Transcripts For CSPAN3 Hearing On The Cyber Threats And The Colonial Pipeline Attack 20240709

from the federal response to the colonial pipeline ransomware attack. without objection, the chair is authorized to declare the subcommittee in recess at any point. thank you to chairwoman clarke, ranking member gimenez, ranking member garbarino, and our panel of witnesses for joining us. the impacts of the may 7th ransomware attack on colonial pipeline were far reaching. as we all know now, nearly half of the east coast fuel is supplied by the colonial pipeline. when the pipeline was shut down, americans struggled to fill up their gas tanks and the incident threatened to cause major disruptions to the economy and well being of our country. that is why it is so important for us to have a conversation today about the federal government's response to the colonial incident and its role in ensuring the cyber security of our critical infrastructure. last week we heard from the ceo of colonial pipeline about how his company responded to the ransomware attack against it. i also asked him why his company prior to the attack appears to have resisted tsa's efforts to assess the pipeline's security prior to the attack. today we will hear from tsa and cisa, the dhs components that are charged with ensuring the cyber security of our nation's pipelines and responding to cyber incidents. i'm looking forward to learning not only about tsa and cisa's engagement with colonial before and after this incident but also about their plans to ensure we are better prepared next time, and unfortunately we know that there will be a next time. in recent weeks, we have seen two transportation systems fall victim to ransomware attacks in new york city and massachusetts. hospitals have been brought to a halt. even one of our nation's largest meat packers was shut down. we must ask ourselves what's next? our power grid? our aviation system? maybe next time it won't be foreign hackers looking for a quick payday but a nation state looking to cripple our economy.
given the magnitude of these threats we need to ensure cisa and sector specific agencies like tsa have the tools and authority they need to take action and that they use them. in the pipeline context, since tsa's establishment nearly 20 years ago, it has been the principal federal entity responsible for pipeline security. to this end, tsa published its pipeline security guidance and conducts pipeline assessments and inspections including assessments that focus specifically on cyber security. to date, these assessments have been voluntary, and unfortunately, voluntary standards have proven insufficient. according to tsa, prior to the attack, tsa had asked colonial pipeline on no less than 13 occasions to participate in physical and cyber pipeline security assessments. citing covid-19, colonial repeatedly delayed and chose not to participate. on multiple occasions, colonial didn't even bother responding to tsa's e-mails. in fact, colonial still has not agreed to participate in the physical assessment and only agreed to cooperate with tsa's cyber security assessment three weeks after the ransomware attack occurred. what's more, when a member of this committee asked colonial's ceo whether he would accept cisa's assistance, he politely declined. if this is how they view their regulators and federal partners, we have a problem. although many of these systems may be owned by private companies, when you operate infrastructure that we all depend on, you have a responsibility to the public. the good news is the tsa administrator has existing authority, statutory authority to address this. just a few weeks ago tsa used this authority to impose the first mandatory cyber security requirements on pipeline owners and operators. specifically, now they must report breaches, designate cyber security coordinators and self-assess their compliance with tsa security guidance. this is an important first step, but more must be done.
we must empower tsa and cisa to act boldly to ensure operators of pipelines and all other forms of transportation part in their systems. meanwhile, it is similarly important that other agencies in the federal government respect tsa and cisa's experience and expertise on these matters. the cyber security of our critical infrastructure is too serious for us to reinvent the wheel by providing duplicative authorities to the entity. tsa has the authority and technical talent that we need to tackle this challenge. and finally, before i conclude, i must note my disappointment that the fbi declined an invitation to attend this meeting. it is critical that members fully understand the fbi's role and efforts to counter cyber threats and i look forward to their participation in future events on these topics. that said, i'm looking forward to hearing from today's witnesses about how the attack on colonial pipeline will inform their approaches going forward. and the chair now recognizes the ranking member of the subcommittee on transportation and maritime security, the gentleman from florida for an opening statement.
>> thank you, chairwoman clarke and ranking member garbarino. i'm thankful that the committees are holding this joint meeting on cyber threats to pipelines. as we saw in the recent ransomware attack on colonial pipeline, securing our nation's 2.7 million miles of pipeline is of utmost importance. i look forward to hearing from mr. goldstein, ms. sonia proctor, and how cisa and tsa work together to ensure pipelines are secure from cyber threats. i thank the witnesses for their time today. i'm interested to hear from tsa with the directive that tsa issued last month, and ms. proctor detailing what plans tsa has for additional directives in the near future. i'm concerned with the push to move from the department of homeland security to the department of energy.
i wholeheartedly agree there's more tsa can do in terms of increasing resources and expertise but i believe tsa or the department of homeland security is the appropriate agency to oversee pipeline security. tsa's close collaboration with cisa ensures there is a strong effort in securing all transportation modes against cyber threats. as a committee, we need to continue to strengthen our nation's cyber security by strengthening cisa and giving them all the tools and responsibilities needed to keep all of our cyber infrastructure safe and secure. i look forward to the discussion today for the security of our nation's pipelines against continued threats of cyber attack and frankly all of our nation's security threats and how we can protect the united states of america from cyber threats in the future, and madame chairwoman, i share your displeasure that the fbi did not participate today. thank you, madame chairwoman, and i yield back the balance of my time.
>> the chair recognizes the chairwoman of the subcommittee on cyber security, infrastructure protection and innovation, the gentle lady from new york for an opening statement.
>> i thank you, madame chairwoman bonnie watson coleman. to ranking members gimenez and garbarino, i thank you for working with me on today's hearing, and to our witnesses for joining us today. the ransomware attack on colonial pipeline was a reminder to us all that cyber attacks can do more than compromise our data. we've seen ransomware attacks cripple hospitals, manufacturers, municipalities and meat packers. we've seen ransom demands skyrocket, operations brought to a standstill, and organizations left without many viable options aside from paying an unknown group of criminals who may or may not be subject to u.s. sanctions. unfortunately, the takeaway for many of the criminals behind these attacks is that ransomware is easy money. these attacks are not the stuff of solarwinds.
they're simple, unsophisticated and rely on common cyber security missteps present in most organizations. i say this not to be fatalistic, but to acknowledge the tremendous challenge we face. these attacks are not going to slow down, and adversaries have learned that the higher the stakes for the victim, the higher the payout they'll likely get. if there's one message i hope to drive home today, it's that this administration needs to have a plan for responding to cyber incidents and be ready to execute that plan at a moment's notice. specifically the national cyber incident response plan, which lays out clear roles for cisa, fbi, and other parts of the federal government that play a role in responding to cyber attacks on critical infrastructure. we also have long standing directives like ppd 21 and ppd 41 that make cisa responsible for coordinating federal efforts to secure critical infrastructure and doing so hand in hand with sector risk management agencies like tsa, which oversee security for the pipeline sector. it appears the administration deviated from that plan in a number of ways, and i want to understand why that happened and what's being done to fix it. i want to see this administration become a well-oiled machine when it comes to responding to these attacks because that's what will be demanded moving forward. the second point i hope to make today is this: although cisa has come a long way in a short amount of time, there are still parts of its mission that we need to clarify. and there are parts of its mission that we need to authorize and resource, commensurate to the enormous job we're asking this new agency to do. right now, cisa is tasked with leading asset response activities during a significant cyber incident, but what if the victim organization hires fireeye instead? what if they decline cisa's offer to provide technical assistance and delay or refuse to share information about the incident with cisa?
what if they never report the incident to the federal government in the first place? this undermines our national security. cisa needs access to information it can use to understand the threat landscape and develop technical indicators that will help other entities prepare for similar attacks. as i've said before, i'm working on legislation that will require critical infrastructure to report certain cyber security incidents to cisa so that we're developing the muscle memory and the institutional knowledge to improve our cyber defenses over time. but this is only half of the battle. cisa also needs realtime visibility into threats on private sector networks so they're empowered to collaborate with owners and operators before, during and after an attack or prevent the attack from happening in the first place. this is especially true for the industrial control systems that power pipeline operations, energy generation, and countless other industrial functions we rely on each and every day. these systems are increasingly connected to business and i.t. networks, which makes them vulnerable, and simply severing those connections is not always feasible. for the past few years, cisa has been piloting a program called cybersentry, that gives cisa the ability to monitor and detect cyber threats on participating infrastructure networks and work proactively with owners and operators to address threats in realtime. this is the kind of operational role that congress envisions cisa playing on critical infrastructure cyber security and i'm currently working on legislation to strengthen and codify these efforts. i would be remiss if i did not mention that the federal government can only do so much. we need private sector critical infrastructure to step up, not just by investing in their own cyber security but also by partnering with the federal government.
we need the private sector to open the door to cisa and tsa, not just because it benefits them, but because it benefits our collective national security. in conclusion, i will also echo the chairwoman's disappointment and our ranking member's disappointment that the fbi declined our invitation to participate in today's hearing. you cannot espouse the virtues of a whole of government response one minute and then refuse to appear before the congress with their interagency partners the next. but i nevertheless look forward to hearing from the dhs officials who have answered the call to testify before us today. and with that, madame chairwoman, i yield back.
>> i thank the gentle lady from new york. i now recognize the ranking member of the subcommittee on cyber security, infrastructure protection and innovation, the gentleman from new york for an opening statement.
>> i thank you, chairwoman. first i'd like to thank you as well as chairwoman clarke and ranking member gimenez for calling this important hearing and i thank our witnesses for being here today. last week's full committee hearing on this topic was an important opportunity to peer into the decision making process at colonial and to better understand the business or victim facing side of an attack. this week's hearing affords us a unique opportunity to more closely examine the federal government's coordination and response efforts following an attack. while ranking member katko, myself and our partners on the other side of the aisle have all expressed concern with the white house's decision to have the department of energy leading the federal response to this attack instead of cisa and tsa as the lead agencies for the pipeline sector, we should all recognize the decision was not any of yours to make. we are very appreciative of your efforts in response to this hack and many others. but there are clearly still many questions regarding this attack that need answers.
and i hope we're able to get clarity on the outstanding issues here today. i'm interested in learning more about the value cisa is providing to industry leadership. cisa provides a treasure-trove of helpful guidance to bolster their cyber posture. it's increasingly clear it should be hitting the desks of our nation's ceos and cios for making the tough investment decisions. while many of the members of our subcommittees understand the inherent value that cisa provides the agencies and industries alike, the truth is cisa has a lot to prove to the hill, and it's important that you all are able to demonstrate that value. as the newest agency within the newest department, you're going to have to be forceful in staking your claim to ensure you're all leading the charge on major cyber incidents. the white house also shoulders some responsibility. it must empower cisa with the statute to be successful and appropriately delineate responsibilities between cisa, the sector risk management agencies and the incoming national cyber director. cyber threats are rarely isolated to one sector, and cisa's role as a central agency that connects the dots will help secure all critical infrastructure across our nation. it is also important that you are all not bashful when it comes to highlighting areas that need strengthening and areas that require additional resources, personnel, or authorities. thank you all for being here today, and i yield back.
>> thank you very much to the ranking member. members are also reminded that the committees will operate according to the guidelines laid out by the chairman and ranking member in their february 3rd colloquy regarding remote procedures. the chair now recognizes the chairman of the full committee, the gentleman from mississippi, mr. thompson for an opening statement.
>> thank you very much.
good afternoon, i want to thank chairwoman watson coleman and chairwoman clarke for holding this important hearing on the federal response to the recent ransomware attack on colonial pipeline. the attack on may 7th that resulted in the week-long shut down of the 5,500 miles of petroleum pipeline on the east coast clearly represents a significant cyber attack on critical transportation infrastructure. it is clear that the future will bring more attacks like this, whether they're organizations like darkside that seek to exploit cyber security weaknesses for profit or foreign enemies seeking to weaken our nation. the federal government must be prepared to fight off attacks and respond to successful security breaches swiftly and effectively. the cyber security and infrastructure security agency is the lead federal coordinator for securing critical infrastructure from cyber attacks. and the transportation security administration is the designated sector risk management agency for pipelines. yet, colonial failed to properly engage with tsa in recent months in order to safeguard pipelines against attacks and repeatedly rejected technical assistance from cisa following the ransomware incident. while i'm pleased that colonial has finally agreed to a virtual cyber security assessment from tsa, i'm alarmed that they refused to do so until three weeks after an attack that resulted in the full shut down of their pipeline. despite authority placed within the department of homeland security to respond to cyber attacks on pipelines, including through tsa authority to issue emergency security directives, the department of energy was made the lead agency for response to the colonial incident. additionally, the federal government did not deem the attack a significant cyber incident as defined by policy, despite its substantial impact. if you don't believe me, ask those folks who were trying to find gasoline all over everywhere while this event was going on. it was a significant cyber event.
cyber incident response plans have been carefully crafted to ensure proper government response to incidents and we must ensure they are followed appropriately. the attacks on colonial and others provide opportunities to learn and improve the resiliency of the pipeline sector and critical infrastructure across the u.s. i was pleased to see tsa take initial action by issuing the first ever mandatory cyber security requirements for pipelines. these new requirements went into effect on may 28th and will be critical to improving coordination among the pipeline industry, cisa, and tsa. more must be done to increase protections for pipelines and allow federal authorities greater ability to assess weaknesses in critical transportation infrastructure. unfortunately, cyber criminals are not going anywhere anytime soon. in fact, they're getting smarter and cyber attacks are likely to become more common. we must ensure the department of homeland security remains at the forefront of protecting our critical infrastructure from these threats. i look forward to your testimony. i yield back, madame chair.
>> thank you very much, chairman. i now would like to welcome our panel of witnesses. ms. sonia proctor is the assistant administrator for surface operations at the transportation security administration. in her role she is responsible for strategic surface transportation security operations, not only agency wide but also on a national level, and in all surface transportation modes, including mass transit, freight rail, highway, motor carriers and pipelines. ms. proctor has served in several roles at tsa previously, including in leadership roles at ronald reagan washington national airport and within the office of law enforcement and federal air marshal service. prior to joining tsa, ms. proctor served 25 years in the metropolitan police department rising from a patrol officer to interim chief of police. and she served as the chief of police for the amtrak police department. mr. eric goldstein serves as the executive assistant director for cyber security for the cyber security and infrastructure security agency. in his role, mr. goldstein leads cisa's mission to protect and strengthen federal civilian agencies and the nation's critical infrastructure against cyber threats. previously mr. goldstein was the head of cyber security policy, strategy, and regulation at goldman sachs, and he served in various leadership roles at cisa's precursor agency, the national protection and programs directorate. mr. goldstein has also practiced cyber security law at an international law firm, led cyber security research and analysis projects at a federally funded research and development center, and served as a fellow at the center for strategic and international studies. without objection, the witnesses' full statements will be inserted in the record. i now ask each witness to summarize his or her statement for five minutes beginning with ms. proctor.
>> good afternoon, chairwoman watson coleman and clarke, ranking members gimenez and garbarino, and distinguished members of the subcommittee. i appreciate the opportunity to appear before you today to discuss tsa's role in securing our nation's pipeline systems. i also appreciate your indulgence as i resolve my own technology issues this afternoon. pipeline systems are vital to the economy, our national security, and the livelihood of our country. there are more than 2.8 million miles of natural gas and hazardous liquid pipelines owned and operated by over 3,000 private companies. pipelines are susceptible to physical attacks and, as recently evidenced, cyber intrusions as well. these threats have the potential to negatively impact our national security, autonomy, commerce, and well-being. for these reasons, tsa remains committed to securing our nation's pipelines against evolving and emerging risks.
to support this commitment, in october 2019, tsa established the office of surface operations and expanded its pipeline security staff from six positions to 34 positions working on field and headquarters operations and policy development. tsa has had a long established, productive private/public partnership with government partners and the pipeline industry to protect the transport of hazardous liquids and natural gas. to support pipeline owners and operators in securing their systems, tsa developed and distributed security training materials for industry employees and partners to increase domain awareness and ensure security expertise is widely shared. and in conjunction with the pipeline industry and our government partners, tsa developed a pipeline security guideline to provide a security structure for pipeline owners and operators to use in developing their security plans and programs. while the guidelines are not mandatory, the recommended security measures for both physical and cyber security serve as the de facto industry standard. tsa works with industry partners to assess and mitigate vulnerabilities and improve security through collaborative efforts including intelligence briefings, exercises, assessments, and on site reviews. two key examples would be the validated design reviews, to promote a secure cyber security posture, that tsa conducts in coordination with cisa to detect a pipeline operator's infrastructure and technology systems, and the pipeline corporate security reviews and pipeline critical facility security reviews that assess the degree to which the pipeline company is adhering to the pipeline security guidelines' physical and cyber security measures. in response to the recent pipeline cyber intrusion, tsa used its statutory authority and issued a security directive, which has the force of a regulation, aimed to strengthen the cyber security and resilience of pipeline owners and operators.
tsa is committed to using its authority to implement appropriate security measures to elevate both the physical and cyber security of the pipeline industry. in addition, tsa in close coordination with the department and cisa continues to explore ways to mitigate threats through additional cyber security measures to ensure that critical pipeline owners and operators are engaging in baseline cyber hygiene and have contingency plans in place to reduce the risk of significant disruption of operations if a breach occurs. the pipeline system is crucial to u.s. national security, transportation, and energy supply. and that drives tsa's work to continue collaborating with our government and private partners to expand the implementation of intelligence driven, risk based policies and programs. thank you for the opportunity to discuss tsa's pipeline security programs and i look forward to your questions today. thank you very much.
>> thank you, ms. proctor. now i will recognize mr. goldstein to summarize his testimony for five minutes.
>> chairman thompson, chairwoman coleman and clarke, members of the committee, as noted in the members' opening statements, cyber security threats represent an urgent risk to our national security, economic security and public health and safety. the committee is to be commended for your continued focus on this issue and your support especially role they're in. as the lead agency for civilian cyber security, cisa plays several key roles in managing the risk of ransomware and other intrusions. in particular, recognizing that most ransomware intrusions exploit known vulnerabilities, cisa develops and shares best practices to help organizations reduce the likelihood and impact of a ransomware intrusion.
to this end, in january of this year, cisa unveiled our reduce the risk campaign. a few months later in april, secretary mayorkas issued a high profile ransomware sprint that included a series of national events intended to ensure that leaders across the country understand the criticality of the risks and take urgent actions in response. and our work has continued as we further update guidance and drive risk reduction. cisa serves a critical role in providing support to victims of cyber security incidents and sharing actionable information to protect future possible victims. upon learning of the colonial pipeline intrusion, cisa immediately began to collaborate with the fbi and other federal partners to gather information that could be used to help protect other potential victims of these sorts of serious campaigns. within four days of the intrusion, cisa and the fbi published a cyber security advisory with specific mitigations to reduce the likelihood and impact of similar events. we updated this advisory with technical indicators of compromise and amplified the alert to maximize use by network defenders including through a stakeholder call with 9,000 participants from across critical sectors. these activities reflect cisa's role in national cyber security. while cisa's expert network defenders are available to provide response and threat hunting upon request, of equal importance is our role in quickly using information from intrusions to protect others. and well before the colonial intrusion, cisa was taking action to address cyber security risks facing the pipeline sector. in particular, through the pipeline cyber security initiative, cisa works closely with tsa and pipeline companies to conduct vulnerability assessments, analyze risk to the sector, and implement a key pilot program called cybersentry which, as ms. clarke noted, leverages commercial technologies to monitor highly critical infrastructure networks for sophisticated threats.
going forward it's very clear as a nation we must do more to address the risks of ransomware and other cyber intrusions affecting our nation's critical infrastructure. to this end, cisa is urgently driving progress in several key areas. first, we must gain increased visibility into cyber security risks and use this visibility to produce targeted guidance, share actionable information, and prioritize incidents that do occur. tsa's recent security directive that requires reporting of cyber security incidents to cisa is one key step, and we continue to evaluate potential ways to drive further reporting of incidents and cyber security risks to cisa in order to further enable this essential visibility. second, we must continue to invest in and mature our voluntary partnerships with critical entities across the country. going forward, we are implementing our joint cyber planning office to plan, exercise and coordinate cyber defense operations between government and the private sector. third, we must leverage lessons learned and capabilities matured through our federal cyber security mission, including through activities undertaken in executing the president's recent executive order, to support our partners across critical infrastructure, including by conducting persistent hunts, ingesting, analyzing and acting on security data, and driving defensible architectures. funding provided in the american rescue plan act is a critical down payment in driving this essential change. additionally, the establishment of a cyber response and recovery fund, or crrf, will ensure that cisa has sufficient resources and capacity to respond rapidly to cyber incidents. recommended by the cyberspace solarium commission, and recently passed by the senate, we do hope that the crrf will be considered soon by the house and provide cisa with additional resources to conduct our rapidly evolving and essential mission.
in conclusion, our nation is facing unprecedented cyber security risk, and the list of significant incidents in recent months is long and growing. now is the time to act, and cisa is leading our national call to action. we will deepen our partnerships, enhance our visibility into national cyber security risk and drive targeted action in collaboration with our partners in the public and private sector, our international allies, and with congress we will make progress in addressing this risk and maintaining the availability of critical services to the american people. thank you, again, for the chance to appear today and i very much look forward to your questions.
>> thank you, mr. goldstein, i want to thank both of the witnesses for their testimony, and i will remind the subcommittee that we will each have five minutes to question the panel. i'll now recognize myself for questions. the tsa pipeline security assessments are currently voluntary, although a new security directive does require operators to self-assess their compliance with tsa's guidance. this security directive requires critical pipeline operators to report cyber incidents and designate a cyber security coordinator who will be available 24/7. so ms. proctor, i'd like to ask you first, would you please discuss the process that led up to this security directive? how did tsa determine the directive was needed and how did you decide to include these specific elements? you have to unmute yourself, ms. proctor.
>> ms. proctor?
>> madam chair, i'm sorry if that was directed to me. i'm having some connection problems again. i thank you for your indulgence again. i'm requesting some assistance.
>> can you hear me now? can you hear me? why don't we skip me, and -- i don't have -- madame chair, can you hear me?
>> i can.
>> okay. i'm having some technical problems again. the voice is going in and out.
i'm requesting some assistance. so i beg your indulgence one more time here.
>> thank you. mr. goldstein, then may i ask you a question?
>> yes, ma'am.
>> beyond pipelines, have you considered promulgating cyber security standards for other surface transportation modes like mass transit and airports?
>> thank you, ma'am, for that question. in general, cisa's goal is to be a source of cyber security expertise across all sectors. where a given sector is subject to regulations by a regulator with a particular jurisdiction, we certainly engage in discussions with regulators like tsa to ensure that they are benefitting from cisa's cyber security expertise when they are developing regulations that are applicable to entities within their given jurisdiction. we have a collaboration of a ro with tsa and look forward to conversations with other regulators based on their own unique authorities.
>> i'm going to take that as a yes. i take that as a yes.
>> we support strong cybersecurity across all sectors, ma'am. that's correct.
>> thank you. thank you. i did have some questions for ms. proctor, but unfortunately, she is not able to answer those questions. so if we clear this up in the next few minutes, i will ask her questions. but now, i will go to the ranking member, mr. gimenez for his five minutes.
>> thank you, madam chairwoman. i really appreciate it. this is for mr. goldstein.
>> that's the only question we had for him, right?
>> mr. goldstein, is there any real difference -- i understand that tsa has jurisdiction, i guess, over pipeline security. but i look at cybersecurity a little different than, say, physical security over the physical aspect, the pipeline itself. we know there are threats to the pipeline. somebody does sabotage, et cetera, those are things we need to protect, and tsa needs to do that.
in terms of cybersecurity, is there really a difference between the control systems for the computer network, the thing that's going to be hacked, for a pipeline and, say, an airport or a bank? or any such thing. isn't ransomware really attacking the computer systems themselves, and it really doesn't matter what industry that computer system is controlling?
>> sir, thank you for that question. i think there are two ways to answer it. the first is, i think your last statement is absolutely correct. ransomware is a threat that can impact any organization in any sector, big or small, financial, energy, hospitality, across the board. which is why cisa has been so focused on promulgating these cross-cutting best practices and guidance, including our advisory promulgated after the colonial intrusion that is applicable to any organization. as you imply, these sorts of cybersecurity best practices are generalizable across sectors. now, it's also the case that different sectors may use different specific technologies; they may have different network architectures or different ways to use devices to achieve their operational needs. when it comes to the cybersecurity practices that we want to see, things like making sure your software is patched, you're using multilevel authentication, those are practices that are generalizable across sectors and regardless of the size of company.
>> so when cisa makes a recommendation, do you make a recommendation to the agencies across the federal spectrum and say these are the things we recommend that you do, recommend or write a regulation for your specific sector? is that the way it works here in the federal government?
>> so in general, cisa puts out guidance and best practices and, in the case of federal agencies, directives that are generally applicable.
occasionally, we will put out guidance that is specific to control systems, or certainly if we know about a given threat or incident that's affecting a particular sector, we may produce a targeted alert or warning focused on nuanced risk to a given sector or even a given device, or we have information that a certain device is being exploited. regarding our interaction with regulators, generally, regulators including tsa may seek cisa's expert advice and consultation on how to produce cybersecurity regulations that actually drive improved security and can be expected to reduce the likelihood of damaging incidents affecting that sector. but given the unique authorities and independence of many regulators, cisa is generally a font of expertise for those regulators to exercise their authorities in this space most effectively.
>> that's why i have a problem. okay. the problem that i have is that it appears to me that cisa is there to protect basically the thing that we're communicating with right now. okay. and that is the control systems, the control systems that are controlling most of america now, energy, the electricity, the pipelines, banks. it's coming out of a computer, and the computers are being hacked. and that's where our vulnerability lies. my concern is that different agencies may put different emphasis on the vulnerability that we have for cyberattacks and that it's really not focused. tsa's focus for the most part, i see, the real focus is airport security, port security, and all that. physical security. and then cyberattacks, yeah, okay, but that may not be our core mission. whereas your core mission is cyberattacks. so wouldn't it be better for the federal government to kind of gel that into your agency and you become the voice on what needs to be done on cybersecurity? that's an opinion i'm asking, and i know it's a loaded question. if you can answer it, please do.
>> without question, cisa's key role today is being the federal civilian government's lead voice on cybersecurity. and our goal is to use every single platform to make sure that business leaders, that federal agencies, that regulators understand the criticality of this risk and act on it with urgency and immediacy. certainly, under current law, our goal is to work with agencies that have unique authorities to drive change, to help them use those authorities to maximize security improvement within their sector, but to your point, we strongly agree that cybersecurity needs to be a top-of-mind issue in every board room, in every c-suite, and every federal agency.
>> thank you. i see that my time is up. thank you.
>> thank you, ranking member. i now recognize the chairlady from -- the gentlelady from new york for her five minutes.
>> i thank you, madam chairwoman. mr. goldstein, as i said in my opening remarks, i believe that for cisa to carry out its broad cyber mission effectively, it needs, number one, greater access to information about major cyber incidents, and number two, greater visibility into threats targeting private sector networks in real time. that is why i'm working on two pieces of legislation. one would require critical infrastructure owners to report cyber incidents to cisa, and the other would authorize the capabilities cisa has built through the cybersentry pilot. i see these efforts as complementary, giving cisa the ability to monitor threats today and also learn how and why they're successful so we can prevent them from happening tomorrow. can you talk about how cybersentry works, and some of the ways that it helps cisa partner more effectively with the private sector?
>> yes, ma'am. absolutely. to begin, thank you for your ongoing support of cisa. it is deeply appreciated.
you know, as you noted, one of the challenges that cisa and frankly our country faces is a lack of visibility into cybersecurity risks facing our nation's critical infrastructure. and when we say cybersecurity risks, we should be precise about what we're speaking about. what we're talking about is the possibility of criminal groups or nation states breaking into our critical infrastructure with the intent to do harm. without that visibility, cisa is unable to fully conduct two of our core functions. the first is to understand systemic risk across our country and provide actionable information that can protect others so they can either detect and block these threats before break-ins occur or they can evict adversaries from their networks once the intrusion happens. we're also not able to fully understand those entities that may need our voluntary assistance in order to help understand the intrusion, remediate, and recover. cybersentry provides a unique capability to help protect the most critical infrastructure in this country. and what we have learned from a long history of cybersecurity intrusions is that many intrusions impacting critical infrastructure, and particularly control systems, actually begin on business networks. and so cybersentry provides commercial off-the-shelf technology that helps detect cybersecurity threats that are attempting to move from business networks to the operational technology or control systems network, provides coverage of both, and allows cisa to use sensitive information about particular adversaries or threats to help understand and rapidly identify those kinds of threats manifesting across the most critical networks. cybersentry is only a pilot today. it is deployed across a limited number of highly critical entities, but we have seen significant success with this program thus far.
it both provides cisa with the added visibility you mentioned and also provides real, concrete benefits to the owner-operators that are using cybersentry in the first instance, and we look forward to further maturing the pilot as we go forward.
>> as part of our -- as part of your pilot, so that it can be instructive as we're drafting this authorization, so thank you so very much for your work in this space. i know ms. proctor has joined us again. can you hear us, ms. proctor?
>> please accept my apologies.
>> no, no. understood. everything is not perfected yet. so we're just happy you're able to join us. i would like to ask just a quick question about the ppd-41, the national cybersecurity incident response plan. is that something that you're familiar with?
>> yes, ma'am. i am.
>> okay. there's a little delay, i guess, in your audio. on this committee, we spend a lot of time talking about the need for all organizations, large, small, public and private, to have incident response plans in place before an emergency, whether it's a flood, a fire, or a ransomware attack. it's important that in a crisis there's a framework to guide decision making and everyone knows what role they're supposed to play. the ppd-41 national cyber incident response plan lays out the federal roles and responsibilities, or lines of effort. would you agree with me that the colonial pipeline cyber incident was likely to result in demonstrable harm to national security interests or the economy of the united states as defined under ppd-41?
>> ms. proctor, you may answer this question.
>> she's delayed on her audio.
>> yeah, i just wanted to let you know that your time has expired, but she certainly may respond to your question, ma'am.
>> appreciate that.
>> yes, ma'am. i would agree with you on that. that was a significant incident.
>> very well. madam chair, i yield back.
>> thank you, madam chairlady. i now recognize mr. garbarino.
>> thank you, madam chair. mr.
goldstein, the committee has concerns with the white house's decision to put -- to place the department of energy at the helm of the federal government's response to the ransomware attack on colonial pipeline. in this case, doe is not the sector risk management agency, nor does it have a lead role in the cyber incident response in this case. dhs, via tsa, is the co-lead sector risk management agency along with the department of transportation. neither cyber incident response plan designates dhs via cisa as the lead agency for the response. what rationale were you and acting director wales given for doe being given the lead response to this incident? did you or any of cisa's leadership raise concerns with the white house about that? about doe being put in charge?
>> certainly, congressman. i think it's useful to separate the various elements of this incident because it is one of the first incidents that we have seen in this country where a cyber event led to a decision to disrupt a physical function upon which americans depend. and there really were, i think, three distinct aspects to the incident. the first was the cyber intrusion itself. the cyber intrusion, insofar as the federal response went, was managed in accordance with ppd-41. the fbi, of course, led the threat response, and cisa led the asset response. now, it happened to be in this circumstance, as colonial's ceo testified last week, that colonial chose to engage a third-party incident response firm rather than accepting cisa's offer of incident response assistance. under current law, that is certainly the prerogative of a company to do. not providing on-the-ground incident response assistance, cisa focused on our broader asset response role of protecting others. as mentioned in my opening statement, we shared urgent alerts, warnings, and advisories with detailed information to protect other organizations from this specific ransomware group and the broader ransomware threat.
the second element of this incident is the broad coordination of the national response. and of course, under ppd-21, the secretary of homeland security plays a critical role in coordinating the response to cyber or physical incidents affecting critical infrastructure. and here, secretary mayorkas certainly played that role in close coordination with the white house and with our partners in the interagency, and of course our secretary was at the white house podium and was one of the key national figures communicating about the response. the third aspect, of course, was the fuel supply issue: assuring that americans actually had fuel available to fill their tanks and that businesses were able to keep operating. and that is an issue within the remit of doe, and was one of the core focuses of the government's interaction with colonial, recognizing that, as advised by the company, the cyber incident was being managed by a well-regarded third party. so doe's role in this incident, and part of the reason for their centrality, was the justifiable national focus on the fuel supply issue and doe's unique expertise and equities in assuring appropriate provisional fuel across the eastern seaboard during the duration of this incident.
>> i get that, but this was the team, they were put in charge of the team for the government's response to the ransomware attack. this right now is a pipeline. next time, we don't know what it is. don't you think that -- or do you feel that further clarification is needed on the federal level as to who -- should cisa be the lead on all of these? because with a ransomware, it's always ransomware. we just don't know what other industry it's going to hit. i don't know if that makes sense, having doe in charge of this one and someone else in charge of another one. do you think clarification is needed on the federal level of who is actually in charge or at the top when there's a cyber incident?
>> in this case, certainly, cisa did undertake our asset response role, and of course, the advisories and communications we put out were joint with the fbi, consistent with ppd-41, and not with other agencies outside of that construct. but certainly, we are deeply conscious that as we see the potential for these sorts of incidents that bring together cyber intrusions and very real functional impacts that affect americans' lives, it's deeply important for the u.s. government to communicate clearly and concretely about how we approach these incidents and how we manage them as a whole-of-government effort to both reduce their prevalence and minimize impacts to the american people.
>> i get that. and under ppd-41, why was this not a significant cyber incident under ppd -- this seems pretty significant? why was this not?
>> this was absolutely a significant event. any time we have americans worried about cessation of an essential function like fuel, it is absolutely a significant event. here, however, based upon information received from colonial, the cyber incident aspects of this event were well managed by a trusted third party, and so based upon that information, the event itself was unequivocally significant and certainly dealt with as such at the highest levels of the u.s. government, but the cyber incident aspect of it was well managed by a third party and was a very well-known type of ransomware that likely didn't reach the cyber-specific threshold of significance that would usually trigger that designation under ppd-41.
>> thank you, mr. garbarino. mr. thompson, i recognize you.
>> thank you very much. let me thank the witnesses for their testimony. mr. goldstein, it's always good to see you as a witness. you're good. i want you to tell me what authorities you think cisa lacks at this point in time that this committee could help you with.
>> thank you, sir. always good to see you as well. i will really harken back to ms.
clarke's eloquent statements, which is we need the ability to get visibility into national cybersecurity risks. we need to understand where adversaries are intruding into networks across this country. we need to understand the techniques they're using to break in. we need to understand what they're doing or trying to do. the more of that kind of information that we get, we can then protect others and we can work as a whole of government to reduce the risk facing our country.
>> so how do we -- how do we codify that authority that you are describing?
>> yes, sir. so certainly, the more that we as a country can do to drive reporting of cybersecurity incidents to cisa, as tsa recently did with their directives and certainly as several of your colleagues have suggested via the other avenues, that will help drive that change. the second part, sir, is we need the ability to address resource gaps across far too many entities in this country, particularly our state, local, tribal, and territorial partners. the more we can do to help organizations that may be under-resourced and hard to invest in core cybersecurity build cybersecurity programs, including in the context of incident response, through the cyber response recovery fund or other mechanisms to allow our partners to get the funding they need, that will help raise the bar.
>> thank you. so do we need volunteer compliance on the part of companies? or do you see some -- something down the road where we'll have to require companies to meet a test for their systems?
>> certainly, sir. cisa right now is urgently focused on making best use of the voluntary partnership model where we are encouraging companies and giving companies help and resources to drive security across their systems and manage national risk.
>> i don't want to go over my time, but that's a good point. so what did colonial do?
>> sir, i don't have deep visibility into colonial's security posture at the time of the intrusion.
it is certainly the case today that there are many organizations in this company that -- pardon me, in this country who for a variety of reasons are unable to invest in the security they need, and the u.s. government must take urgent steps to incentivize, drive, require those companies to make the investments that they need to make.
>> okay. thank you. now, ms. proctor, what is your knowledge of what tsa did on the security side?
>> thank you so much for that question, sir. tsa has had a long relationship, security relationship, with colonial. and that goes back to the beginning of our pipeline security guidelines. we have conducted corporate security reviews with colonial in the past. we have had, as you're aware, we have done critical facility security reviews with them. and last year, during the pandemic, we approached colonial to engage in a validated architecture design review. that conversation was ongoing over a period of time. and they recently submitted their approval to participate. it's now scheduled for the last week of july of this year. but we have conducted --
>> thank you. and my concern is that if there's no regulatory requirement for companies to allow tsa or whomever to look at their security protocols, they'll tell you to come back next month. they'll tell you to come back in six months. and i'm just concerned that given the expansion of ransomware attacks, a volunteer system without some compliance authority mandated puts us at risk. and you don't have to comment. that's, you know, my thoughts on it. you know, you can have -- you can have relationships with companies, but if that company knows that they don't have to at the end of the day comply, i just don't see us working to a threshold for security. and so madam chair, i yield back.
>> thank you, mr. chairman. i now recognize representative harshbarger for five minutes.
>> thank you. thank you, madam chair and ranking members and witnesses. i have a question for mr. goldstein.
you know, cisa needs to engage directly with our nation's business leaders. and my goodness, there's even a voluntary program where they'll assess their vulnerabilities. but most of these companies, you know, they won't do it, and i totally understand why. they're afraid that their customer base may see that they have vulnerabilities, and they may not want them to know that they somehow would have their information compromised. there's things like their stock prices may drop. they may be afraid that they would be held in front of congress if this vulnerability is shown, so i do understand this. i guess my question is, what is cisa's position on whether a victim of ransomware should pay the ransom or not? who decides that?
>> thank you for that question, ma'am. it is the position of the u.s. government to strongly discourage the payment of ransoms. this is the case for two reasons. first of all, paying a ransom offers no assurance that the victim organization will actually have their data restored or have stolen data returned. and we have seen many instances of ransomware gangs either failing to decrypt the data or providing a decryption tool that only decrypts part of the data and still leaves a lot of the data locked up and unusable. but of course, the second reason is that these ransomware campaigns and these criminal gangs are fueled by ransom payments. and the more that organizations pay ransom, the more that we can expect these criminal gangs to be incentivized to continue the scourge of attacks against u.s. critical infrastructure. the decision to pay remains with the impacted company, and certainly for many companies, this is a hard decision, particularly if they provide some critical service. but these payments, again, provide no assurance of restoration and are what is driving these campaigns and these really damaging attacks to continue.
>> do you know how many private companies have paid ransomware because they were hacked?
you know, a lot of companies, even in my district, they don't even report it because of those reasons i gave you initially. and you know, you can't really track and get an accurate number of how many people have been hacked or paid the ransom because they don't want you to know. and then they have cyber insurance because of these ransomware attacks. this is -- i mean, it's gotten out of control when our own government, you have different agencies hacked and they don't know how it happened and an outside entity has to tell us. there's a lot of reasons i understand why private companies won't voluntarily be assessed, even to find out what their own vulnerabilities are. maybe they just don't trust the government, i don't know. but what percentage of companies do you have numbers on that report they had to pay ransomware or they have been compromised? do you have a number?
>> so ma'am, we don't have a good number today, and it gets back to the question that the chairman raised, which is today, it is largely voluntary whether a victim of a cybersecurity intrusion, including ransomware attacks, does report to either cisa or federal law enforcement. i do want to comment briefly, ma'am, on your last point, which is well taken, on disincentives for sharing information with the government. because congress has already acted to largely address many of those concerns, both in the cybersecurity act of 2015 and in the protected critical infrastructure information act, both of which provide strong protections for information shared by the private sector with cisa, including protections from regimes like foia, regulatory use, civil litigation, et cetera. so one of our goals at cisa is to ensure a broad understanding of these protections and ensure companies take advantage of them by reporting both their cybersecurity risks and incidents to cisa.
>> this is big business right now. and we've got to get a handle on it. that's why we're having these hearings.
i do have another question. why, and this is just your opinion, why do you think the fbi did not take this committee up on our invitation, i guess you could say?
>> ma'am, i've not discussed that question with my colleagues at fbi. i wouldn't be able to comment.
>> well, that's your opinion. i appreciate that. i don't know -- how much time do i have left?
>> you have 20 seconds.
>> 20 seconds. well, i'll just yield back. thank you, ma'am.
>> thank you very much. i will now recognize representative titus.
>> thank you, madam chairman. thank you for holding this hearing. we certainly realize that we have put this off for too long. we need to get on top of it. and the testimony has been excellent. we focused on the colonial pipeline, but i would like to be sure that other kinds of energy infrastructure are protected, like generating stations. i represent las vegas, and we have a lot of lights there. we need a lot of sources of energy that's consistent, that's persistent, that we can count on to serve our residents and also 40 million visitors. now, nevada energy is our primary provider of energy, and they are doing a lot of investing in renewable energy resources. and they're developing them throughout the state, mostly solar, but some wind. which i think is a great thing, but i want to be sure that the government's adequately protecting those sources too from this -- from these kinds of threats. i wonder if y'all would comment on what cisa and tsa are doing in anticipation of maybe some needs in this area.
>> yes, ma'am. so certainly, cisa is deeply focused on cybersecurity risks facing the energy sector and entities in particular.
of particular note, the white house recently announced a 100-day industrial control system cybersecurity sprint, and the first sprint focused precisely on this sector, recognizing the centrality of the energy grid, of course, to our nation's economy and national security and the potential for a cybersecurity event to cause significant disruption. certainly, many entities across the electric subsector are well resourced and mature in this space. this is a sector that recognizes the risk. it has invested accordingly, but certainly, cisa and our colleagues at doe are deeply focused on providing tools, resources, and guidance to the sector, recognizing the risk and the need to make further investments to stay ahead of our adversaries.
>> so do you work directly with the utilities? you would be working directly with nevada energy to help them to be sure they're up to speed?
>> yes, ma'am. i can take that back to see if we have worked with nevada energy recently, but we work consistently with individual operators to assess their security and make sure they have what they need to be secure.
>> i'm glad to hear that. well, the second question that i have is, i know one of the problems we often have is trying to recruit and train and have in the field cyber professionals. and i understand that there's a program that's a scholarship program called cybercorps. now, my district is home to several minority-serving institutions. and i just wonder how much outreach you're doing or how much work you're doing with those institutions to try to attract and train people who will have the skills to enter into this field that is going to be needed increasingly as we go forward?
>> ma'am, thanks very much for that question. you're absolutely correct. building a deep, diverse cybersecurity workforce is absolutely essential for us not only getting our arms around this risk but managing it going forward.
cisa is deeply focused on working with institutions across the country, but particularly minority-serving institutions, hbcus, community colleges, to make sure that those schools have curriculum, have training, have resources, and assistance so they can train the next generation of cybersecurity professionals. and certainly, we are focused in that regard, not only training that workforce so they can join federal service, including through programs like scholarship for service, but also ensuring that we are driving and catalyzing a robust educational community around the cybersecurity workforce at all levels of education to ensure that we are educating people today so that they can be well equipped for the jobs of tomorrow.
>> i'm going to reach out to the campuses in my district about this cybercorps program and see what they're doing. can i have them get in touch with your office or somebody there to find out how they might enhance that and maybe get the word out more and be sure people, students there know that they can apply for this kind of program?
>> yes, ma'am. most certainly.
>> thank you. thank you, madam chairman, i yield back.
>> i'm going to take this opportunity to ask ms. proctor a question i tried to ask when our system went down. ms. proctor, are you there?
>> yes, ma'am, i am.
>> thank you very much. you know, given that operators will only be required to self-assess their compliance with tsa guidelines, how would tsa verify the information provided? and what will the consequences be if the pipeline operator misrepresents their cybersecurity practices to the tsa?
>> thank you so much for that question. because i think it's important to note that under the first security directive we have issued, there is a requirement for companies to conduct a self-assessment as part of those requirements and security directives.
however, we are continuing to develop additional measures for pipeline companies, and we're developing now a second security directive, which would have the force of a regulation, and that will require more specific mitigation measures. and it will ultimately include more specific requirements with regard to assessments. the second security directive is going to be an ssi directive because of the nature of the mitigating measures that are going to be required within there. but these are also subject to inspection by tsa inspectors. we have a cadre of surface inspectors that we have trained that underwent training at the training academy for pipeline operations. we have a subset of them who have also undergone cybersecurity training. they just recently completed an in-residence course at idaho national labs. so they have both pipeline operations training and cyber training. those will be the individuals who will be ensuring that the pipeline companies are adhering to what's required in those security directives.
>> thank you. yes or no, do you all have the resources and personnel that you need to be able to ensure the accountability measures that we think are important?
>> yes, ma'am. we do have those resources now.
>> thank you. thank you very much. now i would like to recognize ms. van drew from new jersey.
>> thank you, madam chair. i have just some questions. some of them may seem a little repetitive, but i really want to tack this down. for sonya proctor from the tsa, i understand there are growing concerns that the tsa --
>> congressman? can you unmute? i guess while we're trying to work this out, i will recognize representative clyde.
>> thank you, madam chair, for holding this hearing. and this question is for eric goldstein. mr.
goldstein, the subcommittee held a hearing last month on the ransomware crisis with experts from the private sector. former director krebs, responding to a question of mine about how cisa gets the word out about its great services, said that marketing is not an area of strength for the agency. considering the recent attacks where cisa has not been directly involved, i think it's important that business leaders, critical infrastructure companies, and state and local governments are aware of cisa and its great services. so my question to you is, how many dedicated marketing professionals does cisa have? if i may, sir.
>> thank you, sir. i don't have an exact number on the size of our relative external affairs team. happy to take that back for you. what i would say is i fully agree with the general point. it is absolutely critical for cisa to make sure that every company in this country as well as every sltt government partner understands the services that we are offering and understands how our services can help them drive down cybersecurity risks and the investments they need to make. we need to do more to convey that message to every corner of this country. part of doing that is by having, as you frame it, marketing campaigns that make sure that the word gets out effectively. that is an area of urgent investment for us, and the point is very well taken.
>> okay, well, because the more i learn about you, the more i like you. okay. so i want to make sure that the entire nation knows just what outstanding services you provide. so i strongly encourage you to have a very good media campaign, because i think our businesses need it. okay. we need to know that cisa is there really to help. tell me, does cisa have a position on whether the victim of a ransomware attack should pay a ransom?
>> sir, we do. we advocate that victims -- we strongly discourage victims from paying ransom. and as noted through a prior question, that is for two reasons.
first, because there's no guarantee victims will have their data restored, and second, of course, because paying ransoms is exactly what these criminal gangs want. and paying ransoms only further incentivizes these sorts of damaging attacks to continue. >> okay. does cisa have an offensive capability? >> we do not, sir. we're purely a cyberdefensive organization. >> okay. all right. last week, i asked fireeye senior vp charles carmichael if his company would be willing to work with the federal government in helping to secure the network, and he stated he would certainly be interested in the opportunity. mr. carmichael also stated that he believes the attacks on the colonial pipeline and jbs foods originated overseas. does cisa work with the private sector regarding any intelligence sharing or threat assessments to safeguard private or public networks? >> we do, sir. we have deep relationships with many, if not the vast majority, of the nation's leading cybersecurity companies, internet companies, cloud providers, to do just the work you described: sharing and exchange of information that these companies are learning about cybersecurity risks affecting their customers, fusing that together with what cisa is learning from federal networks and what we are learning from our partners elsewhere in government, and developing the common operating picture of cybersecurity risks. we have made real investments there. but there is certainly more work to do to ensure that we have that deep visibility we need to understand risks that are impacting our country. >> okay. would you agree with his assessment that these attacks were perpetrated from overseas, all of them or any of them from this country that you know of? >> sir, as a general matter, many of these ransomware gangs are domiciled overseas. i'm not able to speak about any particular act in this case, sir. >> okay. do you have any evidence that would suggest they were sponsored by a foreign state?
>> sir, in general terms, these criminal groups are seeking financial gain and are generally not seeking the sorts of strategic ends sought by nation states. >> if cisa doesn't have an offensive capability, do you know, does one exist in our country somewhere? >> sir, there are various other federal agencies that do exercise under their own authorities the ability to disrupt adversaries using cyber means, including within the defense department. i would of course defer to those departments for further detail on their activities. >> okay. do you coordinate with any of those to assist them in what you see? >> yes, sir. we work very deeply across the interagency with federal law enforcement, with the defense department, and other partners to ensure we're sharing information and all our activities are well coordinated and aligned. >> thank you. thank you very much, sir. with that, i yield back. >> thank you, representative clyde, for raising that issue because i was just talking about that myself, and i think the capacity to be able to be on the defensive is something we really have to drill down better on. mr. langevin. >> can you hear me okay? >> yes. >> very good. thank you for holding this joint hearing. i want to thank our witnesses for their testimony today and for the important work they're doing. mr. goldstein, let me start with you, if i could. last week, in front of this committee, i was so bold as to offer assistance services to the ceo of colonial pipeline. and he refused them. so i urged him to reconsider, as he says he's acting for the good of the country. so that being said, i just want to confirm that the offer is still on the table, and so mr. goldstein, just to confirm, cisa stands ready to offer assistance on the networks of the colonial pipeline if your services are requested, correct? >> yes, sir, we stand ready to support any entity providing critical services in this country, including, of course, colonial. >> thank you. thank you. so mr. goldstein, i know that cisa is a relatively new agency. and not everyone is familiar with the services that you offer. can you help the committee understand what value you bring to entities when they invite you on to the networks following a breach? furthermore, what benefits to other critical infrastructure owners and operators across various sectors can cisa bring to the table by having on-network presence? i hope that the ceo of colonial is watching. maybe this will encourage him to invite you in once and for all. >> indeed. thank you for that question, sir. the way you framed it is exactly right. and first and foremost, it bears noting that we do encourage organizations that are victimized by cybersecurity incidents to bring on a third party private response provider if they're so inclined. and we work very frequently and closely in tandem with private incident response firms to conduct a joint response. so cisa's role is not replacing the extraordinary talent in the private cybersecurity market, but is instead additive thereto. that's the case in two ways. the first is, in supporting a victim of a cybersecurity intrusion, we're able to bring to bear information from other federal agencies and from what we have learned across incidents affecting the federal government and our other partners, and enrich the incident response that may be already undertaken by the victim itself or the third party provider. so we can complement and add to the incident response, bringing some unique information and, in the case of incidents that impact control systems, some unique expertise and capability, and our team that is focused on control system cybersecurity is one of the oldest and most expert teams doing that kind of work.
in the first instance, we can be deeply complementary to and additive to the work already going on by an organization, and of course, if a victim chooses not to bring on a third party and seeks cisa's help foundationally, we can certainly provide that primary incident response role as well. as you note, sir, our role extends far more broadly, and we're focused on managing national risk and ensuring a cybersecurity intrusion that impacts one entity doesn't spread across others. and certain organizations should think of this as: even if you're not a victim today, you may be one tomorrow. and if you are one today, that doesn't mean that you will not have an intrusion again in the future. and so organizations should certainly see this as an issue of national interest, where the more information that cisa can receive in the early days of an incident, by being part of the incident response and part of that initial assessment, that lets us move more quickly to glean information, glean those technical indicators that we can then share either in a focused way with organizations that may be directly impacted based upon their sector, their technology footprint, their geography, or broadly and nationally, and even internationally, to raise the cost for adversaries and ensure that they're not using these same tactics, these same indicators over and over again. >> thank you for that. and before my time expires, mr. goldstein, we have seen press reports that third-party incident responders suggested not bringing the government in. do you find that outside cyber consultants can do work cooperatively with cisa in emergency situations like this one with colonial, for example, or do they bring their clients' reservations about government involvement?
>> so we do find in general, sir, that certainly most of the major cybersecurity providers in this country work collaboratively with cisa, and we have deep relationships with many of them and have ongoing operational collaboration around significant campaigns and significant threats. and certainly, we would discourage any company or third party from deciding not to share information with the government. as noted throughout this hearing, this really at this point is both an issue of national security and public health and safety, and the more that the u.s. government can understand this risk and take urgent action and mitigate it, the more we can drive down the trend over time and protect our people. >> thank you. >> gentleman is out of time. thank you. i understand mr. van drew is now available to be recognized for five minutes. mr. van drew. >> thank you. i'll give this a shot again. we had some technical issues. so although congress gave the tsa authority -- in 2001, there have recently been efforts to transfer its authority to the department of energy. >> mr. van drew is having technical problems again. we cannot hear you. so i will recognize representative laturner. >> thank you, madam chairwoman. my questions are for mr. goldstein. mr. goldstein, how are you doing today? >> well, sir, thank you. >> good. thanks for being with us. could you help us understand how many -- just the scope in the federal government of how many different government agencies are dealing with cybersecurity, ransomware, either on an offensive or defensive nature? >> certainly, sir. so the existing model for the federal government's cybersecurity is, in the first instance, there are two agencies that are focused on cybersecurity incident response.
that is cisa as the lead for asset response, which are efforts to understand and mitigate the immediate impacts of an incident and then help to protect others, and there are colleagues at the fbi who are the leads for threat response and focused on understanding the adversary and then of course taking actions to disrupt or impose costs. apart from cisa and the fbi, there are a number of sector risk management agencies that bring to bear specialized authorities in their sectors that may support cisa and the fbi for a cybersecurity incident affecting their sector. and then, of course, apart from the civilian space, both the department of defense and our nation's intelligence community have unique authorities to either gather information about adversaries who are seeking to damage our country through cyber means or, of course, take other measures to impose costs on our adversaries wherever they may be. >> the colonial pipeline ceo recommended that there be designated a single point of contact to coordinate the response to cyberattacks and incidents at large. what's your reaction to that? >> so, sir, our goal as the u.s. government is to make this as easy as possible for victims of cybersecurity incidents. and certainly, today, if an organization calls cisa, if they call the fbi, if they even call their sector risk management agency, they should get the same response. so we have worked deeply within the federal government to ensure that we are providing victims of cybersecurity incidents with all of the resources that the federal government can bring to bear, and i think this actually works well in the context of the colonial intrusion, where there was a wide breadth of federal agencies based upon the unique attributes of this incident, but those agencies collaborated well together behind the scenes and colonial was able to interact with a handful of agencies and not frankly the full breadth of agencies with some authority to manage this incident.
certainly to your point, we can always do more to make this clearer for the private sector and make sure that the activity of reporting an incident to the federal government and engaging our help is as frictionless as possible and as simple as possible. >> i talked to people in the private sector in my state that this has happened to, and it's happened to a lot. the number seems to be growing, and so it's a great concern to me that the federal response to this can be kind of clunky. it's been described or suggested by some that we have one person that coordinates this and has the ability to control the budgets of all these other entities. do you have a response to that? >> so, sir, i think the -- >> there's some precedent for it in the past as well. i'm sorry. go ahead. >> certainly, the various agencies involved here, and certainly cisa and fbi as being the lead for cyber asset response, have unique authorities and unique capabilities to bring to bear. but you said you had the opportunity to hear testimony from our nominee for national cyber director just last week, and that role, i think, will also help further codify the structure and the engagement model and further streamline the manner in which the federal government engages with all manner of entities. so we're looking forward both to the speedy confirmation of the national cyber director as well as, of course, for cisa; both of those individuals will help the government further mature our processes for simplifying engagement with the private sector. >> do you think that solves the problem, though? because i think from my perspective, it could still put us in the exact position that we're in right now. maybe improve it, right? but at the end of the day, it's concerning to me that we don't have one point of contact who controls the budget, who can force these different bureaucracies to come together and make sure that our response in the united states is clear and concise and efficient.
do you think that those confirmations fix that problem? >> i think that we're making progress over time in significant ways. i will say, sir, i was in this agency, you know, five years ago. having recently come back in, we've made significant progress in the intervening time. the confirmation of a new cisa director and the national cyber director will make another significant step forward in our ability to offer the sort of simplified cohesive engagement model you describe, but we will have more work to do because this is a deeply evolving space, and as the u.s. government, we'll have to evolve at pace. >> thank you for your response. >> representative laturner, your time has expired. thank you. chair recognizes representative slotkin. >> thank you, madam chair. thanks to our witnesses for being here. two very different questions. after the colonial pipeline was attacked, i went to all of the ceos of the pipelines that crisscross through michigan, both over land and in our inland seas, and asked them what they were doing in the wake of the colonial attack to improve their own cybersecurity, learning from the painful example that colonial was offering us. and i know that we put in these new procedures at the end of may. so i just want to understand in a very concrete way what actually happens. let's say enbridge, which is a big pipeline company, they go under the straits of mackinac, a very sensitive place in michigan's great lakes. let's say they are attacked. what is the actual procedure? tell me the 911 process from the moment they're attacked in terms of engaging with federal agencies. whoever is the responsible party should take that one. >> i can take it first and then i'll hand it to my colleague. and i will defer to my colleague if this pipeline is in scope for the tsa directive. but the tsa directive does require a certain set of pipeline entities to report cybersecurity intrusions centrally to cisa.
upon receiving such a report, cisa triages the report based upon a standard methodology to assess the criticality of the incident based upon risk to the country, the nature of the entity, the nature of the intrusion, and certainly for an intrusion affecting an entity of the criticality you note, we would offer some measure of incident response or threat hunting assistance. i will note in this case, it would still remain voluntary for this pipeline entity to accept our assistance. this entity could say they have chosen to engage a third party and that's how they want to engage their response. we would still encourage them to share information with us urgently so we can help them with the response and protect others. go ahead. >> as a requirement, just so i understand, is it true that within 12 hours now, they must contact cisa? is that the sort of requirement with the new rules that were put in place at the end of may? >> yes, ma'am. >> perfect. okay. so just so i understand. that's the 911 call they must make within 12 hours if they detect some sort of cyber intrusion. okay. and i know it depends on the type of pipeline, but i understand. and then a completely different question, on the sort of eve of a big meeting between president biden and vladimir putin, where putin has suggested that there be some sort of trade for groups that are conducting ransomware attacks, you know, from russia and groups that are allegedly conducting ransomware attacks from the united states. can you confirm for me, i know you're defensive and not offensive in nature. i know you're not law enforcement, but mr. goldstein, can you confirm in one sort of yes or no, the united states of america has the ability to go after any criminal actors who are conducting ransomware attacks here or abroad? >> ma'am, that question will get into the authorities vested to federal law enforcement, which i'm not able to answer. >> okay.
have you seen the russians do anything to try to clamp down on ransomware actors emanating from their soil? >> ma'am, what i can say generally there is we strongly encourage all countries to take urgent action against ransomware actors operating within any country, and the trend we have seen of ransomware attacks over the past year suggests that such action across the board is not being taken. >> so i understand it's not your jurisdiction. i just -- i guess i just want to make the point that a trade between vladimir putin and joe biden makes zero sense because we actually go after our criminals. we actually would take action, if we had a ransomware group that were threatening other countries, that were attacking russia or attacking a european ally or attacking china, we would go after them, unlike the russians who have taken at best limited action against those who we know, who we have said publicly are attacking the united states infrastructure. so it's more of a statement. i just feel like this, until we get to the root of the problem, that no action is being taken, often by the russians and the chinese, against actors emanating from their soil, we're going to keep having this conversation over and over again, and i know i'm out of time, i will leave it at that. thanks very much. >> thank you. we'll now recognize representative luria for five minutes. thank you. >> thank you, madam chair, and ranking members of both committees, for having this important hearing.
i was reviewing the report and i saw there were 304 million ransomware attacks worldwide in 2020, that was a 62% increase from 2019, so the recent colonial pipeline ransomware attack was obviously not the first that we've seen on critical infrastructure, that has spurred the fuel shortages across the eastern seaboard for several days, and at the local level, we're seeing impacts like this as well in my district; for example we had the sanitation district with a ransomware attack that disrupted service for several weeks, and i think we can all agree that ransomware attacks are a national crisis and as chairman thompson noted last week, the colonial pipeline ransomware attack raised questions about the cybersecurity practices of our critical infrastructure owners and operators and whether the voluntary cybersecurity standards are sufficient to defend ourselves against these types of cyber threats. so i wanted to ask the question of our witnesses today, with regards to our critical infrastructure owners and operators, such as those that operate pipelines, what evidence do you and other agencies have that the organizations you oversee actually understand the extent of their cybersecurity threats? >> we offer briefings to owners and operators of critical infrastructure, based on the threat that has been made clear over the last several years. we have arranged classified briefings for owners and operators of infrastructure, to ensure that they understand the nature of the threat, and we also have provided assessments, vulnerability assessments, so that they can identify and then close those cybersecurity gaps, to make themselves less likely to be a successful target for those who would like, who would be likely to launch those kinds of intrusions.
we also work with owners and operators to conduct exercises, so that they can actually exercise their plans; it's one thing to have a plan on paper, another thing to be able to exercise those, both within your company, and within the region or with others in your industry. so we have a layered approach, both in terms of providing education, assessments, exercises to exercise those plans, and to be able to continue to inform of emerging threats and to keep the cycle about informing, exercising, and updating plans to keep that process under way. >> thank you, and that does sound like a good resource, and a good way for them to understand the potential threats, the emerging threats, help developing plans, but can you clarify the matter any, this is all voluntary on behalf of the company? >> well we started out with pipeline security guidelines that were not mandatory but as of may 28th we issued our first security directive, which has the power of regulation; we're in the process now of developing our second security directive, again which will be mandatory, which will have more specific mandatory mitigating measures that will be required by owners and operators. that directive is going to be very specific, so that is going to be marked as an ssi document, security, excuse me, sensitive security information, so that one will have a lot more detail and will be rather prescriptive in terms of the mitigation measures required. >> well, thank you. and in the last couple of seconds remaining, do you have a good assessment of all of the operators of the major pipelines and where they are on a scale that shows both their awareness and preparedness and their plans and ability to execute plans, and tracking within the pipelines of the network around the country, do you know where the biggest vulnerabilities exist? >> we have conducted reviews.
so we do have a good baseline for that, in terms of where they are with regard to their corporate plans, their cybersecurity plans, and also with their critical facilities in the field. so those are assessments that we continually perform with owners and operators in the pipeline community. >> okay. well, thank you very much, and my time has expired. i yield back. >> thank you very much. the chair recognizes representative rice. >> thank you so much. chairman thompson had asked you some questions about additional resources and such, and i mean it's clear that your agency has issued extensive ransomware guidance and led efforts such as the reduce the risk of ransomware campaign to help owners and operators of critical infrastructure prepare for ransomware threats, but we also know that, you know, the colonial hack demonstrates that even when companies are willing to self-report, and engage with law enforcement, after a ransomware attack, they may not report to or engage directly with cisa, and i think that's one of the issues we need to address here, so is this something that, cisa is not being clear enough to owners and operators about the value added that you could bring to the protection of their critical infrastructure or is it just that they are saying thanks but no thanks? >> there is certainly more that we can do to make sure that companies across sectors understand the unique value proposition, which was discussed in terms of the question about engaging cisa and the way that value is unique and additive to engaging a third party response firm, and additive to engaging with federal law enforcement.
we work very closely with our partners, and our law enforcement, and often conduct joint responses, because we are achieving different mission objectives, when we support a victim organization, so certainly continuing to clarify the value proposition that cisa brings to the table and differentiating that and showing that it is complementary to engaging other partners, i do think is a critical area of the work for the agency. >> what percentage of ransomware attacks would you say get reported to cisa? >> ma'am, due to the real problem we have with visibility here, i don't have a good number there. i would say since the recent intrusions of colonial, jbs foods, et cetera, we are seeing an increase both in organizations that are reporting incidents and also organizations that are availing themselves of cisa's guidance and best practices, and one example: in the week after the colonial intrusion i think we saw increased views of our ransomware guide, i think 400% that week after, and we are seeing organizations across the country recognize this risk and recognizing that cisa is a source of support and expertise, because we can make sure that that continues and that we lead the country going forward. >> i agree but i think it is also really important for whatever federal agency it is that gets contacted by an operator of a critical piece of infrastructure in this country, that whether they take it to the fbi, that the fbi brings in cisa and whatever other agency, federal agency, you need to partner with, to address this as comprehensively as possible, and i hope that's what the practice is, or if it isn't, will be, going forward. just in the past few weeks, a ransomware attack against a massachusetts ferry operator shut down travel between the state and its islands and it was revealed that hackers had breached the networks of new york's mta, on whose trains my constituents work and ride every day.
now, neither of those hacks posed a risk to passenger safety, but cyber attacks targeting mass transit, railway, aviation, they have the potential to put travelers at risk, and would be massively disruptive to society, writ large. so can you specifically discuss the recent ransomware attack against the mta? >> yes, ma'am, as a matter of fact, i can. after that incident, i actually did speak with new york mta's ciso and i did learn from speaking with him that the attack was not considered to be successful. they did not actually access information in the system. they did not make a demand for ransom. they did not acquire information from the mta. the example that the ciso used would be that the ransomware intrusion opened the screen door but did not get in the front door. >> okay. >> that was the example that they used, they did not acquire anything in that attack. >> thank you for that clarification, i think it is really important to collaborate, not just with private entities in particular who are running pieces of critical infrastructure. thank you so much and i yield back the balance of my time. >> thank you. i recognize mr. gottheimer from new jersey. >> thank you for arranging the important hearing on cyber threats to pipelines. the recent ransomware attack on the largest fuel pipeline, colonial pipeline, i take it many americans across the east coast experienced a rush on gas, long lines at the pump from the failure of securing our critical infrastructure from hackers. i think it is fair to say that colonial had serious flaws, with an outdated vpn system that allowed multi-factor authentication and the task for securing our pipelines by conducting voluntary assessments of private operators. if i can ask the cisa administrator proctor, we know that on multiple occasions prior to the attack on may 7th, tsa requested cyber assessments of colonial's system and colonial punted and is yet to participate in the assessments.
can you compare the experience with the cooperation you have received from other pipeline operators? >> yes, sir, i would speak to that, in that the situation with colonial, for the requests that they have made, to reschedule, was not unusual during the pandemic. during the pandemic, there were a number of companies that had limited personnel on-site. they considered their personnel on-site to be essential personnel. they did restrict them from a lot of interaction with outsiders. so colonial had postponed the discussion to get a schedule date for their assessment. the postponement was not unusual for other companies. other companies did go through. we did pivot and we did manage to find ways to conduct virtually, so we were able to schedule those in other cases. the colonial discussion was postponed because they were installing some new software; at one point they were doing some other updates, and we had spoken in march, they had asked for about six weeks to complete some cyber updates, and the six weeks was actually the week after the incident with colonial. we have since focused on getting that date in place; they are now scheduled for the last week of july, for their validated architecture design review. >> got it. has the pipeline ever flat out refused to cooperate with the inspection or tried to limit the scope of what you are assessing? >> no, it wasn't a refusal. it was rescheduling the discussion, so that they could deal with personnel issues. at one point, we had a conversation set with them and they had several employees that were covid impacted. so they delayed that. >> i'm sorry to interrupt, i was going to ask, is that similar, in terms of have others ever done the same thing, when they've delayed and others refused, other pipelines, is this consistent over the last threats?
>> we have had other delays, but we have gotten, we have gotten to the point where we have done those assessments, and we had worked out a way to do them virtually, so it makes it more manageable for the company, even though they were trying to protect their essential employees from engaging with outsiders. >> got it. thank you so much. mr. goldstein, we recently witnessed a series of attacks not just against pipelines but against mass transportation infrastructure. clearly we need robust cybersecurity standards for the transportation sector writ large. what other measures can we take to protect the sector not just from ransomware attackers but china, iran and north korea? >> thank you, sir. the good thing is there is nothing particularly unique about ransomware attacks, and the best practices that are promulgated by cisa and the sort of cybersecurity directives that we impose upon federal civilian agencies are effective against ransomware actors and nation-states and really any adversaries. in addition, as we think through the more sophisticated types of adversaries that may want to cause more lasting damage or gain more persistence, that is a program where cybersentry comes into play and our ability to have a persistent look into the critical infrastructure, and by broadening and maturing the pilot program, we'll be able to get more visibility and drive action, to drive out those risks of intrusions, as soon as they're identified. >> thank you. i yield back. thank you so much. >> thank you very much. now i want to thank the witnesses; your testimony has been invaluable and enlightening and thank you so much. remember the subcommittee may have additional questions for you all, the witnesses, and we ask that you respond expeditiously in writing to those questions. the chair reminds members of the subcommittee that the committee's record will remain open for ten days and without objection the subcommittee stands adjourned. thank you so much.
