Transcripts For CSPAN2 Officials Testify On Protecting Cyber

>> inaudible conversation] >>. [inaudible conversation] >> if i am hearing background noise i request a member please commute their microphone microphone . i'm going to abbreviate my statement and will put the full statement in the record given the fact that you probably can't hardly understand me. this is the second hhearing, the last hearing was an industry stakeholders and we heard a distressing and serious gaffe. lack of shortages of cyber personnel, lack of even the most basic hygiene practices and a consensus among our witnesses that we need to help the private sector which owns and operates 25 percent of the patients critical infrastructure to defend itself from and respond to attacks . the to build 3684 will provide funding at the local, state and federal level to enhance the nations cyber resilience and response to cyber security incidents. as other public transportation systems preparedness capabilities we established an office of national cyber director, the presidents advisor on policy and strategy to identify cyber security incidents and coordinate a federal response . those are noteworthy steps but there's more to do. today we will hear from federal agencies responsible for transportation and other critical infrastructure and their efforts to help private industry . we have for the most part relied upon voluntary approach to protecting assets , choosing not to mandate standards for either security audits or exercises. in contrast in other areas of the private sector have the potential to cause significant harm and the government has established very robustrequirements that would be nuclear power, aviation , drinking water and wastewater and others to make them saferand more resilient . but there are many of these industries relate to other critical industries. the private sector and voluntary cooperation. sometimes it isn't enough. you have to spend a bunch of money on cyber security. the leeches on wall street will say why did you spend all that money on cyber security to try to commend your stock price ? we want to just put the money in the bank. so there needs to be a little nudging here and of course the cost of the incident far exceeds the investment that they should have and would have made to prevent that incident, that absolutely catastrophic incident , the more basic incidents of ransom where that are rather routine. so i don't think that implementing basic cyber security standards, reporting requirements and awareness training should be voluntary . it should be required. public safety, the national security depends on these steps. in the wake of the colonial pipeline cyber attack, the transportation security administration mandated specific cyber security protections for pipelines to defend against ransom where and other attacks. colonial had turned down the comprehensive audit efbefore the event which may have helped prevent the event. so it was voluntary so they said we don't want other vulnerabilities. last week tsa issued basic cyber security enhancements for the aviation sector next year the anti-essay intends to issue a directive. as today or this week. so this is an appropriate time for this hearing. both the gao and department of transportation's office of inspector general who we will hear from made thousands of recommendations related to cyber security and these recommendations remain unaddressed. some of their more alarming findings are dot's failure to implement cyber security risk management strategy weaknesses and faa's approach to cyber security for avionics systems and commercial aircraft . similarly the ot ips and a range of cybersecurity missions need information security. one of the interdepartmental challenges . lax enforcement of federal cyber security environment, and the ot's are vulnerable to exploitation by hostile actors and i look forward to hearing from our expert witnesses today on the best mitigation potential solutions that we can look forward to. and with that i recognized the ranking member who hopefully will add to his voice. >> before i give my statement i want to acknowledge your announcement that you're not going to be seeking reelection next term and i want to commend you for your long and distinguished career serving three decades in the house ofrepresentatives . i think that says a lot. i have no doubt you will finish out your term and work as hard as ever on behalf of your district and constituents and i believe you and i agree that transportation and infrastructure is one of the best and most important committees in congress and i know you will continue to work diligently to address the vital issues before this committee in the coming months. i do wish you and your family all the bestin your retirement . turning to today's hearing, we will continue an examination on cyber security challenges. for the transportation and infrastructure sectors, during our first term on this topic we heard from the perspective owners and operators of these critical assets about the steps they have taken to improve their cyber security prosper posture. the threats thatthey still face and effectiveness of our cyber activities . i will hear testimony from some of those federal agencies themselves and learn how they are providing support to transportation infrastructure operators and boosting their cyber security preparedness response capabilities . stakeholders have expressed concerns about aspects of those federal programs, for instance the recent security directives from the tsa and i hope we can get some answers on how to meimprove their implementation. we aalso will hear today from how federal agencies are protecting their own systems, their own data and infrastructure from ever-changing cyber threats . i look forward to hearing from our witnesses on the panel about the cyber challenges they've identified and examined under the committee's jurisdiction as well as receive updates from those agencies on how they are rising to meet these challenges and i appreciate our witnesses joining us today and discussing how operators and federal agencies can work collaboratively to improve cyber security of our nation's critical infrastructure systems and transportation systems and transportation infrastructure so with that i would yield back . >> the video does not want to stay on. it just keeps blinking off. all right, good. i know the committee will continue its great work between your leadership and others on the committee. with that i like to move to recognize the witnesses here today. the first is mister cordell schachter, chief information officer, cio dot. mister larry grossman, chief information security officer, federal aviation administration. miss victoria newhouse, deputy assistant administrator for policy plans and engagement, transportation security administration. rear admiral john w mauger, coast guard united states coast guard.en mister kevin dorsey,assistant inspector general for information technology on his audience . office of inspector general department of transportation and mister marinos. with that i would first recognize mister schachter for five minutes. >> good morning chair defazio, ranking member graves and members of the committee m. thank you for the opportunity to testify before you today and for your support of the department of transportation. i am cordell schachter, chief informationofficer . i am honored to be here with faa chief information security officer larry grossman. us dot office of inspector general assistant inspector general for it audit kevin dorsey and officials from the us coast guard transportation security administration and government accountability office . i was appointed us dot chief information officer on august 13 this year. my testimony today is based on my observations and review of the ot records during my three months in this position. my testimony is also informed by my 26years of service as a local government official in new york city . 13 years of that service as chief technology officer and cio of new york city's apartment of transportation. in between 2 tors of new york citygovernment service i worked nine years for several multinational technology companies . i've also taught masters level courses in civic technology at new york university new york city and at st. peter's universityin jersey city new jersey . i believe you asked the ot cyber security programs have improved the departments information security posture and we are on a path for continual improvement according to government best practices . us dot's executive branch has many positions filled by professionals with the knowledge and expertise bof providing service directlyto the public . this begins with secretary buttigieg and the leaders of many of our operating administrations . they have also helped keep elected and appointed leadership positions in cities and states solving problems, protecting citizens andimproving the quality of life of their constituents . we now have before us one of the greatest opportunities to improve the quality of life for all americans. we look forward to partnering with congress and our sister federal agenciesto implement the landmark ippartisan infrastructure law .on the same day president biden signed the law and executed an executive order to ensure among other priority increased coordination across the public sector to implement it effectively. we can live to that goal. our executive leadership team's experience includes making improvements to systems while they continue tooperate . similarly we will continue to improve our existing systems to make them more cyber secure while they continue to operate so that they resiliently support the ot's operationsand the american people . i want to transfer knowledge we have open audit findings from previous oig and gao cyber security audits. we respect and take seriously their assessment. i have designated cyber security improvements as the top priority for dot's information technology organizations, the office of the chief information officer . we have begun a series of cyber sprints to complete tasks and make plans to meet our federal cyber security requirements and implement best practices including those from president biden's executive order for improving thenation's cyber security . cyber sprints prioritize three areas. system access control, website security and improved governance, oversight and coordination across the ot. these priority activities address oig and gl plans. the ot is actively working to meet its responsibilities to securely improve the departments information technology infrastructure while implementing our portions of the bipartisan infrastructure law. we will also meet the challenge of continuously improving the cyber security dot information systems information technology systems while keeping those systems available for use. we look forward to working with this committee, our agency partners and the white house to strengthen and protect our infrastructure and systems. thank you again for this opportunity totestify . i will be happy toanswer your questions . >> thank you mister schachter for doing it in five minutes. we will now move on to mister larry grossman. mister grossman. >> from maritime control to the largest airliner to the smallest drone conductivity is the way of the future. it's also why we have to constantly raise the bar when it comes to cyber security . chair del fazio, ranking member graves, members of the committee, cyber threats are an ongoing concern and are increasing reliance on highly integrated and independent computers and networks is cause for vigilance at all levels of the aviation industry. this is especially true at faa we are responsible for operating the nations air traffic control system and overseeing design and testing of aircraft systems including avionics. and also for me personally as a pilot and flight instructor , but i'm here today to discuss faa's approach to cyber security within our agency . for those we regulate and for the aerospace community at large. i want to start by noting the importance of this administration's recent executive order including the nations cyber security and i want to thank congress for continuing guidance and the direction over many years. the faa's efforts to address fiber challenges benefited from your oversight and cooperative efforts withother executive branch agencies . we appreciate all input as we continually strive to make our aerospace systems safer and more efficient . you heard administrator dixon say before safety is a journey, not a destination. the same is true of cyber security. what we do today will not sabe good enough for the day after. .we are always striving to improve. we're constantly updating cyber security strategies to put into action, to cross agency cyber security commitments. the strategy includes protecting and defending faa networks and enhancing our risk management capabilities, building and maintaining workforce capabilities and engaging with external partners. we defend our at traffic control and other networks by using separate and distinct purity parameters and controls that are the responsibility of the chief information security officer and faa chief information officer. to assess cyber threats and vulnerabilities to our networks we developed a cyber test facility and are welcome william j technical center but we conduct testing and evaluation. we ensure cyber resilience in connected aircraft risk assessments during initial certification process is change the previous designs existing regulations will not provide adequate protection . >> this is critical for recovering from a cyber attack and is why we are a lead agency on the aviation cyber initiative interagency task force with dhs . it'swhy we work collectively to identify and address hyper security rests . the ecosystem includes stakeholders ranging from airport authorities to manufacturers. as technology of the aviation ecosystem evolves, we expect cyber security will continue to be a growing challenge and significant component of aviation safety and aerospace efficiency. we are prepared for this challenge and look forward to giving congress informed. i'll be happy to answer any questions you may have . >> thank you mister grossman. miss victoria newhouse, you are recognized for five minutes . >> good morning chairman, ranking member graves and distinguished members of this committee. my name is victoria newhouse and i serve as deputy assistant administrator for policy, plans and engagement at the transportation securityadministration . i greatly appreciate the opportunity to appear before you to discuss tsa's important role in cyber security for our nation's infrastructure. as you know tsa was established by the deviation and transportation security act to sign into law in november 19 2001. under the law tsa assumed a mission to undersea oversee transportation security and all modes of transportation be that aviation or the nations surface transportation systems. mass transit and passenger rail, freight rail, motor carriers, pipelines as well as supporting maritime security with our united states coast guard. as we recently observed tsa's 20th anniversary week we dedicated our self to our critical mission to protect our nations transportation systems. my personal commitment to tsa's important mission to ferociously protect our homeland is fueled by my own personal experience on september 11, 2001 surviving the attack on the pentagon on that fateful day when we all lost over 2900 77 friends, family members and colleagues . . this is not a mission we can accomplish alone. our success is dependent on close collaboration and strong collaboration with our industry stakeholders and federal agency partners including several who are on this esteemed panel today. cyber security incidents affecting transportation are rolling, evolving and persistent threats. across us s critical infrastructure cyber ththreat demonstrated their willingness and ability to conduct malicious fiber activities. targeting critical infrastructure by excluding the vulnerability of operational technology and information technology systems r. malicious directors continue to target us critical infrastructure for transportation systems. for instance, as mentioned earlier the ran somewhere incident against the colonial pipeline underscores this threat . tsa is dedicated to protecting our transportation networks against these evolving pthreats and we continue to work collaboratively with public and private stakeholders to drive implementation of intelligence driven risk-based policies and programs and continue our robust information sharing efforts . ogas reflected in the fiber security infrastructure testimony provided by our industry colleagues , on november 4 of this year we have a vital national interest in mitigating and protecting its infrastructure from cyber security threats. constantly evolving potential for malicious cyber activity against transportation infrastructure points to the need for continued vigilance , information sharing and development of policies and capabilities to strengthenour cyber security posture . tsa had mitigated the degradation or malfunction of systems that control this infrastructure by implanting immediate security requirements through security policies . after the colonial pipeline ran somewhere incident in may there was a clear understanding that we need to take more action to prevent another pipeline incidents in the future. in that vein, tsa issued security directives to immediately address these threats. we will acquire the pipeline operators who operate and transport over 85 percent of the nation's energy and assets to take immediate action to report cyber security incidents to my partner agencies, cyber security infrastructure and security agency, designate a cyber security coordinator if that is available 24 seven and implement specific mitigation measures. we continue our work across all of our modes as credible cyber threat information is driving our most recent efforts to issue more directives in the same. as chairman defazio mentioned we are working with our rail, higher risk freight rail and rail transit operators and aviation in 4 critical actions. designate a cyber security coordinator, reporting incidents to ticisa. chairman defazio, we continue our robust engagement with our partners through our service transportation security advisory committee and our aviation security advisory committee along with numerous corporate executives all the way down to the security level. chairman defazio on behalf of all my colleagues at tsa we would like to congratulate you on your decades of service and thank you for your service to all of our nation. i look forward to taking any questions you may have. >> thank you miss newhouse. it was under our jurisdiction when we had all land security . we stood it up in pretty short order and i can say it's still a work in progress but it's so far ahead of where we were pre-9/11 and i love to go into that at some point but anyway, that's not the subject of this hearing. rare admiral john. >> good morning chairman defazio, ranking member graves and distinguished members. i'm honored to be here to discuss cyber security in the maritime transportation system, a top priority for the coast guard and our national security and economic prosperity are inextricably linked to a safe and efficient marine transportation system or nts. the mts is an integrated network of hundred 61 boards and 25,000 miles of waterways . marine transportation supports one quarter of us gdp and provides employment for one in seven working age americans. nts enables our armed forces to project power around the globe and any substantial disruption to marine transportation can cause adcascading effects to our economy and to our national security. cyber attacks are a significant threat to the maritime critical infrastructure and why we must continue to work to prevent attacks, we must be clear i that attacks will occur and ensure the nts is resilient. protecting maritime critical infrastructure and injuring resiliency is ashared responsibility .li thank you for holding both sessions to allow industry and government to this despite their efforts. the e coast guard is the nations lead federal agency for protecting the nts and in august , don't release a cyber strategic outlook to guide our work ahead. at the core of the coast guard strategy is recognition cyber security as an operational imperative. to our service and for the maritime industry.im with support from congress we established coast guard cyber command and build an operational force toexecute missions and protect coast guard and dot networks . cyber forces are manned, trained and equipped in accordance with dot standards . uibut have a broad range of authorities to address complex issues spanning national defense and homeland security including protecting the nts. the coast guard approach to protecting the nts leverages our prevention and response framework to prevent incidents we leverage our authorities ntin the nations boards to standards and conduct compliance. we refer to this as a cyber risk managementand require accountability assessments, mitigations, exercises and incident reporting . to prepare for and respond to cyber incidents coast guard sectors are leading field level exercises with maritime security committees and had established commands with sbi and cisa to leave the response. cyber attacks will increasingly have physical impacts beyond computer networks. by incorporating cyber security into our prevention and response frameworks we provide a comprehensive all hazards approach to this threat. but we cannot dothis alone . as a co-sector risk management we look to both cisa and tsa as key partners. the nts is dependent on other critical infrastructure. cisa coordinates across sectors, shares threat and vulnerability information and provides cyber technical assistance. these efforts build coherence within the interagency, foster collaboration with the private sector and enhance our ability to protect the nts. our relationships with cisa and tsa are strong and will continue to mature. cyber security is a shared responsibility with the private sector s. collaboration with the industry is paramount and focused on information sharing and good governance. at the national level we stood up a cyber readiness branch within coast guard cyber command as a focal point for maritime monitoring, information sharing and response coordination. at the local level we continue to strengthen medications at our area maritime security . risk-based regulations which leverage international and industry recognized standards are the foundation for good governance . with congressional support we rnestablished the national maritime security advisory committee to facilitate consultation industry on standards development. we worked with international maritime organization to address the risks posed by foreign vessels. we are committed toa transparent approach as we balance the urgency of cyber threats with informed rulemaking . the cyber threat is dynamic. as we evolved to address s emerging needs we will need congresses continued support. we are grateful for the fiscal year 21 appropriation. investments in coast guard cyber command provide additional capability and serve a key role in protecting the nts. the establishment of 22 and he asked cyber advisors in the field are key for coordination and collaboration at our field units. we look forward to the continued dialogue with congress on this important issue and i appreciate the opportunity to testify and look forward toyour questions . >> thank you admiral. mister kevin dorsey. >> good morning. chairman defazio, ranking member graves and the distinguished members stof the committee. thank you for inviting me to testify on securing our nation's infrastructure in an evolvingcyber security landscape . the department of transportation relies on 400 it systems to ensure the safety and efficiency of our nations transportation systems. as you know, vicious cyber attacks and other compromises to these systems and dot networks may put public safety, sensitive information or taxpayer dollars at risk. our office as long identified cyber security as one of the departments top management challenges. today i will focus on three key areas. one, developing a comprehensive dot wide cyber security strategy to address recurring weaknesses. 2, protecting it infrastructure and sensitive information within dot operating administrations and three, coordinating with other agencies and energy partners. first, duon the whole dot has established formal policies and procedures for cyber security programs that align with federal guidelines . however, it still faces challenges implementing the program in a consistent or comprehensive manner. and the results, dot faces the risk of its mission-critical systems could be compromised. our office has reported on long-standing efficiencies due to dot's inconsistent enforcement of an enterprisewide information security program, ineffective medication with its operating administrations and inadequate efforts to remediate these weaknesses. many of these weaknesses can be attributed to dot lack of progress in assessing 66 of our prior audit recommendations. including those to resolve more than 10,000 identified authorities. leadership challenges also mean dot's oversight. the individual serving as the acting information security officer over the last year was not cast with information security and an official primary duty. that has made it difficult for dot to implement longtime changes. second, the ot must better protect the it infrastructure operating administrations. for example to increase cyber security, faa must direct and implement more stringent security controls for 45 high impact systems that are critical for safely managing and tracking. in addition, unresolved security control deficiencies with fda financial management systems could impede its ability to disperse billions of dollars. furthermore, penetration testing of the it infrastructure ntat multiple operating administrations we were unable to gain unauthorized access to millions of sensitive records including personal identifiable information. finally, dot is one of the lead agencies to protect the nations transportation infrastructure. as such it must effectively partner with other federal agencies and the private sector on efforts such as security and meeting the presidents recently issued executive order on improving cyber security. to that end, faa is working with dhs and dot on the aviation cyber initiatives. as the us upgrades its infrastructure dot must continue to strengthen and secure its it systems and networks awhile working to improve its efforts to respond to increasingly sophisticated malicious cyber campaigns. we remain committed to supporting dot's efforts as it works to remediate and bolster its overall cyber security posture. we will update you on our work on these and related matters.this concludes my prepared statement. i would be happy to address any questions for youor members of the committee at this time . >> thank you mister dorsey. and now finally, it's ridiculous. mister marinos. >> thank you chairman defazio, ranking member graves for inviting gao to contribute to this discussion about cyber security. as you know our nation's infrastructure increasingly relies on it systems to carry out operations and the protections of our systems is vital to national security. gao has emphasized the urgent need for the federal government to improve imits ability to protect against cyber threats for our nation's infrastructure. we designated cyber security as a high risk area since 1997. our most recent updates to congress emphasized the need for the federal government to address cyber security challenges. today i will focus on two of them. the first is the need to develop and execute a comprehensive national cyber strategy and the second is the need to strengthen the federal role in protecting critical infrastructure from cyberthreats . after the last several decades the federal government has little to establish a strategy to guide how we engage domestically and internationally on cyber related issues . last year we recorded the prior administrations cyber strategy needed improvement and it was unclear which official wasresponsible for quite dating the execution of the national strategy . we recommended the national security council consider passing legislation to designate a position in the white house to lead such an effort. in january we saw congress passed a law that established the office of the national cyber director within the office of the president and in new june it was confirmed. while this is an important step forward until we see the executive branch established a comprehensive strategy our government will continue to operate without a clear roadmap for how intends to overcome the threats facing our nation. we recorded the federal government has been challenged in working with the private sector to address our nation's critical infrastructure. since 2010 we've made over 80 asrecommendations aimed at strengthening the role in critical infrastructure. this includes by enhancing the capabilities and services of dhs cyber security and infrastructure agency known as cisa and ensuring federal agencies with sector specific responsibilities are providing its partners with guidance and support theyneed . these include important corrective actions within the transportation sector such as including faa's oversight of cyber security and tsa's oversightof the cyber security of critical pipelines and passenger rail systems . finally i'd like to highlight the urgency for federal agencies to implement all the cyber recommendations that have come out of the work performed by the gao and inspectors general. since 2010 gao has made 7000 recommendations on cyber related topics and many extend far beyond topics related to critical l infrastructure but they represent work needed to elevate the federal government and its ability to tackle cyber problems and anticipate those we will face in the future . a deal with important workforce issues such as our recommendation to the department of transportation that assesses skill gaps in order to oversee automated technologies those that control planes, trains or vehicles without human intervention . it called for improvements to federal agencies on protections is recommendations to dhs at work with agencies including a the emessay to implement tools that check for vulnerabilities and insecure networks. the agencies deserve credit for implementing many recommendations over 900 still have yet to be implemented including the related to improving critical infrastructure cyber security so clearly there's a lot more work to do and we wothink agencies need to move with a greater sense of urgency to improve their cyber security protections. in summary in order for our nation to overcome its melting and increasing array es of challenges our federal government needs to do a better job of implementing strategy oversight and coordination among agencies and with the owners and operators on the front lines of this digital battle. this concludes my remarks and i look forward toanswering any questions you may have . >> thank you for your testimony. i will try to squeak out a akcouple of questions here. mister grossman, briefly let's say the top three cyber security challenges at the faa and what are you doing to quickly implement measures to mitigate this? >> thank you for your question chairman. the faa operates large complex infrastructure of interconnected networks and services. we have many service providers includes satellite-based communications aircraft and the system has become very complex. most of our challenges are around the legacy systems in operation today. these systems are operated 24 seven 365. they require extensive testing and operate custom-built software. really they don't allow remote touching capabilities so keeping up with the cyber hygiene component is a fairly large challenge at faa air traffic control perspective. we protect that system though through controls meeting that that network while it's very difficult to patch an update, it is very difficult to get too attached to as well. it doesn't have international internet access. there is immature access control list. in other words system in a can only system b. over specific forts with specific protocols and everything else is not addressed . additionally, ... >> we need one more. mister dorsey, you were pretty critical i thought. you agreed with mister grossman's assessment of the job challenges and why you think they aren't yet rectified? >> thank you for your question chairman defazio. i think our challenges are to solidify leadership at the chief information security officer level to provide the needed leadership, oversight and accountability necessary for agencywide improvement to affect ongoing security weaknesses. two, to develop a comprehensive dot wide cyber security strategy to address weaknesses and three, to better protect and secure it infrastructure from potential compromises. two key areas the department needs to focus on to address the weaknesses that we identify over the last 10 years. >> mister grossman, are those things in progress? >> i am the chief information security officer for the faa so there is leadership within faa . we are working with the oig to close these audit recommendations. we believe that we have protections in place while many of the compliance audits have a lot of findings, the actual vulnerabilities are in our opinion most of them are mitigated through complicating calls. >> when i was speaking of the chief information officer, chief information security officer i was speaking at the department level . responsible for providing oversight over all of these including faa. >> nursing dot the faa and other agencies. >> yes sir. >> there is no permanentchief information security officer . we were serving as acting chief information security officer. >> i'm going to yield now to ranking member graves because he can ask questionsbetter with a voice that i can . >> thank you mister chairman. as a committee, we continue to hear conflicting reports from tsa and pipeline industry stakeholders regarding the issuance of 2 directives. furthermore irmyself and ranking member graves as well as s ranking member portman sent letters to dhs, oig review process in which tsa and cisa directed directives to be entered into the record mister chairman . >> without objection. >> i would like to submit to ms. neuhaus, how would tsa evaluate thepipeline security directives ? >> thank you thank you for your question ranking member graves. we continue extensive engagement. i think that's the hallmark of what we are doing in order to ensure continuous improvement. we have actually developed and implemented an entire field service operational structure so we have boots on the ground and what we have been finding thus far as you mentioned serve, we've issued to security directives this summer postcolonial pipeline. we're proud to announce on behalf of us and our stakeholders at all stakeholders that are subject to that directive have met all the requirements in the very first security directive. it's a tightdeadline. communicated beautifully with us . very vocal and frankly very direct with us when they met challenges. >> let me ask you about those challenges if i could, which have you identified ? >> the biggest one is the definition of a cyber security incident and we have taken steps and a great deal of feedback to modify that definition to not moinclude all potential incidents. we have narrowed that and focused that based on industry feedback b. >> recently the oil and national pipeline requested tsa conduct an advanced notice of proposed rulemaking to gather information vital to drafting a proposed regulation replacing a security directive. we ask unanimous consent for this letter to be entered into the recordmister chairman . >> without objection. >> i hate to keep bothering you, i know yourthroat is killing you . as i stated tsa and relevance the process to promote a greater understanding of what our reasonable applicable r audible and sustainable regulations. it will tsa issue and a npr to this information? >> thank you for your question ranking member. we are considering all our options including the most transparent option, and a npr and or advanced notice of proposed rulemaking is one tool that we have exercised in the past successfully and as we have continued robust engagement both at the classified and unclassified level with all our surface transportation stakeholders. in particular our pipeline, rail, freight rail,passenger rail and aviation stakeholders we're considering all of those options . >> we are anticipating the release of a new security directive for rail. should be as early as this afternoon if i understand correctly. unfortunately we've heard concerns about the development from stakeholders including from the freight rail industry . our previous. on cyber security in november 4 letter from american public transportation association which i asked unanimous consent to be entered into the record. i apologize for the inconvenience one more time . >> ms. neuhaus, stakeholder engagement how you conducted and how has tsa specifically incorporating feedback in these directives ? >> we have continued robust engagement and frankly we've been working closely with the united states intelligence community. our partners at cisa and homeland security, energy and across interagency to provide background information, that threat information is thriving on all of these requirements.as recently as this week i along with top leadership here at tsa have met with freight rail and passenger rail executives. with the classified briefing in our facility to show them what we're seeing, the two illicit inputs and paask them for more input for either future requirements or other guidelines that we could issue together by us just telling them this is what we need to do a we've been having successful engagement and today a number of pipeline individuals and other security personnel are receiving briefings as we speak and we do have an apparatus around the united states to support those briefings thanks to our law enforcement and intelligence communitypartners . >> will you consider the rulemaking process for any fiber requirements? >> absolutely. all those options are on the table. >> representative north is recognized. >> thank you mister chairman. i hope everyonecan hear me . i first question is for mister schachter. i'm interested in information sharing among several collectives. you each oversee critical infrastructure entities. with some oversight, overlap i'm sorry. especially regarding aviation and surface transportation which i am particularly interested in because i sit on the subcommittee on mediation and serve as chair of the subcommittee on highways and transit. can you explain to us in some detail how you collaborate to oversee the same sectors in critical infrastructure entities. >> mister schachter. mister grossman. ms. neuhaus. >> thank you for that question. congresswoman. it's information sharing is vital to securing the nation's critical infrastructure and infrastructure that theot is responsible for . we collaborate extensively within the ot. we can the faa and also with our first in particular tsa, cisa and even omc which houses the federal information security officer. krista russia, the federal chief information security officer was one of the first federal officials that i met virtually of course after joining the dot in late august. >> .. and open a channel of communication as well as following up on various directives and formal information sharing that dhs has required. >> thank you, . mr. marinos, mr. dorsey, can highlight cybersecurity issues i gave the most concern and also explain why you believe the government has repeatedly failed to fully address them? >> yes, congresswoman. i can jump in first and perhaps we can go after. i think the bottom line is that we are constantly operating behindin the eight ball. the reality is that it just takes one successful cyber attack to take out an organization, and each federal agency as well as owners and operators of critical infrastructure to protect themselves against countless numbers of attacks. do that we need our federal government to be operating in the strategic way possible. as i mentioned in my oral statement the importance of having a national strategy isn't just at something on but to execute that strategy. that carries forward to those agencies like the department of transportation, tsa and others of sector specificc responsibilities to do the same. we have seen consistently in a work agencies have had challenges in maintaining very up-to-date sector plans that would talk about the cyber threats agencies are facing and the infrastructure is facing today. we think it's important for sector specific agencies to work with our industry partners to make sure their operating off the same song sheet, if you will. >> thank you very much. thank you, mr. chairman. i yield back. >> i think the gentlelady for yielding back. i now i'm going to yield the chair to greg carson who we all know as a loud and booming voice and you will be able to understand him. so thank you. >> thank you, chair. hope you feel better. we appreciate you. mr. gibbs. >> thank you, chair. this hearing is titled evolving cybersecurity landscape, federal perspectives on securing the nation's infrastructure. ity was surprised when we bringn aa witness from the cybersecuriy infrastructure security agency, cisa. i think it might be a good idea for the future. we have had testimony in td we know that the coast guard is trying to update, create their own i.t. systems and the challenges come significant challenges your facing doing that. can you provide us an update how coast guard is working to improve your i.t. systems and that mandated by congress to do? >> congressman giffords, our approach to protecting the maritime transportation system relies on us having our own ability to defend and operate our networks.e so as part of the commandant strategy for our work ahead, he has put that defendant operate the networks, protect maritime critical infrastructure, and naval coast guard operations as those three pillars for how we move forward to accomplish all of our missions. g and operating our networks, through investments in the cares at with over $65 million in funding we've been able to make significant investments to modernize our infrastructure and push more information out to our mobile users out in the field and are cutters underway all this is premised on it being operational inherited. so the key thing is really driving us more to the establishment of coast guard command as an operational command under the purview of a two star commander overseas our daily mission execution in the it space. then the coordination with our cios who is driving those investments and modernization projects forward. >> thank you also admiral. if you can expand on the resources you're making available to of course work with our core facilities on their it infrastructure and cyber security. >> congressman, at the port level we're really focused on working across the prevention and response framework to ensure that we have the ability to defend and then also respond resiliently from attacks. this is a shared responsibility between the private sector and the federal agencies involved. so we're doing a number of different things. first we put in standards in place that require them to conduct assessments. half an accountable person. develop a plan and mitigate that plant and report incidents. all those pieces are important. says assessments we then have the opportunity to drive investments through the port security grant program to update security posture in the ports. until last year $17 million was allocated from the port security grant program for cyber security. these are some of the areas where things that are being done to increase the capability of the commercial infrastructure. while also maintaining our operational abilities. >> also has your role as assistant commandant, you're responsible to the coast guard maritime security programs. what do you say, which side is winning? increase digital safety operational enhancements, how are we doing in this fight? >> it's not an either/or proposition for us. it's really and all of the above. so as you see prevention policy we make sure that we bring together the best of our ability to secure private industry but then be able to respond as well. so leveraging our prevention response framework , we've made sure that we've taken a multilayered approach to engaging with the industry, sharing information with them at the local level through the area maritime security committee and conducting compliance activities then at the national level engaging across the interagency with our national maritime security advisory committee with the mts buyback and then with other interagency partners to make sure that we are tied together and providing a comprehensive network and comprehensive approach to this problem. >> i just about out of time and i want to mention i know you got a cyber security expert yourself so hopefully you're aware of that fact and your coordinating with your cyber security people and also in the private sector. i yelled back my time. thank you. >> mister dorsey has the gao investigated the progress of the federal agencies for the private sector in implementing the guidance and requirements laid out in the may executive order from the president to modernize and strengthen the federal technology systems? >> thank you for that question. as the gao investigated i think that question should be directed towards the gao representatives . that's if i'm not mistaken . >> miscellaneous can answer that. >> happy to. we have looked at efforts of the executive order and have work underway right now looking at the progress that's been made by the administration and actually overseeing whether the many requirements that is placed for the agencies adhere to so there are aspects within it that were passed on including supply chain more recently but we have work underway that's going to be looking at the executive order. >> do you have a timeline laid out for the report already ? >> are expecting to report on the status of implementing the executive order throughout the calendar year so we're looking to provide information on a real-time basis to provide something closer to early spring. >> thank you. mister dorsey, at what point with the wood the oig get involved? >> we have initiated a review of the dot's efforts to implement cloud-based services with respect to the request or issues that were identified in the presidential executive order for federal agencies to ensure they secure cloud-based services as they migrate forward. we're also hoping to complement efforts to migrate towards a zero tech architecture as outlined in the president's executive order. i've also been in contact with the department's chief information officer and he has informed me that the department is working towards addressing the current initiative and i plan to work with him next year to ensure that they report back to this administration if necessary. >> thank you. mister grossman the aviation sector is complex. i'm sure that you are considering that complexity as you consider helping the system be less vulnerable to cyber attacks but the testimony from gao in the first part of the hearing a few weeks ago says less than half of the respondents to the global study investigating the cyber security trends within the air transport industry identified fiber security as a top organizational risk. all consider how congress can incentivize the privatesector to address cyber security issues ? >> how congress can? >> to address these cyber security issues. >> we have reached out to the industry through the aviation cyber initiative extensively. we built a community of interest over 1000 members that cross all of the components of the aviation ecosystem and we're using the bully pulpit to and it seems to be from deviation perspective we seem to be getting a lot of traction. >> can i follow up on that with a particular issue and i don't know if you're handling this but it's chaired fazio and i recently expressed the concerns to the federal indications commission on the telecom industry plan to utilize it broadband service and a potential interference with aircraft radio parameters. i know that administrator dixon is weighing in on this with the fcc. can you update us on what the status of that is and as well are there othertechnologies coming online that we need to be concerned about ? >> thank you for that question. i'm not personally involved with the 5g effort but i am aware that telecommunications companies have all agreed to deployment delay for their five gc band to allow partners. we believe that aviation in five gc band wireless services can safely post this and the fcc and faa are using the site together to exchange information to come up with a path forward. >> i guess implied in the letter that whatever solution you all think you come up with would be very interested in that solution to make some determinations . thank you very much. >> thank you mister perry. >> german. mister schechter and miss brown as, during last month's hearing on cyber security we had an interesting back and forth with mister scott meltzer on the minute institute in court regarding increased cyber security threats associated with the transition to electric buses and the fact that it brings with it a whole new level of cyber exposure and other security risks not previously anticipated. mister belcher agreed that these increased risks include the ability to degrade batteries remotely, cause fires, manually take over controls of the vehicle at sarah and went on as far as to say we be safer if we were stillrunning diesel buses . i'm a fan of diesel and all of them. just got to be ready to implement love processes to make sure that we're safe. while we were discussing these issues in the context of electric buses, purchased by transit agencies with fda funding these concerns are much more widespread than just buses. in fact the same concerns apply to our electric vehicles. on either by the government or private citizens. and the associated charging infrastructure. i wonder if either of you can expand on the significant increase in cyber security risks and threats we should expect as the result of the relentless pursuit of electrified vehicle fleets by the majority of this administration and unfortunately some socialist voting members of my own party. can expandon what we can expect ? >> thank you for that question. i think we're conflating two separate and very important issues. one is the fuel that any vehicles use whether it's electric powered, diesel power, inherently they are not more or less at risk from the cyber perspective. what we're really talking about here and the cyber issue is the electronic control system that's on board with not only electric buses but if you were to buy a new diesel bus for gasoline busor gasoline car , those vehicles all had some sort of electronic control system there communications system which is potentially vulnerable. the correct steps just like in protecting government it systems, the correct steps need to be taken to protect the it systems in that vehicle. and when we're talking about fossil fuel powered vehicles or electric vehicles, we're obviously the administration has identified addressing climate change as a top priority. and if we take the conversation to the subject of this hearing which is cyber security, there are new mechanisms of protecting those vehicles intelligent systems on board and we need to do that and there are several organizations within dot at work on that right now. >> congressman, we've looked at issues with respect to modern vehicle cyber security overthe last couple of years and indeed , whether the fuel is gas or electric, the reality is that we're seeing an increase in thenumber of interfaces . the number of chips being placed in the systems those tips are powering and in fact that's what we're seeing as one of the challenges in terms of supply chains having those tips to manufacture new cars regardless of the fuel. the reality is if those interfaces are not secured they can be exploited through direct physical access and even remotely as well. the reality and an important element is the need for our workforce is to be able to be in the best position to oversee these automated technologies and as we recorded earlier this year we think that apartment of transportation needs to take a close look at this workforce to make sure that as vehicles become more and more autonomous that they have the appropriate folks in place to oversee that technology. >> .. cybersecurity or that executive order was issued. the audit regarding cloud services were seen as the best practices better protected from the perimeter and if they had previously organized themselves into using a common operating environment unifying all of the operating with the exception of the faa to a single system providing one surface to provide for attacks. that is the best practice. we were there prior -- >> you highlighted the testimony -- the u.s. water treatment facility, industrial control system and incentive used as a part of the treatment process. the concern is the water system including treatments -- what are your concerns in this area? >> the threats to the water infrastructure is real and comes from the same challenges other sectors including the reliance on the legacy systems that are not only outdated but the vendors that actually created them. these include workforce issues, having appropriate staff within very small organizations that reach these facilities to be able to respond in fact in the case of the february attack according to reports there was an official there was monitoring and was able to see the efforts as it happened the reality is there needs to be more that is done and we are encouraged by the fact to establish the expectation of the specific agencies and the environmental protection agency is that for the water sector. we think that epa can do more to reach out for the sector to better understand whether the guidance that it provides is adequate to be able to address the challenges that i mentioned. >> would you suggest that they do virtual training? >> i think it's important for them to do that in concert with their partners and there is a good establishment of both government and sector specific representation as i'm aware based on the hearing that your committee held they were having a thousand or more security threats a day. initially without having to wait months for training. it's about elevating the entire cybersecurity awareness of the nation. until we do that, they will continue to exploit those that have the least knowledge. a. >> what are your biggest concerns in the area? >> making sure the support of the federal agency is providing is the right one and that means doing more to assess and the plans that they can execute. if that would be the department of homeland security we are still waiting to see a national infrastructure plan get updated in the next couple of years we can move to immediately. you have done that in the wall so congress did pass the law that passed gao with evaluating how effective they are in fulfilling the statutory responsibilities so we will be reporting back to you in the near future. >> many agencies are too small either equipped or trained. but also what offerings the federal government can provide others to those operators that need the help is very important with oversight i think they should be part of it. a. >> they are part of the sector that has been identified as so they do carry forward to the agencies that have responsibility. >> thank you for your concern and i look forward to talking with you. mr. chair man, i will yield back we understand tsa will reduce transit operators but unfortunately, we've heard concerns about the development from stakeholders at the tsa including from the industry in the previous hearing on cybersecurity and november 4th letter from the american public transportation association which i ask unanimous consent to insert into the record. >> it's good to see you again. can't wait to see you all in person. unfortunately, the tsa failed to provide a notice of this despite you were coming here despite what we knew of the committee is receiving advanced notice after back and forth by staff i'm told we received in an embargo copy of 9:25 this morning which doesn't give our team or us any time to meaningfully review and actually figure out what important questions we might have for you today to ask about. the letters were yesterday, december 1, which was i just want you to take a message back that this committee because we have jurisdiction today otherwise you wouldn't be here. we expect to be notified of actions that your agency is going to take just like other committees. if anything you are doing is going to affect the mode of transportation and safety of the mode of transportation in the areas we have jurisdiction over, we expect to be notified here. can you please make sure you send that back to your colleagues. of these are issues i think we all want to work together on. hope to talk with you again in the future and look forward to the next meeting. it's my understanding the gao is in the process of completing the report on cybersecurity how has the gao pursued access and plan the cyber posture remain secure? >> we appreciate congress tasking us with this and we take the responsibility of performing it very seriously. in terms of how we are protecting information we recognize it is very sensitive but we also have a successful track record of handling the information that we received from government agencies and industries and we will obviously apply the most rigorous protections we can. as you can imagine access to house data is something we guard very closely however we also recognize the expertise in this area and hope congressional entities are operating to achieve the desire to the annual report. another question, we have seen attacks on the critical infrastructure including the one earlier this year on the colonial pipeline monitoring is critical to thwart the attacks but isn't the end of what the efforts should be and we should have a layered approach to cybersecurity when protecting the most vital assets. can you tell us, and this may be a question, what is the department of transportation doing to fortify the assets in the field such as the traffic control towers that are carrying hazardous materials and so they can operate effectively what they are already compromising. let's go to you. can you answer that with of the time i have left? thank you very much for the question. so each of these areas that you mentioned working with our private sector partners to improve the cybersecurity practices and as stated before, the cooperation through tsa to those private sector partners we access code sector risk management officials in those areas, so we need the participation from all those parties to become more cybersecurity. >> we continue to work with you on these endeavors and i apologize for mispronouncing your name before. thank you all for being here today and i will yield back the balance of my time. >> thank you, mr. chairman and to the witnesses for your time and testimony today. during part one of the hearing we learn how our critical infrastructure remains in october of 2021, the dot released a report on the federal transit administration's cybersecurity weaknesses which found that weaknesses in fta's financial management systems could affect its ability to disburse the funds. the oig report notes that they failed the weaknesses that have been known since 2016 a total of five years while the delay is not unique, it puts us all at risk. why has fta moved so slowly to implement security control fixes? >> thank you for the question, congressman. we've worked with of the the det for a number of years regarding the various cybersecurity weaknesses that we've identified and with respect what the department has informed us to get the proper guidance with respect to end the fear that the system needed to be operational 24/7. the issues regarding for the six years or so and the responses by 2023. >> for the initiative if you will and require to make sure they prioritize implementation of what we consider to be some of the most significant cybersecurity weaknesses that we've identified over the years and make sure they report on the attempts and the leadership for the deficiencies so that the cities like atlanta are not detrimentally impacted. a. >> thank you very much for that question and as i specified in my testimony, cybersecurity is our number one priority and i highlighted three areas that we are prioritizing within that to make immediate action. first is access control, second is website security and the third is governance and coordination across the dot. all of those issues are impacted and involved in the situations that you mentioned. we've created cyber spreads that i mentioned in the testimony as a way to expedite improved performance in all these areas and i believe we will be able to report back that we have made significant improvements. >> thank you. my time is up and i will yield back. as i said that the other week i'm so glad we are having this hearing and are prioritizing this important topic. as we wait on the cybersecurity and critical infrastructure space, it is a great responsibility and one that we should all take a very, very seriously. it's also a very timely topic. right before we went home from thanksgiving, the director told the security committee that, quote, ran somewhere has become the scourge on every facet of our lives and it's a prime example of the vulnerabilities emerging as the digital and physical infrastructure increasingly converge. she went on to say the american way of life faces serious risks. internet attacks are full-fledged standard feature of the modern day life and hardly a day passes without a story breaking about a cyber attack or at least a threat. they are disruptive, costly, and potentially life-threatening. all of us saw what happened and now lead to gas shortages and interrupted to supply chains. there is a legitimate appropriate role in the federal government to play in protecting the american people and the companies and businesses against theft, espionage and cyber attacks. no question each of you testifying today are fighting for the national security however as you all know, cyber intrusions are hard to track. we've got to be extraordinarily careful as lawmakers and rule makers that we don't meddle in something that we don't understand and unintentionally created more bloated regulation with overly burdensome requirements that don't truly secure our infrastructure. in any policy we push forward it's got to be aggressive and consistent with of the nations founding principles. meanwhile while at the same time protecting civil liberties and free economic markets. the former director of national intelligence and my former texas colleague and classmate said that we need to attribute these attacks and these are overtly or covertly retaliated against those responsible thereby creating a deterrence for the future. for the long time a strategy of cyber criminals it is a simply pay the ransoms and hope for the best. my question for you all is this and i will open to anyone who would like to answer with time permitting. what are some common sense steps as lawmakers we can take to better protect our infrastructure and encourage better reporting of cyber threats without infringing on people's civil liberties and the free market and i will open that up. i will yield to my colleague. >> thank you, congressman. cybersecurity and responsibility, public sector, private sector and we will either succeed or fail at this together. it's understanding that new systems need to be secure by design and created with cyber cybersecurity in mind as step one. that would help us achieve our objectives. >> congressman, thank you. i support the comments made. what i would offer is that we have to treat cybersecurity as an operational imperative and it has to be part of an overall risk management approach above the private sector and federal government and so in order to achieve that, they have to be able to do em assessment one is a minimum that i need to disclose to how can i help protect others as we've heard from testimony already in these incidents cut across so many different infrastructures and reporting helps us. >> absolutely. thank you. we will remember retaliation can occur to help some of this. i will yield back. at this time i will yield back to myself. the aviation sector is composed of aircraft the private sector companies and public agencies including the faa however a cyber attack on one portion of the sector can have cascading effects on the entire system with devastating impacts. can you describe from a cybersecurity perspective how the faa assists and supports the aviation sector? >> thank you for that question. the faa engages so we engage with much of the aviation community which we are close partners with and the aviation sector coordinating council manufacturers association and of course primary and engagement in the cyber initiative and standards, guidance and we promoted relation sharing. and to assure they are using industry standards and are building products. a. >> do you believe that it's important to coordinate and cooperate to assist them? >> i think as mentioned earlier cybersecurity and we are all in this together public and private sectors for aviation and the higher ecosystem with operators, manufacturers, other agencies, public and private sector work together to share information and to try to improve the resiliency. this is for the entire panel. where do you see the biggest cyber threats coming from specific actors like the recent attacks on local government entities with ran somewhere from foreign entities and nonstate actors are there significant threats from even some of the weaknesses like the failure to update and strengthen were poor cyber hygiene what are your insights? >> i don't want to speak for the panel to highlight one over the other. i think that compromise is certainly still fresh in our mind, but i wouldn't choose that over other actors or vulnerabilities if you're asking me which is worse. it's come up several times transportation not only relies on others to operate but other sectors rely on it as well on the communication sector and transportation sector was one of those that had been identified as one you could not operate without it so while there is the resiliency built in to show us we need to do more to not only shored up specific sectors but the nations approach as well which is why we emphasized in the recent work the importance of having a cyber strategy so it can be and all of government efforts to bring and elevate. a. >> thank you all. a. >> for the programs related to infrastructure. between the tsa and the coast guard threats and the transportation system how do you help to manage risks? >> congressman, thanks for that question. of the effort in the coast guard is part of our dna so we take a multilevel approach to share information that the speed of cyber. it's a dynamic threat environment and going forward we need to use a combination of tools and methods to get after the information sharing so for this multilevel approach at the local level, we work through the area of maritime security each of us have established subcommittees that are responsible for that day-to-day sharing of information for conducting the exercises for reviewing best practices. the same people are integral when they report in the board. at the national level we work through a number and have established the maritime cyber prettiness branch and the coastt guard that becomes a focal point or threat information dissemination technical assistance and we meet regularly with the risk management agency and engage with the information sharing and analysis center and look for every opportunity to continue to share information and communicate threats and understand the vulnerabilities so we can protect the mts. the united states coast guard has privacy in the nation support however they play an important role to support the transportation system. to that end we have the program that started as a port step security training exercise program that started in the maritime sector we have grown the training and exercise program across all modes of transportation. at the u.s. coast guard is a program where as mentioned we can exercise at a both a national and local level and if an entity is not able to participate we do maintain all of those lessons learned and exercise information in an accessible system to thousands of local operators, first responders and law enforcement professionals who support the ports and other transportation modes. congress also generously chartered the surface transportation security advisory committee a few years ago and across all transportation modes however we also have 14 federal agencies that serve on the committee. if we have a very active and very live incident, the ability to quickly disseminate that information, so i'm not sure that the security committees or the apparatus that you're describing allows for them to sort of nibble the communication to the ports and other potential threat entities. can you tell me whether or not you are working to update the system to be able to track and follow through on cyber incidents? >> in terms of communication with the ports, we have 24 hour watches that have access to the information and we share that information but we look forward to the questions and follow-up questions. it was established to be able to respond and we would be happy to provide more information about that and follow-up later on in the hearing. >> that would've been great it seems like there needs to be some type of mechanism. i will yield back. >> the gentleman yields back. [inaudible] good potential use and there is a variety of companies that are starting to get into this and i think it increases the potential for cyber threats. how wee coordinate with the commercial space industry. >> congressman, congresswoman, thank you for your question. unfortunately that doesn't fall under my purview. however, i understand the commercial spaces heavily involved in the development of the space cybersecurity policies and assist the development of the isac at space policy directive. i can certainly follow up with you. i realize that isn't directly under what you do and it's worth bringing to the attention of the committee because it is going to become increasingly an issue as we do more of this. i know that you were instrumental in setting up the program so you were very informed on how this works and we have seen it expand. one of the things that we have heard is they have a hard time coming to get the clearance. >> thank you for your question, congresswoman and for your support as the program. we appreciate the insights that congress and the stakeholders give us on a daily basis. i do know that the office that runs the program for tsa has endeavored to expand enrollment capabilities as you mentioned to get back with specific answers to those questions on how we are best requiring protection of that information and how we will oversee that information. >> thank you and i would appreciate that. whether it's through tsa i think that it's to be sure it is information in the streaming process because when we want people to feel secure that that information can't be compromised so i look forward to getting that from you and i will yield back, mr. chairman. >> the gentlewoman yields a back end of the chair weber for five minutes. >> i want to talk a minute i appreciate the phrase about ports and as you all know the colonial pipeline system is attached i think may of this year extremely important to the infrastructure obviously we would argue. the keystone pipeline or more pipelines to carry stuff with the safety rating all of that is to say from an energy perspective would it sound like we ought to have a system in place to notify the pipeline operators as congressman greaves did and other ways that we move energy if since we have limited time and i know we talk about the speed of cyber space so to speak, but should there be a process in place to the greatest amount of energy protected as early on as possible number one is that a good idea and number two, is it possible? >> that is a good question and if i understand correctly we talk about coordination and communication between the private sector partners that provide the energy, the tools and the pipeline operators as well as the government and its regulatory capacity. tsa has moved aggressively to improve information sharing and incident reporting from all of those private sector actors and to coordinate a booth with dot and other regulatory bodies that have an interest in those areas. as you probably know, the ports and pipelines are privately operated so that we have to work with those private sector partners and try to influence them so they are less likely to be attacked. some of that is standard access but moves into the operational technology, which are very specialized and outside of the realm of dot information technology. >> i know there was a discussion about the banks years back but if we had a system in place whereby if we know something is in the making we can alert them as quickly as possible and protect the infrastructure in terms of the national security and the marketplace if you will. >> intelligence and understanding of what's happening to the threat level is a critical piece of how we protect the nation so we've established procedures by which we can share information rapidly both through the interagency down to the field units and with several cases the private sector through the maritime security committees. what we are also finding out is that this is a very broad problem and so it's important that we get together and together and collaborate at he the lowest level possible. this has established a joint cyber defense collaborative that's bringing private sector and the interagency together at a low level to be able to see those threats and challenges as they evolve and share those outlooks rapidly and put themitigations in place so this is an important issue and were getting after it . >> madam chair, i cannot see theclock how much time do i have ? let me submit one thing for missnewhouse. if you could prevent the random disappearance of my wife's tsa member on airline tickets it would be worth everything to me in congress . i appreciate what you all do. >> we are happy to help and if you have any members have questions about the essay project or your family members, these let me know and i am happy to make sure we solve any issues. >> thank you madam chair, i yield back. >> the gentleman yields back, ms. brownlee is recognized for five minutes. >> thank you madam chair. my first question is tomister dorsey . mister dorsey in october, your office issued a disturbingly more about it weaknesses atthe federal motor carrier safety administration . you placed malware in the network and the agency failed to detect it. so i was curious to know is this a practice that you do in other agencies? why was this particular agency elected for this exercise? i'm sorry, i'm curious of the thought process behind it . >> thank you very much congresswoman for your questions . we on an annual basis we issue a number of audits with respect to our quantum ability assessments and penetration testing work of the department it infrastructure to determine whether and establish secure practices to detect and te secure it infrastructure . however we do what we did was not our first review of the it infrastructure. as a matter of fact it was the third review. we started back in 2016 an additional report on these centers, state department's research and we followed that up with the department's association and it was just the third inning a series with respect to assessing the departments security posture. and all of this operating administration initiated another review of the federal highway administration it infrastructure. and what we are doing that for is to determine whether the policy is instituting oversight of their own policies that they have in place so we've identified primarily persistent security weaknesses that provided us with a task to actually compromise the departments it infrastructure. >> the federal highway administration fare better ? >> we just initiated that review. we only take about 7 to 10 months to complete our review and we reported on the status of that review at the time but what we found in the past is persistent weaknesses and basic things such as a lack of strong passwords. unpatched or what we consider software that is not updated in these operating systems. we found a lot of encryption and those weaknesses are how we primarily were able to penetrate the departments it infrastructure . >> thank you sir. mister schachter, i know you've been in the departments and in your opening comments aryou said you've been there for three months. certainly 11 years in the city of new york. and i guess you know, i would just like to ask you how would you sort of, what grade would you give yourself at this particular point? and eight, a.b., ac, add, and asked? how would you grade yourself right now? >> thank you for the question. i don't have enough information yet to price that sort of an assessment but what i can tell you is as mister dorsey mentioned him of those findings to go back to 2016 before the ot created a central operating environment for the purpose of addressing across the ot some of the very same findings that oig found in multiple modes. related to access control, vulnerability and patch management that the common operating environment gives us much better tools to provide that security across all the modes that the ot use this common operating environment. so our performance is already improved but we have a ways to go and we are transparently acknowledging that as i did in my opening statement and i think as, pardon me? >> i wanted to go into another question. you mentioned limited resources several times in your answers today. and so i'm wondering you know, do you have enough resources to do what you think you need to do and if not, are you planning on making you know, further budget requests in the 2023 budgetrecycle ? >> thank you for that question as well. i'm still too new to the position to fully assess whether we have sufficient resources as needed to address this or the resources in the right place or with the right expertise. and i expect before too long to be able to share that information. >> thank you sir, my time is up. i yield back. gentlewoman yields back. the chair recognizes mister burke six for five minutes. >> this is for rearadmiral mauger. how do you say your name sir, is it mauger or mauger ? >> it's mauger, sir. >> you can call me tim. i believe semper peratis is our motto. i'm concerned about efforts to generate 99 percent of us medications abroad many of which are operated by private companies . i understand a lot of information about undersea cable systems are classified and given the coast guard's role in protecting the marine transportation system it can you comment on our ability to respond to cybertek attacks against ourundersea infrastructure ? >> congressman, our maritime transportation medical infrastructure is very varied and it's dependent on other modes of critical infrastructure . and as you highlighted, there are very substantial threats against the maritime critical infrastructure every day. so that's why we put together excuse me, that's why we operationalize our cyber security and made it possible as part of our framework to make sure we're getting after those threats at the speed and pace of which it demands. i can offer you a follow-up brief with regard to cables if you'd like sir. >> i would really like that. just out of curiosity how many ribbons are on your chest? >> congressman, i don't even know how many ribbons are on my chest here. maybe i can get you the answer for the record. >> it's very distracting but i think it's pretty cool. thank you for serving my country and i remember a buddy of mine nine ron eisenberg and i always remember at the veterans day celebration everybody gets up and sings there service anthems or whatever and my daddy was in the marine corps and he would sing the marine corps hymn and there was always one coastie that would scream itout because he would be by himself and i always thought that was cool . this is for mrs. newhouse, the tsa. i won't get after you for the terrible service. sometimes i see people get because in knoxville tennessee the group is pretty good. i always write about the one in dc which in my opinion is lackluster but a couple of months ago the tsa announced plans to issue new cyber security regulations for rail companies and how much time did your agency give the impacted stakeholders to respond and provide feedback on those directives? >> thank you congressman for recognizing our fine transportation security officers particularly in tennessee. we are proud of them and frankly most of ourairports and officers in the country so thank you for that complement . with respect to the rail and higher risk rail transit directives along with the aviation security program changes we followed a very robust rubric of engagement. i will give you an example for aviation. we utilize existing security requirements andprograms and provided ample notice and comment both verbally and in writing and multiple sessions . we have also as i mentioned in my opening to ranking member graves, we've taken that feedback and updated definitions of the affordable cyber security incidents so we've taken that seriously. with respect to my rail partners as i mentioned earlier in my testimony, we have embarked on a robust engagement at the ceo level started starting with secretary mayorkas along with other members as well as our cisa partners to engage at the classified level and unclassified level to describe the known ongoing and persistentthreats that are driving these policies . we then provided written copies to the regulated parties to have an opportunity to review these. albeit in certain circumstances we do need to act swiftly given the persistent threats but what we have done particularly over this last month i can personally tell you for my veoffice the standpoint we have engaged extensively over the last four weeks and have updated based on those feedbacks from our rail partners. >> has her agency received any concerns from your stakeholders about how the upcoming cyber security directives would impact our current operations ? >> thank you congressman. everything we do every day is about continuous improvement. one of those areas of continuous improvement is to first do no harm and complement operations while securing those operations . so we have heard a number of concerns to ensure that all operators large and small can apply these cyber security measures in effective and efficient manner so we do take that into consideration and we continue to elicit feedback. we're not just done when we issued the document. it's a continuous feedback loop and improvement and we have dedicated to that. >> i've run out of time and i yield none of my time back to you chair later. >> the chair recognizes mister payne for five minutes. >> missed newhouse, i'm going to contact you outside of this hearing with some respects to three check at north international airport. i received some documents from flyers that flew into north that have an issue with the project. but i will do that at a later time. under the rail safety improvement act of 2008, 28 congress mandated railroads that carry hazardous materials in passengers to install positive train control systems. they work to prevent unsafe movements and accidents by using an information network to regulate trains positions. can you elaborate on the new tsa directive concerning cyber security and passenger and freight rail and how it will this directive help secure ptc systems. >> thank you for your question and we look forward to receiving the inquiries regarding pre-check. with respect to the new rail security directives we can work with our partners to implement. with respect to positive train control and any other operational or informational technology systems, those directives apply to all of it. and if i may, we have focused very heavily on reporting. we have to know what even anything that could really reasonably impact those operations it is cdc or other ip or ot systems. so the early warning and indicators are critical. that is part of the strategy with these new directives is to designate that coordinator . have it 24 by seven availability to report those incidents to cisa. as admiral motter mentioned cisa as a clearinghouse. we don't forestall any other recording requirements that operators may have to independent operating agencies but cisa is the center of the united states government teto maintain that information and disseminate it back. it can go at the national level down to the local level. with respect to any it and ot system we are requiring user rail operators develop a cyber security incident response plan. we're working with them. we're doing that in concert with all the administrations at the ot. we want to make sure our folks in the field as you are well familiar with them have that information and how that at hand . they're asking the operators to conduct self assessments and identify vulnerabilities using apps and have us help them those gaps. thank you. >> thank you, mister marino, this cyber hygiene is critical to keeping our cyber transportation infrastructure they and operational. so federal agencies must keep , must not be exempt from adhering to cyber hygiene standards. as chairman of the railroads pipelines and hazardous materials subcommittee, our responsibility to ensure that federal railroad administration needs to be meet the evolving threats of cyber attacks. how can congress better assist agencies such as fra to develop and keep good cyber hygiene practices? >> i think the best method of doing that is your continued support of the inspector general community as well as the gao and the audit that we conduct. it's extremely helpful and productive and in particular to have congresses support not only during our audits but also following them when it comes to recommendations that we've made so we are grateful for that support. i think the important thing when it comes to in particular smaller entities is to ensure that those departments and agencies that they are part of have the capability to monitor the performance themselves and likewise the more central level on the and federal cio and cisa offices are doing everything they can to likewise give feedback to big and small can see to get better at cyber security . >> thank you for the answer man chair i will yield back. >> the chair now recognizes mister alderson for five minutes. >> thank you madam chair. my first question is to mister grossman. mister grossman first of all, last year the gao offered recommendations to the faa to strengthen its cyber security oversight program. the gao report found that evolving cyber threats and increasing productivity between airplanes and other systems could put future flight safety at risk y at the fa if the faa doesn't prioritize oversight. can you discuss what the faa isdoing to ensure these networks and systems are secure from cyber threats ? >> good morning or good afternoon congressman. faa looks at the whole system of the airplane, once equipment is installed to make sure there's proper procedures and protections. the avionics gao on it you referenced, the gao issued sixrecommendations . we have already proposed closure on to. two of those three are scheduled for closure in march and just one we have not concurred with we welcome that audit and made some significant changes . >> thank you. one of the recommendations the gao made which the faa did not concur with was to consider revising its policies and procedures for periodic independent testing. can you discuss why the faa disagreed with this recommendation ? >> absolutely sir. it was independent testing on aircraft that are currently flying in the fleet today. and we were concerned that independent testing or penetration testing is how we had discussed with the gao on aircraft that are in the fleet that are active aircraft could leave residual damage to the avionics systems and affecting safety. >> thank you and i have one more follow-up from you. as the faa developed cyber security training programs? >> in avionics cyber security training programs. i'm not aware of what we have developed but certainly we can look into that and get back to you. >> i appreciate it. mister marino's, thank you for joining us this afternoon. and in december ge2020 gao reported none of the 23 agencies in its review had fully implemented key foundational practices for managing information and medications technology supply chains. since 2010 gao has made 80 recommendations to enhance infrastructure cyber security as of november nearly 50 of those recommendations have not been implemented. while we don't have time to go over all these recommendations could you please discuss which of these unimplementedrecommendations should be ggiven priority ? >> yes congressman, i appreciate you pointing out the importance of the recommendations we have outstanding. in addition to the recommendations we makewithin that avionics report that you mentioned earlier in your questioning , i believe that the top recommendation with respect to critical heinfrastructure includes making sure federal agencies that have sector specific responsibilities are doing everything they can to assess the cyber risks are to their respective sectors, put forward plans with stakeholder engagement that makes sense on how they're going to support those sectors and execute. to put it very carefully most of those recommendations really express that in a variety of different ways across sectors that extend beyond transportation to include things like the grid, k-12, financial services and other sectors. we think it's important for cisa to continue its effort to reach its potential. when congress passed the ball establishing cisa the agencies that grew out of mpd took on a large set of activities that it had challenges to complete by the end of 2020 but unfortunately our report we issued this year showed they were not able to achieve a few of the important activities related to workforce planning and identifying essential functions. these are activities cisa needs to complete and referred from cisa theirs intends to do many of those things by this year or the next the urgency is there for that organization to gain its full apotential to provide infrastructure and thefederal agencies as well . >> madam chair i yelled back. >> the gentleman yieldsback and the chair recognizes mister malinowski for five minutes . it looks like mister malinowski may not be on. mister carter, you are now recognized for five minutes . f>> thank you madam chair, greatly appreciate the opportunity. thank you to our participants . mister malinowski and mister dorsey, your organization has provided oversight of federal government cyber security strengths and weaknesses. have either of your organizations looked at how prepared or vulnerable agencies are two potential cyber security attacks this typically around the time of natural disasters? as you know my district in louisiana suffered a substantial storm. one of the largestever . and my fear is as we know that hurricanes come every year with intensity increases. and my fear is that our critical infrastructure is particularly vulnerable during those period. can you share your thoughts on ideas and or practices to protect our critical infrastructure during natural disasters? >> i'd be happy to congressman and you noted in the previous hearing that the national association of states cios also identified that as a real threat so i think it does just how important it is to consider not only when we can be strong our most resilient space but also at our weakest points that can, often with natural disasters. of the last rse several decades gao has been tasked by congress to look at how federal agencies are preparing themselves for man-made or natural disasters through continuity of operations and a key part of continuity planning is to ensure the continual availability of information and you can't do that without thinking about cyber security as well. i think that's probably an looking at art of any cyber security program at a federal agency is its ability to recover from disasters. i'm not sure if esther dorsey may have more specific related examples to provide but i'm happy to passutit over to him . >> thank you for the question congressman. and thank you gao. i want to state that we have recently initiated the department's high-value assets and what we felt is that the department's high-value assets program is heavily reliant on the department of homeland el security to work with the department in assessing the department's high-value assets. it's identified 21 high-value assets from my understanding. there has been at least four assessments to the department of homeland security has actually it initiated its review of theot's program . and we're planning to continue our work over the next several months to determine what the actual governance process is that the department has in place as well as other or not they are taking additional steps to require it to assess and remediate the potential for the threat of any ofthose high-value assets . >> how do you disseminate that information with local governments or states so that they are equipped for future instances? i understand you guys have several kisses or studies tuthat are ongoing trying to determine best practices, how do you disseminate information so local governments are prepared are better prepared? >> our job is primarily to the department heads as well as congress. and how that information is disseminated down to thestate and local level i don't have . >> could you respond to that sir? >> i think that falls on the shoulders of cisa. we've seen them develop its capabilities especially when it comes to the support can provide state and local governments and owners and operators that may not have capabilities to do things like assess their own capabilities of those are offering the services that cisa has. one thing we've seen is a need to continue its outreach across the board whether big or small operators so that there is awareness about what the federal government can do a head of time so it can prepare itself to be resilient in the event of a situation like you described where a natural disaster may coincide with a cyber attack. >> it would be helpful if you would share information that we might be able to share with our local governments. what to do in case of hurricanes or wildfires. you can imagine the devastation if someone took control of our apparatus and we were not able to dispatch emergency ems or fire equipment. these are real-life issues that unfortunately are becoming far too frequently experienced with local state government. so thank you very much for your time and attention. any information you could share on how we as a committee can do better or push buttons further to provide resources for awareness so this information is able to be prepared for future instances. as we don't unfortunately there becoming far too common. i yield back, thank you. >> gentleman yields, chair recognizes mister fitzpatrick for five minutes . >> missed newhouse, thank you for being with us today . when the colonial pipeline suffered their ran somewhere back in may , we saw a great impact of our nation in infrastructure. if these directives to require reporting an incident report plans were needed in 2020 the average estimated time to identify a breach was over 200 days. so my question first question is what more is being done by your agency to identify cyber attacks in a quickerfashion ? >> thank you for your support and your question. with respect to the security directives to the pipeline industry we require reporting of the incidents within 12 hours. that is because of the criticality of our nations pipelines, the fact that they carry the majority of the significant effects they would have to if those were attacked because they carry a majority of the resources needed to run this country . that's why we're very forward leaning in establishing that immediate timeframe and we have since updated that definition of what is affordable cyber security incident in collaboration with the industry . >> secondly, over 80 percent of breaches are connection motivated and the ransom where payment goes over 3020 20. from 2019 loves. to over $100,000. do you believe american companies should continue to pay ransoms to bad actors and if not, do you think that legislation would be needed to basically incentivize or if not bad and make illegal payments. >> cisa director easily. >> i would say that through the department of homeland security, and cisa in particular we work closely with our lawenforcement, fbi , both federal and state local law enforcement to identify those opportunities. i would defer to my cisa colleagues on how we can best combat ran somewhere from a technical standpoint in addition to the financial aspects as well. happy totake that back and that for you . >> thank you miss newhouse. chairman, i yield back. >> chair recognizes miss bordeaux for a period of five minutes. >> thank you mister chairman. we have all seen the far-reaching negative implications of cyber security attacks on the transportation sector . example in may 2021 the ransom where attack on the colonial pipeline resulted in 43 percent of gas stations in my home state of florida being out of gas. it's clear from today's testimony more work needs to be done to strengthen cyber security protections in all areas of the transportation sector. mister grossman, in your written testimony you talk about the value of training through participation exercises for simulations. my district is home to curiosity curiosity log which is a one-of-a-kind living lab designed to provide a real-world test environment to advance next-generation intelligence mobility and smart city technology. what kind of simulations do you run to prepare your staff for cyber security attacks and could you talk a little bit about the benefits of those real life emulations? >> absolutely congresswoman. thank you for that question. we as i mentioned in my oral testimony as well, we have developed the cyber test facility in atlantic city that serves as kind of the cornerstone of some of our exercise activities. we regularly conduct incident response exercises that include both the mission support side or the normal it side of faa as well as the operational side or the national air traffic spaces. in addition to that, we conduct external exercises with dhs. and all of government, you know, there are cyber exercises. we have also conducted international exercises with the caribbean, with mexico. with several other countries. and you know, this year we've begun looking at cyber ranges that we can actually inject real-world cyber security threats into our exercises so that we can get an actual look at what an actual attack would look like. physically when we simulate an exercise it is with that dexterity. >> i'm sorry. >> i lost you for a second there. >> just to follow up with that, mister cordell, at the dot are there similar types of exercises that you do that you could talk a little bit about what the value added is of having that kind of real-life simulation . >> thank you because it gives me an opportunity to discuss one of the most effective and least expensive types of simulation exercises. and that's one where we send essentially a test email encouraging people to click on an unknown line, a technique called nifishing and what we see is by repeating that on a regular basis, people get much smarter and become much more cautious about clicking on those links . and as was mentioned a little while ago, this is a prime way that malware gets introduced into enterprise environments . unknowingly by people within the organization. so this is as i said a very effective, very inexpensive means of detecting the network and providing greater access controls. >> thank you very much. i yield back the balance of my time. >> chair recognizes mister math for five minutes. >> thank you for your service in the united statescoast guard . i very much appreciate that. i want to talk a little bit about your men and women are physically attacked, do they return fire? >> congressman, we have a well established, well rehearsed, well trained process in place for use of force in the coast guard. it is not my area of expertise so if you want to go into that in more detail i'd be happy to take that question for the record or set up everything for you. >> not a lot of detail. just reallylogically and commonsensical he , if somebody points the muzzle of a rifle at one of your men or women and depresses the trigger and moves around a couple thousand feet per second, are they going to return fire? >> congressman, they will execute that coast guard use of force policy. so if fired on by an adversary they will fire back . >> that's not meant to be provocative but it's common sense that they will . again, understanding you are not a shooter by your own admission. do you think that they should shoot until they totally eliminated the threat? just opinion, i'm looking for opinion on this. i understand you are not a shooter. >> i think in the general sense our folks need to ensure their own personal protection, ensure the protection of their colleagues and ensure the protection ofany members of the public as well . though they will carry out continuous use of force policy until that local coast guard woman or man is sure that things are safe. >> i've been a part of doing that in a different place. i want to layer this on cyber attacks and cyber threats. the reason i ask that was to go and layer that on this question. should we approach a cyber attack in the same way that we would approach aphysical attack ? should we go out there? there's a moment in terms from defending myself going out there and seeking a violent course of action to dispatch the threat coming against you and it becomes authentic and that's not provocative. should we be pursuing that in every instance of shot in the form of cyber. that we dispatch that threat it can never again pose that threat to us again. >> congressman, as we move this and cyber landscape, is important to understand the rt differences. there's a difference of the shooter in front of you using force you can see versus somebody in the cyberspace that might be working through a different adversary or might be working through a different venue to get after you. so attribution in cyberspace is really critical. that said, the coast guard released a cyber strategic outlook in august that puts ootogether three lines of effort. the first line of effort is about defending and operating our networks and dod networks. the second is about protecting the maritime transportation ndsystem and we bring together the full spectrum of the prevention and response framework to protect themaritime transportation system . >> you believe in making that transition however from we were attacked, we are now processing what happens from the attack and we are now transitioning to offensive to eliminate where we assess the origin ofthat threat . if you can assess the origin of that threat dyou believe in becoming offensive against that threat? >> we are building with support from congress in fiscal year 21 and with support from the administration and the fy 22 presidents budget are building out a cyber mission team capability allows us to take all spectrum operations provided we have the right authorities in place against adversaries. so it's an important part of our strategy. >> .meeting yes, you believe you should have that capability to transition to the offensive against where you believe a threat originated from. >> that is a key part of our three lines of effort and outlook. we are outlining our trading under the joint dod standards so that we can work closely y with the department of defense to carry out what the nation needs. >> thank you mister chair. >> chair recognizes himself for five minutes. last month we heard from industries on real-world challenges they face and i look forward to speaking with our witnesses and how the federal government can work with infrastructure as well. this question is for first mister dorsey and mister marinos in that order. our district in massachusetts myhas two liters at least in the cyber security industry, industrial defender is located in foxboro massachusetts. these companies work on security roadmaps and software to protect complex operational technology in line with appliance has the dot inspector general's office and or the gao look at how federal agencies are interacting with atcompanies like these andlocal transportation agencies and do you have any recognitions for improving public-private coordination ?>> this question is first for mister dorsey and then for mister marinos. >>. >> we have not looked at that line of ordination but when i will say as as part of our annual assessment we do work with the department and a series of questions from the standpoint of the supply chain risk management area and when we do with that line of reasoning, we just go back and determine whether that department has taken the appropriate steps with respect to ensuring that any vendor related software that they get is not associated with any type of counterfeit efforts or anything like that and we also make concerns to what extent the dot ensures that products, components, systems and tservices of providers are consistent with the dot security policy. that's a new requirement that has been incorporated in the it system message that we have to assess on an annual basis. so that's how we go about communicating with the omd as well as how we report to congress with respect to what the department's efforts are. >> mister marinos. >> to thoughts here, one gao was asked by law to evaluate the oddities of the national institute of technology on this and the latest one in this area is cyber security frameworks and as part of this for reviews were wrapping up in the next few months. we look at how the cyber framework was pulled together including what kind of engagement in doing a public exposure draft and receiving comments from outside stakeholders and incorporating them into the framework. they've done this on a couple iterations and they are forced to it on other vessel publications as well raso we may not interact with organizations like those that you mentioned but we certainly evaluate how they are taking in information from experts on cyber security and how they can use that to enter the framework and guidance they put out the second thing i mentioned is that gao does engage quite often state and local offices including the massachusetts state offices on well that's a good opportunity because it gives us a chance to have a better sense of how effective federal guidances within their capacity and what are sort of the threats and landscape they are also seeing state and local agencies have to combat as well? >> thank you to you both and the chair yields the balance of his time and recognizes mister johnson for five minutes . >> are you talking about misterjackson of south dakota ? very good, not a problem. i will start with mister grossman and mister grossman i recently had the opportunity to visit an air trafficcontrol facility in sioux falls. it was fantastic, really dedicated people forsure . sean and it and others showed me around . i ulcouldn't help but notice how antiquated some of the computer he was. the other systems they seemed to be intermingled with in the tower. so give me some sense very quickly of the kind of challenges that we have keeping these systems say? >> you for your question and appreciate your trip. from a cyber perspective systems while they are to be old, we are able to keep them secure. if you're asking about should we be replacing those systems i would ask it's not in my area that i would have to take your question back toour air traffic organization . but from a cyber security perspective, even though they appear old, they are certainly secure. >> maybe i'll shift gears now to mister marinos. i listened with interest when you noted that gao has made 6000 recommendations, for approving cyber security to federal agencies and more interested when you noted there are more than 900 of them that have not been implemented by those agencies. we haven't had a lot of discussion today about dams which are under the jurisdiction of this committee. are you aware of any particular and obviously the dam is criticallyimportant from an electrical generation perspective . are you aware of any particular recommendations that have been made to the department of homeland security vis-c-vis cyber security or our data infrastructure thathave not been implemented ? >> harassment we're building off the most recent question the new cyber security framework applies to all sectors. as part of the work of this series of reviews gone out to dhs and the other now sector risk management agencies and askthem whether their respective sectors are finding it useful . are they adopting it? sthat would include the subsector as well so in those instances you seen that federal agencies are challenged not only with that sector and others to have that kind of dialogue with operators big and small within their respective sectors. there are a variety of reasons for that. there may simply not be the appropriate expertise to provide that kind of feedback , even to be able to use the framework and the way it's intended . an expensive set of what it's equated to is like a grocery store. you pick and choose the cyber protections you might want to implement so the important thing is for dhs to make sure it's getting feedback from not only the dam sector others to make sure the guidances useful. >> i think that's helpful but as you alluded to with your last answer, that is more comprehensive. it is across all impacted agencies. does anything in particular stand out? we were talking about some of the antiquated it systems in place at thefaa . i happen to know that's also the case for the operations of the dam systems with western area power ni administration and others anything in particular that comes to mind with that subsector? >> absolutely and it doesn't relate to that purse specific subsector but operations are something that operators need to be thinkingabout the head. have a plan for how they intend to modernize and as mister grossman pointed out, many of those systems may have in some ways better protections if there are air gaps . if there not protect connected to systems andthose companies they may be better suited for the operational control activities they do but the reality is that again, that connection to the federal government . how do those operators know what those are? that's going to require information sharing to know what the posture is within the dam system . >> i think that's well said . as gao indicated the investment gap as we talk about these legacy systems and the need to replace them. as gao estimated the size of thatgap in dollars and cents and could you point me towards a particular report that i could review to learn more ? >> happy to share information from the federal agency side but the federal government continues to send 80 percent of its it budget on legacy activities, not on o modernizing so i think that's an important aspect as well as the dot mentioned modernizing with security from thebeginning . >> thank you mister chairman and i yelled back. >> thank you mister chairman. i want to zoom out of it, no pun intended and talk about the future of transportation. five, 10, 15 years from now and get into how the department is guarding k against new and emerging threats and then i'll ask mister mayorkas for his reactions. to, i want to ask mister schachter for his thoughts and mister marinos for his reactions . i participated a few days ago in a tabletop exercise that simulated a hostile power and taking down our bts systems, something that would have incredibly dire implications even today for nearly all modes of transportation. air, rail, maritime andmore . in the consumer automobile contract, some of america's largest companies, tesla, apple, alphabets are investing billions in autonomous vehicle technology i was in a meeting yesterday with some ceo of alphabet. which owns an economist driving startup and he reaffirmed his interest to us in bringing that technology to the marketplace. so while there's no expert consensus on precisely when there will be widespread adoption of level iv, level v autonomy i think it's safe to say we are going to have a huge number of vehicles on the road certainly by the 2030s t. that our family or even exclusively reliance on artificial intelligence make decisions about accelerating, breaking, earning every which decision. and in effect today every car is rolling off the assembly packed with computers . many have internet-based internet-enabled entertainment systems that are preinstalled. and there's even more revolutionary technological change to come. including potentially cars that are charged by the highway they drive on themselves. as all of you know, any product device or service connected to the internet or otherwise reliance on code is going to be vulnerable to compromise and the stakes are going to be high when we're talking about where powered machines that are carrying people at 70 miles or more down the freeway. so mister schachter, recognizing your primary focus is on the internal it management of thedepartment, that you've only been on the job for a few months , and you're not personally writing the regulations related to autonomy or grid safety i want to ask you some big picture questions about how you and your colleagues are thinking aboutthe threats that are around the corner . what cyber related challenges does the department expect to encounter in five, 10, 15 when the technologies that we're just talking about today become mainstream? what's going to keep your successor up at night and what if anything are youdoing now to prevent it ? >> thank you for that question. gps and overall positioning, navigation and timing are very important issues that dot is studying in multiple places. the best example i could give you actually relates back to my experience in new york city where we were one of the three national connected vehicle test locations through the department of transportation connected vehicle pilot programs. and securely communicating with all of the test vehicles and standing up security credential management system so that vehicles were committed getting for basic safety information like emergency braking. or even traffic signal phase warnings like when you pwere about to approach a redsignal . we wanted to be sure, the federal government wanted us to be sure that all of those transmissions were from authenticated actors and potentially it was causing harm to either the people operating vehicles or other road users as well. that's a future technology that is not so far away but certainly demonstrates the issue involved that you're referencing. those two medications need to be secure and we need to know both on a transmitting and receiving end with those partners we recognize . >> i guess i'm out of time, i yield back. >> chair recognizes miss gonzalez cologne for five minutes . >> my question will be to mister larry grossman. and the question will be i just wanted to bring to your attention that the faa decision we utilize section 804 to consolidate air traffic control operations in miami for the caribbean basin which includes puerto rico and our airports, one airports operate with the 1970s technology. the center handles more than 4000 flights monthly consistent with all flights including arrivals, departures and others for the british virgin islands and oversight from south america due to its 400 mile long airspace. which can take commercial airline and our to travel to. this is the same number of slides that atlanta covers from savanna so my question would be i understand that this has been done to consolidate operations and for cost savings. my concern is that what are the assurances that a cyber attack from the faa facilities in miami won't affect air traffic control operations in puerto rico and what type of redundancies are put in place for smaller airports in rural remote places should a larger air traffic control operation be affected by a cyber attack considering that we got international airports as inwell. >> thank you very much for your question. i'm sure you know i'm not responsible specifically for facilities consolidation but from a cyber perspective, the protections that are air traffic control systems have are virtually identical whether there's a facility that's local or whether it's remote and managed through our security medications policies which are a service that we obtain but that service is the same whether the facility is you're dealing with a local facility or a remote facility. the security problem is the same. >> you been talking about oevery ecosystem and with this concept in mind, what kind of training can air traffic control workers get on cyber security? >> i can't speak for airport workers that are not specifically employees or contractors but i can tell you all air traffic controllers are required to take yearly security awareness training and all as are all the contractors. contract tower employees etc. . >> after the first hearing we got on this topic some employees last month in the hearing said that they were conducting a work or cell phones that exposed the company they work for two cyber attacks . how can we ensure that the same does not happen at airports around the country or wild airplanes are in the sky ? >> i can assure you there is no personal business on any mission-critical system or service. individuals, government issued workstations that they get their email on, they are permitted to do limited personal use and that is very limited but if someone needed to fund their break time. >> mister dorsey, how often does dot tested security controls as part of the risk management issues. the oag identifies in 2021 and what those testings include and if we do have any operating agencies. contact with differenttypes of oversight . >> thank you for the question congresswoman. we assess the tadepartment cyber security controls based on new cyber security frameworks to determine whether or notthey adequately assess security controls . >> .. the chair recognizes mr. carbajal for five minutes. >> thank you, mr. chair. the shortcomings in our nation cybersecurity readiness are apparent both in the public and the private sector's, as evidenced by the cyber attacks this year including on the colonial pipeline and jbs foods we cannot leave ourselves vulnerable enough to allow bad actors to control essential infrastructure such as energy supply, water management, supply chains inno public transit. mr. dorsey, , as you noted in yr testimony your office has identified information security as a top management challenge in the department of transportation. but yet the dot has not resolved dozens of open recommendations by your office in the last year. in the report done by clifton larson released october this year, they conclude that the dot must develop and communicate and organizationwide supply chain risk management strategy and implementation plan to guide and govern supply chain risks. what do you see as barriers to this recommendation being implemented? given the supply chain issues were currently experiencing how urgently can the department of transportation act on this recommendation to avoid future disruptions? [inaudible] >> i think you need to get unmuted. >> sorry. thank you for the question, congressman. as noted in my testimony there are three key areas of the department needs to take immediate steps to address obscured issues with identified over the years. addressing supply chain risk and the issues applies to all the cybersecurity issues. what the department needs to do is to solidify its leadership at the department to the security office level to ensure that working with the current and new chief information officer that they established the right type of framework and controls to ensure the enforcement of the various recommendations that we've made over the years. the second thing the department needs to do is to develop a comprehensive dot wide cybersecurity study to address our current weaknesses. until they do so, which we made a recommendation, we made an overarching recommendation of this year, and to the department's could it they admit that recommendation once theyceo that, i think that will go a long way with addressing some of the concerns regarding supply chain mismanagement. the last thing to ensure proper control in place to protect and secure its i.t. infrastructure and with regards to supply chain risk management as key area will focus on during our review this year and will continue to report on that as we move forward. thank you. >> thank you. ms. newhouse, leaving ourselves open to ransomware and other cyber attacks puts people's lives in jeopardy. it's a national security risk and threatensth our economy. there needs to be a better communication between the private sector and government to ensure we're prepared for future attacks. and our hearing of november 4 we heard concerns the industry representatives that reporting mandates would create a flood of information resulting in pertinent information being lost or skipped over by o agencies. what steps are being taken by the tsa to ensure reporting mandates are collecting and processing pertinent information in an effective manner? and, two, can you walk me through how tsa takes in reported cyber threats and processes the data? data? >> thank you, congressman. i appreciate that. i am very proud of the fact that we have continued our robust engagement. a lot of engagement with a lot of stakeholders including those who served on the panel the previous hearing. particularly myself and the staff, we had executive level meetings with senior executives and passenger rail on this very topic. we received feedback on her draft security directives. that's better informed her definition of what we were looking for have a cybersecurity incident. we made it more effective, less broad so it's actual or an incident that is reason likely to have a devastating impact on any of their systems. it is also important to note, those reports go to success central, they have a centralized operations center. i directives mandate reporting of the information to the central. >> thank you, my time is up, i yield back. >> the chair recognizes ms. van dyne for five minutes. >> thank you very much. i want to thank all of you for being with us is morning. my district is to dallas fort worth international airport which is the largest economic driver in the state of texas and the most important airline hubs. over thanksgiving we can we sell passengers numbers 1690% of prepaid debit volume dropped the country. the airport is part of a working group with dhs and tsa. we benefited from transparency and obtain valuable information from working together while also making positive improvement after tsa conducted a review. ms. hunter many of them were critical systems such as radar systems are hosted by airports around the country. does the faa offer collaboration similar to what we seen at dhs and tsa for airports? the second question, what more can the faa do to expand current collaboration and increase information at airports? >> thank you for the questions. i may have you repeat the first battle into the second verse. we collaborate extensively with airports to the aviation cyber mission as well as the aviation counsel which has airport authorities and aia as members. our collaboration with airports is pretty rich in substance. we share best practices with airports and on many occasions when there was a vulnerability identified high believe on the airport waiting system that was not faa component, we immediately share that across the airports industry. i would just ask if you could repeat the first question. >> the first question i talked about dhs and tsa inhabit how collaboration working to focus on transparency to better cooperate. i didn't know the question was that the faa had similar working groups with airports that the other to do? >> we participate with tsa on the airports working group. >> okay. >> i have a follow-up question for mr. grossman and victoria neuhaus. everything that we heard from airlines. in 2022 he could be a record-breaking year in terms of traffic for europe, middle east and south america given the pent up demand. obviously it could throw went into those plans. but cbp staffing for international arrivals will be critical. it could be a significant pinch point if they're not prepared. how is faa preparing for the disruptions of the system as they move closer to the busiest travel time of the year? >> i apologize, that is not a cybersecurity specific question. i believe our staffing numbers are not going to be impacted by that. >> are you expecting for the disruptions? or no? >> i'm not expecting any further disruptions, no. >> okay. so there's no preparations be made then? for the increased travel in 2022 question. >> we are staffed with increased travel. i'm not sure i understand the question specifically. >> what is the tsa's plan to ensure checkpoints to have proper staffing wait times organize for passengers customer spivak congresswoman we are moving forward very heavily as you may have heard from the ministry to over the past year. we worked very hard to hire as many officers as we can to very competitive labor market. we also focus on real-time reporting. we share that with her airline hanger partners daily and sometimes hourly to ensure any issues in the system whether it's equipment or personnel related is addressed immediately. last we have our deployment force ready and able to deploy at a moments notice to support increased operation around the country. we seen that successfully for major sporting events such as super bowl , spring-training hand and the other of a natural disaster. were able to put or personnel in for support air operation whether personnel are affected on the ground and the families can evacuate safely. thank you. >> i appreciate that. i again have gone lots of calls and questions from folks who are constituents in district 24. they travel a lot and there's a lot of frustration that they are feeling like the lines are getting much longer and the tsa folks are working. i just want to make sure that the focus are working on. thank you i yield back. >> picture mechanize as mr. lamb for five minutes. >> thank you, mr. chair and thank you to our witnesses. mr. dorsey, i want to start with you. i took from the testimony that while there are several technological and purely cybersecurity issues at play. there seems to be the foundation a personnel issue of maintaining consistent leadership in the key role in keeping people in place and bringing people up to the systems of the understand it. that's very similar to what i've seen on other committees dealing with cybersecurity and technology acquisition and implementation. it's not an easy problem to solve. i was curious within your work if you saw commonalities of why we were losing people failing to gain them in the first place or any suggestion on how we can fix the personal side of it? >> thank you for your question congressman. our assessments don't necessarily reveal what the workforce related issues are in respect to the cybersecurity pasta. i will not be able to provide you with the correct answer. what i will say, i am very encouraged by the department's current chief information officer in the various discussions i've had with him regarding the effort and his plans moving forward with respect to the workforce issues. we have found that there has been inconsistency at the top regarding the departments leadership from the chief officer as well as the chief information security officer. as i noted in my testimony, over the last you the department had an active chief security officer who said cybersecurity was not his primary role in 2020. i will say i have expressed from the conversations from the chief information officer that he look forward to working with him moving forward. >> i appreciate that. do any of our witnesses want to weigh in on this question. basically what i'm getting at is a common problem for us. people with strong cybersecurity management backgrounds are very high demand in the private sector. i don't know if you have any success stories or is just as you could make to us about putting on a firmer foot in a personnel's perspective. you are on mute it sounds like. >> thank you. i would like to respond to that. thank you for the question he gives her the opportunity to say that after noting cybersecurity at dot is our number one priority. our second priority is investing in our workforce. that means investing and helping them develop their careers so they're not only able to perform a higher levels with the current responsibilities but adequately prepare for future responsibilities. it includes recruitment and making sure that we higher in the right people with the greatest potential hand that were looking at her own people for future professional opportunities. i will refer back to my experience at cto and cio at the new york city department of transportation where i serve 13 years. in that role, we were able to achieve very low levels of attrition due to a robust training program that invested in our staff and make them part of the agency strategic mission where they felt ownership and empowered. even though the private sector often came with higher salaries we lost relatively few people. i understand from industry information. that's a frequent problem. not only for the government the private sector companies losing staff to one another as each tries to outdo each other with food and health in addition to cash compensation. the government is adding disadvantage when trying to compete in that arena. what we can do is play to our strengths which is the important information. opportunity for people to make a contribution to improving and now with this environment, the united states. i believe will have a compelling story to tell that will both attract good new people as well as help us keep the good ones that we already have. >> i agree we have to appeal to their patriotism and if there's any way we can up agencies do that, you let us know because we know how important it is. thank you for your participation i yield back. >> the chair recognizes ms. steele for five minutes. >> thank you, mr. chairman and ranking member for holding this important hearing. during my tenure of serving as a supervisor and board of director for orange county transportation authority with the cyber attack on the oct a. hackers brought computer systems for two days and demanded ransom to unfreeze them. we did not pay the ransom and they ignored the demand and we had staff restore all servers. i want to ask ms. neuhaus, are there ways better agencies can improve communication with the state and local government to protect against the cyber attacks and you think the united states has a proper workforce to buy the current and future threats based coming in from china and north korea? >> thank you congresswoman. we are very proud of our relationship with the federal, state and local partners. many who operate critical transportation throughout the country. we have a very robust field operation and place that focuses solely on service operation. that's one resource available 24/7. each region we divided up into six region and has a responsible team a personnel ready to go to engage one on one. you are absolutely hit on the nail. that continued collaboration and dissemination of information could be anonymized but is important that we provide both threaten indicator information to all operators whether state or local or private and we established a number of mechanisms to do that through our directives we are looking for reporting so we can filter that makes her get sent out anonymized and work through assistance is essential to make sure the reports are getting disseminated in a timely manner. tsa operations center served as a redundancy. third we do have unique information sharing cells within the united states government. we have groups of individuals for service transportation and aviation that can participate in daily threat briefings. they could do it remotely from the location and that's another opportunity where we provide the persistent and formation, threat and tools. you point out that the nation state actors security bulletin as recently as last week referencing a nation-state actor. that is what tsa, dhs enterprise work very closely with the u.s. intelligence community. we rely closely and heavily on their intelligence and assessments along with a bureau of investigation and law enforcement entities. we have the workforce in place in the united states government. i have a backward and intelligence operations myself. i can say with personal knowledge we have direct access to the intelligence and law enforcement information. >> thank you very much for your detailed answer. admiral, i've a question. protecting against cyber threats is really critical for the long beach and l.a. right now we have a supply-chain crisis and we have about 175 ships waiting to unload. it's very important. congress has made several changes to better integrate cybersecurity training in response. how is the coast guard conducting vulnerability assessments of maritime critical infrastructure. can you describe how coast guard builds cyber resilience and the ports of l.a. and long beach and others like it from attacks? >> congresswoman the current supply-chain crisis highlights mts to our national economy into a national security. emphasizes the need to put proper protective measures in place but also be able to be resilient in response to attacks. we put together comprehensive framework that we believe federal maritime regulator across the whole prevention and response framework to make sure port communities maritime infrastructure to prevent attacks and able to respond and be resilient. the port security grant program is a key program for building resiliency into ports and funding fy 21 we were able to fund 60 project the $18 million in provide such support of l.a. the opportunity to increase her assessment. i'm happy to follow-up with a brief "after words" if desired. >> thank you very much. i have one more question but i'm gonna submit this question. my time is up and i yield back. >> that concludes our hearing i would like to thank each of the witnesses for your testimony your comments have been insightful and helpful. ask for consent remain open until eyewitnesses provided answers to any questions that submitted in writing. i ask i consented the record made open for 15 days for orders without objection, so ordered. theo committee stands adjourned. [inaudible conversations] [inaudible conversations] [inaudible conversations] today supreme court justice stephen breyer announced his retirement. president bill clinton nominated him to serve on the nation's i scored in 1994. four. he passed senate confirmation by vote of 87-9 and a sworn in the sworn in as a 105th justice on the court on august 3, 1994. >> american history tv saturdays on c-span2, explain the people and events that tells the american story. 2 p.m. eastern on the presidency we will look back on the scandal that led up to president richard nixon's resignation with jeff shepherd who was at the time the youngest lawyer on president nixon's white house staff pick is also the author of the nixon conspiracy, watergate, and the plot to remove the president. then at 8 p.m. eastern on lectures in history professor catherine teaches a class on politics and culture in the united states from 1800 through the 1830s. she describes how the country changed during the time between the presidencies of thomas jefferson and andrew jackson you're exploring the american story. watch american history tv saturdays on c-span2 and find a full schedule on your program guide or watch online any time at c-span.org/history. >> the u.s. house returns tuesday with votes later in a week on legislation to end forced arbitration agreements for sexual assault and harassment survivors in the workplace. members are expected to vote on whether to prevent foreign individuals who violate lgbtq human rights from entering the u.s. on the other side of the capital the senate is back monday at 3 p.m. eastern and will consider several of president biden's judicial and executive nominees. they include your pennsylvania president amy gutman to serve as u.s. ambassador to germany, and lita joe louis to be president of the export-import bank. watch live coverage of the house on c-span, the senate on c-span2, unlighted c-span.org, or are new c-span now video app. >> next house rules committee holds a roundtable on hunger among college students. members discussed the role of the federal government in local communities and preventing hunger on college campuses as well as barriers to existing basic needs programs. this is about two hours 15 minutes. >> college students who worry about food often seeof the greas take a hit. they can take them over

Related Keywords

Miami , Florida , United States , Puerto Rico , Germany , Mexico , New York , New Jersey , Texas , Virgin Islands , Whitehouse , District Of Columbia , Togo , Dallas , Americans , America , German , American , Mister Grossman , Mister Schachter Grossman , Larry Grossman , Greg Carson , Cordell Schachter , Mister Larry Grossman , Amy Gutman , Mister Dorsey , Mister Schechter , Mister Kevin Dorsey , Grossman Mister , Mister Belcher , Mister Cordell , Mister Marino , Mister Malinowski , Mister Carter , Mister Schachter , Kevin Dorsey ,