vimarsana.com

Protection, and securitysecuri technologies will come to order. First of all, im sure speak for all of us here on the dais in expressing our deepest condolences to all of the family members and all of the victims of yesterdays tragedy in las vegas. Events like the one yesterdayic really demand the utmost humanity in response to such blind hate and evil, and hopefully will give us all a renewed sense of purpose today as we approach the task of the h day. The subcommittee is meeting today to receive testimony regarding the department of Homeland Security is Cybersecurity Mission. I recognize myself for an Opening Statement. We are here to today, at the start of National Cybersecurity awareness month, to discuss what i believe is one of the defining Public Policy challenges of ouri generation, the cybersecurityy posture of the United States. We have seen cyberattacks hit practically every sector of our economy with devastating impact to both Government Agencies ande the private sector alike, and its our shared duty to ensure were doing our best to defend against the very real threat our cyber adversaries pose. Y but make no mistake, the cybersecurity challenges we face are about much, much more than simply protecting bottom lines, or intellectual property, or even our nations most classified information. They also impact the personal, often irreplaceable informationt of every american. P this year, weve seen on a grand scale just how much damage can be done by a single individualee or entity looking to conduct a cyber attack. The equity fax breach shows that it takes only one bad actor and only one exploitable vulnerability to do something to compromise the information of 145 million americans. This is not the first cyber thtack that has garnered National Attention and, unfortunately, it almostt assuredly will not be the last. As the members of this panel and as our witnesses here today know well, there is no Silver Bullet or guaranteed technology to fix the cybersecurity problem. Techno rather, we need to be part of an ongoing, sustained, dedicated, persistent and comprehensive campaign to ensure the United States remains the worlds cybersecurity superpower. We will continue to need a sharp workforce, the collective efforts in publicprivate partnerships, and the leadership of our Government Agencies to leverage our resources and counter our highly sophisticated cyber adversaries. Coday, this subcommittee meets to hear from the government sop officials charged with meeting these Cyber Threats. Mittee these are the folks on the front lines day in and day out. Dhs is the federal governments lead civilian agency for cybersecurity, and within it, the National Protection and programs directorate, or nppd,in leads our National Effort to safeguard and enhance the resilience of the nations physical and cyber infrastructure, helping federal agencies and, when requested,re the private sector harden their networks and respond to cybersecurity incidents. Nppd partners with criticalden t infrastructure owners and operators and other Homeland Security enterprise stakeholders to offer a wide variety of cybersecurity capabilities, such as system assessments, Incident Response and mitigation support and the ability to hunt forem malicious cyber activity. This collaborative approach to mitigating Cyber Incidents isor meant to prioritize meeting the needs of dhs partners, and is consistent with the growing recognition among government, academic and Corporate Leaders that cybersecurity is increasingly interdependent across sectors and must be ate core aspect of Risk Management strategies. This committee has been workings hard to ensure that nppd and dhs in its entirety has the necessary authorizations and organization it needs to combat growing Cyber Threats. Dhs needs a strong and sharp workforce than an efficient organizational structure to support both its cybersecurity and its Infrastructure Protection missions. Earlier this year, this committee marked up and passed h. R. 3359, the cybersecurity ann Infrastructure Security Agency act of 2017 to reorganize and threngthen nppd. As the cyber Threat Landscape continues to evolve, so should dhs, and in doing that, h. R. 3359 is the tool well use to bring nppd to a more visible role in the cybersecurity of this nation. As a committee, and as a congress, we have taken important steps in the right direction with legislation on information sharing, modernizint the federal governmentse rig information technology, and in getting our state and local officials the cybersecurity support they need. Some of these programs have been years in the making. Realtime collaboration between the government and the private sector is a lofty and worthwhile goal. Through the automated indicatorn sharing program, or ais, dhs has been partnering with industry tr create and enhance that broaderg informationsharing environmenta and weve made progress in the right direction. Try to while we know that proactive information sharing is only as good as the information being provided, that type of relationship can only be made possible with a Strong Foundation of trust. Im looking forward to a robuste discussion today, not only about how the department can be best organized and equipped to ensure that we are leveraging the resources of the federal government towards this immenser challenge, but also how the government can forge and grow the necessary partnerships to achieve greater cybersecurity t for our nation. We have to get this rightsary because new technologies, the internet of things, driverless cars, artificial intelligence, and quantum computing, are rapidly evolving. We need to be securing at the speed of innovation, not of bureaucracy. Because we are in an era that requires flexibility, resiliency and discipline and i hope i will hear those values operationalized in the forthcoming testimony. Cyberspace plays an increasingly dominant role in the fabric of our society, and it will take continual collaboration across the public, private, international and domestic spaces to keep making the advancements needed to prioritize cybersecurity for our country. I know this is a responsibility that everyone on this subcommittee takes extraordinarily seriously, and i look forward to the discussion today with our witnesses. The chair now recognizes the t ranking minority member of the subcommittee, the gentleman from louisiana, mr. Richmond force Opening Statement. Thank you, mr. Chairman. Good morning. Please were kicking off cybersecurityin awareness monthy talking to the department of Homeland Security about its Cybersecurity Mission and how congress can help ensure dhs ist wellpositioned to protect Critical Infrastructure from Cyber Attacks. Before they can, however, i would like to send my condolences to the families of victims sunday nights horrific shooting. To the survivors, your you in r thoughts and prayers here to the brave First Responders who ran into danger when everyone else was running away from it, were grateful. The democrats on this committee has said this before but it bears repeating. At some point will have to come together and enact sensible gunt legislation. And and as the congressman representing new orleans i cannot sit silently as the president consults the routine survivors of puerto rico, andep the san juan mayor who is trying to help them. Ive been through katrine and i know what its like when youree at your most vulnerable moment and youve lost everything. And what youre looking for ist assistance because its beyond your capacity to respond to a storm of that magnitude. So having seen people grieve the loss of their homes and businesses and struggled to peace their lives back together, i can tell you the last thing the people in puerto rico and the Virgin Islands need our in insults. I urge the president to take a break from twitter, roll up his sleeves and get to work. Turning to the issue at hand, as an agent of represent new orleans which a significantsleee Energy Sector assets. Last month we heard disturbing reports of a new wave of efforts to reach Energy Sector networkss in the United States. According to symantec, in some cases hackers achieved unprecedented access toachiev operational systems. In light of these reports im interested to know how the department of Homeland Security and the department of energy are working together to secure Energy Sector networks and make them more resilient. Additionally, as a member of this committee and the Congressional Task force on Election Security, im eager to hear about dhs is activities to secure our election systems. Although the administrations commitment to the Critical Infrastructure designation appeared to waver earlier this year, i was encouraged when acting secretary duke told Committee Democrats last month that there are no plans to resend the designation. With that comment i look for during about the progress dhs is making to help state and localat governments security election infrastructure and whether the department has adequate resources to carry out its responsibilities in that space. For example, i understand theres a ninemonth wait for a risk and Vulnerability Assessment, and that some secretaries of state have complained about the lengthynd clearance process for electionas officials. I am concerned these challenges may deter some states, particularly those i started a Critical Infrastructure designation come from taking full advantage of the resources dhs can bring to bear. To that point, dhs has struggled to build some of the relationships necessary to execute its Election Security mission. Although ive heard dhs is making progress in this regard, i am concerned mistakes made notified certain secretaries ofg state that their election infrastructure has been targeted, though it had not been, maeve undermined the trust that dhs has sought to build. I will be interested in learning what do you need from congress to address election infrastructure request more quickly and build trust within the election infrastructure community. Finally, when ms. Manfra, testified in march i asked what i could expect the dhs Cybersecurity Strategy. The strategy required pursuant to legislation offered wednesday march 23 to it still has not been submitted to congress. I understand the Trump Administration did not fill leadership positions relevant to the execution of dhs, Cybersecurity Strategy with any real sense of urgency, and ongoing vacancies may be contributing to the delays. But the strategy six months overdue, and that is not acceptable. With that, mr. Chairman, i yield back the balance of my time. Thank the gentleman. The chair now welcomes and recognizes the chairman of the full committee, my colleague from texas, mr. Mccaul for any Opening Statement that he might have. Thank you, chairman ratcliffe or i would also like to extend my thoughts and prayers to the victims and family members of the horrifying tragedy in las vegas. I am hopeful that as americans, we can come together and prevent such violence from happening again. Im pleased to be at this important hearing today with our distinguished guests here at this hearing. Americas National Security is r continually threatened by islamist terrorists, tyrannical regimes building and proliferating weapons of mass destruction, and human traffickers and transnational gang members like ms13 who stream across our border. These threats are well known, and we need do everything we can to stop them as we see them coming. Members, however, we also find ourselvesl in the crosshairs of invisible attacks in a sustained cyberwar from nationstates and other hackers. And as we become more and morers reliant on computers and smartphones in both our personal and professional lives, everyone is a potential target and sadly, many of us have already been victims. Become over the past few years we have seen many successful largescale cyberattacks take place. In early september, hackers wer. Able to breach equifax, a credit reporting agency, gaining access to Sensitive Information on as many as 143 million people. In 2016, we know that russiaiato tried to undermine our electoral system and democratic process and in 2015, we learned that china stole over 20 million security clearances including mine. And and probably some here at this dais. These kinds of violations are simply unacceptable. I am proud to say that over the last few years, the committee on Homeland Security has recognized these threats and led the charge to strengthen the defense of our nations networks. In 2014, we enacted severalre important bills that empowered dhs to bolster its workforce, codified dhss cyber center, and updated fisma for the first time in 12 years. A year later, the cybersecurity act became law, which enhances information sharing and makes te dhs the lead conduit for cyber threat indicators and defensive measures within the federal invernment. While information sharing has come a long way, the Wannacry Ransomware attack recently illustrated just how important and beneficial those relationships are. Just last week rob joyce, the cybersecurity coordinator at the white house, noted that we need to find a way to provide the private sector with more expansive access to cyber threat information in a controlled setting; something i believe we need to strengthen. Moreover, issues relating to the sharing of classified information with the privatecces sector, like accrediting scif space, granting security clearances to key personnel, anw enabling consistent twoway communication, are issues we arl looking at closely. In other words, we have made progress in the way indicators are shared but i want to examine if we can do more regarding the overall sharing of classified information. Made earlier this year, i was pleased to see President Trump issue an executive order to strengthen the cybersecurity of federal networks and Critical Infrastructure. Going forward, i am hopeful thao the house can advance secur legislation that i have introduced to elevate nppd as a Standalone Agency and better support the Cybersecurity Mission at dhs. This month is National Cybersecurity awareness month, a time to learn more about these threats and offer ideas on how we can best secure ourselves against these growing threats. While we have had some success on this issue, we must do more. O our cyber enemies, including terrorists, are always evolving looking for new ways to carry out their next attack. Fortunately, this is an issue that transcends party lines. Its not a republican or a democratic issue. Lets Work Together to make ourr cybersecurity strong and keep the American People safe. I would like to thank todays witnesses for their time and their service. A very important component of the department that often, as i mentioned in my opening, with focus a lot on counterterrorism, on the board and other thingss that i consider this mission the department has to be one of the most important that this nation faces. So i look forward to the conversation about our congress and the executive branch can Work Together and how we can work with leaders in the private sector to enhance the nation can cybersecurity. With that i would like to get back to the chairman, and if i may, submit my questions for the record. Thank the chairman, and the chair now welcomes and recognizes the ranking minority member of the full committee, the gentleman from mississippi for his Opening Statement. Thank you very much. Good morning. Id like to thank chairman ratcliffe and Ranking Members richmond for holding todays hearing to examine the work dhsg is doing to shore up our nations cyber defenses. There is no doubt that our country is facing an evolving array of Cyber Threats. As we stand here today, enemies are thinking of new and novel ways to strike at everything from banks to hospitals and chemical facilities. Nefarious actors even want to disrupt some of our most basic institutions. Last year we learned our nations election system serve as a new frontier for Cyber Attacks. Ti with every passing day we learn of new ways cyber operatives are looking to exploit everything from the media we consume to the databases that store Voter Registration data. Inthis country theres nothing t more sacred than the ability to engage in civic activity and cyber criminals are seeking to undermine our democracy. Furthermore, as i watched the devastation unfold in texas, florida, order rico and the Virgin Islands, i am reminded of the fragility of our systems. Disrupting the systems we rely on for power, fuel, food and water and be deadly, regardless of whether its caused by cyberr attack or a natural disaster. In short, the Digital Network we rely on for our daytoday life are facing a multitude of threats. To respond to these threats, congress has put its trust in dhs over the past few Years Congress by way of this committee has consistently expanded dhs is Cybersecurity Mission, giving the department a key role in securing federal networks as well as the systems that support our nations Critical Infrastructure. The department made huge strides in admitting these new authorities, including by standing up an Automated System to share cyber threat data and advising the new election infrastructure subsector on how to promote cyber hygiene with election ministers throughout the country. We cannot, however, expect dhs to carry out these responsibilities with both hands tied behind its back. To be successful the Department Needs adequate resources, a robust staff, strong leadership, and clear strategy. Unfortunately, this administration has been gravely unfocused when it comes to cybersecurity. Tegy. President trump falsely promised to deliver a comprehensive plan to protect americas vital infrastructure from Cyber Attacks on the first day in office. It took months with the president hepresident to get aroo issuing an executive order on cybersecurity. Also, a quarter of the 28 person National Infrastructure Advisory Council resigned in protest of President Trumps insufficient attention to Cyber Threats. President trump floated the idea of an impenetrable cyber unit with russian, at the same time members of his administration were considering and ultimately deciding to ban the use of products on federal networks. Within dhs the chief Information Officer resigned after serving only four months, and the National Program and protection directorate, the departments main cyber arm, is still operating without a permanent i undersecretary. Whether the men and women in this room are willing to acknowledge in an open setting that they are struggling without this leadership, we can be certain of these gaps are making their job harder. I look forward to hearing from the panel today about how the department is carrying out its cyber mission, and i hope thatrd you will be candid with us aboua the obstacles you face. Indeed, if there are areas where you need additional resources, or legislative clarity, tell us how we can help. H im especially eager to hear from ms. Hoffman about how dhs works with one of its key partners in securing Critical Infrastructure, the department of energy. With that, mr. Chairman, i yield back. I think the gentleman. Other members of the committee are reminded that Opening Statements they be submitted for the record. We are pleased to have distinguished panel of witnesses before us today on this very important topic. Mr. Christopher krebs is the senior official performing the duties of the undersecretary of the National Protection and programs directed at the United States department of Homeland Security. Great to see you today, mr. Krebs, great to see you in your new role at dhs. Ms. Jeanette manfra is of the assistant secretary cybersecurity and communications in the National Protection and programs directorate at dhs. Also great to have you back before our subcommittee, ms. Manfra. And finally, ms. Patricia hoffman is acting assistant secretary for the office of electricity delivery and Energy Reliability at the u. S. Department of energy. Thank you for being with usty at today. I would now like to ask the witnesses to stand, raise your right and so i can swear you in to testify. Witnes [witnesses were sworn in] give let the record reflect each of the witnesses has answered in the affirmative. You may be seated. The witnesses told written statement will appear in the record. That shared a recognizes mr. Krebs for five minutes was Opening Statement. Chairman ratcliffe, Ranking Member richmond, ranking them for thompson, millers of the committee, good morning thank you for todays hearing. In this month of october we recognize National Cyber student awareness month, a time to focus on how cybersecurity is a shared responsibility that affects all americans. The department of Homeland Security through is a Critical Role in safeguarding and securing cyberspace, a core element emission. I want to begin by thanking committee for taking action over some of the Cybersecurity Infrastructure Security Agency act of 2017. If enacted this legislation would mature instream on the National Protection and programs directorate or nppd, and rename our organization to clearly thelect our central mission. The department some support this muchneeded effort and a gorgeous swift action by the full house and senate. Nppd Mission Statement is clear. We lead the nations ever to ensure the security of the h science of our cyber and physical infrastructure. Ea we collaborate with other federal agencies, state, local and tribal tail governments and, of course, the private sector. Our three goals are as follows. Secure and defend federal networks and facilities, identify and mitigate Critical Infrastructure systemic risk, incentivize and probably enable enhanced cybersecurity physical practices. No question this is an expansive mission. Broadly enable Cyber Security practices. No question this is an expansive mission. Im proud to share with you the tireless efforts of so many at nppd. The targeting of our elections, intrusions into energy and nuclear serkt. Harvey, irma and, maria. As threats to our Critical Infrastructure evolve, were partnerring with owners and operators throughout the country. The security is truly a shared responsibility. Todays hearing is about dhss Cyber Security mission. Earlier this year the president signed an executive order on strengthsen the Cyber Security on Critical Infrastructure. This set in motioning a searase of of undeliverables to lower our risk. Dhs working with federal and stieb oar partners. Across the federal Government Agencies have been implementing the agency standard. Agencies are reporting to dhs and the office of management and budget on the Cyber Security Risk Management. Dhs and omb are investigating. In addition to our efforts to protect federal government networks, were focussed on how government and industry Work Together to protect the nations Critical Infrastructure. Were developing an inventory of authorities and capabilities. Were prioritizing entities at greatest risk of attack that could result in catastrophic consequences. We call this our section nine efforts. Let me discuss our continuing efforts. Facing the threat by Foreign Government during the 2016 elections, dhs conducted unprecedented outreach and Cyber Security assistance to state and local Election Officials. It included indicators of compromise, technical data and best practices. Before and after election day, we declassified and shared information related to russian malicious cyber activity. These steps have been critical to enhancing awearness among election ofilthszs and educating the american public. The designation of Critical Infrastructure is Critical Infrastructure provides a foundation to institutionalize services and supported. Were working to develop local information, sharing protocols in establish key working groups. Yet, there is more to be done and we shall not waver. In the face of increasingly sophisticated threats, nppd is focussed on defending our nations critical inhad frustructure. Technological advances such as the internet of things. However, they also increase Access Points that could be leveraged to gain unauthorized access to networks. We must integrate cyber and physical risk in order to effectively secure our nation. Expertise around Cyber Security risk and interdependentancies today and i look forward to your questions. Iq, mr. Krebs. Capabi ms. Manfra, you are now recognized for five minutes. Chairman ratcliffe, rankingiz member richmond, Ranking Member thompson, members of the committee thank you for holding todays hearing. I also want to begin my testimony by thanking this committee for taking action earlier this summer on the cybersecurity and Infrastructure Security Agency act of 2017. A name for our organization that reflects our mission is essential to our workforce, recruitment efforts and effective stakeholder engagement. We must also ensure nppd is a properly organized to addressin cybersecurity threats both now and in the future and we appreciate this committees cyber leadership. Cyber threats even one of the most significant Strategic Risk for the United States. Cyber risks threaten our National Security, Economic Prosperity and Public Health and safety. Our adversaries cross borders at the speed of light. Over the past Year American side has persistent threat actors including hackers, criminals and nationstates increase in frequency, complexity and and sophistication. In my role at dhs i had the Departments Office of cybersecurity and medications which includes our 24 7 watch center and operations, theatio National Cybersecurity and communications integrationns center. Our role goes live three work streams, instrumenting Agency Networks through the deployment of sensors, assessing and measuring agency bold abilities and risks as well as Critical Infrastructure, and directing and advising actions that federal agencies and Critical Infrastructure entities can take to better secure their networks. As you all know the nccic is a civilian government for cybersecurity information sharing acid Incident Response in coordination for both Critical Infrastructure and the federal government. As my colleague noted we are emphasizing the security of federal networks. Nppd assistant to federal agencies includes first providing tools to safeguards of the executive Branch Networks through our National Cyberiding Protection System and the continues diagnostic mitigation programs. Second, measuring and motivating agencies, and third, serving as a hub for information sharing and incident reporting, and finally providing operational and Technical Assistance. Einstein, the sensitive flood of a part of National Cyber Protection System refers to the federal governments suite of intrusion detection and prevention capabilities that protects agencies and classified networks at perimeter of eachdet agency. Hat today einstein is a signature based intrusion detection and prevention capability that takes action on known malicious activity. Our nonsignaturebased pilot efforts to move your signatures are yielding positive results. These capabilities are essential to discovery of previous unidentified vicious activity. We are demonstrating the ability to capture data that can rapidly be analyzed for anonymous activities using technology from commercial, government and openb sources. Nominized using technologies from a commercial government and open sources. Theyre defining future operational needs as well as the skillsets and personal required to the nonapproach to Cyber Security. Einstein is our tool but it will not detect or block every threat. Therefore, we must compliment it with sishms and 25089s inside the Agency Networks. These tools are enabling agencies to manage risks across their entire enterprise. At the same time these tools are going to proprime dhs. Through a common federal dashboard. Nppd is working with our interagency partners. Are those systems going to cause a Significant Impact in the United States. We conduct Vulnerability Assessments. To determine how an adversary would penetrate a sism to access Sensitive Data and without being detected. Protecting them before an incident occurs. When necessary the department is also taking targeted action to address specific Cyber Security risk through the issuance of finding operational directives. Were working to enhance cyber across the globe. They prokekt ursystem. By bringing together all levels of government, International Partners and the public, were taking action to protejt against Cyber Security risks, enhance information sharing on best practices and Cyber Threats and to strengthen resilience. I look forward to any questions ms. Hoffman, you recognized for five minutes. Chairman ratcliffe, Ranking Member richmond and members of the subcommittee, thank you for the opportunity to discuss the continuing threats facing our Nation Energy infrastructure and the department of energies role. Cybersecurity and resilience at the Energy Sector is one of the secretaries Top Priorities and a major focus of the department. The department of energy is at the Sector Specific Agency for cybersecurity of the Energy Sector. D. O. E. Works with dhs and join with other agencies, the private sector organizations for a whole of government response to Cyber Incidents by protecting assets and countering threats. In addition, the department of energy serves as the lead agency for Emergency Support function 12, which is energy, under the National Response framework. D as the lead, the sf 12 responsible for facilitatingle restoration of damaged energy and infrastructure. The Department Works with industry, that all state and local partners to facilitate response from recovery. Combining d. O. E. His role as fo cybersecurity with National Response activity injures incidents both side and physical impacts are recorded in the Energy Sector. At this moment in time i would like to acknowledge the secretary does express his support for the victims of hurricane harvey, irma and maria. I would also like to express my gratitude for all the utility workers that have been working very hard in the region for restoring power. Er in extreme cases the department can also use its Legal Authority as those in the federal power act as amended by the fixing america surface transportation act to assist in recovery operations. Congress enacted several important new Energy Security measures in this act as relates to cybersecurity. The secretary of energy was provided emergency, was provided a new authority upon the declaration of a emergency by the president to issue emergency orders to protect or restore critical electric and Critical Infrastructure or defend critical or electric infrastructure. This Authority Allows d. O. E. To respond as needed to the threat inucyber and physical attacks to the grid. D. O. E. Has collided with the Energy Sector for nearly two decades and voluntary publicprivate partnerships that engage owners and operators at all levels are technical, operational, and executive. Along with state and local governments, to identify and mitigate physical and cyber risks to the energy systems. In the Energy Sector the core partnerships have consisted with electric Sector Coordinating Council and the oil and gas coordinating council. In these meetings interagency partners including dhs, states, International Partners come together to discuss important security and resilient issues for the Energy Sector. The electric sector specifically has been very forward leaning and aggressive in trying to address cybersecurity issues. D. O. E. Plays a Critical Role in supporting the Energy Sector cybersecurity by building in security. Specifically weve been lucky building capabilities in this sector in three areas. The first area is preparedness, enhancing the visibility and Situational Awareness and Operational Networks as well as i. T. Networks. Nal increasing the alignment of cybersecurity preparedness across multiple states and federal jurisdictions. Response recovery activities in supporting the whole of government effort, and leveraging the expertise of the department of energy is National Labs to drive cybersecurity innovation. Threats continue to evolve the d. O. E. Is working diligently to stay ahead of the curve. The solution is an ecosystem of resilience and works in partnership with state local and industry stakeholders to advanca best practices, strategies and tools. H to accomplish this with a six hour information sharing tos. Better inform local investment decisions, encourage innovation and the use of best practices to help raise the Energy Sector Security Maturity and strengthen local Incident Response and recovery activities. Especially for the participation of Training Programs and. Exercises. I appreciate the opportunity to be a before the subcommittee and represent one of the sectorpr specific agencies and the Energy Sector cybersecurity capabilities. However, i would be remiss not to take a moment and stress the interdependent nature of our infrastructure and requires all sectors to be constantly focus on improving their posture. So d. O. E. Looks forward to continuing to working with the federal agencies to share best practices and build a defense in depth. So with that i would like to thank you for being here today and look forward to answering your questions. Thanks, ms. Hoffman. I now recognize myself for five minutes of questions. Ms. Manfra, i want to start with you. Ec you mentioned einstein and cdma and your testimony and the role they play in securing federal networks. What to give you an opportunity to provide some public clarity and limitation of cdm specifically. Can you give us some idea of how many departments and agencies have fully implement it cdm phase one and am an Agency Dashboards are up and running, is the dhs dash were up and running, and give us some perspective on that. Yes, sir. Thank you for the question. Cdm, we are in the process of deploying both phase one and phase two. Phase one being focus on hardware, software, asset management, identify what is on the networks integral to the agencies, and phase to look at who is on the networks. So dealing with issues like access and identity management. We can get back to you with the specific numbers of agency deployment. Ag they are all in various stages of deployment. We have made it available to all agencies but each individual agency is in a different stage of deploying. We are nearing 20 agencies that have an Agency Dashboard up and running, and this month, the department of Homeland Security will be standing up the federal dashboard. So that will be receiving feeds from those Agency Dashboards. That will then allow us to have more near realtime understanding of that sensor, what those centers are identifying of those Agency Networks and allow us to better prioritize Vulnerability Management for agencies. Terrific, thanks. One of the of the points i want cover today was last week the weo came out with a fairly critical report on the current state of federal cybersecurity. One of the most would appear to be most troubling aspects of that was a statistic that only seven of the 24th cfo act agencies and programs within any functions, considered effective per the trento standard for cybersecurity control. That doesnt sound very good. I want to give either you, mr. Krebs, or you ms. Manfra, the opportunity, as a talk about the cybersecurity posture of the dot gov, reconcile that with the gao report. Sir, i think that we have, we learned a lot over the years about Agency Capacity to managee cybersecurity risks and the resources they have to do so. I can say agencies have securit prioritized the management of the cyber risk at their highest level across the government. D what we learned in both the deployment of cdm, engagement in partnership with omb in making agencies is that there remain some significant gaps. We have built over the last couple of years and are i continuing to build Technical Assistance capabilities, things like design and engineering, architecture reviews, helping agencies getting much more indepth insight into the networks and providing them with a greater level of assistance both engineering and on the government side to help them ofi address their often very complicated networks with the limited resources we have here we do see a lot of potential for cdm in the ability to deliver tools at a lower cost across a agencies, and this is the first time that many agencies have ha access to this level ofs have automated data to understand what is on the network. And so we see a lot of potentia for this, but for many agencies theres a lot of capability that has to be built and will continue to take advantage of things like shared service, more capability from dhs to deploy to agencies who need it most. So you just comment about shared services and resources. I want to followup on that a bit because i think its a book to look where we are but also look to where we are going. And so looking forward a bit, how do you see dhs federal Network Protection tools evolving past, say a saynaturebased Threat Detection tools, and particularly where my conversation with the administration and the cybersecurity advisors to the president really putting emphasis on Cloud Computing and shared service, shared i. T. S services and resources. So i guess in a sense what is the einstein future generation 10. Oh look like . Im not exactly sure what einstein 10. 10. Oh will look le it but i can tell you where we n are looking to evolve. As agencies, the presence Key Initiative around modernizing i. T. And us nudges the technology. There are large challenges with Legacy Technology but we need to modernize the way we govern and procure. No as we do that we are working very closely to modernize our security processes. M lastly take advantage of things Like Cloud Services we ensure that we are modernizing ourit security approach but also not losing the inside that we haveve into traffic, either internetworks are in and out of Agency Networks. Importantly, we learned on cdm some key lesson from the first phase of deployment. We now have a new contract vehicle in place that will enable the deployment of cloud and mobile Security Technologies in addition to the on premise sensing capability that we have right now. We are evolving. Capare building on what industry is learning from behavioralbased detection methods, and weve had some successful pilots and look berward to continuing to build that capability. Terrific. My time is expired. The chair now recognizes mr. Richmond for his questions. Ms. Manfra, mr. Krebs, either one, you all know that by the legislative the call forqu departmentwide cybersecurity derategy within dhs. That strategy and report was due in march. We still dont have it. Whats the status of it . And if you run into problems in getting it done, what are those problems . How can we help . Thank you for the question. The office of policy has quesi strategy. It rolls in components across the department between the secret service, ice, Homeland Security investigations, u. S. Coast guard, Transportation Security Administration as well as nppd. While we dont necessarily lead the development of the strategy because it is a departmentwide strategy, we are a significant player. To speak to the status of the strategy itself, my interest in where it sits is influenced by the president s executive order 13800 that was released back earlier in the spring. That report puts dhs at the front or in the lead for almost all of the reports particularly in the first two in the fourth work stream. Federal networks, Critical Infrastructure and cyberourth workforce. So while those reports and assessments are underway they are anticipated to have Significant Impacts and some of the priorities perhaps of theth department including nppd. I believe the decision onon finalizing the strategy has been to lets get to the cybersecurity assessment related to the eo as well as the administrations anticipated National Security strategy, National Security Cybersecurity Strategy that are expected in the next several months, and then when we have a broader understanding of where the department is going, that will then feed into the cybersecuritt strategy. That said, rolling at all back to the requirement in the ndaa i that you offered, it is still as a priority to finalize that, report. St that said, as a department we are moving forward with a number of our priorities. I do want to touch on a couple of things mentioned early. As a senior official performing duties of the undersecretary, what we do not have a permanent undersecretary for nppd, i i hae been authorized and then given a very clear direction by acting secretary duke to move out andma execute every aspect of nppd. So while we didnt have a permanent undersecretary right now, i have all authority that i believe i need to execute the departments mission within nppd. With regards to a strategy, i would talk about in terms of report, let me just take that aside. Do we have departmentwide strategy with how were going, how we deal with cybersecurity . And i need challenges that were going to continue to face in the near future. My understanding is that there is a departmentwide Cybersecurity Strategy in draft form, yes, sir. So again, i dont want to get into the wheat. I just saying are you all operating with some comprehensive strategy on a daytoday basis to protect the cybersecurity . Y . I understand, yes, sir. Going back to my opening remarks i indicated nppd is in the lead for ensuring the nations Critical Infrastructure outside as good a physical threats. I mentioned at the top go which is securing our facilities. For me and with the assistant secretary man for, that is at the very top of our minds and recently. The second piece is securing identifying and mitigating systemic risks across the infrastructure, the nations infrastructure. When i think about that i think about section on Critical Infrastructure greatest risk. Os bottom also putting election infrastructure integrate as i mentioned, that for me is the number one priority for nppd are Critical Infrastructureng perspective. We cannot fail there. Third and finally is enabling and incentivizing better security practice across the broader Critical Infrastructure community to include state local, small and mediumsize businesses. Ms. Hoffman, theres been a great deal of concern among national could experts that russias goal in disrupting the ukraine power supply 2015 and 26 he was to test its capabilities in preparation for larger attack on the United States. Last month we learned that russia may been responsible dragonfly 2. 0, which exploited and targeted some of our Energy Sector. Which how was the Energy Sector responding and what is their capabilities to prevent a widespread attack . With that i yield back. Thank you, congressman, for the question. Ukraine attack was a very much an eyeopening event for the Energy Sector, and the Energy Sector specifically, the electric sector got very e organized in recognizing we had to continue to step of our Continuous Monitoring capabilities, our ability to detect behavior on the system but also building inherent protection and as we develop new technologies. Recognize that the core of anything is protecting against spear phishing and passwords and credentials, and thats starting to really go after where do we need to be with respect to preventing an attack from occurring on the system. Weve been working actively witr electric sector to build some tools and capabilities and for protections of their system. The chair now recognizes the gentleman from new york, mr. Donovan, for five minutes. Thank you, mr. Chairman. I would just like to ask one question of all of you. In 2015, Congress Passed the cybersecurity act, and in 2017 we passed the cyber and Infrastructure Security Agency act, and the president also issued an executive order back in may to strengthen ourture abilities. What do you guys need . What can congress do to help you protect our nation, our federal agencies, our private entities . As mr. Richmond said, our energy industries. What do you guys need from us to help you protect our nation better than we are able to douys now . Thank you for the question. Er the very first thing i would start with is come as you make in the cyber scared andld Infrastructure Security Agency act of 2017, passing at a full committee was a significant step forward. What we need is quick action by the full house and the senate. Let me give you ample anecdote about why thats important. That bill will give us three things. One, it will allow us to introduce some operational efficiencies, looking at, infrastructure across thecienci organization, pushed them together so that we are more c streamlined at how we engage and deliver services from a Customer Service orientation. Second, it will help with our si branding and clarify roles and responsibilities, not just within nppd but more important with our federal, state andes local partners and the private sector. Ly and finally what thats going to do is give us the ability to attract talent. I think we talked about workforce. We talked about hiring and abou partnership. But on the clarity of roles and responsibilities, let me talk about that. Ive been down to puerto rico in the last, twice in the last week. T i was there last monday, and then i was there last friday with acting secretary duke. On friday meeting with the acting secretary duke, the governor and his key staff, we were discussing a number of other Critical Infrastructure challenges in puerto rico. When it came around to me iturec talked about the communications infrastructure. As you all know the National Fumigation center resides within the office of cybersecurity andt communication. When we talked about the status of things, what i was talking about was how we are assisting the communications carriers, whether its at t, sprint, tmobile, verizon, helping them get back in and prioritize delivery of temporary sprint, capabilities, wheels, light trucks, to help temporarily pop up the key medications coverage but at the same time helping them get resources in for celle towers. As i briefed out where we were on helping those Companies Get resources back in, i introduced myself as the senior official perform the duties of the undersecretary for the National Protection and programs directorate. Now, try repeating that back to its not easy. Someone would never heard that before immediately went on, to t press interview and alongside the tsa administrator, ice, none of the coast guard, effective Homeland Security, the fema regional administrator, she said we add fema, tsa, coast guard and the communications guy. Sa she doesnt know how to describe me. She doesnt know how to describe me, when im out engaging my stakeholders, they dont understand the mission i deliver. I need help clarifying that and providing very up front clear what i do and what my team delivers. That is a significant advancement. Any help i can get there, please help me out. More broadly in terms were in stock taking where the department sits in cybersecurity. There are significant authorities that come to bear in the event of a great incident. Dhs has authority in terms of information response and sharing. Thank you to those authorities. Going forward were not quite sure what we need. I tell you this, the Cyber Security threat is not going away. We need to be staffed, were not going to use Less Technology Going Forward, as you had indicated earlier we are going to the cloud. We are going to share services. Were going to be relying on the crosscutting capabilities in the Internet Technology sector. We need to ensure from a digital defense perspective we have what we need. We welcome that conversation and you can believe that youll see me again and we will be talking about that. I have two seconds left. Would you contribute, please . Yes, sir, very briefly, just to compliment what chris talked about, were working within the federal government to understand what what is the full breadth of our authorities. How can we lean into the existing authorities that you have to deploy more capability with the Critical Infrastructure sectors, were working to understand, now that weve identified these both critical assets at greatest risk, are there legal and operational and policy hurdles we need to address to assure we have appropriate authorities in place and we work with you for this analysis. Please dont wait. Mr. Chairman, i yield back the time i dont have left. Thank you. The chair recognizes the gentleman from mississippi, mr. Thompson. Thank you, mr. Chairman. The last two speakers have talked about being resourced and staffed from an agency standpoint. Last march we held a hearing talking about staffing at the department. Can you give us the number of Unfilled Positions in the Cyber Division right now . Sir, we are currently staffed at 76 of our fully fund funded. So were 24 under. Can you tell us why we are understaffed at this point . Yes, sir, there are a variety of reasons. The first largely thanks to the work in this committee and our appropriations staff in congress in building the billets are that allocated to my organization, we have grown significantly. Weve worked very hard to build according to those to that great in billets, weve had some challenges. Weve worked with our management colleagues and Human Capital colleagues to identify areas where we can reduce the time to hire. I can say looking at statistics, from physical year 16 to fiscal year 17 weve reduced the time to hire by 10 . Many of these requirements have to do with security clearances. It does take a long time to process people through that security clearance process. Weve made significant process. Weve worked with our Security Office to find ways to continue to shorten that. Were also diversifying our recruitment path looking at the scholarship for Service Cyber core program its been a great pipeline to bring after the government has scholarships, bringing these individuals in as interns and hiring them fulltime, theyre already fully qualified for our direct hiring authority and look at other programs, pathways, and following other recent graduate programs. We are looking at partnerships with industry where they yes, sir. I dont mean to cut you off, but, so, is the problem we have too many programs to task people to or im just trying to find out why when we give you the authority to hire, why weve not been able to come closer to whatever that authority is and is that something we need to do to get you to that point . Sir, ill separate the authority that we were given by congress to build an accepted Service Program. What i was referring to was, i did not believe a couple of years ago we were fully leveraging the authorities we already had and the programs that we already had to bring people in and tightening the time line that it takes to bring people on. The accepted Service Program is led by our chief Human Capital officer. I know this is a half priority for her. We did not go to appropriately expedite the development of that program four years ago. We have now done so. Its my understanding we will now be able to hire against that Program Beginning in fiscal year 19, but theres a regulatory process that we have to do. Just for the sake of the committee, can you provide us with a timeline between when somebody whos considered for employment and when that is completed . Is it get back to us. Yes. Whether its three months, six months, a year . I think that would be instructive for us so we can kind of see if theres whats involved. The reason i say that, i think that all of us are constantly bombarded by people looking for Employment Opportunities and if we have potential opportunities here, is it something we are not doing, were not going out recruiting and just what, we just need to kind of figure something out. Right, and i do if i could, sir, just clarify. The 76 is just indicating people that are on board right now. If you include the people that are in the full pipeline, that brings us about to 85 . And for us, were averaging 224 days to hire. That sounds long, but that is to include a top secret fbi clearance process, which is actually a fairly, for the benchmark of the rest of the government were doing quite well. We want to work with you, sir, well come back with you. Please get back. Yes. Mr. Krebs, we have a Congressional Task force on Election Security and we made a request of the department to provide us a classified briefing around this issue and weve been told that it has to be bipartisan. That you cant just brief democrats. Are you aware of that . Sir, im not aware of any existing policy. Let me say this, i share your concern o on election infrastructure and i want to say directly to you as well. Its my top priority at the department. If we cant do this right and dedicate every as set to assess our state and local partners, frankly, im not sure what were doing daytoday. In terms of what weve done we are prioritizing delivery of those briefings, information sharing to our state and local partners. Were doing it in a bipartisan manner, and we should pull in the same direction. Going forward, i would encourage any additional briefings that we have provided a series of bipartisan briefings to the Homeland Security committee, both classified and unclassified. The real crux of this issue, the underpinning issue here is a trusted relationship. Now, do sir, i appreciate it, but we have established a working group within the democrats on a committee and were just trying to get a briefing. So, i think its nice to say i dont want to brief you because there are no republicans, but were members of congress and all were trying to do is get access to the information, and if your interest is there, im convinced youll provide it and thats the spirit in which the request was made. So, well make it again. Yes, sir. And look forward to you coming back and just bring us what information you have as members of congress and thats all we ask. Thank you. I yield back, mr. Chair. Thank you. Thank you, Ranking Member. Chair now recognizes jim from virginia, mr. Garrett. Thank you, mr. Chairman. Im going to hit my talk button and my voice sounds better with the microphone is on. I want to piggyback on what my friend and colleague and Ranking Member thompson said, i would agree with you that election infrastructure, cybersecurity as relates to overseeing elections is something that crosses and transcends the aisle and anything that you give democrats to or give the exact same to the republican members and would be great for your time given its redundancy. I dont see why some party should be briefed in the absence of others in the United States of america. If you do bring the request, to electro security as relates to cybersecurity issues, please invite me. I cant fathom that one party has a monopoly on free and fair elections. Im sure my colleague doesnt mean it that way, i want to be clear that should not be a partisan issue and perhaps people from both parties are invited or give the same briefing twice, which i think is inconsiderate and short sighted. And what we know about the cyber activity, specifically with relation to astona and ukraine, to my understanding the bulk of the platforms used to infiltrate infrastructure, i said platforms, malware, it would be appear based on my speaking to this forum, kill this, black energy, were known entities were discovered as relating to this, as to the coordinating task, how do we how well do we stay ahead or try to stay online with it . I understand its the moving target and to the extent to theres noi hope again, i understand the format were in might limit the conversation that we have, a lot of the malicious activity to this point conducted, we presume, and data would presume the russians, how quickly can we pick up on advancements in malware and inculcate them into our preventative measures . And thats wide open to whichever one of you wonderful folks would like to address it. Thank you, sir. If i may, ill start and provide a bit of a broader approach and defer to my colleague from the department of energy to anything on the good in electricity. Im subject to the time limit, so i apologize, but so ill do this quickly. Yes, sir. Generally speaking, we have talked about advanced persistent threat here. When we think about threats its not, generally speaking, advanced. Companies and organizations are not 0 doing the blocking and tackling, and some of the exploitations were based on open known vulnerabilities that werent patched. The concept of a zero day exploit while its out there. Its not actually the primary exploit at that we tend to see in the wild. Let me interrupt you. And i am a big fan of limited government, but in this arena because the entire nation hangs in the balance, not just the elections, but everything that relates to our grid, might not be effective to hit the particular Power Providers where it counts, essentially make it cost something for entities that dont patch the known threats. Youll be uptodate on x, y and z and ments my colleague can speak to that. You guys are great, but time the first operational direction we issued was reducing the patch vulnerabilities to 30 days. We have actually seen a complete cultural change as a result of that and we are now seeing the government highly testing and patching those critical vulnerabilities. So, i just wanted to throw that out there. So theres a carrot and a stick. I had a he id rather the carrot, but i dont mean to cut you short. Ive got 15 seconds. The nature of nerc and whether its semi private autonomous sued owe entity, compromises tactics, procedures and et cetera. So, i dont think that nerc as an operation it does have the operations center, sharing information rit large and capabilities to compel and look at the industry to respond so we can get the information we need. Thank you all, and i apologize going briefly over. Thank the gentleman. And the chair recognizes my friend from rhode island. Thank you, mr. Chairman. I want to thank our witnesses for your testimony here. And before i go into my question, i just wanted to mention for just publicly and to mr. Garrett, im a member of the Election Task force that certainly the democrats have put together on Going Forward in improving Election Security and i will say to my colleagues, there was an initial outreach to republicans to make this a bipartisan effort which was not accepted, it was not we didnt find anyone that was receptive, but i would say this, the task force to the public, my colleague, mr. Garrett, is welcome to participate fully with that and with respect to the Ranking Members question on the classified briefing both on russias interference in our election and how were better securing our elections systems. I would say that along with democrats and republicans, i would prefer it as a democrat and republican briefing, however we get the briefing, i dont want a misunderstanding of what the representative was asking, we want a briefing. Wed ask that you provide that to us. Yes, sir, thank you, i do believe weve provided a classified briefing in the past and welcome the full Committee Briefing or subCommittee Briefing on that as well, sir. And one thing i wanted to mention, your authority and active role in cyber, but i would reiterate its vitally important that we get key people appointed and in place permanently. I respect the work youre doing and your team and, but we need permanent people in place, both for confidence and clarity to what the mission is. So let me get into my questions very quickly, ill try to go through them. The ones you cant answer fully because of time constraints, id request a followup in writing. On september 13th, there was a binding operation of directorive 1701 which directed departments to remove from systems in the next 90 days, in nothing so doj issued a Public Statement to coincide with the establishment of the directive. Id like to commend the department, it added transparency and that was important. My question was what analysis led to this removal from the federal networks and i understand this may be classified in which case i request that you and your team provide briefings to members on operations behind it, i think its vitally important this committee on both sides of the aisle understand what went into that. Next, mr. Krebs, sec was breached in late 2016 and we now know that the attackers had access to corporate filings, profit, public release. The announcement of this breach was made nearly a year after it was first discovered. My question was, when was dhs informed of the breach . And what was dhss involvement in detecting, responding and recovering from these from this attack . And finally, how did dhs improve its integration with federal agencies to assure that these types of attacks are identified and notified quicker in the first. Let me briefly touch on the first piece and then ill kick it over. That was based on totality of evidence including by the most part open Source Information and in terms of a classified briefing, i believe we are on the schedule for some point in the next month or so with the full committee, the monthly intel briefing. So with that, if i may, id like to turn it over. Thank you. Sir, welcome to support a briefing on it. As far as the sec, were happy to come in and have a more full conversation with this about that. They didnt notify us last year on november 4th of an issue. It was at the time the extent of the issue was not well understood and given the time limits here, i think it might be more useful if we sat down and other members as appropriate to walk through specific details. And what do you think that what was the dhss involvement in detecting and recovering . We have limited involvement with the sec. They did not request our assistance for response. And on the issue of how to make it work better in the future . Sir, in addition to this incident as well as several others we are reviewing our procedures to ensure that its clear that when an incident happens, what role the Department Needs to play in the response, not just at the request of an agency. And then, if were looking at specific Critical Services and functions, then the Department Needs to have a more active role in that response regardless of whether the Agency Requests it. Thank you. In august, congressman herd and i traveled to defcon and we were looking at the willingness to report vulnerabilities to improve overall security. And what if they establish a vulnerable process for dhs sites and software. Again, one of the things i found with about the program was very helpful in identifying security vulnerabilities and getting to the right individuals on the vulnerabilities and talking to security researchers. One of the things that impressed me most, they want just want to make the internet better and want to know when they find a vulnerable that they pass forward, they report it and somebody is going to do something about it and actually going to be heard. What progress has dhs made in this respect . We have a longstanding program on vulnerabilities and control systems as well as enterprise technologies, and weve been working with security researchers in both communities for years to provide them a space for them to yief that visibility and also to activate with the owner of software for a patch and much of the alerts we issue are with researchers. We also have our own organization within my group that conducts penetration vulnerabilities and Risk Assessment across the government to include hds networks. We need to assure that theyre supplemented with broader risk and vulnerability analysis and testing to make sure that theyre addressing and what about the dhs owned systems . My Organization Also supports Penetration Testing and Vulnerability Assessment within the dhs. Particularly the high value assets that dh schs owns. And and that the management in interested in what the department has done and how that might apply to dhs. So we look at how that might be applied. Mr. Chairman, i had one more on Election Security. And can i ask that . I know weve touched a bit, but for the record i want to dive deeper into this. Its interesting that state and local officials have access to resources from dhs to protect systems that represent the cornerstone of our democracy. So, can you further describe how dhs is, would working with officials to protect networks . I believe the response to unprecedented interference in our elections last year to be sufficient, and secondly how can we improve access to resources . There are additional funds and resources that the Department Needs in this respect . So, thank you for those questions. Let me start at the end with your improving relationships. And with the Department Last summer, this all manifested. I can speak to generally the relationships with state Election Officials. That was not an existing relationship between the department of Homeland Security in the state and locals. However, we do have strong relationships, of course, with the Homeland Security advisors and officers and chief information Security Officers. But to square the circle on this specific threat, we need to develop partnerships that are, you know, three or four legs on the stool within each specific state and each state is going to be a little bit different in terms of how, you know, who they designated as the chief Election Officials and as well as the vendors of the technology. In terms of how to improve relationships, its going to take a lot of effort and a little bit of time and those are things that we are working on right now. We dont have much time, but we are dedicating resources. In fact, just this morning, i sent out a notice across my organization reflecting some changes we made organizationally last week about a task force. Previously, the election piece has been held within the office of infrastructure as a program. Again, matching my words with execution, were elevating with a task force and across them and resourcing it appropriately. And this is speaking to the resources, were pulling the resources together in recognition that we dont have a lot of time, given there are preelections this year. Ftes that are committed to this . I dont have the ftes on hand. And i believe that and specifically. If i can make one additional point on resources, Ranking Member richmond noted that his understanding was that there was a ninemonth wait for risk and Vulnerability Assessments. I dont know whether thats the exact current number, but that speaks to the high demand that were experiencing for our Assessment Services and that is everything from Penetration Testing to the cyber hacking scans that multiple states and localities have participated and continue to participate in, as well as the more in depth risk and Vulnerability Assessments. We are growing that program and we are diverting resources, were Building Infrastructure so that we can more scale that and thats service that is were providing and not just the federal agencies, but to state and local governments and Critical Infrastructurement and were experiencing much more demand for those services and were continuing to look for ways to upscale that. Thank you for that. And any answers you can give in writing, i appreciate that. Thank you for your indulgence. Youre welcome, gentleman. Yield back and i want to thank all three of our Witnesses Today for your valuable and insightful testimony. Thank all the members for the questions today. The members of the committee have additional questions for witnesses and well ask you to response in writing. Pursuant to committee 7d the hearing record will be held open for ten days and without objection the subcommittee stands adjourned. [inaudible conversations] [inaudible conversations] [inaudible conversations] u. S. Senate about to gavel in to get business underway today. Senate lawmakers continuing consideration of executive nominations. Today eric hargan for deputy hhs security we should see a vote throughout the day. Live coverage of the u. S. Senate here on cspan2. The presiding officer the senate will come to order. The chaplain will lead the senate in prayer. The chaplain let us pray. Almighty god, were grateful that your will prevails when reliance on humanity is futile. Give our senators the wisdom to

© 2025 Vimarsana

vimarsana.com © 2020. All Rights Reserved.