Senator Angus King and Congressman Mike Gallagher. If I lived further north, Congressman Al Gore would be my member of Congress. We are pleased to welcome Suzanne Spaulding who I'll introduce people more formally prior to their also Thomas Fanning, two of the commissioners of the commission. First of all I want to thank the co-chairs and the commissioners for the important work on the Cyberspace Solarium Commission. I think the end product is excellent. I think it has solid recommendations that a number of these are within our committee's jurisdiction over the working hard to evaluate those and the ones that we can get them passed into law of these recommendations can be done through executive action. What I'd like to spend my time just enter my formal written statement into the record, I just want to talk about two of the commission's recommendations. When I got here in the Congress in 2011, cybersecurity was a hot issue. It still is. It's not going away. I remember the buzzword back then is we have to do something about this. We've made a number of attempts and quite honestly we made a fair amount of progress. My own sense is the bad guys, the people on offense always have an advantage but I think we're catching up, closing the gap between offense and defense. There's been some very common themes. First one is where to do a better job of information sharing. I think we've accomplished that certainly with the establishment of the Cybersecurity and Infrastructure Security Agency headed up by Chris Krebs right now. By the way when a conference call Director Krebs last week and he was reporting that bad actors, cyber actors are trying to take advantage of COVID, trying to steal some of the medical information on the development of vaccine. This is a persistent threat that's not going away which is what makes the commission's work so incredibly important.
The first recommendation I want to talk about that quite honestly we're working hard at getting hopefully included in the National Defense Authorization Act, so it can become law, is the need to put somebody in charge, a National Cyber Director. We held a hearing a couple years ago of the blue ribbon study panel, and this was another panel established on biodefense. It's interesting that the number one recommendation is the same as this committee is we need somebody in charge. Not too long ago we held a hearing on 5G. Once again, the number one recommendation out of the committee hearing was we need somebody in charge of the implementation, the development of 5G if we're going to compete in the world. So now lo and behold I think the number one recommendation out of this commission is we need somebody in charge. There is some controversy behind that. Exactly how to step it up is complex. I signed on a letter with Senator Rounds who is leading the charge on the Senate Armed Services Committee asking the commission to continue while you still have your commission to study and make recommendations exactly how that National Cyber Director would be established in what part of the administration that individual should be placed into, that they could have the maximum positive impact. So hopefully the commission will stay together and make that recommendation and we can get that included into the National Defense Authorization Act. The other recommendation is something that we did cover in a hearing with Director Krebs, both in secure setting as those in the public hearing is the need for, this is Senator Hassan and I have a bill on this, the bill is called Cybersecurity Vulnerability Identification Disclosure Act. There's just a need for system to build the contact individuals where they know there's a threat and right now the only way they can contact those people is they can literally subpoena the records to find who those individuals are, but didn't buy them so they can contact them.
This should scare anybody. This shouldn't be an issue with civil liberties is a very necessary authority that CISA needs and I'll ask everybody on our committee to do what we can by hook or by crook hopefully get the and National Defense Authorization Act as well. Anyway, those things I want to concentrate on. I do want to steal the commissioners' thunder here and the testimony, or my Ranking Member Senator Peters his thunder with his opening statement salter now to Senator Peters.
Very good, Mr. Chairman. Thank you. Thank you for bringing us together for this hearing and thank you to our witnesses for joining us today and for your hard work on the Cyberspace Solarium Commission. I especially would like to thank our colleague Senator King for his leadership on cybersecurity policy and for appearing before us today and subjecting himself to our questioning. So thank you, Senator King, for doing that. Cyberattacks are one of the greatest threats to our national security and, as the commission found in your report, the United States is not thoroughly prepared to defend ourselves in cyberspace. The findings and recommendations included in your report could not have come at a more important time. Adversaries like China, Russia, and Iran have repeatedly attempted to hack into our critical infrastructure, interfere in our democratic processes, and engage in large-scale intellectual property theft. Most recently, the Chinese Government launched a cyberattack against our hospitals and health care research facilities in an effort to steal information on a coronavirus vaccine, an attack that threatened the health and safety of Americans. Every one of these attempted attacks are targeted to undermine our national and economic security. Without sufficient cybersecurity tools, resources, and personnel, these attacks could have a devastating impact on our daily lives.
Your report makes critical recommendations that Congress must consider as we work to ensure our country is better prepared to deter, prevent, and recover from malicious cyberattacks. Your recommendations are wide-ranging, but boil down to three main goals: we must work with our allies to promote responsible behavior in cyberspace; we must deny benefits to adversaries who exploit our vulnerabilities; and we must impose greater costs on those who engage in malicious cyberattacks. I have been proud to work on a bipartisan basis with many of my colleagues on this committee to advance legislation that will help meet some of these goals. I look forward to discussing these recommendations today and finding additional ways we can continue to strengthen our cybersecurity protections. Thank you again to all of our witnesses for joining us today, and I look forward to your testimony.
Thank you, Senator Peters. I know this is a web event, not in person very but it is the tradition of this he I'll ask you to swear the testimony you will give before this committee will be the truth, the whole truth and nothing but the truth so help you God. Thank you. Our first witness is Senator Angus King. Senator King is a co-chair of the Cyberspace Solarium Commission. Since 2013 he served as the first independent senator from the state of Maine. Prior to joining the Senate he was the governor of Maine for two terms. He's a graduate of Dartmouth College and University of Virginia Law School. Senator King.
And Ranking Member pierre, south dakota, patient the opportunity to testify before you. What I'd like to do is give you a little background on the commission, what our fundamental findings were and then talk about our strategy of labor, of layered cyber deterrence. First, the commission. It was set up by the 2019 National Defense Act, and the mission of the commission was to establish an overall strategic direction for American policy in cyberspace. That's number one.
And number two, to make recommendations for implementing that strategy. Activation of 14 members, four from the Congress, four from the executive, and six from the private sector. It was entirely nonpartisan. There were really no partisan discussions whatsoever and apart from the four members of Congress I have no idea of the partisan affiliations of any of the other members of the commission. We had 29 in-person meetings. We interviewed over 400 people. We went to thousands of pages of documents, and ended up with 81 recommendations, 57 of which require legislative action which have been submitted to the various committees and the staffs in the Senate and the House. So what are the fundamental findings? The real basis of the commission rests upon three issues. One is reorganization. Get the structure right. That year talked about this at the beginning. The second is resilience. How do we build cyber defenses to keep ourselves safe from attack? And a third is response. How do we respond to attacks in such a way as to defend our country? The fundamental strategy, if you will, is called layered cyber defense. Layered cyber deterrence. Here are the layers. Number one is shape behaviors. That is, establishing norms and standards in the international community so that this isn't a unilateral one country kind of effort. The second is to deny benefits, and that is to strengthen our cyber defense, and that is we are position and it is reorganizing CISA and others will talk about. But the basically the more resilient and that includes plans for the recovery of the economy in the case of a cyber attack. The third is the strategy of deterrence. We have been attacked over and over, over the last ten or 15 years and our adversaries have paid very little price.
We need to establish a clear declaratory policy that if you attack the United States in cyberspace, you will be able you will have to pay the cost, and that's really the fundamental idea of deterrence, and we have to be clear about it and we've got to have our adversaries make the calculations that attacking us is going to cost them. I want to change their calculus when they are making that decision, and that's what the fundamental strategy is that we're going to be presenting to you today. Thank you very much for holding this hearing. Look forward to answer your questions.
Thank you, Senator King. Our next witness is Congressman Mike Gallagher. He is the co-chair of the Cyberspace Solarium Commission. He represents Wisconsin's Eighth Congressional District in the U.S. House of Representatives. He received a bachelor's degree from Princeton University and PhD from Georgetown University. He served in the United States Marine Corps for seven years and did two deployments in Iraq. Congressman Gallagher.
Thank you, Chairman Johnson, Ranking Member Peters, the members of the committee. It's an honor to be presenting the findings of the Cyberspace Solarium Commission and thank you to you and your staffs for engaging so proactively with the work of the commission as we try and turn our recommendations into actual legislation. We start really from a sobering recognition, so her the one which animated the original Project Solarium some six or seven years ago which is is toy the status quo is not getting the job done. I would wholeheartedly agree with Chairman Johnson that we've taken important steps towards reform such as standing up CISA, U.S. Cyber Command for a variety of reasons we get to achieve the speed and agility that is necessary for survival in cyberspace. How do we get there? As my good friend and fellow co-chair Angus King continually me, structure is policy. I'd like to talk a bit about our recommendations related to structure.
First, we believe we must create a House Permanent Select and Senate Select Committee on Cybersecurity in order to streamline congressional oversight and authority. Second, we believe we must establish a Senate-confirmed National Cyber Director that Chairman Johnson talked about to lead national level coordination for cyber strategy to serve as a public voice for cybersecurity and emerging technology issues. Third, we believe we need to strengthen CISA to ensure the national resilience of critical infrastructure, conduct national risk management and cyber campaign planning, and lead public-private collaboration ultimately allowing CISA to compete for talent not only with the NSA to with the Google other attractive private sector companies. Fourth, Commission Ways when he to recruit, develop and retain a stronger federal cyber workforce and thereby close our 35,000 person federal cyber workforce gap. Fifth and finally, we believe we need to strengthen our cyber supply chain. The commission has taken an approach that believes in the power of free and fair competition to breed innovation but it amounts little more to occasionally limiting the access of firms that we don't trust into our markets. I believe this isn't working, consider the competition for 5G with the Chinese Communist Party is able to subsidize their national champions like Huawei, thereby advance the goal of dominating the global market without having to respond to market forces. To counter this the commission calls for investing information and communications technology, intellectual capacity and reinvigorating our investment in research and development. This will cost some money but whether in terms of responding to a pandemic or responding to a massive cyber attack, we believe America can no longer afford to depend on the largess of the Chinese Communist Party for critical technology.
With that I'd like to once again thank Chairman Johnson, Ranking Member Peters, along with my co-chair Angus King as well as commissioners Tom Fanning and Suzanne Spaulding who really made this unique experience was a quality of participation we got from her outside experts, the executive branch and, of course, the sitting members of Congress that I look forward to your questions.
Thank you, Congressman. Our next witness is Ms. Suzanne Spaulding. She's a commissioner of the Cyberspace Solarium Commission and the Senior Advisor for Homeland Security, Center for Strategic and International Studies. She was the under secretary for the Department of Homeland Security National Protection and Programs Directorate from 2011 to 2017. She previously served six years at the Central Intelligence Agency as assistant general counsel and legislative advisor to the director's Nonproliferation Center. Ms. Spaulding.
Chairman Johnson, Ranking Member Peters and members of the committee, thank you for this opportunity to testify here today. I want to touch briefly on the areas that I think can and should be acted upon quickly. Particularly given the vulnerabilities have been exposed by the pandemic. The first is strengthening DHS Cybersecurity and Infrastructure Security Agency, or CISA, as organization that I lead as the undersecretary that DHS is now call. Thanks in no small measure to the work of this committee for which I am grateful. Congress recognized CISA's central role to reduce cyber risks and the commission strongly endorses this view.
With malicious cyber actors targeting hospitals and health research and an at-home workforce presenting a massive attack surface, CISA's work has never been more important which is why we urge Congress to provide the agency promptly with the resources and authorities that it needs, including mission support functions, to be able to be the national risk manager, provide continuity of the economy planning, identify systemically important critical infrastructure, and coordinate planning and research across the federal government and with the private sector. Second, with regard to improving the cyber ecosystem and reducing vulnerabilities, the commission understood that markets are usually more efficient than government and can drive better cybersecurity. We looked at why the market isn't performing that function today. And a key reason is that markets need information in order to be effective. To provide this information we ask that Congress establish a National Cybersecurity Certification and Labeling Authority to help consumers make informed decisions when buying an active devices. Publish guidelines for cloud security services, create a bureau of cyber statistics, promote a more effective and efficient cyber insurance market, and pass the national data breach notification law. Finally I believe one of the most important pillars in the report is resilience. We need to reduce the benefits side in the adversary's cost-benefit analysis. Sometimes the most cost-effective way to reduce cyber risk will be reducing our dependence on those network systems. Developing redundancies, perhaps even analog backup, for ways of interacting cyber ethics. Paper ballots are a way of building resilience into infrastructure, for example. We have a number of urgent election recommendations but I would like to conclude with our recommendation to build public resilience against disinformation.
Media literacy can help but we really need to focus on defeating a key objective of our adversary, which is to weaken democracy by pouring gasoline on the flames of division that already occupy online discourse. Pushing Americans to give up on our institutions, not just election, but the justice system, the rule of law, and democracy. They seek to destroy the informed and engaged citizenry upon which a democracy depends. To defeat our adversary's objective the commission calls for reinvigorating civic education. Help Americans rediscover our shared values, understand why democracy is so valuable that it is under attack, and that every American must stay engaged to hold our institutions accountable and continue to move toward a more perfect union. Thank you for the opportunity to testify, and I look forward to your questions.
Thank you, Ms. Spaulding. Our final witness is Mr. Thomas Fanning, also a commissioner of the Cyberspace Solarium Commission and the chairman, president and CEO of Southern Company, one of the nation's leading energy companies. He has worked for Southern Company for more than 38 years and currently serves as a co-chair of the Electricity Subsector Coordinating Council, principal liaison between the federal government and electric power sector on matters of national security, from terrorism and cybersecurity to disaster recovery. He has previously served on the board of directors and chairman of the Federal Reserve Board in Atlanta Federal Reserve Bank in Atlanta. Mr. Fanning.
Good morning. Thank you, Chairman Johnson, Ranking Member Peters, and members of the committee for the opportunity to testify today. The United States is at war. Virtually unchecked for years, our adversaries have been stealing our intellectual property and disrupting American commerce and our democratic way of life. This war is being waged primarily on our nation's critical infrastructure, mainly the energy sector, telecommunications networks and our financial system.
Fully 80 some of the critical infrastructure of the United States is owned and operated by the private sector making collaboration between the private sector and the government imperative. Cyberspace Solarium Commission was created to reimagine U.S. national security doctrine for this new digital reality. Layered cyber deterrence approach outlined in the Solarium Commission report serves as a practical roadmap to protect, repair, hold accountable, and respond to existential cyber threats. We proposed a three prong strategy for success, reshape behavior on the battlefield, and impose costs on our adversaries, and deny benefits to our enemy. Certainly there is no internationally accepted and civil evacuation deescalation in cyberspace. The first step in reshaping behavior on this battlefield is to define state accepted behaviors in cyberspace to include clear consequences for behaviors that are not acceptable. Then we need to communicate these behaviors not only to our friends but also our adversaries who attack us. Every day American companies like Southern Company face millions of cyber attacks including from nation-state adversaries. With the full support of the private sector, the federal, must advance a strategy to defend forward and an offensive posture in cyberspace through regular, persistent engagement with friends and foes alike. This engagement must include the full weight of the federal government including the Department of Defense, the FBI, the Secret Service and the intelligence community to allow for rapid and effective responses to these attacks. The third strategic prong is deny benefits to our enemies. We can do that by strengthening the critical infrastructures the building and maintain continuity against a cyber attack. We must also take steps to reshape the cyber ecosystem, the people, processes, technology and data that make up cyberspace for its greater security. Finally, we must create a true joint effort between private and federal government.
This includes moving on information sharing to allow common access to collaborative announcement, joint planning and action. It means clearly identifying to the systemically important critical infrastructure and bringing to bear the full resources of the United States government in supporting and defending them from nation-state attacks. Senators, the public and private sectors are true partners in this effort. We must move forward in better harmony. I am confident that the Cyberspace Solarium Commission report and recommendations will help us to do that. I'm happy to answer any of your questions.
Thank you, Mr. Fanning. Let me just quick start out, Senator King. I'm assuming you received the letter from Senator Rounds asking the commission to study catch you up to the point of legislative language proposed in the exact structure before the National Cyber Director. Is this something, is that a mission you accepted?
Absolutely. I talked with Senator Rounds about that last week and I think the questions are good ones and I think it's appropriate we're going to apply ourselves to answering those questions and try to flesh out some of the details of how this new office would work with the authorities and how it would fit in with the federal government.
Thanks. Congressman Gallagher, my second point was giving CISA that subpoena authority so when they identify a threat they will be able to find out who is being targeted by that threat and provide notice. What are the prospects in the bill to accomplish that? What are the prospects in the House?
We very much support the recommendation and appreciate the work that you are doing. Fully support the bill language.
As for the prospects in the House, I can give you a good assessment right now but we are working with the committees and really sort of leveraging one of the unique strengths of the commission, which is that Jim Langevin was he of the House member on the commission, Democrat, has enormous influence within his caucus on these issues. He's a subcommittee chair on a relevant cyber related subcommittee and he's been a champion of this proposal as well as some of the more hotly debated proposals such as the creation of a Cybersecurity Commission in the House. But I just would say we believe that the administrative subpoena authority as called for in the commission's report and as called for in your legislation would strengthen CISA's ability to be proactively detecting vulnerabilities in critical infrastructure and help secure them before they are compromised. The final point I would make and this is very much in line with the approach we tried to take throughout the report, which is not to create a bunch of new agencies with fancy new acronyms, would you take a look at agencies that exist now, particularly CISA and figure out we elevate and empower it and give CISA the tools that meet in order to accomplish its very important mission.
If you can spearhead the effort in the House so we could have, language so it passes one chamber we're not ping-ponging back and forth. My goal would be to get this attached to the National Defense Authorization Act. Ms. Spaulding, you mentioned the need for a national data breach notification. When I started talk about when to do something back in 2011, those are always the first two goals, better information sharing and national preemptive standard for data breach. I didn't realize how incredibly complex and difficult that was. That's part of your recommendation. Do you have a secret formula for actually accomplishing that?
Unfortunately, Mr. Chairman, we do not. We understand that Congress is going to need work to those issues.
Our recommendation was really designed to describe the elements that we think need to be in this legislation and add wind to your sails as you attempt to corral your fellow members into reaching consensus. Because it is something that is so important to achieve on a national level as you fully understand. We have breach notification laws in effect. There are over 50 of them. Every state has their own, and it is difficult obviously for businesses operate across state lines, but also doesn't result in the kind of statistics and information on a national scale that could help, for example, this national bureau of cyber statistics that could help advance the cyber insurance market, would help CISA trying to make cases for the management for return on investment. That's the kind of information that a national breach law could help accomplish.
As you well know we will need a lot of help. I'm not even sure we have our sails up, much less wind in them. Mr. Fanning, you and I've spoken in the past about my concern about EMP as a threat to our national grid. Cyber attacks represent a similar type of threat. Can you give us some assurance that we are addressing these problems so we have the resiliency within our electrical grid? What progress has been made? I'm particularly concerned now that Iran has launched successfully a satellite that's circling the globe and coming up over America probably multiple times a day. That is a big concern of mine.
Yes, thanks. I appreciate our dialogues in the past. One of the points that I try to make is there needs to be comprehensive approaches to all of these issues. In fact, my leadership has been about seven years. We see cyber issues, natural disasters like hurricanes and tornadoes, and that we see the coronavirus pandemic.
What we need to do is have a comprehensive approach where we harmonize the efforts of government with the efforts of the private sector and let's not forget state and local governments and our International Partner whole idea is not a comprehensive approach to this. I would say that every silo of government, and I would say the silos of the strategically important sectors of the economy, have been doing a pretty good job. But what we've got to do in order to advance the ball for America is to harmonize these efforts and collaborate.
Thank you, Mr. Fanning. I'll reserve the rest of my time and turn over to Senator Peters.
Thank you, Mr. Chairman. My first question is for Senator King and Mr. Fanning. In his report recently indicated the Chinese Government has been sponsoring cyber attacks against our hospitals, government networks and our medical research institutions, presumably in search of COVID-19 vaccine research. This is clearly unacceptable. It puts Americans' lives at risk. My first question Senator King is how would some of the recommendations specifically in the support of yours enable us to combat these kinds of attacks we're seeing from China?
Well, first, I think it's important to note that China is a long-range problem in cyberspace. They are clearly active. They want to be more active, and they're coming at us. I think if you go back through our recommendations, number one, we need to step back and start talking about establishing international norms and standards. So that if there's a violation it's not only us that are calling foul, but it's the whole world. I think it's got to be part of the strategy for combating something like what China is doing. Secondly, we're talking about resiliency which are strengthening our defenses. But the final piece that I think is so important is to let the Chinese and whole world know that if you pull something like this, you are going to pay a price. We don't define what the price is.
It doesn't have to be committed, it does have the cyber, it doesn't have to be in a particular price but there will be consequences because I believe that one of the real problems with whole cyber posture has been that we can basically taking the punches without responding, and I want our adversaries to say maybe if we do this we would get whacked. In some way, shape, or form. That's exactly him this is exactly the kind of thing that we've been talking about. And, frankly, one of the things we talked about was if you come at us in a time of national crisis like the pandemic, the response will be even stronger. We weren't showing to the world just two, three months ago.
Thank you, Senator King, well said. Mr. Fanning, as the CEO of a critical infrastructure company, I'm sure you would like to jump in and add how we protect infrastructure from Chinese and others.
It's all over the place, my company alone gets attacked millions of times a day. That's not unusual for any critical infrastructure provider. One of the things I championed over the years and now we've formed, a tri-sector group, guys like Jamie Dimon and J.P. Morgan and Brian Moynihan and BoA and Randall Stephenson, we've developed a joint threat matrix basically modeling what the different kind of consequences and likelihoods are for a whole spectrum of attacks and now we're developing a wish list and they're showing up in the Solarium space, kind of working through our work to make sure that we are consistent with what really is happening in the private sector and what we need to do about it as a federal government. As I can say, an important point in this whole, I think, report, is you don't see very many words like sharing and cooperate. It is collaborate. Since 87 of the critical infrastructure is owned, we have to illuminate the battlefield and share the effort of the intelligence community of our sector specific agency and then the folks that will hold the bad guys accountable, FBI, et cetera.
We have to all work together and all have to be accountable to make sure that we keep America safe.
Well, thank you, thanks to both of you for that answer. We must do more to protect our nation's critical infrastructure from certainly these types of attacks, as you mentioned, many other attacks that are happening on a daily basis and recently I pressed the administration to hold the Chinese Government accountable for irresponsible action to make it clear that this is not going to be tolerated particularly during a time of pandemic and there is going need to be consequences. Whether it's our overreliance on China for medical supplies needed to address the coronavirus pandemic, I think we need to all stand up to the Chinese Government and strengthen our national security and this effort is so important. My next question for Senator King as well is the Solarium's recommendations regarding the continuity of the economy are particularly relevant given the challenges we're addressing here with the coronavirus pandemic. So in the event of a widespread or a prolonged cyber attack on critical infrastructure, I think we all agree the impact could be catastrophic. My question to you, Senator King, could you discuss the recommendations and what lessons do you think we should be learning from COVID-19 for a long-term cyber attack?
One thing we've learned is the necessity of planning, the necessity of thinking the unthinkable, of putting smart people into a room and talking about what could happen and what would happen and how to bring the economy back. I think the continuity of the economy planning and setting that up as a real function is one of our most important recommendations, and you've got to be we've got to be thinking about what happens if the northeast grid goes down or the southern grid, we've got to be thinking about the lessons that we're learning now. Some unanticipated.
Frankly, I think once we get through this awful situation that we're in now, one of the most important things is an after action assessment. What I call an after action assessment, what did we learn? What was missing? What are the critical functions? What are the pieces that we need to be paying attention to that are likely to be vulnerable? Before I finish, also let me mention, the chairman asked the question about breach notification. Senator Wicker, Senator Cantwell and Senator Moran have bills on that, I think they're all good bills and I think there are models that we can go forward, but to get back to the continuity of the economy, I think it's absolutely a critical function. It's got to be strategic. It's got to be specific. And I want to be ready when this happens. It's going to happen, Mr. Senator, it's going to happen. I told somebody the other day, we are seeing the longest windup for a punch in the history of the world, but that punch is going to come. Yeah, absolutely. New for that answer. Thank you, Mr. Chairman. Thanks, Senator Peters. Let me just read off the list of questions in order. Senator Scott, Carper, Hawley, Hassan, Rosen, Romney and Lankford. Now, I don't see Senator Scott on the board. So if that's incorrect, have somebody text me, but right now we'll go to Senator Carper. Thank you. Nice to see you all of you and good luck on so many of Congressman Gallagher, I don't know that I had the pleasure to meeting you, but look forward to that. A and that was before I read your bio, welcome. And great to have in the house. The benefit of being up close and personal watching what we've done and failed to do, and [inaudible] you'll recall Tom Coburn was my wingman on the committee, and accomplished a lot with the support of several of the members here today in this hearing. Just reflect back on some of the steps making you may recall [inaudible] and one of the things we finally did well so thank you.
Great to see you, Senator Carper and thank you for the question and thank you for all of your hard work over those years and continuing to today in your leadership on cybersecurity and other issues, we did accomplish a great deal and I would say some of the most important things were solidifying the authority of what was then the National Protection and programs director again as now. Government operates mostly when it has a clear mission and helping to codify the existing mission of the cybersecurity and infrastructure resilience effort at DHS was a really important step forward so your work on the legislation to codify its operation center, the National CyberCommunications Integration Center very important to get those in place. Codifying its role as the primary central place for the business sector to come with information. All right, and to be the key place that then gets information back out to the private sector. So, clarifying very clearly what that mission is and that DHS had as been tagged with that mission was really important and continues to be important. Resourcing the agency under your terms of budget began to go up and has continued to rise, but really, it was so to begin with particularly with resources. Particularly for the mission support functions that don't get the attention. Typically it's easier for funding for specific program to go out and do something, but the back Office Source for procurement. For acquiring the technology that needs to be acquired, position, for HR, human resources so we can bring in the talent that we need so badly to do this mission. Funding those adequately becomes very important and the commission strongly recommends that. To continue to make sure that the leadership there has the expertise that it needs so we recommended a five-year term for the head of that exactly, so this they can be in there long enough to become familiar and then really move out on a strategy and making sure that we're doing the mission effectively.
So, the things that you started, that the committee has continued to pursue, these continue, but they need to be accelerated and it all needs to be done as it has been to date on a bipartisan basis. I want to thank our co-chairs, Senator King and Congressman Gallagher for leading us in a bipartisan and nonpartisan way. It's the way cybersecurity should be done and I hope will continue to be done. Thank you for those kind thoughts. A friend and former colleague Tom Coburn passed away a little more than a month ago. I'm sorry to hear that. And after a long, long battle with cancer, he left a great legacy and this is just one and trying to build on that. I think you mentioned in your remarks you used the words in order to form a more focused union and part of the preamble of our constitution and a reminder again as much as we tried in the past to do a better job in this regard, continuing to evolve, and sources evolve I remember when 9/11, the 9/11 commission, it was chaired by I want to say a former Hamilton, one of the co-chairs and from New Jersey, and they presented us with recommendation. [inaudible] and we, our committee literally adopted all, but maybe a handful of recommendations. There was great bipartisan leadership. [inaudible] Senator Carper, if I could interject, Mike Gallagher has characterized our commission the work we're doing, we want to be the 9/11 commission without 9/11. That's great. That's exactly what we're trying to do here, to think about how to respond and how to respond in a systemic across the government kind of way and the private sector, but that's the key. The 9/11 commission without north american. Thank you, Angus. And one of the things I have my graduates to hear, aim high, work high, the golden rule and don't quit. One of the areas we don't, we haven't quit in, but don't have a lot to show for is our efforts to undoubtedly create a national approach, a Uniformed National approach. And that's one of our key recommendations.
We look forward to working with you on that. There's so many different jurisdictions and competing issues and interests. With your help and support and maybe a good bipartisan whip finally get to thank you, Senator Carper and certainly appreciate you, again, pointing out Senator Coburn, that was a huge loss for all of us and for the Senate and for this nation. I also appreciated Ms. Spaulding's use of the term nonpartisan. I prefer that to bipartisan, that totally eliminates the thought of partisanship, in what we face and solutions we need to enact. I appreciate that. Our next senator is Senator Hawley. Thank you, Mr. Chairman and thank you to all the witnesses for being here. And the commission. Congressman Gallagher, I want to come back to you in your joint testimony, you said China has fueled economic warfare in trillions of intellectual property and cut our economic competitiveness and I appreciated your focus on this and I appreciated your own work in the House on this issue. So I just want to give you a chance to expand on some of those themes I think are so important. Let me start, but asking you, when it comes to cyber attacks, what do you see? How does China typically operate? How do they typically attack and whom do they typically target and what is it that they seek to gain or disrupt? Well, just quickly, my own awakening on this issue was painful. I spent most of the last decade as a Middle East specialist in uniform not really understanding much in the way that China operated, but I remember vividly getting a letter from the Office of Personnel Management an of the massive hack of over 22 million people's, you know, federal government employees' records saying, thank you for your service, but your records have been hacked and that was a wakeup call for me to recognize that I needed to widen my own aperture and understand what was going on.
And Xi Jinping had just come to power and didn't understand how aggressive direction he would take the Chinese Communist Party. And since then not only the OPM hack, but multiple, a series of attacks that we know go all the way back directly to the Chinese Communist Party, in addition we know that there are certain state champions, Huawei and dt in particular that operate as an appendage of the Chinese Communist Party. And we have the Huawei beamed back information the same time every night at midnight and we pointed out the scale in which Huawei technology has been compromised. So we found nothing to contradict that assessment in our own work on the commission. If anything, we would emphasize the findings of the Blair Huntsman commission, the transfer of intellectual property theft in the order of 300 billion a year, the greatest transfer of wealth in human history. I would say that up to this point and what I alluded to in my opening testimony, we've taken primarily a defensive approach which has been necessary, but insufficient. In other words, we've said, you know, we're going to put Huawei on the enemies list and do a variety of things to dissuade our allies from operating with c krch cc and a positive approach, development, finding ways to work with allied countries on key technologies in order to ensure that we're not dangerously dependent on China going forward and finding a way to make a positive case for American global leadership in a contrasting case with what we've seen from the CCP. Very good, thank you for that. Let me ask you just a little about a closely related topic which is our supply chain vulnerability, particularly as it relates to China. The report to acknowledge our extended supply chain threatened and the U.S. ecosystem, the economic system and I have been an advocate for reshoring, onshoring. Can you elaborate on the risk management techniques and what role do you see the private sector playing?
Absolutely, so we recommend, and I believe recommendation 4.6 in our report, that Congress directs the government to develop and a an Information Technology industrial based technology for more untrusted supply chains and communications technology. So, this starts with a simple identification of which technologies are critical and where we have single points of failure in the supply chain so that we're not discovering the single points of failure in the midst of a crisis, which I would submit we are in some cases with advanced pharmaceutical indicators and medical equipment right now. We're asking the government with enhanced CISA and cyber focus to identify proactively where are the areas where no kidding, we either have to bring that manufacturing back to the United States as you've had multiple pieces of legislation aimed at doing that, but potentially, also, work with partners. So, for example, when it comes to semiconductors, Taiwan is an obvious target for enhanced cooperation. And I believe the administration right now is exploring some sort of deal with TSMC, a major Taiwanese semiconductor company, know in order to build certain things in the United States. It's identification of our domestic and our allied itc industrial capacity and identifying those key areas of risk where a foreign adversary could potentially restrict the critical supply of technology or intentionally introduce compromise at a large scale and that should affect our direct investments in those key areas or our investment in research and development. That's really good. Tell me what role I think the private sector plays here and how we get a balance of both requirements and also incentives to help the private sector get to where it needs to be. I think this is one of the major things we wrestled with, throughout the commission's entire work, which is to say, how do you get that balance between, we don't want to sort of out-CCP the CCP for lack of a better word.
We can't adopt a one size fits all heavy-handed top-down series of regulations. And how do we instead pursue that incentivizing approach and what we've sort of landed on, there are simple things that we can do to incentivize the private sector rather than mandate they do certain things. For example, one of the examples in the report is mandatory penetration testing for publicly traded companies. So that they have to invest more in cybersecurity. Because what we saw time and again is that wherever the C-suite did actually prioritize and take cybersecurity seriously, those companies outperformed their competitors. We would like to, for example, over time, see certain best practices that are emerging right now become the industry standard. So, for example, there's something called the 1-10-60 rule, where you're able to detect an intrusion in one minute have someone look at it in 10 minutes and isolate and quarantine in 60 minutes. By incentivizing the C-suite to invest in cybersecurity, we believe over time best practices like that could become the norm. And I would say and Suzanne alluded to it, we'd try to adapt an approach that harnessed market forces so that the private sector could step up and respond to a clear incentive that the federal government is setting. Very good. Thank you. Thank you all. Senator Hawley, I'd like to touch on your question for a moment. Yes. The supply chain. Number one, we've learned in the COVID situation how critical the supply chain is and what a mistake it is to rely on supplies for critical materials outside of our borders. The second piece is, we have to realize that the Chinese are integrating economic policy with intelligence and national policy by subsidizing things like Huawei to make it cheaper in order to insinuate itself into the nation's or the world's internet infrastructure. We have to realize the cheapest may not always be the answer and maybe a little premium on the price is an insurance policy.
Because historically we've said we'll get the cheapest wherever we can and that's going to bite us. And supply chain, we just have to analyze every piece of military equipment and piece of critical infrastructure and say where is it coming from and is it safe? I think you've identified one of the most serious issues that's facing us, it's not going to quit. Thank you for that Senator King, and thank you for your leadership over many years on this issue and a privilege to serve with you on the committees that we do, thank you, Mr. Chairman. Thank you, Senator Hawley. Senator Hassan. Before this hearing and thank you to our panelists for your work. All the effort that you've put in and for being with us in this new remote hearing world we live in. Senator King, I wanted to start with the question to you. The comprehensive report outlines many key steps that the federal government can take to mitigate cyber attacks. However, the report is relatively quiet on how the federal government can help strengthen state and local governments' ability to prevent against attacks. Recently the National Governors Association wrote a letter to House and Senate leadership asking for funding to help state and local governments defend against crippling cyber attacks amid the COVID-19 pandemic. Before this crisis, legislation was introduced to both the House and Senate to create a sizable federal grant program for state governments. We know that it's only as good as our weakest link to the last point they were making, and we have the cyber resiliency, down to our smallest localities. Did you examine the possibility of federal support for state and local cybersecurity? If so, what were your conclusions? We absolutely did. And in fact, a major wave of ransomware attacked our cities and towns. We've had small towns in Maine, that I've talked about this, that had hits of ransomware. I think there was something like 45 mentions of state, local, tribal government.
But here is what we wrestled with, we believe and we advocate for the creation of a fund to assist states and localities in dealing with these issues, not only money, but technical expertise, which CISA has throughout the federal government. But part of it, part of the thing we wrestled with is what I call moral hazard. We don't think the federal government should relieve the states of their own obligations to protect their own networks and to do what's necessary. So, what we've proposed was a matching program, where it would start with a 90 federal share, 10 match for improving critical infrastructure on the state level, which year by year would scale up and end up 50-50. We want the states to be engaged as well. We don't want them to say, well, cybersecurity is a defense job, that's not our job. That won't work. That's the way we approached it, but we understood and working with the states on critical infrastructure is absolutely important. I mean, it's elections, National Guard has a role to play here. I think there are a lot of ways that we can integrate with the states properly, but we need to, it needs to be a shared responsible, I guess is the way I would put it. And that was the commission wrestled with this, but that's the way we came out. Well, I thank you for that. I would make the note and New Hampshire has seen ransomware attacks on very, very small jurisdictions, tiny systems. When it comes to town meeting time or state budget balance, what you don't want to do is having the matching obligation be so great you put at risk federal cybersecurity because a small town can't meet a cyber obligation or a state has to cut its budget to balance it so those are the things that we have to think about. I wanted to move on to Ms. Spaulding and I wanted to build on something that Senator Johnson asked about. As you know, one of the Solarium Commission's recommendations is for Congress to pass the cybersecurity vulnerability identification and notification act.
The bipartisan bill passed our committee and Senator Johnson and I are continuing to work to pass the bill into law. Ms. Spaulding, drawing on your experience at the Department of Homeland Security can you explain why CISA needs the subpoena authority particularly in the context of the COVID-19 pandemic? Yes, Senator, thank you for that question and thank you for your efforts to try to get this authority passed through Congress. It's something that we have needed for quite some time and going back to my time at DHS. DHS has the tools to scan the internet for vulnerabilities, for known vulnerabilities, to find systems that are publicly facing the internet, that we can tell have the vulnerability that we're looking for. What we cannot do without a tremendous amount of effort, sometimes not at all, is to identify then who owns that system so we can reach out to them and warn them. So this would be an administrative subpoena. The folks who have the information about who owns that system are the providers, the ISPs, the internet service providers. So what we need to do is take that IP address which the tools allow us to know and go to those providers and say, we have found this, it looks like an industrial control system, which is something that may power our critical infrastructure, it could be in the energy infrastructure, transportation, you know, all kind of infrastructure, and we see that they have this very dangerous vulnerability that an adversary, a bad actor could exploit and cause problems. We don't know what its and we can't tell them. Thanks for that response and I look forward to continuing to work with Senator Johnson and members. Committee on getting that legislation passed. Ms. Spaulding, I also wanted to talk to you about cyber threats and health care. Prior to the pandemic, the health care sector was in part of malicious actors and with COVID-19 and the hospitals. I'm worried that it could be a threat to human life.
And it's not just a warning that some nation state backed actors are targeting COVID-19 medical research efforts. Obviously, that's very concerning. Can you help us understand what we can do right now and going forward to improve the resiliency, including the threats to these medical research facilities? Yes, Senator, such an important point and it's addressed by our commission recommendations a number of ways. This is really the kind of event, series of events that, for example, could be covered under this cyber state of distress that we talk about in the commission report, which is falling short of the national emergency where you've got physical destruction and consequences along the lines after hurricane or a super storm. But are beyond the routine day-to-day occurrences that we deal with every day. The attacks during a pandemic on this vital structure could rise to the level of the cyber state of distress and the key there is that it would trigger the ability for CISA particularly to use fund to tap into a response and recovery fund to scale up, to go out and help these researchers, these facilities that are being attacked, the hospitals, our health care providers, and to bring in additional resources, particularly to call on assistance for experts within the DOD or the intelligence community and where we have to reimburse them. So, that's a key part of that authority. And really critically important. Well, thank you, I see I'm over time, Mr. Chair. If this is time for additional questions, I have one more for Senator King which we can do later on on the National Guard. Thanks. Sounds good, Senator Hassan. Let's go Senator Rosen, Romney and then Lankford. But Senator Rosen. Thank you, Mr. Chairman. And I thank you, Ranking Member for bringing this great hearing today with amazing witnesses. Thank you for your work and especially my colleagues, Angus King and of course, Congressman Mike Gallagher. We were freshmen in the House together and we were both founding members.
Bipartisan caucus and a lot of great work there and great to see you're continuing with that and look forward to seeing what you're doing. And you know, we know that the cyberspace commission report and this is widespread in the public and private sector. As a former computer programmer and systems analyst I've introduced a number of bipartisan bills to promote our cybersecurity work force, including legislation to prepare our Junior ROTC candidates for careers in cybersecurity, build support of apprenticeship programs in cybersecurity modeled after Nevada's in-state cybersecurity apprenticeship program. So Ms. Spaulding, what do you think are the additional forward-thinking solutions that Congress can offer to provide our business communities, our government, with the skilled work force they need to strengthen our nation's cybersecurity infrastructure and protect Americans from bad actors and even considering what is happening now in the pandemic and COVID crisis, also addressing retraining. These are jobs that are going to continue to grow where other jobs may not come back as robustly. Senator, thanks for the question and thank you so much for your efforts on this really important issue. I noted it earlier and I think making sure that we are doing everything we can to build the talented work force that we need on the scale that we need it across this country. It's a huge challenge and something we all need to tackle. We have a number of recommendations for the commission report along these lines and one of the most important and sweeping is to build and continue to build on the things that are working and that we think are successful and certainly, the scholarship f for we think is important and where the government reaches out early on to encourage students to study cybersecurity, helps them with their education. And then they have a job with CISA or others across the government where I used to say to the private sector, I'll take them right out of school.
I'll give them on-the-job training. I know that you in the private sector will then lure them away with higher salaries, but I believe that a number of years after they've put their kids through college they'll come back to government because they'll miss the mission and often times the audience would laugh, but I know that you know what a strong draw that mission can be. I think it's also important to focus not just on recruitment, but retaining that cyber work force. One of the things we worked on at DHS is the importance after inclusive work environment so wh you've succeeded in, for example, teaching girls to code and recruiting women and a diverse work force, women and minorities into the cybersecurity work force, you retain those talents by creating an inclusive work force. So those are the kind of things that we looked at and really important program for Congress to continue to support. Senator Rosen, if I could, could I join in and provide another answer to that question? One thing, and this sounds minor, but it can be major, we need to work on our security clearance process. That's my next question. Well, we've been doing a lot of work on it on the Intelligence Committee and I know of people who gave up after a year or more of waiting. And I must say the administration has improved that considerably, the backlog is down. They're working better on reciprocity so if you get a security clearance for one agency it can apply to another. But that's one of the issues. The other thing we talked about creation of a program where you could get some scholarship aid and then make a commitment when you came out, but you're absolutely right to focus on this issue because if we don't get the talent, we're in trouble and we need, I think, Mike Gallagher mentioned at the beginning, a shortfall of like 35,000 people across the government that we need in the cybersecurity area. So, it's one of our most important priorities. And hundreds of thousands across the country.
And I was pleased that last December my Building Blocks of STEM bill did pass which is going to promote STEM education for young girls and thank you for answering my security clearance question. That was my next question. I do think it is hurting us in government. With the short time I have left, I want to talk about protecting data through cloud services. So, Senator King and for Ms. Spaulding, quickly, what can the federal government learn from the private sector's experience in migrating to the cloud services? How can we better partner with that to be sure that we're able to do that? Let me start and I'll turn it over to Suzanne. The movement to the cloud can be a very positive development because you don't have, you don't have all of your data in 10,000 locations all of which are vulnerable, but that means that the cloud itself has to be more secure and we could do talk in the report of developing a security standard for cloud-based services so that companies and governments, whoever wants to use a cloud service can have some knowledge, some assurance that they're dealing with a secure service. Suzanne, do you want to touch on that issue? That's exactly right. We, the commission felt strongly that we really wanted to encourage folks to move to the cloud for many, really, for most, that's going to be a more secure environment. You're going with to have real experts who are securing that data. But not all cloud service providers are equal and so, we thought it was really important again to rely to try to push the market by providing information for folks on whether which cloud service providers meet certain security standard. If we're going to encourage folks move to the cloud we have to make sure that the cloud environments are indeed secure. So our recommendation is for the development of guidelines and that those guidelines be public and folks can see whether cloud security providers are indeed providing a secure environment.
It can't just be that it goes to the lowest bidder. I think you're right. I think we also have to include just not national cloud services, but think about our international security as we share data across borders, global borders, that's important to secure that as well. Thank you so much. Thanks, Senator Rosen. Senator Romney. The part of this discussion, it is a bit of deja vu for me because many years ago when I was serving as governor in Massachusetts, I was part of the Homeland Security Advisory Committee and we came together and spoke about this topic and felt that we were behind and that there were actions we needed to take if we were going to be effective in protecting our cyber space and what is somewhat alarming is to find we're still talking about it and not as much as I might have anticipated being done has actually been done. And so I'd like to focus for a moment on what it is that prevents something from happening. We, in an authoritarian regime the person in the top can demand that something happens and everybody jumps or in the case of Kim Jong-un they found themselves, you know, no longer breathing. So, we don't have that model. I'm not suggesting we do, but we have to use the tools that we have and so I'm going to ask Mr. Fanning to begin with, is there not a potential to create a lot of pressure on the coming from the corporate sector on the White House? We need to have the White House get fully behind this because it's hard at the congressional level for us to push a string uphill. I'm mixing two metaphors there, but nonetheless it's hard to do it from the bottom up. Would it not be helpful if the corporate America shouted we need the federal government to step in here to provide the following elements to get behind this report? How do we do that, Mr. Fanning, and why hasn't it happened so far? Senator Romney, great to see you again. Look, I think that's happening.
The fact that all of the critical infrastructure in America has been working with their sector-specific agencies. I think the issue is really now how do we harmonize and collaborate with all of the government? One of the important facts, I know with your background, you'll get here is that not all private sector is created equal. We've called a designation of sticky, but it's systematically important critical infrastructure. So working through CISA, a risk-based approach, what the most critical is in America and we do that at the asset level. So we identify assets that can either prevent major loss of life, significant economic disturbance, or prohibit or hurt our ability to defend ourselves, to fight back, to see, to listen. And so, what we're doing is to identify the most critical assets in America and then, evaluating the layers around those assets of the private sector to really work with the federal government. And in my opinion, it's not just a voice that says you need more. I think the private sector has a special obligation in this new cyber digital world that we are in to join in the effort and defend America, to join in the effort to have a special relationship with the Intelligence Committee, sector-specific agency, DOD, et al to create a more that why we have the sticki and framework that will carry this out. You know, as I walk the halls of Congress and work in the administration, my sense is there is a great desire to have this happen. We are not without motivation. And really, I think it now says we've got to pool that effort and direct it in a certain way. I think that the Solarium Commission report does that. I certainly hope so. Senator Romney, can I touch on that for a bit? Sure, Angus, go ahead. I have a life principle, structure is policy. If you have a messy structure you're going to have a messy policy and right now we have a structure in our government that is, we have really good people in agencies, CISA, and Cyber Command.
There's nobody in charge. Going back to my business day I always like to have one throat to choke and that's the National Cyber Director. We need somebody at a very high level who can oversee and coordinate and work on the planning with all of these different disparate parts of the federal government that are working on this. I think that's an absolutely critical need. The other recommendation, which hasn't gotten much discussion today is, we recommend that the Congress reorganize itself and develop select committees on cyber because we've got cyber jurisdiction is scattered across, I've heard as high as 80 subcommittees in the Congress. It's very difficult to get anything done. Now, that's going to be difficult because I'm on Intelligence and Armed Services and we're talking now to Homeland Security. People are going to have to give up some jurisdiction in order to gain a more coherent approach to this issue, both in Congress and in the executive branch. So, you're onto something and you know, you want some centralized leadership and if you're governor or you're president and you want somebody you can go to and say, I want this to work. But right now, if you're president you have to go to a bunch of different places and that's our goal here. I fully agree. So one question and five to go, I have one minute to go, I'm not going to get them in. But I want to ask of Ms. Spaulding whether or not the intelligence community can say tear down the barriers between us and let's go to the White House and get the White House behind it. Would strike me if the head of the CIA, Department of Defense, Secretary of Defense were to say to the president we really need to have this one person, we need to restructure this in the following way, that's going to happen. But if the White House is dragging its heels on this, it's not going to happen. So, is there, I mean, can we get support from the leaders of the, if you will, the agencies that deal with this topic to get behind this principle?
So, one of the advantages that we had on this commission, Senator, was that unlike any other commission I've been involved with, and I've been associated with many, we have people from the executive branch sitting on the commission. And they attended every meeting, all of our nearly 30 meetings over time, and while they were not in a position to sign onto the final report, given the separation of powers issues, et cetera, I think there's a strong understanding of the need to coordinate and to have coordination at a senior level for cybersecurity efforts. And the intelligence community is an absolutely essential part of that effort. So I would like to think, along with you, that we can get consensus around the need for this coordination effort and push this through. Well, thanks, Senator Romney. By the way, this hearing is clicking along pretty quick. Senator Hassan, if you'd like to ask another question, stick around and I'll give you an opportunity to do that. Senator King, pass add bill a simple bill and under Homeland Security, making it difficult for the department to respond properly to Congress when you're going to that many different committees. Similar concern that you have in times of cybersecurity, we couldn't even get that simple commission established into law to take a look at it. That got kiboshed, but I'm happy to work with you on both issues because again, this is a little insane in terms of how, you know, dispersed the congressional authority is on both cyber as well as homeland security. With that we'll turn it over to Senator Lankford. Thanks, Mr. Chairman. Thanks for the hearing, I've got a ton of questions like Senator Romney was talking about before. Congressman Gallagher, let me ask you a question. What is the difference as you would see this between the National Cyber Director and what CISA is doing now? Congress has a bad habit of saying this is not working as we want to and we'll leave that in place and plus, add another thing onto it.
We're talking about CISA and elevating it, or two different things and it works for the National Cyber Director? What's the difference? Well, CISA in the first instance we're recommending elevating and empowering. In a variety of simple ways that might surprise you don't already exist. For example, start at the top, we shift the director to a five-year term, increase their pay, push for resources and authorities to elevate their stature in the federal government. But CISA is always, and Suzanne, having worked in this job, is the best person to talk about it, in my mind always going to primarily have the mission of defending critical infrastructure, defending the .gov space in a way that CYBERCOM defends the .mil space. The biggest impact is giving CISA to do threat hunting on .gov networks so they can defend prior to the attack, and the National Cyber Director in my mind has a more coordinating function, that is making sure that CISA in performing that mission is working well with NSA, with CYBERCOM and all the other federal agencies that play in the cyber space. The advantage of the National Cyber Director, particularly one Senate-confirmed and therefore in theory more responsive to Senate and House oversight, is that proximity to the president, having the ear of the president and hopefully enhance their ability to coordinate across missions and do long-term planning at CISA, sort of the fight on a day-to-day basis. More of an ODNI-type structure? You know, we did look at the ODNI structure and debated it as a model for National Cyber Director. Ultimately we had something more modeled to the trade director. We found it's interdisciplinary, it's functionally oriented and institutionalized with Senate-confirmed leadership and situated within the Executive Office of the President, but this is really one of the more robust debates we had on the commission. Suzanne, you wanted to add to that. CISA coordinating across the area.
And denied benefit asset response function. So this National Cyber Director would bring together the defensive and offensive planning to make sure those things are coordinated and working in a synergistic way and not at cross-purposes. And bring in Title 10 DOD authorities into that broader whole-of-nation, whole-of-government planning. So civilian role, not a military role, for this position? That would be our recommendation, yes. To be able to do the whole-of-nation work for the private sector. Thank you. Senator King, let me ask you about the select committee proposal here shifting out. You and I have talked about before that our committee structure was designed in a way that it never should have been designed. More accidental as designed. And over the years agencies created and Congress has not kept up with the structure of the House and the Senate committees, it's more and more chaotic and trying to hold people to account. Trying to do another select committee and able to strip those away, is it easier to create another select committee and easier to land them in a committee? It's pet better to strip away and I think the intelligence committees, they didn't exist before the select committees and there was a realization after the Church Committee there was a need to have one committee with special expertise in a technical area. And we're talking not only CISA, but military aspects. CYBERCOM, NSA, the intelligence agency. So I think there's an argument, a good argument to be made that a special select committee and frankly, one of the things we talked about was having the membership of that committee be the leadership of the various committees such as this one. They would, that's who would be the members, the chair and ranking member or designees.
I think there's a way to do it and I realize that jurisdiction is life around here, but I think this is a moment like the '70s, where there's a specialized area that's incredibly important to the future of the country, and right now, as Senator Johnson said, you can have a very simple bill and it takes years, and I don't want to go home after a cyber attack and say, well, Congress really, we were talking about that and there were a couple of bills, but four different committees that had jurisdiction and it was really hard. I don't think that's going to wash with my constituents. Nor should it on that. Let me ask you a question about standards I saw in the report multiple different times to be able to push private sector to have better standards, higher standards and creating a standard. Spent a lot of our conversation on the Internet of Things. Once you hit a government standard it doesn't take long for it to scale in the cyber world. You've got a lot of technology and innovation. By the time the government any agencies set the standard, it's out of date. How do we keep a standard from slowing down innovation? Well, you raise a very important point. The standard shouldn't be thought of as a static certification, rather, a lot of the standards that will be certified will include a process to evaluate gaps in the future. To evaluate how to improve whatever it is. It will also be kind of weighted by the importance in the critical infrastructure of America. In other words, if it's thought of to be incorporated into this systematically important infrastructure, it will have a much higher standard, a much quicker response time. So look, I think the private sector, in working with government now, in collaborating, not cooperating, has a special burden to work to make sure that whatever we do fits the national interest.
This will be benefits, so if there's more for us to do and perhaps it's more expensive, I think the benefit will be that you will have a real-time evaluation of the battlefield. As I mentioned, you know, the battlefield of today is the electric network, the telecom and the financial system. We've got to make sure that our stuff works, and if we can get real-time evaluation collaborating with the intelligence community, specific agencies and folks like DOD, we'll all be better off. I think this is a big carrot for private industry. Governor. Thank you. Thank you, Senator Lankford. I see Senator Sinema. So if she's ready to go, she can go. If senators have a question, use that raise-your-hand function and we'll start with Senator Hassan after Senator Sinema. Are you there? Yes, I am. I want to thank you for holding this hearing and thank the witnesses. As we navigate the pandemic, we look at cohesive strategies for public safety, and the pandemic has shown the need to fortify our cybersecurity. Overnight many Americans expanded their virtual footprint through virtual work, telemedicine. We will face challenges from the coronavirus pandemic to assure networks are secure, this makes us ask whether the United States is prepared to recover from a potential cyber attack. I hope we can look at this through the lens of the ongoing pandemic and what we need to tackle now so we are better prepared for the next crisis. This report was published to implement social distancing protocols and stay-at-home orders in response to the pandemic. The pandemic has caused the rapid transition to greater reliance on virtual environments. Can you expand on recommendations that are most critical to prioritize given the new environment? Absolutely right about behind risk environment we face in the context of this pandemic. There are a number of things, we have this at-home workforce. Everyone is using home routers and Wi-Fi networks to interact.
One of the recommendations we have is for national certification and labeling authority, and this is the kind of thing that could get up and running quickly. It is like an Underwriters Laboratory, and it would help provide information to consumers as they look at securing purchasing devices like webcams but we now have been malicious activity vectors, how to evaluate their purchases from cybersecurity perspective. That is critically important to continue to inform the public how to make life choices, but also for our business owners, critically important around the Internet of Things and industrial Internet of Things that they have the information they need to make informed decisions as they purchase equipment, strengthening, making sure it has the resources it needs to do the outreach to the American public and business community, to let them know when we see heightened activity, how to secure their homes, devices they already own. These are things that can be done right now and there's a strong sense of urgency. In the chairmen's letter introducing the report, U.S. Congress and Gallagher state clearly election decrees must be a greater priority. One of the key recommendations is Congress should improve the structure of the commission to help states and localities better protect election integrity. The secretary of state shares with me the importance of federal assistance in helping Arizona's effort to secure elections. What step can Congress take to gain bipartisan support for these recommendations about cybersecurity, and I pose your same question to Congressman Gallagher. Two thoughts. We need to stabilize the funding of the convention and enable it to do its job. We have an interesting recommendation. The commission is set up on a bipartisan basis and the problem is it is deadlocked and can't take any action.
We suggest the appointment of a fifth commission with technical expertise who can only vote on cyber-related issues, and this will break the deadlock on the issues we are talking about to enable us to actually do this important work on behalf of all the states. Stabilize funding, limit their vote to cyber-related issues, to break the deadlock so actions by the commission can move forward to deal with this critical issue. We miss you in the House, it is great to see you again. Not mutual. In addition, the fact that something Mrs. Spaulding said earlier is we are very much coming in favor of paper balloting and auditor paper trail and the Cyber Commission having such a recommendation, addition to stabilizing the commission we have a recommendation to streamline, modernize bug grant funding for states to improve election, and we are intrigued and try to recommend ways where funding from the top down, how can we take advantage of the bottom up, they are providing free cyber literacy to campaigns and we think that is a good thing because a lot of time top-down funding is dependent on the individual personalities in those states, so we need a mix of top-down and bottom-up going forward. Thank you. On a personal note, congratulations on your wedding, and one day I will see you in the gym again. Thank you. I don't see you hanging up. Do you have a question? I do. This is to Senator King, thank you for superb discussion. The commission's report includes recommendation for the National Guard to help prepare for cybersecurity incidents, yet as you point out the Department of Defense policy doesn't provide clear guidance to what the National Guard can conduct or whether these can be supported by federal funding. In the ongoing issue in my state, what do you think is the best mechanism to engage the National Guard that decrease cybersecurity vulnerabilities. You believe they are sufficient, to the preventive measures.
I distant was the word authority to guidance, the authorities are sufficient and the Guard can be a tremendous asset to the states in this situation because of their technical abilities. What we believe in the commission recommends is clarification of guidance from the Department of Defense that would allow reimbursement to the Guard under Title 32, so that should be cleared up fairly straightforwardly and that is our recommendation. The Guard is a tremendous asset, let's use it and not have obstacles. When the Guard does cybersecurity work with the state there is federal interest in it too. There sure is. A huge federal interest. That was one of our specific recommendations. Thank you, take care. Senator Romney. The line of questioning you describe with regard to China's intrusion was really quite revealing and very effectively presented, and you made the point that we as well as our international partners need to push back against the intrusions being made by China. How do we go about doing that? There is a mood not only in our country but around the world, everybody pulling back with this America first, France first, people becoming less associated on a global basis to saying how do we work these things out together, but the only way to get China to be dissuaded from the courts is if we and other nations that follow rules of law, if we come together and say, China, if you keep doing these things you no longer have unfettered free access to our markets, we will respond collectively. You can't have access to any of our markets, but I am interested in your thoughts, how do we get there? Does someone else lead it? How do we create recognition on the part not just here but around the world to come together and push against the most malevolent actor, which is China? I think it is the question we are grappling with the next few decades. My view is I see moments and for decoupling from China will continue in some ways regardless who is president in 2021-2025.
This is my view outside district text of the commission report, the smart way to avoid, we can't make everything in America, weaning ourselves off dependency on China is to harness that made-in-America energy into more print partnerships. Taiwan when it comes to semiconductors, there's an obvious opportunity when it comes to rare earth, and what we recommend, the 5G space, pooling our resources with like-minded countries that have expertise in this space in order to not just say Huawei is bad but we as a free world have a better product and more secure product we can offer to you, and it will cost a little more but will not be cost prohibitive. That's the general direction we are trying to push our cooperation with allies, with a variety of smaller recommendations elevating the secretary of state position to facilitate cooperation with allies. To tie it to the question you asked earlier, it is hard to deter the Chinese Communist Party at present, we believe this is further evidence of the need for clear declaratory policy, and we are recommending a strengthening of the existing declaratory policy above the use-of-force threshold, if you attack us we will respond, but also promulgation of a second declaratory policy below the use of the threshold so China can't do what reports suggest it is doing, hacking companies to gain access to information on a coronavirus vaccine without fearing the consequence. There is a lot, I apologize for going on. There is an important principle, you hit on a key question. Churchill said the only thing worse than fighting with allies is trying to fight without allies. China has clients and customers, we have allies, and we don't take sufficient advantage of that, and one of the recommendations is a new position of assistant secretary of state for international norms in cyberspace, sitting with the guard rail saw.
Of China violates them they are not just facing sanctions from us but from the entire world, and they are above all else sensitive to economic responses. It is going to be a lot more powerful than if it is unilateral from our side. Part of the answer has to be what we talked about in the report, the importance of elevating norm setting and talking about how we can provide international guardrail activity. Thank you to both of you. Senator Lankford. It is part of my question as well. Talking on a nation-state, we have a problem with cybersecurity individual actors, it is difficult to hold them. It is a great story, two Romanians living like the Kardashians stealing bitcoin from people all over the world, buying on the dark web information and putting out ransomware, they hit on some on Pennsylvania Avenue through our security cameras, took over security cameras on Pennsylvania Avenue, caused an international incident, they didn't know what they had, just doing ransomware. Getting to arrest them in many countries, whether in India or South America or Eastern Europe, we have actors that are doing this and finding increasing difficulty of looking working with local governments to hold them to account, so a lot of the conversations have been about nation-states. What recommendations do you have? What are the options we have? That's one of the tough things about cyber, it changes all the power relationships, you can have a small country like North Korea but can also recap act. You don't have to be a superpower in order to play effectively in this area. This is another place where there are two sides in and one is improving resilience was we haven't talked about that today but to really upgrade our game in terms of protection, and you talked about an Underwriters Laboratory label.
It would be voluntary, consumer driven, but have people be careful about what they are buying, and this will become more important as we go to the Internet of Things, not only a router conspiring you but might be your microwave or your car for sure. We have got to be better at defense, but back into the international piece, if we impose sanctions on two guys in Romania they may not care, but if the sanctions are imposed by Hungary, Austria, Russia and their neighbors and maybe Romania, we can get after them. The international cooperation is a way of breaking down national barriers for law enforcement so that we go against some of these people wherever they are, and we are trying to expand our reach and that means cooperating with our allies. There is a school of thought out there that we engage with and continue to debate with that this is why deterrence is not possible in cyberspace. We believe it is, because at the end of the day we are not deterring cyber or cyber instruments but human beings using those instruments, so we are touching on a problem of attribution to improve capability, and we have a variety of recommendations like codifying and strengthening agencies that already exist like the Cyber Threat Intelligence Integration Center so they can better partner with the private sector and arrive at a cultural change where they are more proactive in sharing results of rapid attribution with the private sector entities that may be the target of lone actors you identify. It is not just attribution but a significant challenge of enforcement, a group of folks in Pakistan that decide to do this and we believe this is one of your citizens and we say we believe it is not, what do we do?
We have some recommendations to strengthen the FBI's ability to break law enforcement tools to the nation effort and including strengthening their overseas presence, and recommendations that strengthen mutual legal assistance so in countries with cooperation where you build relationships, being able to provide assistance to the country where the league might be based so that you build a relationship that when you need information from them they are willing to cooperate. It would be helpful because it is an ongoing issue, whether it is robocalls, Social Security recipients or cyber threat or toward stealing credit card numbers, we have a global issue on this. Right now we don't have a lot to put pressure on nation-states to put pressure on individuals to knock it off. We don't have leverage. Our focus is on nation-states more than it is on individuals in nation-states. We have to have a balanced appreciate your work, didn't put a significant time on this. We talked multiple times about the number of hours we spent on this, so thanks for all the work piling this together. Let's make sure it doesn't sit on the shelf somewhere. We agree. I see Senator Hassan, do you have a question? Our comment and reminder, this committee passed an Internet of Things standards bill that said when the federal government purchases Internet of Things, certain security standards have to be met, so we have something passed out of committee we might be able to work from to keep pushing on, so I wanted to make that note. Thank you. One last question for Ms. Spaulding and I will give the witnesses a chance for a closing comment and do it in reverse order starting with Mr. Fanning, but you mentioned the commission recommending most people transfer data into the cloud. Makes sense.
You would assume cloud has the best security versus smaller actors, but can you provide some assurance, the power of that is the fact that there is a huge disbursement of all this data across 1000 companies and now we have all our data eggs in a few very large baskets that if security is breached it could represent a big problem and make a big mess. Can you address that aspect of it? It is an excellent point and it is something in 2016, we looked at the decentralization of elections across the country and a way of mitigating the risk of a national impact from hacking activity, but if you look, that's a good example, if you look carefully at that, particularly in states, counties and locations around the county where there might be a close election, that decentralization does not buy you protection. It is biodiversity, if you will, the diversity of systems making it more challenging for the adversary. What we have seen is the adversary is able to overcome a lot of that. We've seen broader attacks in which the adversary takes over, hundreds of thousands around the world, we realize we are not getting as much benefit from that distributed network. If you have secure cloud providers, increase your overall security assistance. That is the point we emphasize, our recommendation. You need standards, security standards for cloud service providers. A national certification of those services. The certification of the kind of equipment purchased and guidelines and making sure cloud service providers meet relatively high level of security standards. Mr. Fanning, do you have closing comments? Yes, thank you for your leadership, I always enjoyed our chat and your whole committee is doing the Lord's work here. Let me say this. We didn't talk as much during this hearing about the importance of the collaboration between private sector and government.
Is it going to be a government-led issue in my view, because so much infrastructure, you need to join the obligation, and there are important issues that arise out of that really different from the way we think about it today. One of the clear examples is continuity of the economy. The old model, reliability. There was cost associated with an outage and we could figure out how reliable the equipment was to prevent that cost. The notion of resilience says this is how my system operates under abnormal conditions, whether it is a hurricane, snowstorm or cyberattack. The only way that we will be able to continue the economy and provide an American way of life we are all used to is for the private sector to work with the federal government and state and local governments, whether it is the governors themselves or state and local government, to really think about a different way to turn the economy around and get us back on our feet. The commission's report deals with a lot of those issues and it is important to consider the ramifications of that going forward. So thank you for your time, appreciate it. Thank you. Ms. Spaulding. Thank you for your leadership on these issues and giving us the time to talk with the committee and answer your questions and talk about our commission report. I thank our outstanding leadership earlier but I want to thank Tom Fanning. An outstanding contributor to the commission report bringing that valuable insight, but I know from my time at DHS when we worked closely together with the Electricity Subsector Coordinating Council, which he has chaired for such a long time, that he is somebody who really gets this issue and is out there every single day trying to make sure our infrastructure, not just in electricity but a critical sectors, will be there when the American public needs it.
This is an exercise not in risk elimination, this is risk management and resilience, ability to be reliable but is baked into the sector, such an important lesson to spread across the country, but thanks very much. You are up to the plate. Thank you for this opportunity. I would add that we very much view our unique makeup of this commission as an asset, not only with participation from outside experts but in sitting legislators, as a way to avoid the report collecting dust on a shelf somewhere. Your staffs have been excellent in terms of working with us and our staff. We hope to continue that partnership as we fight to get our recommendations in the National Defense Authorization Act and other legislation, and we are at your disposal in terms of anything you need from us as we debate these issues and didn't solve anything in this report. We intended, if nothing else, to provoke debate and build on the work you have already done, so thank you for allowing us to talk about it today. Thank you. Congressman Gallagher. You've got the bases loaded, you are knocking it out of the park. Talk about why we are here, we are here because the nation is under threat and we are in the midst of the coronavirus crisis now, which is an unprecedented crisis, no doubt about that, and that has taken a lot of the attention, but the fact is this threat hasn't gone away. It has been magnified by this crisis and the job we have now is action, and we talked this morning and all of us on this hearing and share an understanding of how important they are, but we have to communicate that to our colleagues that this isn't academic, this is coming at us, our private sector, millions of times a day by malicious actors, and so we have a responsibility to go forward. You've taken a lot of leadership on this issue, the administrative subpoena bill, we need to get rid of the word subpoena. That scares people. We need another word, we are seeking information to assist companies that are under attack.
We talked about the need for national leadership, coordination, better resiliency and declaratory policy that puts adversaries on notice that they will pay a price for coming after the United States of America. We have the means. The commission report has given important guidance and now it is up to us as members of Congress and people from the private sector who made such contribution to this project to work together to do something. I don't want to walk away and say it is a good report, 81 recommendations, 57 legislative proposals, but we didn't accomplish much. The onus is on us to make it happen, and this committee has been on this a long time, and I appreciate the support indicated for our major recommendations, and I look forward to working with you to get the details right, to work with the House, other committees in the Senate so that we can take action to defend this country that we love. Thank you, really appreciate the time you took with us and the attention you have given to this critical subject. Thank you, Senator King. I completely agree with you. We have to turn this report into real actions, so I want to thank the four of you, all the other commissioners, all the staff members who worked so hard on this, for your hard work, your dedicated efforts and not full recommendations. We will do what we can to bring those to fruition and try to get implemented through executive action, thank you for your hard work, that concludes this hearing, the record will remain open 15 days until May 28th through 5:00 pm. I want to add a short thought, you did not get that message. I did not. Do you have a question? No, just a short thought I would like to add. Go ahead, I am sorry. Our thanks to each of you for the work you've done on this project. We know pretty well all of that.
I came here 20 years ago and share with our colleagues, naval flight officers, my father and my father's father in World War II, the question, they rose to the occasion and through that a lot of loss of life, and thanks for their courage. My life has been in airplanes, trying to make the world a safer place. We suffered impact on 9/11 and the terrorism today, communism, security threats, cyberattacks, a major threat to our security force, and the reason we succeeded and came out of 9/11 is extraordinary leadership. I would like to raise up the governor of New Jersey if I could, a great leader, extraordinary leadership. Susan Collins, senator the and yourself, really played out in this committee, so thanks for your work.