Mr. LaHood: I recognize myself for five minutes for an opening statement. I want to welcome the witnesses here today, and welcome Chairman Smith, the Oversight Subcommittee, Research and Technology Subcommittee Ranking Member Lipinski, our expert witnesses, and members of the audience. Cybersecurity, a concept we hear mentioned frequently, especially in this period of rapidly emerging threats, is an ever-evolving concept. Maintaining an effective cybersecurity posture requires constant vigilance as new threats emerge and old ones return. Too often, however, when we hear about the importance of cybersecurity, we are left without concrete steps to take to ensure our systems are best positioned to defend against emerging threats. One of the goals of today's hearing is to learn about real, tangible measures the government can take to ensure its IT security systems are appropriately reinforced to defend against new and emerging threats, including novel and sophisticated ransomware threats. The specific focus of today's hearing will be the recent WannaCry ransomware attack, a new type of ransomware infection which infected over one million unique systems last month in a worldwide attack that impacted nearly every country in the world. Although the concept of ransomware is not new, the type of ransomware employed by WannaCry was novel. WannaCry worked by encrypting documents on a computer and instructing victims to pay $300 in bitcoin in order to regain access to their documents. Unlike typical forms of ransomware, however, WannaCry signaled the ushering in of a new type of worming ransomware, which caused the attack to spread faster and more rapidly with each new infection.
In light of the novelty built into WannaCry's method of attack, cybersecurity experts, including those we'll hear from today, have expressed significant concerns that WannaCry is only a preview of a more sophisticated ransomware infection that many believe will inevitably be launched by hackers in the near future. Beginning May 12, 2017, the WannaCry ransomware infection moved rapidly across Asia and Europe, eventually hitting the United States. The attack infected 7,000 computers in the first hour and 110,000 distinct IP addresses in two days, in almost 100 countries including the U.K., Russia, China, Ukraine and India. Experts now believe WannaCry affected approximately one million to two million unique systems worldwide prior to activating the kill switch. In Illinois, my home state, Cook County's IT systems were compromised by WannaCry, reportedly one of the few local governments subject to the attack. Although Cook County has worked to appropriately patch their systems, it is important that we ensure that all vulnerabilities are appropriately remedied in the event of a more sophisticated attack. Fortunately, the hackers responsible for WannaCry mistakenly included a kill switch, which was uncovered by an employee of Kryptos Logic and used to terminate the attack. The Kryptos Logic employee activated it when he registered the domain linked to the attack. The kill switch prevented 10 to 15 million unique system infections and reinfections. Based on information available thus far, federal government systems were fortunately spared by WannaCry. We want to ensure that the government is sufficiently prepared in the likely event of a more sophisticated attack. Additionally, the committee wants to hear what Congress can do to appropriately address this climate of new and emerging cybersecurity threats.
Through the lens of the aftermath of WannaCry, today's witnesses will help shed light on key steps the government should take to ensure its systems are protected. We will also hear today about how public-private partnerships are an instrumental tool to help bolster the government's cybersecurity posture. Finally, we'll learn about how the President's recent cybersecurity order, which makes the NIST Cybersecurity Framework mandatory on the executive branch, is a significant step in ensuring the cybersecurity posture includes the most up-to-date measures to defend against threats. It is my hope that we will highlight areas where improvement is necessary while offering recommendations to ensure the federal government is prepared to respond to emerging cybersecurity threats. I look forward to hearing from our distinguished witnesses. I now recognize the Ranking Member of the Oversight Subcommittee, Mr. Beyer, for an opening statement.

Mr. Beyer: Thank you very much, Mr. Chairman. I'd just like to thank you and Chairman Comstock for holding this hearing. Cybersecurity should be a chief concern for every government, business and private citizen. [inaudible] systems were breached by state-sponsored hackers, compromising the personal information of millions of Americans. That same year, hackers released the personal information of Sony Pictures executives, embarrassing emails between Sony executives and employees, and even copies of then-unreleased Sony movies. In 2015, they took over the power grid in Ukraine. The cybersecurity breach that was the genesis of this hearing was the WannaCry outbreak. It infected 300,000 computers worldwide and could have been much worse. I want to thank CEO Neino for being wise enough to find an employee to find the kill switch, unless you did it yourself. We're lucky it was found quickly, and we're fortunate that federal systems were resistant to WannaCry. We know we may not be as lucky next time.
In preparing for this, I learned that I need to upload our security upgrades every time I get a chance on our personal computers and smartphones. The May 11 executive order on strengthening the cybersecurity of federal networks seeks to build on the Obama administration's successes in the cybersecurity arena, and I'm happy that the Trump administration, I don't agree with them on every topic, but that they've taken the next good step. The executive action recommends a host of actions and a myriad of reports. My concern is that the understaffed agencies will have significant difficulty meeting the dictates of the executive order. Frankly, I'm also concerned that the proposed budget cuts in the original Trump-Mulvaney budget across all agencies will make the task a lot harder to strengthen the security of federal information systems. We've got to make sure the government has the resources and staffing to meet the need in this vital area. The executive order also calls for agencies to begin using the NIST framework for cybersecurity efforts, and I'm glad we have NIST with us here today. They play an important role in setting cybersecurity standards that can help thwart and impede cybersecurity attacks. NIST is world-renowned for its expertise in standards development, and we'll be well served to use their framework. On a precautionary note, I believe some efforts to expand beyond the current mission are well intentioned but perhaps misplaced. We recently had a debate on H.R. 1224, the NIST Cybersecurity Framework and Auditing Act of 2017, which gives NIST audit authority. Currently this is the responsibility of the Inspector General for each agency. They have the statutory authority, the experience and expertise, and respond directly to Congress. NIST has no such experience or expertise, and I at least remain concerned about this proposal. I'd be interested in any of the expert witnesses' thoughts on NIST's role in cybersecurity and auditing. I look forward to hearing from you all today.
I look forward to hearing from the former federal CISO. Bloomberg reported this week that the Russian meddling in our electoral system was far worse than previously reported. According to the report, hackers attempted to delete or alter voter data, alter software designed to be used by poll workers, and in at least one instance access a campaign finance database. They didn't need to change individual votes to change the election, and we should take these sorts of attacks seriously. Vice President Cheney called it a war on our democracy. Mr. Chairman, this committee held more than a half dozen hearings on cybersecurity issues, including one on protecting the 2016 elections from cyber and voting machine attacks. Given what we know about the hacking and meddling in 2016, I hope this hearing will be a precursor for more hearings on how to better protect our voting systems. I yield back.

Mr. LaHood: Thank you for your opening statement. I recognize Mr. Abraham for an opening statement.

Mr. Abraham: Over the last few years, we have seen an alarming increase in the number and intensity of cyberattacks. It's compromised the personal information of millions of Americans, jeopardized thousands of businesses, and threatened interruption of critical public services. The recent WannaCry ransomware attack demonstrates that cyberattacks are continuing to go from bad to worse. The most recent large-scale cyberattack affected more than one million to two million systems in more than 190 countries. Nevertheless, it appears the impact could have been much more catastrophic, considering how fast that ransomware spread. While organizations and individuals within the United States were largely unscathed, due in part to a security researcher identifying a web-based, quote, kill switch, the potential destruction of WannaCry warns us to expect similar attacks in the future. Before those attacks happen, we need to make sure our information systems are very ready.
In a Research and Technology Subcommittee hearing earlier this year, a representative of the GAO testified, and I quote, over the past several years, GAO made about [inaudible] recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented. Unquote. It is clear that the status quo in federal government cybersecurity is a virtual invitation for more cyberattacks. We must take strong steps in order to properly secure our systems and databases before another cyberattack like WannaCry happens and puts our government up for ransom. On March 1, 2017, this committee approved H.R. 1224, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, a bill I introduced as part of my ongoing interest in the state of our nation's cybersecurity. This bill takes concrete steps to help strengthen federal government cybersecurity. The most important steps are encouraging federal agencies to adopt the National Institute of Standards and Technology, NIST, Cybersecurity Framework, which is used by many private businesses, and directing NIST to initiate cybersecurity audits of priority federal agencies to determine the extent to which each agency is meeting the information security standards developed by the institute. NIST in-house experts developed government-wide technical standards and guidelines under the Federal Information Security Modernization Act of 2014, and NIST experts also developed, through collaboration between government and the private sector, the Framework for Improving Critical Infrastructure Cybersecurity, which federal agencies are now required to use pursuant to the President's recent cybersecurity executive order. I was very pleased to read that language.
Considering the growing attempts to infiltrate information systems, there's an urgent need to assure Americans that all federal agencies are doing everything they can to protect government networks and sensitive data. The status quo simply is not working. We can't put up with more bureaucratic excuses and delays. NIST cyber expertise is a singular asset. We should take full advantage of that asset, starting with the very important step of annual NIST cyber audits of high-priority federal agencies. As cyberattacks and cyber criminals continue to evolve and become more sophisticated, our government's cyber defenses must also adapt in order to protect vital public services and shield hundreds of millions of Americans' confidential information. We will hear from our witnesses today about lessons learned from the WannaCry attack and how the government can bolster the security of its systems. We must keep in mind that the next cyberattack is just around the corner, and it can have a far greater impact than what we have thus far seen. Our government systems need to be better protected, and that starts with more accountability, responsibility, and transparency by federal agencies. Thank you, and I look forward to hearing our panel. I yield back.

Mr. LaHood: Thank you, Mr. Abraham. I now recognize the Ranking Member of the Research and Technology Subcommittee, Mr. Lipinski, for an opening statement.

Mr. Lipinski: Thank you, Mr. LaHood, and thank you for this hearing on the WannaCry ransomware attack last month. The good news is U.S. government information systems were not negatively impacted by the WannaCry attack. This was a clear victory for cyber defenses. However, I believe there are lessons to be learned from successes as well as failures. A combination of factors likely contributed to the success, including getting rid of most of our outdated Windows operating systems, diligently installing security patches, securing critical IT
assets and maintaining robust network perimeter defenses. As we know, Microsoft sent out a security patch in March, two months before the WannaCry attack. These and other factors played a role in minimizing damage to U.S. businesses as well. However, WannaCry serves as yet another reminder that we must never be complacent in our cybersecurity defenses. The threats are ever-evolving, and our policies must be robust yet flexible enough to allow our defenses to evolve accordingly. The Federal Information Security Modernization Act laid out key responsibilities for security of civilian information systems. Under FISMA, DHS and OMB have central roles in development and implementation of policies as well as in incident tracking and response. NIST develops and updates security standards and guidelines, both informing and responsive to policies from OMB. Each agency is responsible for its own compliance, and each Inspector General is required to audit its compliance with FISMA on an annual basis. We must continue to support efforts to be compliant with FISMA while conducting careful oversight. In 2014, NIST released a Cybersecurity Framework for critical infrastructure, which is currently being updated to Framework version 1.1. While it's still too early to evaluate the impact, it appears it's being widely used across industry sectors. They recently reported out H.R. 105, which I was pleased to cosponsor, that would ensure the Cybersecurity Framework is easily used by its users. I hope we get it to the President's desk quickly. In the meantime, the President's cybersecurity order directs federal agencies to use the framework to manage their own risk. As we have heard in prior hearings, many experts have called for this step, and I applaud the administration for moving ahead. I join Mr.
Beyer in urging the administration to fill the many vacant positions across the agencies that would be responsible for implementing the framework as well as shepherding the many reports required. Finally, I take this opportunity to express my disappointment in the administration's budget proposal for NIST. The top-line budget cut of 25 percent was so severe that if it were implemented, NIST would have no choice but to reduce its cybersecurity efforts. This represents the epitome of penny-wise, pound-foolish decision making. NIST is among the best of the best when it comes to cybersecurity standards, and they help secure information systems not just of our federal government but our entire economy. I trust that my colleagues will join me in ensuring NIST receives robust funding and doesn't suffer the drastic cut requested by the President. Thank you to the expert witnesses for being here this morning, and I look forward to your testimony. I yield back.

Mr. LaHood: Thank you, Mr. Lipinski. At this time I recognize the chairman of the full committee, Mr. Smith.

Mr. Smith: Thank you, Mr. Chairman. Appreciate you holding this hearing. In the wake of last month's WannaCry ransomware attack, today's hearing is a necessary part of an important conversation the federal government must have as we look for ways to improve our federal cybersecurity posture. While WannaCry failed to compromise government systems, it's almost certain the outcome was due in part to a measure of chance. Rather than seeing this outcome as a sign of bulletproof cybersecurity defenses, we must instead increase our vigilance to better identify constantly evolving cybersecurity threats. This is particularly true since many cyber experts predict that we will experience an attack similar to WannaCry that's more sophisticated in nature, carrying with it an even greater possibility of widespread disruption and destruction. Congress should not allow cybersecurity to be ignored across government agencies.
I am proud of the work the committee has done to improve the federal government's cybersecurity posture. During the last Congress, the committee conducted investigations into the Federal Deposit Insurance Corporation, the Internal Revenue Service, and the Office of Personnel Management, as well as passed key legislation aimed at providing the government with tools it needs to strengthen its cybersecurity posture. President Trump understands the importance of bolstering our cybersecurity. He signed a recent executive order on cybersecurity which is a vital step toward ensuring the federal government is positioned to detect, deter and defend against emerging threats. Included in the President's executive order is a provision mandating that executive branch departments and agencies implement the NIST Cybersecurity Framework. While continuously updating its Cybersecurity Framework, NIST takes into account innovative cybersecurity measures from its private sector partners. NIST's collaborative efforts help ensure that those entities that follow the framework are aware of the most pertinent, effective, and cutting-edge cybersecurity measures. I believe the President's decision to make the NIST framework mandatory for the federal government will serve to strengthen the government's ability to defend its systems against advanced cyber threats like the recent WannaCry ransomware attack. Similarly, the committee's NIST Cybersecurity Framework and Assessment Act of 2017, sponsored by Representative Abraham, draws on findings from the committee's numerous hearings and investigations relating to cybersecurity, which underscore the immediate need for a rigorous approach to protecting U.S. cybersecurity infrastructure and capability. Like the President's recent executive order, this legislation promotes federal use of the NIST Cybersecurity Framework by providing guidance that agencies may use to incorporate the framework into risk mitigation efforts.
Additionally, the bill directs NIST to establish a working group with the responsibility of developing key metrics to use. I hope our discussions here today will highlight distinct areas where cybersecurity improvement is necessary while offering recommendations to ensure cybersecurity objectives stay at the forefront of our national security policy discussions. And with that, I yield back, Mr. Chairman.

Mr. LaHood: Thank you, Chairman Smith. At this time, let me introduce our witnesses here today. Our first witness is Mr. Salim Neino, founder and chief executive officer of Kryptos Logic. He's credited with discovering new solutions for companies like IBM, Dell and Avaya. He received a bachelor's degree in science from the University of California, Long Beach. Kryptos is credited with largely stopping the WannaCry attack. We'll hear more about that during his testimony today. Our second witness today is Dr. Charles Romine, director of the Information Technology Laboratory at NIST. He received a master's degree in mathematics and a Ph.D. in applied mathematics from the University of Virginia. Our third witness, Mr. Touhill, is a retired Brigadier General in the United States Air Force. He's an adjunct professor of cybersecurity at Carnegie Mellon University. Previously he was chosen by President Obama to serve as the nation's Chief Information Security Officer. He received his bachelor's degree from Penn State University and a master's degree in systems management and information systems from the University of Southern California. And our final witness today is Dr. Hugh Thompson, chief technology officer for Symantec. He also serves as an advisory board member for the Anti-Malware Testing Standards Organization and on the editorial board of IEEE Security and Privacy magazine. He received his bachelor's degree, master's degree and Ph.D. in applied mathematics from the Florida Institute of Technology.
We're glad you're all here today and look forward to your valuable testimony. I now recognize Mr. Neino for five minutes to present his testimony.

Mr. Neino: Thank you, Chairman LaHood. Thank you for the opportunity to appear before you today at this joint subcommittee hearing. We greatly appreciate your interest in cybersecurity and look forward to sharing our thoughts and perspectives with you and the members. A threat was identified. While the intent of the threat was unclear, it was immediately evident that its approach was unusually reckless. This threat has now popularly become known as WannaCry. It was at this time that our director of threat intelligence for our breach monitoring platform notified me of our team's active monitoring of the developing situation. On this date, at approximately 10:00 a.m. Eastern time, while investigating the WannaCry code, we identified what had looked like an anti-detection mechanism which tested for a certain domain name. Our team registered this domain name and directed it to one of our sinkholes. We noticed that the propagation of the attack came to a standstill because of what we refer to as a kill switch being activated by our domain registration efforts. While our efforts stopped the attack and prevented WannaCry from deploying the ransom component, we knew it had propagated freely for many hours at minimum. Based on our estimates, we believe that anywhere between one and two million systems may have been infected in the hours prior to activating the kill switch, contrary to widely reported and more conservative estimates of 200,000 systems. We have mitigated over 60 million infection attempts. Approximately seven million of those are in the United States, and we estimate that these could have impacted at minimum 10 million to 15 million unique systems.
I will note that the largest attack we thwarted and measured to date from WannaCry was not on May 12 or May 13, when the attack started, but began suddenly on June 8 and 9 on a well-funded hospital on the East Coast of the United States. It is very likely the health system is still unaware of the event. We measured approximately 275,000 thwarted infection attempts within a two-day period. Another hospital was also hit on May 30 in another part of the country. A high school in the Midwest was hit at the beginning of June 9. Presumably every system at this location would have had its data held hostage if not for the kill switch. Moreover, we have been under attack by those attempting to knock us offline, thus propagating the attack. Many of these came from a well-known botnet which took down parts of the United Kingdom and the East Coast. Despite these attempts, our systems remain resilient. We believe the success of WannaCry illustrates two key facts about our nation's systems. Vulnerabilities exist at virtually every level of computer infrastructure, ranging from operating systems to browsers, from media players to internet routers. Exploiting and weaponizing such vulnerabilities has a surprisingly low entry barrier. Anyone can join in, including rogue teenagers, nation states, and anyone in between. So how do we adapt and overcome and mitigate the threats and weaknesses? While many cybersecurity experts who have come before me offer the usual gloomy "there are no silver bullets," I have had the opportunity to see both sides. Our attack responses must be more agile and with higher velocity and intensity. While the nation has considerable risks, the actual resources for cyber defense are scarce, and there simply is not presently an adequate level of highly skilled, highly experienced and highly available operators in the cybersecurity field.
While there's no shortage of good ideas which claim to be able to solve the problem, every subsequent idea needs development and support and testing and maintenance, etc., all of which we characterize as developer debt. Many of these take too long to procure and end up being outdated and essentially useless before the ink is dry on the paper it's written on. I am hopeful that there is a path forward. Mitigations are effective and have increased the cost of attacking systems. Other mitigations include various design approaches, including data systems and transmissions, such that they measurably raise the bar for critical software like internet browsers, web servers and protocols which are fundamental to business continuity. Investing in technology doesn't necessarily guarantee any actual improvement. In fact, one could argue that introducing more technology exacerbates the maintenance and creates immediate monetary loss, because there are few metrics to measure the effectiveness of any particular technology. This is because we are typically years behind the attacks in terms of the sword and shield battle. As these resources ebb and flow, knowledge gaps are also created. We must be less risk averse in terms of the defensive operations we undertake, more open to failure, and ready to adapt and learn from failure. We need a stronger focus on threat modeling and fire drill simulation that will focus on the events of magnitude which will cause significant damage. A significant problem in the response to the WannaCry incident was that there was no real course of action well communicated. The media focused on points contrary to the defense, the whodunit, and this could have resulted in a complete breakdown of processes had this been an unpatched zero-day vulnerability and there was no luxury of a kill switch. The largest success, though incomplete, was the ability for the FBI
and NCSC of the United Kingdom to disseminate the information we provided so affected organizations could respond. Information sharing can be valuable, but our framework could be vastly improved by triaging cybersecurity threats on a clear and repeatable scale, not too dissimilar to the Richter scale, which measures the energy released in an earthquake. Likewise, a scale that takes technical and social factors into account allows first responders, us, to focus on the most important areas of risk. While there do exist various scoring systems for evaluating the purely technical element, they fall short in terms of clear information. We focus too much on vulnerabilities with names like MS17-010. None of these impact the wider environment. We need an easier-to-grasp method to prioritize threats that have large-scale destructive potential. To this end, once we determine a method to evaluate the risk, we can apply the appropriate mitigation. In conclusion, one of the largest issues is the transitory nature of the crisis. We think this can be explained by the fact that organizations are too slow to adapt. There's a vast human resource shortage and little by way of metrics to demonstrate return on investment in defensive technologies. Again, I thank the subcommittee for inviting me here today to discuss our involvement and the lessons learned from WannaCry, and I welcome the opportunity to answer any questions you may have when they're fielded.

Mr. LaHood: Thank you, Mr. Neino. I now recognize Dr. Romine for his opening statement.

Dr. Romine: Chairman LaHood, Chairman Smith, ranking members and others, thank you for the opportunity to appear before you today to discuss NIST's key roles in cybersecurity and how they relate to recent incidents. In the area of cybersecurity, we have worked with federal agencies, industry and academia since 19[inaudible].
NIST's role to deploy standards to protect the federal government's information systems against threats to the confidentiality, integrity and availability of information and services was recently reaffirmed in the Federal Information Security Modernization Act of 2014. NIST provides ways to recover from these attacks by ensuring that the recovered system is trustworthy and capable. NIST's Guide for Cybersecurity Event Recovery provides guidance to help recover from a cyber event and integrate the processes and procedures into the enterprise risk management plan. The guide discusses hypothetical cyberattack scenarios, including one focused on ransomware, and steps taken to recover from the attack. Three years ago, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity. The framework, created through tight collaboration between industry and government, promotes guidelines and practices. The framework prompts decisions affecting infection by the ransomware, propagation of the ransomware, and recovery from it. While the framework does not prescribe a baseline of cybersecurity, for example a baseline that would have prevented WannaCry, it does prompt a sequence of interrelated cybersecurity risk management decisions which should help prevent virus infection and propagation and support expeditious response and recovery activities. On May 11, President Trump signed Executive Order 13800, which mandates that federal agencies use the framework. Under the executive order, every federal agency or department will need to manage their cybersecurity risk by using the framework and provide a risk management report to the director of the Office of Management and Budget and to the Secretary of Homeland Security.
On May 12, NIST released a draft interagency report, the Cybersecurity Framework Implementation Guidance for Federal Agencies, which provides guidance on how the framework can be used in the United States federal government in conjunction with the current and planned suite of NIST security and privacy risk management guidelines and practices developed in response to the Federal Information Security Management Act as amended, or FISMA. Another NIST resource that can assist in protecting against similar future attacks is the most recent release of the NIST National Software Reference Library, or NSRL. It provides a collection of software from various sources and unique file profiles, most often used by law enforcement, government and industry organizations to review files on a computer by matching the profiles in the system. NIST retains a database of all known vulnerabilities, such as the one exploited by the WannaCry malware. The list is an authoritative source of security vulnerabilities that NIST updates dozens of times daily. NIST analyzes and provides a common severity metric for each identified vulnerability. We recently initiated a project at our National Cybersecurity Center of Excellence focused on recovering from cyberattacks. Organizations will be able to use the results of the research to recover trusted backups, roll back data to a known good state, alert administrators when there's a change to a critical system, and restore services quickly after a WannaCry-like cyberattack. NIST is extremely proud of its role in establishing and improving the comprehensive cybersecurity technical solutions, standards and guidelines to address cyber threats in general and ransomware in particular. Thank you for the opportunity to testify today on NIST's work in cybersecurity and in preventing ransomware attacks. I'd be happy to answer any questions you may have.

Mr. LaHood: Thank you, Dr. Romine. I now recognize Mr. Touhill.
Good morning, Chairman LaHood, Ranking Member Beyer, members of the committee. Thank you for the opportunity to appear today to discuss cyber risk management. I'm retired Air Force Brigadier General Greg Touhill. I serve on the faculty of Heinz College, where I instruct on cybersecurity and risk management. Prior to my current appointment I served as the United States Chief Information Security Officer, and before that in the United States Department of Homeland Security, where I served as Deputy Assistant Secretary for Cybersecurity and Communications. During that period I also served as director of the National Cybersecurity and Communications Integration Center, commonly referred to by its acronym, NCCIC. During my Air Force career I served as one of the Air Force's first cyberspace operations officers, and I currently maintain both the Certified Information Systems Security Professional and Certified Information Security Manager certifications. Many people mistakenly view this as solely a technology concern. Cybersecurity is a multidisciplinary management issue and an essential part of an enterprise risk management program. I recognize we have a very full agenda of topics today and I'm sensitive to your time. I have submitted for the record a written statement, and in it I discuss the recent WannaCry attack and assess how it may impact the public and private sectors. I view WannaCry as a slow-pitch softball, while the next one may be a high and fast fastball. I discuss public-private partnership, and I urge the Congress to continue its great efforts to strengthen our enterprise risk posture. I urge you to authorize and empower the federal Chief Information Security Officer position, which currently is not an authorized, specified position. I also suggest that instead of calling it the NIST Cybersecurity Framework, and I'm a huge fan of this framework, we call it the National Cybersecurity Framework, to reinforce the fact that it applies to everyone.
Further, NIST did a brilliant job in crowdsourcing this framework, but it was really people from around the country that brought to the table best practices. NIST was a great trail boss for this, but it is really a national Cybersecurity Framework. Finally, in regards to the proposed H.R. 1224 legislation, I congratulate the committee and the members of the Congress for taking the initiative to really reinforce the need to implement the framework across the federal government. I do suggest, based upon my experience in both the military and the civilian sectors of the federal government, that we do two things with that act. One is that we amend that act to make it apply to national security systems as well. Having served extensively in the military and in the federal government, I believe that the national Cybersecurity Framework applies equally to national security systems, and I recommend you make that amendment. Further, I concur with my colleagues who suggest that we leverage the Inspector General and auditing communities that are currently in the different departments and agencies and reinforce their need to conduct appropriate audits using that Cybersecurity Framework. Again, I thank you for inviting me to discuss cyber risk management with you today, and I look forward to answering any questions you may have.

Mr. LaHood: Thank you. I now recognize Dr. Thompson to present his testimony.

Mr. Thompson: Thank you for having me. Chairman LaHood, Vice Chairman Abraham, Ranking Member Lipinski and Ranking Member Beyer, I appreciate being here today to talk about what is a critical subject. Understanding the current threat environment is essential to crafting good policy and effective defenses. Last month's WannaCry ransomware attack is one of the manifest cases of the kinds of disruptive attacks we are now facing. The timeline of WannaCry, I think, has been well covered by the other folks on this panel.
But I did want to share with you a graphical timeline that hopefully you can see on the monitor; apologies for the small print. What's interesting, I think, about that, and where I'd like to add some color, is to give you Symantec's perspective on events as they unfolded. We are the world's largest cybersecurity company, with technology protecting over 90% of the Fortune 500 and being used extensively by government agencies around the world. In addition, we protect tens of millions of home users through our Norton and LifeLock branded products. The threat telemetry we get from these represents the largest in the world. WannaCry was unique and dangerous because of how quickly it could spread. It was the first ransomware-as-a-worm that had such a rapid global impact. Once on a system it propagated autonomously by exploiting a vulnerability in Microsoft Windows. After gaining access to a computer, WannaCry installs the ransomware package. This payload works in the same fashion as most crypto-ransomware: it demands payment from those infected. Symantec worked closely with the U.S. government from the first hours of the outbreak. We connected DHS researchers with our experts, provided analysis and received the same back. During the outbreak, DHS held twice-daily calls with the private sector to coordinate operational activities. From our perspective this was one of the most successful public-private collaborations that we've been involved in. Our analysis of WannaCry revealed that some of the tools and infrastructure it used had links to a group referred to as Lazarus by the security community, which the FBI has connected with North Korea. Lazarus was linked to the destructive attack on Sony Pictures in 2014, and also the theft of approximately $81 million from the Bangladesh Central Bank last year. The links we saw between WannaCry and Lazarus include shared code, the reuse of IP addresses and similar code obfuscation techniques.
As a result, we believe it is highly likely that the Lazarus Group was behind the spread of WannaCry. Beyond WannaCry, the threat landscape continues to evolve very quickly. We're seeing attacks become more sophisticated, not just in technology but in the social engineering approaches these attacks use. We're also seeing more attacks being leveraged against IoT devices, such as the massive weaponization of IoT devices that we saw with the Mirai botnet last fall. Mirai launched one of the largest distributed denial of service attacks ever. The explosive growth of attacks like WannaCry and Mirai underscores the need for preparation and employing integrated and layered defenses. These attacks showed that response and recovery planning and tools are an essential part of cyber risk management, because while good defenses will stop many attacks, we have to be prepared that a determined adversary may get through those initial defenses, and we must lay a foundation for recovery. There's no question that WannaCry was an important event, but unfortunately it will not be the last of its kind. In fact, it's more likely an indicator of what's to come. Good fortune played a significant role in minimizing its impact, particularly in the U.S., but we will not always have luck on our side, which is why we must learn the lessons of WannaCry and make the necessary improvements to our defenses and response capabilities. This hearing is an important part of that effort, and we appreciate the opportunity to be here. I look forward to answering any questions that you may have. Thank you.

Mr. LaHood: Thank you, Dr. Thompson. Thank all the witnesses for your testimony. The chair recognizes himself for five minutes and we'll begin questioning. As I talked about at the beginning, the title of this hearing is Lessons Learned from WannaCry. And we've talked a lot this morning about WannaCry and how that played out across the world.
But in terms of what we learned about the genesis and origin of where this came from, I know the Washington Post came out with an article yesterday that the NSA linked the WannaCry computer worm to North Korea. I'm wondering if, Mr. Neino, you can talk about the genesis and origin of where this came from, particularly because it appears it's from a nation state, and I know there are references to what occurred with Sony Pictures and also with the Bangladesh bank, and what we know about it and what is being implemented, I guess, on the government side to prevent this or hold an entity or the government accountable.

Mr. Neino: Thank you, Mr. Chairman. I think, if I understand your question, you're asking about, one, the origin and our conjecture on that, and number two, perhaps, if I understood also correctly, what would be the rules of engagement for something like that with another nation state. While we think it's ambiguous to conjecture over the origin of WannaCry, there is code in there that suggests some nation state could be responsible. Unfortunately, anyone could have created this level of attack, and often misdirection is found, typically in binaries like these attacks we see. I would compare it perhaps, as an analogy, to Photoshop: a program can be made to look a certain way, or it could have simply been what it is, which is exactly what we see. It's hard to tell. So I won't say that I know the origin of the attack, nor should I conjecture on it. What I can say is that these attacks are very difficult to attribute. We are a cybersecurity company, not an intelligence agency. It would be difficult for us to pursue an answer to that. As far as rules of engagement, I think the question segues the same way. It would be difficult to create attribution or origin for any attack, and therefore rules of engagement would be difficult for us to give an assessment on.

Mr. LaHood: Dr. Thompson?

Dr. Thompson: This is an interesting attack.
We spent a lot of time in our research labs looking at both the code used in WannaCry and also where WannaCry communicated out to. And there were very, very close similarities to other kinds of attacks that we have seen, specifically attacks that we attribute to a group called Lazarus. The reuse of code in that malware, the reuse of strings in that malware, and the reuse of command and control infrastructure out on the internet by that malware led our researchers to believe this is strongly linked to the Lazarus Group. Now, similar to my colleague on the end, we're not the intelligence community either, and I agree with those comments that attribution is often difficult. But what we've seen leads us to believe it was a part of this Lazarus Group. Separately, the FBI has linked the Lazarus Group with North Korea. And I think, Chairman LaHood, the article that you're referring to from yesterday is another potential evidence point on that as well, from the NSA.

Mr. LaHood: Thank you. Mr. Neino, we talked about the kill switch and how that stopped the attack, but we also referenced the fact that last week a hospital on the East Coast and a high school were subject to attack. Can you explain how, if the kill switch was implemented correctly, the hackers responsible for WannaCry were able to continue to perpetuate the attack despite registration of the kill switch?

Mr. Neino: Absolutely. Though I'd like to be a doctor, it's Mr. Neino. You have to understand the makeup of the malware. Why WannaCry was so significant is that it's self-propagating. That's what gives it the title of worm, meaning the actors don't need to be in existence. Sometimes we refer to these things as zombies, zombie botnets, because they continue to proliferate regardless of the actors that were the parents or creators of the attack.
In the case of the examples I gave in the testimony regarding health systems, of which there are many, that was just a case that was very significant. The worm continues to propagate because it is scanning and seeking to expand itself, and that portion of the worm is not subject to the kill switch. So it's its expansion and spreading which, in effect, is still exploiting systems worldwide. What it's not triggering is the payload, the ransom component. And because that component therefore doesn't trigger, most of these organizations worldwide right now don't know they're still being actively exploited, because they don't see the ransom portion of it. So that's why we have 60 million attacks thwarted to date, if not more. Nobody knows it's still happening. That's why I said I don't think the message has resonated, given those figures, that this still needs to be patched, and this again points to the question of resources.

Mr. LaHood: Thank you, Mr. Neino. I yield to Ranking Member Beyer.

Mr. Beyer: I'm so impressed. Congratulations to Dr. Romine and Dr. Thompson for being Ph.D. mathematicians. Mr. Neino, congratulations on winning the hacking tournament; I never had a chance to say that before, it's very cool. And General Touhill, it's cool that now, after all the things you've done in your life, combat and diplomacy and first CISO, you get to be at Carnegie Mellon with their buggy races around the park. Every university has something that makes it cooler than every place else. And General, I want to start with you. You talked in your long written testimony about H.R. 1224, cosponsored, a bipartisan bill here. But we have expressed a lot of concern about the audit function that NIST would be asked to take on.
I was particularly fascinated by your points, which we didn't raise when we had the hearing here, that it would make it much more difficult for NIST to be viewed as an honest broker, that this would change the perceptions about their current and future roles and have a chilling effect on many of the relationships NIST has within government and industry. A lot of these relationships are, quote unquote, learning relationships based on a common quest to identify and incorporate best practices, and this would change those relationships not in a good way; it might inhibit or stifle the free exchange of information from public and private entities to NIST. Can you expand on that at all? It seems to be a powerful argument against that audit function.

Mr. Touhill: I'm a fan of the legislation. Section 20(a), making sure folks are in fact using the Cybersecurity Framework across the federal government, is brilliant. We need to follow through on that, big time. Frankly, it was something I was promoting while I was the United States Chief Information Security Officer. As a matter of fact, at my last federal Chief Information Security Officer Council meeting in January of this year, I proposed, and we had a unanimous vote amongst the council, to do risk assessment based on the framework. That portion of the legislation I'm wholly supportive of. Section 20(b), the proposal to do the auditing and compliance activity, I'm also a fan of. I think it's important that we do auditing and compliance. However, I do stand by what I wrote in the written testimony, that I think NIST is not the best place to put that. It doesn't have the culture. It doesn't have the mission. It doesn't have the personnel to do it as effectively as the existing Inspector General and auditing functions. From a practical standpoint, NIST is a great organization that I've been working with for the last 35-plus years.
And the relationships that NIST has are in fact as a neutral party that is on the quest to choreograph efforts to find the best ways of doing things. An auditing function or compliance function, on the other hand, is looking to see if you are in fact following the checklist. I think that if we want to have an auditing and compliance function, which I definitely think we should be doing, we should be giving direction to those folks whose job it is to do that auditing and compliance function. And frankly, this is an operational issue. Inspectors General have always been, in my book, the folks that do performance inspections, the ones that are going to help those commanders in the field in the military, as well as the executives in the federal government, do their job better and have better visibility into their risk posture. I believe we need to have the Inspectors General and auditing functions currently in place be the ones who execute the intent of the committee and Congress.

Mr. Beyer: Thank you, General, very much. Mr. Neino, based on your testimony you should be a doctor; it's filled with interesting things. Your three-part conclusion that the largest issues were, A, that organizations are too slow to adapt, B, that we have a vast human resource shortage, and C, there is little in the way of metrics to demonstrate return on investment. And you talk about creating a method to prioritize threats, something like the Richter scale, magnitude in a clear and repeatable scale. Who should put this together, who should manage it, who should maintain it, how do we make this happen?

Mr. Neino: I think it would be interesting to see NIST's participation in something like this, or basically crowdsourcing it among various commercial and private entities to see how they're prioritizing risks and threats, and see if that could be put into something, because people as a resource are not scalable. Technology can be, and that would be an effective area.
And I see the commercial sector alone can produce that as well, and that could be adopted. But I think any time you have some sort of regulatory mandate, that is taken much more seriously. What I mean by that is, if we had an event that was measured and given an arbitrary number, say a 7.5 magnitude, some arbitrary figure, shouldn't that particular event be required to be fixed by organizations? Mostly it's voluntary. If the water system or a power grid doesn't fix it, shouldn't we see that sort of mandate, where we know that is regulated because it has context? You can't boil the ocean. We aren't going to win that war. But we should be able to win the war.

Mr. LaHood: I now recognize Chairman Abraham.

Mr. Abraham: I stand in awe of the brain cells on our panel, and we could use a couple of those as we go through our budget process. If North Korea has a role in virus exploitation, I find it ironic that it suppresses religion and uses a biblical name. My question to you: when the news started spreading, what steps did NIST take to ensure that information systems were protected, and was NIST involved in any government meeting that took place around that time?

Dr. Romine: Thank you very much for the question. Our response for an event like WannaCry, as an institution that provides guidance, has the primary goal of learning as much as we can about the incident, not the origin, but the technical origins, and determining whether the guidance that we issue is sufficiently robust to help organizations prevent this kind of attack. I'm not aware of specific meetings that we were involved in that were discussing the operational side of WannaCry. I think the law enforcement and intelligence communities, and you heard reference to DHS, were quite active in helping the private sector to deal with this issue. From our perspective it's more learning whether we can improve the guidance we make available to entities to try not only to prevent these attacks but to recover from them and to be prepared for them in the future.
Mr. Abraham: In your testimony, which I did read, you said the NIST recommendations in the NIST guide and the Cybersecurity Framework would sufficiently address the WannaCry incidents. Will the executive order directing agencies to implement the framework help them be better prepared in the future to prevent these types of incidents, and will this be enough, or should more be done?

Dr. Romine: Thanks for the question. It's difficult to know whether it will be enough for the next event. One of the important things that emerged in our discussions with the private sector in the development of the framework was that we are often thinking about detection and prevention of attacks. Sometimes we don't pay enough attention to response and recovery. And so one of the things that the framework does is to spell out the five functions, to identify, protect and respond, and we are providing, with the guidance we've provided, help for different organizations to be better prepared to respond and recover. One of the analogies that I have drawn recently is that the Boy and Girl Scouts are right. Their motto is "be prepared." And the better prepared an organization is through its risk management activities, which we think the Risk Management Framework from FISMA coupled with federal agencies' efforts under the umbrella of the Cybersecurity Framework provides, we think those are the tools necessary to implement the kind of preparedness that organizations should have.

Mr. Abraham: What specific steps does NIST take to help agencies be better prepared?

Dr. Romine: We are looking at some of the consequences associated with this and some of the incident response work that we have, some of the data integrity work. We launched the data integrity project. It has a very strong tie-in with attacks. We launched it before WannaCry came out. We are accelerating the work that's going on, so we hope to be able to provide very practical guidance, or practical examples, of how to be prepared, so that organizations can see how it's done.

Mr. Abraham: Thank you for your service to the country. I yield back.
Mr. LaHood: I recognize Ranking Member Lipinski for his questioning.

Mr. Lipinski: I thank the witnesses for their testimony and all the work that you do. We are, I think, taking cybersecurity more seriously in Washington, although there is much more we need to do. Part of the problem is understanding what this really means and the impact it can have. We also need to make sure the American public knows the significance of cybersecurity and what could happen. We know when we are dealing with cybersecurity that technology is part of the solution. What often matters more is personal behavior and organizational behavior. Individuals and information system managers must regularly install security patches. Organizations must prioritize cybersecurity for a quick response. These are social science issues. Another social science angle is understanding criminal and terror networks, and using that understanding to help inform our intelligence gathering and our cyber defenses. I would like to hear from each of our witnesses your thoughts on whether we are investing enough in the human factors of cybersecurity, and what more you would like to see us do so we are taking care of these issues.

Mr. Neino: Thank you, Mr. Lipinski. I think it is a great point that you bring up. There are other issues than technology at play. Cybersecurity is hard. One thing that we know will be quite difficult is resources. Resources will be needed to fully maintain their systems for quite some time, and technology is evolving. Systems are changing. We have to retrain our resources and people. This makes it very difficult for those responsible in those areas to manage risk and actually keep up with the actual threat, the pragmatic threat, not just the way we measure our own threats. In that case, I think we could see a huge value if we were to see investments in things that allow for threat prioritization, again going back to the event magnitude.
You can't boil the ocean, but look at the areas that can hurt you the most and the people that can hurt you the most, and we will have a better chance of being more resilient.

Dr. Romine: I would like to talk about two NIST programs. One is that NIST is privileged to host the program office of the National Initiative for Cybersecurity Education, which is an interagency program dedicated to building a larger cybersecurity workforce, and we have made great strides in that area. The second part is that you are absolutely right that one of the key components in achieving security is how humans interact with technology. You can be secure through technology, but if the people that are trying to get their jobs done are focused on that and not taking advantage of, or in some cases circumventing, security, you have to know about that and understand how to build systems that have the human in the loop. NIST takes a systems-level approach to cybersecurity, and the users are part of the system. We have an active program. We have human factors engineers on our staff whose entire mission is to understand how we interact with technology so we can do better with security.

Mr. Touhill: Make sure that you are continuously innovating and investing wisely and making sure you are making risk management decisions. If you give me an extra dollar, I'm going to spend it on people. People are the greatest resource and the weakest link. Many of the incidents could be tracked back to a human failure, a failure to patch or configure correctly. So I think hardening the workforce should be a priority, and it was one of my top ones, and the top one. Further, if you ask where else we can invest well: exercises. People should not necessarily be confronting a crisis without having practiced ahead of time. And the time to exchange business cards is not in times of crisis. We should be doing exercises and investing more in them. And further, everybody needs to play. Too often we see senior executives dismiss that.
It's a risk issue, and risk decisions are made at the board level. By the time I left, two years later, we were up to 270 exercises. But I think more needs to be done, and I encourage the committee and the Congress to help reward these types of practices, because it will buy down our risk.

Dr. Thompson: Thanks for that question, because what I think you are hitting on is probably one of the most important and underinvested areas in cybersecurity in general. This human element cannot be separated from the technology. Often in the security community we talk about advanced persistent threats, and most people, when they think about that, think about very sophisticated code. What we are seeing is that the root of many of these persistent threats, the initial way a company got infected or a person got infected, is that an individual made a bad choice. They clicked on a link and downloaded a file, and we're seeing attackers becoming more sophisticated in the way they attack. They personalize attacks, looking for information on social networking sites, for example, so they can create credibility in an email or text message they may send you, so that you are convinced that this is a reasonable thing to do. From an industry perspective, it is a place we need to focus. I want to give you one data point that may be useful. I have served as the program committee chairman for our conference for the past 10 years. That conference had 40,000 security professionals show up last year, which is a sign of how important I think this industry has become. And three years ago we started to track the human element, and it has become one of the most popular tracks for cybersecurity professionals, because we all realize, and I love the comments that the General made about this topic, I think we all realize that this is one of the most critical areas that we need to focus on going forward: the human element of the people that are in cybersecurity and the human element of users. And I'll make a final comment here.
It is easy for a user to understand that there is an increase in utility. If I leave the door unlocked, it's very easy; I don't have to carry keys around. If I make it more secure, from people's viewpoint, you make it more secure and more painful, with more things you have to do. So they can measure utility but can't easily measure risk. And we need to do a better job of helping the individual and citizen recognize risk.

Mr. Higgins: Had that kill switch not been...

Mr. Neino: I can only give a thumbnail. But as of today, we are seeing millions of thwarted attacks a day. The velocity of the attack slowed significantly as a result of the kill switch. So they will say these are attacks. This could have been a massive attack.

Mr. Higgins: Most cyber experts agree that it appears North Korea was behind WannaCry. Do you agree?

Mr. Neino: There are details in the software program that you could use to associate it. But intelligence is cumulative. You need other areas to...

Mr. Higgins: What's your opinion? Is North Korea behind that?

Mr. Neino: I don't want to comment. And I have seen people saying it was China and others saying it has been other people. I'm not an expert in intelligence.

Mr. Higgins: When security software is designed, how easy is it to build in back door access that would be virtually undetectable within that cybersecurity software?

Mr. Neino: We have seen that a multitude of times, and seen it from a variety of areas. The level of entry to do that is very low.

Mr. Higgins: Thank you for concluding that. My question to you, Brigadier General. Thank you for your service. Are you familiar with the labs out of Moscow, manufacturer of cybersecurity products, a long list of cybersecurity products, that top intelligence officials at the FBI, CIA, NSA and others advised this body that they don't trust the lab and will not use their product on their personal devices? However, it's still used widely across the United States government. Can you explain that to this committee?
Mr. Touhill: I don't know what kind of conversation my colleagues from those agencies had with this committee. However, as I go and take a look at the different products that are in the market today, I believe the American products are the best ones out there, and just on a value proposition, I buy American.

Mr. Higgins: I concur. That's the Brigadier General speaking right there.

Mr. Touhill: That's an American speaking, sir.

Mr. Higgins: Let me say, although there is no public evidence of collusion between the labs and the Russian government, it is not a large leap. And Eugene has suggested that they have no ties to the Russian government. However, as part of the national conversation, Mr. Chairman, it's widely known that the Russians have been involved in efforts to influence governments across the world with cyberattacks, and he has suggested that he would testify before this body, and I suggest that we take him up on his offer. I would like to talk to him. Regarding the kill switch, that having been a rather glaring error on the part of the designer of that worm cyberattack, what do you think should happen to that guy in North Korea? It was a kill switch, wasn't it? This message, should it get to cyber experts in North Korea: if you can get out of the country, you are welcome in the West, and we would love to have you before this committee and give you some real good food. Mr. Chairman, I yield back.

Mr. LaHood: I now yield to Congresswoman Esty.

Ms. Esty: There are a couple of points I want to return to and drill down on, and one is the human element, because it is important. You can buy all the great equipment in the world, and if you leave the door open, it doesn't do you any good. And I think a little bit about the analogy in hospitals about people washing their hands; it may be low tech, but it works. But one thing we have to emphasize is hygiene. What are proper hygiene practices, and how do we make that standard operating procedure, government and non-government?
We have an issue in the federal government in particular, and at all levels of government, of really old systems, and look at the fact that this was exploiting a vulnerability. Local and state governments are still using these old systems, so that makes it an even greater issue. Your point about threat triage helps me recognize: everybody gets those notes on those phones, and I don't have time to upgrade my system. And that's the reality. I suggest a couple of things. We ought to be on social media, to your point, Dr. Thompson. Stay ahead of the game. We need to do it. We had a briefing where some of the folks from the top level of the private sector were talking about how our emphasis has been, and the incentive for us has been, to be on attack mode. We are developing our attacks. We have left it to the private sector. Obviously, we need to be doing more defense. It is less sexy. How do we incentivize it, and what can we do about the cultural change? Is that out of NIST, to put the incentive there and make sure we are getting the broader sector talent pool? It may not strike people, bringing in people who do Snapchat, for figuring out how we make sure people don't click on that link. If we don't do that, if we look at the hacking of the electoral system last year and John Podesta's email, that is going to be the strongest and weakest link at the same time. What happens when you are at the end of the hearing and batting cleanup is that you raise a number of issues. Thank you for your efforts and for joining with us in figuring out how to do better for America.

Dr. Romine: I'll make two quick points. We have active research going on now under the program we just talked about, trying to understand susceptibility to phishing attacks and what the factors are in people not recognizing that it is a phishing attack. With regard to culture change, it is going on in board rooms and among CEOs, in light of the framework as a catalyst for this, but I think this might have already been on their radar.
Ut the framework is a means of cataloging the understanding of board rooms and c. E. O. s managing risk to financial reputation and business Operational Risk and all the other risks that you are managing as a c. E. O. , you now have the tools that you can use to incorporate cybersecurity risk into that entire Risk Management. I would like to pile on. The cyber hygiene, we all need to do better. And we work very closely with nist to help promote the National CyberEducation Programs that we have. And i think we need to do better on that. I propose that we probably need a wood si owl. Lets get kids out there fully educated out there and bring that pipeline up. And been working with nist and across the agency to do that. We need to incentivize. We shouldnt see as the government but overregulate and need to encourage to do the right thing and buy down their enterprise risk. Risk is an intrinsic part of management of any business and we have to be careful we dont ham shack will the boards from actually managing their risk and need to give them the tools and support to be good wing men. And finally, we have had a lot of discussions publicly in this town over the last two, three, four years about who does what. As for me, having served in uniform for over 30 years and done some Public Service on top of that, it takes team work and i view the d. O. D. And n. S. A. And intelligence communities mission to help us with deterrence and interdiction and stop them and take the fight to the bad guys but protecting Hometown America that is more appropriate for d. H. S. To cor yeoh graph different activities across the federal government. The kinds of folks that are hunting the malicious Networks Today arent just computer ientists and experts but computational psychologists and and flow poll gifts and people who are looking at the Human Behavior of an attacker group. Thats one side. 
On the consumer side, which we seem to ignore, we spend an amazing amount of time thinking about how do we make security similar to the iPad? And I call it the iPad because it's the only piece of technology I have ever given to my mom and I didn't have to give her any instruction about how to use it. She just understood it. And we spend a massive amount of time now today on design, how do we make it intuitive and make it more secure than less secure. And that is where a lot of effort must go in the security community today, how do we make it easier to be more secure than less secure. I was thinking, as you referenced Smokey the Bear, it might be Smokey the Bear malware.

I recognize Mr. Palmer for his questions.

Mr. Palmer: Accept our thanks that allowed the kill switch to prevent so many infections, but with regard to your measurements, 200,000 infections is too low, and before the implementation there may have been one or two million infections. How do you explain practically ... tried to pay the ransom?

The measure of success is hard to determine.

Mr. Palmer: What you got from ... large portion of the companies do pay the ransoms. But monitoring the bitcoin, less than 500 people did so. 1/200th of that is inconsistent with what you are saying.

It is hard to associate the payments to the actual spread, and I'll tell you for a variety of reasons. When you look at the actual attack and magnitude of the attack and trace it to the payments, if you look to the mechanisms, it is not clear whether you would get your system back, and at this point, the attacks have been abandoned. If you paid it, you didn't go anywhere. Most of the media and experts were asked not to pay the attack. What I can say is the data we are receiving is absolute. It's not just one, but we have been doing this close to a decade and we see analyzed data. It is accurate.

Mr. Palmer: I would like to address this question to the General, and I would like to thank you for your service.
Your testimony refers to people that were running Windows 95, but most infected was Windows 7. The main reason people were infected was because a vulnerability was leaked to the public?

Sir, thanks for the question. Just for clarity's sake, I highlighted Windows 95 being used as an exemplar, but there were plenty of operating systems that were susceptible, including Windows ME ...

Mr. Palmer: I'm asking about the Intelligence Community vulnerability that was leaked to the public.

If we look at it from that standpoint, I'm concerned about that, and this highlights a couple of things. We have been telling you all along to do that. Second of all, that as we take a look at the leakage of information or the attribution of leakage of information, that is unacceptable.

Mr. Palmer: With regard to the ... and that happened in January 2017, and Microsoft released a patch that addressed that vulnerability three months later. So it was not a problem. Seems out of date, and if you hadn't put all the recommended patches on all the machines within 60 days, you would become a victim. And there was no way to protect the computer from it.

I don't believe I would characterize this one as a full zero day attack, from my perch, frankly, because of the fact that we had some patches, and Microsoft went through extraordinary measures to go out and create those patches for operating systems that had previously been declared unsupportable many years before, and I used Windows 95 in my testimony because Windows 95 had been online for 19 years before it was retired. And for the last three years, Microsoft had not been supporting it, and for them to come back and put out that patch in March was extraordinary. And through the federal government and other organizations around the world, we went out and we clearly communicated, and Carnegie Mellon was one of them, communicated to the communities of interest, this is an important patch.

Mr. Palmer: I have one more question.
No one was actually paying the ransom; it was to allow access to machines.

Thanks for your question. It's difficult to anticipate what the true intention was of this attack, whether it was ransomware. But what is interesting as a characteristic of the attack, which I think goes back to your first question of why didn't we see the quote normal or expected payment, this ransomware was very weak compared to the piece of ransomware we see out there in the wild. It is incredible that these attacks have a very robust infrastructure behind them. They have almost the equivalent of customer support for people that have been infected with the ransomware, and we didn't see that level of sophistication on the back end.

I yield to Congressman Webster for his questions.

Mr. Webster: Thank you for having this. My mind has been on something else, and the statements that were given here were similar to that in that they fit. There was an attack yesterday, and I thought about the fact that it was an advanced persistent threat, and not only that, it was a personalized attack. And there are some people who acted heroically to turn it around. And so I just ... that was on my mind. The Capitol Police service who protected life, and heroic acts by members of this Congress; maybe it's a different kind of threat, but it was real. And in this case, there was no human error. And so I want to take this time, I have just a few minutes, and say thank you for our people who work here and for the members who serve here who prove there are still heroes in our country. So thank you, Mr. Chairman. I yield back.

We have a couple of more questions and will go for a short second round. I yield myself five minutes. You note in your written testimony that the National Vulnerability Database that NIST maintains and updates dozens of times daily of all known and publicly disclosed vulnerabilities, that vulnerabilities were exploited.
A recent report notes 75 percent of the vulnerabilities were disclosed elsewhere first, and it takes seven days between the discovery of a vulnerability and reporting. What is the reason for the delay there, if you can talk about that, and is NIST working to get rid of that lag time?

Thank you for the question. We are interested in trying to shorten time to deliver important information to our stakeholders. Our goal is not first to disclose or first to disseminate, although we want to do it as early as we can; our real goal is accurate curation, including assessment of the impact that a vulnerability might have, and that requires a certain analysis before we can include something in the National Vulnerability Database. The disclosures are often from sources that are not necessarily reliable.

I know the Trump Administration ... any reason why you left at the time that you did and whether it will be refilled?

Thank you for the question. I believe this is a best practice, to have a chief information security officer in different organizations. The first chief security organization was created in the private sector 20 years ago, and it took 20 years for the federal government to create one. I think it is important, as part of an enterprise risk management approach, that you have someone who is focused on information security and the risk to the enterprise and advising the corporate community, as it were, up, down and across as far as what those risks are and best practices to buy down and manage that risk. We still don't have an authorization for a federal chief information security officer in statute. My position was appointed as an administrative appointment, and I think, as we take a look at, as we move forward, the executive order that recently came out is a great step forward. I think we need to firm up and make sure that this position is an enduring position, and we need to authorize and empower the position such that that chief information security officer can have the authority to direct. I look forward to seeing who the administration brings forward, and I will coach and serve as wingman.

You made the interesting case that we overclassify. That the default is to make the highest thing, and we should make the default position at the lower level and argue our way up. ... realize that?

Thank you for the question. Because I was responsible for public and private partnerships and the information sharing between the public sector and private sector, and frankly, we overclassify too much time-sensitive information. And I believe that the solution set is going to have to be a combination of legislation as well as executive action. I think both branches of government are going to need to partner up to determine the best means of getting the information out to folks and take timely and actionable actions in this environment.

You had one intriguing line in your testimony. Points contrary to defense, who did it. And what I understood from that is we spend so much time on who is ... us rather than trying to defend ourselves. Could you expand on that?

Naturally, I'm a curious person. I think the barrier of entry ... anyone could do it. Conjecture of who has done it is a very difficult task because cybersecurity is something that could be misdirected. You never know who the attacker is, and focusing on that doesn't solve the problem; we are vulnerable. You leave the door open. There could be thousands of people who walk by your house every day; would it matter, because you leave yourselves exposed? They do it because they can, and we should not make it that way. We should make it so we are a resilient and strong nation in regards to defense.

Do you want to pile on at all?

I do. We don't look at who is the country behind it and who is the person behind it, but it is very critical of us to associate patterns of behavior.
It will let us learn more about that group and the tactics and make us better prepared to protect against a new attack sight unseen, and that was the case with AV engines because of previous training on this malware and WannaCry; we leave it up to the Intelligence Community to decide who that group actually belongs to.

Mr. Lipinski, any followup questions?

Mr. Lipinski: I thank the witnesses for the testimony and all the work, as I said, and I'm sure we will be continuing this discussion. So thank you.

In closing, I want to thank all the witnesses today for your important, insightful and impactful testimony. And as our committee looks to cybersecurity and the issues of national security, economic vulnerabilities, privacy, we look forward to working with you on those issues and appreciate you taking time out of your busy schedule to be here today. And the record will remain open for two weeks for additional written comments and questions from members. At this time, the hearing is adjourned.

[Captions Copyright National Cable Satellite Corp. 2017] Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org