cyber incident trends. Implementing these regulations, they create large data tests of information about the state of private sector cybersecurity. Im a former analyst and Software Developer, the data can bolster the resilience of the public and private sectors by identifying widespread vulnerability, i merging threats, et cetera. It can be used in other ways against people as other people as well because you can deag ray vaccinate the data. How are agencies collaborating. To leverage the data to identify these trends and help us move forward faster to target the entities. Thank you for that question. As a former programmer myself, it is something that is of interest to us in conversations we have been having as we work to implement the legislation that this committee pushed forward, the cyber Incident Reporting to ensure we are seeing those gains in terms of an understanding of the cyber landscape. One of the things i remember general alexander said from the beginning of his time as director of n. S. A. , we need a picture of whats going on in cyber space. We are only positioned to do the proper analytics and i had conversations with the office of statistics, Homeland Security statistics which has a Cybersecurity Program looking at this challenge and as we move towards implementation in 2025, we need to take advantage of what we can from the broader analytics landscape and we in partnership with cisa and the department of treasurys federal Insurance Office are working on for Cyber Insurance data as well because the insurers see these trends, too. It is important we share some of the data in important ways and we are not in silos and Insurance Companies see it one way and you are missing these common threads. And speaking of working as programmers, theres a work force shortage, we know it, especially in the private sector and nearly 470,000 cybersecurity jobs open in the United States and compounding this challenge, cybersecurity teams they really spending too much time on compliance. If you want to add anything else about what he said about how we use our staff in smart ways and use Artificial Intelligence and populate data to avoid those duplicative efforts. If there is anything you would like to say i would like that and Additional Support you might need from us to help you do that. Thank you for that question. The cyber work force issue is all of us that we are passionate about in adapting the education strategy and i got into cyber policy because as a programmer i did not get trained on Software Development and i was in Public Policy classes and listening to my peers say we have concerns about cybersecurity. And i said i think i am the problem. It is absolutely a challenge that we see. A lot of the work we are doing on regulatory harmon niecessation and reciprocity is reducing the demand side. We want our cybersecurity not on delivering reports to multiple regulators but focused on how are we going to actually secure systems. So there are a lot of gains in terms of production on the demand side and wont deal with those open jobs. The thing we are focused on are removing barriers. I mentioned earlier we are doing work to ensure that a skillsbased hiring for the federal government is the way we look at things Going Forward and looking to do that in contracts and major focus of ours that there should not be requirements in federal contracts if you provide i. T. Support to the federal government that you need to have a particular degree and great way to broaden the base if that needs to come in. In addition to expanding the private sector work force we know we have to implement the National Cybersecurity strategy and adding Trained Personnel to many agencies. Everybody needs us. I met with the federal rotational Work Force Program to help federal agencies better. And so, mr. Hinchman, which agencies are required to oversee the federal cybersecurity regulations themselves. That is a big unknown. I will be doing the g. A. O. Mandate that was in your bill. The federal government doesnt understand what our cyber work force looks like. We are doing a job for this committee that is looking at five of the largest consumers of cyber work force and trying to understand how they are managing their work force at the Department Level and we are finding that in terms of the general practices that need to be applied, there is work that needs to be done and a job we are doing for chairman green looking at the cost of the federal cyber work force. And how much was spent on cyber and looking for initiatives that different agencies have to get federal cyber workers into the work force for us. But the government is really just now trying to understand what the federal cyber work force looks like. I am looking at this work and body of work that will add value to this conversation and we need to fill the cyber work force gaps. If i had my way i would be down in Elementary School teaching about robotics, stem and logic, things i carry every single day and show young folks the path forward and great exciting careers they are and get them early and get the bug, no pun intended for software and that is my hope to bring young folks along. Senator blumenthal, you are recognized. Thank you both for your work. I think we are all coming more and more aware of the need tore standard setting and rules in this area of cyber i think the general public is becoming more aware of it as well as we see the effects of ransomware throughout our economy and society. Just last february, as you well know, Ransomware Group launched an attack on changed health care, one of our Nations OnlineHealth Care Claims and still seeing the effects of it in connecticut and probably around the. Russia, cine and iran and other foreign adversaries are probing for vulnerabilities for more catastrophic attacks. Again, very recently, the head of our cyber general expressed his fierce that china are prepositioning itself in our Critical Infrastructure and creating in case there is greater conflict. Really scary set of developments. We have seen the immense cost of attacks, and colonial pipeline, merck. We need to treat this crisis like a national emergency. We need to give it the that americans should feel of a nation under attack and ramping up our efforts that russia and china cant keep exploiting this Critical Infrastructure. My question to both of you is where are we falling behind of setting cybersecurity rules that counter these efforts by russia and china that set the bar higher so that we are more invulnerable . That is a very good point and really appreciate the question, so let me do a little bit of framing and talk about the specific sectors and what we are up to and why regulatory harmonization will help. We at the office could not agree more that this is something that the American People need to understand and know about. I heard the National Cybersecurity boss said he was grateful to testify in january in front of the house about the activity, Peoples Liberation army and china prepositioning and the fact that is putting america at unacceptable risk. Unacceptable risk and we need to address that risk. One of the ways to do so is put in baseline cybersecurity requirements. This administration is leaning on the transportation sector where we have emergency directives from the Transportation Security Administration and turning into proposed rulemaking to solidify the significant gains there. There was an executive order that the president signed out giving the coast guard additional authorities in the maritime sector. One of the areas is seeing to do in the water and waste water sector there is significant deficiencies and work we need to do and i think foundational to our approach is knowing that we need to see better cybersecurity outcomes if we have a framework and say heres how you should be approaching securing your enterprise i. T. Systems which they are targeting to get that to set those beach heads. And if you will be able to invest more in cybersecurity. So we will see better cybersecurity outcomes with a harmonized baseline and we are focused on this. We are a cyber office. Our concern is cybersecurity outcomes. When we see the amount of time and efforts spent on regulations, we need to have better ones. I would echo the comments. The single Cybersecurity Framework is the important starting point. But i also think Congress Needs to expand authority. As i mentioned in my oral comments that the private and Public Sector need to Work Together and we cant compel organizations to do certain things. That does not mean we should be passing wholesale power out there. And the number of different plans have been put forward by the administration talking about the need for those agencies to approach congress with specific proposals for what they need. I think to echo the waste water thought, i have a review looking at cybersecurity that we are doing for two subject committees on Homeland Security and thats the problem they ran into. This past fall there was a much publicized that e. P. A. Ran into trying to impose cybersecurity requirements because they didnt want to go through the rulemaking process and met with a number of lawsuits from states and organizations and withdrew their requirement. There needs to be a different thinking about how we get the private sector to come along with these requirements once they are in place. Thank you both for your work and answers to those questions and thank you for having this hearing. There are many multi sillable words. But it is and we need to Pay Attention more vigorously than we have done. Thanks, mr. Chairman. Couple of time questions here for both of you. Federal agencies and not the only agency to have regulations. We have state regulations, local cities and give you a couple of examples. Massachusetts state law requires all personal information about massachusetts residents to develop, implement and maintain a comprehensive Information Security program. New York Department of Financial Services has adopted robust set of cybersecurity rules with significant requirements for any company that provides a financial or Credit Service within the state of new york and i would go on and on with that list. How is the federal government working to coordinate with state, local, tribal, territorial governments all across the government landscape to harmonize these regulations . I will both the department of Financial Services and state of new york responded to our r. F. I. And one of the things that stood out they were asking for federal leadership. And having strong federal guidelines which a harmonized set of baseline requirements would help them significantly. In terms of how they would model their work. They have worked with permanent Financial Services with federal regulators and something we are concerned about. When we see duplicative requirements whether at the state level, international level, that gives us pause. If we can set a strong federal baseline requirement and we can lead, we do have strong confidence that our state governments will look at that as a Gold Standard and move in that direction and our International Partners. One of the things that the National Cyber director has consistently impressed upon me is in his conversations with International Counterparts they bring up regulatory harmonization and they say, gee it would be great to see federal leadership here and need the United States to help us understand because you have the most reliance on technology. If you can set a and shoot for as well. It is incumbent upon us partnering between the administration and congress to set that standard. How does this contrasting federal, state, local regulations, how does it impact businesses in our country . Very similar to the problems with federal agencies, multiple requirements, the examples and reporting rule that schools are required to follow. The notice also includes schools and now going to have schools that are trying to figure out to do their reporting and these are organizations that do not have resources for this. They are undermanned and i. T. Is underfunded and maybe one person doing it for the entire district and i dont know thats sustainable. We need to think about how those state and local rules are impacted by perhaps the federal leadership thats been called for so that they have more of a benchmark to follow and states are increasingly passing privacy laws which may be conflicting with guidance from the federal level. How does a business operating both of those. And regulations, is the patch work pop up as well and needs to be managed and brought into a common framework and they know what the standards are. I thank both of our witnesses. Tank you for being here today and sharing your thoughts. Congress and the entire federal government must Work Together to harmonize our cybersecurity regulations. The testimony is very clear to that point and without question a critical stepner protecting our businesses from cyberthreats. I look forward to Work Together with you to strengthen cybersecurity standards and make sure they are coordinated, effective and efficient and give our industries the guidance that they need. The record for this hearing will remain open for 15 days until 5 00 p. M. On june 20 of 2024 with the submission of statements and questions for the record. This hearing is now adjourned. [captions Copyright National cable satellite corp. 2024] captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap. Org. Public servicg with these other television providers. Giving you a front row seat to democracy. A look at future Progressive Political candidates seeking to improve their electability. Participants learn about the