Today, remarks by Joseph Dunford on military issues, including the ongoing dangers of ISIS, cyber warfare and recruiting, and strengthening U.S. alliances. He will speak at the National Press Club.

We will come to order. Without objection, the chair is allowed to declare a recess at any time. Good morning and welcome to today's hearing entitled "Bolstering Cybersecurity: Lessons Learned from WannaCry." I want to welcome the witnesses here today. And I would also welcome Chairman Smith, Oversight Subcommittee Ranking Member Beyer, Research and Technology Subcommittee Chairman Abraham, Research and Technology Ranking Member Lipinski, members of the subcommittees, our expert witnesses and members of the audience. Cybersecurity, a concept we hear mentioned frequently, especially in this period of rapidly emerging threats, is an ever-evolving concept. Maintaining an effective cybersecurity posture requires constant vigilance as new threats emerge and old ones return. Too often, however, when we hear about the importance of cybersecurity, we are left without concrete steps to ensure our systems are best positioned to defend against emerging threats. One of the goals of today's hearing is to learn about real, tangible measures the government can take to ensure its IT security systems are appropriately reinforced to defend against new and emerging threats, including novel and sophisticated ransomware threats. The focus of today's hearing will be the recent WannaCry ransomware attack. This attack impacted nearly every country in the world. Although the concept of ransomware is not new, the attack conducted by WannaCry instructed people to pay $300 in bitcoin in order to regain access to their documents. Unlike typical forms of ransomware, WannaCry signaled the ushering in of a new type of worming ransomware, which caused it to spread faster and more rapidly with each new infection.
In light of the novelty built into WannaCry's method of attack, cybersecurity experts, including those we will hear from today, have expressed significant concerns that WannaCry is only a preview of a more sophisticated ransomware infection that many believe will inevitably be launched by hackers in the near future. Beginning May 12, 2017, the WannaCry ransomware infection spread across Asia and Europe, eventually hitting the United States. The attack infected 7,000 computers in the first hour and 110,000 distinct IP addresses in two days, in almost 100 countries including the U.K., Russia, China, Ukraine and India. Experts now believe WannaCry affected approximately 1 to 2 million systems worldwide prior to activation of the kill switch. Cook County was reportedly one of the few local governments subject to the attack; although Cook County has worked to appropriately patch its systems, all of its vulnerabilities must be appropriately remedied in the event of a more sophisticated attack. Fortunately, the hackers responsible for WannaCry mistakenly included a kill switch, which was uncovered by an employee of Kryptos Logic and used to terminate the attack. Kryptos Logic exploited a key mistake made by the hackers when he registered the domain connected to the ransomware attack. Experts estimate that the kill switch prevented 10 to 15 million unique system infections and reinfections worldwide. So far, federal government systems have been spared by WannaCry. We want to ensure the government is efficiently prepared in the likely event of a more sophisticated attack. Additionally, the committee wants to hear what Congress can do to appropriately address this committee, I'm sorry, this climate of new and emerging cybersecurity threats. Through the lens of the aftermath of WannaCry, today's witnesses will help shed light on key steps the government should take to ensure its systems are protected.
We will also hear today about how public-private partnerships are an instrumental tool to help bolster the government's cybersecurity posture. Finally, we will learn how the President's recent cybersecurity order, which mandates this cybersecurity framework on the executive branch, incorporates the most innovative security measures to defend against evolving threats. It is my hope our discussions here today will highlight areas where improvement is necessary while offering recommendations as we move forward to ensure the federal government is prepared to respond to emerging cybersecurity threats. I look forward to hearing from our distinguished witnesses. I now recognize the Ranking Member of the Oversight Subcommittee, Mr. Beyer, for an opening statement.

Thank you. I would just like to thank you and Mrs. Comstock for holding this hearing. In 2014, the Office of Personnel Management's information security systems and two other systems used by contractors were breached by state-sponsored hackers, compromising the personal information of millions of Americans. That same year, hackers released the personal information of Sony Pictures executives, embarrassing emails between Sony Pictures employees and copies of unreleased Sony movies. In 2015, hackers took control of the power grid in western Ukraine and shut off power for over 200,000 residents. These three quick examples show the varied and widespread effects of cybersecurity breaches. So we know that the cybersecurity breach that was the genesis for this hearing was the WannaCry outbreak. WannaCry ransomware affected 300,000 computers worldwide and could have been much worse. So I want to thank the CEO of Kryptos for finding an employee to find the kill switch. Unless you did it yourself. We are thankful that the federal systems were resistant to WannaCry, but we may not be as lucky next time.
In preparing for this, I have learned from my staff that I need to upload our security upgrades every time I get a chance on the personal computers and on the smartphones. And the May 11th executive order on strengthening the cybersecurity of federal networks seeks to build on the Obama Administration's successes in the cybersecurity arena. And I'm happy that the Trump Administration, I don't agree with them on every topic, but they have taken the next good step. The executive order calls for a host of actions and a myriad of reports on federal cybersecurity from every government agency. Simultaneously, the Trump Administration has been slow to fill newly vacant positions in nearly every government agency. And my concern is that the understaffed agencies will have significant difficulty meeting the dictates of the executive order. And I'm concerned that the proposed budget cuts in the Trump-Mulvaney budget across all agencies will make the task of strengthening the security of federal systems harder. We have to make sure the federal government has the staffing it needs in this vital area. The executive order also calls for agencies to begin using the NIST framework for cybersecurity efforts. And I'm glad we have NIST here with us to help thwart and impede cyber attacks. They are world-renowned for their work on this framework. On a precautionary note, though, some efforts to expand NIST's cybersecurity role beyond its current mission and expertise are well intentioned but perhaps misplaced. We recently had a debate of H.R. 1224 here, the NIST Cybersecurity Framework Assessment and Auditing Act of 2017, which gives NIST the auditing authority for all civil information systems. Currently, this is the responsibility of the Inspector General of each agency. They have the statutory authority, the experience and the expertise, and respond to Congress. NIST has no such experience or expertise. So I remain concerned about this proposal.
I would be interested in any of the expert witnesses' thoughts on NIST's role in cyber auditing. So I look forward to hearing from you today and to hearing from the general, the former CISO, about his experience in these positions and his thoughts. One final note: Bloomberg reported this week that the Russian meddling in our electoral system was far worse than what has been previously reported. According to the report, hackers attempted to delete or alter data, accessed software to be used by poll workers and, in one instance, accessed a campaign finance database. These efforts did not need to change votes in order to influence the election, and we need to take these cyber threats seriously. I think Vice President Cheney called this a war on our democracy. Mr. Chairman, this committee held more than half a dozen hearings on cybersecurity issues during the last Congress, including one on protecting the 2016 elections from cyber and voting machine attacks. So given what we know about the hacking and meddling, we need more hearings on how to better protect our elections. Mr. Chairman, I yield back.

Thank you, Mr. Beyer, for the opening statement. I recognize Mr. Abraham for an opening statement.

Thank you, Mr. Chairman. Over the last few years, we have seen an alarming increase in the number and intensity of cyber attacks. These attacks by cyber criminals and by unfriendly governments have compromised the personal information of millions of Americans, jeopardized thousands of our businesses and employees and threatened interruption of critical public services. The recent WannaCry ransomware attack demonstrates that cyber attacks continue to go from bad to worse. The most recent large-scale cyber attack affected 1 to 2 million systems in more than 190 countries. Nevertheless, it could have been more catastrophic considering how fast that ransomware spread.
While organizations and individuals within the United States were largely unscathed, due in part to a security researcher identifying a web-based, quote, kill switch, the potential destructiveness of WannaCry warns us to expect similar attacks in the future. Before those attacks happen, we need to make sure that our information systems are ready. The Research and Technology Subcommittee heard earlier this year from a representative of the U.S. Government Accountability Office, the GAO, who testified, and I quote, "Over the past several years, GAO has made about 2,500 recommendations to the federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented," unquote. It is clear that this status quo in federal government cybersecurity is a virtual invitation for more cyber attacks. We must take strong steps in order to properly secure our systems and databases before another cyber attack like WannaCry happens and puts our government up for ransom. On March 1st, 2017, this committee approved H.R. 1224, the NIST Cybersecurity Framework Assessment and Auditing Act of 2017, a bill I introduced as part of my ongoing interest in the state of our nation's cybersecurity. This bill takes concrete steps to strengthen the federal government's cybersecurity. The most important steps are encouraging federal agencies to adopt the National Institute of Standards and Technology, NIST, Cybersecurity Framework used by many private businesses, and directly initiating several cybersecurity audits of priority federal agencies to determine the extent to which each agency is meeting the information security standards developed by the institute. NIST in-house experts developed government-wide technical standards and guidelines under the Federal Information Security Modernization Act of 2014.
And NIST experts also developed, through collaboration between government and the private sector, the Framework for Improving Critical Infrastructure Cybersecurity that federal agencies are now required to use pursuant to the President's recent cybersecurity executive order. I was very pleased to read that language. Considering the attempts to infiltrate information systems, there's an urgent need to assure Americans that all federal agencies are doing everything they can to protect government networks and sensitive data. The status quo simply is not working. We can't put up with more bureaucratic excuses and delays. NIST cyber expertise is a singular asset. We should take full advantage of that asset, starting with the very important step of annual NIST cyber audits of federal agencies. As cyber criminals and attacks continue to evolve and become more sophisticated, our government cyber defenses must also adapt in order to protect vital public services and shield hundreds of millions of Americans' confidential information. As we discuss lessons learned from the WannaCry attack and how the government can bolster the security of its systems, we must keep in mind that the next cyber attack is just around the corner. And it could have a far greater impact than what we have thus far seen. Our federal government, our government systems, need to be better protected. And that starts with better accountability, responsibility and transparency by federal agencies. Thank you, and I look forward to hearing our panel. I yield back.

Thank you, sir. My colleague Mr. Lipinski has an opening statement.

Thank you, Mr. Chairman. And thank you, Mr. Abraham, for holding the hearing on cybersecurity and lessons learned from the WannaCry attack last month. The good news is that government information systems were not negatively impacted by the WannaCry attack. This was a clear victory for our cyber defenses.
A combination of factors likely contributed to that success, including getting rid of most of the outdated Windows operating systems, diligently installing security patches, securing critical IT assets and maintaining robust perimeter defenses. As we know, Microsoft sent out a security patch for the vulnerability in March, two months before the WannaCry attack. These and other factors played a role in minimizing damage to U.S. businesses as well. However, WannaCry and its impact on other countries serves as another reminder that we must never be complacent in our cybersecurity defenses. The threats are ever evolving, and our policies must be robust yet flexible enough to allow our defenses to evolve accordingly. Under the Federal Information Security Act, they have roles in developing and implementing policies as well as an incident tracking and response mechanism. This is an update to the security guidelines. Each agency is responsible for its compliance, and each Office of Inspector General reviews that compliance on an annual basis. We must continue to be compliant with FISMA while conducting oversight. In 2014, NIST released the Framework for Improving Critical Infrastructure Cybersecurity, currently being updated to framework version 1.1. While it is still too early to evaluate the full impact, it appears the framework is being widely used across industry sectors. Our committee recently reported out a bipartisan bill, H.R. 2105, to show the framework is easily usable by the nation's small businesses. I hope we can get it to the President's desk quickly. In the meantime, the President's executive order directs federal agencies to use the framework to manage cybersecurity risk. As we have heard in prior hearings, many experts have called for this step. And I applaud the administration for moving ahead. I join Mr. Beyer in urging the administration to fill the vacant positions across the agencies that are responsible for implementing the framework as well as shepherding the myriad reports required by the executive order. The top-line budget cut of 20 percent was so severe that if it were implemented, NIST would have no choice but to reduce its cybersecurity efforts. This represents the epitome of foolish decision making. NIST is among the best of the best when it comes to cybersecurity research and standards. And our modest taxpayer investments in their efforts secure the information systems not just of the federal government, but of our entire economy. I trust that my colleagues will join me in ensuring NIST receives robust funding in the fiscal year '18 budget and doesn't suffer the drastic cut requested by the President. Thank you to the expert witnesses for being here this morning. And I look forward to your testimony. I yield back.

Thank you, Mr. Lipinski. At this time, I now recognize the chairman of the full committee, Mr. Smith.

Thank you, Mr. Chairman. I appreciate your holding this hearing, as well as Research and Technology Subcommittee Vice Chairman Ralph Abraham holding the hearing as well, in the wake of the WannaCry ransomware attack. Today's hearing is a necessary part of the conversation the federal government should have to look for ways to improve its cybersecurity posture. While WannaCry failed to impact federal systems, rather than seeing this outcome as a validation of our cybersecurity defenses, we must increase our efforts to better identify constantly evolving cybersecurity threats. This is particularly true since many cyber experts predict that we'll experience an attack similar to WannaCry that is more sophisticated in nature, carrying with it an even greater possibility of widespread destruction. Congress should not allow cybersecurity to be ignored across government agencies. And I'm proud of the work the committee has accomplished to improve the cybersecurity posture.
During the last Congress, the committee conducted investigations into the Federal Deposit Insurance Corporation, the Internal Revenue Service and the Office of Personnel Management, as well as passed key legislation providing the government with the tools it needs to strengthen its cybersecurity posture. President Trump understands the importance of bolstering our cybersecurity. He signed a recent executive order on cybersecurity which is a vital step towards ensuring the federal government is able to detect, deter and defend against emerging threats. Included in the President's executive order is a provision mandating that executive branch departments and agencies implement the NIST Cybersecurity Framework. While continuously updating its cybersecurity framework, NIST takes in measures from its private sector partners. NIST's collaborative efforts help to ensure that those entities that follow the framework are aware of the most pertinent, effective and cutting-edge cybersecurity measures. I strongly believe that the President's decision to make NIST's framework the framework for the federal government will serve to strengthen the government's ability to defend its systems against advanced cyber threats like the recent WannaCry ransomware attack. Similarly, the committee's NIST act of 2017, sponsored by Representative Abraham, draws on findings from the committee's numerous hearings and investigations related to cybersecurity, which underscored the immediate need for a rigorous approach to protect U.S. cybersecurity infrastructure and capabilities. Like the President's recent executive order, this legislation promotes federal use of the NIST Cybersecurity Framework by providing guidance that agencies may use to incorporate the framework into their risk mitigation efforts. Additionally, the bill directs NIST to establish a working group with the responsibility of developing key metrics for federal agencies to use.
I hope that our discussions here today will highlight distinct areas where cybersecurity improvement is necessary while offering recommendations to ensure cybersecurity objectives stay at the forefront of our national security policy discussions. And with that, I yield back, Mr. Chairman.

Thank you, Chairman Smith. At this time, let me introduce our witnesses here today. The first witness is Mr. Salim Neino, founder and chief executive officer of Kryptos Logic. He's credited with finding new solutions for IBM, Dell, Microsoft and Avaya. He received a bachelor's degree from California State University at Long Beach. A Kryptos Logic employee is credited with largely stopping the WannaCry attack. We'll hear more during Mr. Neino's testimony today. The second witness is Dr. Charles Romine, who works in a laboratory at NIST. He received his Ph.D. from the University of Virginia. And the third witness, Mr. Touhill, is a retired general in the United States Air Force and is an adjunct professor in cybersecurity and risk management at Carnegie Mellon University. Previously he was chosen by President Obama to serve as the nation's chief information security officer. Mr. Touhill received his bachelor's degree from Penn State University and a master's degree in systems management and information systems from the University of Southern California. And our final witness today is Dr. Hugh Thompson, chief technology officer for Symantec. He serves as an advisory board member for the anti-malware testing organization and on the board of IEEE Security and Privacy magazine. Dr. Thompson received his bachelor's degree, master's degree and Ph.D. in applied mathematics from the Florida Institute of Technology. We're glad you are all here today and look forward to your valuable testimony. Now I recognize Mr. Neino for five minutes to present his testimony.

Thank you, Chairman. Vice Chairman Abraham, Chairman Smith, Ranking Member Beyer and Ranking Member Lipinski.
We greatly appreciate your interest in cybersecurity and look forward to sharing our thoughts and perspectives with you and your members. On May 12, 2017, Kryptos Logic identified a global security threat with the immediate potential to cause an immeasurable amount of damage. While the intents of this threat are unclear and ambiguous, it was immediately shown to be reckless. This threat has become popularly known as WannaCry. At this time, Marcus Hutchins, a director at Kryptos Logic, notified me of our team's active monitoring of the developing situation. On this day, at approximately 10:00 a.m. Eastern time, while investigating the WannaCry code, we looked at what seemed to be a mechanism involving a domain. It was a sinkhole controlled by the Kryptos Logic infrastructure. Then we noticed that WannaCry had come to a standstill because of what we refer to as a kill switch, activated by the domain registration efforts. While our efforts effectively stopped the attack and prevented WannaCry from continuing to deploy the ransom component, we knew by then that the attack had already propagated freely for many hours at minimum. Based on the velocity of the attack, estimated by sampling data we collected from the infrastructure currently blocking the attack, we believe anywhere from 1 to 2 million systems may have been affected in the hours prior to activating the kill switch, contrary to widely reported and more conservative estimates of 200,000 systems. One month after registering the kill switch domain, we have mitigated over 60 million infection attempts. Approximately 7 million of those are in the United States. And we estimate that these could have impacted at minimum 10 to 15 million unique systems. I will note that the largest attack we have thwarted and measured to date from WannaCry was not on May 12th, when the attack started, but began suddenly on June 8th and 9th on a well-funded hospital on the East Coast of the United States.
It is very likely that the system is still unaware of the event. We measured approximately 275,400 infection attempts within a two-day period. Another hospital was also hit on May 30th. In another part of the country, a high school in the Midwest was hit at the beginning of June 9. Presumably, every system at this location would have had its data held hostage if it were not for the kill switch. We have been targeted by attackers attempting to knock our systems offline, thus perpetuating the attack. Many of these attempts happened in Germany and parts of the East Coast of the United States earlier this year. Despite these attempts, our systems remain resilient, and we increased our counterintelligence measures to counter the measures against us. Vulnerabilities exist at virtually every level of computer infrastructure, ranging from operating systems to browsers, from media players to internet routers. Exploiting and weaponizing such vulnerabilities has a surprisingly low entry barrier. Anyone can join in, including rogue teenagers, nation states and anyone in between. So how do we adapt, overcome and mitigate the threats and weaknesses? While many cybersecurity experts who have come before me offer the usual gloomy "there are no silver bullets," I have had both chances, on red team competitions and on the defense providing protections to global enterprises with high risks. We must be more agile and have higher intensity. While the nation has considerable literature on various models and frameworks, the actual resources for cyber defense are lacking. While there's no shortage of good ideas that claim to solve the problems, any such idea needs development, support, testing, maintenance, et cetera, all of which we characterize as developer debt. Unfortunately, many of the solutions take too long to procure and end up being outdated before the ink dries on the paper they are written on.
I am optimistic that there are applications for those to protect against the techniques used by the hackers, to move the needle to protect against exploitation of the very fabric on which we build our defense assumptions. Many of these are incomplete and nonetheless effective, and have increased the cost of developing programs to exploit them. Other mitigations include various approaches like compartmentalization of web software and other proper protocols. One could argue that introducing more technology exacerbates the maintenance debt and creates monetary loss because there are few metrics and analytics to measure the effectiveness of any technology. This is because we are typically years behind the attacks in terms of the sword-and-shield battle. As these resources ebb and flow, knowledge gaps are created, along with the loss of knowledge specialists, and those who replace them cannot fill the gaps. We must be less risk-averse in terms of the options we take, more open to failure and ready to adapt and learn from the failures. We need stronger threat and drill simulations to focus on the defense against threats of a magnitude to cause significant damage. A significant issue in the response to the WannaCry incident was that there was no real course of action that was well communicated. The media focused on points contrary to the defense of those who have done it. In this incident, it could have resulted in a complete breakdown of processes had this been an unpatched zero-day vulnerability with no luxury of a kill switch. The largest success, though incomplete, was the ability for the FBI and the NCSC of the United Kingdom to aggregate and disseminate information. Our framework can be vastly improved by measuring cybersecurity threats and events of magnitude through a clear and repeatable scale, not too dissimilar from the Richter scale, which measures the energy released during an earthquake.
Likewise, a scale that takes the social elements into account to look at the destructive power would enable first responders, us, to better focus on the most important areas of risk. While there do exist various systems for evaluating the purely technical element of the threat, they fall short in terms of clear, actionable information outside. We focus too much on application-specific vulnerabilities with obtuse names. And none of these values are going to look into the impact on the wider global environment. We need an easier-to-grasp method of prioritizing threats that have a large-scale destructive potential, like WannaCry. Once we have determined a method to evaluate the risk with respect to technical specifics, we can apply the appropriate mitigations. In conclusion, one of the largest issues is the transient nature of crises. We think this can be explained simply by the fact that organizations are too slow to adapt to such a volatile landscape. There's a vast human resource shortage and little by way of metrics to demonstrate return on investments in technologies. Again, I thank the subcommittee for inviting me to appear here today to discuss Kryptos Logic, and I welcome the opportunity to answer the questions you have when they are fielded.

Thank you, Mr. Neino. Now I recognize Dr. Romine for five minutes to present his testimony.

Chairmen LaHood and Abraham, Ranking Member Lipinski and members of the subcommittee, thank you for the opportunity to appear before you today to discuss NIST's key role in cybersecurity and how it relates to recent incidents. In the area of cybersecurity, NIST has worked with federal agencies and industry since 1972, starting with the development of the Data Encryption Standard when the potential benefit of this became clear.
NIST's role to research, develop and deploy information security standards and technology to protect the federal government's information systems against threats to the confidentiality, integrity and availability of information and services was recently reaffirmed in the Federal Information Security Modernization Act of 2014. NIST provides resources to assist organizations in preventing, or at least quickly recovering from, ransomware attacks with trust that the recovered data are accurate, complete and free of malware and that the recovered system is capable. NIST's guide for event recovery provides guidance to help organizations plan and prepare for recovery from a cyber event and integrate the processes and procedures into their enterprise risk management plans. The guide discusses hypothetical cyber attack scenarios, including one focused on ransomware and the steps taken to recover from the attack. Three years ago, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity, or the framework. The framework, created through tight collaboration between industry and government, consists of voluntary standards, guidelines and practices to promote the protection of critical infrastructure. In the case of WannaCry and similar ransomware, the framework prompts decisions affecting infection by the ransomware, propagation of the ransomware and recovery from it. While the framework does not prescribe a baseline of cybersecurity for organizations, for instance a baseline that would have prevented WannaCry, it does prompt a sequence of interrelated decisions to prevent virus infection and propagation and support expeditious response and recovery activities. On May 11th, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which mandated that federal agencies use the framework.
Under the executive order, every federal agency or department will need to manage their cybersecurity risk by using the framework and provide a risk management report to the Director of the Office of Management and Budget and to the Secretary of Homeland Security. On May 12th, NIST released a draft interagency report, the Cybersecurity Framework Implementation Guidance for Federal Agencies, which provides guidance on how the framework can be used in the United States federal government in conjunction with the current and planned suite of NIST security guidelines and practices developed in response to the Federal Information Security Management Act as amended, or FISMA. Another tool to help protect against similar future attacks is the most recent NIST National Software Reference Library. It has unique profiles used by government or police organizations to review files on a computer by matching the profiles in the system. NIST maintains a repository of all known and publicly reported I.T. vulnerabilities, including the one reported with the WannaCry malware. This is standardized security information on security vulnerabilities that NIST updates dozens of times daily. NIST provides a common severity metric to identify the vulnerabilities. Most recently, a project at the National Cybersecurity Center of Excellence focused on recovering from cyber attacks. Organizations will be able to use the results of the NCCoE research to recover trusted backups, roll back data to a known good state, alert administrators when there's a change to a critical system and restore services quickly after a WannaCry-like cyber attack. NIST is extremely proud of its role in establishing and improving the comprehensive set of cybersecurity technical solutions, standards and guidelines to address cyber threats in general, and ransomware in particular. Thank you for the opportunity to testify today on NIST's work in cybersecurity and in preventing ransomware attacks. I would be happy to answer any questions you may have.

Thank you, Dr. Romine. I recognize Dr. Touhill to present his testimony. Turn on your mic, please.

Thank you. Good morning, Chairman LaHood, Chairman Smith, Vice Chairman Abraham, Ranking Member Beyer, Ranking Member Lipinski and members of the committee. Thank you very much for the opportunity to appear today to discuss cyber risk management. I'm retired Air Force Brigadier General Touhill. I instruct on cybersecurity and risk management. Prior to my current appointment, I served as the United States Chief Information Security Officer. And before that, in the United States Department of Homeland Security, where I served as the Deputy Assistant Secretary for Cybersecurity and Communications. During that period, I also served as the director of the National Cybersecurity and Communications Integration Center, which is commonly referred to by its acronym. During my Air Force career, I served as one of the Air Force's officers. And I currently maintain both the Certified Information Security Professional and Security Management certifications. Cybersecurity is an issue, and it is a technology concern. Cybersecurity involves risk management issues as well as a management program. I realize we have a full agenda of topics today and am sensitive to your time. I have submitted for the record a written statement. And in that statement, I discuss the recent WannaCry attack and my assessment of how future attacks may impact the public sectors. In short, WannaCry is a slow-pitch softball, whereas the next one could be a high and tight fastball coming in. We need to be ready. I also discuss the topics the committee identified for the agenda, including the President's recent executive order, public and private sector partnerships, the Cybersecurity Framework and proposed legislation. In short, in that I urge the Congress to continue its great efforts to strengthen our enterprise posture.
I urge you to authorize and empower the federal Chief Information Security Officer position, which currently is not an authorized or a specified position. I also suggest that instead of calling it the NIST Cybersecurity Framework, and I'm a huge fan of this framework, I suggest we start to call it the National Cybersecurity Framework, to reinforce the fact that it applies to everyone. And further, NIST did a brilliant job in crowdsourcing the development of this framework, but it was really people from around the country that brought to the table the best practices. NIST was the trail boss for this, but it really is a national cybersecurity framework. And finally, in regards to the proposed H.R. 1224 legislation, I congratulate the members of the committee for taking the initiative to really reinforce the need to implement the framework across the federal government. I do suggest, based upon my experience in both the military and the government sectors of the federal government, that we do two things with that act. One is we amend that act to make it apply to national security systems as well. Having served extensively in the military and in the federal government, I believe that the national cybersecurity framework applies equally to national security systems. And I recommend that you make that amendment. Further, I concur with my colleagues who suggest that we need to work with the inspectors general in the different departments and agencies and reinforce their need to conduct appropriate audits using the Cybersecurity Framework. Again, I thank you for inviting me to discuss cyber risk management with you today. And I look forward to answering any questions you may have.

Thank you, Mr. Touhill. I recognize Dr. Thompson for five minutes to present his testimony.

Good morning. Thanks for having me. And Chairman LaHood, Vice Chairman Abraham, Chairman Smith, Ranking Member Lipinski and Ranking Member Beyer.
I really appreciate the opportunity to be here today to talk about what is a critical subject. Understanding the current threat environment is essential to crafting policy and effective defenses. Last month's WannaCry ransomware attack is one of the latest manifestations of the kinds of disruptive attacks that we are now facing. The timeline of WannaCry I think has been well covered by the other folks on this panel. But I did want to share with you a graphical timeline that hopefully you can see on the monitor. Apologies for the small print. What's interesting I think about that, and where I'd like to add color to give you context: Symantec is the largest cybersecurity company, with technology protecting over 90% of the Fortune 500, and used extensively by government agencies around the world. In addition we protect tens of millions of home users through our Norton and LifeLock branded products. The threat data we get from these deployments represents the largest civilian threat intelligence network in the world. WannaCry was unique and dangerous because of how quickly it could spread. It was the first ransomware as a worm that had such a rapid global impact. Once on a system, it propagated autonomously, exploiting a vulnerability in Microsoft Windows. After gaining access to a computer, WannaCry installs the ransomware package. This payload works in the same fashion as most crypto ransomware. It encrypts files and displays a ransom note to victims demanding payment, this time in bitcoin. Symantec worked with the U.S. government from the first hours of the outbreak. We connected DHS researchers with our experts, provided indicators of compromise and analysis to DHS, and received the same back. During the outbreak, DHS held twice-daily calls with the private sector to coordinate operational activities. From our perspective, this was one of the most successful public-private collaborations that we've been involved in.
Our analysis of WannaCry revealed that some of the tools and infrastructure it used have strong links to a group referred to as Lazarus by the FBI, connected with North Korea. It was linked to the destructive attacks against Sony Pictures in 2014, and also the theft of approximately $81 million from the Bangladesh Central Bank last year. The links we saw between WannaCry and Lazarus include similar code obfuscation techniques. We believe it is highly likely that the Lazarus group was behind the spread of WannaCry. Beyond WannaCry, the threat landscape continues to evolve quickly. We're seeing attacks become more sophisticated, not just in technology but in the social engineering approaches that these attacks use. We're also seeing more attacks being leveraged against IoT devices, such as the massive weaponization of IoT devices we saw with the botnet last fall. Mirai launched one of the largest denial of service attacks on record and led to disruption of major cloud services. The explosive growth of attacks I think underscores the need for preparation and deploying integrated and layered defenses. These attacks also show that response and recovery planning and tools are an essential part of cyber risk management, because while good defenses will stop many attacks, we have to be prepared that a determined adversary may get through those initial defenses, and we must lay a foundation for recovery. There's no question that WannaCry was an important event. But unfortunately it will not be the last of its kind. In fact, it's more likely an indicator of what's to come. Good fortune played a significant role in minimizing its impact, particularly in the U.S. But we will not always have luck on our side, which is why we must learn the lessons of WannaCry and make the necessary improvements to our defenses and response capabilities. This hearing is an important part of that effort. And we appreciate the opportunity to be here.
I look forward to answering any questions that you may have. Thank you.

Thank you, Dr. Thompson, and thank all the witnesses for your testimony. The chair recognizes himself for five minutes and will begin questioning. As I talked about in the beginning, the title of this hearing today is Lessons Learned from WannaCry. And we've talked a lot this morning about WannaCry and how that played out across the world. But in terms of what we've learned about the genesis and origin of where this came from, I know the Washington Post came out with an article yesterday that the NSA linked the WannaCry worm to North Korea. I'm wondering if Dr. Neino can talk about where this came from; it appears it's from a nation state, and there's references to what occurred with Sony Pictures and the Bangladesh bank, and what we know about it and what's being implemented, I guess, on the government side to prevent this or hold an entity or the government accountable.

Thank you, Chairman. I think if I understand your question, you're asking about, one, the origin, and our conjecture on that. And two, perhaps, if I understood also correctly, what would be the rules of engagement if there was another nation state. While I may not be, we think it's ambiguous to conjecture over the origins of WannaCry; there are tells that suggest one way or another that some nation state could have been responsible. Unfortunately, and as I said in my written testimony, anyone could have created this level of attack, and often misdirection is found typically in binaries like these attacks we see. I would compare it, perhaps, by analogy to Photoshopping a program to look a certain way. Or it could have simply been what it is, which is exactly what we see. It's hard to tell. So I won't say that I know the origin of the attack, nor should I conjecture on it, but what I can say is that these attacks are very difficult to attribute. It's a company, not an intelligence agency, so it would be difficult for us to pursue an answer to that.
As far as rules of engagement, I also think that the question segues the same way; it would be difficult to create attribution or origin to any attack, and therefore rules of engagement are difficult for us to give any assessment on.

Dr. Thompson.

This was truly an interesting attack. We spent a lot of time in our research labs looking at both the code that was used in WannaCry but also where WannaCry communicated out to. And there were very, very close similarities to other kinds of attacks we've seen. Specifically, attacks we attribute to a group called Lazarus. These attacks, the reuse of strings in that malware, the reuse of command and control infrastructure on the internet by that malware, led our researchers to believe that this is strongly linked to the Lazarus group. Similar to my colleague on the end, we're not the intelligence community either. And I agree with those comments that attribution is often difficult, but what we've seen leads us to believe that it was a part of this Lazarus group, and separately the FBI has linked the Lazarus group with North Korea. And there's another evidence point on that as well from the NSA.

Thank you. Dr. Neino, we talked about the kill switch and how that stopped the attack. But we also referenced the fact that last week a hospital on the east coast and a high school were subject to attack. Can you explain how, if the kill switch was implemented correctly, the hackers responsible for WannaCry were able to continue to perpetuate the attack, despite the registration of the kill switch?

Absolutely. Although I'd like to be a doctor, it's Mr. Neino. So, you have to understand the material makeup of the actual malware and how it works. Why WannaCry was so significant is that it is self-propagating; that gives it the title of a worm, meaning the actors don't need to be in existence, and sometimes we refer to these as zombies, zombie botnets, because they continue to proliferate regardless of the actors or parents or creators of the attack.
In the case of the examples I gave in the testimony, regarding the health system, of which there are many, that was just, let's say, a corner case that was very significant. The worm continues to propagate because it is scanning and seeking to expand itself, and that portion of the worm is not subject to the kill switch. So it's expansion and spreading, which in effect is still exploiting systems worldwide. What is not triggering is the payload, if you will, the ransom component, and because that component therefore doesn't trigger, most of these organizations worldwide right now don't know they are still being actively exploited. But it's because they don't see the ransom portion of it. So that's why we have 60 million attacks thwarted to date, if not more. And nobody knows it's still happening. That's why I said I don't think the message resonated given those figures. This needs to be patched, and it points to the point of resources.

Thank you. I'm out of time. I'll yield to the Ranking Member, Mr. Beyer.

Thank you, Chairman LaHood. And I am so impressed by our panel. So much information here. And congratulate Dr. Romine and Dr. Thompson on being Ph.D. mathematicians. Jerry was here, a member of Congress, I believe our only mathematician in Congress. And Mr. Neino, congratulations on winning the hacking tournament. I never had a chance to say that before. It's very cool. And General Touhill, it's cool that after all of the things you've done, combat and diplomacy and first CISO, to be up there at Carnegie Mellon with their buggy races around the park. Every university has something that makes it cooler than everyplace else. And General, I'll start with you. You talked in your long written testimony about H.R. 1224, cosponsored here, but we expressed a lot of concern about the audit function that NIST would be asked to take on.
I was fascinated by your points, which we didn't raise when we had the hearing here, that it would make it much more difficult for NIST to be viewed as an honest broker, that this would change the perceptions about their current and future roles, have a chilling effect on many of the relationships that NIST has in government, and describe that a lot of these are quote unquote learning relationships based on the common quest to identify and incorporate best practices, and NIST would change this relationship, not in a good way; it might inhibit the free exchange of knowledge. Can you expand on that? Seems a powerful argument against that audit function.

Yes, sir. Frankly, I'm a fan of the intent of the legislation. Section 20(a), in making sure that folks are in fact using the Cybersecurity Framework across the federal government, I think is brilliant. We need to follow through on that big time. Frankly, it was something I was promoting while I was the United States Chief Information Security Officer. And as a matter of fact, at my last federal Chief Information Security Officer Council meeting in January of this year, I proposed, and we had a unanimous vote among the council, to do a risk assessment for the federal government based on the framework. So that portion of the legislation I'm supportive of. Section 20(b), the proposal to do the auditing and compliance activities, I'm also a fan of. I think it's important that we do auditing and compliance. However, I do stand by what I wrote in the written testimony, that I think that NIST is not the best place to put that. It doesn't have the culture, it doesn't have the mission, it doesn't have the personnel to do it as effectively as the existing inspector general and auditing functions. NIST is a great organization that I've been working with for 35-plus years. And the relationship that NIST has is in fact as a neutral party that is on the quest to choreograph efforts to find the best ways of doing things.
An auditing function or compliance function, on the other hand, is looking to see if you are in fact following the checklist. I think that if we want to have an auditing and compliance function, which I definitely think we should be doing, we should be giving direction to those folks whose job it is to do that auditing and compliance function. And frankly, this is an operational issue. Inspectors general have always been, in my book, the folks that do performance inspections, that are the ones that are going to help those commanders in the military, as well as the executives in the federal government, do their job better and have better visibility into their risk posture. I believe we need to have the inspector general and auditing functions currently in place be the ones who execute the intent of the committee and the Congress.

Thank you, General. Mr. Neino, based on your testimony you should be a doctor; it's filled with really interesting things. And your three-part conclusion that the largest issues were, a, that organizations are too slow to adapt, b, we have a vast human resource shortage, and c, little by way of metrics to demonstrate return on investment. You talk about creating a method to prioritize threats, like the Richter scale. Who should put this together, who should manage it, who should maintain it? How do we make this happen?

I think it would be interesting to see NIST participation in something of this where it's basically crowdsourced through entities that could look together and see how they are prioritizing threats and risk, and in some way put in some sort of simulation system that allows it to be scalable, where people as a resource are not scalable, technology can be, and that would be an effective area. I also see that the commercial sector alone can produce that as well, and that could be adopted, but I think that any time you have some sort of regulatory mandate it's taken much more seriously.
And what I mean by that is, for instance, if we had an event measured and if we put an arbitrary number on WannaCry, say 7.5 by some arbitrary figure, shouldn't that particular event be required to be fixed by organizations? Whereas right now it's mostly voluntary. So if a water system or a power grid doesn't fix it after WannaCry, shouldn't we see that sort of mandate, where we can know that it is regulated because that event of magnitude has context? Versus, you can't boil the ocean when it comes to patching vulnerabilities; we're not going to win that war. It's infinite. We should be able to win the war of the attacks we know about.

Thank you very much. Mr. Chair, I yield back.

Thank you. I now recognize Chairman Abraham.

Thank you, Mr. Chairman. I also stand in awe of the brain cell power on our panel. We could probably use a couple of you guys as mathematicians when we work through our budget process. Dr. Thompson, if indeed North Korea has a role in this virus exploitation, I find it ironic that a country like North Korea, that not only suppresses but quashes religious freedom, would use a biblical name, Lazarus, as a code name. My question to you: when news of WannaCry started spreading, what, if any, steps did NIST take to ensure federal information systems were protected, and was NIST involved in any government meeting that took place around that time?

Thank you very much for the question. The response for an event like WannaCry from the NIST perspective, the primary goal as a scientific institution and an institution that provides guidance, is to learn as much as we can about the incident and about the, not origin from a country point of view, but the technical origins, and to determine whether the guidance that we issue is sufficiently robust to help organizations prevent this kind of attack. I'm not aware of specific meetings that we were involved in that were discussing the operational side of WannaCry.
I think, you know, law enforcement and intelligence communities were meeting; you heard reference to DHS being quite active in helping the private sector to deal with this issue. From our perspective it's more learning whether we can improve the guidance that we make available to entities to try to not only prevent these attacks but also recover from them, and to be prepared for them in the future.

I'll stay with you for my second question. In your testimony, which I did read, you said that the NIST recommendations in the NIST Guide for Cybersecurity Event Recovery and the Cybersecurity Framework would sufficiently address the WannaCry incidents. Will the requirement in the cyber executive order for agencies to implement the framework help them be better prepared in the future to defend against these types of incidents, and will this be enough, or should more be done?

Thanks for the question. It's difficult to know whether it will be enough for the next event. But I can say this. One of the important things that emerged in our discussions with the private sector during the development of the framework was that we are often thinking about detection and prevention of attacks. Sometimes we don't pay enough attention to response and recovery. And so one of the things that the framework does is to spell out the five functions of identify, protect, detect, respond and recover, and we're providing a lot of guidance now with the incident response guidance that we provided, for example, to help different organizations be better prepared to respond and recover. One of the analogies I've drawn recently is the Boy and Girl Scouts are right; their motto is be prepared.
And the fact is, the better prepared an organization is through its risk management activities, which we think the Risk Management Framework from FISMA, coupled for federal agencies and under the umbrella of the Cybersecurity Framework now, we think those are the tools necessary to implement the kind of preparedness that organizations should have.

One quick follow-up. What specific steps, in light of WannaCry, should NIST take to help federal and state agencies as well as the private sector?

We're already looking at some of the consequences associated with it. Some of the incident response work that we have. Some of the data integrity work I talked about earlier: we launched the data integrity project at the National Cybersecurity Center of Excellence, which has a very strong tie-in with ransomware-type attacks. We launched that before WannaCry came out, but in light of this new event we're accelerating the work that's going on in the NCCoE, so we hope to be able to provide very practical guidance or practical examples of how to be prepared, so that organizations can see how it's done.

Thank you. General, thank you for your service to the country. Mr. Chairman, I yield back.

Thank you. I now recognize Ranking Member Lipinski for his questioning.

Thank you, Mr. Chairman. I thank the witnesses for their testimony and all of the work that you do. We are, I think, finally beginning to take cybersecurity more seriously here in Washington, although there is much more that I think we need to do. Part of the problem is understanding what this really means, and the impact that it can have. We also need to make sure that the American public knows the significance of cybersecurity and what could happen. We know when we're dealing with cybersecurity that technology is just part of the solution. What often matters more, as we saw with WannaCry, is personal behavior and organizational behavior.
Individuals and information systems managers must install security patches and phase out outdated software. Organizations must prioritize cybersecurity and have plans for quick response when they are attacked. These are social science issues. Another social science angle is understanding criminal and terror networks as well as foreign state actors, and using that understanding to help inform our intelligence gathering and defenses. I'd like to hear from each of our witnesses your thoughts on whether we are investing enough in the human factors of cybersecurity and what more can be done; what more would you like to see us do so that we are taking care of these issues?

Thank you, Mr. Lipinski. I think it's a great point that you bring up. There are other issues other than technology at play. Cybersecurity is hard. It really is. Software is hard, security is hard. When you put them together it's very hard. One thing that we know will be quite difficult is resources. Resources will maintain their need for quite some time. And technology is rapidly evolving. We have eroding boundaries, systems are changing, we have digital transformation that continuously happens, so we have to relearn our resources and people. This makes it very difficult for those responsible in those areas to manage risk, to keep up with the actual threat, the pragmatic threat, not just the way we measure our own threats, but like WannaCry. In that case I think we could see a huge value if we were to see investments in things that allow for threat prioritization. Going back to the events of magnitude: you can't boil the ocean, but you can look at the areas that can hurt you the most, and the people that will hurt you the most. Investigating those things and putting them together allows you to start to formulate a picture that allows you to prioritize threats. The investments you make in those people and those resources will be maximized and have a better chance of being more resilient. Thank you.
I'd like to describe two important NIST programs that directly address the human part of this problem. One is NIST is privileged to host the program office for the National Initiative for Cybersecurity Education, or NICE, an interagency program dedicated to building a larger cybersecurity workforce. And we made great strides in that area; we're very proud of the work we've done there. The second part of the program is, you are absolutely right that one of the key components in achieving true security is understanding how humans interact with technology. You can be theoretically secure through technology, but if the people that are trying to get their jobs done are focused on that and not taking advantage of, or in some cases circumventing, the security that's in place in order to get their jobs done, you have to know about that and understand how to build systems that have the human in the loop. NIST takes a systems-level approach to cybersecurity, but we think the users are part of the system, so we have an active research program in understanding this; we have psychologists, sociologists, human factors engineers on our staff whose entire mission is to understand how people interact with technology so we can do better in security and usability. Thank you.

Thank you. When I was still in public service as Information Security Officer I pointed out five lines of effort. One was harden the workforce. Two, treat information as an asset. Three, do the things in the right way at the right time. Four, make sure you are innovating and investing. And five, make risk management decisions at the right level. The first one was harden the workforce. You give me an extra dollar in cybersecurity, you spend it on people. Frankly, your people are your greatest resource, but they are also your weakest link. We see it time and time again. 95% of the incidents responded to you could track back to a human failure. Failure to patch, failure to configure correctly, failure to read the instruction book.
So I think hardening the workforce should be a strategic priority, one of my top ones, actually the top one. Further, if you ask where else we could invest: exercises. People should not necessarily be confronting a crisis without having practiced ahead of time. And my friend Admiral Thad Allen likes to say the time to exchange business cards is not in a time of crisis. We should be doing exercises more often than we are and be investing more into them. Further, everybody needs to play. Too often we see senior executives who dismiss that off to the younger folks and the kids in the server room to play. It's a risk issue, and risk decisions are made at the board level. So I think we need to invest in exercises; we already are doing a lot. During the time I was at DHS, when I got there, the year before we had done 44. By the time I left two years later we were up to 270 exercises. I think more is to be done, and I encourage the committee and the Congress to help reward these types of practices because I think it will buy down our risk.

If the chairman will allow, Dr. Thompson.

Thank you. Thanks for that question. I think what you're hitting on is probably one of the most important and underinvested areas in cybersecurity in general. This human element cannot be separated from the technology. Often in the security community we talk about advanced persistent threats, and most people, when they think about that, think about sophisticated code, malware. But in fact, what we're seeing is the root of many of these advanced persistent threats, the initial way a company got infected or a person got infected, was that an individual made, in retrospect, a bad choice; they clicked on a link, downloaded a file, and we're seeing attackers becoming more socially sophisticated in the way they attack.
We're seeing them personalize attacks, looking for information on social networking sites, for example, so they can create credibility and email a message so that you are convinced this is a reasonable thing to go and do. I think from an industry perspective it is a place that we desperately need focus. I want to give you one data point I think may be useful. I've had the pleasure to serve as the program committee chairman for the RSA Conference for the past 10 years. That conference had 40,000 people, security professionals, that showed up last year, which is a sign of how important I think this industry has become. Three years ago we started a track called the Human Element. And it has become one of the most popular tracks for cybersecurity professionals because I think you all realize, and I love the comments that the General made about this topic, I think we all realize that is one of the most critical areas that we need to focus on going forward. The human element of the people that are advancing cybersecurity, but also the human element of users. And a final comment here. It is very easy for a user to understand that there's an increase in utility. I know it's easier to get in my house if I leave the door unlocked. Very easy. Don't have to carry keys around. If I make it more secure, generally people's viewpoint is, you're making it more secure, you make it more painful. There are more things to do. They can measure utility but can't measure risk. We need to do a better job at helping the individual, the citizen, recognize risk.

Thank you very much. Thank you, Mr. Lipinski. I recognize Congressman Higgins for his questions.

Thank you, Mr. Chairman. Mr. Neino, congratulations on shutting down WannaCry. That was a big mistake by whoever designed that worm, was it not, leaving it, the domain, unregistered?

Hard to say what it is; it could have been intentional, unintentional. We think it was unintentional, but it was definitely a mistake.

Congratulations on discovering it.
What would WannaCry have done to the world had that kill switch not been discovered?

I can only give a thumbnail of what that might look like. Given today we're seeing millions of attacks per day, you have to realize that the velocity of the attack slowed significantly as a result of the kill switch, so generally mathematicians will say these are exponential attacks. This could have been a massive attack.

I concur. Most experts agree that it appears that North Korea was behind WannaCry. Do you agree?

I think that there are tells in the software program you could use to associate it, but I do believe that intelligence is cumulative beyond cyber. Cyber is difficult to attribute. You need other areas to attribute.

What's your opinion? Is North Korea behind WannaCry?

I don't want to comment. I have seen people make good conjectures about China, others about it being random people, but I don't think it's worth commenting because I'm just not a subject domain expert.

Intelligence, safe answer, sir. When security software is designed, how easy is it for the designer to build a back door access that would be virtually undetectable in that cyber security software?

We've seen that a multitude of times, and good studies from a variety of areas. The level of entry to do that is very low.

Thank you for concluding that. Brigadier General, my question to you, sir, and thank you for your service: are you familiar with Kaspersky Labs? Manufacturer of a long list of cybersecurity products that top intelligence officials at the FBI, CIA, and the NSA, and others, advise this body that they don't trust Kaspersky. They would not use the product on their personal devices. However, it's still used widely across the United States government, various departments. Can you explain that?

Well, sir, I don't know what kind of conversation my colleagues from those agencies had with this committee.
However, as I go and I take a look at the different products that are in the market today, I believe that the American products are the best ones out there. And just on a value proposition, I buy American.

I concur. That's a brigadier general speaking right there.

That's an American speaking, sir.

Let me say that although there's no public evidence of collusion between Kaspersky Labs and the Russian government, it's not a large leap. And Eugene Kaspersky suggested that his products have no ties to the Russian government; however, as part of the national conversation, Mr. Chairman, that, and it's widely known, that the Russians have been involved in efforts to influence governments across the world with cyber attack, and Mr. Kaspersky would testify before this body. I strongly suggest that we take him up on his offer. I'd sure like to talk to him regarding the kill switch in North Korea. That having been, or rather, the glaring error on the part of the designer of that worm cyber attack, Mr. Neino, what do you think happened to the guy in North Korea? It was a kill switch, wasn't it? So this message is, should it get to any of the cyber attack, cyber experts in North Korea: if you can get out of the country, you're welcome in the West. We'd love to have you before this committee. We'll give you some real good food. Mr. Chairman, I yield back.

Thank you. I now yield to Congresswoman Esty.

Thank you very much. This has been very enlightening and extremely helpful. There are a couple of points I want to return to and maybe drill down on. One is on the human element, which I think is unbelievably important, because you can buy all of the great equipment in the world and, as you said, Dr. Thompson, if you leave the door open it doesn't do you any good. I think a little bit about the analogy in hospitals, people used to washing hands; it may be low tech but it works.
So one of the things I think we need to emphasize for all Americans is hygiene; it's just what are proper hygiene practices. So that's one, in getting people's thoughts, and how we make that absolutely standard operating procedure for all organizations, government and non-government. Two, we have an issue in the federal government in particular, and all levels of government, of really old systems. So we look at the fact that this was exploiting a vulnerability in Windows. Who is using those? Overwhelmingly, local and state governments that don't have money and are using these old systems; that's an even greater issue. Mr. Neino, your point about threat assessment and understanding levels of assessment: we need triage help. We need triage help to recognize what DEFCON level is this. Everybody gets those notes and we're looking like, I don't have time to upgrade my system. That's the reality of human behavior. So I'd suggest a couple things. We ought to get behavioral economists and social media experts, to your point, Dr. Thompson, and I think that needs to be part of what the federal government, part of what NIST is doing to stay ahead of the game; we need to do that. A number of us were in Aspen at a briefing a couple months ago with some of the folks from the top levels of the private sector talking about how so much of our emphasis at the federal government has been, and frankly the incentives have been, for us to be on attack mode. We're developing our attack cyber capability. We left it to the private sector to be defense. We need to do more defense. How do we incentivize defense attention? It's less sexy but a lot more important. So what can we do as a culture change? Where does that have to come out of? Is that out of NIST, out of DoD, NSA, to put the incentives there? How do we make sure we're getting the broader sector of the talent pool?
Again, it may not strike people, bringing in people who do Snapchat for figuring out how do we make sure people don't click on that link, but it strikes me if we don't do that, if we look at what happened in the hacking on the electoral system last year, what happened with John Podesta's email: someone who clicked on a link. And it is going to be the weakest link and the strongest at the same time. Anyone who has thoughts on that whole bunch of stuff; that's what happens when you're at the end of the hearing. You're batting cleanup and you want to raise a number of issues. Again, thank you very much. I look forward to following up with all of you, and thank you for your efforts and in joining with us in figuring out how we can do better for America. Thanks.

Thank you, Congresswoman. I'll make two quick points. One is we have active research going on now under the program that I talked about to understand human behavior, trying to understand susceptibility to phishing attacks, and sort of what are the things that factor into people not recognizing that something is a phishing attack. There's research coming out about that. With regard to culture change, I think maybe it's underappreciated sometimes the culture change going on in boardrooms and among CEOs who, in light of the framework as a catalyst for this, but I think this might have been on their radar, but the framework is a means of catalyzing the understanding on the part of boardrooms and CEOs that managing risk to reputation and financial risk and business operational risk and all of the risks that you're already managing as a CEO, you now have the tools that you can use to incorporate cybersecurity risk into that risk management.

I'd like to pile on to that. First of all, on the cyber hygiene, we all need to do better. And you know, we work closely with NIST to help promote the national cyber education programs that we have. I think we really need to do better on that.
I propose that we probably need a Woodsy Owl, Smokey the Bear type of thing; I call it Byte. Let's get kids out there fully educated and bring that pipeline up. We've been working with NIST and across the interagency to do that. We also need to incentivize. We shouldn't necessarily be seen as the government that's here to help but not really help but overregulate. We need to encourage and incentivize to buy down their enterprise risk. We have to recognize that risk is an intrinsic part of any management of any business. And we have to be careful that we don't hamstring the different boards from managing their risk. We need to give them the tools and the support to be good wingmen to help them make those risk decisions. Then finally, you know, we've had a lot of discussions publicly in this town over the last two, three, four years about who does what in helping. As for me, having served in uniform over 30 years and then having done some public service on top of that, I think it really takes teamwork, and I view the DoD and NSA and intelligence community's mission to help with deterrence and interdiction: stop them and take the fight to the bad guys out on the foreign shores. But when it comes to protecting hometown America, I believe that's more appropriate for DHS and the work that's currently done in the NCCIC to choreograph activities across the federal government in better serving its citizens.

Just a quick comment. First, I support the general's suggestion that we resurrect Smokey the Bear. I think it would be great to see him again and maybe repurpose him for this effort. But I will say first, Congresswoman, thank you so much for your comments. I very much agree with what you said about this human element. I can tell you that the practice of security I think is changing very much because of that. And I think about the folks that we hire at Symantec as an example.
The kinds of folks that are hunting down the malicious networks today aren't just the computer scientists and mathematicians. They are computational linguists, behavioral psychologists, anthropologists, people that are looking at the human behavior of an attacker group. So that's one side. On the consumer side, which we sell to at Norton, we spend an amazing amount of time thinking about how do we make security similar to the iPad. I call it the iPad because it's the only piece of technology I think I've given to my mom and I didn't have to give her instruction about how to use it. She just understood it. And we spend a massive amount of time now, today, on design. How do we make it intuitive, how do we make it easier to be more secure than less secure? And I think that is where a lot of effort must go in the security community today. How do we make it easier to be more secure than less secure?

Thank you, Congresswoman. I was thinking as you referenced Smokey the Bear, maybe a new company, Smokey the Bear Malware. We'll register the domain. Mr. Palmer.

First, accept our thanks for the quick thinking that allowed the kill switch to prevent so many infections. But with regard to your measurements, you suggest that the number of 200,000 infections is too low and that before the implementation of the kill switch it may have been 1 to 2 million infections. How do you then explain that practically no one tried to pay the ransom, if there were that many more?

I think there were some who tried to pay the ransom. Be it the measure of success of that is hard to determine.

What you've got is, from many studies, that a large portion of the companies do pay the ransoms when their computers are encrypted, but by monitoring the bitcoin wallets advertised in the malware, it seems less than 500 people did so. That's .02%.

Sure.

That's inconsistent with what you're saying.
I think that when you look at it, it's hard to associate the payments to the spread, and I'll tell you for a variety of reasons. One, when you look at the actual attack and the magnitude of the attack and try to trace it to the payment, if you look at the mechanisms to make the payment, it was, one, not clear whether you would get your systems back. And at this point the attacks have been abandoned. So we know that if you paid the ransom you didn't go anywhere. Most of the media and many of the experts were suggesting you not pay the attacker. We were asked the same question, and you would have to base it on your own risk and determine if you should pay. What I can say is the data we are receiving is absolute; when we get this data, it's not just WannaCry, we're doing this close to a decade, we see and visibly analyze data. It is accurate.

I'd like to address this question to General Touhill. As one of our members said, thank you for your service, sir. Your testimony refers to people who were infected by running Windows 95, but published reports say almost everyone that was infected was running Windows 7. So isn't it true that the main reason people were infected was because an intelligence community vulnerability was leaked to the public?

Sir, thanks for the question. Just for clarity's sake, in my written testimony I highlighted Windows 95 as being used as an exemplar. However, there were plenty of operating systems that were susceptible to this type of attack, including Windows ME, 7. A lot of unpatched systems.

But I'm asking about an intelligence community vulnerability leaked to the public.

If we take a look at it from that standpoint, yeah, I'm very concerned about that. And I think that this highlights a couple of things. First of all, patch your systems. We've been telling you all along to do that. Second of all, I think that if we take a look at the leakage of information, or attribution of leakage of information, that's serious and unacceptable.
In regard to the patch, the reality is that a team of hackers calling themselves Shadow Brokers published an NSA exploit called EternalBlue on the internet. That happened January 2017, and Microsoft released a patch that addressed that vulnerability three months later. March, the patch was called MS17-010, so it was not a problem of machines being out of date; the problem was that if you had not put all of the recommended patches on all of the machines within 60 days you would become a victim, and it was a zero-day attack. That's when the code was released; there was no way to protect from it.

I don't know, I don't believe I would characterize this one necessarily as a full zero-day attack, from my perch, frankly, because of the fact that we had some patches that had been put out, and Microsoft went through extraordinary measures, by the way, to create those patches for operating systems that had previously been declared unsupportable many years before. And I use Windows 95 in my written testimony as an exemplar. It was online for 19 years before it was retired. For the last three years, Microsoft had not been supporting it, and then for them to come back and put out that patch in March was extraordinary. And through the federal government and other organizations around the world, we went out and we clearly communicated, and Carnegie Mellon's one of them, communicated to all of the communities of interest: patch your systems. This is an important patch. It was labeled as a critical patch, sir.

One more question for Mr. Thompson. Could you address the DoublePulsar feature? No one was paying the ransoms; is it possible the real goal was to allow remote access to the machines that DoublePulsar was installed on by becoming infected?

Thanks for the question. It's difficult to anticipate what the true intention was of this attack, whether it was ransomware, whether it was a test, whether it was the ability to propagate some kind of back door.
But what is, I think, interesting as a characteristic of the attack, which I think goes back to your first question of why didn't we see, quote, normal or expected rates of ransomware payment: the back-end infrastructure that was set up was very weak compared to the typical piece of ransomware that we see out there in the wild. And it is pretty incredible; many of these ransomware attacks have a very robust infrastructure behind them, almost the equivalent of customer support for people that have been infected with the ransomware. We didn't see that level of sophistication here in the back end.

I thank the witnesses for their answers. I yield back.

Thank you. Now yield to Congressman Webster for his questions.

Thank you, Mr. Chairman. Thank you for having this meeting, and a joint meeting, and thank you each of you for coming. I'll tell you, my mind has been on something else, and the statements that were given here were similar to that, in that they fit. There was an attack yesterday and I thought about how the fact that it was an advanced persistent threat. Not only that, it was a personalized attack. And there are some people, my seatmate here, who acted heroically to turn it around. And so I just, that's what was on my mind: these Capitol Police whose service protected life yesterday, along with heroic acts of many of the members of this Congress. Maybe it's a different kind of threat, but it was real. And in this particular case there was no human error. I wanted to take this time, I have just a few minutes, and say thank you for our people that work here and for the members who serve here who proved there still are heroes in our country and they haven't been exposed yet. There were some yesterday that were exposed. Thank you, Mr. Chairman. Yield back.

Thank you. I think we have a couple more questions; we are going to go for a short second round. I'll yield myself five minutes. Dr. Romine, you note in your written testimony that the National Vulnerability Database, NVD, that NIST maintains and, quote, updates dozens of times daily, unquote, of all known and publicly reported IT vulnerabilities, documented that vulnerability that the WannaCry malware exploited. A recent report notes that 75 percent of the vulnerabilities documented last year were disclosed elsewhere first and that it takes on average seven days between the discovery of a vulnerability and its reporting on the NVD. What is the reason for the delay there? If you could talk about that. And is NIST working to get rid of that lag time?

Thank you for the question. We're always interested in trying to shorten the time to deliver really important information to our stakeholders. In the case of NVD, our goal is not first to disclose or first to disseminate, though we want to do it as early as we can. Our real goal is accurate curation, including an assessment of the impact that a vulnerability might have. And that assessment requires a certain amount of analysis that has to be done before we can include something in the National Vulnerability Database. The other reason is that the disclosures are often from sources that are not necessarily reliable from our perspective, and including information about vulnerabilities from sources that we don't view as authoritative would not be in our best interest for the NVD, I don't think.

And was there a delay in reporting the vulnerability that the WannaCry malware exploited?

I don't know the exact duration between the time that we received the report and the time we put it in the NVD. I'm sure it was a matter of days.

Thank you. Those are all my questions. I yield to Mr. Beyer.

Thank you. General, you are the first chief information security officer, and you took that position, I guess, last September under the Obama administration.

Yes, sir.

Do you believe the federal government should have this federal CISO position?
And I know the Trump administration hasn't filled it yet. But do you have any reason why you left at the time you did, and any concerns whether it will be refilled?

First of all, thank you for the question. I believe that this is a best practice, to have a chief information security officer, and in different organizations, the first chief information security officer position was created in the private sector over 20 years ago. And it took about 20 years for the federal government to create one. I think it is critically important as part of an enterprise risk management approach that you do in fact have someone who is focused on information security and the risk to the enterprise, and advising the corporate community, as it were, up, down and across, as far as what those risks are and best practices to buy down and manage that risk. Within the federal government we still don't have an authorization for a federal chief information security officer in statute. My position was appointed as an administrative appointment. And I think that as we take a look at, as we move forward, the executive order that just recently came out is a great step forward. I think we need to firm up and make sure that this position is an enduring position, but we need to authorize and empower the position such that the chief information security officer can in fact have the authorities to choreograph and direct activities that are necessary to better manage risk. As the appointment goes, I look forward to seeing who the administration brings forward, and I will coach and serve as wingman for that person.

While we're talking executive orders, you made the interesting case that we overclassify, that the default is to make everything the highest thing, and that we should instead make the default position the lower level classification and argue our way up. How do we operationalize that? Is this executive order, legislation, memorandum of understanding?

Thank you for that question.
I'm very passionate about it because I was responsible for public and private sector partnerships while I was at DHS, and the information sharing between the public sector and the private sector. And frankly, we overclassify too much time-sensitive information in the federal government, in my view. And I believe that the solution set is going to have to be a combination of legislation as well as executive action. So I think really both branches of government are going to need to partner up as far as to determine the best means of getting information out faster to folks so that we can take timely action in a fast-paced cyber environment.

Great, thank you. Mr. Neino, you had one very intriguing, or many intriguing, lines in your testimony. One said, quote, points contrary to defense, who did it. And what I understood from that is we spend too much time trying to figure out who is Lazarus, or who is, rather than trying to defend ourselves. Can you expand on that? Because I confess, as a naturally curious person, who watches Law & Order and CSI and all this stuff, I want to know who did it.

I think the barrier of entry at this point is that anyone could do it. So conjecturing over who has done it is a very difficult task, because cybersecurity is something that could be easily misdirected. You never really know who the attacker is. And focusing on that doesn't solve the problem that we're vulnerable. We are vulnerable. So if you leave the door open, there could be thousands of people that walk by your house every day. Would it really matter, if it's because you leave yourself exposed, who has done it? They do it because they can. And we should not make it that way. We should make it so we are resilient and we are a very strong nation in regards to defense.

Thank you. Dr. Thompson, do you want to pile on at all?

I do, thank you.
You know, it's interesting; we don't spend very much time looking at who did it as in who is the country behind it, who is the enterprise behind it, who is the person behind it. But it's very critical for us to associate patterns of behavior. So if we associate attack A with attack B, and then believe that these two things are connected, it will let us learn more about that group, the tactics that they use, and make us better prepared to protect against a new attack sight unseen. And that was the case with Symantec's AV engines and our artificial intelligence engines, because of previous training on this, against the WannaCry malware. So it's critical for us to have that grouping together. And then we'll leave it up to the intelligence community to decide who that group actually belongs to.

Great, thank you very much. Mr. Chairman, yield back.

Do you have any follow-up questions?

No, I think I took plenty of time on my first round. I think that I thank the witnesses for your testimony, all the work. As I said, I'm sure we'll be continuing this discussion, so thank you.

In closing, I want to thank all of the witnesses here today for your important, insightful and impactful testimony. And as our two subcommittees look at legislation and public policy as it relates to cybersecurity and the ancillary issues of national security, economic vulnerability, privacy, we look forward to continuing to work with you on those issues and appreciate you taking time out of your busy schedule to be here today. And the record will remain open for two weeks for additional written comments and written questions from members. And at this time, the hearing is adjourned. Thank you.

Mr. Chairman.

Yes.

Good subject matter.