Mr. LaHood: We'll come to order. Without objection, the chair is authorized to declare a recess of the committee at any time. Good morning and welcome to today's hearing entitled "Bolstering Cybersecurity." I recognize myself for five minutes for an opening statement. I want to welcome the witnesses here today and welcome Chairman Smith, Oversight Subcommittee Research and Technology Ranking Member Lipinski, our expert witnesses and members of the audience. Cybersecurity, a concept we hear mentioned frequently, especially in this period of rapidly emerging threats, is an ever-evolving concept. Maintaining an effective cybersecurity posture requires constant vigilance as new threats emerge and old ones return. Too often, however, when we hear about the importance of cybersecurity, we are left without concrete steps to take to ensure our systems are best positioned to defend against emerging threats. One of the goals of today's hearing is to learn about the WannaCry ransom attack, a new type of ransomware infection which infected over one million unique systems last month in a worldwide attack that impacted nearly every country in the world.
Although the concept of ransomware is not new, the type of ransomware employed by WannaCry was novel. WannaCry worked by encrypting documents on a computer, instructing victims to pay $300 in bitcoin in order to regain access to their users' documents. Unlike typical forms of ransomware, however, WannaCry signaled the ushering in of a new type of worming ransomware, which caused the attack to spread faster and more rapidly with each new move. In light of the novelty built into WannaCry's method of attack, cybersecurity experts, including those we'll hear from today, have expressed significant concerns that WannaCry is only a preview of a more sophisticated ransomware infection that many believe will inevitably be launched by hackers in the near future. Beginning May 12, 2017, the WannaCry ransomware infection moved rapidly across Asia and Europe, eventually hitting the United States. The attack infected 7,000 computers in the first hour, 110,000 distinct IP addresses in two days, and in almost 100 countries including the U.K., Russia, China, Ukraine and India. Experts now believe WannaCry affected approximately one million to two million unique systems worldwide prior to activating the kill switch. In Illinois, my home state, Cook County's IT systems were compromised by WannaCry, reportedly one of the few local governments subject to the attack. Although Cook County has worked to appropriately patch their systems, it is important that we ensure that all vulnerabilities are appropriately remedied in the event of a more sophisticated attack. Fortunately, the hackers responsible for WannaCry mistakenly included a kill switch, which was uncovered by an employee of Kryptos Logic and used to terminate the attack. The Kryptos Logic employee registered the domain linked to the attack. The kill switch prevented 10 to 15 million unique system infections and reinfections.
Although, based on information available thus far, federal government systems were fortunately spared by WannaCry, we want to ensure that the government is sufficiently prepared in the likely event of a more sophisticated attack. Additionally, the committee wants to hear what Congress can do to appropriately address this climate of new and emerging cybersecurity threats. Through the lens of the aftermath of WannaCry, today's witnesses will help shed light on key steps the government should take to ensure its systems are protected. We will also hear today about how public-private partnerships are an instrumental tool to help bolster the government's cybersecurity posture. Finally, we'll learn about how the president's recent cybersecurity order, which makes the NIST Cybersecurity Framework mandatory on the executive branch, is a significant step in ensuring the cybersecurity posture includes the most up-to-date measures to defend against threats. It is my hope that we will highlight areas where improvement is necessary while offering recommendations to ensure the federal government is prepared to respond to emerging cybersecurity threats. I look forward to hearing from our distinguished witnesses. I now recognize the Ranking Member of the Oversight Subcommittee, Mr. Beyer, for an opening statement.

Mr. Beyer: Thank you very much, Mr. Chairman. I'd just like to thank you and Chairman Comstock for holding this hearing. Cybersecurity should be a chief concern for every government, business and private citizen. Systems were breached by state-sponsored hackers, compromising the personal information of millions of Americans. That same year, hackers released the personal information of Sony Pictures executives, embarrassing emails between Sony executives and employees and even copies of then-unreleased Sony movies. In 2015 they took over the power grid in Ukraine. The cybersecurity breach that was the genesis of this hearing was the WannaCry outbreak.
It infected 300,000 computers worldwide and could have been much worse. I want to thank CEO Neino for being wise enough to find an employee to find the kill switch, unless you did it yourself. We're lucky it was found quickly, and we're fortunate that federal systems were resistant to WannaCry. We know we may not be as lucky next time. In preparing for this, I learned that I need to upload our security upgrades every time I get a chance on our personal computers and smartphones. The May 11 executive order on strengthening the cybersecurity of federal networks seeks to build on the Obama administration's successes in the cybersecurity arena, and I'm happy that the Trump administration, I don't agree with them on every topic, but that they've taken the next good step. The executive action recommends a host of actions and a myriad of reports. My concern is that the understaffed agencies will have significant difficulty meeting the dictates of the executive order. Frankly, I'm also concerned that the proposed budget cuts in the original Trump-Mulvaney budget across all agencies will make the task a lot harder to strengthen the security of federal information systems. We've got to make sure the federal government has the resources and staffing to meet the need in this vital area. The executive order also calls for agencies to begin using the NIST framework for cybersecurity efforts, and I'm glad we have NIST with us here today; they play an important role in setting cybersecurity standards that can help thwart and impede cybersecurity attacks. NIST is world-renowned for its expertise in standards development, and we'll be well served to use their framework. On a precautionary note, I believe some efforts to expand beyond the current mission are well intentioned but perhaps misplaced. We recently had a debate on H.R. 1224, the NIST Cybersecurity Framework and Auditing Act of 2017, which gives NIST audit authority. Currently, this is the responsibility of the Inspector General for each agency.
They have the statutory authority, the experience and expertise, and respond directly to Congress. NIST has no such experience or expertise, and I at least remain concerned about this proposal. I'd be interested in any of the expert witnesses' thoughts on NIST's role in cybersecurity and auditing. I look forward to hearing from you all today. I look forward to hearing from the former federal CIO. Bloomberg reported this week that the Russian meddling in our electoral system was far worse than previously reported. According to the report, hackers attempted to delete or alter voter data, alter software designed to be used by poll workers and in at least one instance access a campaign finance database. This didn't need to change individual votes to change the election, and we should take these sorts of attacks seriously. Vice President Cheney called it a war on our democracy. Mr. Chairman, this committee held more than a half dozen hearings on cybersecurity issues, including one on protecting the 2016 elections from cyber and voting machine attacks. Given what we know about the hacking and meddling in 2016, I hope this hearing will be a precursor for more hearings on how to better protect our voting systems. I yield back.

Mr. LaHood: Thank you for your opening statement. I recognize Mr. Abraham for an opening statement.

Mr. Abraham: Over the last few years, we have seen an alarming increase in the number and intensity of cyberattacks. They've compromised the personal information of millions of Americans, jeopardized thousands of businesses and threatened interruption of critical public services. The recent WannaCry ransomware attack demonstrates that cyberattacks are continuing to go from bad to worse. The most recent large-scale cyberattack affected more than one million to two million systems in more than 190 countries. Nevertheless, it appears the impact could have been much more catastrophic, considering how fast that ransomware spread.
While organizations and individuals within the United States were largely unscathed, due in part to a security researcher identifying a web-based, quote, kill switch, the potential destruction of WannaCry warns us to expect similar attacks in the future. Before those attacks happen, we need to make sure our information systems are very ready. In a Research and Technology Subcommittee hearing earlier this year, a representative of the GAO testified, and I quote, over the past several years, GAO made about 00,000 recommendations to federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented. Unquote. It is clear that the status quo in federal government cybersecurity is a virtual invitation for more cyberattacks. We must take strong steps in order to properly secure our systems and databases before another cyberattack like WannaCry happens and puts our government up for ransom. On March 1, 2017, this committee approved H.R. 1224, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, a bill I introduced as part of my ongoing interest in the state of our nation's cybersecurity. This bill takes concrete steps to help strengthen federal government cybersecurity. The most important steps are encouraging federal agencies to adopt the National Institute of Standards and Technology, NIST, Cybersecurity Framework, which is used by many private businesses, and directing NIST to initiate cybersecurity audits of priority federal agencies to determine the extent to which each agency is meeting the information security standards developed by the institute.
NIST in-house experts developed government-wide technical standards and guidelines under the Federal Information Security Modernization Act of 2014, and NIST experts also developed, through collaboration between government and the private sector, the Framework for Improving Critical Infrastructure Cybersecurity that federal agencies are now required to use pursuant to the president's recent cybersecurity executive order. I was very pleased to read that language. Considering the growing attempts to infiltrate information systems, there's an urgent need to assure Americans that all federal agencies are doing everything they can to protect government networks and sensitive data. The status quo simply is not working. We can't put up with more bureaucratic excuses and delays. NIST cyber expertise is a singular asset. We should take full advantage of that asset, starting with the very important step of annual NIST cyber audits of high-priority federal agencies. As cyberattacks and cyber criminals continue to evolve and become more sophisticated, our government's cyber defenses must also adapt in order to protect vital public services and shield hundreds of millions of Americans' confidential information. We will hear from our witnesses today about lessons learned from the WannaCry attack and how the government can bolster the security of its systems. We must keep in mind that the next cyberattack is just around the corner and it can have a far greater impact than what we have thus far seen. Our government systems need to be better protected, and that starts with more accountability, responsibility, and transparency by federal agencies. Thank you, and I look forward to hearing from our panel. I yield back.

Mr. LaHood: Thank you, Mr. Abraham. I now recognize the Ranking Member of the Research and Technology Subcommittee, Mr. Lipinski, for an opening statement.

Mr. Lipinski: Thank you, Mr.
LaHood, and thank you for this hearing on the WannaCry ransom attack last month. The good news is U.S. government information systems were not negatively impacted by the WannaCry attack. This was a clear victory for cyber defenses. However, I believe there are lessons to be learned from successes as well as failures. A combination of factors likely contributed to the success, including getting rid of most of our outdated Windows operating systems, diligently installing security patches, securing critical IT assets and maintaining robust network perimeter defenses. As we know, Microsoft sent out a security patch in March, two months before the WannaCry attack. These and other factors played a role in minimizing damage to U.S. businesses as well. However, WannaCry serves as yet another reminder that we must never be complacent in our cybersecurity defenses. The threats are ever-evolving and our policies must be robust yet flexible enough to allow our defenses to evolve accordingly. The Federal Information Security Modernization Act laid out key responsibilities for security of civilian information systems. Under FISMA, DHS and OMB have central roles in development and implementation of policies as well as in incident tracking and response. NIST develops and updates security standards and guidelines, both informing and responsive to policies established by OMB. Each agency is responsible for its own compliance, and each Inspector General is required to audit its compliance with FISMA on an annual basis. We must continue to support efforts to be compliant with FISMA while conducting careful oversight. In 2014, NIST released a Cybersecurity Framework for Critical Infrastructure, which is currently being updated to framework version 1.1. While it's still too early to evaluate the impact, it appears it's being widely used across industry sectors. They recently reported out H.R.
105, which I was pleased to cosponsor, that would ensure the Cybersecurity Framework is easily used by the users. I hope we get it to the president's desk quickly. In the meantime, the president's cybersecurity order directs federal agencies to use the framework to manage their own risk. As we have heard in prior hearings, many experts have called for this step, and I applaud the administration for moving ahead. I join Mr. Beyer in urging the administration to fill the many vacant positions across the agencies that would be responsible for implementing the framework as well as shepherding the many reports required. Finally, I take this opportunity to express my disappointment in the administration's budget proposal for NIST. The top-line budget cut of 25 was so severe that if it were implemented, NIST would have no choice but to reduce its cybersecurity efforts. This represents the epitome of penny-wise, pound-foolish decision making. NIST is among the best of the best when it comes to cybersecurity standards, and they help secure information systems not just of our federal government but our entire economy. I trust that my colleagues will join me in ensuring NIST receives robust funding and doesn't suffer the drastic cut requested by the president. Thank you to the expert witnesses f