Identifying on the agency networks and allow us to better prioritize. Thanks. So one of the other points I want to cover today was last week the GAO came out with a fairly critical report. One finding that would appear to be most troubling said only 7 of the 24 CFO Act agencies have programs with any functions considered effective per the NIST standards for cybersecurity controls. That doesn't sound very good. I want to give you the opportunity, as we talk about the cybersecurity posture of the .gov, to reconcile that with the report. Sir, I think that we have, we've learned a lot over the years about agency capacity to manage cybersecurity risks and the resources they have to do so. I can say they've prioritized across the highest level of government. What we've learned through engagement in partnership and measuring agencies is there remain significant gaps, and we have built over the last couple of years, and are continuing to build, technical assistance capabilities. Things like design and engineering. Helping agencies get much more in-depth insight into those networks and providing them with a greater level of assistance, both engineering and on the government side, to help them address the often complicated networks with the resources we have. But we see a lot of potential for CDM in the ability to deliver tools at lower cost across agencies, and this is the first time many agencies have had access to this level of automated data to understand what is on their network, and so we see a lot of potential for this. But for many agencies there's a lot of capability that has to be built, and we're continuing to take advantage of things like shared services. More capability of DHS to deploy to agencies. So your comment about shared services and resources, I want to follow up, because I think it's important to look at where we are and where we're going.
So looking forward, how do you see DHS's federal network protection tools evolving past, say, signature-based threat detection tools, and particularly where my conversations with the administration and cybersecurity advisors really put an emphasis on cloud computing and shared IT services and resources. So I guess, in a sense, what does EINSTEIN's future generation, 10.0, look like? Well, I'm not exactly sure what EINSTEIN 10.0 will look like yet, but I can tell you where we're looking to evolve. The President's key initiative around modernizing our IT. There are large challenges with legacy technology. But we need to modernize the way we govern and procure. We're working very closely to modernize our security processes. We ensure that we are modernizing our security approach but not losing the insight that we have into traffic, either traversing internally or in and out of agency networks. Importantly, we have learned on CDM some key lessons from the first phases of deployment. We have a new contract vehicle in place that will enable cloud and mobile technologies in addition to the on-premise capability we have right now. We are building on what industry is learning from behavioral-based detection methods, and we have had successful pilots and look forward to continuing to build that capability. My time has expired. The chair now recognizes Mr. Chair for his questions. You all know I authored legislation to develop a department-wide cybersecurity strategy within DHS. That strategy and report was due in March. We still don't have it. So what is the status of it, and if you're running into problems getting it done, what are those problems? Sir, thank you for the question. The Office of Policy has the pen, so to speak. It rolls in components across the department between Secret Service, ICE, Homeland Security Investigations, U.S. Coast Guard, as well as NPPD. So while we don't necessarily lead the development of that strategy, we are a significant player.
My understanding of where it sits is that it's influenced by the President's executive order, 13800, released earlier in the spring. That order puts DHS at the front, or in the lead, for almost all of the reports, particularly in the first two and fourth work streams: federal networks, critical infrastructure and the workforce. They are anticipated to have severe impacts on some of the priorities of the department, including NPPD. So I believe the decision on finalizing the strategy has been, let's get through the security assessments as well as the administration's anticipated National Security Strategy that are expected in the next several months, and when we have a broader understanding of where the department is going, that will inform it. That said, it is still a priority to finalize that report. That said, as a department, we are moving forward with a number of our priorities. I do want to touch on a couple of things you said earlier. As the senior official performing the duties, while we do not have a permanent undersecretary, I have the authority to move out and execute under authorization by Secretary Duke. While we do not have a permanent undersecretary now, I believe I have every authority I need to execute the mission within NPPD. In terms of strategy, and we talk about the report, let me take that aside. Do we have a department-wide strategy on how we deal with cybersecurity and the needs and challenges we continue to face in the near future? Sir, my understanding is there is a department-wide cybersecurity strategy in draft form, yes, sir. Again, I don't want to get into the weeds. Are you operating on a comprehensive strategy on a day-to-day basis? We're in the lead for ensuring the nation's physical infrastructure and cybersecurity against threats. Our top goal is securing federal networks and facilities; for me and with Assistant Secretary Manfra, that is at the very top of our minds every single day.
The second piece is identifying and mitigating systemic risks across the nation's infrastructure. When I think about that, I'm thinking about the Section 9 critical infrastructure at greatest risk, and also putting election infrastructure in there. As I mentioned in my opening comments, for me, this is the number one priority for NPPD. We cannot fail there. And third and finally, incentivizing better practices across the community, to include state, local, and medium-sized businesses. Ms. Hoffman, there's been a great deal of concern among national security experts that Russia's goal in disrupting Ukraine's power supplies in 2015 and 2016 was to test its capabilities for a larger attack on the United States. Last month we learned Russia may have been responsible for Dragonfly 2.0, which exploited and targeted some of our energy sector. How is the energy sector surviving, and what is the capability, widespread, with that at your back? Thank you, Congressman. The Ukraine attack was very much an eye-opening event for the energy sector. Specifically, the electric sector got very organized, recognizing we had to step up our continuous monitoring capabilities, the ability to detect behavior on the system, and also building inherent protections as we develop new technologies, recognizing the core of anything is protecting against spear phishing and passwords and credentials, and starting to go after where we need to be to prevent an attack on the system. We've been working very actively with the sector to build tools and capabilities for protection of their systems. The chair now recognizes the gentleman from New York, Mr. Donovan, for five minutes. Thank you. I'd like to ask a question of all of you. In 2015, Congress passed the Cybersecurity Act, and in 2017 we passed the Cybersecurity and Infrastructure Security Agency Act, and the President also issued an executive order back in May to strengthen our abilities. What do you guys need? What can Congress do to help you protect our nation?
Our federal agencies, our private entities, as Mr. Richmond said, our energy industries? What do you guys need from us to help you protect our nation better than we're able to do now? Sir, thank you for the question. The very first thing I would start with, as you mentioned, the Cybersecurity and Infrastructure Security Agency Act of 2017, passing out of the full committee, was a significant step forward. What we need, as I mentioned in my opening comments, is quick action by the full House and Senate. Let me give you a little anecdote why that's important. That bill will give us three things. One, it will allow us to introduce some operational efficiencies, looking at common infrastructure across the organization, pushing them together so we are more streamlined in how we engage and deliver services from a customer service orientation. Second, it will help with our branding and clarify roles and responsibilities, not just within NPPD but more importantly with our federal, state and local partners and the private sector. I will come back to that in a second. Finally, what that will do is give us the ability to attract talent. We talked a little bit about workforce and hiring and partnership. On that clarity of roles and responsibilities, let me talk about that for just a second. I've been down to Puerto Rico twice in the last week. I was there last Monday with Administrator Long and the President's Homeland Security Advisor, Tom Bossert, and I was there last Friday with Acting Secretary Duke. On Friday, meeting with Acting Secretary Duke, the governor and his key staff, we were discussing a number of the critical infrastructure challenges in Puerto Rico. When it came around to me, I talked about the communications infrastructure. You know the National Communications Center resides within Ms. Manfra's organization.
And we talked about whether we're assisting AT&T, Sprint, T-Mobile, helping them get back in to prioritize capabilities, cell on wheels, cell on light truck, things like that, to help temporarily pop up the communications service and help get communications in for cell towers. As I briefed out where we were helping those companies get introduced back in, I introduced myself as the official performing the duties of the undersecretary of the National Protection and Programs Directorate. Try repeating that back out; it's not easy. Someone who had never heard that before immediately went onto a press interview alongside the TSA administrator and the Vice Commandant of the Coast Guard, and said the Department of Homeland Security, we have 93, TSA, Coast Guard and the comms guy. She doesn't know how to describe me; when I'm out engaging my stakeholders, they don't understand the mission I deliver. I need help clarifying that and providing very up front, clearly, what I do and what my team delivers. That is a significant advancement. Any help I can get there, please help me out. More broadly, in terms of additional authorities and clarification of authorities, we are in the process of running that kind of stock-taking of where the department sits in cybersecurity. The Department of Energy in the FAST Act got significant authorities that could come to bear in the event of a grid incident. DHS has authorities in terms of incident response and information sharing; thank you for those authorities. Going forward, we're not quite sure just yet what we need. I will tell you this: the cybersecurity threat is not going away; our adversaries are getting faster, more agile. We need to be resourced and staffed and positioned to respond to that. I know one more thing: we will not use less technology going forward. As you indicated earlier, we are going to the cloud, to shared services, and relying upon these cross-cutting technology capabilities in the information technology sector.
We need to ensure from a digital defense perspective we have what we need. We welcome that conversation. You can believe that you'll see me again and we will be talking about that. I have two seconds left. Would you contribute, please? Yes, sir. Very briefly, just to complement what Chris talks about, we're working within the federal government to understand what is the full breadth of our authorities, how to lean into the authorities we have to deploy more capability within the critical infrastructures. We're working to understand, now that we've identified these most critical assets at greatest risk, are there legal and operational and policy hurdles we need to address in order to assure we have appropriate prevention and response and recovery capabilities in place, and we look forward to working with you. Please don't wait until another hearing. Let us know how we can help. Absolutely. I yield back the time I have left. The chair recognizes the gentleman from Mississippi, Mr. Thompson. Thank you, Mr. Thompson. The last two speakers have talked about being resourced and staffed from an agency standpoint. Last March, we held a hearing talking about staffing at the department. Can you give us the number of unfilled positions in the cyber division right now? Sir, we are currently staffed at 76% of our fully funded billets. So we are 24% under. Can you tell us why we are understaffed at this point? Yes, sir. There are a variety of reasons. The first, largely thanks to the work of this committee and our appropriations staff in Congress in building the billets that are allocated to my organization, we have grown significantly. We have worked very hard to build according to that growth in billets. We have had some challenges. We've worked with our management colleagues and human capital colleagues to identify areas where we can reduce the time to hire.
I can say, looking at the statistics from fiscal year 16 hiring to fiscal year 17 hiring, we've been able to reduce the time to hire by 10%. Many of these requirements have to do with security clearances. It does take a long time to process people through that security clearance process. We've made significant progress. We're continuing to work through our security office to continue to shorten that. We're diversifying our recruitment paths, looking at the Scholarship for Service CyberCorps program, which has been a great pipeline: after the government-funded scholarships, bringing these individuals in as interns and hiring them full time, they're already fully qualified for our direct hire authority, and looking at other programs such as Pathways, Presidential fellows and other programs. We're looking at partnerships with industry. Yes, sir. I don't mean to cut you off. Is the problem we have too many programs to attach people to, or, I'm just trying to find out why, when we've given you the authority to hire, we've not been able to come closer to whatever that authority is. Is there something we need to do to get you to that point? Sir, separate the authority that we were given by Congress to build an excepted service program. What I was referring to was I did not believe a couple of years ago we were fully leveraging the authorities we already had and the programs we already had to bring people in and tightening the timeline that it takes to bring people on. The excepted service program is led by our Chief Human Capital Officer. I know this is a high priority for her. We did not probably appropriately expedite the development of that program four years ago. We have now done so. My understanding is that we will now be able to hire against that program beginning in fiscal year 19, but there's a regulatory process we do have to undergo as a part of that.
Just for the sake of the committee, can you provide us with a timeline between when somebody is considered for employment and when that is completed? It's not just get back to us, yes, sir. Three months, six months, a year? I think that would be instructive for us, so we can kind of see if there's something involved. Yes, sir. The reason I say that, Mr. Chairman, I think all of us are constantly bombarded by people looking for employment opportunities. If we have potential opportunities here, is it something we are not doing? Are we not going out recruiting in a broader view, or just what? We just need to kind of figure something out. Right. If I could, sir, just clarify: the 76% is just indicating people that are on board right now. If you include the people in the full pipeline, that brings us to 85%. For Virginia we are at about 224 days to hire. That sounds long, but that is to include a top secret SCI clearance process; actually, against the benchmark of the rest of the government, we're doing quite well. We want to continue to work with you, sir; we will come back to you. Please get back with us. Mr. Krebs, we have a congressional task force on election security, and we made requests of the department to provide us a classified briefing around this issue, and we've been told that it has to be bipartisan, that you can't just brief Democrats. Are you aware of that? I'm not aware of any existing policy. Let me say this. I share your concern on election infrastructure. I made that clear today and wanted to say directly to you as well, it is my top priority at the department. If we can't do this right and dedicate every single asset we have to assisting our state and local partners, frankly I'm not sure what we're doing day-to-day. In terms of what we've done, in terms of engagements, we are prioritizing delivery of those briefings and information sharing to our state and local partners.
We are doing it in a bipartisan manner because my opinion is that this does transcend party lines and we should all be pulling in the same direction. Going forward, I would encourage any additional briefings; we have provided a series of bipartisan briefings to the House Homeland Security Committee, both classified and unclassified. The real crux of this issue, the underpinning issue here, is a trusted relationship. Now, did we have, I appreciate it. But we have established a working group within the Democrats on the committee, and we're just trying to get a briefing. It's nice to say I don't want to brief you because there are no Republicans, but we're members of Congress, and all we're trying to do is get access to the information. If your interest is there, I'm convinced you will provide it. That's the spirit in which the request was made. We'll make it again. Yes, sir. And look forward to you coming back. Just bring us what information you have, as members of Congress. That's all we are asking. Thank you. I yield back, Mr. Chair. I thank the Ranking Member. The chair recognizes the gentleman from Virginia, Mr. Garrett. I hit my talk button; my voice sounds better with the microphone on. I want to piggyback on what my Ranking Member Thompson said. I would agree with you: election infrastructure, cybersecurity when it comes to conducting elections, is a priority that crosses and transcends the aisle, and I would ask that any briefings you give to Democrats you invite me to, or to give the exact same briefings to Republican members I think is inconsiderate of your time. I can't fathom why one party should be briefed on elections outside the presence of another in the United States of America. If you do, and I hope you do, respond to the Ranking Member's request to brief, Mr. Krebs, as to cyber issues, please invite me.
I can't fathom one party has a monopoly on hoping we get fair elections, and I can't think my colleague means it that way, and people from both parties should be invited, or to make the same briefing twice I think is inconsiderate and shortsighted. Having said that, transitioning to Russian cybersecurity, particularly with relationship to Estonia and the Ukraine, my understanding is the bulk of the platforms used to infiltrate infrastructure, I say platforms, malware, it would appear, based on my ability to speak in this forum, were off the shelf, if you will. KillDisk, for example, BlackEnergy, were known, discovered as it relates to these attacks as part of a coordinated attack. How well do we stay ahead, or try to stay in line with it? I understand it's a moving target. The malware that might be implemented, to the extent there's any hope, again, I understand the format we're in might limit the conversation we have, a lot of the malicious activity to this point conducted, we presume and data would indicate by the Russians, has used off the shelf technology. I guess the question there is how quickly can we pick up on advancements in malware and inculcate them into our preventive measures? That's wide open to whichever one of you wonderful folks would like to address it. Thank you, sir. If I may, I'll start and provide a bit of a broader approach and defer to my expert colleague from the Department of Energy on anything specific to the grid and electricity. I'm subject to a time limit. I apologize, but I'll do this quickly. Yes, sir. Generally speaking, we already talked about advanced persistent threat here. We think about threats; it's not necessarily advanced, it's just persistent. Folks are still, organizations are still not doing the basic blocking and tackling. You think about WannaCry or NotPetya; some of those were based on open, known vulnerabilities, they just weren't patched.
The concept of a zero-day exploit, while it's out there, it's not the common one we see in the wild. Let me interrupt you. I am a big fan of limited government, but the entire nation hangs in the balance, everything as it relates to our grid. Might it not be effective to hit the particular power providers where it counts and essentially make it cost something, perhaps metaphorically and literally, for companies that don't patch those open, known threats? And that is something that will be within the purview of the government: you will be up to date by X, Y and Z or it will cost you? My colleague can talk to the government piece. You guys are great. Five minutes. We were trying to reduce the time to patch critical vulnerabilities to five days. We are seeing a change in that, and seeing the government highly prioritizing patching those critical vulnerabilities. I want to throw that out there. There's a carrot and a stick? I'd rather the carrot, but I'm glad to hear you say you're addressing that. I don't mean to cut you short, Ms. Hoffman. I want to speak to the nature of NERC and the fact it's a semi-private, autonomous, pseudo entity that compromises tactics, procedures, et cetera. I don't think it as an organization compromises any sort of intelligence, and it has an Information Sharing Center which is sharing information at large and has capabilities to compel and look at the industry to respond so we can get the information we need. Thank you all, and I apologize for going briefly over. I thank the gentleman, and the chair recognizes my friend from Rhode Island. Thank you. I want to thank the witnesses for your testimony. Before I go into my questions, I just want to mention, publicly, and to Mr. Garrett, I'm a member of the Election Security Task Force that the Democrats put together on how to go forward in improving election security.
I would say to my colleague there was an initial effort and outreach to Republicans to make this a bipartisan effort, which was not accepted; there was no, we didn't find anyone that was receptive. I would say this: the task force meetings are open to the public; my colleague, Mr. Garrett, is welcome to participate fully with that, and with respect to the Ranking Member's question on the classified briefing, both on Russian interference in our elections and how we're better securing our election systems, whether that is a Democrats-only or Democrats-and-Republicans briefing, I would prefer it as a Democrat and Republican briefing; however we get the briefing, unless I'm misunderstanding what the Ranking Member was asking, we just want the briefing. We'd ask that you provide that to us. Yes, sir, thank you. I do believe we have provided a classified briefing in the past and welcome the full committee and subcommittee briefing on that as well. The other thing I want to mention, Mr. Krebs, I appreciate your comments that you have all the authorities in your acting role to do the job necessary in cyber. I would reiterate it is vitally important we get key people appointed and in place permanently. I respect the work you're doing and your team, but we need permanent people in place; it both inspires confidence and gives clarity to what the mission is. Let me get into my questions very quickly. I will try to go through them. For ones you can't answer fully because of time constraints, I request a follow-up in writing. So on September 13th, DHS issued Binding Operational Directive 17-01, directing federal agencies to remove products from within their systems in the next 90 days. In doing so, DHS for the first time issued a statement to coincide with the establishment. I'd like to commend the agency. My question is what analysis led to the removal from federal networks. I understand this answer may be classified, in which case I request you and your team provide a briefing to members on what's behind it.
It's very important that members on both sides of the aisle understand what went into that. Next, Mr. Krebs, the SEC was breached late in 2016. We now know the attackers had access to corporate filings prior to their public release. The announcement of this breach was made nearly a year after it was first discovered. My question is, when was DHS informed of the breach, and what was DHS's involvement in detecting, responding to and recovering from this attack? And finally, how can DHS improve its integration with federal agencies to ensure these types of attacks are detected and notified quicker in the future? Thank you, Congressman Langevin. Let me touch on the disbursement piece. It was based on the totality of evidence, including for the most part open source information. In terms of a classified briefing, I believe we are on the schedule for some point in the next month or so with the full committee monthly intel briefing. With that, I'd like to turn it over to Ms. Manfra. Sir, welcome. We are happy to come in and have a fuller conversation with you about that. They notified us last year, and the extent of the issue was not understood, and given the time limits, it might be better if we sat down with you and other staff members, as appropriate, to walk through specific details. What do you think, what was the DHS involvement in detecting and responding and the recovery? Sir, we have very limited involvement with the SEC. They did not request our follow-on assistance for a response. The issue of how they can work better in the future? Sir, in addition to this incident, as well as several others, we are reviewing our procedures to ensure that it's clear, when an incident happens, what role the department needs to play in response, not just at the request of an agency. If we're looking at specific critical services and functions, the department needs to have a more active role in that response regardless of whether the agency requests it. Thank you.
In August, Congressman Will Hurd and I traveled on a bipartisan trip to the Security Congress and were impressed with the willingness to report for overall internet security. What is established for a reporting process for DHS sites and software? One of the things I found with the Pentagon's bug bounty program was it was very helpful in identifying security vulnerabilities and getting the attention of the right individuals to close those vulnerabilities. Talking to researchers, one of the things that impressed me most was they just want to make the internet work better, but they want to know that when they find a vulnerability there is a path forward: they can report it and somebody will do something about it and they will be heard. What progress has DHS made in this respect? We have a long-standing program on operational vulnerability and industrial control systems as well as enterprise technologies. We've been working with security researchers in both communities for years to provide them a space to identify that vulnerability and also to advocate with security researchers. We have our own organization within my group that conducts penetration testing and risk and vulnerability assessments across the government, to include DHS networks. While bug bounty programs can be useful, we need to ensure they're supplemented with the broader risk and vulnerability assessment and testing my organization does, to ensure organizations are appropriately prioritizing what they're addressing. What about DHS's specifically owned systems? My organization also supports penetration testing and vulnerability assessments within DHS, particularly high value assets DHS owns. I do know our leadership and management is interested in learning from what the Department of Defense has done in their bug bounty program and how that might apply to DHS, and we're continuing to work through how that might be applied for our organization. I had one more on election security. Can I ask that?
I know we've touched on this a bit. For the record, I wanted to dive a little deeper into this. Very interested in ensuring state and local election officials have access to resources from DHS to protect the vital systems that represent the cornerstone of our democracy. Can you further describe how DHS is working with election officials to protect networks? Do you believe DHS's response to the unprecedented interference in our elections last year has been sufficient? How can we improve the relationship and access to resources? Are there additional funds or resources the department needs in this respect? So, thank you for those questions. Let me start at the end with your improving relationships. While I was not at the department last summer as this all manifested, I can speak generally to the relationships with state election officials. That was not an existing relationship between the Department of Homeland Security and the state and locals. However, we do have strong relationships with the homeland security advisors and chief information officers and chief information security officers. But to square the circle on this specific threat, we need to develop partnerships that are three or four legs on the stool within each specific state. Each state is going to be a little bit different in terms of who they designated as the chief election official and vendors of technology. It will take a lot of effort and a little bit of time. Those are things we are working on right now. We don't have much time but are dedicating resources. Just this morning I sent across my organization, NPPD, reflecting changes we made organizationally last week by establishing an Election Task Force. Previously it had been held within the Office of Infrastructure as a program. Matching my words with our execution, we're elevating it as a task force, bringing pieces across the DHS components, including the Office of Intelligence and Analysis, and resourcing it appropriately.
This is speaking to a lot of resources. We're pulling the resources together in recognition we don't have a lot of time, given there are three elections this year. And the number of FTEs and money committed to this? I don't have the FTEs on hand. I can get back to you on it. I believe Ms. Manfra has. And funds available as well? I want to point to the resources. Ranking Member Richmond indicated there was a nine-month wait on risk and vulnerability assessments. I don't know if that's the exact current number, but that speaks to the high demand that we're experiencing for our assessment services, everything from hygiene programs we participate in to in-depth vulnerability assessments. We are growing that program, building resources and building infrastructure to better scale that. But our services we're providing not just to federal agencies but also to state and local governments as well as critical infrastructure. We're experiencing much more demand for those services, and we're continuing to look for ways to scale that capability. Thank you for your answers. If there is a follow-up you can provide to us in writing or briefings, I appreciate that. Mr. Chairman, thank you for your indulgence. You're welcome. The gentleman yields back. I want to thank all three of our witnesses today for your valuable and insightful testimony and questions of the members today. If they do have additional questions of the witnesses, respond in writing. Pursuant to Committee Rule 7(d), the record will be held open for a period of 10 days, and without objection, the subcommittee stands adjourned.
