
And affected 300,000 users in 150 countries. Members of the Science, Space, and Technology Subcommittee looked at ways to strengthen the government's cybersecurity posture. This is just under two hours.
We will come to order. Without objection, the chair is authorized to declare recess of the committee at any time. Good morning and welcome to today's hearing entitled, Bolstering the Cyber Security Lessons Learned from WannaCry. I recognize myself for five minutes for an opening statement. I want to welcome the witnesses here today. And I would also welcome Chairman Smith, Oversight Subcommittee Ranking Member Beyer, Research and Technology Committee Chairman Abraham, Research and Technology Ranking Member Lipinski, members of the subcommittees, our expert witnesses and members of the audience. Cybersecurity, a content we hear mentioned frequently, especially in this period of rapidly emerging threats, is an ever-evolving concept. Maintaining an effective cybersecurity posture requires constant vigilance as new threats emerge and old ones return. Too often, however, when we hear about the importance of cybersecurity, we are left without concrete steps to ensure our systems are best positioned to defend against emerging threats. One of the goals of today's hearing is to learn about real tangible measures the government can take to ensure its IT security systems are properly reinforced to defend against new and emerging threats including novel and sophisticated ransomware threats. The focus of today's hearing will be the recent WannaCry ransomware attacks. This attack impacted nearly every country in the world. Although the concept of ransomware is not new, the type of ransomware employed by WannaCry was new. This conducted by WannaCry was instructing people to pay 300 in bitcoin in order to regain access to users' documents. Unlike typical forms of ransomware, WannaCry signaled the ushering of a new type of worming.
Ransomware which caused the attack to spread faster and more rapidly with each new infection. In light of the novelty built into WannaCry's method of attack, cybersecurity experts including those we will hear from today have expressed significant concerns that WannaCry is only a preview of a more sophisticated ransomware infection that many believe will inevitably be launched by hackers in the near future. Beginning May 12, 2017, the WannaCry ransomware infection moved rapidly across Asia and Europe, eventually hitting the United States. The attack infected 7,000 computers in the first hour, 110,000 distinct IP addresses in two days, and in almost 100 countries including the U.K., Russia, China, Ukraine and India. Experts now believe WannaCry affected approximately 1 to 2 million unique systems worldwide prior to activating the kill switch. In my home state, reportedly one of the few local governments subject to the attack, although Cook County has worked to appropriately patch their systems, it is important that we ensure that vulnerabilities are appropriately remedied in the event of a more sophisticated attack. Fortunately, the hackers responsible for WannaCry mistakenly included a kill switch, which was uncovered by an employee of Kryptos Logic and used to terminate the attack. Kryptos Logic exploited a key mistake made by the hackers when he registered the domain connected to the ransomware attack. Experts estimate that in the kill switch prevented 10 to 15 million unique worldwide systems, system infections and reinfections. Although based on information available thus far, the federal government systems were fortunately spared by WannaCry. We want to ensure the government is efficiently prepared in the likely event of a more sophisticated attack. Additionally, the committee wants to hear what Congress can do to appropriately address this committee, I'm sorry, this climate of new and emerging cybersecurity threats.
Through the lens of the aftermath of WannaCry, today's witnesses will help shed light on key steps the government should take to ensure its systems are protected. We will also hear today about how public-private partnerships are an instrumental tool to help bolster the government's cybersecurity posture. Finally, we will learn how the president's recent cybersecurity order, which makes this cybersecurity framework on this branch, incorporates the most innovative security measures to defend against evolving threats. It is my hope that our discussions here today will highlight areas where improvement is necessary while offering recommendations as we move forward to ensure the federal government is prepared to respond to emerging cybersecurity threats. I look forward to hearing from our distinguished witnesses. I now recognize Ranking Member, the Ranking Member of the Oversight Subcommittee, Mr. Beyer, for an opening statement.
Thank you. I would just like to thank you and Mr. Comstalk for holding this hearing. Cybersecurity should be a chief concern for every government, business, and private citizen. In 2014 the Office of Personnel Management's information security systems and two other systems used by contractors were breached by state-sponsored hackers compromising the personal information of millions of Americans. That same year hackers released the personal information of Sony Pictures executives, embarrassing emails between Sony Pictures employees and copies of the unreleased Sony movies. In 2015 hackers took control of the power grid in the western Ukraine and shut off power for over 200,000 residents. These three quick examples show the varied and widespread effects of cybersecurity breaches. So we know that cybersecurity breach with the genesis for this hearing was the WannaCry outbreak. WannaCry ransomware infected 300,000 computers worldwide and could have been much worse. So I want to thank the CEO of Kryptos for finding an employee to find the kill switch.
Unless you did it yourself. And we're very lucky that was found quickly and fortunate that federal systems were resistant to WannaCry. But we know we may not be as lucky next time. And we must continue to strengthen our cybersecurity posture. In preparing for this, I have learned from my staff that I need to upload our security upgrades every time I get a chance on the personal computers and on the smartphones. And the May 11th executive order on strengthening the cybersecurity in networks seeks to build on the Obama administration successes in the cybersecurity arena. And I'm happy that the Trump administration, I don't agree with him on every topic, but they have taken the next good step. The executive order calls for a host of actions and myriad of reports of federal cybersecurity from every government agency. Simultaneously, the Trump administration has been slow to fill newly vacant positions in nearly every government agency. And my concern is that the understaffed agencies will have significant difficulty meeting the dictate of the executive order. And I'm concerned that the proposed budget cuts in the Trump-Mulvaney budget across all agencies will make the task a lot harder to strengthen the security of federal information systems. We have to make sure the federal government has the staffing they need in this vital area. The executive order also calls for agencies to begin using the NIST framework for cybersecurity efforts. And I'm glad we have NIST here with us here today. They play an important role to help thwart and impede cyberattacks. They are world renowned for being used in this framework. Federal agencies will be very well served in using the NIST framework. On a precautionary note, though, some efforts to expand the cybersecurity role beyond the current mission and expertise are well intentioned but perhaps misplaced. We recently had a debate of H.R. 1224 here in this Cybersecurity Framework and Auditing Act of 2017.
Which gives NIST the auditing authority for all civil information systems. Currently, this is the responsibility of the Inspector General of this agency. They have the statute authority to experience the expertise and directly respond to Congress. NIST has no such experience or expertise. So I remain concerned about this proposal. I would be interested in any of the expert witnesses' thoughts on NIST's role in cybersecurity and auditing. So I look forward to hearing from you today and for hearing from the general, the former CISO, about his experience in these positions and thoughts. One final note, Bloomberg reported this week that the Russian meddling in our electoral system was far worse than what has been previously reported. According to the report, hackers attempted to delete or alter data, access software designed to be used by poll workers and in at least one instance, access campaign finance database. These efforts need to change votes in order to influence the election and we need to take these cyber threats seriously. I think Vice President Cheney called this a war on our democracy. Mr. Chairman, this committee held more than a half a dozen hearings on the cybersecurity issues during last Congress, including the one on protecting the 2016 elections from cyber and voting machine attacks. So given what we know about the hacking and meddling in 2016 I hope this will be precursor on how to better protect our voting systems. Mr. Chairman, I yield back.
Thank you, Mr. Beyer, for the opening statement. I recognize Mr. Abraham for an opening statement.
Thank you, Mr. Chairman. Over the last few years we have seen an alarming increase in the number and intensity of our cyberattacks. These attacks by cybercriminals and by unfriendly governments have compromised the personal information of millions of Americans, jeopardized thousands of our businesses and their employees and threatened interruption of critical public services.
The recent WannaCry ransomware attack demonstrates cyberattacks continue to go from bad to worse. The most recent large-scale cyberattack affected 1 to 2 million systems in more than 190 countries. Nevertheless, it could have been more catastrophic considering how fast that ransomware spread. While organizations and individuals within the United States were largely unscathed, due in part to a security researcher identifying a web-based, quote, kill switch, the potential destructiveness of WannaCry warns us to expect similar attacks in the future. Before those attacks happen, we need to make sure that our information systems are very ready. The research and subcommittee hearing earlier this year, a witness reporting to the GAO testified and I quote, over the past several years, GAO has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented, unquote. It is clear that this status quo in federal government cybersecurity is a virtual invitation for more cyberattacks. We must take strong steps in order to properly secure our systems and databases before another cyberattack like WannaCry happens and puts our government up for ransom. On March 1st, 2017, this committee approved H.R. 1224, the NIST Cybersecurity Framework assessment and origin act of 2017, a bill I introduced as a part of my ongoing interest over the state of our nation's cybersecurity. This bill takes concrete steps to strengthen the federal government's cybersecurity. The most important steps are encouraging federal agencies to adopt the National Institute of Standards and Technology, N.I.S.T., cybersecurity framework which is used by many private businesses and directly NIST to initiate several cybersecurity audits a priority of federal agencies to determine the extent to which each agency is meeting the information security standards developed by the institute.
NIST in-house experts developed government-wide technical standards and guidelines under the Federal Information Security Modernization Act of 2014. And NIST experts also developed through collaboration between government and private sector, the Framework for Improving Critical Infrastructure Cybersecurity that federal agencies are now required to use pursuant to the president's recent cybersecurity executive order. I was very pleased to read that language. Considering the growing attempts to infiltrate information systems there is an urgent need to insure Americans that all federal agencies are doing everything they can to protect government networks and sensitive data. The status quo simply is not working. We can't put up with more bureaucratic excuses and delays. NIST cyber expertise is a singular asset. We should take full advantage of that asset starting with the very important step of annual NIST cyber audits of federal agencies. As cyber criminals and attacks continue to evolve and become more sophisticated, our government cyber defenses must also adapt in order to protect vital public services and shield hundreds of millions of Americans' confidential information. We will hear from our witnesses today about lessons learned from the WannaCry attack and how the government can bolster the security of its systems. We must keep in mind that the next cyberattack is just around the corner and it could have a far greater impact than what we have thus far seen. Our federal government, our government systems need to be better protected and that starts with more accountability, responsibility and transparency by federal agencies. Thank you and I look forward to hearing our panel. I yield back.
Thank you, Mr. Abraham. My colleague Mr. Lipinski has an opening statement.
Thank you, Mr. Chairman. And thank you, Mr. Abraham, for holding this hearing on cybersecurity and lessons learned from the WannaCry ransomware attack last month.
The good news is that the government information systems were not negatively impacted by the WannaCry attack. This was a clear victory for the cyberdefenses. However, I believe there are lessons to be learned from successes as well as failures. The combination of factors likely attributed to the success, including getting rid of most of the outdated Windows operating systems, diligently installing security patches, securing critical IT assets and maintaining robust perimeter defenses. As we know Microsoft sent out a security patch for the vulnerability in March, two months before the WannaCry attack. These and other factors played a role in minimizing damage to U.S. businesses as well. However, WannaCry and its impact on other countries serves as yet another reminder that we must never be complacent in our cybersecurity defenses. The threats are ever evolving and our policies must be robust if flexible enough to allow our defenses to evolve accordingly. The Federal Information Security Modernization Act have roles in developing the implementation of policies as well as an incident tracking and response. NIST develops and updates security standards and guidelines both informing and responsive to policies itted by OMB. Each agency is responsible for the compliance. In each office of Inspector General that requires office on the annual basis. We must continue to be compliant with FISMA while conducting careful oversight. In 2014 NIST released the Cybersecurity Framework for critical infrastructure which is currently being updated to framework version 1.1. While it is still too early to evaluate the full impact, it appears the framework is being widely used across the industry sectors. Our committee recently reported out a bipartisan bill H.R. 2105 that I was pleased to co-sponsor that would ensure the Cybersecurity Framework is easily usable by our nation's small businesses. I hope we can get it to the president's desk quickly.
In the meantime, the president's executive order directs federal agencies to use the framework to manage their own cybersecurity risk. As we have heard in prior hearings, many experts have called for this step and I applaud the administration for moving ahead. I join Mr. Beyer in urging the administration to fill the vacant positions across the agencies that will be responsible for implementing the framework as well as shepherding the myriad reports required by the executive order. The top line budget cut of 25 was so severe that if it were implemented, NIST would have no choice but to reduce its cybersecurity efforts. This represents the epitome of penny-wise, pound-foolish decision making. This is among the best of the best when it comes to cybersecurity research and standards. And our modest taxpayer investments and their efforts secure the information systems, not just of the federal government, but of our entire economy. I trust that my colleagues will join me in ensuring that NIST receives robust funding in the fiscal year 18 budget and doesn't suffer the drastic cut requested by the president. Thank you to the expert witnesses for being here this morning. And I look forward to your testimony. I yield back.
Thank you, Mr. Lipinski. This time I now recognize the chairman of the full committee, Mr. Smith.
Thank you, Mr. Chairman. Appreciate your holding this hearing as well as the Research and Technology Subcommittee vice chairman Ralph Abraham holding the hearing as well. In the wake of the WannaCry ransomware attack, today's hearing is a necessary part of an important conversation the federal government must have as we look for ways to improve our federal cybersecurity posture. While WannaCry failed to compromise federal government systems it is sure that the outcome was due in part to a measure of chance. Rather than seeing this outcome as cybersecurity defenses, we must then increase this to better identify constantly evolving cybersecurity threats.
This is particularly true since many cyberexperts predict that we will experience an attack similar to WannaCry that is more sophisticated in nature, carrying with it an even greater possibility of widespread disruption and destruction. Congress should not allow cybersecurity to be ignored across government agencies. And I'm proud of the work the committee has accomplished to acquire the cybersecurity posture. During the last Congress, the committee conducted investigations into the Federal Deposit Insurance Corporation, the Internal Revenue Service and the Office of Personnel Management, as well as passed key legislation with providing the government with the tools it needs to strengthen its cybersecurity posture. President Trump understands the importance of bolstering our cybersecurity. He signed a recent executive order on cybersecurity which is a vital step towards ensuring the federal government is in position to detect, deter, and defend against emerging threats. Included in the president's executive order is a provision mandating that executive branch departments and agencies implement NIST Cybersecurity Framework. While continuously updating its cybersecurity framework, NIST takes in measures from the private sector partners. NIST collaborates efforts to help to ensure that those entities that follow the framework are aware of the most pertinent, effective and cutting-edge cybersecurity measures. I strongly believe that the president's decision to make NIST framework for the federal government will serve to strengthen the government's ability to defend its systems against advanced cyberthreats like with the recent WannaCry ransomware attack. Similarly, the committee's NIST act of 2017 sponsored by Representative Abraham draws on findings from the committee's numerous hearings and investigations related to cybersecurity, which underscored the immediate need for a rigorous approach to protect a U.S. cybersecurity infrastructure and capabilities.
Like the president's recent executive order, this legislation promotes federal use of the NIST Cybersecurity Framework by providing guidance that agencies may use to incorporate the framework and to risk mitigation efforts. Additionally, the bill directs NIST to establish a working group with the responsibility of developing key metrics for federal agencies to use. I hope that our discussions here today will highlight distinct areas where cybersecurity improvement was necessary while offering recommendations to ensure cybersecurity objectives stay at the forefront of our national security policy discussions. And with that, I yield back, Mr. Chairman.
Thank you, Chairman Smith. At this time, let me introduce our witnesses here today.
Captions Copyright National Cable Satellite Corp. 2008
