Transcripts For CSPAN2 Acting Cyber Chief Others Testify On COVID-19 Response 20240711

Require a near constant struggle to stay ahead of events and the real danger lies in getting complacent. Effective cybersecurity is an ongoing line of effort. The threat landscape is diverse, the best practices are changing, the information you get may not always be reliable. The task can seem overwhelming and the stakes are high. In this context, I have found myself thinking effective cybersecurity cannot move at, quote, the speed of government. By that I mean cybersecurity is a 21st century public policy program just not manageable by 20th century government means. Regulations, mandates and centralized action in general, these approaches are inadequate to match the pace of change. Congress needs to make sure that the government's role in detecting and responding to cyberattacks is clearly defined, that they're focused first and foremost on the security of federal information networks. Today we'll hear from the Department of Homeland Security and their cybersecurity work. How it is evolving about their approach to this complex range of threats. With respect to individual actors and industries that are at their greatest risk of cyberattack, health care, education, financial services, retail, critical infrastructure, the proliferation of ransomware attacks have made clear that these entities have to take on the responsibility themselves on a day-to-day, minute-by-minute basis. All cybersecurity is essentially local. Today we'll hear from experts in state government, the health care sector, public education, on their experience with cyberthreats and incidents and see the state of cybersecurity in these industries. Fortunately for both government and the private sector, the marketplace for cybersecurity services is continuing to grow and mature. We'll hear from one firm that consults with private and public entities and works with them to respond to cyber incidents.
I would like to thank the ranking member for suggesting this hearing and I look forward to hearing from our panelists. Senator.
Thank you very much, Mr. Chairman, for working with me to arrange this hearing and for your opening comments. I deeply appreciate the opportunity to continue working on an issue that I believe is critical to our economic security. State and local governments have been prime targets for cyberattacks for a number of years. But the stakes have only grown as COVID-19 has forced millions of Americans to migrate their everyday activities to the online world. Many students now learn from their teachers on a computer instead of in the classroom. Doctors treat many patients through telemedicine instead of in person. Governments handle many essential services online instead of at city hall. The massive increase in online activities over these past nine months means that the targets for cybercriminals have increased commensurately. Unfortunately, cybercriminals have taken advantage. One firm that tracks cyberattacks on schools and school districts reports that 44 attacks have occurred so far this school year and many more likely went unreported. We will hear from the superintendent of one of these schools today. In the spring, Interpol warned that ransomware attacks against hospitals have grown significantly as hackers sensed an opportunity to extort money in ransom with hospitals overwhelmed with COVID patients. About a month ago, a cyberattack hit the University of Vermont Medical Center, forcing it to divert patients to other facilities, thereby jeopardizing the care of many patients, especially those in nearby rural areas who do not have the resources to travel to the next the federal government has a responsibility to help protect our communities from the threats. The Cybersecurity and Infrastructure Security Agency has done a commendable job helping our state and local governments, the number and severity of attacks on our communities continues to increase.
This hearing will help us identify ways for Congress and the federal government to better assist state and local governments in fending off these cyberattacks on our communities. We have great witnesses who can help us work through these challenges, including the acting director, who we are happy to have here today. We are missing our original federal witness, Chris Krebs, because he was fired abruptly by the president two weeks ago. In a nonpartisan manner, and approached the most important task, securing the U.S. election infrastructure with professionalism and tenacity. He was fired for doing his job, and we are less safe because of it. It is imperative we have strong, independent leadership going forward. As the Biden administration seeks to fill this position in 2021, I would encourage them to look to Director Krebs when considering his successor. Witnesses, I appreciate your willingness to testify. I want to thank you all for the role you play in keeping us safe. I look forward to learning from your experiences, as well as your expertise. Thank you, Mr. Chairman.
I will proceed with introductions. We will start in the first panel with our federal witness. I'm pleased to introduce Brandon Wales, acting director for the Cybersecurity and Infrastructure Security Agency at the United States Department of Homeland Security. Person to serve as the executive director of the agency before being very recently elevated to acting director. In this role, he oversees CISA's efforts to defend civilian networks, manage risk to national critical functions and work with stakeholders to raise the security baseline of the nation's cyber and physical infrastructure. Acting Director Wales, thank you for coming before the subcommittee today and I look forward to hearing your testimony.
Chairman Paul, Ranking Member Hassan, and members of the subcommittee.
Thank you for the opportunity to testify regarding the Cybersecurity and Infrastructure Security Agency support to state, local, tribal and territorial stakeholders in mitigating a broad range of cyberthreats facing our nation. Whether focused on election security, responding to the digital transformation, or addressing the plague of ransomware, I believe sustaining capacity will be the defining cybersecurity challenge of the next decade. This is my first appearance before the committee and I'm honored to lead the men and women of our agency as we defend today and secure tomorrow. I want to begin by thanking the CISA workforce and the election security community for their work over the last four years, culminating in the November 3rd election. Our goal was simple, to make the 2020 election the most secure in modern history. We succeeded in building a robust community made up of state and local election officials, key federal agencies and private sector election vendors, in surging the technical capacity of CISA to improve defenses nationwide and harnessing the capabilities of CISA, the FBI, the National Security Agency, the U.S. intelligence community and the Department of Defense to identify threats, respond to incidents, and take action when necessary. As a result, layers of security measures are put in place by election officials and the community acted quickly. For example, we were able to rapidly share information on Russian intrusions into state and local networks and attempts by Iranian government actors to send spoofed voter intimidation emails were outed within 27 hours. Our election security mission continues and CISA will remain in an enhanced coordination posture until after election results have been certified in every state. We also stand ready to support states holding runoff elections in the coming months such as Georgia and Louisiana. This year has not only been focused on elections.
Beginning in February we have been working to support the nation's response to COVID-19, including helping to secure the development and distribution of potential vaccines. Since the pandemic's earliest day, we have seen cyber actors exploiting remote work. CISA ramped up information-sharing efforts, established a telework resource hub and surged cybersecurity services to high-risk entities. Now under the HHS Warp Speed, we're prioritizing service to companies to protect U.S. vaccine development and distribution. Recently, hospitals across the country were hit with ransomware looking to profit from disruptions of health care delivery. This was appalling but not surprising given the growth of ransomware incidents. Ransomware is quickly becoming a national emergency. We are doing what we can to raise awareness, share best practices, and assist victims. But improving defenses will only go so far. We must disrupt the ransomware business model and take the fight to the criminals. While election security, a pandemic response, and ransomware may look different, the one thing they have in common is the reliance on the networks at the state and local level. These networks keep our communities running, despite global challenges. These are the networks that help us to respond to emergencies, these are the networks that run local hospitals and schools and they are in need of urgent assistance. CISA is taking action by operationalizing partnerships, hiring additional coordinators to boost engagement in state capitals across the country, supporting cyber proposals and the FEMA grant making process, and continuing to push CISA resources out from headquarters to where our partners are in states and communities. In conclusion, I want to thank the committee for its leadership on legislation that has advanced the authorities on legislation, and for your support for legislations pushing through Congress that will push CISA further.
This committee has been an essential partner in our mission, and I look forward to continuing to work with you to defend today and secure tomorrow. Thank you, again, for the opportunity to appear before you and I look forward to your questions.
Thank you. Senator Hassan had to go vote. She'll be back in a few minutes. You mentioned Russia and Iran and it went by quickly. You said they were attempts to change votes or to interfere in the election somehow? What did you exactly say?
Sure. The activity was different in both cases. In the case of Russia, Russia had launched a fairly broad campaign to target state, local, private sector, and federal networks using exposed vulnerabilities.
Using what?
Exposed vulnerabilities. Fairly well known vulnerabilities they were looking for to get inside of networks.
You're talking about election networks that count votes?
We're talking about general networks, these could be private sector networks and things unrelated to elections. In one case, it did include where they compromised a local county network and downloaded information that had to do with the election.
This was not tabulation of the election?
Absolutely not.
What did you say about Iran?
Spoofed voter intimidation emails.
To your knowledge, there were no votes changed by a foreign actor, in fact, was that true? No votes were changed by a foreign actor that you know of?
We have no evidence that votes were changed by a foreign actor.
No attempts were directly stopped? Is there an existing voting network? You can't hack into a voting network that is sort of there?
We have numerous advantages in part because we have a highly decentralized system. There's not an election network. There are hundreds and thousands of election networks across the country. In addition, the actual vote tabulation systems, those are not networked on the internet.
The places where we see the most activity tends to be those highly centralized internet-enabled systems, voter registration or election night reporting. But in those cases, we did not see any adversary capable of compromising those systems.
It sounds like a general rule of thumb, if we are looking for advice on how to protect ourselves, the whole push of modern technology is to make us more connected and maybe part of the advice is we don't need to be too connected, having separate systems, is some of that advice taken within the federal government? You said we're protected in the electoral system because we have states and counties and there isn't they're not completely integrated. We probably don't want to integrate or federalize things with elections. Is it true within the federal government that there's compartmentalization on purpose to try to protect against hacking?
One of the major recommendations to any entity is to be thoughtful about how you network your systems, where you should segment your systems, where you should air gap your systems. There's a reason why the classified networks that are operated by the intelligence community are not accessible readily through the internet. You want to keep those things separate. Same thing for industrial control systems that operate the most sensitive infrastructure in the country. You want to build additional barriers to prevent people from moving to small compromises onto parts of networks that could have more significant consequences.
How much of the problem with attacking a network is coming through an email versus another way of attacking a network?
Frankly, it varies. Coming through an email, that normally includes things like spear phishing where you get an email that says click on this and all of a sudden, its malicious payload comes and compromises your computer. Right now that has been one of the more significant ways we have seen networks compromised.
Over the last year, we have seen a dramatic growth in people compromising networks by exploiting private network software. This is a result of the expansion of people teleworking, remote working, and a dramatic increase in the number
What does that mean? You are not attacking it through email, you are attacking it through the cloud, somehow?
Not necessarily the cloud, but if you are connecting through a virtual private network, which is the way that you call into your company's network, I'm at home on my laptop calling into my company's network, virtual private network, VPN software, and there are vulnerabilities in some of the more common VPN software, most of which have been patched. If a company has not patched the vulnerability, an actor may be able to exploit the vulnerability they're not logging into your computer. They're logging into your network and bouncing back into your computer more importantly, they want to get into the network. They're exploiting that vulnerability to gain access. Once they're inside, using a variety of other vulnerabilities, they're trying to elevate their privileges. They have administrative capabilities, so they can create new accounts and they can do whatever they want.
What's a guess on the percentage? How much of this is an email problem? Is half of it email? 75? 25?
I would say half is spear phishing related intrusions.
It seems like there would be a technological solution in some of that in trying to protect email networks, maybe you have a separate network that never communicates. It communicates with each other, talks to each other, but never communicates with almost somehow complete separation of your email network from the rest of your network.
It's hard today given the amount of interconnection between the various tools that you use, in terms of any business.
But most of the ways in which networks are compromised today are exploiting vulnerabilities that where patches are available and where the solutions to mitigate these problems are readily available and they're not being implemented by the IT security professionals at companies.
How rapidly does it change? How rapidly does someone have to figure out, you know, there's a brand-new phishing or, you know, technology you need to stay on top of it.
Every day, new patches are released for software. It may not be every single day for every piece of software. But on any given day, there are new patches that come out for software. IT security professionals need to stay on top of that, understand the vulnerabilities, prioritize their efforts to close those vulnerabilities. The bigger the network you have, the more complicated it is.
When you come up with a patch, are you able to keep that secret from the criminals or they can see the patch and respond to the patch?
They can see it, these patches are made publicly available. As many individuals can protect their networks. It's a cat-and-mouse game. Every change we make on the defensive side, offensive cyber actors are going to look to see what they need to do to get around that.
When we have a state actor that is going after classified, and we have creative ways that state actors are using, are we able to share them with the private sector or are we too worried that getting that knowledge out reveals that we know how to combat certain things? Are we sharing on a consistent basis knowledge that you gain with the private sector?
Absolutely. So the partnership that we have with the intelligence community, in particular, the National Security Agency, is better than any time in my entire history with the department. We are getting a significant amount of information from them.
Things they are seeing overseas, activity they are seeing from foreign nations, getting that information to be declassified so we can get it out to people, whether it is a specific incident at an individual location or more importantly, information that could benefit the entire community. A lot of the alerts that we are pushing out, alerting the community to different tactics that our adversaries are using, are based on intelligence sources we are receiving from the intelligence community. That process is happening quickly.
Does it work both ways as private industry getting b
