Any background noise? Member, please mute their microphone. Going through documents and records please, email documents. I'm going to abbreviate my opening statement. I will put the full statement in the record given the fact that you probably can't hear me and understand me and I'm having trouble. You know, this is the second hearing. Last hearing was with industry stakeholders, and we heard distressing and serious gaps, shortages of several personnel, lack of even the most basic hygiene practices, and a consensus among our witnesses that federal government needed to help the private sector, which owns and operates 85% of the nation's critical infrastructure, to defend itself and respond to attacks. You know, the bill 3684 will provide funding at the local, state and federal level to enhance response to cyber security incidents. It improves the national highway system, other transportation systems, capabilities and established office of National Cyber directive to the principal advisory on cyber security strategy to identify cyber security incidents and coordinate a federal response. Those are noteworthy steps but there's more to do. Today we'll hear from multiple agencies responsible for transportation, other critical infrastructure and their efforts to help private industry. You know, we have, for the most part, relied upon voluntary approach to protecting assets, choosing not to mandate standards for cyber security audits or exercises. In contrast, in other areas of the private sector has the potential to cause significant harm and government has established very robust requirements, that would be nuclear power, drinking water, wastewater and others, to make them safer and more resilient. But, you know, there are many of these industries relate to other critical industries in the private sector. And voluntary cooperation sometimes isn't enough. You have to spend a bunch of money on cyber security.
The leeches on Wall Street are going to say, hey, why are you spending all that money on cyber security? Trying to manage stock price, we want to see you put the money in the bank. So there needs to be a little nudging here and then, of course, the cost of an incident far exceeds the investment they should have and would have made to prevent that incident, not an absolutely catastrophic incident but basic incidents, ransomware and the other things that are rather routine. So I don't think putting forth basic cyber security standards, awareness and training should be voluntary. It should be required. And public safety, national security, depend upon these steps. In the wake of the Colonial Pipeline cyber attack, the Security Administration had specific cyber security for pipelines to defend against ransomware and other attacks. Colonial turned down a comprehensive audit before the event which might have helped prevent the event. So, you know, but it was voluntary so they said no thanks, we don't want to know about our vulnerabilities. Last week, TSA issued basic cyber security enhancements for the aviation sector. Security director for passenger rail, freight rail, detectors early as this week. So this is appropriate time for this hearing. Both the GAO, sorry, and the Department of Transportation's Office of Inspector General, who we'll hear from today, made thousands of recommendations related to cyber security weaknesses at federal agencies and these recommendations remain unaddressed. Some of their more alarming findings find DOT's failure to implement cyber security risk management strategy, weakness in FAA's approach for avionic systems and commercial aircraft. One of the department's top management challenges. Inconsistent software updates, lacks enforcement of cyber security requirements. IT systems at DOT vulnerable to exploitation of hostile actors.
I look forward to hearing from our expert witnesses today on the best mitigation potential solutions we could look forward, and with that, I recognize the Ranking Member, who hopefully has control of their voice.

Thank you, Mr. Chairman. Before our statement I want to acknowledge your announcement you're not seeking reelection next term and I want to thank you for your long and distinguished career serving three decades in the House of Representatives. I have no doubt you're going to finish out your term and work just as hard as ever on behalf of your district and constituents, and I also believe you and I agree Transportation and Infrastructure is one of the best and most important committees in Congress, and I know you will continue to work diligently to address vital issues for this committee in the coming months. I do wish you and your family all the best in your retirement. Turning to today's hearing, we will continue in examination on cyber security challenges for the transportation and infrastructure sectors. During our first hearing on this topic in November, we heard from the perspective owners and operators of these critical assets about the steps they've taken to improve their cyber security posture, the threats and risks they still face, and the effectiveness of federal government cyber activities. Now, we will hear testimony from some of those federal agencies themselves and how they are providing support to transportation, infrastructure operators, boosting their cyber security preparedness and response capabilities. Stakeholders have expressed concerns about aspects of those federal programs, for instance, the recent security directives from TSA, and I hope we can get some answers on how to improve their implementation. We also will hear today from how federal agencies are protecting their own systems, their own data, and infrastructure from ever-changing cyber threats.
I look forward to hearing from our witnesses, the panel, about the cyber challenges they've identified and examined for the federal agencies under the committee's jurisdiction, as well as receive updates from those agencies on how they are rising to meet these challenges. I appreciate our witnesses joining us today in discussing how operators of federal agencies can work collaboratively to improve cyber security of our nation's critical infrastructure systems and transportation systems and transportation infrastructure. So with that, I would yield back and look forward to video? Video does not want to stay on. It just keeps blinking off. No. Okay. Good. Thanks.

Thanks for the kind words. You know, I know that the committee will continue its great work, you know, between your leadership and others on the committee. With that, I'd like to move to recognizing the witnesses here today. Up first is Mr. Cordell Schachter, CIO, DOT; Mr. Larry Grossman, chief information security officer, Federal Aviation Administration; Ms. Victoria Newhouse, federal administrator for policy plans and engagement; Rear Admiral John W. Mader, assistant commandant for United States Coast Guard; Mr. Kevin Dorsy, assistant inspector general for information technology audits, Inspector General, Department of Transportation; and Mr. Nick Marinos, director, cyber security at the GAO. With that, I would first recognize Mr. Schachter for five minutes.

Good morning, Chair, Ranking Member Graves and members of the committee. Thank you for the opportunity to testify before you today and for your support of the Department of Transportation. I'm Cordell Schachter, chief information officer. I'm honored to be here with FAA chief information security, Larry Grossman, U.S. DOT Office of Inspector General assistant inspector general for IT audits, Kevin Dorsy, and officials from the U.S. Coast Guard, Transportation Security Administration and Government Accountability Office. I was appointed U.S. DOT
's chief information officer on August 30th this year. My testimony today is based on observations and review of DOT records during my three months in this position. My testimony is also informed by my 26 years of service as a local government official in New York City, 13 years of that service as chief technology officer and CIO of New York City's Department of Transportation. In between two tours of New York City government service I worked for several technology companies, taught master's level courses in civil technology at New York University in New York City, and St. Petersburg. I believe the program has improved the department's security posture and on a path for continuing improvement according to government best practices. U.S. DOT's executive ranks have many officials with the knowledge and expertise of providing service directly to the public. This begins with Deputy Secretary Trottenburg and the leaders of many of our operating administrations or modes. They have also held key elected and appointed leadership positions in cities and states, solving problems, protecting citizens, and improving the quality of life of their constituents. We now have before us one of the greatest opportunities to improve the quality of life for all Americans. We look forward to partnering with Congress and our sister federal agencies to implement the landmark bipartisan infrastructure law. On the same day that President Biden signed the law, he executed an executive order to ensure, among other priorities, increased coordination across the public sector to implement the effectively. We commit to that goal. Our executive leadership team's experience includes making improvements to systems while they continue to operate. Similarly, we'll continue to improve our existing systems to make them more cyber secure while they continue to operate so that they resiliently support DOT's operations and the American people.
I want to transparently acknowledge we have multiple open audit findings from previous OIG and GAO cyber security audits. We take seriously their assessment. I designated cyber security improvement as the top priority for DOT's information technology organization, the office of the chief information office. We have begun a series of cyber sprints to complete tasks and make plans to meet our federal cyber security requirements and implement best practices, including those from President Biden's executive order for improving the nation's cyber security. The cyber sprints prioritize three areas: system access control, website security, and improved governance, oversight and coordination across DOT. These activities address OIG and GAO findings. DOT is actively working to meet responsibilities to improve the department's information technology infrastructure while implementing our portions of the infrastructure law. We will also meet the challenge of continuously improving the cyber security of DOT information technology systems while keeping those systems available for use. We look forward to working with this committee, our agency partners, and the White House to strengthen and protect our infrastructure and systems. Thank you again for this opportunity to testify. I will be happy to answer your questions.

Thank you, Mr. Schachter, for doing exactly in five minutes, appreciate that. We'll now move on to Mr. Larry Grossman. Mr. Grossman.

Good morning. From air traffic control to the largest airliner or the latest drone, connectivity is the way of the future in airspace. It's also why we have to constantly raise the bar when it comes to cyber security.
Chair DeFazio, Ranking Member Graves, members of the committee, cyber threats are an ongoing concern and increasing reliance on highly integrated computers and networks is cause for vigilance at all levels of the aviation industry. This is especially true at FAA, where we are responsible for operating the nation's air traffic control system and overseeing design, manufacture and testing of aircraft design and systems including avionics, and me, personally, as a pilot, instructor, and for those we regulate and the community at large. I want to start by noting the executive order on improving the nation's cyber security and I want to thank Congress on continuing guidance and direction over many years. The FAA's effort to address cyber challenges benefits from your oversight and cooperative efforts with other branch agencies. We appreciate the input as we strive to make systems more efficient and safer. You'll hear it again, safety is a journey, not a destination. The same is true for cyber security. What we do today is not enough for tomorrow or the day after. We're always striving to improve, constantly updating and evolving FAA's cyber security strategy, put into action through cross-agency cyber security commitment. The strategy includes protecting and defending FAA networks and systems, enhancing risk management capabilities, building and maintaining workforce capabilities and engaging with external partners. We defend our air traffic control and other networks by using separate and distinct security perimeters and controls that are the responsibility of the FAA chief information security officer and FAA chief information officer. To assess cyber threats and vulnerabilities to our networks, we've developed a cyber test facility at our William J. Hughes Technical Center, where we also conduct testing. We ensure cyber resilience on aircraft through risk assessments during initial certification process or when there is time to a previous certification.
When existing regulations do not provide adequate protection we issue special conditions. Throughout an aircraft's life, operators must track security issues in much the same way they do for other issues, using data-driven methodologies, that allows operators in the FAA to make informed risk management decisions. Smart decisions require counted and dedicated cyber workforce, and we continue to invest in our people. Congress recognized the importance of this effort and in 2018 asked FAA to enter into agreement with National Organization of science. That study made it clear there's more work to do, though many of the recommendations are consistent with the cyber security strategic objectives and others ongoing with FAA recruitment efforts. Finally, one of the major components of our strategy is build and maintain relationships and trusts with our external partners. This is critical for defending and reacting and recovering from a cyber attack. It's why we are the lead agency on the Aviation Cyber Initiative entering task force with DHS and DOD. It's why we work collectively to address cyber security risks in the ecosystem, ranging from airport authorities to manufacturers. As technology of the aviation ecosystem evolves, we expect cyber security will continue to be a growing challenge and significant component of aviation safety and airspace efficiency. We are prepared for this challenge and look forward to keeping Congress and the committee informed. I'd be happy to answer any questions you may have.

Thank you, Mr. Grossman. Now, Ms. Victoria Newhouse, you're recognized for five minutes.
Good morning, Chairman DeFazio, Ranking Member Graves and distinguished members of the committee. My name is Victoria Newhouse. I serve as deputy assistant administrator for policy, plans and engagement at Transportation Security Administration. I greatly appreciate the opportunity to appear before you today to discuss TSA's important role in cybersecurity for our nation's infrastructure. As you know, TSA was established by the transportation security act bound into law on November 19, 2001. Under that law assumed the mission for cybersecurity in all transportation, be it aviation or the other systems, mass transit and passenger rail, motor way, pipeline, as well as supporting maritime security with United States Coast Guard partners. As we recently observed TSA's 20th anniversary we rededicated ourselves to our critical mission to protect our nation's transportation system happens. My personal commitment to TSA's important mission to ferociously protect our homeland is fueled by my own personal experience on September 11th, 2001, surviving the attack on the Pentagon on that fateful day when we all lost over 290,077 friends and colleagues. This works with our stakeholders and federal agency partners, including several on the esteemed panel today. Cybersecurity incidents affecting transportation are growing, evolving and persistent threat. Across U.S. critical infrastructure, cyber threat actors have demonstrated their willingness and ability to conduct malicious cyber activities, targeting critical infrastructure by exploiting the vulnerability of operational technology and informational technology systems. Malicious cyber actors continue to target infrastructure through transportation systems. For instance, as mentioned earlier, the ransomware incident of the pipeline last May underscored this threat.
TSA is highly dedicated to protecting our transportation networks against these evolving threats and continue to work collaboratively with public and private stakeholders to drive the implementation of intelligence-driven, risk-based policies and programs and continue our robust information sharing efforts. As reflected in the cyber security infrastructure testimony provided by our industry colleague on November fourth of this year, we have a vital national interest in understanding, mitigating and protecting its people and infrastructure from cyber security threats. Constantly evolving potential for malicious cyber activity against transportation infrastructure points to the need for continued vigilance, information sharing and development of dynamic policies and capabilities to strengthen our cyber security posture. TSA has sought to mitigate the degradation or malfunction of systems that control this infrastructure by implementing immediate security requirements through security policies. After the Colonial Pipeline ransomware incident in May, there was a clear understanding that we need to take more action to prevent another pipeline incident in the future. In that vein, TSA issued two security directives to immediately address these threats. We required the pipeline operators who operate and transport over 85% of the nation's energy and assets to take immediate actions to report cyber security incidents to my partner agencies, Cyber Security Infrastructure and Security Agency, designate a express cyber security coordinator and that is available 24/7, and implement specific mitigation measures. We continue our work across all of our modes that credible cyber threat information is driving our most recent effort to issue more directives in this vein. As Chairman DeFazio mentioned earlier, we are working with rail operators and aviation in four critical actions.
Designating cyber security coordinator, reporting incident, developing incident response plan, and conducting self-assessments to address potential vulnerabilities and gaps. Chairman DeFazio, we continue robust engagement with our partners through advisory committee and our aviation advisory committee along with numerous corporate executives all the way down to the security level. Chairman DeFazio, on behalf of my colleagues at TSA we would like to congratulate you on your decades of service and thank you for your service to all of us and our nation. I look forward to taking any questions you may have. Thank you.

Thanks, Ms. Newhouse. History with TSA, aviation subcommittee and ranking, it was under our jurisdiction and we had the Homeland Security Committee and we stood it up in pretty short order. I can say it's still a work in progress, but it's so far ahead of where we were pre-9/11 and I'd love to go into that at some point. Anyway, not the subject of this hearing. Rear Admiral John

Good morning, Ranking Member Graves and distinguished members of the committee. I'm honored to be here this morning to discuss cybersecurity in the maritime transportation system, a top priority for the Coast Guard. Our national security and economic prosperity are inextricably linked to a safe marine transportation system, or MTS. The MTS is an integrated network of 361 ports and 25,000 miles of waterways. Marine transportation supports 1/4 of U.S. GDP and provides employment for one in seven working age Americans. The MTS enables armed forces to project power around the globe, and any substantial disruption to marine transportation can cause cascading effects to economy and national security. Cyber attacks are a significant threat to maritime infrastructure, and while we must work to prevent attacks, we must be clear attacks will occur and ensure the MTS is resilient. Protecting critical infrastructure and sharing resiliency is a shared responsibility.
Thank you for holding both sessions to allow industry and government to describe their efforts. The Coast Guard is the nation's lead federal agency for protecting the MTS. In August, commandant released a cybersecurity outlook for our work ahead. The cyber security is an operational imperative both for our service and the maritime industry. With support from Congress, we established Coast Guard Cyber Command and built an operational force to execute missions and protect Coast Guard and DOD networks. Cyber forces are manned, trained and equipped with joint DOD standards but have a broad range of authorities to address complex issues spanning national defense and homeland security, including protecting the MTS. The Coast Guard's approach to protecting MTS proves our framework. To prevent incidents, we leverage our authorities and the nation's ports to standards and compliance. We refer to this as cyber risk management and require accountability, assessments, mitigations, exercises and incident reporting. To prepare for and respond to cyber incidents, Coast Guard sectors are leading field level exercises with committee and established unified commands with FCI and CISA for response to cyber attacks in the ports. Cyber attacks will increasingly have physical impacts beyond computer networks. By incorporating cybersecurity into our response framework, we provide a comprehensive all-hazards approach to this threat, but we cannot do this alone. As the co-sector risk management, we look to CISA and TSA as key partners. MTS is dependent on other infrastructure. CISA shares vulnerability information and technical assistance. These build coherence within the interagency, foster collaboration with the private sector and ability to protect MTS. Our efforts with CISA and TSA are strong and will continue to mature.
Cybersecurity is a shared responsibility with the private sector as well. Collaboration with the industry is paramount and focused on information sharing and good governance. We set up a branch within Coast Guard Cyber Command as a focal point for threat monitoring, information share and get threat coordination. At the local level, continue to strengthen negotiations for engagement at maritime committees. Risk-based regulations which leverage international standards are key for good governance. We established the National Maritime Advisory Committee to facilitate consultation with industry on standard development. We worked with the International Maritime Organization, or IMO, to address risks posed by foreign vessels. We are committed to a transparent approach as we balance the urgency of cyber threats with informed rulemaking. The cyber threat is dynamic. As we continually evolve to address emergent needs, we will need Congress's continued support. We are grateful for the fiscal year 2021 appropriations. Investments provide additional capability for our service and provide a key role in protecting the MTS. The establishment of 22 MTS cyber advisers in the field are key nodes for coordination and collaboration at our field units. We look forward to the continued dialogue with Congress on this important issue and I appreciate the opportunity to testify and look forward to your questions.

Thank you, Admiral. Mr. Kevin Dorsy.

Good morning. Chairman DeFazio, Ranking Member Graves and distinguished members of the committee, thank you for inviting me to testify on securing our nation's infrastructure and evolving cybersecurity landscape. The transportation relies on over 400 IT systems to ensure safety and efficiency of our nation's transportation system. As you know, malicious cyber attacks and other compromise to the systems and networks may put public safety, sensitive information or taxpayer dollars at risk.
Our office has long identified cyber security as one of the department's top management challenges. Today, I will focus on three key areas: one, developing a comprehensive DOT-wide cyber security strategy to address recurring weaknesses; two, protecting IT infrastructure and sensitive information within the operations; and three, coordinating with other agencies and industry partners. First, on a whole, DOT has established formal policies and procedures for cybersecurity program that aligns with federal guidelines. However, it still faces challenges implementing this program in a consistent or comprehensive manner. As a result, DOT faces the risk that mission critical systems could be compromised. Longstanding deficiencies due to DOT's inconsistent enforcement of enterprise-wide informational security program, ineffective communication with its operating administrations, and inadequate efforts to remediate recurring weaknesses. Many of these weaknesses can be attributed to DOT's lack of progress in addressing 66 of our prior audit recommendations, including those to resolve more than 10,000 identified vulnerabilities. Leadership challenges also limit DOT's oversight. For example, the individual serving as the acting chief information security officer over the last year was not tasked with information security as an official primary duty. That has made it difficult for DOT to implement long-term changes. Second, DOT must better protect the IT infrastructure by its operating administrations. For example, to increase cyber security, FAA must finish selecting and implementing more stringent security controls for 45 high impact systems that are critical for safely managing air traffic. In addition, unresolved security control deficiencies with FTA's financial management systems could impede ability to disburse billions of grant dollars. Furthermore, joint vulnerability assessments and penetration testing of all the IT
infrastructure and multiple operating administrations, we were able to gain unauthorized access to millions of sensitive records, including personally identifiable information. Finally, DOT is one of the lead organizations dedicated to protecting transportation infrastructure. As such, it must effectively partner with other federal agencies and the private sector on efforts such as securing cloud-based services and meeting the President's recently issued executive order on improving cybersecurity. To that end, FAA is working with DHS and DOD along the Aviation Cyber Initiatives. Still, as the U.S. upgrades its transportation infrastructure, DOT must continue to strengthen and secure its IT systems and networks while working to improve its efforts to respond to increasingly sophisticated malicious cyber campaigns. We remain committed to supporting DOT's efforts as it works to remediate existing vulnerability and bolster overall cybersecurity posture. We will continue to update you on our work and these related matters. This concludes my prepared statement. I would be happy to address any questions from you or members of the committee at this time.

Thank you, Mr. Dorsy. Now, finally, this is ridiculous, Mr. Nick Marinos.

Thank you, Chairman, Ranking Member Graves and members of the committee, for inviting GAO to contribute to this discussion about critical infrastructure security. As you know, our nation's infrastructure increasingly relies on IT systems and the protection is critical to public confidence, safety and security.
GAO has long emphasized the need for the federal government to improve its ability to protect against cyber threats to our nation's infrastructure, in fact designated cyber security as a high risk area since 1997, emphasizing the need for the government to meet cyber security challenges through 10 critical actions. I'll focus on two of them. First is the need to execute a comprehensive cybersecurity strategy and second is to strengthen the role in protecting critical infrastructure from cyber threats. Over the last several decades, the federal government has struggled in establishing a national strategy to guide how we engage domestically and internationally on cyber related issues. Last year we reported it needed improvements and it was unclear which official was responsible for the strategy. We recommend updating the document and Congress consider passing legislation to designate a position in the White House to lead such an effort. In January, we saw Congress pass a law that established the Office of the National Cyber Director within the Executive Office of the President, and in June, the Senate declared a director to lead the office. While this is important, until we see the executive branch develop a comprehensive strategy, we have an unclear road map for handling cyber threats facing the nation. Also, working with the private sector to protect our nation's critical infrastructure from cyber attacks. Since 2010, made over 80 recommendations at strengthening the role in critical infrastructure, by enhancing capabilities and services of Cyber Security Infrastructure Agency, known as CISA, and ensuring federal agencies with sector-specific responsibilities are partnering with the effective guidance and support they need. These include important directive actions within the transportation sector too, such as prsk FAA's commercial oversight and surt and TSA's oversight of critical pipeline and passenger rail systems.
Secondly, I would like to highlight the urgency for federal agencies coming out of the GAO and Inspector General. Since 2010, GAO made several thousand recommendations on cyber-related topics. Many extend far beyond critical infrastructure but they represent work that is needed to elevate the entire federal government in its ability to tackle today's cyber problems and to anticipate those we'll face in the future. For example, deal with important workforce issues such as recommendation to Department of Transportation that it assess its skill gaps in order to better oversee automated technologies like those that control planes, trains or vehicles without human intervention. They also call for improvements to federal agencies' own protections, such as through our recommendations to DHS that it work for agencies including FAA to better implement cyber security tools that check for vulnerabilities. Although they deserve credit for implementing recommendations, over 900 still remain. Still a lot of work to do, and we think agencies need to move with a greater sense of urgency to improve cybersecurity protections. In summary, in order for our nation to overcome the ever mounting and increasing array of challenges, our federal government needs to do a better job of implementing strategy among agencies and the operators on the front lines of this digital battle. This concludes my remarks and I look forward to answering any questions you may have. Thank you.

Thank you for your testimony. I will try and squeak out a couple of questions here. Mr. Grossman, what are, briefly, let's say the top three cyber security challenges at the FAA and what are you doing to quickly implement measures to mitigate this?

Thank you for your question, Chairman DeFazio. FAA operates, you know, large, complex infrastructure of interconnected networks and services. We have many service providers, includes satellite-based communications, you know, automated communications between aircraft, et cetera.
This crossed system has become very, very complex. You know, most of our challenges, really, are around the purpose-built, you know, legacy systems in operation today. These systems are operated 24/7, 365. They require extensive testing and operate custom-built software. Really, they don't allow remote patching capabilities so, you know, keeping up with the cyber hygiene component is a fairly large challenge from, and, you know, an FAA air traffic control perspective. We protect that system, though, through compensating controls, meaning that, you know, that network, while it's very difficult to patch and update, it is very difficult to get, to attach to as well. It's not, it doesn't have internet access. There are very mature access control lists. In other words, you know, system A can only speak to system B, you know, over very specific ports with very specific protocols and everything else is not addressed. You know, it, additionally, you know, we

One more. Mr. Dorsy, you were pretty critical, I thought, to, do you agree with Mr. Grossman's assessment? The challenges and why they're

I think the top three challenges are secure partnership at the informational security partnership level to provide the needed leadership, oversight and accountability necessary for agency-wide improvements to address ongoing informational security weaknesses. Two, I think, to develop a comprehensive DOT-wide cyber security strategy to address recurring weaknesses, and three, need to better protect and secure IT infrastructure and systems information from potential compromises. So the three key areas I believe the department needs to focus on to address the weaknesses that we have identified over the last ten years.

So Mr. Grossman, are those things in progress?

Well, you know, I am the chief information security officer for the FAA so there is leadership within FAA. And, you know, we are working with the OIG to close, you know, these audit recommendations.
We believe that we have protections in place while many of the compliance-type audits have, you know, a lot of findings, the actual vulnerabilities are, you know, in our opinion, most of them are mitigated through compensating controls. Okay. My time when im speaking of chief Information Officer, chief Information Security officer, speaking about at the Department Level, theyre responsibility for providing oversight at all the oa, including faa. So youre saying d. O. T. , other agencies no permanent chief Security Agency at the department this time, serving as acting chief Security Officer. Okay, thank you, i yield now to Ranking Member graves because he can ask questions better with a voice than i can. Thank you. Thank you mr. Chairman. As a committee, we continue to hear conflicting reports from tsa and pipeline industry stakeholders regarding the process and engagement through the issue of two tsa security directives. Furthermore, myself and Ranking Member graves, as well as Ranking Member portman sent letters to dhs, oig to review the process, which insisted a draft of the directives which i ask now to be entered into the record, mr. Chairman. No objection. Thank you, mr. Chairman, i would like, to ms. Newhouse, how would tsa evaluate implementation of the pipeline security directives . Thank you for your question, Ranking Member graves. We continue extensive, extensive engagement. I think thats the hallmark of what we are doing, in order to ensure continuous improvement. We actually developed and implemented an entire Field Service operational structure to do this so we have boots on the ground and what weve been finding thus far, as you mentioned, we issued two security directives this summer, post Colonial Pipeline, were proud to announce on behalf of us and our stakeholders that all stakeholders subject to that directive have met all the requirements in the very First Security directive. 
Very tight guidelines, communicated beautifully with us, very vocal, and frankly, very direct with us when they met challenges. Let me ask you about those challenges if i could. What challenges have you identified during implementation . I think the biggest one and weve taken this to heart is the definition of a reportable Cyber Security incident. And we have taken steps and a great deal of feedback to modify that definition, to not include all potential incidents. We have narrowed that, focused that based on industry feedback. Excellent, recently, natural gas pipeline trade associations jointly requested tsa conduct in advance rule making to make information vital to replace the expiring security directives, asking unanimous consent for this to be entered into record, mr. Chairman. No objection. Thank you, sir, i hate to keep bothering you with that, i know your throat is killing you. As i stated, tsa can leverage the anprm formal process to promote a greater understanding of what are reasonable, applicable and audible sustainable regulations. Will tsa issue an anprm to gather this information . Thank you for your question, Ranking Member, were considering all options including the most transparent, an advanced notice of proposed rule making is one tool we have exercised in the past successfully, and as we have continued robust engagement both at the classified and unclassified level, with all of our purpose transportation stakeholders, in particular, our pipeline, rail, freight rail, Passenger Rail, and aviation stakeholders, were considering all of those options so yes, sir, that is on the table. As you know, we are anticipating release of new security directive for rail. 
It should be as early as this afternoon if i understand correctly, and fortunately, weve heard concerns about the development of these directives from stakeholders including the freight Rail Industry on previous hearing on Cyber Security hearing and on a november fourth letter, i ask for that to be entered into the record, one more time mr. Chairman. No objection. Ms. Newhouse, how much, how is incorporating feedback into these directives . Thank you, Ranking Member. We have continued robust engagement and frankly, we have been working extremely closely with the United States Intelligence Community, our partners at cisa, particularly department of Homeland Security, d. O. T. , energy and across the interagency to provide that background information, that threat information that is driving all of these requirements. As recently as this week, i along with several of my top leaderships here at tsa have met with freight rail and Passenger Rail executives with a classified briefing in our facilities to show them what were seeing, elicit input, and ask them for more input for either future requirements or other guidelines that we could issue together via us just telling them this is what they need to do. We have been having some successful engagements. As a matter of fact, today the number of pipeline individuals and other security personnel are receiving briefings as we speak, and we do have an apparatus around the United States to support those briefings, thanks to our Law Enforcement and Intelligence Community partners. Will you consider utilizing the federal rule making process for any future cyber making requirements . I think his time has expired. Absolutely. Ranking member, all of those options are on the table. Thank you, yield back. Thank you, gentleman. Representative norton is now recognized. Thank you very much, mr. Chairman. I hope everyone can hear me. My first question is for mr. Schachter, ms. 
Newhouse of tsa, im interested in information sharing among several partners. You each oversee Critical Infrastructure entities with some oversight, overlap, im sorry. Especially regarding aviation, and surface transportation, which i am particularly interested in because i sit on the subcommittee on aviation and serve as chair of the subcommittee on highways and transit. Can you explain to us in some detail how you collaborate to oversee the same sectors and Critical Infrastructure entities . Ms. Schachter, mr. Grossman, ms. Newhouse . Am i on mute . Thank you very much for that question, congresswoman. Information sharing is vital to securing the nations Critical Infrastructure and the infrastructure that d. O. T. Is responsible for. We collaborate extensively within d. O. T. We collaborate with the faa, and also with our federal partners in particular tsa, cisa, and even with omb which houses the federal chief Information Security officer. Chris DeRusha, the federal chief Security Officer was one of the First Federal officials that i met, virtually, of course, after joining the d. O. T. In late august. I have had subsequent sessions with Jen Easterly as well as Chris Inglis, the cisa director and National Cyber director, and we intend to keep up an open channel of communication as well as following up on various directives and formal information sharing that dhs has required. Thank you. Mr. Marinos, mr. Dorsey, can you highlight Cyber Security issues that give you the most concern and also explain why you feel the government has failed to fully address them. Yes, congresswoman, i can jump in first, and perhaps ken can go after. I think the bottom line is that we are constantly operating behind the eight ball. The reality is that it just takes, you know, one successful cyber attack to take down an organization, and each federal agencies as well as owners and operators of Critical Infrastructure have to protect themselves against countless numbers of attacks. 
In order to do that, we need our federal government to be operating in the most strategic way possible, so as i mentioned in my oral statement, the importance of having a National Strategy isnt just to have something on paper but to actually execute that strategy, and that also carries forward to those agencies like the department of transportation, tsa and others who have sector specific responsibilities to do the same. We have seen consistently in our work that agencies have had challenges in maintaining very up-to-date sector plans that actually would talk about the Cyber Threats that agencies are facing and the infrastructure is facing today. We think its very important for sector specific agencies to work with their Industry Partners to make sure theyre operating off the same song sheet, if you will. Thank you very much. Thank you, mr. Chairman, i yield back. Thank the gentle lady for yielding back. Im now going to yield the chair to andre carson who as we all know has a loud and booming voice and youll be able to understand him. So thank you. Thank you, chair, i hope you feel better. We appreciate you. Mr. Gibbs. Thank you, chair. Had hearing is titled evolving Cyber Security landscape, federal structures on securing the nations infrastructure. I was surprised we didnt bring in a witness from the Cyber Security and Infrastructure Agency, cisa, might be a good idea for the future, and we had testimony in the past, and we know that the coast guard is trying to upgrade their own i. T. Systems and the significant challenges you face in doing that. Can you provide us an update on how the coast guard is working to improve in this area, improve your i. T. Systems that you have been mandated by congress to do . 
Congressman gibbs, our approach to protecting the maritime Transportation System relies on us having our own ability to defend and operate our networks and so as part of the strategy for our work ahead, he has put defend and operate the networks, protect maritime Critical Infrastructure and enable coast guard operations for those three pillars how we move forward to accomplish all of our missions. With regard to defending and operating our networks through investments in the c. A. R. E. S act, with over 65 million in funding, we have been able to make significant investments to modernize our infrastructure and push more information out to our mobile users out in the field, and our cutters underway. But all of this is premised, our security is premised on it being an operational imperative, and so the key thing thats really driven us forward is the establishment of coast guard Cyber Command as an Operational Command under the purview of a two-star commander that oversees our Daily Mission execution in the i. T. Space, and then the coordination with our cio who is driving those investment and modernization projects forward. Thank you. Also, admiral, can you kind of expand a little bit on the activities, the resources youre making available to work with our facilities at the port level on their i. T. Infrastructure, Cyber Security. Congressman, at the port level, were really focused on working across the prevention and response framework to ensure that we have the ability to defend and then also respond resiliently from attacks. This is a shared responsibility between the private sector and the federal agencies involved. And so were doing a number of different things. First of all, we put in standards in place that require them to conduct assessments, have an accountable person, develop a plan, mitigate that plan, exercise it and report incidents. All of those pieces are really important. 
Through those assessments, we then have the opportunity to drive investments through the Port Security Grant Program to update Security Posture in the ports. And so last year, 17 million was allocated from the Port Security Grant Program for Cyber Security. These are some of the areas where things that are being done to increase the capability of the commercial infrastructure while also maintaining our operational ability. Also admiral, assistant commandant, youre responsible for the coast guards Maritime Safety Security Programs, what do you say, which side is winning, the increased Cyber Threats or increased digital based safety operational enhancements, how are we doing in this fight . Whos winning it . Congressman, its not an either or proposition for this. Its really an all of the above. And so as the assistant commandant for prevention policy, we make sure that we bring together the best of our ability to secure private industry, but then be able to respond as well. And so leveraging our prevention and response framework, weve made sure that weve taken a multilayered approach to engage with the industry, sharing information with them at the local level through the area Maritime Security committees, and conducting compliance activities, and then at the national level, engaging across the interagency with our national Maritime Security Advisory Committee, with the mts-isac, and with other interagency Partners to make sure that were tied together, and providing a comprehensive network and comprehensive approach to this problem. Thank you, and im just about out of time. I just want to mention that i know youre not a Cyber Security expert yourself, and so hopefully youre aware of that fact and coordinating with your Cyber Security people also in the private sector. I yield back. Thank you for your service. Mr. Larsen. Thank you, mr. Chair. Mr. 
Dorsey has the gao investigated the progress of the federal agencies or the private sector in implementing the guidance or requirements laid out in the may executive order from the president to modernize and strengthen the defense of federal Technology Systems. Thank you for that question, congressman. However, you asked whether or not the gao investigated . I think that question should be directed towards the gao representative if im not mistaken. Im sorry. The gao representative can answer that. Yes, congressman, happy to. We have looked at aspects of the executive order. We actually have work underway right now specifically looking at the progress thats been made by the administration and actually overseeing whether the many requirements that its placed on agencies have actually been adhered to, so there are aspects within it that our work has touched on, including Cloud Computing and supply chain more recently. We have work underway looking squarely at the executive order. And do you have the time line laid out for the report already . Were expecting to be able to periodically report on the status of implementing the executive order throughout the upcoming calendar year, so were looking to provide information out sort of in a real-time basis, looking to provide something closer to the early spring. Early spring. Thank you. And mr. Dorsey, then, back to you. At what point would the d. O. T. Ig get involved . Thank you for your question, congressman. We have actually already initiated a review of the d. O. T. Efforts to implement cloud-based services with respect to the request or issues that were identified in the presidential executive order for directing federal agencies to ensure they secure their Cloud Based Services as they migrate forward. Were also planning to look at the departments efforts to implement or migrate toward a zero trust architecture. 
I have also been in contact with the departments chief Information Officer, and he has informed me that the department is working towards addressing the current initiatives and i plan to work with him over the next year or two to ensure that the department is doing what they say theyre planning to do, as well as report back to the administration as necessary, thank you. Thank you. Mr. Grossman, u. S. Aviation sector is very complex. Im sure that you are considering that complexity as you consider making the system less vulnerable to Cyber Attacks. The testimony from the gao in the first part of the hearing a few weeks ago stated that less than half of the respondents to a global study investigating Cyber Security trends within the air transport industry identified Cyber Security as a top organizational risk. Have you considered how congress can incentivize the private sector to address Cyber Security issues. How congress can . Incentivize the private sector to address the Cyber Security issues that continue to exist in the air transport industry. We have reached out to industry through the Aviation Cyber Initiative extensively. We have built a community of interest of over a thousand members thats across, you know, all of the components of the aviation ecosystem, and were using the bully pulpit to, you know, and it seems to be, you know, from an aviation perspective, we seem to be gaining a lot of traction. Can i follow up on that with a particular issue, and i dont know if youre handling this at the faa. Chair defazio and i recently have expressed safety concerns to the federal Communications Commission on the telecom industrys plan to utilize c band for 5g broad band service and the potential interference with aircraft. Can you update us on what the status of that is, and as well are will other technologies coming online that we need to be concerned about . Congressman, thank you for that question. 
Im not personally involved with the 5g effort but i am aware that the Telecommunications Companies have voluntarily agreed to a one month deployment delay to 5g bands to allow further safety analysis. We believe that aviation and Wireless Services can safely coexist, and the fcc and faa are using this time together to Exchange Information to come up with a path forward. Yeah, and i guess implied in our letter is that whatever solution you all think you come up with, wed be very interested in that solution to make some determinations about our own thoughts on it. Absolutely. Thank you very much. Thank you, mr. Chair. Thank you. Mr. Perry. Thank you very much, mr. Chairman. Mr. Schachter and marinos, during last months hearing on Cyber Security threats had an interesting back and forth regarding the increased Cyber Security threats associated with the transition to electric buses and the fact that it brings with it a whole new level of cyber exposure and other Security Risks not previously anticipated. Mr. Belcher agreed that these increased risks include the ability to degrade batteries remotely, cause fires, manually take over controls of the vehicle, et cetera, and went on to say, we would be safer if we were still running diesel buses. Im a fan of both diesel and well, all of them. Just got to be ready to implement the processes to make sure that were safe. While we were discussing these issues in the context of electric buses purchased by transit agencies with fta funding, these concerns are much more widespread than just buses. In fact, the same concerns apply to our electric vehicles, owned either by the government or by private citizens and the associated charging infrastructure. 
I wonder if either of you can expand on the significant increase in Cyber Security risks and threats we should expect as the result of the reckless pursuit of an electrified vehicle fleet by the majority, this administration and unfortunately some socialist voting members of my own party. Can you expand upon what we can expect . Well, thank you for that question. I think were conflating two separate and very important issues. One is the fuel that any vehicle uses, whether its electric power, diesel power, inherently theyre not more or less at risk from a cyber perspective. What were really talking about here and the cyber issue is the electronic control system thats on board with not only electric buses but if you were to buy a new diesel bus or gasoline bus or gasoline car, those vehicles all have some sort of electronic control system there, Communication System which is potentially vulnerable, and the correct steps, just like in protecting government i. T. Systems, the correct steps need to be taken to protect the i. T. System in that vehicle. And when were talking about fossil fuel powered vehicles or electric vehicles, you know, where obviously the administration has identified addressing Climate Change as a top priority, and if we take the conversation to the subject of this hearing, which is Cyber Security, there are means and mechanisms of protecting those vehicles, Intelligent Systems on board, and we need to do that. And theres several organizations within d. O. T. At work on that right now. Mr. Marinos. 
Yes, congressman, you know, weve looked at issues with respect to modern vehicle Cyber Security over the last several years, and indeed, whether the fuel is gas or electric, the reality is were seeing an increase in the number of interfaces, chips being placed and the systems that those chips are powering, in fact, thats what were seeing as one of the challenges in terms of supply chains having chips to be able to manufacture new cars regardless of the fuel. The reality is if those interfaces are not properly secured, they can be through direct physical access and remotely as well. The need for our work force to be able to be in the best position to oversee these types of Automated Technologies, and as we reported back earlier this year, we think that the department of Transportation Needs to take a closer look at its work force to make sure as vehicles become more and more autonomous that they have the appropriate folks in place to oversee that type of technology. Given d. O. T. s lackluster Cyber Security posture at this moment, do you think theyre prepared to deal with a massive increase and risk, i would characterize, i know all of them have electronic interfaces, chips and so on and so forth, not all of them have the ability to set the battery on fire, if theyre not battery powered, if the battery is in there to start the vehicle. Would you say that they are prepared to deal with the increase in risk . I think that the department and i dont want to speak on its behalf but in response to our recent work, i think would also recognize that it had more to do in terms of being able to fill the skill gaps that theyre going to need to fill to be in the best position to oversee this emerging technology. Mr. Schachter . I would say d. O. T. s Security Posture is on par or even better than other organizations that have observed. All of us, the government as a whole, as well as individual agencies will have a continual challenge to meet Cyber Security requirements. 
As was said earlier in the hearing, we receive thousands of Cyber Security attacks every day, and only one has to slip through. So normal batting averages here dont apply. We have to be perfect to protect our systems, agencies, and the government people. Its an immense challenge with limited resources. We all know that. I think d. O. T. s posture is forward. Its attempts to include some of the very latest technologies, we are already on the road to many of the items that are contained in President Bidens executive order, on Cyber Security, before that executive order was issued. The audit that was referred to a little while ago by mr. Dorsey regarding cloud services, theyre seen as a best practice as opposed to desktop applications because they can be better protected from a common perimeter, and d. O. T. Had previously organized itself into using a common operating environment, unifying all of the operating modes with the exception of faa, into a single system, thereby providing one surface to protect from attacks. Thats a best practice. We were there prior to the the gentlemans time has expired. Thank you, mr. Chairman i yield back. Thank you, mr. Chairman. Mr. Marinos, highlighting the testimony that in february of this year, the Cyber Security and infrastructure alert painting unauthorized access to a u. S. Water Treatment Facilities Industrial Control Systems and attempted to increase the amount of chemical that is used as part of the treatment process. My biggest concern is on security of our Water Systems including our Treatment Plants and waterways. Are we doing enough to address the Water Systems security, and what are your concerns in this area . Simply put, we arent, congresswoman. 
The threats to the Water Infrastructure is real, and it comes from many of the same challenges that other sectors like it suffer, which include a reliance on legacy systems, systems that are not only outdated but beyond even being supported by the vendors that created them. These include also work force issues, having appropriate staff within often small organizations that manage the facilities to respond, in the case of the february attack it was fortunate that there was according to reports an official that was actually monitoring and was able to see the efforts as it happened, so they were able to thwart it, and so i think the reality is that there needs to be more that is done. Were encouraged by the fact that Congress Passed a law last year to establish the expectations of sector specific agencies, known as sector Risk Management agencies, and the Environmental Protection agency is that for the water sector. We think that epa can do more to reach out to the sector, to better understand whether the guidance that it provides is adequate to be able to address many of the challenges i mentioned. Would you suggest they do training, Virtual Training of all water agencies, small and large . Yes, i think it is important for them to do that in concert with their sector partners. There is a good establishment of both government and sector specific representation that as im aware based on even the prior hearing that your Committee Held are working towards better training but the reality is that we need to continue to see that happen more rapidly because the Cyber Threats continue to evolve as well. That is every day security, they were having a thousand or more security threats a day, certainly we can train people what to look for initially without having to wait months for training. Thats very important point, congresswoman. Its about elevating the entire Cyber Security awareness of the nation. 
The reality is that until we do that, the bad guys are going to continue to exploit those that have the least knowledge and expertise in this area. So what are your biggest concerns in the area . Well, i think, first and foremost is making sure that the support that federal Government Agencies is providing is the right one, and that means doing more to assess what the actual risks are to the specific sectors and reflecting that in actual plans that they can execute . Would that be epas responsibility . It would be epa, and the department of Homeland Security within cisa. Were looking to see a National Infrastructure plan get updated. Hoping to see that in the next couple of years. Unfortunately sectors cant wait to do that themselves. We should promote some kind of movement to immediately start assisting agencies that have no way of knowing what to look for. Actually, congresswoman, you have done that in law, a law that tasked gao with evaluating how effective sector Risk Management agencies are in fulfilling their statutory, so well be reporting back in the future. Many agencies are too small. They dont have personnel either equipped or trained and they may not know the new law exists and would help in being able to identify. So we need to go down to the grass roots, to the smallest of the small. I would agree. I think not only better information about what the expectations or responsibilities are but also what offerings the federal government can provide, through cisa, epa and others to those operators that need the help is very important. Well, with the army corps treatment, oversight over the dams, i think they should be part of it, too. They are part of the sectors that have been identified, so responsibilities do Carry Forward to the agencies that have responsibilities for dams as well. Thank you very much for your concern and i look forward to talking to you later. Mr. Chairman, i yield back. Gentle lady yields back. Mr. Davis. Ms. 
Newhouse, we understand the tsa will release security directives for Passenger Rail, freight rail and transit operators. Unfortunately we have heard concerns about the development of these directives from stakeholders, not the tsa. Including from the freight Rail Industry and that was at our previous hearing on Cyber Security and in a november 4th letter from the American Public transportation association. Which mr. Chair i ask unanimous consent to insert into the record . Without objection. Thank you. Ms. Newhouse, its good to see you again. Cant wait to see you all in person. Unfortunately the tsa failed to provide this committee with advanced notice of this despite that you were coming here the same week to discuss these same Cyber Security issues. Committee staff even asked and were essentially told to wait for official congressional notification despite what we knew of other committees receiving advanced notice. After back and forth by staff im told we received an embargoed copy at 9:25 a. M. This morning, which really doesnt give our team or us any time to meaningfully review and actually figure out what important questions we might have for you today to ask you about it. Further, the letters attached indicate the directives were issued yesterday, december 1st. I want you to take a message back, ms. Newhouse that this committee because we obviously have jurisdiction over the issues were talking about today, otherwise you wouldnt be here, we expect to be notified of actions your agency is going to take, just like other committees get that notification. If anything youre doing is going to affect the modes of transportation and the safety of those modes of transportation in the areas that we have jurisdiction over, we expect to be notified here and were one of the largest committees in congress. 
Can you please make sure you send that message back to your colleagues and take that message back to tsa, too, because were pretty frustrated and frankly, these are issues that i think we all ought to Work Together on, and instead of having a minimal amount of time to be able to address them. Thank you, great to see you. Hope to talk to you again in the future, and i look forward to our next meeting. Mr. Marinos, its my understanding that the gao is in the process of completing its annual report on Cyber Security and surveillance threats to congress. In undertaking this assessment, how has gao pursued access to house and senate Cyber Security data and how does the gao plan to ensure that information about congresss cyber posture remains secure . First congressman, i want to say we appreciate congress tasking us with this important review and take the responsibility of performing it very seriously. In terms of how were protecting the information, we recognize that the information we have been asked to review is very sensitive. We have a long successful track record of handling and protecting Sensitive Information that we receive from Government Agencies and from industry, and will apply the most rigorous protections that we can to the information that we receive. As you can imagine access to house data is something we all, republicans, democrats guard very closely. We recognize gaos expertise in the area and hope congressional entities are cooperating so that we achieve the desired aim of the annual report. Thank you again. Another question, mr. Marinos, we have seen attacks on our Critical Infrastructure, including the one earlier this year on the Colonial Pipeline as mentioned in early testimony. Monitoring is critical to thwart future attacks. However, monitoring is not the end of what our efforts should be, and we should have a layered approach to Cyber Security. Especially when protecting vital assets. Can you tell us, and this may be a question for d. O. T. 
Also, whats the department of transportation doing to fortify critical assets in the field, such as air Traffic Control towers, pipelines and railroads carrying Hazardous Materials or passengers and so that they can operate effectively when malicious actors have compromised the integrity of the network. Lets go to you, mr. Schachter, can you answer that with the time i have left. Sure. Thank you very much for the question. D. O. T. In each of the areas that you mentioned is working with our private sector partners to improve their Cyber Security practices, and as stated before our cooperation through tsa to those private sector partners, we act as co-sector Risk Management officials in those areas, so we need the participation from all of those parties to become more cyber secure. We continue to offer to work with you on these endeavors and i apologize for mispronouncing your name early, i thank you all for being here today, and i yield back the balance of my time. Gentleman yields back. Mr. Johnson. Thank you, mr. Chairman. And thank you to the witnesses for your time and your testimony today. During part one of this hearing, we learned how our Critical Infrastructure remains vulnerable to Cyber Attacks and in october of 2021, the d. O. T. s oig released a report on the federal transit administrations Cyber Security weaknesses which found that weaknesses in ftas Financial Management systems could affect its ability to disburse covid-19 funds. In atlanta, the metropolitan Atlanta Rapid Transit Authority has been anticipating 284 million in emergency funding, which is critical to the mobility of our residents, especially communities of color and essential workers who disproportionately depend on transit to get to work and school. My constituents cant afford a delay in funding because of a Cyber Security incident. 
The oig report notes that the fta has failed to fix weaknesses that have been known since 2016, a total of five years, while the delay is not unique to fta, it puts us all at risk. Mr. Dorsey, why has fta moved so slowly to implement Security Control fixes? Thank you for your question, congressman. Weve worked with the department for a number of years regarding the various Cyber Security weaknesses that weve identified throughout reviews of the various what we call system level reviews, and with respect to fta, what the department had informed us was the fact that they had accepted the risk for a number of reasons, regarding why they had these long standing weaknesses. One of the reasons was primarily they had to get the proper guidance at the Department Level with respect to addressing some of the weaknesses. Another reason was the fact that they had stated that they were concerned about decommissioning their systems or upgrading their systems for the fear that the systems had to be operational 24/7. With those issues in mind, we decided to report out all of those particular weaknesses and what the fta decided to do after we had reported out, they indicated to us that they would take the immediate actions to address our concerns. However, regarding the issues regarding the vulnerabilities associated with the six years or so associated with outdated databases, the department indicated to be able to provide us with a response within by 2023. Let me ask you, is there Anything Congress needs to do to ensure that fta maintain better control over their Cyber Security? 
I believe that the congress what congress can do is work with the department and maybe provide a spread initiative, if you will, that requires them to make sure they prioritize the implementation of what we consider to be some of the most significant Cyber Security weaknesses that weve identified over the years and make sure that they follow up with congress, and report on their attempts and efforts to address those weaknesses. Thank you. Mr. Schachter, as the chief Information Officer at d. O. T. , you lead on i. T. And Cyber Security issues. How can you ensure that d. O. T. s component agencies such as fta and faa have the resources, capabilities and leadership to correct Cyber Security deficiencies so that cities like atlanta are not detrimentally impacted. Well, thank you very much for that question. And as i specified in my testimony, Cyber Security is our number one priority. And i highlighted three areas that were prioritizing within that to take immediate action. The first is Access Control. The second is web site security. And the third is governance and coordination across d. O. T. All of those issues are impacted, involved in, situations that you mentioned and mr. Dorsey has mentioned. Weve created cyber sprints that i also referenced in my testimony as a way to expedite improved performance in all of these areas. And i believe well be able to report back to you later this year that we have made significant improvements. Thank you, my time is up, and i yield back. Gentleman yields back. Mr. Babin. Thank you, mr. Chairman. As i said the other week when we had witnesses from the private sector here, im so glad were having this hearing and prioritizing this very important topic, for this committee to weigh in on the issue of Cyber Security and the transportation of Critical Infrastructure space, its a great responsibility and one we should all take very very seriously. Its also a very timely topic. 
Right before we went home for thanksgiving, the director of cisa told the house Homeland Security committee that quote ransomware has become the scourge on nearly every facet of our lives. A prime example of the vulnerabilities that are emerging as our digital and physical infrastructure increasingly converge. She went on to say that quote, the american way of life faces serious risks. Shes right. Internet attacks are a full-fledged standard feature of our modern day life. Hardly a day passes without a media story breaking about a cyber attack or a threat. These are costly, potentially life threatening. All of us saw what happened with the Colonial Pipeline breach and how the attack led to gas shortages and interrupted supply chains. Theres certainly a legitimate appropriate role for us and the federal government to play in protecting the american people, and our companies and businesses against theft, espionage, and Cyber Attacks. No question that each of you testifying here today are fighting for our National Security. However, as you all know, cyber intrusions are very hard to track. Weve got to be extraordinarily careful as lawmakers and rule makers that we dont meddle in something we dont properly understand and unintentionally create more bloated regulation or stifle innovation with overly burdensome requirements that dont truly secure our infrastructure. Any policy that we push forward has got to be aggressive, but consistent with our nations founding principles. Meanwhile, we provide for the common defense, while at the same time protecting Civil Liberties and free economic markets. Former director of National Intelligence and my former texas colleague and classmate, John Ratcliffe said that we need to attribute these attacks and either overtly or covertly retaliate against those responsible thereby creating a deterrent for the future. 
If our long-term strategy to cyber criminals is just to simply pay the ransoms and hope for the best with cyber insurance, we will certainly lose to our foes in this new battle front. My question for you all is this, and ill open this to anyone who would like to answer time permitting. What are some common sense steps we as lawmakers can take to help you, our partners in the executive branch better protect our infrastructure and to encourage better reporting of Cyber Threats without infringing on peoples Civil Liberties and the free market. Ill open that up. Go ahead, i yield to my colleague at d. O. T. Okay. Then, admiral you can come on second. Thank you. Thank you, congressman. Thank you, admiral, ill try to be brief. I think youre, one, summary of your statement, congressman is that Cyber Security is everyones responsibility, Public Sector, and private sector, and were all going to either succeed or fail at this together, and i think from a congressional standpoint its understanding that new systems or improvements to existing systems need to be secure by design, and created with Cyber Security in mind at step one. That would help us achieve our objectives. Thank you. Thank you. Admiral. Congressman, thank you. I support the comments made by mr. Schachter there at d. O. T. What i would offer as well, though is that we have to treat Cyber Security as an operational imperative, and it has to be part of the overall Risk Management approach, within both the private sector and the federal government, and so i think that in order to achieve that, you have to have an accountable person. They have to be able to do an assessment and understand the risk. They have to be empowered to manage those risks, and then it also comes back to exercising and reporting. 
Where it comes to reporting, right now, we have to change the paradigm from what is the minimum i need to disclose to how can i help protect others because as weve heard through testimony already, these incidents cut across so many different infrastructures and reporting really helps us to make us all stronger, congressman. Absolutely. Thank you so very much, and i hope that we will remember retaliation can curtail some of this. I will yield back, mr. Chairman. Gentleman yields back. At this time, i will yield to myself. Mr. Grossman, the aviation sector is composed of aircraft, airlines, airports and aviation operators such as air Traffic Control personnel and ground crew. As you know, its a mix of private Sector Companies and public agencies, including the faa. However, a cyber attack on one portion of the sector can have cascading effects on the entire system with devastating impacts to the public. Can you describe from a Cyber Security perspective how the faa assists and supports the aviation sector? Absolutely. Thank you for that question, congressman. You know, the faa engages with industry on several fronts. We are a regulator and a collaborator, so from a collaboration perspective, we engage with much of the Aviation Community through efforts like the aviation isac, which were close partners with, the aviation sector coordinating council, manufacturers associations, and of course through our primary engagement, the Aviation Cyber Initiative. You know, in these engagements, we share best practices and standards, guidance, and we promote information sharing. As a regulator, we work directly with manufacturers and standards to ensure that these two are kind of married up. Folks are using industry standards, and you know, are Building Products that are appropriate. So in defending the aviation sector from various cyber crimes, do you believe it is important to coordinate and even cooperate with the private sector to assist them? Well, i think, you know, as mr. 
Schachter has mentioned earlier, Cyber Security is a team sport, you know, and were all in this together. Public and private sector Work Together, which is really why we formed the Cyber Initiative for, you know, for aviation itself across the entire ecosystem so that we can work more collaboratively with operators, manufacturers, other agencies, you know, private, Public Sectors Work Together to share information, and to try to improve the resiliency of the ecosystem. So this is for the entire panel. Where do you see the biggest Cyber Threats coming from, from specific actors, like the recent attacks on the local governmental entities with ransomware, from foreign entities, from non-state actors, are there significant threats from even some of our own weaknesses, our failure to update and strengthen our Cyber Infrastructure or poor cyber hygiene and failure to apply strict Cyber Security protocols, what are your insights? Congressman, i think you just listed them all. I think i dont know that any of us i dont want to speak for the rest of the panel would highlight one over the other. I mean, we were all aware of the recent compromise of SolarWinds that occurred last year, but there are other threats out there, and i think, you know, that one, that compromise is certainly still fresh in our minds. But, you know, i wouldnt choose that actor over other actors or other vulnerabilities, if youre asking me which is worse. I would like to just mention, and it has come up several times both from the witnesses and from the congressman as well. Its the interdependencies between the Critical Infrastructure that make this so challenging, so were talking about transportation and transportation not only relies on other sectors to operate effectively, but other sectors rely on it as well. We issued a report just last month on the communication sector, and the transportation sector was one of those sectors as one depended on. It could not operate without it. 
I think the challenge is while theres resiliency built in to physical attacks, the Cyber Attacks continue to show us that we need to do more to not only shore up specific sectors but the entire nations approach to Cyber Security as well, which is why we emphasized in our recent work the importance of having a National Cyber strategy so that it can be an all-in government effort to bring, elevate our Cyber Capabilities within the nation. Thank you. Thank you all. Mr. Graves of louisiana. Thank you, mr. Chairman. Appreciate witnesses testifying today, and appreciate the importance of this topic. We have offered a number of amendments trying to increase funds for different Cyber Security programs related to infrastructure and i think this is critically important. Ms. Woodward and perhaps admiral, your testimonies discuss information sharing between tsa and the coast guard that identified managed threats and the maritime Transportation System. How do you communicate the threats to the individual ports, and to help them, and how do you help to manage risk within the mts? Congressman, thanks for that question. So unity of effort within the coast guard is part of our dna, and so we take a multilevel approach to share information at the speed of cyber here with the industry. But this is a dynamic threat environment, and going forward, we need to use a combination of both existing tools and new tools, new methods to get after the information sharing. For this multilevel approach at the local level, we work through our area Maritime Security committees. Each have established cyber subcommittees that are responsible for that day-to-day sharing of information for conducting the exercises, for reviewing best practices and understanding how to move forward. Those same people, then, are integral to response efforts when they occur in the ports. At the national level, we work through a number of different means. 
Weve established a Maritime Cyber Readiness Branch that becomes a focal point for threat information, dissemination, Technical Assistance in the field. We have embedded folks in cisa, we meet regularly with the sector Risk Management agencies. We engage with the mts information sharing and Analysis Center and we look for every opportunity to continue to share information and communicate threats and understand the vulnerabilities out in this industry so we can protect the mts. Thank you, and tsa, anything to update there? Thank you, congressman, and to complement admirals information, i would like to say yes, the United States coast guard has primacy in our nations ports, however, tsa plays an Important Role to support the security of the maritime Transportation System. To that end, we have actually developed the tsa exercise Training Program which started, frankly, as a port step, Security Training exercise program. It started in the maritime sector in the mid-2000s. We have grown that training and exercise program across all modes of transportation. U. S. Coast guard is an important partner. We can actually exercise at both a national and a local level. And if an entity is not able to participate, we do maintain all of those Lessons Learned and exercise information in an accessible system to thousands of local operators, first responders, and those Law Enforcement professionals who support the security of the nations ports and other transportation modes. Congress also generously chartered the surface transportation security Advisory Committee a few years ago. Amongst the members includes obviously our stakeholders, our private sector stakeholders representing a multitude of interests across all surface transportation modes. However, we also have 14 federal agencies that serve on that committee as nonvoting contributing members. Ms. 
Newhouse, i think my concern is if we have a very active, or very live incident, the ability to quickly communicate and disseminate that information with the ports, im not sure that the security committees or the apparatus that youre describing allows for that direct and sort of nimble communication to the ports and other potential threatened entities out there, and thats where my concern is. I just have about 45 seconds left. I want to ask one of the questions to the coast guard. Im going to follow up with you all through questions for the record but admiral, can you tell me whether or not you all are working with fema to update the nims system to be able to track and follow through on Cyber Incidents? Congressman, in terms of first of all, communication with the ports, we have 24 hour watches that have access to the information and share that information but look forward to your questions and follow up questions. With regard to Incident Response, we stand up at the local level, a unified command, which is a structure that was established under nims to be able to respond to incidents and we can be happy to provide more information about that and follow up later during this hearing. That would be great, and maybe nims isnt the perfect system. It seems like there needs to be a mechanism like that for tracking accountability. Thank you, mr. Chairman. Yield back. Gentleman yields back, ms. Titus. Thank you very much. I would like to go back and follow up on mr. Carsons comments about coordinating with the private sector. Mr. Grossman, you mentioned the assets, one area you didnt talk about the coordination is in commercial space. We have been hearing a lot about these joyrides to outer space, but we know its an important industry, it can help us take products up to the space station or launch satellites. Good potential use there. And there are a variety of companies that are starting to get into this, and i think that that increases the potential for Cyber Threats. 
I wonder if you could talk about how these isacs work, if youre looking at Cyber Threats, how we coordinate with the commercial space industry. Congresswoman, i thank you for your question. Unfortunately that doesnt fall under my purview, however i understand faas office of commercial space is heavily involved in the development of the space Cyber Security policies and assist in the development of the space policy directive. That directive established key Cyber Security principles to guide and serve as a foundation for u. S. Approach to Cyber Protection of space systems. I could certainly follow up with you to get more information on your question. I would appreciate that because i realize its not directly under what you do, but you do a lot of things all around that area, and i think its something thats worth bringing to the attention of the committee because its going to become increasingly an issue as we do more of this private space adventures, i guess. I would ask ms. Newhouse, i know you were instrumental in setting up the precheck program. Youre very informed on how this works, and you got it off the ground, and we have seen it expand now the line for precheck is longer than the regular line, i think, but one of the things that weve heard in areas that are with Rural Communities is that they have a hard time actually coming in person to get the precheck clearance. So theres some attempt to move to remote applications. Could you talk about that and how that data that could be collected remotely can also be protected and do you need legislation for that? Or is it something you can just do internally or through regulation? Thank you for your question, congresswoman, and thank you very much for your support of the tsa precheck program. We greatly appreciate the insights congress and all of our stakeholders give us on a daily basis. 
I can see at a very high level, i know the office, the program that runs that program for tsa has endeavored to expand enrollment capabilities as you mentioned, congresswoman, and were actually in progress of bringing on additional contract support, different vendors to do that in a secure manner. Im happy to get back to you and your staff with specific answers to those questions on how we are best requiring protection of that information, and how we will oversee that information. Thank you. Thank you. Id appreciate that. So much of our information is shared in an airport, whether its through tsa or just plug it in while waiting for your flight or even on the flight itself, so i think that to be sure that this is all secure information in the screening process because the trip begins when you get out of the car at the airport, we want that to all work well and we want people to feel secure that the information cant be compromised. I look forward to getting that from you, and i yield back, mr. Chairman. The gentlewoman yields back. The chair now recognizes mr. Weber for five minutes. Thank you, madame chairwoman, i appreciate that. I want to talk a minute about pipelines. I appreciated garret graves comments about ports, and well time these together. The Colonial Pipeline system was hacked into, i think it was may this year, and it was down for four or five days, feeds the southeastern United States, moves about 2 1/2 Million Barrels of product a day, which is gasoline and jet fuel, excuse me, extremely important for our infrastructure obviously. We would argue National Security infrastructure because we need to fuel our military stuff. The Keystone Pipeline in our district, without the Keystone Pipeline or more pipelines to carry stuff pipelines have a 99 safety rating. They move product the most efficiently and most safely. 
All that to say from an energy perspective, with vulnerability of being hacked, would it sound like we ought to have a system in place to notify the pipeline operators i would add ports too, as well as other ways we move energy. Since we have limited time now i know we talked about cyber speed so to speak. Should there be a process in place to where the greatest amount of energy is protected as early on as possible. Is this possible? Is that something that sounds a good idea and possible? Thank you for that question. If i understand it correctly, were talking about coordination and communication between the private sector partners that provide the energy, the fuels, the pipeline operators, as well as the government in its regulatory capacity. Correct. Let me also say ports too. Our country the economy of our country runs on trade. Lets not leave the ports out. Okay. So the same principles will apply in my answer. Thank you. Tsa has moved aggressively to improve information sharing and Incident Reporting from all of those private sector actors and to coordinate both with d. O. T. And other government regulatory bodies that have an interest in those areas. As you probably know, ports as well as the pipelines are privately operated, so we have to work with those private sector partners and try to influence them and advise them to improve their own Cyber Security practices to protect their systems so theyre less likely to be attacked. Some of that is standard i. T. Access control. It also moves into Operational Technology which are very specialized and outside the realm of d. O. T. Information technology. If we had a system to catch that i know we monitor a lot of stuff and be able to communicate that as quickly as possible i know there was discussion about banks some years back since ive been in congress. Same thing. 
If we had a system in place that we could at least be a i dont know what the right term is comanaging partner whereby if we know something is in the making we can alert them as quickly as possible and protect our infrastructure. Admiral, what do you think? Sound like a good idea? Congressman, intelligence and understanding whats happening to the threat level is really a critical piece of how we collectively protect the nation. So, weve established procedures by which we can share information rapidly, but both through the inner agencies down through our field units and in some cases with the private sector through our security committees. What were finding out, though, is this is a very broad problem and so its important that we get together and collaborate at the lowest level possible. Systems established a joint Cyber Defense collaborative that is bringing agencies together at a low level to be able to see those threats and challenges as they evolve and share them rapidly. This is an important issue. Were getting after it. Thank you for that. Madam chair, i cannot see the clock. How much time do i have? Gentlemans time is done. Ms. Newhouse, if you can prevent the random disappearance of my wifes airline tickets, it would be worth everything to me. Congressman, were happy to help. If you have any questions about tsa precheck or your family members, let me know. Thank you so much. Thank you, madam chair. I yield back. Thank you. Ms. Brownley is recognized for five minutes. Thank you, madam chair. My first question is to mr. Dorsey. Mr. Dorsey, in october your Office Issued a disturbing report about i. T. Security weaknesses at the federal motor carrier safety administration. You placed malware in the network and the agency failed to detect it. I was curious to know is this a practice that you do with other agencies? Why was this particular agency selected for this exercise? Im curious of the thought process behind it. 
Thank you very much, congresswoman, for your question. In our reviews weve issued a number of audits with respect to our Vulnerability Assessment of the departments i. T. Infrastructure to determine if there are secure practices to protect and secure infrastructures. It was not our first review of the department. It was our third review. We initially started in 2016. An issue was reported on the departments research. We followed that up. Federal motor carrier was just the third one in all its administration. We reviewed another review of the federal highway i. T. Infrastructure. Were doing to determine whether the department has instituted the proper controls over their own policies they have in place. We identified this Persistent Security weakness that has provided us with a path to actually compromise the departments i. T. Infrastructure. Did the federal Highway Administration fare better? We just initiated that review. It will only take about seven to ten months to complete our review. What weve found in the past is persistent weaknesses in basic things such as a lack of strong passwords, unpatched or what we consider to be software that is not updated in various operating systems. We found a lack of encryption and data. Thats how we were able to penetrate the infrastructure. Thank you, sir. Mr. Schachter, you said youve been there for three months. Certainly 11 years in the city of new york. I guess im just i would like to ask you how would you what grade would you give yourself at this particular point? An a, b, c, d, f? How would you grade yourself? Thank you for the question. I dont have enough information to provide that sort of assessment. I can tell you mr. Dorsey mentioned some of those audit findings go back to 2016 before d. O. T. Created a Central Operating environment for the purpose of addressing across d. O. T. 
Some of the very same findings that oig found in multiple modes related to Access Control, vulnerability and patch management. The current operating environment gives us much better tools at d. O. T. Our performance has already improved, but we have a ways to go. Were transparently acknowledging that as i did in my opening statement. I think as pardon me? I wanted to go on to another question because i only have a few more seconds left. You also mentioned, you know, limited resources several times in your answers today. Im wondering, you know, do you have enough resources to do what you think you need to do and, if not, are you planning on making further budget requests in the 2023 budget cycle? Thank you for that question as well. Still too new to the position to fully assess whether we have sufficient resources as needed to address this or the resources in the right place or with the right expertise. I expect before too long to be able to share that information. Thank you, sir. Madam chair, yield back. The chair now recognizes mr. Burchett. Thank you. This is for the admiral. Im really concerned about the russian efforts to target the undersea fiber-optic cables, many of which are operated by private companies. I understand a lot of this information is classified. Given the coast guards role in protecting the marine Transportation System, can you comment on our nations ability to prevent against cyberattacks against our undersea cable infrastructure? Our Maritime Transportation infrastructure is varied and depends on other modes of Critical Infrastructure. As you highlighted, there are substantial threats against the maritime Critical Infrastructure every day. So thats why weve put together excuse me thats why weve operationalized our Cyber Security to make sure were getting after this threat at the speed it demands. I can offer you a followup brief regarding cables if you like. I would like that. Just out of curiosity how many ribbons are on your chest? 
Congressman, i dont even know how many ribbons are on my chest here. Maybe i can get you that answer for the record. Thats all right. Its very distracting. Its pretty cool. Thank you, brother, for serving our country. A buddy of mine back home is a coasty. I remember at the veterans Day Celebration that everybody gets up and sings their service anthems and my daddy was a marine. There was always just one coasty in all of knox county that would sing. He would scream it out in the back because he would be by himself. I always thought that was pretty cool. This is for mrs. Newhouse, tsa. I wont get after you for the Terrible Service sometimes i see people get because in knoxville, tennessee, the group is pretty good. I always gripe about the one in d. C. Which in my opinion is lackluster. The tsa announced plans to issue new Cyber Security regulations for rail and airline. How much time did yall give the impacted stakeholders to respond and give feedback? Thank you, congressman. Thank you for recognizing our officers, especially the ones in tennessee. Thank you for that compliment. With respect to the rail and higher risk rail and rail transit directive, along with Security Program changes, we followed a very robust rubric of engagement. For aviation we utilized existing security requirements and programs and provided ample notice both verbally and in writing. We have also, as i mentioned in my opening to Ranking Member graves, weve taken that feedback and updated definitions of reportable Cyber Security incidents. Weve taken that seriously. With respect to my Rail Partners as i mentioned earlier, we have embarked on a robust engagement at the ceo level starting with secretary mayorkas, along with our partners to engage both at the classified levels and unclassified levels to describe the known, ongoing threats driving these policies. 
We then provided written copies to the regulating parties to have an opportunity to review these, albeit in circumstances we have to act swiftly. What we have done is engaged and updated on feedback particularly from our Rail Partners. Has your agency received concerns from the stakeholders how the upcoming Cyber Security directives would impact their Current Operations? Yes. Everything we do every day is about continuous improvement. One of those areas of continuous improvement is first do no harm and complement operations while securing operations. We have heard a number of concerns to ensure all operators, large and small, can apply these Cyber Security measures in an effective manner. We do take that into consideration and we continue to elicit feedback. Were not done when we issue the document. Its a continuous feedback loop. Thank you. Ive run out of time. I yield none of my time. The chair now recognizes mr. Payne. Thank you, madam chair. Ms. Newhouse, im going to contact you outside of this hearing with respect to precheck at Newark International airport. I received some documents from flyers that flew into newark that had an issue with the precheck. Ill do that at a later time. Under the rail Safety Improvement act of 2008, congress mandated railroads to positive train control systems. They work to prevent accidents by using an Information Network to regulate a trains position. Can you elaborate on the new tsa directive on passenger and freight rail? How will this help secure ptc systems? Thank you for your question, congressman. We look forward to receiving the inquiry regarding tsa precheck. Were happy to help. With respect to the new Rail Security directives we worked with partners to implement them. If i may, we have focused very heavily on reporting. We have to know even anything that could really reasonably impact those operations, whether its ptc or i. T. Systems. Early warning and indicators are critical. 
That's part of the strategy with these new directives is to have a 24/7 reportability. There's a clearing house. It's essential. We don't stall any reporting requirements or reporting channels that operators may have. This is the center of the United States government to maintain that information and disseminate it fast. With respect to any IT or OT system we're requiring our rail operators to develop a Cyber Security Incident Response plan. We're working with them. We're doing that in concert with the DOT. We want to make sure our folks in the field have that information at hand. We're asking the operators to conduct self-assessments and identify vulnerabilities and help close those gaps. Thank you. Mr. Marino, cyber hygiene is critical to keeping our infrastructure safe and operational. Federal agencies must not be exempt. As chairman of the Railroads, Pipelines and Hazardous Material subcommittee, we must prevent future attacks. How can Congress help keep good cyber hygiene practices? The best method of doing that is your continued support of the Inspector General community and the audits we conduct. It's extremely helpful and productive in particular to have Congress support not only during our audits, but following them when it comes to recommendations. We're grateful for that support. The important thing when it comes to in particular smaller entities is to ensure that those departments and agencies they're part of have the capability to monitor the performance themselves and likewise at the more central level, OMB and the federal offices are doing everything they can to give feedback to big and small agencies and what they need to do to get better at Cyber Security. Well, you know, I think I thank you for that answer. Madam chair, I yield back. Thank you. The chair now recognizes Mr. Valderson. Mr. Grossman, good morning. Last year the GAO offered six recommendations to the FAA for its Cyber Security oversight program. 
It was found that future Flight Safety could be at risk if the FAA doesn't ensure oversight. What is the FAA doing? Congressman, FAA looks at really the whole system of the airplane to ensure there are proper procedures and protections. You know, there were six recommendations. We have closure on two. Three more will be closed in March. We welcome that audit and made significant changes. Thank you. One of the recommendations the GAO made which the FAA did not concur with is to revise its procedures for periodic independent testing. Can you discuss why the FAA disagreed with this recommendation? Absolutely, sir. It was independent testing on aircraft that are currently flying in the fleet today. We were concerned that independent testing or Penetration Testing is how we discussed it with GAO on aircraft that are in the fleet that are active aircraft could leave residual damage to the systems affecting safety. Thank you. Has the FAA developed Cyber Security Training Program? A Training Program? Yes. I'm not aware of what we have developed. I can look into that and get back to you. Thank you very much. In December of 2020 GAO reported that none of the agencies implemented key practices for Communication Technology supply chains. GAO has made 80 recommendations to enhance Cyber Security. Nearly 50 of those recommendations have not been implemented. While we don't have time to go over all of them, which of these unimplemented recommendations should be given priority? Yes, congressman, appreciate you pointing out the importance of the recommendations we have outstanding. 
In addition to the recommendations within that specific report you mentioned in your questioning, I believe that the top recommendations with respect to Critical Infrastructure include making sure that agencies are doing everything they can to assess what the cyber risks are to their respective sectors, put forward plans with stakeholder engagement that makes sense on how they'll support those sectors and execute. To put it very carefully, most of those recommendations express that in a variety of different ways across sectors that extend beyond transportation to include the grid, Financial Services and other sectors. We think it's very important for CISA to reach its full potential. When Congress accomplished CISA, the agency took on a large set of activities. Unfortunately they were not able to achieve quite a few of the important activities relating to Incident Response. These are activities they need to complete as quickly as possible. We heard from CISA they'll do those things this year or next. Thank you very much. I yield back. The chair recognizes Mr. Malinowski. Looks like he's not on. Mr. Carter, you are now recognized for five minutes. Thank you, madam chair. Thank you so much to our participants. Mr. Dorsey, your organization provided a lot of oversight of federal government Cyber Security strengths and weaknesses. Have you looked at how prepared or vulnerable agencies are to protect Cyber Security attacks around the time of Natural Disasters? My district in Louisiana suffered a substantial storm, one of the largest ever. My fear is as we know that hurricanes come every year, the intensity increases. My fear is our Critical Infrastructure is particularly vulnerable during those periods. Can you share your thoughts on ideas and or practices to protect our Critical Infrastructure during Natural Disasters? Would be happy to, congressman. It's been identified as a real threat. 
It speaks to how important it is to consider not only when we can be strong at our weakest points which can come with Natural Disasters. I would say over the course of the last several decades we've been tasked by Congress to look at how federal agencies are preparing themselves for man-made or Natural Disasters. A key part of that is to ensure the continual availability of information. You can't do that without thinking about Cyber Security. I think that's probably a very important part of looking at any Cyber Security program at a federal agency, its ability to recover from disasters. Mr. Dorsey may have more specific DOT examples to provide. I'm happy to pass over to him. Thank you for the question, congressman. We initiated a review of the department's high value assets. We found the program is heavily relying on the Department of Homeland Security to work with the department in assessing the department's high valued assets. The department identified 21 high valued assets. There have been four assessments since the Department of Homeland Security initiated its review of DOT's programs. We're planning to continue our work over the next several months to determine what the actual governments process is, as well as whether they're taking the initial steps required to assess and remediate the potential for threat of any of those high valued assets. How do you disseminate that information with the local governments or states so that they're equipped for future instances? I understand you have several practices or studies ongoing trying to determine best practices. How do you disseminate information so local governments are better prepared? Our job is primarily to report directly to the Department Heads as well as Congress and how that information is disseminated down to the state and local level, I don't have Mr. Marinos, can you respond? That falls on the shoulders of CISA. Think report to local state governments. Those are services that CISA has. 
We've seen an important need for CISA to continue its outreach across the board so that there is awareness about what the federal government can do ahead of time to prepare itself to be resilient in a situation like you described where a Natural Disaster may coincide with a cyberattack. It would be helpful if you could share that information with us so we can share it with our local governments in case of hurricanes or wildfires. You can imagine the devastation if someone took control of our apparatus and we couldn't dispatch EMS or fire equipment. Thank you very much for your time and attention. Any information you can share with us on how we as a committee can do better or push buttons further to provide resources or awareness so this information is getting out and we're able to be prepared for future instances. As we know, unfortunately they're becoming far too common. I yield back. Chair recognizes Mr. Fitzpatrick for five minutes. Thank you, Mr. Chairman. Mrs. Newhouse, thank you for being with us today. When Colonial Pipeline suffered their cyberattack in May, TSA required reporting and incident report plans were needed. In 2020 the time to report a breach was over 200 days. What more is being done by your agency to identify cyberattacks in a quicker fashion? Thank you for your support and your question, congressman. With respect to those security directives and the pipeline industry, we require reporting within 12 hours. That's because of the critical nature of our nation's pipelines, the fact they carry the significant effects they would have because they carry the resources necessary to run this country. We're very forward leaning in establishing that immediate timeframe. We updated what is a reportable Cyber Security incident also. Secondly, it's been found that over 80 of breaches are financially motivated. The average ransomware payment rose over a third in 2020 from 2019 levels to over 100,000. 
Do you believe American Companies should continue to pay ransom? Do you think legislation would be needed to disincentivize? Ransomware has been identified as likely the highest level of malicious activity. Through the Department of Homeland Security we work closely with Law Enforcement, the FBI, federal, state and local Law Enforcement to identify those opportunities. I would defer to my CISA colleagues on how we can do that from a technical standpoint in addition to the financial aspects as well. Happy to take that back and coordinate that for you. Thank you, Ms. Newhouse. I yield back. The chair recognizes Ms. Bordeaux. We've seen the Cyber Security attacks on the transportation sector. In May of 2021 the Ransomware Attack on the Colonial Pipeline resulting in 40 of gas stations being out of gas in my state. Mr. Grossman, you talked about the value of training through participation exercises or simulations. My district is home to a lab which is a one of a kind living lab designed to provide a real world test environment to advance next Generation Intelligence and smart city technology. What kind of simulations do you run to prepare your staff for Cyber Security attacks and could you talk about the benefits of those life simulations? Absolutely. Thank you for that question. As I mentioned in my oral testimony, we have developed the cyber Test Facility in Atlantic City that serves as kind of the cornerstone of some of our exercise activities. We regularly conduct Incident Response exercises that include both the Mission Support side or the normal IT side of FAA as well as the operational side or the natural air traffic system, air space system, excuse me. In addition to that, we conduct external exercises with DHS and all of government. There are cyber exercises. We have also conducted Enter International exercises with the Caribbean, with Mexico and several other countries. 
You know, this year we've begun looking at cyber ranges so that we can actually inject real world Cyber Security threat into our exercises so that we can get an actual look at what an attack would look like. I lost you. Sorry. I lost you there. Apologize. To follow up with that, Mr. Cordell, at the DOT, are there similar exercises you do that you can talk about and what the value add is of having that real life simulation? Thank you for that question because it gives me an opportunity to discuss one of the most effective and least expensive type of simulation exercises. That's one where we send a test email encouraging people to click on an unknown link, a technique called phishing. We see by repeating that on a regular basis people get much smarter and become more cautious about clicking on those links. As mentioned a while ago, this is a prime way that malware gets introduced into enterprise environments unknowingly by people within the organization. It's a very effective means of protecting the network and providing greater Access Control. Thank you very much. I yield back the balance of my time. The chair recognizes Mr. Mast for a period of five minutes. Thank you. Admiral, I would love to start with you. Number one, thank you for your service in the United States Coast Guard. Very much appreciate that. Want to talk about this. If your men and women are physically attacked, do they return fire? Congressman, we have a well-established, well-trained process in place for use of force in the Coast Guard. It is not my area of expertise. So if you want to go into that in more detail I would be happy to take that question for the record or set up a briefing for you. Not a lot of detail. Just logically and common sense if somebody points the muzzle of a rifle at one of your men or women and depresses the trigger and moves a round at a couple thousand feet per second towards your men and women, are they going to return fire? 
Congressman, they will execute their Coast Guard use of force policy. If fired on by an adversary, they will fire back. That's right. Not meant to be provocative. Common sense they will. Again, understanding you're not a shooter by your own admission, do you think that they should shoot until they totally eliminate the threat? Just opinion. I'm looking for opinion on this. I understand you're not a shooter. Congressman, our folks need to ensure their own personal protection, ensure the protection of their colleagues and ensure the protection of any members of the public as well. So they will carry out the policy until that Coast Guard is ensured that things are safe. We should dispatch threats in my opinion. I've been a part of doing that in a different place. I want to label this on cyberattacks and Cyber Threats. I want to layer that on this question. Should we approach a cyberattack in the same way we would approach a physical attack? Should we go out there, there's a moment it turns from defending myself to going out there and seeking a violent course of action. It becomes offensive. That's not provocative. Should we be pursuing that in every instance of being shot at in the form of cyber, that we dispatch that threat so it can never again pose that threat to us again? As we move this into the cyber landscape it's important to understand there are key differences. There's a big difference between a shooter right in front of you using force against you that you can see and react to versus somebody in the cyber space that might be working through a different adversary and might be working through a different venue to get after you. Attribution in cyber space is really critical. That said, the Coast Guard released a cyber strategic outlook in August that puts together three lines of effort. The first line of effort is about defending and operating our networks and DOT Networks. The second is about protecting the maritime Transportation System. 
Then the third line do you believe that is in making that transition that we were attacked, we're now assessing and we're transitioning to offensive to eliminate where we assess the origin of that threat? If you can assess the origin, do you believe in be congressman, with support from the administration and the budget we're building out a Cyber Mission Team Capability that allows us to take full spectrum provided we have the right authority in place against adversaries. So that's a yes. It's part of our strategy. Full spectrum meaning, yes, you should have the capability to transition to the offensive against where you believe a threat originated from? Congressman, that is the key part of our three lines of effort in our outlook. We're aligning our training under the joint DOD Standards so that we can work closely with the Department of Defense to carry out what the nation needs from their forces. Your time is expiring. Thank you, Mr. Chair. Chair recognizes himself for five minutes. Last month we heard from industries. I look forward to hearing from our witnesses on how the federal government can work with its private sector partners. This is for Mr. Dorsey. My district in Massachusetts has two leaders at least in the Cyber Security industry. Industrial Defender and CyberArk. These Companies Work on software to Keep Technology in line with compliance. Has the DOT Office looked at how federal agencies are working with Companies Like this? Do you have any recommendations for providing cooperation? First Mr. Dorsey. Thank you for your question, congressman. The Department of Transportation has not looked at that line of coordination, if you will, but what I will say it's part of our annual assessment. 
We do work with the department and ask them a series of questions from the standpoint of the supply chain, of Risk Management and what we do with that line of reasoning is to go back and determine whether or not the department has taken appropriate steps with respect to ensuring that any vendor related software is not associated with counterfeit efforts. We also make a determination to what extent does DOT ensure that products, systems and services of external providers are consistent with DOT Cyber security policy. That's a new requirement that's been incorporated in the metrics that we have to assess on an annual basis. Outside of that, that's how we communicate with the OMB as well as how we work with Congress with respect to what the department's efforts are. Thank you. Mr. Marinos? Two thoughts here. GAO was tasked by law to evaluate the standards were. The biggest one in this area is the Cyber Security framework. As part of the reviews we're wrapping up the fourth review. We looked at how the cyber framework was pulled together including the engagement in a draft and incorporating them into the framework. We've done this on a couple iterations. We may not necessarily interact directly with organizations like those you mentioned, but we evaluate how were taking in information from folks out there, the experts on Cyber Security and whether they can use that to better the framework and the guidance that's being put out. The second thing I mentioned is that GAO does engage with state and local audit offices, including the Massachusetts Office as well. It's been a great opportunity because it gives us a channel to have a better sense of how effective federal guidance is within their capacity and what are the threats and landscape they're seeing, state and local agencies have to combat as well. Thank you to you both. Chair yields its time and recognizes Mr. Johnson for five minutes. Mr. Chairman, Mr. Johnson of South Dakota? Yes. Sorry. Very good. 
Not a problem. I will start with Mr. Grossman. I had the opportunity to visit an air traffic facility in Sioux Falls. It was fantastic. They showed me around. I couldn't help but notice how antiquated some of the computer equipment was. There were some newer systems. They seemed to be intermingled, but some were older than some of the folks working in the tower. Give me a sense of the challenges we have keeping these systems safe when they're so antiquated. Thank you for your question. Appreciate your trip. You know, I think from a cyber perspective, you know, those systems while they appear to be old, we are able to keep them secure. You know, if you're asking about simply replacing those systems, that's not in my area, but I would have to take your question back to our air traffic organization. From a Cyber Security perspective, even though they appear old, they are certainly secure. Okay. Very good. I appreciate that. Maybe I'll shift gears now to Mr. Marinos. I listened with interest when you noted that GAO made 3,000 recommendations for improving Cyber Security to federal agencies and even more interest when you noted there are more than 900 that have not been implemented. We haven't had a lot of discussion today about dams, which is under the jurisdiction of this committee. Sir, are you aware of any particular obviously the dam is critically important from an electrical generation perspective and Flood Control perspective. Are you aware of any recommendations made for our dam infrastructure that have not been implemented? Building off the most recent question I answered, the Cyber Security framework applies to all sectors. As part of the work we've done, we've gone out to DHS and the other sector Risk Management agencies and asked whether their sectors are finding it useful. That would include the dam sector as well. 
In those instances we've seen that federal agencies are challenged not only within that sector but others to have that dialogue with operators big and small. There are a variety of reasons for that. One, there may not be the appropriate expertise by the operators to be able to interact and provide that feedback, even to be able to use the framework. It's a very expansive set of it's been sort of equated to a grocery store. They can pick and choose the Cyber Protections you might want to implement. The important thing is for DHS to get feedback from not only the dam sector but others to make sure the guidance it's providing is useful. As you alluded to in your last answer, that is more comprehensive, right? It's across all impacted agencies. Anything in particular stand out with regard to we were talking about the antiquated IT Systems in place with the FAA. I know that's also the case for the operations of the dam systems with Western Area Power Administration and others. Anything in particular that comes to mind with that subsector? Absolutely. Doesn't just relate to that specific inspector. Legacy systems are something that operators need to be thinking about ahead, have a plan for how they intend to modernize. As Larry pointed out, Mr. Grossman, many of those systems may have in some ways better protections if they're air gapped, in other words if they're not connected to business systems. They may be better suited for the operational control activities they do. The reality is that that connection to the federal government, how did those operators know what the greatest threats are? That requires a good amount of information sharing. I think that's well said, sir. Is there a has GAO indicated the investment gap? We talk about these legacy systems and the need to replace them. Has GAO estimated the size of that gap in dollars and cents? Could you point me toward a particular report? 
Happy to share information from the federal agency site, but the federal government continues to spend 80 of its IT Budget on legacy activities, not on modernizing. That's an important aspect as well as the DOT mentioned modernizing with security in mind from the beginning. Thank you. Mr. Chairman, I yield back. Chair recognizes Mr. Malinowski. Thank you, Mr. Chairman. I want to zoom out a bit, no pun intended, and talk about the future of transportation, 5, 10, 15 years from now and get into how the department is guarding against new and emerging threats. Then I'll ask Mr. Marinos for his reactions. I participated a few days ago in a tabletop exercise that simulated a hostile power taking down our GPS systems. Something that obviously would have incredibly dire implications for nearly all modes of transportation, air, rail, maritime and more. In the consumer automobile context, some of America's largest companies, Tesla, Apple, Alphabet, are investing billions of dollars in Autonomous Vehicle technology. I was in a meeting yesterday with the CEO of Alphabet which owns an autonomous driving startup, Waymo, he reaffirmed his interest to us in bringing that technology to the market. While there's no Expert Consensus on when there will be Widespread Adoption of level four, level five autonomy, I think it's safe to say we'll have a huge number of vehicles on the road by the 2030s that are relied on Artificial Intelligence on making decisions, accelerating, braking, every road decision. Every car today is rolling off the Assembly Line with computers. Many have Entertainment Systems that are preinstalled. There's even more revolutionary technological change to come, including potentially cars that are charged by the highways that they drive on themselves. As all of you know, any product, device or Service Connected to the internet or otherwise reliant on code is going to be vulnerable to compromise. 
The stakes are going to be incredibly high when we're talking about software powered machines carrying people at 70 miles or more down the freeway. Mr. Schecter, recognizing your primary focus is on the internal IT Management of the department, that you've only been on the job for a few months and are not personally writing the regulations relating to autonomy, I want to ask you some questions about how you and your colleagues are thinking about the threats around the corner. What cyber-related challenges does the department expect to encounter in 5, 10, 15 years when the technologies we're just talking about today become mainstream? What's going to keep your successor up at night and what, if anything, are you doing now to prepare? Thank you very much for that question. GPS and overall positioning navigation and timing are very important issues that DOT is studying in multiple places. The best example I can give you relates back to my experience in New York City where we were one of the three national connected vehicle test locations through the Department of Transportation, connected vehicle pilot program. Securely communicating with all of the test vehicles and standing up a security credential Management System so that vehicles were communicating with basic Safety Information like emergency braking or even traffic signal we wanted to be sure the federal government wanted us to be sure that all those transmissions were from authenticated actors and nobody was spoofing actors and potentially causing harm to either the people operating the vehicles or other road users as well. That's a future technology that is not so far away, but certainly demonstrates the issue involved that you're referencing that those communications need to be secure and we need to know on the transmitting and receiving end they're from partners we recognize. I guess I'm out of time. I yield back. Chair recognizes Ms. Gonzalez-Colon for five minutes. Thank you, Mr. Chair. 
My question will be to Mr. Larry Grossman. I just want to bring to attention that the FAA decision to utilize section 804 to consolidate air traffic in Miami for basing which includes Puerto Rico and San Juan airport operates with the technology. Yet the Flight Center handles more than 4,000 flights monthly, all flights including arrivals, departures and overflights from Puerto Rico to U.S. Virgin Islands and British Virgin Islands and South America due to its 400 mile long air space, which can take commercial airline an hour to transit through. This is the same number of flights that Atlanta air space covers from Charlotte to Savannah. While I understand this has been done to consolidate operations and for cost savings, my concern is that what are the assurances that a cyber attack on the FAA facilities in Miami won't affect air Traffic Control operations in Puerto Rico and what type of redundancies are put in place in smaller airports in rural and remote places should larger air Traffic Control operations be affected by a cyber attack? Considering that we got the International Airport, but as well small airports around the island. Thank you for your question. I'm sure you know I'm not responsible for facilities consolidation. From a cyber perspective the protections our air Traffic Control systems have are virtually identical whether there's a facility that's local or whether it's remote and managed through our secure communications protocols, which is a service that we obtain. But that service is the same whether the facility is local or remote. The security parameters are the same. Mr. Grossman you're talking about the aviation ecosystem. What kind of training do airport and air Traffic Control workers get in Cyber Security? 
Well, you know, I can't speak for airport workers that are not specifically employees or contractors but I can tell you that all air Traffic Controllers are required to take yearly security Awareness Training and all contract tower employees, et cetera. After the first hearing we got on this topic, some employees last month in the hearing said that they were conducting personal business on Work Computers or even personal cell phones that expose the company they work for to Cyber Attacks. How can we ensure that the same does not happen at airports around the country or while airplanes are in the sky? Well, I can assure you that there is no personal Business Done on any Mission Critical system or service. Individuals government issued work space that they get their email on, they are permitted to do limited personal use and that is very limited. You know, if someone needed to on their break time log into the bank or Something Like that. Thank you. Mr. Dorsey, how often does the DOT test its Security Controls as part of the Risk Management issues OIG identified in 2021 and what do those testings include? [indiscernible] thank you for the question, congresswoman. [indiscernible] adequately testing Security Controls identifying and managing risk, protecting IT Systems from a configuration standpoint. The gentlewoman's time is expired. Thank you. I'll be happy to provide you with an updated response. Thank you. Thank you, Mr. Chairman. The shortcomings in our nation's Cyber Security readiness are apparent both in the private and Public Sectors as evidenced by the attacks this year on the Colonial Pipeline. Mr. Dorsey, as you noted in your testimony, your office has identified Information Security as a top management challenge in the Department of Transportation, but yet the DOT has not resolved dozens of open recommendations by your office in the last year. In the report done by Clifton Larson LLP released in October of this year, they concluded that the DOT 
must develop and communicate an Organization Wide Risk Management strategy and Implementation Plan to guide and govern supply chain risks. What do you see as barriers to this recommendation being implemented? And given the supply chain issues we are experiencing, how urgently can the Department of Transportation act on this recommendation to avoid future disruptions? I think you need to unmute. Sorry. Thank you for the question. As noted in my testimony there are three key areas that the department can take immediate steps to address the Cyber Security issues we've identified over the years. Similar to addressing supply chain Risk Management issues, this applies to all of the Cyber Security issues associated with the department. What the Department Needs to do is solidify its leadership at the department to the Security Office level to ensure that working with the current and new chief Information Officer to establish the right framework and controls to ensure the enforcement of the various recommendations we've made over the years. The second thing the Department Needs to do is develop a comprehensive DOT-wide Security Strategy to address our recurring weaknesses. Until they do so, which we made recommendations we made overarching recommendations this year and to the department's credit they agreed to implement those recommendations. I think that will go a long way to addressing some of the concerns. Lastly ensure they put the proper control in place to protect and secure IT Infrastructure and with regards to Risk Management [indiscernible] as we go forward. Thank you. Thank you. Leaving ourselves open to ransomware and other Cyber Attacks puts people in jeopardy. It's a national Security Risk and threatens our economy. There needs to be better communication between the private sector and government to be sure we are prepared for future attacks. 
In our hearing of november 4th we heard reporting mandates would create a flood of information resulting in pertinent information being lost or skipped over by agencies. What steps are being taken by the tsa to ensure reporting mandates are collecting and processing pertinent information in an effective manner . And, two, can you walk me through how tsa takes in reported Cyber Threats and processes the data . Thank you, congressman. Appreciate that. Im very proud of the fact that we have continued robust engagement, a lot of engagement with a lot of stakeholders including those who served on the panel the previous hearing. Particularly, just this past week weve had executive level meetings with Senior Executives in rail and Passenger Rail on this topic. We received their feedback on draft security directives and thatinformed what we were looking for. Weve made it more effective, less broad. So it is an actual or reasonably likely to have a devastating impact on any of their systems. So it is also important to note that those reports go to what we call Cyber Security and infrastructure Security Agency has a centralized operation center. Thank you. My time is up. I yield back. The chair recognizes ms. Van dine for five minutes. Thank you very much. I want to thank all of you for being us. My direct is home to dallas ft. Worth International Airport which is the largest economic driver in the state of texas and one of the nations most important airline hubs. Over thanksgiving weekend we saw passenger numbers exceed 90 of prepandemic volume throughout the country. Dfw airport is part of a working group with dhs and tsa and ive heard they bechtbenefitted from transparency and have gained valuable information from working together. Mr. Grossman, many of our airport Critical Systems are hosted by airports around the country. Does the faa offer collaboration similar to what we have seen with dhs and tsa for airports . 
Second question would be, what more can we do to increase information sharing with our airports . Thank you for those questions. I may have you repeat the first one, but i will answer the second one first. We collaborate extensively with airports through our initiative as well as the council which has Airport Authority and aia as members. So our collaboration with airports is pretty rich in substance. We share best practices with airports. On many occasions when there was a vulnerability identified on a system that was a non faa component, we immediately shared that across airport industries. I would ask if you could repeat the first question. The first question i talked about on dhs and tsa and how they have collaborations in a working group thats focused on transparency in ways to better collaborate. The question was, does the faa have a similar working group with airports like the other two do . We participate with tsa on the airport working group. Okay. I have a followup question for mr. Grossman and for victoria newhouse. Everything we have heard from airlines is that in 2022 that could be a record breaking year in terms of traffic from europe, the middle east and south america given pentup demand. Cbp staffing for International Arrivals is going to be critical and could be a significant pinch point if theyre not prepared. How is the faa preparing for further disruptions in the system as they move closer to the busiest travel time of the year . Well, again, i apologize, thats not a cyber specific security question. I believe our staffing numbers are not going to be impacted by that. Okay. Are you expecting further disruptions or no . Im not expecting any further disruptions, no. Okay. So theres no preparations being made then for the increased travel in 2022 . Were staffed for that increased travel. Im not sure of the question specifically. Ms. 
Newhouse, what is the tsas plan to ensure checkpoints have Proper Staffing and wait times are minimized for passengers . Congresswoman, we are leaning forward very heavily. As you may have heard over this past year we have worked very hard to hire as many officers as we can. Its a very Competitive Labor market, but we are also focused on ensuring realtime reporting. We share that with our airline and airport partners daily and sometimes hourly to ensure any sort of issues in the system whether equipment or personnel related is addressed immediately. Last, we do have our National Deployment force ready and able to deploy at a moments notice to support increased operations around the country. Weve seen that successfully for major sporting events such as the super bowl, spring training, also in the event of a Natural Disaster were able to put our personnel in to support air operations while the personnel affected on the ground can evacuate safely. Thank you. I appreciate that. I again have gotten lots of calls and questions from folks who are constituents in district 24. They travel a lot and there are a lot of frustrations. The lines are getting longer as there are fewer tsa workers. Thank you. I yield back. Chair recognizes mr. Lamb for five minutes. Thank you. Mr. Dorsey, i took from your testimony that while there are several technological and purely Cyber Security issues at play here, there seems to be at the foundation kind of a personnel issue of maintaining consistent leadership in key roles and keeping people in place and bringing people up through the system so they understand it. Thats very similar to what ive seen on other committees dealing with not only Cyber Security but Technology Acquisition and implementation. Its not an easy problem to solve. I was just curious if in your work you saw any commonalities about why we were losing people or failing to gain them in the first place or any suggestions how we could fix the personnel side of it. 
Thank you for the question, congressman. We dont necessarily review what the workforce related issues are with respect to the departments Cyber Security posture, so i will not be able to provide you with a direct answer. What i will say is that i am very encouraged by the departments current chief Information Officer and the various discussions ive had with him regarding the effort and his plans moving forward with respect to addressing the workforce issues. What our reviews have found is there has been inconsistency at the top regarding the departments leadership from chief Information Officer as well as the chief Information Security officer. As i noted in my testimony, over the last year the department had an acting chief Information Security officer who said Cyber Security was not his primary role and responsibility. But what i will say is i am encouraged by the conversations that i had with the current chief Information Officer and i look forward to working with him moving forward. Thank you. I appreciate that. Do any of our agency witnesses want to weigh in on this question . This is a common problem for us, because obviously people with strong Cyber Security management backgrounds are also in very high demand in the private sector. So i dont know if you have any Success Stories or suggestions you could make to us about trying to put ourselves on a firmer footing here from a personnel perspective. Youre on mute. Thank you. Yes. Id like to respond to that. Thank you for the question. It gives me the opportunity to say that after having noted that improving Cyber Security at d. O. T. Is our number one priority, our second priority is investing in our workforce. That means investing and helping them develop their careers so that theyre not only able to perform at higher levels with their responsibilities but theyre adequately prepared for future responsibilities. 
It also includes recruitment and making sure we hire the right people with the greatest potential and were looking at our own people for future professional opportunities. Ill refer back to my experience as cto and cio at the new York City Department of transportation where i worked for 13 years. Able to achieve very low rates of attrition. Even though the private sector often came calling with higher salaries, we lost relatively few people. I understand from Industry Information thats a frequent problem not only for the government but even private Sector Companies losing staff to one another as each tries to outdo the other for best food or health club in addition to just cash compensation. The government is often at a disadvantage when trying to compete in that arena. I think what we can do, though, is we play to our strength, which is the importance of our mission, the opportunity for people to make a contribution to improving and now in this environment the United States. And i believe well have a compelling story to tell that will both attract good new people as well as help us keep the good ones that we already have. I agree. We have to appeal to their patriotism. I hope if theres a way to help any of your agencies do that, that you will let us know because we know how important that is. I yield back. The chair recognizes ms. Deal for five minutes. Thank you very much for holding this important hearing. During my tenure serving as Orange County supervisor and board of directors for Orange County transportation authorities there was a cyber attack on the octa, hackers had systems for two days and demanded ransom to unfreeze them. We did not pay the ransom and chose to ignore the demands. We had staff restore all infected servers. Are there ways agencies can improve communication with the state and local government to best protect against these Cyber Attacks . 
And do you think the United States has the proper workforce to fight these current and future threats . These threats are coming in from sometimes china, sometimes north korea. Thank you, congresswoman. Were very proud of our relationship with both our federal, state and local partners, many of whom operate critical assets throughout the country. We have a very robust Field Operation now in place that focuses solely on surface operation. Thats one resource thats available 24 by 7. We divided it up into six regions and it has an entire team of personnel ready to go to engage one on one. You hit it on the nail. That continued collaboration and dissemination of information, it could be anonymous, but its important that we continue to provide threat and indicator information to all operators, whether state or local or private. Weve established a number of mechanisms to do that through our directives. Our tsa Operations Center also serves as, ill call it, a redundancy. We have pretty unique information sharing cells within the government. We have individuals both for surface transportation and aviation that can actually participate in daily threat briefings with the tsa. Thats another opportunity where we provide that persistent information both indicator threats and tools. A security bulletin was issued last week. Thats where we work closely with our Intelligence Community. We rely closely and heavily on their intelligence and assessments along with our fbi and other entities. We do have the workforce in place in the United States government. I have a background in intelligence operations myself and i can say with personal knowledge that we do have direct access to that intelligence and Law Enforcement information. Thank you very much for your detailed answer. Admiral, i have a question. Protecting against Cyber Threats is really critical for the port of long beach in l. A. 
Right now we have a supply chain crisis as we have about 175 ships waiting to unload. Congress has made several changes to better integrate Cyber Security planning and response. Can you describe how the coast guard built Cyber Resilience in the port of l. A. And long beach ports and others like it from attack . Congresswoman, the current supply chain crisis really highlights the importance of the mts to our National Economy and to our National Security. It really emphasizes the need to put proper protective measures in place, but then also be able to be resilient in response to attack. We put together a comprehensive framework across the whole prevention and response framework to make sure ports and Maritime Infrastructure are able to prevent attacks and be able to respond and be resilient. Im happy to follow up with a brief afterwards if desired. Thank you very much. I have one more question but im going to submit this question. Thank you. My time is up and i yield back. That concludes our hearing. I would like to thank each of the witnesses for your testimony today. Your comments have been insightful and helpful. I ask for unanimous consent that the record remain open for 15 days for additional comments and information submitted by members or witnesses to be included in the record of todays hearing. Without objection, so ordered. The committee stands adjourned.