Be a member of congress. We welcome suzanne spaulding. Also thomas fanning, two of the commissioners of the commission. First of all, i want to thank the cochairs and the two commissioners for their important work on the Cyberspace Solarium Commission. I think the end product is excellent. I think it has some solid recommendations that a number of these are within our committees jurisdiction and will be working hard to vault those and the ones evaluate those and the ones that we can get them passed into law. They can be done through executive action. I would like to spend my time, enter my formal written statement into the record. I just want to talk about two of the commissions of recommendations. When i got here in the congress in 2011, cybersecurity was a hot issue. It still is. It is not going away. But i remember the buzz word back then is we have to do something about this. We have made a number of attempts and quite honestly, we have made a fair amount of progress. My own sense is the bad guys, the people on offense always have an advantage but i think were catching up and closing that gap between offense and defense. There has been some very common themes. First is we have to do a better job of information sharing. I think we have accomplished that with the establishment of the Cybersecurity InfrastructureSecurity Agency headed up by chris krebbs now. We had a Conference Call with director krebbs last weekend. He said cyberactors were trying to steal medical information on the development of a vaccine. This is a persistent threat that is not going away. Which makes the commissions work so incredibly important. The first thing i want to talk about and were working to get included into the Defense Authorization act so it can become law is the need to put someone in charge. National cyberdirector. We held a hearing a counterterrorism years ago of the blue ribbon study panel. That was established on biodefense. It is interesting their number one recommendation is we need somebody in charge. Not too long ago we held a hearing on 5 g. Once again, the number one recommendation out of that Committee Hearing was we need somebody in charge of the implementation and development of 5 g if were going to compete in the world. Lo and behold, i think the number one recommendation out of this commission is we need somebody in charge. Now there is some controversy behind that. Contactly how to set it up is complex. I signed on the letter with sandra who is leading the charge on the Senate Armed Services committee has asked the commission to continue to study and make recommendations exactly how that National Cyberdirector would be established. What part of the administration that individual should be placed into that they can have the maximum positive impact and so hopefully the commission will Stay Together and make that recommendation and we can get that included into the national Defense Authorization act. The other recommendation i want to talk about is something that we did cover if a hearing with the director krebbs in a public hearing is the need for and this is actual we have a bill on this. It is called cybersecurity vulnerability disclosure act. There is a need for a system to be able to contact individuals where they have noticed that there is a threat and right now the only way they can contact those people is if they can literally subpoena the records to find out who those individuals are. Identify them so they can contact them. This shouldnt scare anybody. It shouldnt be a issue of civil liberties. Im going to ask everybody on our committee to do everything we can to by book or by crook hopefully get that into the Defense Authorization act as well. Those are the things i want to concentrate on. I dont want to steal the commissioners thunder. Now i turn it to senator peters. Very good, senator. Thank you for bringing us together. Thank you to our witnesses for joining us today and for your cyberspace the solarium commission. I would like to thank our colleague senator king and for appearing before us today and subjecting himself to our questions so thank you senator king for doing that. Cyberattacks are one of the greatest threats to our National Security and it is a Commission Found in the report, the United States is not thoroughly prepared to defend ourselves. Ed a versares like china, russia, iran have repeatedly attempted to hack into our Critical Infrastructure, interfere in our dreament process and engage in large scale in intellectual property theft. Hey launched a cyberattack against our hospitals to steal information on the virus for the Coronavirus Vaccine that threatened the health and safety. Americans without sufficient cybersecurity tools, resources and skilled personnel, these attacks could have a devastating impact on our daily lives. Your report makes some critical information that with must consider so we can prevent and recover from malicious style attacks. Your recommendations are wise ranging. I think they boil down to three main goals. One, we must work with our althrice promote responsible behavior in cyberspace. We must deny advantages to oured a versares and impose greater costs on those who engage in malicious sibe attacks. I have worked on a bipartisan basis with many of my colleagues on this committee to advance legislation to meet some of these goals. I look forward to discussing some of these today and find ways to come together and make sure were dealing with cybersecurity issues. Thank you again for all of our witnesses joining us today and i look forward to your testimony. Thank you, senator peters. I know this is a web event and not an in person hearing. Ill just ask you to swear that the testimony you give before the committee will be the truth, the whole truth and nothing but the truth so help you god. Thank you. Our first witness is senator angus king. The cochair over the cyberspace commission. Since 2002 he has served as a senator from the state of maine. He was governor of maine for two terms. He graduated from the university of virginia law school. I really appreciate the opportunity to testify before you. What i would like to do is give you a background on the commission and what our fundamental findings were and talk about our strategy of layerd cyberdeterrence. First the commission was set up by the 2019 National Defense act. The mission of the commission was to establish an overall Strategic Direction for american policy in cyberspace, number one and number two, make recommendations for implementing that strategy. The commission had 14 members, four from the congress, four from the executive and six from the private sector. It was entirely nonpartisan. There were really no partisan discussions whatsoever apart from the four members of congress, i have no idea of the policy affiliations for any of the other members over the commission. We have 29 in person meetings. We interviewed over 400 people and went through thousands of pages of documents and ended up with 81 recommendations, 57 of which require legislative action which have been submitted to the various committees and the staffs in the senate and the house. So what are the fundamental findings . It rests upon three issues. Run is reorganization. Get the structure right. The chair talked about this at the beginning. The second is resilience. How do we build cyberdefenses to keep ourselves save safe from attack and the third is response. How do we respond to attacks in such a way as to defend our country. Now the fundamental strategy if you will is called layerd cyberdefense. Layerd cyberdeterrence. Here are the layers. Number one shape behaviors. That is establish norms and standards in the International Community so that this is not a unilateral onecountry kind of effort. The second is to deny benefits. That is to strengthen our cyberdefense and that is part of this is reorganization and part of this is strengthening other agencies that well talk about later this morning. But to basically be more resilient and that includes plans for the recovery of the economy in the case of a sibe attack. The third is the strategy of deterrence. We have been attacked over and over over the last 1015 years. Our adversaries have paid very little price. We need to establish a clear declaratory policy that if you attack the United States in cyberspace, you will have to pay a cost and that is really the fundamental idea of deterrence and we have got to be clear about it and we have got to have oured a versares make the calculation that attacking us is going to cost them. I want to change their calculus when making that decision. Thank you very much for holding this hearing. Look forward to answering your questions. Thank you senator king. Our next witness is congressman mike gallagher, the cochair of he Cyberspace Solarium Commission. You received a bachelors degree from Princeton University and pitched a from georgetown ph. D. From georgetown, university. Congressman gallagher . Thank you, chairman johnson, Ranking Member peters abs and distinguished members of the committee. It is an honor to be here. Thank you to you and your staffs for engaging super actively with the work of the commission as we try and turn our recommendations into actual legislation. We start really from sobering recognition similar to the one hich animated the original project solarium some 67 years ago. It was not getting the job done. I would wholeheartedly agree with chairman johnson. For a variety of reasons we have yet to achieve the speed and agility that is necessary for survival in cyberspace. How do we get there . As angus king reminds me, structure is policy. I would like to talk a bit about our recommendations related to structure. First, we believe that we must create a House Permanent Select Committee on cybersecurity in order to streamline congressional oversight and authority. Second we believe we must establish a Senate ConfirmedNational Cyberdirector that chairman johnson talked about, to lead National Level coordination for cyberstrategy. A public voice for cybersecurity and technology issues. We need to strengthen it to ensure infrastructure conduct Risk Management and cybercampaign planning and lead public and private collaboration allowing it to compete with talent not only with n. S. A. But with google and other companies. And we need to recruit, develop and retain a stronger federal cyberworkforce and there by close our workforce gap and finally we believe we need to strengthen our cybersupply chain. The commission has taken an approach that the power is in free competition. Our strategy amounts to little more than occasionally limiting the access to firms we dont trust into our markets. I believe this is not working. Consider the conference tation for 5 g where the Chinese Communist party is able to subsidize their champions like huawei without having to respond to Market Forces. To counter this, the commission calls for investing information D Communications technology, industrial capacity and reinvigorating our research and development. Of course this will cost some money. Whether in this terms of responding to a pandemic or a massive cyberattacking we believe america can no longer afford to depend on Chinese Technology for Critical Technology with that, i would like to once again thank chairman johnson and angus king and commissioners tom fanning and suzanne spaulding. What made this a unique experience was the quality of participation we got from our outside experts, the executive branch and the sitting members of congress. With that i look forward to your questions. Thank you, congressman gallagher. Our next witness is suzanne spaulding. She is a commissioner of the solar cyberspace commission. She was the undersecurity for the department of Homeland Securitys National Protection d programs director from 20112017. She priestley served six years at the central tension agency d as an advisor to the nonproliferation center. Miss spaulding . Chairman johnson, Ranking Members of the committee, thank you for this opportunity to testify here today. I want to touch on three areas that i think can and should be acted upon quickly. Particularly given the vulnerabilities exposed the pandemic. The first is strengthening the cyberSecurity Agency as the organization that i as the undersecretary is now called. Congress recognized their central role in our countrys efforts to reduce cyberrisk and the commission strongly endorsed this view. Malicious cyberactors targeting hospitals and Health Research research. Home this work has never been more important which is why we urge congress to provide the agency promptly with the resources and authority it needs including Mission Support functions to be able to be the National Risk manager. Continuity of the economy planning. Identify systematically important Critical Infrastructure and coordinate planning and Research Across the federal government and with the private sector. Second, with regard to improving the cyberecosystem and reducing vulnerabilities, the commission understood that markets are usually more efficient than government and can drive better cybersecurity. We looked at why the market is not performing that function today. A key reason is that markets need information in order to be effective. To provide this information, we ask that congress establish a National Cybersecurity certification and labeling authority to help consumers make informed decision when buying connective device, guidelines for Cloud Services. Promote a more effective and market. T cyberinsurance finally i believe one of the most important pillars in the report is resilience. We need to reduce the benefits side in the adversarys costbenefit analysis. Sometimes the most Cost Effective way to reduce cyberrisk will be reducing our dependence on those network systems. Developing redundancies, perhaps analog backup for ways of interrupting cybereffects. Paper ballots are a way of building resilience into infrastructure for example. We have a number of urgent recommendations but i would like to conclude with our recommendations to pilled public resilience against disinformation. Beating ill literacy can help but we need to weaken democracy by pouring gasoline on the flames of division that already occupy online discourse. Pushing americans to give up on our institutions, not just elections, but the justice system, the rule of law and democracy. They seek to destroy the informed and engaged citizenry upon which democracy depends. The commission calls for reinvigorating civic education. Help americans rediscover our shared values, understand why democracy is so valuable, that it is under attack and that every american must stay engaged to hold our institutions accountable and continue to move toward a more perfect union. Thank you for the opportunity to testify and look forward to your questions. Thank you, miss spaulding. Our final witness is mr. Thomas fanning. He is also a member over the Cyberspace Solarium Commission and president and c. E. O. Of southern company, one of the nations leading energy companies. He has work there more than 38 years and currently serves as a cochair and the liaison between the federal government on the power sector on matters of National Security and terrorism and cybersecurity and disaster recovery. He previously served on the Federal Reserve bank in atlanta. Mr. Fanning . Good morning. Thank you chairman johnson, Ranking Member peters and members over the committee for the opportunity to testify today. The United States is at war. Virtually unchecked for years, oured a versares have been stealing our intellectual property and disrupting american commerce and our democratic way of life. This war is being waged primarily on our nations Critical Infrastructure, mainly the energy sector, Communications Network and our financial system. Only 87 to have Critical Infrastructure in the United States is owned and operated by the private sector making collaboration between the private sector and the government imperative. The Cyberspace Solarium Commission was created for this new digital reality. Later, the the outline serves as a practical road map to protect, prepare, hold to ntable and respond existential cyberthreats. We have a three pronged strategy for success. Reshape behavior on the battlefield, impose cost on oured a versares and deny benefits to our enemy. There is no international accepted principle with escalation and deescalation in cyberspace. The first step in shaping behavior on this battlefield is to define state accepted behaviors in cyberspace and have consequences for behavior s that arenot acceptable. We need to communicate these behaviors to our friends and also our adversaries who take us. Every day American CompaniesLike Southern Company face millions of sibe attacks. With the full support to have private sector, the federal government must advance a strategy to maintain an offensive posture in cyberspace through regular persistent engagement with friends and foes alike. It must include the full weight of the federal government, the department of defense, the f. B. I. , the secret service and the Intelligence Community. The third strategic prong is to deny benefits to our enemy. We do this by strength tng Critical Infrastructures ability to maintain continuity against a sibe attack. We must also tack steps to shape the cyberecosystem and process technology and data that make up cyberspace for its greater security. We must create a true joint effort, moving beyond information sharing to allow common access to actionable intelligence, clab ratsive announcements, joint planning and action. It means clearly identifying the most systematicically important infrastructure and bringing to bear the full resources of the United States government in supporting and defending them from nation state attacks. The public and private sectors are True Partners in this effort and we must move forward in better harmony. I am confident the report and recommendations will help us to do that. Im happy to answer any of your questions. Thank you mr. Fanning. Let me quick start out, senator king, im assuming you received a letter from senator rounds asking the commission to study and propose the exact structure for the National Cyberdirector. Is that something is that a mission you have accepted . Absolutely. I talked with senator rounds about that last week. I think the questions are good ones and i think it is absolutely appropriate that were going to apply ourselves to answering those questions and try to flesh out some of the details how this new office would work what the authorities would be and how it would fit in with other structures in the federal government. Thanks, senator king. Congressman gallagher. My second point was giving them that subpoena authority so when they identify a threat they are going to be able to find out who that who is being target bid that threat and provide notice. Hat are the prospects in senator hassan and my bill to accomplish that . We very much support the recommendation and appreciate the work that you are doing, fully support the bill language. As for the prospects in the house, i cant give you a good assessment right now but we are working with the committees and really leveraging one of the unique strengths of the commission which is that the other house member on the commission, a democrat, has enormous influence within his caucus on these issues. He is a subcommittee chair. He has been a champion of this proposal as well as some of the proposals ebated such as the creation of a Cybersecurity Commission in the house. I just want to say we believe the authority as called for in Commission Report and in your legislation would strengthen the ability to be proactively protecting vulnerabilities and Critical Infrastructure and help secure them before they are compromised and the final point led make and this is very much in line with the approach we tried to take throughout the report which is not to create a lot of new agencies with fancy acronyms but to take a look at the agencies that exist now and figure out how we elevate it and empower it and give it the tool it needs to accomplish its very important mission. If you can spearhead the efforts in the house so we have common language and were not pingponging it back and forth, my goal would be to pass the Defense Authorization act. Miss spaulding, you mentioned the need for a data breach notification. The first two goals. Better information sharing and national preemptive standard for data breach. Did not realize how complex and difficult that was. That is part of your recommendation. Do you mr. Spaulding unfortunately, mr. Chairman, we do not. We understand that congress is going to need to work through those issues and our recommendation was designed to describe the elements we think need to be in csc and to add wind to your sales as you attempt to corral your fellow members into reaching consensus because it is something that is so important to achieve on a National Level as you understand. Notification laws in effect, there are over 50 of them. Each the has each state has its own. It is difficult to operate across state lines but it does not result in the statistics and information on a National Scale that could help this National Bureau of cyber statistics that could help advance the Cyber Insurance market, could help making cases to management for return on investment. That is the kind of information that a National Reach law would help accomplish. Chrmn johnson as you know, we will need a lot of help. Im not sure we have our sails up much less wind in them. Mr. Fanning, we have spoken about my concerns about the threat to our national grid. Cyber attacks represent a similar attack. Can you give us some assurance that we are addressing these problems and we have resiliency in our electrical grid . Im specifically concerned about iran launching a sad light circling the globe and coming up over america multiple times a day. That is a big concern of mine. I appreciate our dialogues in the past. I think one of the points i have tried to make is there needs to be a comprehensive approach to all of these issues. Escc my leadership there. Now, we see the coronavirus pandemic. What we need to do is have a comprehensive approach where we harmonize the efforts of government with the efforts of the private sector dirt and let us not forget state and local governments and our international part. Every silo inat silo of thend every strategically important sectors of the economy have been doing a pretty good job but what we have got to do in order to advance the ball for america is to harmonize these efforts and collaborate. Chrmn johnson thank you, mr. Fanning. I will reserve the must the rest of my time and turn it over to senator peters. My first question is for senator king and mr. Fanning. The reports have indicated Chinese Government has been sponsoring Cyber Attacks against our hospitals, our Government Networks and our Research Institutions presumably in vaccinef covid19 research. This is clearly unacceptable putting american lives at risk. My first question for senator king is how with the recommendations in this report and enable us to combat these kinds of attacks we are seeing from china . Sen. King it is important to is a longrange problem in cyberspace. They are at it and want to be more active than they are coming at us. If you go back through our recommendations, we need to step back and Start Talking about establishing International Norms and standards so that if there is a violation, it is not only us calling foul but the whole world and i think that has got to be part of the strategy for combating Something Like what china is doing. Secondly, resiliency, strengthening our defenses. The final piece i think is so important is to let the chinese and the whole world know that if you pull Something Like this, you will pay a price. We dont define what the price is. It does not have to be kinetic or cyber or a particular price but there will be consequences. I believe one of the real problems of the whole cyber pastor has been that we have been basically taking the punches without responding. I want our adversaries to say maybe if we do this, we are going to get whacked in some way, shape, or form. This is exactly the kind of thing we are talking about and frankly, one of the things we talked about is if you come at us in a time of National Crisis like the pandemic, the response will be stronger and the penalties will be stronger. Think it has to be a comprehensive strategy that you the things one of that this pandemic has shown us is how vulnerable we are particularly when you think about how many people are working from home. We have a whole level of target space we were not showing to the world just two or three months ago. Peters mr. Fanning, im sure you would like to jump in and say how we protect our infrastructure. My company a loan gets attacked millions of times a day and that is not unusual for any of the major providers. Ed groupa trisector and guys like jamie dimon, others. We have a joint threat matrix modeling what the different kinds of consequences and likelihoods are of a whole spectrum of attacks. We are developing a wish list. Now, they show up in the solarium recommendations. Weare working to make sure are consistent with what is happening in the private sector and what we need to do about it as a federal government. What is important in this report is you dont see many words like sharing, collaborate. We have to first illuminate the battlefield. We have to share the effort of the Intelligence Community, of our sector specific Community Sector specific agency and then we have to hold the departments responsible and accountable. Peters thank you to both of you. To protect our nations Critical Infrastructure from these kinds of attacks. Pressed thently administration to hold the Chinese Government accountable. To make it clear that this activity will not be tolerated particularly during a pandemic. And that there will need to be consequences. Whether it is addressing Cyber Threats or our overreliance on china for medical supplies needed to address the coronavirus pandemic temp i think we need to stand up to the Chinese Government and strengthen our National Security. This effort is so important. My next question is for senator king as well. Regarding the continuity of the economy, these issues are relevant. In the event of a widespread or prolonged cyber attack on Critical Infrastructure, i think we all agreed that the impact could be catastrophic. I question is can you discuss the recommendation . What lessons are we learning from covid19 we should be considering for a longterm cyberattack . We have learned the necessity of planning and thinking the unthinkable. A room smart people in and talking about what could happen and what would happen and how to bring the economy back. The continuity of the economy planning and setting that up as a real function is one of our most important recommendations. We have got to be thinking about what happens if the northeast grid goes down or the southern grid. Aboute got to be thinking the lessons we are learning now. Frankly, i think once we get through this awful situation we are in now, one of the most important things is an after action assessment. What did we learn . What was missing . What are the critical functions . What are the pieces we need to be paying attention to that are likely to be vulnerable . Before i finished, i also want to mention, the chairman asked a question about breach notification. Sen. Wicker the senator cantwell, and senator moran all have good bills on that and i think we have some models to go forward. Of the the continuity economy, it is a critical function. It has to be strategic, specific and i want to be ready when this happens. It is going to happen, mr. Senator, it is going to happen. I told somebody the other day we are seeing the longest wind up for a punch in the history of the world that the punch will calm. Sen. Peters thank you, mr. Chairman. Mn johnson let me reorganize the list of questions. I dont see senator scott on the board. Incorrect, have someone text me but right now, let us go to senator carpers. Carper congressman gallagher, im not sure i have had the pleasure of meeting you. Fanning, as soon as i heard your first name, i like to immediately. Welcome. Always greatit is to have a captain at the helm and we welcome you. [indiscernible] tom coburn is my wing man. [indiscernible] accomplished a lot [indiscernible] what did we do well . [indiscernible] ms. Spaulding great to see you senator carper. Thank you for your question and your hard work. You did accomplish a great deal and i would say some of the most important things were solidifying the other authority of what was then the National Protection programs director. Because that is really important. Mostnment operates effectively when it has a clear mission. And helping to codify the existing mission of the Cyber Security and infrastructure resilience efforts was a really important step forward. And so come your work on the legislation to codify the verytions center, important to get those authorities in place. Codifying its role as the forary and Central Place the business sector to come with information. Thato be the key place gets information back out to the private sector. Clarifying clearly what the mission is and that it has been tagged with that mission is really important and continues to be important. , undering the agency your terms, the budget has continued to go up. It was so far behind to begin with, there needs to be significant increase in those resources particularly for the Mission Support functions that dont get the attention. It is typically easier to get the funding for a specific program to go out and do something but the box office what the rack Office Support to acquire the technology or for the hr function so we can bring in that talent we need so badly to be able to do this mission, funding those adequately is very important in the commission strongly recommends that. To continue to make sure the leadership has the expertise it needs so we recommended a head ofr term for the that agency. So they can be in there long enough to become familiar and then really move out on a strategy and making sure we are doing the mission effectively. The things that you started, that the committee has continued to pursue, these have continued but need to be accelerated. And they all need to be done on a bipartisan basis. I want to thank our cochairs, senator king and congressman gallagher for leading us in such a nonpartisan way. It is a way Cyber Security should be done and i hope it will continue to be done. Per tom coburn passed away a little more than a month ago. After a long battle with cancer. Ms. Spaulding im sorry to hear about that. Sen. Carper i think you in order to create a more perfect union. We need to do a better job in this regard as the threats continue to be there. I remember for 9 11, we created the 9 11 commission. By hamilton. D [indiscernible] our committee adopted [indiscernible] great bipartisan leadership with the cochairs. Senator carper, if i could interject. Mike gallagher has characterized our commission and the work we are doing we want to be the 9 11 commission without 9 11. That is exactly what we are trying to do here to think about how to respond and how to respond in a systematic come across the government kind of way and the private sector. That is the key the 9 11 commission without 9 11. High, work hard and dont quit. One of the areas we have not quit in but we dont have much to show for it undoubtedly create a national, a Uniformed National approach. Sen. King that is one of our key recommendations. Arper that is why we look forward to working with you on this. Chrmn johnson thank you, senator carper and we appreciate ,ou pointing out senator coburn that was a huge loss to all of us. I also appreciated ms. Spaulding using the term nonpartisan. I appreciate that over bipartisan. There is nothing partisan about the threats that we face. Our next senator is senator hawley. Hawley congressman gallagher, i want to come back to something you mentioned in the testimony is china is using includingarfare investments into intellectual property. I appreciated your focus on this and have appreciated your work in the house on this. I want to give you a chance to expand on those themes. When it comes to Cyber Attacks, what is it you see . How does china operate . How do they typically attack . Whom do they typically target . My own awakening on this issue was painful. I spent most of the last decade as a middle east specialist in uniform not understanding how china operated. Aremember vividly getting letter after the massive attack of over 22 million federal Government Employees records for your thank you service but your records have been hacked. Tot was a call to me understand what was going on. It is fair to say that chinese most hawkish specialist still did not understand how aggressive the new leader would be to the Chinese Communist party. Ae have had multiple series of attacks we know go back to the Chinese Communist party. In addition, we know there are certain state champions of huawei in particular that operate effectively as appendages to the Chinese Communist party. The wall street journal argued is a headquarters. Thatinite states report pointed out the scale in which Huawei Technology has been compromised. We found nothing to contradict that assessment in our own work on the commission. If anything, we would emphasize the findings of the blair house field commission. Ieldlair huntsf commission. Up to this point, we have taken a primarily defensive approach which is necessary but insufficient. We said were going to put hu awei on the nonentity list. The commission though recommends adding to that with a positive approach involving a significant investment in research and development, finding creative ways to work with allied countries on key technologies to make sure we are not dangerously dependent on china Going Forward and finding a way to make a positive case for American Global leadership and a contrasting case of what we have seen from the ccp. Hawley let me ask about the vulnerability of our supply chain. The report acknowledged the threat of the supply chain on our ecosystem. I have been an advocate for onshoreng on short supply chains. Could you elaborate on some of the recommendations and what role do you see the private sector playing . Rep. Gallagher absolutely. I think it is 4. 6 in the report that congress develops directs the government to develop a technology industrialbased strategy to ensure more trusted supply chains and the availability of critical information anD Communications technology. This starts with a simple identification of which technologies are critical and where we have single points of failure in the supply chain so we are not discovering those single points of failure in the midst of a crisis which i would submit we are in in some cases when it comes to advanced pharmaceutical indicators, medical equipment right now. We are asking the federal government with an enhanced commission and cyber focus to identify proactively where are the areas where we either manufacturingthat back to the United States as you have had multiple pieces of legislation aimed at doing that it also potentially work with partners. To semiconductors, taiwan is an obvious target for a chance for enhanced cooperation. It all begins with identifying key areas of risk where a foreign adversary could restrict the supply of a Critical Technology or intentionally introduce supply chain. Hawley tell me about the role you think the private sector or what play here and how we get a balance of both requirements and incentives to help the private sector to get to where it needs to be. Rep. Gallagher i think this is one of the major things we wrestled with throbbed the commissions entire work how do you get the balance we ccp. T want to out ccp the we cannot adopt a one size fits all, heavyhanded series of recommendations. Pursue thatstead incentivizing approach . Theree landed on is that are simple things we can do to incentivize the private sector rather than mandate they do certain things. For example, when of the recommendations in the report is mandatory and attrition testing for publicly traded companies so that they have to invest more than Cyber Security. What we saw time and again is wherever the cease we prioritized and took Cyber Security seriously, those companies outperformed their competitors. ,e would like to, for example see best practices emerging right now become the industry standard. 60 rule. The 110 being able to isolate it and corn tying quarantine it in 60 minutes. We believe best practices like that can become the norm. We deliberately try to adopt an approach that harnessed Market Forces so that the private respondould step up and to a clear incentive that the federal government is setting. Hawley thank you. Sen. King i would like to touch on your comment. The supply chain. We have learned during the covi d crisis how critical our supply chain is. Secondly, we have to realize Economic Policy has been integrated with intelligence and National Policies by subsidizing i to make ithuawe cheaper in order to insinuate itself into the nations of the worlds infrastructure. The cheapest may not always be the answer. Maybe a little premium on the price to have control of the supply chain is an insurance policy. I think that is the way we have to look at this because historically, we would say let us get the cheapest we can. That will bite us. We have to analyze every piece of military wet, Critical Infrastructure, and say where is it coming from . Is it safe . I think you have identified one of the most serious issues facing us and it will not quit. Wley thank you for your leadership and thank you mr. Chairman. Hassan . Hnson senator hassan thank you for the hearing and to our panelists for the work and the effort you have thisn to be with us in new, remote hearing world. Senator king, i would like to start with you. Reportprehensive outlines many key steps the federal government can take to prevent and mitigate the effect of Cyber Attacks. The report is relatively quiet on how the federal government can strengthen state and local governments against attacks. National Governors Association that wrote a letter asking for funding to help state and local governments defend at ends defend itself against attacks. Legislation was introduced to to develop a grant program. We all know that our collective Cyber Security is only as good as our weakest link. It is critical to improve our resiliency down to the smallest locality. Could you examine the possibility of state and local security . We did and a major wave of ransomware has attacked our cities and towns. We have had a small towns in maine that of been talked about and have had hits of ransom. I think there was Something Like 45 mentions of state and local tribal governments. Here is what we wrestled with. We believe and we advocate for the creation of a fund to assist states and localities in dealing with these issues. Not only money but also Technical Expertise. It, part of what we wrestled with was what i called moral hazard. We dont think the federal government should relieve the states of their own obligations to protect their own networks and do what is necessary. What we proposed is a matching program where it would start for a 90 share, 10 match improving Critical Infrastructure on the state level. Year by year, it would scale up in end up being 5050. We want the states to be engaged also. Saying Cyber Security is the job of the fed. That is the way we approached it but we understood and believed thely that working with states on Critical Infrastructure is absolutely important. It is elections, the National Guard has a role to play. I think there are a lot of ways we can integrate with the states have ay but we we shared responsibility. The commission wrestled with this but that is where we came out. New hampshire has seen Ransomware Attacks. When it comes to town meeting time or state a jet balance, what you dont want to do is have the matching obligation be so great that you put at risk federal Cyber Security because a small town cannot beat a cyber operation. Those are the things get the think about. I wanted to move on to ms. Spalding and build on something that senator johnson asked about. One of the solarium commissions recommendations is for congress to pass a Cyber Security vulnerability act. Ourbipartisan bill passed community and senator johnson and i are working to pass this bill into law. Mr. Spalding, can you explain cnet authoritye particularly in the context of covid19 . Ms. Spaulding thank you, senator. Have neededing we for quite some time. And going back to my time. Hhs has the will to scan the internet for known vulnerabilities. That areystems publicly facing the internet that we can tell half the volunteers half the vulnerabilities are what we are looking at. We can identify who owns the system so we can reach out to them and warned them. This would be an administrative subpoena. The folks that have the information about who owns the system are there providers, the Internet Service providers. What we need to be able to do is take that ip address which is the tools allow us to know and go to those providers and say we have found this. It looks like an Industrial Control System which is something that may empower the Critical Infrastructure. It could be the energy infrastructure, transportation, they have ad we see very dangerous on the ability where a bad actor could cause a problem. Hassan i also wondered to talk to you about Cyber Threats in health care. Prior to the pandemic, the health care was a tough target. In the context of covid19 when hospitals are already facing strange resources, im concerned that Ransomware Attacks could have an impact on human life. Some nationstate that actors are targeting u. S. Covid19 research efforts. That is very concerning. Can you help us understand what we can do right now and Going Forward to improve the resiliency of our Health Care Sector to her . Ms. Spaulding such an important point. It is addressed by our commission recollect recommendations. This is the kind of event, a series of events that could be covered under the cyber state of address. Short of the kind of National Emergency where you have physical distraction and consequences along the line of a hurricane or a superstorm. Beyond the routine, daytoday occurrences that we deal with every day. The aztecs during a pandemic on this vital infrastructure could rise to the level of the cyber status. It would trigger the ability for cisa funds. Thecale up and help resources and facilities being attacked. And to bring in Additional Resources particularly the call on assistance for experts within the dod or the Intelligence Community and where we have to reimburse them. That is a key part of that authority. And really critically important. Hassan if there is any time for additional questions i have one more for senator king which we can do later on the National Guard. Chrmn johnson thank you, senator hassan. Senator rosen and then romney and lankford. Senator rosanne. En thank you, mr. Chairman. Thank you for your work. And especially my colleagues angus king and congressman mike gallagher. We were i freshman together. Work. Of great happy to see that you are continuing with that. Looking forward to seeing what you are doing. We know that the cyberspace solarium report found shortages in our talent. Is a former Computer Programmer and systems analyst i introduced a number of bipartisan bills to support our workforce including legislation to prepare our junior rotc consider atudents to career in Cyber Security. What do you think are the additional forward thinking solutions that congress can offer to provide our business communities, our government with the Skilled Workforce they need to strengthen our infrastructure and protect americans from bad actors . And considering what is ,appening now in this pandemic also addressing retraining these are jobs that will continue to grow where other jobs may not come back as robustly. Ms. Spaulding thank you for that question and thank you so much for your efforts on this really important issue. Andow i noted it earlier we are doing everything we can to build a talented workforce we need on the scale that we need it. It is a huge challenge and something we need a tangle. We have a number of recommendations in the report along these lines. One of the most important is to continue to build on the things that are working and that we think are successful. The scholarships for Service Program to build the cyber corps is one of those we think is very important and worth building. Where the government reaches out early on to encourage students to study Cyber Security, helps them with their education and in theey have a job government. I will take them out of school and give them on the job training and then i know that you in the private sector will lure them away. Oftentimes, mighty audience would laugh but i know you know what a strong draw the mission can be. It is also important to focus not just on recruitment it also retaining that workforce. One thing we worked on is the important of an exclusive Work Environment so when you have succeeded in teaching girls to code and recruiting women and a diverse workforce, women and minorities, that you retain those talents by creating an inclusive workforce. Those are the kinds of things that we looked at. Senator rosen, may i provide another answer to that question . It sounds minor but could be major. We need to work on our security clearance process. We have been doing a lot of work on it on the Intelligence Committee because we were losing good people. I know of people that gave up after a year or more of waiting the administration has improved that considerably and the backlog is down. Theyre working on reciprocity so if you have a security clearance for one agency, you can apply for another. We talked about the creation of a rotc like program. Scholarship aid and then a commitment. On thisright to focus issue because if we do not get the talent, we are in trouble. I think Mike Balaguer mentioned gallagherall mike mentioned the shortfall of 35,000 people that we need in the secured Cyber Security area. Last december my which isblocks passed going to promote Stem Education for girls. And thank you for answering my security clearance question which i do think is hurting us. I want to talk about protecting data through Cloud Services. Spaulding,g, and ms. What can the federal government learned from the private sectors experience of migrating to the cloud . And then i will start traded over to suzanne. The movement to the cloud can be a positive development because it you dont have all of your data in 10,000 locations all of which are vulnerable. That means the cloud has to be more secure. We do talk in the report about developing a securities the entered for cloudbased services andhat companies governments, whoever wants to use a Cloud Service can have some knowledge or assurance that they are dealing with a secure service. Suzanne, would you like to touch on that issue . Commissionng the felt strongly that we wanted to encourage folks to move to the cloud. , that is going to be a more secure environment. You will have real experts securing that data but not all Cloud Service providers are equal. We thought it was important to try to push the market by providing information for folks meets cloud provider meet basic standards. We have to make sure that the. Loud environments are secure our recommendation is for the development of guidelines and that those guidelines and folks can see whether Cloud Security providers are providing a secure environment. It cannot just be that it goes to the lowest bidder. Rosen we need to think about our interNational Security as we share data across borders, global borders. That is important to secure that as well. Thank you so much. Chrmn johnson thanks, senator rosen. Senator romney . Romney it is a bit of deja vu for me because many years ago when i was serving as governor in massachusetts, i was part of the Homeland SecurityAdvisory Committee and we came together and spoke about this topic. We felt we were behind and there were actions we needed to take if we were going to be effective in protecting our cyberspace. What is somewhat alarming is to find we are still talking about i mightot as much as have anticipated being done has been done. I would like to focus a moment on what it is that prevents something from happening. In an authoritarian regime, the person at the top can demand something happens and everyone jumps. In the case of kim jong on, they might find themselves no longer breathing. We have to use the tools we have. Fanning, is ask mr. There not the potential to create a lot of pressure coming from the corporate sector on the white house . We need the white house to get fully behind us because it is hard at the congressional level hills to push a string of uphill. Im pushing to metaphors there. Two metaphors there. How do we do that, mr. Fanning . And why has it not happened so far . Mr. Fanning senator romney, great to see you again. I think that is happening. The fact that all of the Critical Infrastructure in been working with the sector specific industry. Had weelaborate collaborate at all levels of government . Facts ise important that not all private sector is created equal. Unfortunate acronym but it is systemically important Critical Infrastructure. We do this at the asset level. That canfy assets either prevent major loss of life, significant economic or enable us to defend ourselves. Is identifydoing the most critical assets in america and then evaluating the layers around those assets of the private sector, to really work with the federal government. And in my opinion, it is not just a voice that says you need more. I think the private sector has a special obligation in this new cyber Digital World we are in to join in the effort and defend america. To join in the efforts to have a special relationship with the community. E to create a more resilient america. And that is why we have the designation of high priority , joint collaborative analytic framework and a variety of other recommendations. You know, as i walk the halls of congress and work in the administration, my sense is there is a great desire to have this happen. We are not without motivation. To pull thatt have effort and direct it in a certain way and i think the report does that. Senator romney, can i touch on that . Principle that structure is policy. If you have a messy structure, you will have a messy policy and right now, we have a structure in our government where we have really good people and good agencies like Cyber Command but there is nobody in charge. Again, going back to my business days, i like to have one quote to choke and that is the National Cyber director. We need someone at a high level that can oversee and coordinate and work on the planning with all of these different disparate parts of the federal government that are working on this. Need. K that is a critical the other recommendations that has not gotten much discussion is we recommended that the congress reorganize itself and develop select committees on cyber because we have got cyber jurisdiction scattered across as many as 80 subcommittees. It is difficult to get anything done. That will be difficult because i am on intelligence and Armed Services and we are talking to Homeland Security. People will have to give up some jurisdiction to gain a more cohesive approach to this picture in both the congress and the executive branch. You are onto something. You want centralized leadership and if you are governor or president , you want someone to go to and say i want this to work. Right now though if you are president coming your have to go to a bunch of different places. Romney i have five more questions. Spauldingask ms. Whether the Intelligence Community can get behind this effort . Let us tear down some of the barriers and go to the white house and get it behind us. If thed strike me that head of the cia and the department of defense and the secretary of defense were to say to the president we really need this one person and we need to restructure this, it will happen. But if the white house is dragging its heels on this, it wont happen. Can we get support from the leaders of the agencies that deal with this topic to get behind this principle . Ms. Spaulding one of the advantages we had was unlike any other commission i have been involved with, we had people from the executive branch sitting on the committee and they attended every meeting, nearly 30 overtime. In ahile they were not position to sign on to the final report given the separation of powers issue, i think there is a strong understanding of the need to court and eight coronation at a senior level for Cyber Security efforts. And the Intelligence Community is an absolutely essential part of that effort. I would like to thank along with thethat we can get consensus around the need for this coordination effort and push this through. Sen. Chrmn johnson thank you, senator romney. Senator hassan, you wanted to ask another question. Senator king, our committee passed a ill come a Pretty Simple belt, and there are so committees under Homeland Security making it difficult for the department to really respond properly to congress when you are going to that many different committees. Similar concern you have regarding Cyber Security. We could not get that simple commission established in the law to take a look at that. Kybashed. D washed it is a little insane in terms of how dispersed the Congressional Authority is across cyber and Homeland Security. Is the lankford what difference between the National Cyber director and what the commission is doing now . Congress has a bad habit of saying this is not working how we wanted it to. Are we talking about elevating the commission . In the first instance, we are recommending elevating and empowering the commission in a variety of ways that might surprise you do not already exist. We shift the director to a fiveyear term and increase their pay and push for new resources. We will always have that mission of defending Critical Infrastructure, defending onein a similar way of the least appreciated recommendations in the report that could have the biggest impact is giving it the authority to do persistent Threat Hunting on. Gov networks adjust this before the attack and the National Director has a more coordinating function making sure that the commission in performing the mission is working well with nsa, cyber, and all the other federal agencies that play in the cyberspace. And i think the advantage of a National Cyber director, especially one that is Senate Confirmed and therefor more responsive to the senate and house oversight, is the proximity to the president is the proximity to the president , and having the ear of the president. Od ilankford like an structure. We modeled it more after the u. S. Trade representative. It is entered interdisciplinary and it worked with Senate Confirmed leadership. The more robust debates we had on the commission. The commission has the role of coordinating across the civilian government agencies. From this National Cyber directory would be able to bring together the offenses and defense of planning to make sure offensive ande defensive elements. Civilian role and not a military role for this position . Ms. Spaulding that would be our recommendation. Sen. Lankford we have talked before that the Committee Structure was designed in a way that it should never have been designed. It was more accidental. And over the years, as agency have been created, congress has not kept up. It is becoming more chaotic Holding People to account. Is it easier to create another select committee or easier to strip away the authorities and landed them in a committee . Obviously, it has other areas. Better to be freestanding or strip everything away . Sen. King i think the select committee and the analogy, senator, is to the Intelligence Committees which did not exist before the 1970s. There was a realization after the Church Committee that there was a need to have one committee with special expertise in a fairly technical area. We are talking not only about this commission but there are military aspects of this. , the calm, nsa intelligence agencies. I think there is a good argument to be made that a special select committee and frankly, one of the things we talked about was having the membership of the committee be the leadership of the various committees such as this one. That is who would be the members. The chair and the Ranking Member or designees. I think there is a way to do it and i realize jurisdiction is life around here that i think this is a moment like the 1970s when there is a specialized area incredibly important to the future of the country and right now, as senator johnson said, you can have these that a simple bill and it can take years. I dont want to go home after a cyber attack and say we were talking about it and there were several bills but it was really hard. I dont think that with my constituents. Lankford nor should it. , once you hit a government standard, it does not take long for it to be stale. In the cyber world, you have a lot of technology with a lot of innovation. Assoon as a government sets standard, it is out of date. How do we keep a standard from slowing down innovation . A standard should not be thought of as a static requirement. It will include a process to evaluate gaps in the future and how to improve whatever it is. By the also be weighted Critical Infrastructure of america. If it is thought of to be incorporated into this systemically important infrastructure, it will have a quicker response time. , inink the private sector working with government and collaborating, not quite desireng, has a special to work to make sure whatever we do fits the national interest. There will be benefits and burden. Thatnk the benefit will be you will have a realtime evaluation on the battlefield. As i mentioned the battlefield of today is the electric system. Weve got to make sure our stuff works. If we can get realtime evaluation, collaborating with the Intelligence Committee, agencies, folks like dod, well all be better off. I think this is a big carrot for private investments. Chairman, thank you. Thank you, senator langford. I see another senator, shes ready to go. I also see senators that want to ask questions, use the hand function. Ask your questions in the forum and i will call on you. Are you there . Thank you so much, chairman johnson, and i want to thank our witnesses for your service to the commission and for participant today. As our country navigates the coronavirus pandemic, we clearly see the importance of strategies for public safety. It has shown us the need to fortify security. Many americans expanded their footprints through telework, virtual schooling, telemedicine, and virtual social gatherings. We will face immense challenges from the coronavirus pandemic for some time, and we must take steps to ensure our networks are secure. The parallel between these should make us ask whether the United States is prepared to sustain and recover from a potential cyberattack. I hope we can look at this report through the lens of the ongoing pandemic and identify challenges we need to tackle now so we are better prepared for the next crisis. My first connection is for ms. Spalding. This was published to implement social distancing program protocols. The pandemic has caused a reppo transition to a much greater reliance on virtual environments. Could you expand on the recommendations you feel are most critical given this new environment . Yes, thank you, senator, and you are right about the heightened risk environment we face in the context of the pandemic. There are a number of things. We have this at home workforce. Everyone is using their home toters and Wifi Networks interact. And so one of the recommendations that we have is for this National Security certification, and this is the kind of thing that can get up and running quickly. Its like an Underwriters Laboratory it would help provide information to consumers as they look at securing purchasing devices, like home routers, webcams, etc. , that we know have been vectors for malicious activity, how to evaluate their purchases from a cybersecurity perspective. I think that is critically important to continue to inform the public about how to make wise choices also for our business owners, critically important around the industrial internet of things, that they too have the information they need to make informed decisions as they are purchasing equipment. Strengthening systems, making sure that it has the resources it needs to do the kind of outreach to the American Public and to the Business Community to let them know when we are seeing heightened activity in a given area, how to secure their homes, devices that they already own. Those are things that can be done right now and that really, there is a strong sense of urgency about. Thank you. Senator king, introducing the report, you and congressman gallagher state clearly Election Security must become a greater priority. I agree. One of the key recommendations is congress should improve the structure and function of the Election Assistance Commission to help states and localities better protect election integrity. Arizona secretary of state shares with me the importance of federal assistance and helping arizonas efforts to secure elections. What steps can Congress Take to gain bipartisan support about election cybersecurity . After your response, i pose the same question to congressman gallagher. Ill give you two thoughts. Stabilize, we need to the funding for the convention and enable it to do its job. Secondly, we have an interesting recommendation. As you know, the commission is set up on a bipartisan basis, and the problem is its deadlocked and quite often cant take any action whatsoever. Were suggesting the appointment of a fifth commissioner, with Technical Expertise in the cyber area, who can only vote on the cyber related issues. And this would break the deadlock on the kind of issues that we are talking about here this morning, to enable us, for the commission, to actually do this important work on behalf of of all the states. Those are two specific suggestions, fifth commissioner, limited in their vote to cyber related issues to break the deadlock so that actions by the commission can move forward to deal with this really critical issue. First of all, senator, we miss you in the house. It is great to see you again. Not mutual, but thanks. [laughter] but in addition to what senator king said, the fact that we are, something that miss spaulding said earlier, we are coming out in strongly in favor of a paper trail, and we recognize a sever commission having such a recommendation in addition to, it we have a recommendation that streamlines and modernize the sustained Grant Funding to maintain election systems. And then we are a country and in treat and try to we are intrigued and try to recommend there are a lot of nonprofits in the space providing free cyber literacy to campaigns. We think that is a good thing. We want to encourage those efforts because the topdown funding is dependent on individual personalities and systems in those states. We need a mix of topdown and bottomup Going Forward. Thank you so much, congressman gallagher. On a personal note, congratulations on your wedding, and one day i will see you in the gym again. I have no further questions. Thanks. I dont see senator hassans hand up, but i know you have a question. Do you have your question . I do, thank you. This is to senator king. Thanks to all the panelists for a superb discussion. Senator, the commissioners report includes the National Guard to help prepare for cybersecurity incidents. Yet as you point out, our affirmative defense policy does not provide clear guidance of what activities the National Guard can conduct or whether they can be supported by federal funding. I know this has been an ongoing issue in my state. What you think is the best mechanism to engage the National Guard in helping states and measures that help decrease separate security vulnerabilities . Do you believe current 30s are or does the card need authorization to conduct authorities or do the coordinator authorization to conduct it . I think they are sufficient and the guard can be a tremendous asset to the states in this situation because of their technical abilities. I think what we believe, what i say i think, what the commission recommends, is a clarification of guidance from the department of defense that would allow reimbursement to the guard, that title 32, so that should be able to be cleared up fairly straightforwardly, and thats our recommendation. The guard is a tremendous asset. Lets use it. And lets not have obstacles. Its really about making clear that when the guard does cybersecurity work with the state, there is a federal interest in it, too. Is, aolutely, there sure huge federal interest. That was one of our specific recommendations. Thank you very much and thank you, mr. Chair. Senator romney . Gallagher, line of questioning that you described with chinas intrusion to cyberspace, corporate and government, was really quite revealing and very effectively presented. And i think you made the point that we, as well as our international partners, need to push back against the intrusions being made by china. I guess the question is, how can we go about doing that . Any thoughts . Right now there is a moot, not only in our country, around the , whether America First or france first, people pulling back, becoming less associated with a global basis. Like you, i figure the only way we are going to get china to be dissuaded from the course that they are on is if we, and other nations that follow the rules of law, if we come together and say hey china, if we do the six, you can no longer have these things, you can no longer have unfettered access. You cannot have access to any of our markets. Can we get there . How do we get there . Does the u. S. Have to leave this . Does someone else lead it . Had do we create recognition not just here, but around the world . Do we need to push against the worlds most benevolent actor right now, which is china . Great question. I think it is the question we are going to be grappling with the next few decades. My own view, having watched this play out, i think the momentum for some form of selective decoupling from china will continue, in some ways, regardless of who is president come 2021, 2025. And this is my view, and this is a bit outside the strict text of the report, is the smart way to avoid autarky, because we cant make everything in america, while weaning ourselves of dependency on china, is to harness that made in America Energy to more productive partnerships with our allies. I mentioned taiwan when it comes to semiconductors. There is an opportunity to expand with australia when it comes to rare earths. And what we recommend in the 5g pooling ourling resources with likeminded countries who have expertise in order to not just say why way and gtr bad way way ngt bad, its notare going to be cost prohibitive. That is the general election trying direction were to push our cooperation with allies. There is a variety of smaller recommendations in line with that, for example, elevating the position in order to facilitate our cooperation with allies. The final thing ill say, to tie it to the question you asked senator king earlier, while it is very hard to deter the Chinese Communist party at present, we believe that this is further evidence of the need for a clear declaratory policy. We are recommending both a strengthening of the existing policy above the use of force threshold, to say if you attack us, we will respond. But also, the publication of a second declaratory policy, below the use of force threshold, so china cannot do what reports are attacking right now, Certain Companies to gain access to information on a Coronavirus Vaccine without fearing the consequence. There is a lot there. I apologize for going on. It is an important question. Senator romney, there is an important visible. You hit on a key question. Churchill once said the only thing worse than fighting with allies is trying to fight without allies. Asia, what iits to found is china has clients and customers we have allies. And we dont tank sufficient take sufficient advantage of that. One of the recommendations, from the secretary of state, we have got to involve the rest of the world in setting with the guardrails are. China violates them, as you said, they are not going to be facing sanctions from us, but from the entire world. Theyre, above all else, sensitive to economic responses. If it is an international response, it is more powerful than if it is unilateral from our side. So, i think youre asking a concussion a key question. You were asking about the importance of elevating norm setting and talking about how we can provide some interNational Guardrails to this kind of malicious activity. Thank you. I yield my time, mr. Chairman. Thank you. Very well said, both of you. Thanksgiving thank you. Centre langford . Senator langford . Let me go down more, because this is what my question was about. We found it difficult to hold into account. Some of them, a chance to walk through, theres a great story about two more romanians, basically living like the kardashians, stealing bitcoin for people all over the world. They were just basically buying on the dark web information and putting out ransomware. They happen to hit on some on pennsylvania avenue through our security cameras, and president trumps inauguration, took over some security cameras. It was an International Incident from two folks from romania who didnt even. Know what they had they were able we were able to get to them and arrest of. But many questions, whether india or south america or europe, we have actors that are doing this and have increasing difficulty to hold them to account. A lot of our conversations are about nationstates, what recommendations do you have about individual actors and to work with nationstates within their country . What are the options we have . Well, thats one of the tough it sortbout cyber is of changes the power relationships. You can have two guys in romania who can wreak havoc, or a small country like north korea who can also wreak havoc. You dont have to be a superpower. In order to play effectively in this area. I think this is another place where talking, there are two sides to this, one is improving resilience. We havent talked a lot about it today, but of gray our game in terms of protection but to upgrade our game in terms of protection. It would be voluntary. It will be consumer driven. But have people be more careful about what it is they are buying. This is going to be much more important as we go to the internet. It is not only a router that can spy on you. It might be your microwave or your car, for sure. So, we have got to be more better in defense. But i get back into this international peace. If we impose sanctions on two guys in romania, they may not care. But if the sanctions are also imposed by hungary, austria, russia, and their neighbors, and maybe romania, then maybe we can get after the. The international after them. The International Cooperation is breaking down the barriers for Law Enforcement so we can go against some of these people, wherever they are. But that means we have to expand our reach and that means we have to be cooperating with our allies. Could i quickly add there is a school of thought out there that we engage with and continue to debate with that could suggest this is why deterrence are not possible in cyberspace . We believe it is because, at the end of the day, we are not deterring cyber or cyber instruments. We are deterring human beings using those instruments. We are touching on is attribute attribution and the need to improve the capability. We have a variety of recommendations that attempt to do that, such as codifying and strengthening, agencies already doing this like the intelligence he Integration Center intelligence Integration Center, and arrive at a Culture Center where they are more proactive in german the results of rapid attribution with the private sector, and it may be the target of those loan actors you identify. The challenge is not just attributions, though that is a significant challenge. It is enforcement. A group of folks in pakistan that decide to do this, and we go to the pakistani government and say this is one of your citizens. They say we believe it is not. Now what do we do . We do have recommendations to strengthen the fbi ability to bring his Law Enforcement tools to the nation effort, including strengthening their overseas presence and sever attaches and embassies, cyber attaches and embassies. So, at least in countries where you can get some cooperation and build relationships, a lot of that is being on the ground, being able to provide assistance to the country in which you are, where this league might be based, so that you build a relationship so when you need information from the, they are willing to corp. From them, they are willing to cooperate. This is an ongoing issue, whether it is robo calls or trying to target fraud for recipients, or a cyber threat directly towards the industry and infrastructure, or towards stealing credit card numbers and such. We have a global issue on this right now we dont have a lot of tools in the toolbox. We put pressure on nationstates to knock it off. We have to find ways to find the rich. Right now, our focus seems to be on nationstates more than individuals within nationstates. We to have a value on both. I appreciate your work. It will put a save can amount of time significant amount of time in this. We talked about the number of hours spent on this. Thanks for all the work and compiling this together. Lets make sure it doesnt sit on the shelf together. Thank you. We agree. Thanks, senator langford. I see senator hassan as the hand. Do you have another question . Really a comment and a reminder. Let me echo senator langford thanks to all of you. Let me remind you the committee passed a standard spill that would say when the federal government purchase internet of things, certain Security Standards would have to be met. We have something we passed out of committee we might be able to work from and keep pushing on. So, just wanted to make that note. Thanks. I have one last question for aulding. And i will give everyone a chance to comment. But he mentioned the commissioner is recommending that most people transfer their data into the cloud. Again, makes a lot of sense. He would assume the cloud probably has the absolute best security versus smaller actors. But can you provide some assurance . Now, rather than a huge disbursement of this data across thousands of companies, were going to have all of our eggs in one or a few very large baskets that security is breached, it could represent a really big problem, make a really big mess. You address that aspect of it . Its an excellent point. It is something, for example, in elections in 2016, we looked at the decentralization of elections across the countries as a way of mitigating the risk of a nationally of a National Impact from hacking activity. Look, and, if you thats a good example, if you look carefully at that, particularly states and counties, particularly locations where there might be a close election, that decentralization doesnt necessarily buy you protection. It is an ongoing discussion about biodiversity, if you will, the diversity of systems and assets making it more challenging for the adversary. I think what weve seen is the adversary is able to overcome a lot of that. As weve seen these broad attacks, where it takes over webcams, hundreds of thousands of them across the country and around the world, millions, we realize that we are not getting as much benefit from that tissue. Network that distributed network. If you have secure cloud providers, you really can we have concluded increase your overall security of your systems. But that is key and that is the point we emphasize is our recommendation. You need to have standards, Security Standards for those Cloud Security providers. T recommendation of some kind of National Certification of the types of services. Thats exactly right, both the certification of the kinds of equipment folks will purchase , and the guidelines of making sure those providers meet the relatively high level of Security Standards. Thank you. Mr. Fanning, do you have some closing comments . Yes, sir, and german, thank you chairman, thank you so much for your leadership. Euro committee is doing the lords work here. We didnt talk as much in this hearing about the importance of the collaboration between the private sector and government. This isnt going to be a government led issue at the end of the day because the infrastructure is in the hands of the private sector. We need to join the obligation. There are important issues that arise out of that that are really different from the way we think about them today. One of the clearest examples is the continuity of the economy. The old model in our industry is liability. There was a cost associated with an outage and we can figure how reliable the equipment must be to prevent that cost. The notion of resilience says this is how my system operates under abnormal conditions, whether a hurricane, snowstorm, covid virus, or cyberattack. The only way we would be able to continue the economy and provide an american way of life we are all used to is for the private sector to pitch, not catch, and work with the federal government and the state and local governments, whether the Fusion Centers the governors themselves, for the state and local government, to really think about a different way to turn the economy back and get us back on our feet. This commissions report deals with these important issues, and it is really important to into consider the ramifications Going Forward. Thank you for your time. Appreciate it. Thank you. Miss spaulding . Thank you, mr. Chairman. I want to thank you for your leadership and giving us time to talk and answer your questions and. Talk about our Commission Report i think the outstanding leadership earlier and talk about our Commission Report. I thank the outstanding leadership earlier and talk about our Commission Report. I know our time at dhs, when he and i worked with the subsector coordinator counsel, which he has shared, is that he is somebody who has really gets this issue and is out there every single day trying to make sure our infrastructure, not just in electricity, but across other critical sectors, is going to be there when the American Public needed. This point needs it. His point is not an exercise in elimination. This is Risk Management. And resilience, the ability to be reliable, it is baked into the electric sector. It is such an important lesson for us to spread across this country as we talk about Cyber Security. But thanks very much. Thank you. Gallagher, you were up to the plate. Thank you for this opportunity. I would just like to add we view this much unique makeup as an asset with not only puts the participation, but how we can avoid the report collecting dust on a shelf summer. Your staffs have been excellent working with us, and our staff, we hope to continue that collaboration and partnership as we fight to get our recommendations in the national Defense Authorization act and other legislation. We are at your disposal in terms of what you need from us and our team as we debate these issues. Though we didnt solve everything, we debited to provoke a debate and build on the work youve done. Thank you for allowing us to talk about it today. Thank you, congressman gallagher. Senator king, youve got the basesloaded. Youre betting cleanup batting cleanup. Not get out of the park. Thank you, mr. Chairman. Were here because the nation is under threat. Were in the midst of the coronavirus crisis, unprecedented, no doubt about that. That is taking a lot of attention. But this threat hasnt gone away. In fact, its being magnified by this. The job we have now is action. We talked this morning and all of us on this hearing share an understanding of these issues and how important they are. But we have to communicate that to our colleagues. This isnt something academic. This is coming at us. Its not something that may come at us. Its coming out as today. Millions of times a day right now by malicious actors. Weve got a responsibility to move forward. Youve taken leadership on this issue. You talked about bills, it administrative subpoena bills. We need another word. Were seeking information for companies under attack. We talk about the need for national leadership, for some kind of coordination, for better resiliency, and also for a declaratory policy that puts our adversaries on notice, that they will pay a price for coming after the United States of america. We have the means, i think the Commission Report has given is important guidance. And now its up to us as members of congress and people from the private sector, who have made such a huge competition something. I dont want to walk away and say we had a great commission. It was a good report. 80 one recommendations, 57 proposals. We really didnt accomplish much. The onus is on us to make it happen. This committee has been on this for a long time. Support appreciate the you have already indicated it i look forward to working with you to get the details right, to work with the house, other committees and the senate so that we can take action here to defend this country that we love. Thank you, mr. Chairman. The attention you have given to the subject. Thank you, senator king. I complete agree with you. We have turned this report into action. I want to thank the four of you, all the other commissioners, all Staff Members who worked so hard on this. Your dedicated efforts and your very thoughtful recommendations. We will do everything we can to bring those to fruition. We are required to sign into law and get action. Thank you for all of your hard work. I concludes this hearing. The record will remain open. Mr. Chairman . Yes. I want to ask, a short talk. I apologize. Apparently he did not get that message. I didnt. Just a short thought i would like to add. Thank you very much. Our thanks. For what youve done on this project. We live extra ordinary lives. Here 20 years ago, [indiscernible] with some of our colleagues in the house of representatives. My father and my fathers mother, my moms brothers, certainly world war ii, a battle. Nazi. M, thanks to their courage, my life. Make this world a safer place from communism. A couple of months after i arrived in the senate, we suffered a terrible attack on 9 11. Hen, terrorism today, it is still a threat. Communism is not but security attacks, cyber threatens our security as a nation. Again, onto race tom keene i want to raise up tom keene. The external leadership. [indiscernible] thanks for your work. Cspans washington journal live every day with news and policy issues that impact you. Coming up this morning, we will talk about the federal response to the coronavirus pandemic with rita wilson. We will talk with adrian smith of the ways and means committee. Then a discussion of how the republican and democratic parties are preparing for nominating conventions this summer amid the pandemic with john ward. Jessica taylor on the key races in the battles for the senate this fall. Watch cspans washington journal live at 7 00 eastern this morning. Join the discussion. On capitol hill, social distancing guidelines remain in place as congress begins. The senate is back today at 3 00 p. M. Eastern to consider a judicial nominee to the u. S. District judge for arizona with the vote set for 5 30. The rest of the week they have more nominees to consider, including republican lawyer, james trade trainer to be a commissioner. For now the senate has no plans to take up the the three cholla dollar Coronavirus Relief package. The house of representatives have no votes scheduled this week but on tuesday during a short session, there will be a squaring in Ba Swearingen for two republican members. The reauthorization of pfizer fisa. Watch it on cspan and on cspan2. , sonny perdue talks about issues with the Food Supply Chain and Meat Processing plants. The Supplemental Program known as sna