Require a near constant struggle to stay ahead of events and the real danger lies in getting complacent. Effective cybersecurity is an ongoing line of effort. The Threat Landscape is diverse, the best practices are changing, the information you get may not always be reliable. The task can seem overwhelming and the stakes are high. In this context, i have found myself thinking effective cybersecurity cannot move at, quote, the speed of government. By that i mean cybersecurity is a 21st century Public Policy program just not manageable by 20th century government means. Regulations, mandates and centralized action in general, these approaches are inadequate to match the pace of change. Congress needs to make sure that the governments role in detecting and responding to cyberattacks is clearly defined, that theyre focused first and foremost on the security of federal information networks. Today well hear from the department of Homeland Security and their cybersecurity work. How it is evolving about their approach to this complex range of threats. With respect to individual actors and industries that are at their greatest risk of cyberattack, health care, education, financial services, retail, Critical Infrastructure, the proliferation of Ransomware Attacks have made clear that these entities have to take on the responsibility themselves on a daytoday, minutebyminute basis. All cybersecurity is essentially local. Today well hear from experts in state government, the Health Care Sector, public education, on their experience with cyberthreats and incidents and see the state of cybersecurity in these industries. Fortunately for both government and the private sector, the marketplace for Cybersecurity Services is continuing to grow and mature. Well hear from one firm that consults with private and public entities and works with themo respond to cyber incidents. I would like to thank the Ranking Member for suggesting this hearing and i look forward to hearing from our panelists. Senator . Thank you very much, mr. Chairman, for working with me to arrange this hearing and for your opening comments. I deeply appreciate the portunity to continue working on an issue that i believe is critical to our economic security. State and local governments ve been prime targets for cyberattacks for a number of years. But the stakes have only grown as covid19 has forced millions of americans to migrate their eryday activities to the line world. Many stunts now learn from their teachers on a computer instead of in thclassroom. Doctors treat many patient through telemedicine instead of in person. Governments handle many essential Services Online instead of at city hall. The massive increase in online activities over these past nine months mea that the targets for cybercriminals have increased commensutely. Unfortunately, cybercriminals have taken advantage. One firm that tracks cyberattacks on schools and School Districts report that 44 attacks have occurred so far this school year and many more likely went unreported. We will hear fm the superintendent of one of these schools today. In the spring, interpol warned that Ransomware Attacks against hospitals have grown significantly as hackers sensed an opportunity to extort money inansom with hospitals overwhelmed with covid patients. About a month ago, a cyberattack hit the university of vermt medical center, forcing it to divert patients to other facilities, thereby jeopardizing the care of many patients, especially those in nearby rural areas who do not have the resources to travel to the next the federal government has a. Responsibility to help protect our communities from the threats. The cybersecurity and frastructure Security Agency has done a commendable job helping our state and local governments, the number and severity of attacks on our commities continues to increase. This heari will help us identify ways for congress d the federal government to better assist state and local governments set fending off these cyber atcks on our communities. We have great witnesses who can help us work through these challenges, including the acting director, who we are happy to have here today. We are missing our original federal witness, chris krebs, because he was fired abruptly by the president two weeks ago. In a nonpartisan manner, and approached the most important task, securing the u. S. Election infrastructure with professionalism and tenacity. Job,s fired for doing his and we are less safe because of it. Strong,perative we have independent leadership going forward. As the Biden Administration seeks to fill this position in 2021, i would encourage them to look to director krebs when considering his successor. Witnesses, i appreciate your willingness to testify. I want to thank you all for the role you play in keeping us safe. I look forward to learning from your experiences, as well as your expertise. Thank you, mr. Chairman. I will proceed with introductions. We will start in the first panel with our federal witness. Im pleased to introduce brandon wales,cting dirtor for the cybersecurity and infrastructure Security Agency at the United States department of Homeland Security. Person to serve as the executive director of the agency before being very recently elevated to acting director. In this role, he oversees cisas efforts to defend civilian networks, mage risk to National Critical functions and work wh stakeholders to raise the securi baseline of the nations cyber and physical infrastructure. Acting director wales, thank you for coming before the subcommittee today and i look forward to hearing your testimony. Chairman paul, Ranking Member hassan, and members of the subcommittee. Thank you for the opportunity to testify regarding the cybersecurity and infrastructure Security Agency support to state, local, tribal and territorial stakeholders in mitigating a broad range of cyberthreats facing our nation. Whether focused on Election Security, responding to the digital transformation, or addressing the plague of ransomware, i believe sustaining capacity will be the defining cybersecurity challenge of the next decade. This is my first appearance before the committee and im honored to lead the men and women of our agency as we defend today and secure tomorrow. I want to begin by thanking the cisa workforce and the Election Security community for their work over the last four years, culminating in the november 3rd election. Our goal was simple, to make the 2020 election the most secure in modern history. We succeeded in building a Robust Community made up of state and local Election Officials, key federal agencies and private sector election vendors, in surging the technical capacity of cisa to improve defenses nationwide and harnessing the capabilities of cisa, the fbi, the national Security Agency, the u. S. Intelligence community and the department of defense to identify threats, respond to incidents, and take action when necessary. As a result, layers of security measures are put in place by Election Officials and the community acted quickly. For example, we were able to rapidly share information on russian intrusions into state and local networks and attempts by iranian government actors to send spoofed voter intimidation emails were outed within 27 hours. Our Election SecurityMission Continues and cisa will remain in an enhanced coordination posture until after Election Results have been certified in every state. We also stand ready to support States Holding runoff elections in the coming months such as georgia and louisiana. This year has not only been focused on elections. Beginning in february we have been working to support the nations response to covid19, including helping to security the development and distribution of potential vaccines. Since the pandemics earliest day, we have seen cyberactors exploiting remote work. Cisa ramped up informationsharing efforts, established a telework resource hub and surged Cybersecurity Services to highrisk entities. Now under the hhs warp speed, were prioritizing service to companies to protect u. S. Vaccine development and distribution. Recently, hospitals across the country with hit with ransomware looking to profit from disruptions of health care delivery. This was appalling but not surprising given the growth of ransomware incidents. Ransomware is quickly becoming a national emergency. We are doing what we can to raise awareness, share best practices, and assist victims. But improving defenses will only go so far. We must disrupt the ransomware Business Model and take the fight to the criminals. While Election Security, a pandemic response, and ransomware may look different, the one thing they have in common is the reliance on the networks at the state and local level. These Networks Keep our communities running, despite global challenges. These are the networks that help us to respond to emergencies, these are the netwks that run local hospitals and schools and they are in need of urgent assistance. Sa is taking action by operationalg partnerships, hiring additional coordinators to boost engagement in sta capitals across the country, supporting cyber proposals and the fema grant making process, and continuing to push cisa resources out from hequarters to our where our partners are in states and communities. In conclusion, i want to thank the mmittee for its leadership on legislation that has advanced the authorities on legislation, and for your support for legislations pushing through congss that will push cisa further. This committee has been an essential partner our mission, and i look forward to continuing to work with you to defend today and secure tomorrow. Thank you, again, for th opportunity to appear before you and i look forward to your questions. Thank you. Senator hassan had to go vote. Shell be back in a few minutes. You mentioned russia and iran and it went by quickly. You said they were attempts to change votes or to interfere in the election somehow . What did you exactly s . Sure. The activity was different i both cases. In the case of russia, russia had launched a fairly Broad Campaign to target state, local, private sector, and federal tworks using exposed vulnerabilities. Using what . Exposedulnerabilities. Fairly well known vulnerabilities there were oking for to get inside of networks. Yore talking about election networks that count votes . Were talking about general networks, these could be private Sector Networks and things unrelated to ections. In one case, it did include where they compromised a local coty network and downloaded information that had to do with the election. This was not tabulation of the election . Absolutely not. What did you say about iran . Spoofed voter intimidation emails. To your knowledge, there were no votes changed by a foreign actor, in fact, was that true . No votes were changed by a foreign actor that you know of . We have no evidence that votes were changed by a foreign actor. No attempts were directly stopped . Is there an existing Voting Network . You cant hack into a Voting Network that is sort of there . We have numerous advantages in part because we have a highly decentralized system. Theres not an election network. There are hundreds and thousands of election networks across the country. In addition, the actual vote tabulation systems, those are not networked on the internet. The places where we see the most activity tends to be those highly centralized internetenabled systems, Voter Registration or Election Night reporting. But in those cases, we did not see any adversary capable of compromising those systems it sounds like a general rule of thumb, if we are looking for advice on how to protect ourselves, the whole push of modern technology is to make us more connected and maybe part of the advice is we dont need to be too connected, having separate systems, is some of that advice taken within the federal government . You said were protected in the electoral system because we have states and counties and there isnt theyre not completely integrated. We probably dont want to integrate or federalize things with elections. Is it true within the federal government that theres compartmentalization on purpose to try to protect against cking . One of the mar recommentions to any entity is to be thoughtful about how you network your systems, where you should segment your systems, where you should air gap you systems. Theres a reason why the classified networks that are operated by the Intelligence Community are not accessible readily througthe internet. You want to keep those things parate. Samehing for Industrial Control Systems that operate the most sensive infrastructure in the country. You want to build additional barriers to prevent people from moving to small compromises onto parts of networks that could have more significant consequences. How much of the problem with attacking a network is coming through an email versus another way of attacking a network . Frankly, it varies. Coming through an email, that normally includes things like spearfishing where you get an email that says click on this and all of a sudden, its malicious payload comes and compromises your computer. Right now that has been one of the more significant ways we have seen networks compromised. Over the last year, we have seen a dramatic growth in people compromising networks by exploiting private network software. This is a result of the expansion of people teleworking, remote working, and a dramatic increa in the number what does that mean . You are not attacking it through email, you are attacking it through the cloud, somehow . Not necessarily the cloud, but if you are connecting through a virtual private network, which is the way that yocall into your companys network, im atome on my laptop calling into my compas network, virtual private network, vpn software, and there are vulnerabilities inome of the more common vpn software, mo of which have been patched. If a cpany has not patched the vulnerability, an actor may be able to exploit the vulnerability theyre not logging io your computer. Theyre logging into yo network and bouncing back into your computer more importantly, they want to get into the network. Theyre exploiting that vulnerability to gain access. On theyre inside, using a variety of other vulnerabities, theyre trying to elevate their privileges. Th have administrative capabilities, so they can create new accots and they can do whatever they want. Whats a guess on the percenta . How much of this is an email problem . Is half of it email . 75 . 25 . I would say half is spearfishing relat intrusions. It seems like there would be a technological solution in some of that in trying to protect email networks, maybe you have a separate network that never communicates. It comnicates with each other, talks to each other, but never commicates with almost somehow completeeparation of yo email network from the rest of your network. s hard today given the amount of terconnection between the various tools that you use, in terms of any business. But most of the ways iwhich networks are compromised today are exploiting vulnerabilities that where patches are available and where the solutions to mitigate these problems are readily available and theyre not being implemented by the. T. Security professionals at companies. How rapidly does it change . How rapidly does someone have to figure out, you knowtheres a brandnew phishing or, you know technology you need to stay on top of it. Every day, new patches are released for software. It may not be every single day for every piece of software. But on any given day, there are new patches that come out for software. I. T. Security professionals need to stay on top of that, understand the vulnerabilies, prioritize their efforts to close those vulnerabililities. The bigger theetwork you have, the more complicated it is. When you come up with a patch, are you able to keep that secret from the criminals are they can see the patch and respond to the patch . They can see it these patches are made publicly available. As many indivials can protect their networks. Its a catandmoe game. Every change we make on th defensive side, offensive cyber actors are going to look to see what they need to do to get ound that. When we have a state actor that is going after classified , and we have creative ways that state actors aresing, are we able to share them with the private sector or are we too worried that getting that knowledge out reveals that we know how to combat certain things . Are we sharing on a consistent basis knowledge that you gain with therivate sector . Absolutely. So the partnersh that we have with the intelligenccommunity , in particular, the national Security Agency, is better than any time in my entire history with the department. We are getting a significant amount of information from them. Things they are seeing over seas, activity they are seeing from foreign nations, gettg that information to be declassified so we can get it out to people, whether it is a specific incident at an individual location or more importantly, information that could benefit the entire community. A lot of the alerts that we are pushing out, alerting the community to different tactics th our adversaries are using, are based on intelligence sources we are severing from the intelligence commuty. That process is happing quickly. Does it work both ways as private industry getting back from private industry, as well . There was a vibrant Cybersecurity Community right now that has grown up over the past decade. Theres a lot of information out there for everyone. Rely upon information provided by private sectors, private security firms to help improve our defenses at the dot gov. Theres a benefit to this Community Sharing as much information as possible because thats the way we will have a more secure and more defended cyber ecosystem. As someone concerned with privacy, ive been concerned about having im all for telehealth and allowing the internet to allow us to see doctors remotely, i think its a good thing. But im concerned about having a unique patient identifier, where all of our data goes into one place and is stored in one place. It goes back to compartmentalization. Hacked, 22 million records were released. I know it was a big mistake, and hopefully we have learned from that. But there is a danger. I think from a Patient Point of view, and the point of view that there are sensitive things, whether youve got an Infectious Disease acquired sexually, psychiatric disorder you dont want the world to know about, theres a lot of things that can be private. Starting with my father 20 years ago and continuing today, we have been trying to get away from a unique patient identifier that the federal government has. I think it will be nice if people could equate that not only with privacy, but also the idea of hacking, that the more centralized your Health Care Records are, it might be easier , but it might be ezio easier for bad Health Actors to cause damage and any thoughts on Health Care Security with regard to unique patient identifiers . I think the challenges you are describing are the same challenges we deal with in every cybersecurity challenge, how you balance the need to create more efficient, more effective systems with the risk that poses because of the nature of connected systems being potentially vulnerable. We encourage people to be thoughtful and take a really risk based approach. How much information needs to be centralized. How much information needs to be network. Once you make the decision, go to the next step and ask how you defend the information that needs to be net worked to the maximum extent possible. If im going to have senseitive Sensitive Information that is accessible, i need to make sure my Cyber Security practices are going to be sufficient to defend that. I need to make sure my patch management is good. I need to make sure my coiguration management is good. Iould conclude by saying the moral i get from ur discussion on elections is there is some advantage to disconnectedness, compartmentalization, having counties, states, and federal governments be separate, whether you can go to a county and verify an election. It doesnt go into some sort of mass network or computers. I thinke are lucky to have this federal and state operation with regard to elections. But i think people ed to think it through before the efficiency experts say it would be easy to have your medical records everywhere, at every doctor all the time, everywhere in the u. S. It will be easy until a hacker gets in and all of your private information is all over the internet. Beareful what you wish war wish for, some of those that want centralized things. Theres a danger of losing your privacy. Thank you very much. I thank you for what you just covered in your questions. I want to start with a question focusing on how we help state and local governments protect against Cyber Threats. Your agency is responsible for securing federal Information Technology infrastructure from a wide range of Cyber Threats. Its widely accepted your work to secure the space is critical. However, some might argue it is not the federal governments job or responsibility to also try and secure state and local governments from Cyber Threats. Just let me ask you, does the federal government have an obligation or responsibility to also protect state and local governments from Cyber Threats . Cybersecurity is a shared responsibility in multiple domains. Since it takes seriously the responsibility we have to utilize the information, knowledge, expertise on cybersecurity to help all aspects of our Critical Infrastructure, whether they are state and local governments, private Companies Operating on a power grid, hospitals, if they are chemical plants. We have a responsibility to help them. Again, every system owner bears some responsibility for managing the security on their networks. So i think its trying to figure out where their responsibilities and our responsibilities intersect. We understand that we have a lot of information and expertise we can provide. We can make sure they are armed with all of the information that we have been able to glean from the Intelligence Community, our own visibility into the cyber activity of our adversaries, and the tactics they are using. Its our job to provide that as broadly as possible to make sure they are prepared. Each of those individual asset owners needs to go to the process senator paul and i just discussed. The riskbased process to say how much security do i need in what parts of my network, and how can i put it in place to be as robust as is required by the risk im facing . Thank you. To followup, if a state or a community is vulnerable to cyber threat, how does that broadly impact the security of americans who do not live directly in that state or community . The state governments across the countr and local governments, operate some of our most critical infrtructure. Whether its operating Water Treatment facilities in some states and communities municipal power authorities in others. At the state level, they also distribute significant amounts of funds thrgh which federal programs funnel money through. States are a critical part of our fabric for our economic and Homeland Security. It is an important interest of the federal government that states have as much of our Cyber Security knowledge and expertise as possible to help safeguard those Critical Systems. Thank you. Various proposals have been introduced in congress that establish a stand alone federal Cyber SecurityGrant Program for state and local governments that would pay for Cyber Security upgrades at the state and local level. Without specifically evaluating each bill, can you please describe for me the elements and considerations that congress should be thinking about if we authorize a Grant Program of this nature . Are there any elements of a grantrogram you view as musthave ite . We would be happy to work with congress on what a Grant Program would be, how it cane structured to serve the maximum value. Until that time, we have been working closely with fema over fema hasyear as required, as part of its last round of Homeland Security grants, th a portion go a set of highpriority items, incling state and cybersecurity. We spent t past year working with states, worki with fema to review the proposals submitted. I think this will provide us good baseline to understand how states are thinking about investing in Cyber Security, utilizing federal grants. How we can provide Additional Information to them to better shape and focus those grants on the hight risk aspects of their networks grantmaking is obviously a complicated topic, one cisa doesnt have direct responsibility for managing. So i would probably refer you to people at fema who know about the grantmaking sausage. But at the more macrolevel, i think we have a lot to help shape grantsso they target the things we need to protect most. It reflects the true parership that exists between the feral government and our state and local governments on Cyber Security. Thank you. Cyber insurance is an important tool that helps companies and entities prepare for, prevent, and respond to Cyber Attacks. However, an august 2019 report revealed if an entity has Cyber Security insurance, policy holders will use their Cyber Insurance policy to pay the ransom during a ransomware event, which is further incentive for hackers to launch Ransomware Attacks. The report shows that hackers target Cyber Insurance policy holders because the likelihood of the victim paying the ransom is much higher. During the covid19 pandemic, our increased dependency on island Services Online services may increase the incentive to pay ransom so Critical Services can be restored more quickly. Does cisa or your Partner Agencies know when an Insurance Company pays out a ransom . As a general rule, we have recommended against paying ransom, in part because it furthers the Business Model, as i indicated in my opening remarks. Ransomware will not go away as long as the Business Model is viable. As long as they can do it. We generally focus our efforts on ransomware before an event happens. Helping companies prepare themselves, states prepare themselves. We are generally not involved in decisions related to whether ransom is paid. That tends to be an individual decision, and they do not consult cisa. Generally speaking, you may not know if a ransom or Insurance Payment has been made . Thats correct. Are the Cyber InsuranceCompanies Working with you to tackle any of these negative incentives that drive mo attacks . Im not aware of engagement with Cyber Insurance companies on that issue. Do you think theres a role for congress to play to help address this . I think it is an incredibly challenging problem. No one has cracked the code on what the answer is yet. Its going to take more work between congress and the executive branch to figure out the right tools we have to change the Business Model and disrupt the Business Model on ransomware, and make more progress in this spac thank you. Im out of time. If we have a second round on this witness, ill have one more question. Senator rosen. For holding a hearing on protecting our communities from cyber tack. During the covid19 ndemic, the number of Cyber Attacks have significantly ineased. Cyber attacks are exnsive and debilitating, especially for small organizations like schools, hospitals, and local governments. Im glad were coming together in a bipartisan way to talk about how we can protect vulnerable communities in this challenging time. I want to focus on school Cyber Security, becauselementary schools, secondary schools face many challenges as they transition to Online Learning during the pandemic, including the constraint budgets, bridging the digil divide, and continuing to educate and support our students. Ashey struggle to meet the challenges, they remn particularly vulnerable to hostile cyber actors. Earlier this spring, the fbi warned k12 institutio represent an opportunistic target to hackers. Many School Districts lack the budget and expertise to dedicate to network integty. Last august, the Clark County School district, nevadas Largest School district, and our countrys fifth Largest School district, was the victimf a ransom ware attack. The hacker published documents online containing sensite information, including Social Security numbers, students names, addresses, and grades. It is solutely unacceptable. Government must to help schools obtain the tools and resourceto protect and combat these kinds of Cyber Threats. Something i have raised with cisa and the department of education. Can you speak to what steps this taking to prevent Cyber Attacks, includi the Ransomware Attack like the Clark County School district, against k12 schools . How are you ensuring we are not having more of these in the future . Thank you you, senator. Cisaw some members of the team and department of education are planning on briefing you in your office later this week on this topic. In the meantime, the first thing i would say we have expanded our focus on k12 education from the beginning, putting out Additional Information on how schools can improve their cybersecurity with their distance learning. Encouraging we are schools to participate through the information sharing mechanisms that have been created. For example, the multistate information and analysis center, a free resource available that we have invested in from the department for state and local governments. District,0 school schools, and i. T. Service organizations are part of that. There are Additional Resources and tools states and School Districts can take part in that can help ensure their protection against ransomware and other attacks. For example, it offers malicious domain blocking so known malicious domains used by ransomware operators would be blocked from activity on those networks. But only about 120 schools are actively using that service that is offered for free today. What i want to see is much like we have done in the past four years in Election Security context, how do we build a National Community with the School Districts to get them focused on the security aspects related to their networks that is not going to go away even after the pandemic is over . We need to arm them with the same information, resources, and that will start with them taking advantage of the nocost Services Currently offered across the country to state and local governments and the entities that exist within them. This is obviously a big problem, there are over 13,000 School Districts across the country. It will take time, attention, and focus. I am confident if the executive branch and Congress Work together, we can find creative ways of leveraging the capabilities we have and getting more School Districts signed up for these servic. I appreciate that, because i was gog to ask you. I know there are school wes the 13,000 talk about malicious ransomware, the districts may not have the capacity or any expertise to even take advantage of the free services. Gnts, that you can get to be sure the folks really sitting in those Administrative Offices can take advantage of the offer . But not all of them have technicallyso whaare you doing, what kind of programs are you offering . What we had put in place trlier th year, these are basic, bare mimum things you need to put in place to ge from baseline level to cybersecurity. It is geared for the small and mediumsize businesses and also geared for Large Companies to send out to their smaller suppliers to get them to the level of baseline security. Stepbyep guides for how to baseline levele for cybersecurity. What are the things you can make sure you have challenging passwords, or to factor identification. How to set that up on your network to make itore clear and easy for you to walk through. Communitiess and push those out even to their smaller School Districtsthis is a kind of information that is powerful in the hands of Small Companies because the reality is, random operators are looking to make money. Ifouve done the basics, i put in place the bare minimum levels othe security theres a good chance they will go onto the next victim and not target you. So at even a bear level you can have an impact and dividend for your overall level of security. I appreciate that, and my next question would be the same kinds of things for our Small Businesses around the country as well. I look forward to speaking with you offline about how we can get your message out for training and programs and all of these cyber to as many folks as possible. We cant afford not to communicate your hard work and what you have been doing. And people do need to take advantage of these programs. Any help we can get an amplifying the work that is out there the tools that congress is , invested in are available through all of the country to utilize. We want more people to take up and use them. So anything you can do to get the message out and amplify the work were doing, our agency is going to be grateful for. Thank you. Thank you, mr. Wells. I hope youll be willing to respond to any questions we have in writing. I want to thank you for reminding us that decentralization is a part of our defense against hacking of ouelections and as a great fan of the federalist system we had set up from the very beginning , even in our modern age, centralization compartmentization is part of r defense. And can make our elections more or more reliable. Thank you very much for your testimony. Thank you. I join the chairman in thanking you for your testimony and your service. Please to all the women and men you work with, take back our thanks as well. I appreciate that. Thank you. [inaudible] were ready for our other panel of whoever is in charge of that. [indiscernible] lets get started. Were doing the whole panel together. Everybody can come in. I misunderstood. These are virtual. Thank you. To all of our witnesses for the panel. Second thank you for being here today. I will introduce each witness directly before your testimony. I will start with your first witness, dennis gla. Im pleased to introduce you who serves as commissioner of the department of Information Technology from my home state of New Hampshire. The commissioner has served admirably since he was appointed in february of 2015. He also serves as president of the National Association of state cios. Thanks for joining us commissioner and thank you for your exemplary leadership to strengthen Cyber Security efforts in New Hampshire and across the country. I look forward to your testimony. Good afternoon and thk you. Thank you for inviting me on the to speak today on the Cyber Security challenges that are facing state government. Theshave been amplified during the covid19 pandemic. As commiioner for the department of Information Technology in New Hampshire and esident of the national asciation of state chief informion officers, i am grateful for the opportunity to highlight the vital role that state Information Technology agencies have provided in Critical Services and ensuring the continuity of government throughout this health crisis. Cyber security has remained the top priority for nearly decade. Theres growing recognition in all levels ogovernment that Cyber Security is no longer an i. T. Issue. Its a Business Risk that impacts the daily functioning our society and economy as well as the potential threat to our nation security. State and local governments continue to be attractive target r Cyber Attacks as evidence by the highrofile Cyber Attacks. Inadequate resources for cybersecurity have been most significant challenge facing state and local governments. Its straightforward. States are the primary agent for the delivery of a vast array of federal prrams and services. According to our recent national survey, state Cyber Security budgets are less than 3 of their overall i. T. Budget. Half of states will have lika dedicatedyber Security Budgets as state cios are tasked with providing cyber serity assistance to local government. They are aed to do so with shortages in funding and cyber talent. Almost all the ciohave the authority and directly responsible for Cyber Security in their state andave taken multiple initiatives to enhance the status of their Cyber Security programs. These initiaves include creation of cyber disruption reonse plan. Obtaining cyber insurancand the implementation of security areness Training Programs for employees and contractors. These initiatives are crucial as congress conside the implementation of a Cyber Security program for state and local governments. For the past decade nscio has advocated for a whole approach. A whole state approach to cybersecurity. We define it as coaboration among state and federal agencies, local governments, the National Guard, educion, k through 12 and higher, Critical Infrastructure providers and private sector entities. By approaching Cyber Security as a team sport, information is widely shared abdomennd each nd each stakeholder has a clearly defined role to play. I would like to reiterate my appreciation to this subcmittee for its attention to Cyber Security issues impacting state and local governments. If passed, these bills would greay improve our Cyber Security posture and create ne dedicated funding streams. The pandemic has exarbated the Cyber Security challenges for state i. T. Since march, my colleagues and i have rapidly implemented technology to allow state lows state employees ttele work safely and effectively in this new vironment. We have helped our state agency quickly dever critical Digital Government svices to citizens, including unemployme insurance. In New Hampshire, i work closely with our public heal agencies to ensure they have the necessary tools to improve capabilities in the area of testing, contact tracing, case management, Data Analytics and ppe inventory. Colleagues and i are honored to play a role in fighting covid19. We have taken on aitional responsibilities and incurred new expenses while continuing to face unrelentsing cyber threat environments. I am truly concerned about how crucial i. T. AnCyber Security initiatives will remain funded in the coming months a years. States have se significant declines in refrvenue and will be forced to make difficul budgetary decisions. I know i speak for all of my colleagues around the country when i say that dedicated, federally funded Cyber Security grant ogram for state and local governme is over due. Additionally, state and governments should follow the lead of the federal governme and begin providing consistent and dedicated funding for Cyber Security which will also require them to match a portion of federal grant funds. I look forward to continuing to work with the members of this subcmittee in creation of a grant ogram to improve our Cyber Security pture. This concludes my formal testimony. Im happy to answer your questions. Thank you. I think we will move onto the next two witnesses, three witnesses and then we will return for questions. Is dr. Torres driguez available now . Shes back online. Dr. Torresrodriguez is the superintendent of hartford Public Schools, one of the largest urban School Districts in the state. Dr. Toesrodriguez was raised in hartforand attended hartford pubc schools. She has served as an education leader in the greater hartford area for more than two decades. In september the hartford scho district was the victim of a cyber attack. Dr. Torresrodriguez, thank you for coming before the committee today, and i look forward to your testimony. Doctor, you might need to unmute yourself. Ok. So shes having connectivity issues, so why dont i do t other introductions ansee if shes ready in a mine or two. Our next witness will be john ridgy, Senior Adviser for cybersecurity and risk for the American Hospital association. Mr. Richy is the Senior Adviser for e cybersecurity and risk for the a, and he brings nearly 30 years ofxperience for the fbi including serving as Senior Executive for the Fbi Cyber Division program developing missioncritical partnerships with the health care and other Critical Infrastructure sectors. Mr. Ridgy, i look forward to yo testimony as well today, and i think we should probably proceed with tt while superintendent tres is yes. So mr. Ridgy, please feel ee to proceed. Good afternoon, and thank you members of the subcommittee. On behalf of our nearly 5,000 member hospitals and Health Systems, themerican hospit association anks the subcommittee f the opportunity to testify on this important issue and we stand by ready to assist as needed a has a uniqunational perspeive, stemming with health care with the trusted relatiships with the field and Government Agencies. The ongoing pandemic has resulted in a significantly ineased cyber threat environment for healthare providers. For ample, this past october 28th, fbi and hhs issued an urgent warning of a Ransomware Threat to hospitals and this threat remains ongoing as of today. This threat also com as hospitals and systemare dealing with the covidinded cyber triple threat. The first threat is an expanded tech surface. In preparation and response to covid19 the Health Care Sector rapidly deployed and expanded neorkconnected technologies su as telehealth, telemedicine and telework. Unfortunately,his also greatly expanded network accespoints and opportunities for the cyber criminals to attack. The second threat is increased Cyber Attacks in conjunction with the expanded attack surface, cyber criminals have unched increase in relentless attas on hospitals and Health Systems. Hhs Office Civil Rights has reported a significa increase in hospital hacks since september 2020 september 1, 2020, impacting millions of patients. Reign Intelligence Services from china, russia and iran have launch cyber campaigns targeting health care to steal covid19 related datand vaccine research. Of all of the attacks, Ransomware Attacks are of top concern. These attacks could disrupt patient carend deny access to medical records and resulting in cancel surgeries and the diversion of ambulances, thats putting patient ves and the community at risk. The thirthreat hospitals face is resource constraints as a result of canceled socled elective serviceand those seeking dical treatment during the pandemic. Iteaves limited Funds Available recruit and retain scarce cybersecurity professionals. The above factors create the perfect storm for Health Systems. Regarding Ransomware Attack, we believe the ransomwear attack crosses the line from an Economic Crime and therefo to a threat t live crime and , therefore should be aggressively pured as such by the government. Most times they reach for adversarial agents. Combined use of the intelligence cabilities along with econom sanctions to augment Law Enforcement efforts and reduce threats to the nation and the government caneter and disrupt these Cyber Attacks bere they attack. We believe a hospital victim of cyber attack is a victim of crime and should be provided assistance, not sign blame. Despe Regulatory Compliance and implenting cyber best practices,ospitals and Health Systems will ctinue to be the targets of sophisticatedttacks which will inevitably succd and the government often repeats the phrase its not a matter of if, but when . Unfortunately, when a breach curs a federal governments apprch toward the victims of cyber attackis sometimes inconsistent across agencies and may be counterproductive. For example, federal Law Enforcement agencies often request a need for the cooperation of victims of breaches to further their investigations to further disrupt a threat to the nation. Subsequently or concurrently a hospital or Health System may become the subject of an adversarial investigation by the hhs office of cil rights. This can be disruptive and confusing for the victim and stifle cooperation with federal Law Enforcement. Given the crical need to defend health care during the pandemic along with cyber that , environment, we need strongly recommend that additional safe harbor protections frocivil and regulatory liability we available to help victimof Cyber Attacks. In conclusion, hospita, systems and patients are heavily targeted by cyber, crinal and sophisticated nati states. However, we cannot do it alone healthcare needs more active support from the government including consistent and automated threat information sharing to help us defend patients and their data from Cyber Threats. Conversely, e federal government cant protect our nation from Cyber Attacks alone, either. They need the expeise and exchange of cyber threat information from the field to effectively combat Cyber Threats. What is needed is an effective and efficient Public PrivateCybersecurity Partnership and a truly allout nation approach. Thank you. Well, thank you so much, and i want to turn now back to dr. Torresrodriguez, if you are able to join us, doctor, we look forward to your testimony. Yes. Good afternoon. We hear you loudly and clearly. Good afternoon, chairman paulson and senators of the committee. I am dr. Leslie torresrodriguez, superintendent of hartford Public Schools. We are the third Largest School district in connecticut with approximately 18,000 students. I appreciate your invitation to address the committee in regard to the cyber attack that occurred september. The cyber attack had extremely disruptive effects on our School System, our students and our staff. We were forced to postpone our first day of school on september 8th following a month of intense planning for inperson learning amidst the covid19 pandemic. While our students have been attending school either in person or remotely for nearly three months now, we are still repairing and recovering from lingering effects of the attack. Hartford Public Schools and the city of hartford were informed by our shared i. T. Department and the Metro HartfordInformation Services that early in the Morning Hours of saturday september 5th, we experienced a severe cyber attack, specifically a Ransomware Attack, which aims to take control of targeted servers and sell access back to the owner, back to us. The attack was unsuccessful overall because Metro HartfordInformation Services regained control of its servers without complying with the attackers demands thanks to recent cybersecurity investments and quick work by the Metro HartfordInformation Services team. Based on initial analysis by the Connecticut National guard and the fbi, the attack was likely conducted by a highly sophisticated actor, and so in one sense we were fortunate that we avoided the worstcase scenario. So our district team, Metro HartfordInformation Services and our Mayors Office worked late into the night on labor day, and in the early hours on tuesday, september 8th to ensure that hartford Public SchoolsCritical Systems were restored so that the first day of school could proceed. Our student Information System was restored around midnight, but as of 3 00 a. M. Our Transportation System was still not accessible and our Transportation Company and our schools had no access to the student bus schedules, and so around 4 00 a. M. In the morning i did have to make a difficult call to postpone the first day of school. Fortunately, we were able to get our Transportation System back online the evening of september 8th and we opened schools for the First Time Since march on wednesday, september 9th. However, two weeks later our systems were still not yet fully operational and the costs to address the problem financially and in terms of resources and staff time have been significant. While we have regained control of servers and data, preventative measures are ongoing and present significant challenges to getting operations back to normal. So, for example, all of our servers needed to be taken offline and reimagined or restored from backups. The total amount of information that needed to be restored was over 70 terabytes across the city and School System which is a massive amount of information. Additionally, every computer that had connected to the District Network before the attack, just before the start of the school year had to be individually restored to Factory Settings before reconnecting with the network. So this required a very fast deployment of new laptops to hundreds of Staff Members which then depleted the stack of laptops that we had to provide to students at a very critical time in the school year. While we had ordered laptops with the intention of ensuring every student had a district device at the start of the school year that plan was set , back as a result of the cyber attack. This was an especially difficult consequence as the attack as many of the students as those who needed to engage in their learning. These preventative measures impeded our ability to operate normally and for teachers to provide student instruction or impairing basic functions like scanning and printing and having access to lesson plans. I am proud of the work that has been done by our i. T. Team and the support from the Connecticut National guard and the fbi. However, we do have to project protect our Critical Infrastructure by preventing such attacks in the future. And i thank you again for inviting me to participate. While it was unexpected and damaging in many ways, i am grateful for the way that our state and federal agencies collaborated to address the cyber attack and assisted with the restoration efforts. We are all committed to serving our constituents, our students in the best way possible. Thank you and ill be happy to answer any questions that you may have. Thank you, superintendent. Ill turn to the chairman for an introduction. Our final witness this afternoois bill segal, ceo and cofounder of coveware. Mr. Segal founded coveware to provide services to small and mediumsized businesses threatened by ransomware. They offer a fullspectrum suite of services from identifying and closing vulnabilities before an attack happento decryption and navigation of an attacthat has happened to recovery after an attack. Coveware and other private sector firms provide solutions that keep pace with the criminals. So we are excited to hear from mr. Segal about the state of cybersecurity marketplace and what to do if your organization is attackeand about lowcost steps that organizations of all sizes can take to ennce their Cyber Security posture. Mr. Segal, you are recognized. Mr. Sega if you are with us, you are recognized. Is he disconnected . All right. Why dont we begin a round of questions with senator hassen and well get back to mr. Segaltestimony when he gets back on . Thank you, mr. Chair, and i want to start with a question to commissioner goulet. Commissioner glet, you and i know all too well e challenges of putting together a state budget, giving more funding to the states Information Technology budget might mean giving less funding to emergency services, education, Public Transportation or other critical iorities. Moreov, when sessions when recessions happen state , revenues decrease which leaves budget officials with even harder decisions to make commissioner goulet, can you talk about the challenges states face funding cybersecurity upgrades as they deal with reduced state revenues from the recent economic downturn. Do states have the ability to adequatelyund budgets and better protect against Cyber Threats . Thank you for the question, senator. We had recent data on the cybersecurity study, and ill share with you the top five barriers to overcome cybersecurity challenges to the government. Number one, lack of sufficient Cybersecurity Budget. Number two, inadequate cybersecurity staffing which really relates to number one. Number three, legacy infrastructure and solutions to support emerging threats. The older systems tend to be much more vulnerable. A lack of dedicated Cybersecurity Budget and finally, inadequate availability of cybersecurity professionals. So i think that pretty well covers the gamut of the answer to that question. Thank you. I appreciate that. Ill go on to complete this round. So dr. Torresrodriguez, i want to thank you for participating in this hearing. All educators are facing challenges right now, but to suffer a Ransomware Attack on top of Everything Else you are contending with means that you are busier than most other educators. I want to start by getting a sense of where cybersecurity falls in the very long list of priorities that a School District like yours has. You mentioned in your testimony that there is a Metro Hartford information service. What sort of assistance do you get from them . Do you think that theres enough cybersecurity professionals to help the School District with the system you already have and what sort of assistance from the federal government would be helpful and did you receive before and after the attack . Yes. Just to give you a little more context, we have about 18,000 students in 3,400 aff members and here in the public School System and the shared i. T. Department, which is managed by the city of hartford has six field i. T. Technicians in all and there is one staff member assigned full time to cybersecurity, and that is across all of the city, you kn, services. So there is an opportunity, if you will, for adtional support there and with regard the assistance from the federal government, Hartford Police and the fbi liaison there did investigate the attack and gather Additional Information anthe Connecticut National guard provided assistance with the recovery effort for about four weeksprimarily helping to mitigate and reimage our district devices. At was prioritized and we are deeply, deeply grateful for that. The national National Guard was has a team that specializes in defensef Cyber Operations and their support was critical in assessing the attack and helping the Metro Hartford team recover operations and help ensure security. Overl, this was their assessment that this was a highly sophisticated and complex atck that the Information System team took a wide range of appropriate measur, but nonetheless did Impact School operations. Well, thank you for that. Im going to turn now to mr. Ridgy. Thank you for your work for our nations hospitals both in terms of your current position and from your time working for the fbi. As a cybersecurity professional who focuses on preventing Cyber Attacks to hospitals, can you please lay out for us the type of attack that most worries you . Thank you, senator. As i mentioned in my testimony, the attack that im st concerned about are Ransomware Attacks which have the ablity , ability to disrupt patient care and risk patient safety. These type oattacks can lead to medical records becoming inaccessible at critical moments and treatment, even understanding drug allergies for a patient may not be available and in certain instances weve , had ambulances being diverted Emergency Rooms which were further ay from the original intended destination. So in the medical field, obviousl any delay in urgent treatment ineases the risk of a negative outcome. So Ransomware Attacks especial as we have seen the increase is the top concern that worries us at the moment. Well, thank you. If i have a chance, im gog to return to you with one more question, but first i do want to turn back to commissioner goulet. Ov the past decade, cyber attackhave increased in both their frequencand their ability to threan our national security. Just as we have experiend with terrorism, the impacts of thes Cyber Threats are not confined to faroff battlefields, but to our states, our cities and communities. Wever, as the threat has incrsed, federal support for state d local governments has not increased mmensurately. As you note in yr testimony, only 4 of homeland secuty grant dollars have gone to support state and local cybersecurity over the past decade. Can you provide your analysis for why you think that federal funding for local efforts have not been commensure with the threat what do yorecommend that congress do in order to address this . Thank you. I so wanted to address that question in more detail. Myself and my colleagues around the country have a queue of initiatives that we would do to help state and local governments and education and really all of the state if we had access to more funds. So weve done as much as we could with federal Homeland Security grant funds that we were able to access with increasing building. In new hampshi we built a nice Cyber Response program where we did a whole state approach, but we really could do so much more with dediced Grant Funding that flowed in in a separate stre, and i think that although ware slowly improving our cyber posture in the state, we could very much aelerate the improvement of cyber posre with a dedicated Grant Funding. And i would also like to reiterate that any such funding should incde in incentives to states to invest in a continuous manner. Thank you, mr. Chair. Introduction. At and if youre there, wed love to hear your testimony. Ok. Thank you. Thank you, mr. Chairman, Ranking Member, and members of the sub committee. Thank you for the opportunity to share the cybersecurity threats to state and local governments and Small Businesses. My testimony today is about a [indiscernible] cybersecurity incidents and the perspectives of handling thousands of these incidents have given us over the years. Before we can try and solve this problem after we founded the company, we saw something was missing and there was no clear data of being collected on these incidents and you cant build safe cars without visiting crash sites and measuring skid marks and figuring out what happened. The company was set out to build a large data center. It actually happens during these attacks. Right in the middle of these cybernts, we work with Insurance Companies and Law Enforcement branches of all kinds. Data is collected from these incidents and it has given us a fresh perspective. Contextualize the victims of these crimes. Second, we aggregate the data findings and try to publish our research to raise awareness of the common Attack Records that these actors used and lastly, we provide a large subset of our data to Law Enforcement for to augment their active investigations. A typical Ransomware Attack involves three phases are access. Theyre manually carried out. That means the threat actor is physically inside the network of the victim typically using harvested credentials and second is the Encryption Program that locks up computers, servers and delete and encrypt backup as part of the process and the third is extortion. This is where the company is not able to restore backups they are forced with a difficult decision of either having to pay a ransom or rebuild their network from scratch. This is the decision that hundreds of businesses faced every single day. So who are these criminals who carry out these attacks and afterat drives them thousands of cases and much study, we have a clear picture of who carries out these attacks and why . By and large the criminals that carry out Ransomware Attacks were financially motivated. Cyber extortion is their business and the manner in which they conduct their business, and they follow strategies that maximize the increase of the cost. Why is cyber crime proliferating so rapidly . We estimate that the given Ransomware Attack can earn a single criminal tens of thousands of dollars with almost no risk and a profit margin of 90 . Economics 101 dictates the more activity will occur when the margins are driven in this economy. Theyre too profitable and too low risk to be ignored by wouldbe criminals. The cyber crime industry has innovative and aims to attract new purchase lowering the barrier to entry for criminals. Ransom ware is a service [ indiscernible ] this combination of a highly profitable with low barriers to entry, and growing population is why these attacks are proliferating so much. There are various ways to apply pressure to cyber crime. We offer one that would be effective means of curtailing activity. When we look at our own data, one number stands out. Quarter after quarter for the last two and a half years, the Remote Desktop protocol is consistently the most used by ransomware actors. It is free and all it requires is a bit of time and effort. As an example, how effective closing the vulnerability can be and we cited in our written testimony where a group set out to proactively reduce the Ransomware Attacks that occurred. They contacted these companies after staying in network and advised them of the vulnerability with this issue. It was a 60 reduction in ransom a ware attacks. This is a free fix. All it took was a bit of elbow grease. The recommendation is just one example. We feel that there are further ways to attack economics of cyber crime while proactive security and new policy initiatives and relentless pursuit of these criminal Law Enforcement will never have substitutes in this fight. We think working big to small and reducing the profitability of cyber crime can produce immediate and material results. Thank you to the chairman, and i look forward to your questions. Thank you for your testimony, and i will turn it over to further questions to senator hassen. Thank you, mr. Chair. I do want to return to our witnesses th some followup questions, andr. Torresrodriguez,d like to start with you. You talked about the Ransomware Attack that the hartford School System experienced. Now that it has been a few months since the cyber attack. Could you please share with us what steps you taken so far to prevent future attacks and what lessons have you learned . So prior to the attack, the city of hartford had invested 500,000 upgrading the Security System from the hartford Information Services which is the shared services. So that alone, you know, helped us actually not have as a significant of an impact as we would have had and since then new Endpoint Security software called carbon black has also been implemented and installed in approximately 4,000 of our devices and what carbon black does is to leverage predictive security and is designed to detect Malicious Behavior and help prevent malicious files from attacking an organization and can also assist with Rapid Restoration which was one of our Lessons Learned of Critical Infrastructure should an attack happen again in the future. Thank you. And i want to talk again to mr. Riggi as well. You mentioned in your testimony some of the critical need for information sharing. Can you please lay out for us your assessment of cyberthreat information sharing between the federal government and hospitals across the country and between hospitals, is it adequate or could there could more be done to improve cyberthreat information sharing . Thank you, senator. Well, i think i would characterizet as greatly improved compared to when one of , the functions that i r at the fbi was to disseminate information as we were just understanding how vital that information sharing is. It is, i think, in one area that itas been improved has been the timely and actionable notices highlighng the october 28th notice. For that information to be declassified and come out so quickly, i think is very commendable and to come out jointly by all three agencies, ve commendable. However, there needs to be more improvement in sharing of cyberthreat informatn, sharing it in a more automated and broad manner and also the sharing of the classified information where possible to trusted health care contacts. So it has improved but i think we still have a long way to go. Thank you. Can you also give us because i understand that you work with hospitals across the country to help secure them from cyberthreats. Can you give us the typical profile of a hospital cybersecurity staff and how do small and rural hospitals differ in terms of cybersecurity professionals and resources as compared with major metropolitan hospitals, for example. Yes. There is quite the range and spectrum of resources available. And the profile varies widely, generally from small to large, urban centers. Generally smaller hospitals have less resources in terms of less financial human and Technical Resources to devote to cybersecurity. In many instances, these smaller more financially challenged hospitals add on cybersecurity as the duty to, for instance, the chief Information Officer or i. T. Director, larger systems may have the luxury of having a very large staff. Some may have multistate systems may have hundreds of people devoted to cybersecurity. However, they have vastly many more complex systems and networks to protect and defend. So it varies widely. What i can say is that almost all hospitals now highly prioritize cyber risk as an enterprise risk issue and are seeking to bolster their defenses. But they do struggle under the reduced revenue that theyre facing as a result of covid19. And is that reduced revenue the major impact that youve seen with covid19 on this particular issue or are there other ways that covid19 has affected for instance, the , staffing for hospital security, cybersecurity. I think the reduced revenue has impacted staffing in the sense that certain hospitals may not have the Financial Resources to recruit and retain individuals. We have not seen a direct impact on covid19 reducing hospital cybersecurity staff. Although there have been scattered reports of just general reduction in staff. But ultimately i think that the i think that the staffing issue is a challenge for all sectors. Quite frankly theres a zero Unemployment Rate for cybersecurity professionals and hospitals are competing with other hospitals to recruit and retrain but other sectors in the government. Thank you. And i know that the Health Care Sector has an information sharing and analysis center. Can you provide an assessment of how effective its been in assisting hospitals and what are its limitations particularly for small and rural hospitals . I think theyve done a good job of getting information out. I know the folks over there. Good folks. They do a pretty good job. Some of the limitations may be in their reach because they are a memberdriven organization. They do require a membership fee. That fee is a sliding scale and may be fairly reasonable depending on the size of the organization. But, again, i think that the issue there is the reach in timely dissemination. Often they rely on the government for the threat caters indicators as well. So i think part of the mission is to increase automated sharing of threat indicators. Because the ability to share human to human and peer to peer is too slow. There still needs to be quite a bit of a work done there from both the government side and on the private sector side to increase that electronic bridge for cyberthreat information sharing. Thank you. I have a couple moreuestions, but i understand that one of my colleagues, senator sinema is online and ready to ask questions. Ill recognize you for your round of questions. Thank you very much, senator hassan. Thank you to our witnesses for participating today. Even before this pandemic, cybersecurity was a critical issue in arizona with Ransomware Attacks on arizona medical, education and government organizations. During the coronavirus pandemic, as more people go online for school, work and social interactions, weve seen an increase in system vulnerabilities across the country and in arizona. Spending has also gone up as state, local and tribal governments work to support their communities Information Technology needs. As such, federal cybersecuri support for state, local and tribal entities during this pandemic is critical. So today im going to direct my questions to mr. Riggi. Medical devices with connectivity features are coming more common in hospitals. In recent years, Ransomware Attacks on the medical community pacted not just hospital come computers but also storage and refrigerators. As coronavirus vaccines are approved hospitals and health , care systems across the country will be asked to accept shipments and store the vaccines under very precise conditions. Has the American Hospital association and its member hospitals created sound stragies to protect storage refrigerators and other systems that will be part of the storage and Distribution Plan . Thankou, senator. I think what we are our general guidance has been ncern terms of protecting all medil devices and to ensure that when th are if they are in fact connected to networks that any potential vulnerabilities be identifd and that they be network segmented. Well be closely monitoring the Vaccine Development and distribution and we will ceainly offer guidance to the field how to protect those refrigerat devices. One of the main ways to protect them is to ensure thatheyre not networkconnected and th they if they are network connected, to ensure they are segmented and isolated from main networks and potential threats. Thank you. And in 2019, as you may or may not be aware, Wickenburg Community hospital was hit by a Ransomware Attack. It serves a community of 8,000 residents. The hospitals fourperson i. T. Staff did not contact the cybercriminals to hear their demands. Instead they began rebuilding , the Computer Systems from scratch using data the hospital had backed up onto physical tapes. The attack happened on a friday. By monday, the systems were almost fully functional again. They were unique for a small hospital in that it had an i. T. Team with the expertise to rebuild the system. You mentioned constrained resources and shortage of qualified personnel as challenges to hiring qualified help i. T. Security experts. What needs to be done to overcome these challenges and how can Congress Help . Thank you. I think further incentives perhaps for to recruit and retain cybersecurity professionals to work in health care, perhaps modeling other programs across government and offering incentives for Health Care Professionals for doctors to work in rural areas, perhaps, we need something similar to that for cybersecurity professionals. As i said, unfortunately, there is a zero Unemployment Rate for cybersecurity professionals. Increased training, perhaps, of folks displaced from other services, increased training perhaps, or retraining of veterans as cybersecurity professionals may also be a another plausible route to staff these positions. Thank you. Thuniversity of Arizona Medical School has studied the vulnerabilities of medical devices and theyve invited doctors, security experts, and Government Agencies to simulate an attack on an insulin pump in 2017. As you know, medical devices are regulated by the fda for both safety and effectiveness. What discussions have occurred between your hospital members, government regulators and Device Manufacturers to prioritize the medical Device Security needs . Weve been engaged quite a bit with the fda concerning their premarket and postmarket guidance. Although this still remains guidance, our position has been that we would like to see most of that, if not all of that, made mandatory so that the manufacturers would have to comply with some of the guidance involving security by design, making sure those features are built in, that a software bill of materials is provided by the manufacturer to the end user so they can understand what the potential vulnerabilities may be in there, and also to provide lifetime support for the medical device, especially in terms of security upgrades. So were constantly monitoring that. One of the things we advise our hospitals and Health Systems is to ensure that there is adequate communication between clinical engineering staff in the Information Security staff as well, to keep an accurate inventory of medical devices, identify vulnerabilities which may be present in those devices and ensure that they are network segmented and of course the most precious lifesaving support devices like ventilators are the ones that are most protected and segregated. Thank you. Thank you so much. Madam chair, i yield back the balance of my time. Thank you for taking the time to talk to me about these concerns in arizona. My pleasure, thank you. Thank you very much, senator. I have a couple of more questions and then assuming we dont have any other senators join us, we will adjourn. But i wanted to take the opportunity, dr. Torresrodriguez, to turn back to you, to get a sense about the impact that the recent Ransomware Attack has had on your community. As you discussed, it delayed the start of the school year. Can you share with us how teachers, support staff, parents, and the rest of the community have been impacted by this cybersecurity attack and how has the pandemic exacerbated these effects. Yes. In terms of the ongoing operational effect of the attack, shutting down functions and servers did have da did have debilitating consequences for a number of departments. For example, we did not have access to our Financial Management software for 17 days. So this caused delays in numerous financial processes including our supply orders, yearend filing with our state requirements, grant filings, payroll, among other operations. And, you know, when i think about the broader implications, the disruptions to your School District, including that sudden delay to the first day of school after weeks of preparation, was disruptive to our families given that already as part of our mitigation efforts regarding our covid mitigation, we did have a staggered, phasedin approach to return back to school. It caused disruption and confusion there. And the process of restoring well over 10,000 devices, right, laptops and desktops for both students, teachers, and support staff was tremendous. It did require a heavy lift in terms of Human Capital and time which is, you know, why the role of our i. T. Department and the National Guard and a Third Party Technical support that we had to contract out for because otherwise we could not have done it. It would have taken, you know, additional weeks to start our school year. And so during this time, our teachers did struggle to deliver quality instruction to both the 10,000 students that were learning online at home as well as the 8,000 in their classrooms. As part of the planning last spring and into the summer, we did make the decision to become a one to one district, meaning one device per each student. Meaning that every student would have a districtissued device. There were over 2,000 devices that were no longer available for our students at the beginning of the school year because we had to prioritize getting our teachers to have their devices to deliver the instruction. And as i think about those early weeks, some of our students kids some of our students did not have access to learning and we serve communities that have concentrated levels of need. And so every minute, every day matters to us in terms of having access to instruction and the other social and emotional supports that our students need to have. Thank you vy much. Helpful. Eally i nt to follow up on the issue of k12 schools with you. Can you give us yo thoughts from the prospect of state governments onow to best protect k12 schools and hospitals . What role if any should state governments be playing . Thank you, senator. This is a great opportunity to highlight the whole state approach we advocate. Back to astart going constant that senator rosen brought up earlier, which was the concept of making our activities consumable by those folks we want to help. We have a smallstaff school. You cant throw sophisticated things for them to absorb and have to do. We have been working with we have been working with multistate information sharing on how we scale up from their programs as originally designed for state governments, they need to be tweaked, to be absorbed and it is being collaborative, on the school side, really being involved in the rollout of minimum standards for security, privacy in schools enacted by state legislature in New Hampshire. On the hospital side, we did involve local hospitals in the grant fund, dh of grant fund disruption funding so what is going on in vermont, and cyber professionals in the hospitals in New Hampshire, whether they are preparing to launch carefully to avoid in the hospital, as he heard is tremendous so those are small examples of collaborative approach. There is no i in cyber. Thank you for that and your continued work for the people of New Hampshire. Going to go ahead at the chairmans request and adjourned the hearing. I particularly want to thank his staff for their work in making this happen. I think the witnesses for their testimony for the role you play in helping secure the nation from cyberattacks at the state and local level has never been more important and incumbent on all of us for the unique challenges challenges posed. State and local governments, Additional Resources and support to be able to achieve their missions in the face of cyberattacks, on potential solutions such as cyberGrant Programs in federal government, schools and hospitals. I know how busy you are at this challenging time. Seeing there are no other members seeking recognition, the committee record will remain until december 16th. The subcommittee stands adjourned, thank you very much. [inaudible conversations] [inaudible conveations] with coronarus cases increasing across the country use our website, cspan. Org coronavirus to follow the trends, track the spread with interactive maps and watch updates on demand any time, cspan. Org coronavirus. Booktv on cspan2 has top nonfiction books and authors every weekend. This weekend, saturday at 8 15 eastern coverage of the 70 First Annual National book awards. Sunday live at noon eaern on in depth a cversation with author and chair of African Studies at princeton university, the author of several books including begin again, james baldwins american and urgent lessons for our own exodus, democracy and black and an uncommon faith. Here we are in this moment after electing the first bck president in 2008 the country responded by Voter Suppression law, voter id law, the vriol of the tea party and elected donald trump. We are at a crossroads. Who are we going to be . At the heart of all is this moral question. Who do we shape ourselves to be . Join the conversation wit your calls, tweets and facebook messages. At 9 00 pm eastern on after words National Review correspondent Kevin Williamson and his book big white ghetto on the politics and everyday lives of white workingclass americans in appalachia interviewed by Washington Examiner columnist and cnn contributor, watch booktv on cspan2 this weekend. In about 90 minutes on cspan2, House Speaker john e boehner talks about the transition to a biden presidency at 8 30 eastern. Now more about the coronavirus pandemic, Pharmaceutical Company executives and cyber officials talk about securing the development and distribution of covid19 vaccines, part of the aspen security summit. Im pleased introduce my friend dina templeraston who will speak to fbi assistant the beauty director, j and j achieve Information Security officer at eli lilly chief Information Security officer meredith harper. Welce. Over to you. Thanks very much, nice to see you even virtually