Transcripts For CSPAN Hearing Focuses On WannaCry Ransomware Cyberattack Implications 20170616

mr. lahood: we'll come to order. without objection, the chair is authorized to declare a recess of the committee at any time. good morning and welcome to today's hearing entitled "bolstering the government's cybersecurity: lessons learned from wannacry." i recognize myself for five minutes for an opening statement. i want to welcome the witnesses here today and welcome chairman smith, oversight subcommittee ranking member lipinski, our expert witnesses and members of the audience. cybersecurity, a concept we hear mentioned frequently, especially in this period of rapidly emerging threats, is an ever-evolving concept. maintaining an effective cybersecurity posture requires constant vigilance as new threats emerge and old ones return. too often, however, when we hear about the importance of cybersecurity, we are left without concrete steps to take to ensure our systems are best positioned to defend against emerging threats. one of the goals of today's hearing is to learn about real, tangible measures the government can take to ensure its i.t. security systems are appropriately reinforced, to defend against new and emerging threats, including novel and sophisticated ransomware threats. the specific focus of today's hearing will be the recent wanna cry ransom attack, a new type of ransomware infection which infected over one million unique systems last month in a worldwide attack that impacted nearly every country in the world. although the concept of ransomware is not new, the type of ransomware employed by wanna cry was novel. wanna cry worked by encrypting documents on a computer, instructing victims to pay $300 in bitcoin in order to regain access to their users' documents. unlike typical forms of ransomware, however, wanna cry signaled the ushering in of a new type of worming ransomware, which caused the attack to spread faster and more rapidly with each new move. 
in light of the novelty built into wanna cry's method of attack, cybersecurity experts, including those we'll hear from today, have expressed significant concerns that wanna cry is only a preview of a more sophisticated ransomware infection that many believe will inevitably be launched by hackers in the near future. beginning may 12, 2017, the wanna cry ransomware infection moved rapidly across asia and europe, eventually hitting the united states. the attack infected 7,000 computers in the first hour, 110,000 distinct i.p. addresses in two days, and in almost 100 countries including the u.k., russia, china, ukraine and india. experts now believe wanna cry affected approximately one million to two million unique systems worldwide prior to activating the kill switch. in illinois, my home state, cook county's i.t. systems were compromised by wanna cry, reportedly one of the few local governments subject to the attack. although cook county has worked to appropriately patch their systems, it is important that we ensure that all vulnerabilities are appropriately remedied in the event of a more sophisticated attack. fortunately, the hackers responsible for wanna cry mistakenly included a kill switch, which was uncovered by an employee of kryptos logic and used to terminate the attack. the kryptos logic employee registered the domain linked to the attack. the kill switch prevented 10 to 15 million unique system infections and reinfections. although based on information available thus far, the federal government systems were fortunately spared by wanna cry, we want to ensure that the government is sufficiently prepared in the likely event of a more sophisticated attack. additionally, the committee wants to hear what congress can do to appropriately address this committee -- this climate of new and emerging cybersecurity threats. 
through the lens of the aftermath of wanna cry, today's witnesses will help shed light on key steps the government should take to ensure its systems are protected. we will also hear today about how public-private partnerships are an instrumental tool to help bolster the government's cybersecurity posture. finally, we'll learn about how the president's recent cybersecurity order, which makes the nist cybersecurity framework mandatory on the executive branch, is a significant step in ensuring the cybersecurity posture includes the most up-to-date measures to defend against threats. it is my hope that we will highlight areas where improvement is necessary while offering recommendations as to how to ensure the federal government is prepared to respond to emerging cybersecurity threats. i look forward to hearing from our distinguished witnesses. i now recognize the ranking member of the oversight subcommittee, mr. beyer, for an opening statement. >> thank you very much, mr. chairman. i'd just like to thank you and chairman comstock for holding this hearing. cybersecurity should be a chief concern for every government, business and private citizen. mr. beyer: systems were breached by state-sponsored hackers compromising the personal information of millions of americans. that same year, hackers released the personal information of sony pictures executives, embarrassing emails between sony executives and employees and even copies of then-unreleased sony movies. in 2015 they took over the power grid in ukraine. the cybersecurity breach that was the genesis of this hearing was the wanna cry outbreak. it infected 300,000 computers worldwide and could have been much worse. i want to thank c.e.o. neino for being wise enough to find an employee to find the kill switch, unless you did it yourself. we're lucky it was found quickly and we're fortunate that federal systems were resistant to wanna cry. we know we may not be as lucky next time. 
in preparing for this, i learned that i need to upload our security upgrades every time i get a chance on our personal computers and smartphones. the may 11 executive order on strengthening the cybersecurity of federal networks seeks to build on the obama administration's successes in the cybersecurity arena and i'm happy that the trump administration, i don't agree with them on every topic, but that they've taken the next good step. the executive action recommends a host of actions and a myriad of reports. my concern is that the understaffed agencies will have significant difficulty meeting the dictates of the executive order. frankly i'm also concerned that the proposed budget cuts in the original trump-mulvaney budget across all agencies will make the task a lot harder to strengthen the security of federal information systems. we've got to make sure the government has the resources and staffing to meet the need in this vital area. the executive order also calls for agencies to begin using the nist framework for cybersecurity efforts and i'm glad we have nist with us here today. they play an important role in setting cybersecurity standards that can help thwart and impede cybersecurity attacks. nist is world-renowned for its expertise in standards development and we'll be well served to use their framework. on a precautionary note, i believe some efforts to expand beyond the current mission are well intentioned but perhaps misplaced. we recently had a debate on h.r. 1224, the nist cybersecurity framework and auditing act of 2017, which gives nist audit authority. currently, this is the responsibility of the inspector general for each agency. they have the statutory authority, the experience and expertise and respond directly to congress. nist has no such experience or expertise and i at least remain concerned about this proposal. i'd be interested in any of the expert witnesses' thoughts on nist's role in cybersecurity and auditing. 
i look forward to hearing from you all today. i look forward to hearing from the former federal ciso. bloomberg reported this week that the russian meddling in our electoral system was far worse than previously reported. according to the report, hackers attempted to delete or alter voter data, alter software designed to be used by poll workers and in at least one instance accessed a campaign finance database. this didn't need to change individual votes to change the election and we should take these sorts of attacks seriously. vice president cheney called it a war on our democracy. mr. chairman, this committee held more than a half dozen hearings on cybersecurity issues including one on protecting the 2016 elections from cyber and voting machine attacks. given what we know about the hacking and meddling in 2016, i hope this hearing will be a precursor for more hearings on how to better protect our voting systems. i yield back. mr. lahood: thank you for your opening statement. i recognize -- recognize mr. abraham for an opening statement. mr. abraham: over the last few years, we have seen an alarming increase in the number and intensity of cyberattacks. it's compromised the personal information of millions of americans, jeopardized thousands of businesses and threatened interruption of critical public services. the recent wanna cry ransomware attack demonstrates that cyberattacks are continuing to go from bad to worse. the most recent large-scale cyberattack affected more than one million to two million systems in more than 190 countries. nevertheless, it appears the impact could have been much more catastrophic, considering how fast that ransomware spread. while organizations and individuals within the united states were largely unscathed, due in part to a security researcher identifying a web-based, quote, kill switch, the potential destruction of wanna cry warns us to expect similar attacks in the future. 
before those attacks happen, we need to make sure our information systems are very ready. in a research and technology subcommittee hearing earlier this year, a representative of the g.a.o. testified, and i quote, over the past several years, g.a.o. made about 00,000 recommendations to federal agencies to enhance the information security programs and controls. as of february 2017, about 1,000 recommendations had not been implemented. unquote. it is clear that the status quo in federal government cybersecurity is a virtual invitation for more cyberattacks. we must take strong steps in order to properly secure our systems and databases before another cyberattack like wanna cry happens and puts our government up for ransom. on march 1, 2017, this committee approved h.r. 1224, the nist cybersecurity framework, assessment, and auditing act of 2017, a bill i introduced as part of my ongoing interest over the state of our nation's cybersecurity. this bill takes concrete steps to help strengthen federal government cybersecurity. the most important steps are encouraging federal agencies to adopt the national institute of standards and technology, nist, cybersecurity framework, which is used by many private businesses, and directly -- and directing nist to initiate cybersecurity audits of priority federal agencies to determine the extent to which each agency is meeting the information security standards developed by the institute. nist in-house experts developed government-wide technical standards and guidelines under the federal information security modernization act of 2014, and nist experts also developed, through collaboration between government and the private sector, the framework for improving critical infrastructure cybersecurity that federal agencies are now required to use pursuant to the president's recent cybersecurity executive order. i was very pleased to read that language. 
considering the growing attempts to infiltrate information -- information systems, there's an urgent need to ensure americans -- to assure americans that all federal agencies are doing everything they can to protect government networks and sensitive data. the status quo simply is not working. we can't put up with more bureaucratic excuses and delays. nist cyber expertise is a singular asset. we should take full advantage of that asset, starting with the very important step of annual nist cyber audits of high-priority federal agencies. as cyberattacks and cyber criminals continue to evolve and become more civil sophisticated -- become more sophisticated, our government's cyber defenses must also adapt in order to protect vital public services and shield hundreds of millions of americans' confidential information. we will hear from our witnesses today about lessons learned from the wanna cry attack and how the government can bolster the security of its systems. we must keep in mind that the next cyberattack is just around the corner and it can have a far greater impact than what we have thus far seen. our government systems need to be better protected and that starts with more accountability, responsibility, and transparency by federal agencies. thank you and i look forward to hearing our panel. i yield back. mr. lahood: thank you, mr. abraham. i now recognize the ranking member of the research and technology subcommittee, mr. lipinski, for an opening statement. mr. lipinski: thank you, mr. lahood, and thank you for this hearing on the wanna cry ransom attack last month. the good news is u.s. government information systems were not negatively impacted by the wanna cry attack. this was a clear victory for cyber defenses. however, i believe there are lessons to be learned from successes as well as failures. 
a combination of factors likely contributed to the success, including getting rid of most of our outdated windows operating systems, diligently installing security patches, securing critical i.t. assets and maintaining robust network perimeter defenses. as we know, microsoft sent out a security patch in march, two months before the wanna cry attack. these and other factors played a role in minimizing damage to u.s. businesses as well. however, wanna cry serves as yet another reminder that we must never be complacent in our cybersecurity defenses. the threats are ever-evolving and our policies must be robust yet flexible enough to allow our defenses to evolve accordingly. the federal information security modernization act laid out key responsibilities for security of civilian information systems. under fisma, d.h.s. and o.m.b. have central roles in development and implementation of policies as well as in incident tracking and response. nist develops and updates security standards and guidelines, both informing and responsive to policies established by o.m.b. each agency is responsible for its own compliance and each inspector general is required to audit its compliance with fisma on an annual basis. we must continue to support efforts to be compliant with fisma while conducting careful oversight. in 2014, nist released a cybersecurity framework for critical infrastructure, which is currently being updated to framework version 1.1. while it's still too early to evaluate the impact, it appears it's being widely used across industry sectors. they recently reported out h.r. 105, which i was pleased to co-sponsor, that would ensure the cybersecurity framework is easily used by the users. i hope we get it to the president's desk quickly. in the meantime, the president's cybersecurity order directs federal agencies to use the framework to manage their own risk. as we have heard in prior hearings, many experts have called for this step and i applaud the administration for moving ahead. 
i join mr. beyer in urging the administration to fill the many vacant positions across the agencies that would be responsible for implementing the framework as well as shepherding the many reports required. finally i take this opportunity to express my disappointment in the administration's budget proposal for nist. the top-line budget cut of 25% was so severe that if it were implemented, nist would have no choice but to reduce its cybersecurity efforts. this represents the epitome of penny-wise, pound-foolish decision making. nist is among the best of the best when it comes to cybersecurity standards and they help secure information systems not just of our federal government but our entire economy. i trust that my colleagues will join me in ensuring nist receives robust funding and doesn't suffer the drastic cut requested by the president. thank you to the expert witnesses for being here this morning and i look forward to your testimony. i yield back. >> thank you, mr. lipinski. at this time i recognize the chairman of the full committee, mr. smith. mr. smith: thank you, mr. chairman. appreciate you holding this hearing. in the wake of last month's wanna cry ransomware attack, today's hearing is a necessary part of an important conversation the federal government must have as we look for ways to improve our federal cybersecurity posture. while wanna cry failed to compromise government systems, it's almost certain the outcome was due in part to a measure of chance. rather than seeing this outcome as a sign of bulletproof cybersecurity defenses, we must instead increase our vigilance to better identify constantly evolving cybersecurity threats. this is particularly true since many cyber experts predict that we will experience an attack similar to wanna cry that's more sophisticated in nature, carrying with it an even greater possibility of widespread disruption and destruction. congress should not allow cybersecurity to be ignored across government agencies. 
i am proud of the work the committee has fleshed to improve the federal government's cybersecurity posture. during the last congress the committee conducted investigations into the federal deposit insurance corporation, the internal revenue service and the office of personnel management, as well as passed key legislation aimed at providing the government with tools it needs to strengthen its cybersecurity posture. president trump understands the importance of bolstering our cybersecurity. he signed a recent executive order on cybersecurity which is a vital step toward ensuring the federal government is positioned to detect, deter and defend against emerging threats. included in the president's executive order is a provision mandating that executive branch departments and agencies implement the nist cybersecurity framework. while continuously updating its cybersecurity framework, nist takes into account innovative cybersecurity measures from its private sector partners. nist's collaborative efforts help ensure that those entities that follow the framework are aware of the most pertinent, effective and cutting-edge cybersecurity measures. i believe the president's decision to make the nist framework mandatory for the federal government will serve to strengthen the government's ability to defend its systems against advanced cyber threats like with the recent wanna cry ransomware attack. similarly the committee's nist cybersecurity framework and assessment act of 2017, sponsored by representative abraham, draws on findings from the committee's numerous hearings an -- and investigations relating to cybersecurity which underscore the immediate need for a rigorous approach to protecting u.s. cybersecurity infrastructure and capability. like the president's recent order, this legislation promotes federal use of the nist cybersecurity framework by providing guidance that agencies may use to incorporate the framework into risk mitigation efforts. 
additionally the bill directs nist to establish a working up with group -- a working group with the responsibility of developing key metrics to use. i hope our discussions here today will highlight distinct areas where cybersecurity improvement is necessary while offering recommendations to ensure cybersecurity objectives stay at the forefront of our national security policy discussions. and with that, i yield back, mr. chairman. mr. lahood: thank you, chairman smith. at this time let me introduce our witnesses here today. our first witness is mr. salim neino, founder and chief executive officer of kryptos logic. he's credited with discovering new solutions for companies like i.b.m., dell and avaya. he received a bachelor's degree in science from university of california-long beach. kryptos is credited with largely stopping the wanna cry attack. we'll hear more about that during his testimony today. our second witness today is dr. charles romine, director of the technology laboratory at nist. he received a master's degree in mathematics and a ph.d. in applied mathematics from the university of virginia. our third witness, mr. touhill, is a retired brigadier general in the united states air force. he's an adjunct professor of cybersecurity at carnegie mellon university. previously he was chosen by president obama to serve as the nation's chief information security officer. he received his bachelor's degree from penn state university and a master's degree in systems management and information systems from the university of -- university of southern california, and our final witness today is dr. hugh thompson, chief technology officer for symantec. he also serves as an advisory board member for the anti-malware testing standards organization and on the editorial board of ieee security and privacy magazine. he received his bachelor's degree and master's degree and ph.d. in applied mathematics from the florida institute of technology. 
we're glad you're all here today and look forward to your valuable testimony. i now recognize dr. neino for five minutes to present his testimony. >> thank you, chairman lahood. thank you for the opportunity to appear before you today at this joint subcommittee hearing. we greatly appreciate your interest in cybersecurity and look forward to sharing our thoughts and perspectives with you and members. dr. neino: a threat was identified. the intent of the threat was unclear; it was immediately evident that its approach was unusually reckless. this threat has now popularly become known as wanna cry. it was at this time that our director of threat intelligence for breach monitoring platform -- for bridge monitoring platform notified me of our team's active monitoring of the developing situation. on this date at approximately 10:00 a.m. eastern time, while investigating the code of wanna cry, we identified what looked like an anti-detection mechanism which tested for a certain domain -- a certain domain name. our team registered this domain name and directed it to one of our sinkholes. we noticed that the propagation of the attack came to a standstill because of what we refer to as a kill switch being activated by our domain registration efforts. while our efforts stopped the attack and prevented wanna cry from deploying the ransom component, we knew it had propagated freely for many hours at minimum. based on our estimates, we believe that anywhere between one and two million systems may have been infected in the hours prior to activated the -- activating the kill switch, contrary to widely reported and more conservative estimates of 200,000 systems. we have mitigated over 60 million infection attempts. approximately seven million of those are in the united states, and we estimate that these could have impacted at minimum 10 million to 15 million unique systems. 
i will note that the largest attack we thwarted and measured to date from wanna cry was not on may 12 or may 13 when the attack started but began suddenly on june 8 and 9 on a well-funded hospital on the east coast of the united states. it is very likely the health system is still unaware of the event. we measured approximately 275,000 thwarted infection attempts within a two-day period. another hospital was also hit on may 30, in another part of the country. a high school in the midwest was hit at the beginning of june 9. presumably every system at this location would have had its data held hostage if not for the kill switch. moreover, we have been under attack by those attempting to knock us offline, thus propagating the attack. many of these came from a well-known botnet which took down parts of the united kingdom and the east coast. despite these attempts our systems remain resilient. we believe the success of wanna cry illustrates two key facts about our nation's systems. vulnerabilities exist at virtually every level of computer infrastructure, ranging from operating systems to browsers, from media players to internet routers. exploiting and weaponizing such vulnerabilities has a surprisingly low entry barrier. anyone can join in, including rogue teenagers, nation states, and anyone in between. so how do we adapt, overcome and mitigate the threats and weaknesses? while many cybersecurity experts who have come before me offer the usual gloomy "there are no silver bullets," i have had the opportunity to see both sides. our attack responses must be more agile and with higher velocity and intensity. while the nation has considerable risks, the actual resources for cyber defense are scarce and there are simply -- and there simply is not presently an adequate level of highly skilled, highly experienced and highly available operators in the cybersecurity field. 
while there's no shortage of good ideas which claim to be able to solve the problem, every subsequent idea needs development and support and testing, maintenance, etc., all of which we characterize as developer debt. many of these take too long to procure and end up being outdated and essentially useless before the ink is dry on the paper it's written on. i am hopeful that there is a path forward. mitigations are effective and have increased the cost of attacking systems. other mitigations include various design approaches, including data systems and transmissions. such -- they measurably raise the bar for critical software like internet browsers, web servers and every protocols which are fundamental to business continuity. investigating -- investing in technology doesn't necessarily guarantee any actual improvement. in fact, one could argue that introducing more intel technology exacerbates the maintenance and creates immediate monetary loss because there are few metrics to measure the effectiveness of any particular technology. this is because we are typically years behind the attacks in terms of the sword and shield battle. as these resources ebb and flow, knowledge debts are also created -- knowledge gaps are also created. we must be less risk averse in terms of the defensive operations we undertake, more open to failure and ready to adapt and learn from failure. we need a stronger -- stronger focus on threat modeling and fire drill simulation that will focus on the events of magnitude which will cause significant damage. a significant response with the wanna cry incident was there was no real cry for the course of action well communicated. the media focused on points contrary to the defense whodunit and this could have resulted in a complete breakdown of processes had this been an unpatched zero day vulnerability and there was no luxury of a kill switch. the largest success, though incomplete, was the ability for the f.b.i. 
and ncsc of the united kingdom to disseminate the information we provided so affected organizations could respond. information sharing can be valuable but our framework could be vastly improved by triaging cybersecurity threats in a clear and repeatable scale, not too dissimilar to the richter scale which measures the energy released in an earthquake. likewise a scale that takes the technical and social into account to evaluate it allows first responders, us, to focus on the most important areas of risk. while there do exist various scoring systems for evaluating the purely technical element, they fall short in terms of clear information. we focus too much on vulnerabilities with names like ms17-010. none of these impact the wider environment. we need an easier to grasp method to prioritize threats that have large-scale destructive potential. to this end, once we determine a method to evaluate the risk, we can do -- we can apply the appropriate mitigation. in conclusion, one of the largest issues is the transitory nature of the crisis. we think this can be explained by the fact that organizations are too slow to adapt. there's a vast human resource shortage and little by way of metrics to demonstrate return on investment in defensive technologies. again, i thank the subcommittee for inviting me here today to discuss our involvement and the lessons learned from wanna cry and i welcome the opportunity to answer any questions you may have when they're fielded. mr. lahood: thank you, mr. neino. i now recognize dr. romine for his opening statement. >> chairman lahood, ranking member smith and others, thank you for the opportunity to appear before you today to discuss nist's key roles in cybersecurity and how they relate to recent incidents. in the area of cybersecurity we have worked with federal agencies, industry and academia since 1972, starting with the development of the data encryption standard. 
nist's role to deploy standards to protect the federal government's information systems against threats to the confidentiality, integrity and availability of information and services was recently reaffirmed in the federal information security modernization act of 2014. nist provides ways to recover from these attacks by ensuring that the recovered system is trustworthy and capable. nist's guide for cybersecurity event recovery provides guidance to help recover from a cyber event and integrate the processes and procedures into the enterprise risk management plan. the guide discusses hypothetical cyberattack scenarios including one focused on ransomware and steps taken to recover from the attack. three years ago, nist issued the framework for -- issued the framework. it was created through tight collaboration between industry and government and promotes guidelines and practices. the framework prompts decisions affecting infection by the ransomware, propagation of the ransomware and recovery from it. while the framework does not prescribe a baseline of cybersecurity, for example a baseline that would have prevented wanna cry, it does prompt a sequence of interrelated cybersecurity risk management decisions which should help prevent virus, infection, and propagation and support expeditious response and recovery activities. on may 11, president trump signed executive order 13800, strengthening the cybersecurity of federal networks, that mandated federal agencies to use the framework. under the executive order, every federal agency or department will need to manage their cybersecurity risk by using the framework and provide a risk management report to the director of the office of management and budget and to the secretary of homeland security. 
on may 12, nist released a draft interagency report, the cybersecurity framework implementation guidance for federal agencies, which provides guidance on how the framework can be used in the united states federal government in conjunction with the current and planned suite of nist security and privacy risk management guidelines and practices developed in response to the federal information security management act as amended, or fisma. another nist resource that can assist in protecting against similar future attacks is the most recent release of the nist national software reference library, or nsrl. it provides a collection of software from various sources and unique file profiles, most often used by law enforcement, government and industry organizations to review files on a computer by matching the profiles -- profiles in the system. nist retains a database of all known vulnerabilities, such as the one exploited by the wanna cry malware. the list is a -- an authoritative source of security vulnerabilities that nist updates dozens of times daily. nist analyzes and provides a common severity metric to each identified vulnerability. we recently initiated a project at our national center of excellence focused on recovering from cyberattacks. organizations will be able to use the results of the research to recover trusted backups, roll back data to a known good state, alert administrators when there's a change to a critical system, and restore services quickly after a wanna cry-like cyberattack. nist is extremely proud of its role in establishing and improving the comprehensive cybersecurity technical solutions, standards and plans to address cyber threats in general and ransomware in particular. thank you for the opportunity to testify today on nist's work in cybersecurity and in preventing ransomware attacks. i'd be happy to answer any questions you may have. mr. lahood: thank you, dr. romine. i now recognize dr. touhill. 
>> Good morning, Chairman LaHood, Ranking Member Beyer, members of the committee. Thank you for the opportunity to appear today to discuss cyber risk management. I'm retired Air Force Brigadier General Greg Touhill. I serve on the faculty of Heinz College, where I instruct on cybersecurity and risk management. Prior to my current appointment I served as the United States Chief Information Security Officer, and before that in the United States Department of Homeland Security, where I served as Deputy Assistant Secretary for Cybersecurity and Communications. During that period I also served as Director of the National Cybersecurity and Communications Integration Center, commonly referred to by its acronym, NCCIC. During my Air Force career I served as one of the Air Force's first cyberspace operations officers, and I currently maintain both the Certified Information Systems Security Professional and Certified Information Security Manager certifications. Many people mistakenly view cybersecurity as solely a technology concern. Cybersecurity is a multidisciplinary management issue and an essential part of an enterprise risk management program. I recognize we have a very full agenda of topics today and I'm sensitive to your time. I have submitted for the record a written statement, and in that I discuss the recent WannaCry attack and assess how it may impact the public and private sectors. I view WannaCry as a slow-pitch softball, while the next one may be a high and fast fastball. I also discuss the public-private partnership, and I urge the Congress to continue its great efforts to strengthen our enterprise risk posture. I urge you to authorize and empower the federal Chief Information Security Officer position, which currently is not an authorized or specified position. I also suggest that instead of calling it the NIST Cybersecurity Framework, and I'm a huge fan of this framework, we call it the National Cybersecurity Framework, to reinforce the fact that it applies to everyone.
Further, NIST did a brilliant job in crowdsourcing the development of this framework, but it was really people from around the country that brought the best practices to the table. NIST was a great trail boss for this, but it is really a national cybersecurity framework. Finally, in regards to the proposed H.R. 1224 legislation, I congratulate the committee and the members of the Congress for taking the initiative to really reinforce the need to implement the framework across the federal government. I do suggest, based upon my experience in both the military and the civilian sectors of the federal government, that we do two things with that act. One is we amend that act to make it apply to national security systems as well. Having served extensively in the military and in the federal government, I believe that the national cybersecurity framework applies equally to national security systems, and I recommend you make that amendment. Further, I concur with my colleagues who suggest that we leverage the inspector general and auditing communities that are currently in the different departments and agencies and reinforce their need to conduct appropriate audits using that cybersecurity framework. Again, I thank you for inviting me to discuss cyber risk management with you today, and I look forward to answering any questions you may have. Mr. LaHood: Thank you. I now recognize Dr. Thompson to present his testimony. >> Good morning. Thanks for having me, Chairman LaHood, Vice Chairman Abraham, Ranking Member Lipinski. I'm grateful to talk about a critical subject. Understanding the environment is essential to crafting good, effective defenses. Ransomware attacks are one of the latest manifestations of the kinds of disruptive attacks that we are now facing. The timeline of WannaCry has been covered by the other folks on this panel, but I did want to share a graphical timeline that you can see on the monitor. Apologies for the small print.
What's interesting, and where I would like to add some color, is this: Symantec is the world's largest security company, with technology protecting over 90% of the Fortune 500 and being used extensively by government agencies around the world. In addition, we protect tens of millions of home users through our Norton products. It represents the largest civilian threat intelligence network in the world. WannaCry was unique and dangerous because of how quickly it could spread. It was the first ransomware worm that had such a rapid global impact. Once on a system, it propagated autonomously by exploiting a Microsoft vulnerability and installed the ransomware package. It finds and encrypts a range of files and displays a ransom note demanding payment in bitcoin. Symantec worked closely with the government. We connected workers with our experts, provided analysis and received the same back. DHS during the outbreak coordinated operational activities. From our perspective, this was one of the most successful public-private collaborations that we've been involved in. Our analysis of WannaCry reveals that some of the infrastructure and tools have strong links to a group called Lazarus, which the FBI has connected with North Korea. Lazarus was linked to the destructive attacks against Sony Pictures in 2014 and also the theft of approximately $81 million from the Bangladesh central bank last year. The links we saw between WannaCry and Lazarus include shared code and the use of similar IP addresses and similar techniques. As a result, it is highly likely that the Lazarus group was behind the spread of WannaCry. The landscape continues to evolve quickly. We're seeing attacks evolve not just in technology but in the social engineering approaches that these attacks use. We're also seeing more attacks leveraged against IoT devices, such as the massive weaponization of IoT devices by the Mirai botnet that led to significant disruption of major cloud services.
The explosive growth of attacks like Mirai and WannaCry underscores the need for preparation integrated into layered defenses. Response and recovery planning and tools are an essential part of cyber risk management because, while good defenses will stop many attacks, we have to be prepared that a determined adversary may get through those initial defenses, and we must lay a foundation for recovery. There's no question that WannaCry was an important event, but it won't be the last of its kind. It's an indicator of what's to come. Good fortune played a significant role in minimizing its impact, particularly in the U.S., but we will not always have luck on our side, which is why we want to make the necessary improvements to our defenses and response capabilities. This hearing is an important part of that effort, and we appreciate the opportunity to be here. I look forward to any questions you may have. >> Thank you, Dr. Thompson. The chair recognizes himself for five minutes and we'll begin questioning. The title of this hearing is Lessons Learned from WannaCry, and we've talked a lot this morning about WannaCry and how that played out across the world. But in terms of how we learned about the genesis and origin of where this came from, I know The Washington Post came out with an article yesterday that the NSA has linked WannaCry to North Korea. I'm wondering, Dr. Neino, if you can talk about the genesis and origin of where this came from, because it appears it's from a nation state, and I know there are references to what occurred with Sony and the Bangladesh bank. What do we know about it, and what's being implemented, I guess on the government side, to prevent this or hold an entity or the government accountable? >> Thank you, Chairman. I think, if I understand your question, you're asking about the origin and our conjecture as to that. And number two, perhaps defense, but also, correctly, what would be the rules of engagement if it was another nation state.
Why it may not be -- why we think it's ambiguous to conjecture over the origin of WannaCry: there is code in there that suggests one way or another that some nation state could have been responsible. Unfortunately, as I said in my written testimony, anyone could have created this level of attack, and misdirection is often found in binaries like the attacks we see. I would compare it, perhaps, by analogy to Photoshopping a program to look a certain way. Or it could have simply been what it is, which is exactly what we see. It's hard to tell. I won't say that I know the origin of the attack, nor should I conjecture on it, but what I can say is that these attacks are hard to tell. So it would be very difficult to pursue an answer to that. I also think that the question segues the same way. It would be difficult to establish attribution or origin for any attack, and rules of engagement would be very difficult for us to give any kind of assessment on. >> Dr. Thompson? >> This was truly an interesting attack. We spent a lot of time in our research labs looking at both the code that was used in WannaCry but also where WannaCry communicated out to. And there were very, very close similarities to other kinds of attacks that we've seen, specifically attacks that we attribute to Lazarus. The reuse of command and control infrastructure out on the internet by that malware led our researchers to believe that this is strongly linked to the Lazarus group. Similar to my colleague at the end, we're not the intelligence community either, and I agree with those comments that attribution is often difficult. But what we've seen leads us to believe there was a part of this Lazarus group, and separately the FBI has linked the Lazarus group with North Korea. And I think, Chairman LaHood, the article that you're referring to from yesterday is another from the NSA. >> Dr. Neino, we talked about the kill switch and how that stopped the attack.
But we referenced that a hospital and a high school were subject to the attack. Can you explain, if the kill switch was implemented correctly, how the hackers were able to perpetuate the attack despite the registration of the kill switch? >> Absolutely. Although I'd like to be a doctor, it's Mr. Neino. You have to understand the material makeup of the actual malware and how it works. Why WannaCry was so significant is that it's self-propagating. That's what gives it the title of a worm, meaning the actors don't even need to be in existence. Sometimes we refer to these as zombie botnets, because it continues to attack, as in the case of the example given in the testimony regarding the health system. That was a corner case that was very significant. The worm continues to propagate because it is scanning and seeking to expand itself, and that portion of the worm is not affected by the kill switch. So the expansion is still exploiting systems worldwide. What it's not triggering is the payload, if you will, the ransom component. And that component doesn't trigger in most of these organizations worldwide right now. They don't know they're getting actively exploited, but it's because they don't see the ransom portion of it. That's why we have 60 million attacks thwarted today. Nobody knows it's still happening. I don't think the message has resonated, given those figures, that this still needs to be patched, and this again points to the point of resources. >> Thank you, Mr. Neino. I'm out of time. I will yield to the ranking member, Mr. Beyer. >> Thank you, Chairman LaHood. I'm impressed by our panel. There's so much information. Congratulations on being Ph.D. mathematicians. That's wonderful. Only McNerney was our mathematician in Congress. Congratulations on winning the hacking tournament. I never had a chance to say that, but it's very cool. And after all the things that you've done, combat and diplomacy, to be up there at Carnegie Mellon with their buggy races around Schenley Park.
Every university has something that makes it cooler than every place else. General, you talked in your long written testimony about H.R. 1224, a bipartisan bill, but we've expressed a lot of concern about the audit function that this would be taking on. I was fascinated by your points, which we didn't raise when we had the hearing here, that it would make it much more difficult for NIST to be viewed as an honest broker, that this would change the perceptions about their current and future roles, have a chilling effect on relationships based on a common quest to identify and incorporate the best practices, that this would change them in not a good way, and that it would stifle the flow of information from public to private entities. Can you expand on that at all? >> Section 20(a), in making sure that folks are in fact using the cybersecurity framework across the federal government, I think it's brilliant. We need to follow on that big-time. It was something I was promoting as I was United States Chief Information Security Officer. As a matter of fact, at my last Federal Chief Information Officer Council meeting in January of this year, I proposed, and we had a unanimous vote amongst the council, to do a risk assessment for the federal government based on the framework. That portion of the legislation I'm wholly supportive of. Section 20(b), the proposal to do the compliance and audit activities, I'm a fan of. I think it's important that we do auditing and compliance. However, I do stand by what I wrote in the written testimony that I think that this is not the best place to put that. It doesn't have the culture. It doesn't have the mission. It doesn't have the personnel to do it as effectively as the existing general auditing functions. NIST is a great organization that I've been working with for the last 35-plus years, and the relationship that NIST has is in fact as a neutral party that is on the quest to choreograph efforts to find the best ways of doing things.
A compliance function, on the other hand, is looking to see if you were in fact following the checklist. I think that if we want to have an auditing and compliance function, which I definitely think we should be doing, we should be giving direction to those folks whose job it is to do that auditing and compliance function. Frankly, this is an operational issue, and inspectors general have always been, in my book, the folks that do performance inspections, the ones that are going to help those commanders in the field in the military, as well as the executives in the federal government, do their job better and have better visibility into their risk posture. I believe we need to have the inspectors general that are currently in place be the ones who execute the intent of the community and the Congress. >> Thank you, General, very much. Mr. Neino, based on your testimony, you should be a doctor, based on interesting things. The largest issues were that, A, organizations are too slow to adapt; B, that we have a resource shortage; and C, there are no metrics to measure return on investment. You talk about creating a method to prioritize threats, something like the Richter scale. Who should put this together? Who should manage it? Who should maintain it? How do we make this happen? >> I think it would be interesting to see the participation in this if it were crowdsourced through various academic, commercial and private entities, and you could see how they're prioritizing threats and see if that could be put into some sort of simulation system where it allows it to be scalable, where resources are not scalable. That would be an effective area. I also see that the commercial sector alone can do that as well, and that could be adopted, but any time you have some sort of regulatory mandate, it is taken much more seriously.
And what I mean by that is, for instance, if we had an event of magnitude that was measured, and let's say a 7.2 magnitude, shouldn't that particular event be required to be fixed by an organization, whereas right now it's mostly voluntary? So if a water system or a power grid doesn't fix it, even after WannaCry, post-attack, shouldn't we see that sort of mandate, where we can know that that is regulated because that has context? Versus, you can't boil the ocean when it comes to patching vulnerabilities. We're not going to win the war. It's infinite. But we should attack the ones we know about. >> Chairman Abraham. >> Thank you, Mr. Chairman. I stand in awe of the brain cell power on our panel. We could probably use you guys as mathematicians when we work through our budget process. And Doctor, if indeed North Korea played a role in this exploitation, I find it ironic that a country such as North Korea, that not only suppresses freedoms, would use Lazarus. Just an aside. When news of WannaCry started spreading, what, if any, steps did NIST take to ensure information systems were protected, and was NIST involved in any government meetings that took place around that time? >> Thank you very much for the question. The response for an event like WannaCry, from the NIST perspective, the scientific goal, and as an institution that provides guidance, is to learn as much as we can about the technical origins and to determine whether the guidance that we issue is sufficiently robust to help organizations prevent this kind of attack. I'm not aware of specific meetings that we were involved in that were discussing the operational side of WannaCry. I think the law enforcement and intelligence communities were certainly meeting. You heard reference to DHS being quite active in helping the private sector to deal with this issue.
From our perspective, it's more learning whether we can improve the guidance that we make available to entities to try to not only prevent these attacks but also recover from them and to be prepared for them in the future. >> And I'll stay with you for my second question. In your testimony, which I did read, you said that NIST recommendations and the NIST Guide for Cybersecurity Event Recovery and the Cybersecurity Framework would sufficiently address the WannaCry incidents. Will the requirement in the cyber executive order for agencies to implement the framework help them be better prepared in the future to defend against these types of incidents, and should that be enough, or should more be done? >> Thanks for the question. It's difficult to know whether it will be enough for the next event, but I can say this: one of the important things that emerged in our discussions with the private sector during the development of the framework was that we are often thinking about detection and prevention of attacks. Sometimes we don't pay enough attention to response and recovery. And so one of the things that the framework does is to spell out the five functions of identify, protect, detect, respond and recover. And we're providing a lot of guidance with the incident response guidance that we have, for example, to help different organizations be better prepared in responding. One of the analogies that I found was that the Boy Scouts and Girl Scouts motto is right. The better prepared an organization is through its risk management activities, which we think the risk management framework from FISMA, coupled with, for federal agencies, and under the umbrella of the Cybersecurity Framework now, we think those are the tools that are necessary to implement the kind of preparedness that organizations should have. >> One quick follow-up. What specific steps, in light of this, should NIST take to help federal and state agencies be better prepared, as well as the private sector?
>> Look, we are looking at some of the incident response work that we have, some of the data integrity work. We launched the data integrity project at the National Cybersecurity Center of Excellence, which has a very strong tie-in with ransomware-type attacks. We launched that before WannaCry came out, but in light of this new event we're accelerating the work that's going on in the NCCoE so we're able to provide practical examples of how to be prepared, so that organizations can see how it's done. >> OK. And General, thank you for your service to our country. I yield back. >> I now recognize Ranking Member Lipinski for his questioning. >> I thank you for all the work that you do. I think we are really starting to take cybersecurity seriously here in Washington, although there is much more, I think, that we need to do. Part of the problem is understanding what this really means and the impact that it can have. We also need to make sure that the American public knows the significance of cybersecurity and what could happen. We know when we're dealing with cybersecurity that technology is just part of the solution. What often matters more, as we saw with WannaCry, is personal behavior and organizational behavior. Individuals must regularly install security patches and update software. Organizations must have plans in place for a quick response when they're attacked. These are social science issues. Another social science angle is understanding criminal and terror networks as well as other actors, and using that understanding to help inform our information gathering and our cyber defenses. I would like to hear from each of the witnesses your thoughts on whether we are investing enough in cybersecurity and what more can be done. What more would you like to see us do so that we are taking care of these issues? >> Thank you, Mr. Lipinski. I think it's a great point that you bring up. There are few things harder than software and security. When you put them together, it's very hard.
>> One thing that we know will be quite difficult is resources; they will be needed for quite some time. We have eroding boundaries. Systems are changing. We have digital transformation continually happening. We have to retrain our people. This makes it very difficult for those responsible in those areas to manage risk, to actually keep up with the actual threat, the pragmatic threat, but in reality, like WannaCry. In that case, I think that we could see a huge value if we were to see investments in things that allow organizations, going back to the magnitude scale, to look at the areas that can hurt you the most. Investigating those things and putting them together allows you to start to formulate a picture that allows you to prioritize. Once you do that, the investments you make in those people and those resources will be maximized, and we'll have a better chance of being more resilient. >> Thank you. Doctor? >> I'd like to describe two important NIST programs that directly address the human part of this problem. One is, NIST is privileged to host an interagency program that's dedicated to building a larger cybersecurity workforce, and we've made great strides in that area. The second part of the program is, you're absolutely right that one of the key components in achieving security is understanding how humans interact with technology. You can be theoretically secure with technology, but if the people who are trying to get their job done are focused on that and not on security, taking advantage of or in some cases even circumventing the security that's in place in order to get the job done, you have to understand how to build systems that have the human in the loop. NIST used a systems-level approach for cybersecurity, but we think of the users behind it. We have a research group with psychologists and engineers on our staff whose entire mission is to understand how people interact with technology so that we can do better in security and usability.
>> Thank you very much. When I was still in public service as the U.S. Chief Information Security Officer, I had five strategic efforts. Three, do the right things the right way and at the right time. Four, make sure that you're continuously innovating. And five, make sure that you're making risk management decisions at the right level. The first one was harden the workforce. You're always going to spend it on people, and frankly, your people are your greatest resource, but they're also your weakest link. 95% of the incidents my US-CERT responded to, you could track back to a human failure: failure to patch, failure to reconfigure. It should be a strategic priority. It was the top one. Further, if you ask where else could we invest? Well, exercises. People should not necessarily be confronting crisis without having practiced ahead of time. My friend likes to say the time to exchange business cards is not in a time of crisis. We should be doing exercises more often than we are. And further, everybody needs to play. Too often we've seen senior executives dismiss that out to the server room to play. It's a risk issue, and those decisions are made at the board level. I think we need to invest in exercises. You're doing a lot. During the time I was at DHS, the year before, we had done 44. By the time we left, two years later, we were up to 270 exercises. I hope we reward these types of practices because it will buy down our risk. >> Dr. Thompson? >> Thank you. Thanks for that question, because I think what you're hitting on is probably one of the most important and underinvested areas in cybersecurity in general. This human element cannot be separated from the technology. Now, in the security community, we talk about advanced persistent threats, and most people, when they think about that, think about very sophisticated code, malware.
But in fact, what we're seeing is that the root of many of these advanced persistent attacks, the initial way a company or a person got infected, was an individual who made, in retrospect, a bad choice. They downloaded a file. And we're seeing attackers becoming more socially sophisticated in the way they attack. We're seeing personalized attacks, looking for information on social networking sites, for example, so they can create a credible message, or text, that you're convinced is a reasonable thing to act on. I think, from an industry perspective, I want to give you one data point that I think might be useful. I've had the pleasure to serve as the program committee chair for the past 10 years. That conference had 40,000 security professionals show up last year, which is a sign of how important I think this issue has become. Three years ago we started a track called the human element. It is becoming the largest, because I think we all realize, and I love the comments that the General made, I think we all realize that's one of the most critical areas: the human element of the people that are responsible for cybersecurity, but also the human element of the users. And if I could make a final comment here, it is very easy for a user to see that there's an increase in utility. I know it's easier for me if I leave the door unlocked. You don't have to carry any keys. Generally, when you make it more secure, you make it more painful. There are more things you have to do. They can easily measure utility, but they can't easily measure risk. We need to do a better job at helping the individual to recognize risk. >> Thank you very much. >> Thank you, Mr. Lipinski. I now recognize Congressman Higgins for his questions. >> Congratulations on shutting down WannaCry. >> That was a big mistake to leave the domain unregistered. >> It's hard to say what it is. It could have been intentional. We think it's nonintentional, but it definitely was a mistake in any regard.
>> Well, congratulations on discovering it. I would want to know, had that kill switch not been... >> I could only give a thumbnail of what it might look like. We're seeing them, and you'll start to realize that the spread slowed significantly. This could have been a very, very massive attack. >> I concur. Most cyber experts agree that it appears that North Korea was behind WannaCry. Do you agree? >> I think there are tells in the software program that you could use to associate it, but I do believe that intelligence is cumulative beyond cyber. You need other areas to attribute. >> What's your opinion? Is North Korea behind WannaCry? >> I don't want to comment. I've seen other conjecture, but I don't think it's worth commenting on. >> When security software is designed, how easy is it for the designer to build a back door access that would be virtually undetectable within that cybersecurity software? >> Good question. The level of effort to do that is very low. >> Thank you for concluding that. Brigadier General, my question is to you, sir, and thank you for your service. Are you familiar with Kaspersky Labs out of Moscow? >> I am familiar. >> A manufacturer of cybersecurity products. Top intelligence officials at the FBI, NSA and other agencies advised this body that they do not trust Kaspersky. However, it is still used widely in the U.S. government. Can you explain that to this committee? >> Well, sir, I don't know what kind of conversation, you know, my colleagues from those agencies had with this committee. However, if I take a look at the different products that are in the market today, I believe that the American products are -- that the American pickup trucks are the best out there. >> I concur. [Laughter] That's a brigadier general speaking right there. >> That's an American speaking, sir.
>> Although there's no public evidence of collusion between Kaspersky Labs and the Russian government, and Eugene Kaspersky said they have no ties to the Russian government, it is part of the national conversation, Mr. Chairman, and it's widely known that the Russians have been involved in efforts to influence governments across the world with cyber attacks, and he has suggested that he would testify before this body. I strongly suggest that we take him up on this offer. I sure would like to talk to him regarding the kill switch in North Korea, that having been a rather glaring error on the part of the designer of that worm cyber attack. What do you think happened to that guy in North Korea? It was a kill switch, wasn't it? So this message, should it get to him: if you can get out of the country, you're welcome in the West. We'll give you some real good food. Mr. Chairman, I yield back. >> Thank you, Congressman Higgins. I now yield to Congresswoman Esty. >> Thank you very much. This has been enlightening and helpful. One human element: you can buy all the great equipment in the world and, as you said, Dr. Thompson, if you leave the door open it doesn't do you any good. A little bit about the analogy in hospitals, about how people are used to washing their hands. It's low-tech but it works. I think what we need to emphasize is hygiene. What are the proper hygiene practices and procedures that we can take, in government and non-government? We have an issue at all levels of government with really old systems. This was exploiting a vulnerability in Windows. Who is still using those systems? I can tell you it's local and state governments that don't have any money. So that makes it an even greater issue. To your point about threat assessment and understanding levels of assessment, we need triage help to recognize what DEFCON level this is, because everybody looks at their phones: I don't have time to update my system. That's human behavior.
>> We ought to be getting social economists, and I think that needs to be part of what the government is doing to stay ahead of the game. We need to do that. A number of us were in a briefing a couple of months ago with some of the folks from the top level of the private sector, talking about how so much of our emphasis at the federal government has been, and frankly the incentives have been, for us to be in attack mode. We're developing our attack cyber capability out of our government, and we've left it to the private sector to do more defense. It's less sexy, but frankly a lot more important. What can we do with the culture change? Is that out of NIST? DOD? NSA? To put the incentives there? How do we make sure we're getting the broadest sector of the talent pool? It might not strike people, bringing in people who do Snapchat, for figuring out how we make sure people don't click on that link. But if we don't do that, if we look at what happened in the hacking on the electoral system in the last year, what happened to John Podesta's email, it was someone who clicked on the link. It is going to be the weakest link or the strongest link. Anybody who has thoughts? That's what happens when you're batting cleanup and want to raise a number of issues. But again, thank you very much. I'll look forward to following up with all of you, and thank you for your efforts and for joining with us to figure out how we do better for America. >> Thanks. I'll make two very quick points. One is we have active research going on now under the program that I just talked about, understanding human behavior, trying to understand susceptibility to attacks: what are the things that factor into people not recognizing that something is a phishing attack? There's research coming out about that.
with regard to culture change, i think maybe it's underappreciated sometimes, the culture change that's going on in board rooms and among c.e.o.s, with the framework as a catalyst, i think, for this. but i think this might have been on their radar anyway. but the framework is a means of catalyzing the understanding: all of the other risk that you're already managing as a c.e.o., you now have the tools that you can use to incorporate that into that entire risk management.
>> i'd like to pile on to that. first of all, on the cyber hygiene, we all need to do better. we've worked very closely with nist to help promote the national cyber education programs that we have. i think we need to do better on that. i propose that we probably need, or i call it, the bite. let's get kids fully educated, and we've been working with nist and across the interagency to do that. and we also need to incentivize. we shouldn't necessarily be seen as the government that overregulates. we need to encourage and incentivize folks to do the same thing. but we also have to recognize that risk is an intrinsic part of any management of any business. we have to be very careful that we don't hamstring any boards or c-suites. we need to give them the tools and the support to be good wingmen to help them make those risk decisions. and then finally, we've had a lot of discussions publicly in this town over the last two, three, four years about roles and missions as to who does what. as for me, having served in uniform for 30 years and having done some public service on top of that, i think it really takes teamwork. i've used the d.o.d., and n.s.a. and intelligence community to help with deterrence and interdiction. when it comes to protecting hometown america, i believe that that's more properly for d.h.s., and the work that's being currently done in the nccic to integrate different activities and better service the citizens.
>> just a quick comment.
first, i support the general's suggestion that we resurrect smokey the bear. we should repurpose him for this effort. but i will say first, congresswoman, thank you so much for your comments. i very much agree with what you said about the human element. i can tell you that the practice of security i think is changing very much because of that, and i think about the folks that we hire at symantec as an example. the kinds of folks that are hunting down the malicious networks today: computer scientists and mathematicians, but they are computational and they're anthropologists. there are people who are looking at the human behavior of an attacker group. that's one side. on the consumer side, which we sell to, we spend an amazing amount of time thinking about how do we make security like this ipad? i call it the ipad because it's the only piece of technology i think i've ever given to my mom. i didn't have to give her any instructions about how to use it. she just understood it. we spend a massive amount of time now, today, on design: how do we make it easier to be more secure than less secure? and i think that is where a lot of effort must go in the security effort. how do we make it easier to be more secure than less secure?
>> thank you, congresswoman. i was thinking maybe smokey the bear malware?
>> we'll register the domain, mr. chairman.
>> and i recognize mr. palmer for his questions.
>> mr. neino, accept our thanks for the quick thinking that allowed the -- but with regard to your point that 200 thousand is too low, and that before the implementation of the kill switch there may have been one or two million infections. how are you going to explain that practically no one tried to pay the ransom?
>> i think there are some who tried to pay the ransom. the measure of success of that is hard to determine.
>> what you've done is the -- from many studies, a large portion of companies do pay the ransoms when their computers are hit. while it's advertised,
less than 500 people did that. .1 of 1%.
>> i think that's inconsistent with what you're saying.
>> i think when you look at it, it's hard to associate the payment with the actual spread. i'll tell you for a variety of reasons. one, when you look at the magnitude of the attack and you try to pace it, it was not clear whether you would get your systems back anyway, and at this point the attacks have been abandoned. if you paid the ransom, you didn't go anywhere. most of the media were asking. we said, you would have to -- make your own assessment and determine if you should pay. the data that we are receiving is absolute. when we get this data, it's not just one. we've been doing this for a decade.
>> i'd like to address this question, general touhill, and as many of our members have said, thank you for your service, sir. your testimony is saying that almost everyone that was infected was running windows 7. so isn't it true that the main reason people were infected was because an intelligence community exploit was leaked to the public?
>> turn on your mic, please.
>> sir, thanks for the question. just for clarity's sake, in my written testimony, i highlighted windows 95 being used as an example. now we're very susceptible to this type of attack.
>> a lot of unpatched systems.
>> sir, i'm asking about a vulnerability that was leaked to the public.
>> yeah, i agree.
>> i'm very concerned about that.
>> and i think that this highlights a couple of things. first of all, patch your systems. we've been telling you to do that. second of all, we'll take a look at the leakage of information, or the attribution of it. that's curious and nonacceptable.
>> the reality is that a team of hackers calling themselves shadow brokers published an n.s.a. exploit called eternalblue on the internet. and that happened in january 2017. and microsoft released a patch three months later, in march. the patch was called ms17-010. that's not a problem.
the problem was that if you hadn't put all of the microsoft recommended patches on all of the machines within 60 days, you would be a victim. it was a zero day attack. the eternalblue code was released in january; there was no way to protect the computer from it.
>> i don't believe i would characterize it this way. from my perch, you know, frankly because of the fact that we had some patches that had been put out, and they went through extraordinary measures to create those patches for operating systems that had previously been declared unsupportable. windows 95 had been online for about 19 years before it was retired, and for the last three years microsoft had not been supporting it. and then for them to come back and put out that patch in march was extraordinary. through the federal government and other organizations around the world, we went out and we clearly communicated, and carnegie mellon was one of them, to alert the communities of interest. labeled as a critical patch, sir.
>> could you describe the doublepulsar feature? since no one was paying, was it to allow access to the machines, that doublepulsar is installed by becoming effective?
>> thanks for your question. it's difficult to anticipate what the true intention was of this attack, whether it was ransomware, whether it was -- but what is, i think, interesting as a characteristic of the attack, which goes back to your first question of why didn't we see normal or expected rates of ransomware payment: the back end that was set up was very weak compared to the typical piece of ransomware that we see out in the wild, and it is -- it is pretty incredible. many of these ransomware attacks have a very robust infrastructure behind them. they almost have the support of customer support for those who have been infected. we didn't see that level of communication in the back end.
>> i thank the witnesses for their answers. i yield back.
>> now yield to congressman webster for his questions.
>> thank you, mr. chairman, for having this meeting. and thank you, each of you, for coming. but my mind has been on something else, and the statements that were given here were similar to that, in that they fit. there was an attack yesterday, and i talked about that. it was an advanced persistent threat. was it a personalized attack? and there are some people -- my seat mate, here. to turn it around. and so i just -- that's what was on my mind. these capitol police who ride with us, and many of the members of this congress. maybe it's a different kind of threat, but it was real. in this similar case there was no error. and so i just -- i want to take this time that i have, just a few minutes, and say thank you for our people who work here and for the members who serve here, who proved there still are heroes in our country -- they haven't been exposed yet. and thank you, mr. chairman. i yield back.
>> thank you. i think we have a couple more questions. we're going to go for a second round. yeah, myself, five minutes. dr. romine, you wrote that nist maintains the national vulnerability database and updates it in a timely fashion. it has documented the vulnerability that the wannacry malware exploited. a recent report shows that 75% of the vulnerabilities were described elsewhere first. i'm interested in the gap between the discovery of the vulnerability and reporting on the n.v.d. what is the reason for the delay there, if you could talk about that? and is nist working to get rid of that lag time?
>> thank you for the question. we're always interested in trying to shorten time to deliver really important information to our stakeholders. in the case of the nvd, our goal is not first to disclose or first to disseminate, all the way as we can. our real goal is accurate curation, including assessment of severity. that requires a certain amount of analysis before we can put something in the database.
the other reason for that is that the disclosures are often from sources that are not necessarily reliable from our perspective; including as a result vulnerabilities from sources that we don't view as authoritative would not be in the best interest of the n.v.d.
>> was there a delay in reporting the vulnerability that the wannacry malware exploited?
>> i don't know the exact duration between the time that we received our report and the time that we put it in the n.v.d. i'm sure it was a matter of days.
>> thank you. those are all my questions. i yield to mr. beyer.
>> thank you very much. general, you were the first chief information security officer and you took that position under the obama administration. do you believe they should have this position? and i know the trump administration has until -- yes. any reason why you left at the time that you did? and now.
>> well, first of all, thank you for the question. i believe that this is a best practice. different organizations: the first chief information security officer was created in the private sector over 30 years ago. it took about 10 years for the federal government to create one. i think it is, and it is critically important, to have someone who is focused on information security and the risk to the enterprise, and advising the corporate community, as it were, up, down, and across. it is a best practice, and it manages that risk. we still don't have a position for a federal chief information security officer in statute. my position was appointed as an administrative appointment. and i think that if we take a look at -- as we move forward -- what they recently came out with is a great step forward. i think we need to firm it up, make sure that the position is an enduring position. we also need to make sure that the chief information security officer can, and does, have a quarterback to better manage our risk. if the appointment goes forward, i look forward to seeing who the administration brings forward, and i'll coach and serve as wingman for that person.
>> great.
while we're talking executive orders, you made this real interesting point that we overclassify, that the default is to make everything the highest thing, and we should make a lower level of classification and argue our way up. how do we operationalize that?
>> thank you for the question. because i was responsible for public and private partnerships and the information sharing between the public sector and private sector, and frankly, we overclassify too much time-sensitive information. and i believe that the solution set is going to have to be a combination of legislation as well as executive action. i think both branches of government are going to need to partner up to determine the best means of getting the information out to folks to take timely and actionable actions in this environment.
>> you had one intriguing line in your testimony: defense, as contrary to who did it. and what i understood from that is we spend so much time on who is after us rather than trying to defend ourselves. could you expand on that? naturally, curious to know; on csi, i want to know who did it.
>> i think the barrier of entry is such that anyone could do it. conjecture of who has done it is a very difficult task because cybersecurity is something that could be misdirected. you never know who the attacker is, and focusing on that doesn't solve the problem: we are vulnerable. you leave the door open. there could be thousands of people who walk by your house every day. would it matter? because you leave yourselves exposed. they do it because they can, and we should not make it that way. we should make it so we are a resilient and strong nation in regards to defense.
>> do you want to pile on at all?
>> i do. thank you. we don't look at who is the country behind it and who is the person behind it, but it is very critical for us to associate patterns of behavior. it will let us learn more about that group and the tactics, and make us better prepared to protect against a new attack, sight unseen.
and that was the case with a.v. engines: because of previous training on this, against the wannacry malware. and leave it up to the intelligence community to decide who that group actually belongs to.
>> mr. lipinski, any follow-up questions?
mr. lipinski: i thank the witnesses for the testimony and all the work, as i said, and i'm sure we will be continuing this discussion. so thank you.
>> in closing, i want to thank all the witnesses today for your important, insightful and impactful testimony. and as our committee looks to cybersecurity and the issues of national security, economic vulnerabilities, privacy, we look forward to working with you on those issues and appreciate you taking time out of your busy schedule to be here today. and the record will remain open for two weeks for additional written comments and questions from members. at this time, the hearing is adjourned. thank you.
[captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] [captions copyright national cable satellite corp. 2017]
