Homeland security subcommittee on cybersecurity and Infrastructure Protection will come to order. The purpose of this hearing is to receive testimony from jen easterly, director of cybersecurity and Infrastructure Security Agency, or cisa. I now recognize Ranking Member swalwell for the purposes of seeking unanimous consent. Mr. Swalwell thank you, chairman. I ask unanimous consent that the gentlelady from new york, ms. Clarke, be permitted to participate in todays hearing. Mr. Garbarino without objection, so ordered. I now recognize myself for an opening statement. Welcome back for our second subcommittee hearing of the congress. Last month, we hosted Industry Leaders to give their perspective on the state of american cybersecurity and particularly how the cybersecurity and Infrastructure Security Agency or cisa has developed since its creation five years ago. Im glad that well hear directly from cisa director jenest easterly on. Director easterly and i have had a fantastic relationship since i started last congress. I look forward to continuing our strong bipartisan relationship this congress. In our last hearing, there were some common theme from our witnesses that id like to explore with the director this afternoon. First, we learned that cisa must work with industry and partners to ease compliance. The compliance burden that industry faces from duplicative regulation. Its clear that our nation must increase resilient cyber risks across the board, particularly within our Critical Infrastructure sectors. But we must find the right balance between Regulatory Burden and improving security outcomes. We also heard a lot about one of cisas newest initiatives, the joint Cyber Defense collaborative, jcdc. We learned that it is a value add to the private sector but additional transparency around its mission and processes would benefit both the jcdc and industry. Finally and perhaps most foundationally. We heard about the need for robust cybersecurity workforce. We need not only enough people but the right people with the right skills in the right jobs. This is one of my Top Priorities this congress. Im looking forward to hearing director easterlys perspective on how cisa can best contribute to our National Cyber workforce. This hearing is timely and comes as we are evaluating the president s fiscal year 2024 budget request. Cisa is requesting 3. 1 billion. 145 million increase over fiscal year 2023. Enacted fiscal year 2023 enacted funding level. The dialogue we have during this hearing will help inform our committees review of the budget, particularly the new program cisa proposes within including the evolution of the National Cybersecurity protection system. I think i speak for all members on this dais when i say we want cisa to succeed. Its mission is too important to fail. It is our responsibility to ask pointed but productive questions about the Authorities Congress has given it. As i said in our last hearing, congress intends to be a partner to cisa to ensure the agency meets its full potential. Director easterly, i look forward to your testimony thank you and i thank you for being here. I now recognize the Ranking Member, the gentleman from california, mr. Swalwell, for his opening statement. Mr. Swalwell thank you, chairman. And welcome, director. It was just 12 hours ago that the chairman and i were here early in the morning with our colleagues voting. I dont think we voted the same way on many of the amendments yesterday. But on this issue and your success there is no daylight between the chairman and i and my colleagues. Your success is americas success in this space. And that is something we are rooting for and want to enable. I also represent a east Bay California district that is home to tech giants like trinet and workday but also an emerging cybersecurity Insurance Company called cow bell cyber, and worked with them to protect not those companies but small and Mediumsized Companies from emerging threats. As the chairman said, cisa is at an inflection point, and congress made cisa an operational component of d. H. S. Five years ago. Since then its budget has nearly doubled and congress has provided it with a range of new authorities. From mandatory cyber Incident Reporting to persistent Threat Hunting on federal networks to cyber century and cisa has ambitiously taken on new responsibilities to meet the demands of an evolving threat landscape, building trusted relationships with new stakeholders in the process. For that i and our team commend cisa for its Proven Ability to dynamically respond to evolving threats, ranging from Election Security to open Source Software vulnerabilities to the campaigns. As it relates to Election Security, i hope to hear an update from cisa on some recent successes. It is promising new initiatives including the National RiskManagement Center and the joint Cyber Defense collaborative. A collaboration that so many outside organizations, private sector folks are asking, how do we get in . How do we participate . Which to me means you are a victim of your own success in that regard. And that theres high interest in growing and expanding the ability to share information and collaborate to take on our threats. All of these are worthy efforts. I support them and am committed to their success. Today i look forward to hearing how cisa will continue to deliberate in the work it takes on and the commitments to our partners. As people become aware of cisa, they place more rehands on demands on its resources. Cisa, as you know, cannot be everything to everyone and it certainly doesnt have the resources to boil the ocean. Becoming the powerhouse cybersecurity and critical defense agency, cisa has the potential to be requires what cisa has the potential to be requires clear Strategic Direction and determined leadership. I have every confidence that director easterly has both and i will be interested in learning more about your vision for cisa moving forward. Im also interested, as i referenced, in the future of jcdc. Stakeholders have applauded jcdc as an innovative tool for cisa to foster realtime collaboration and push out security practices through initiatives like its shield up campaign. Over the past year and a half, cisa has expanded jcdcs focus to include open Source Software security and protecting highrisk communities by journalistic or Civil Society organizations. Although these are worthwhile efforts, its unclear what criteria jcdc is using to select which areas to focus on, which organizations to partner with, and not how these activities are tied to the jcpos original purpose of streamlining, cyber planning and operational collaboration. I look forward to candid conversations about defining jcdcs core functions, how their partners are involved in the decisions about its future and how it can bring a more proactive posture to cisas defense activities. Formalizing the answers to these questions through authorization will ensure jcdc has enduring value for years to come. On a related note, i understand that cisa is in the process of revamping the National RiskManagement Center and look forward to learning more about plans to make it cisas analytical hub. Finally, its critically important that cisa do more to have other Operational Technology. I appreciate cisas support for my legislation in a we passed into law last year, the Industrial Control Systems cybersecurity training act which will solidify training courses to ensure o. T. Remains at the forefront of our security focus. As im sure youll agree, cisa must develop that workforce now. Not five years from now. While also doing more to promote to understand threats to o. C. Steps, push out its cyber performance goals and grow things like cyber century. Thank you, again, to the chairman for conving us today. Thank you convening us today. Thank you, director easterly. I look forward to a robust conversation about attacking the threats that we face. I yield back. Mr. Garbarino thank you, Ranking Member swalwell. I do not see the chairman or the Ranking Member of the full committee. Other members of the committee are reminded that Opening Statements may be submitted for the record. I am pleased to have director easterly before us today to discuss this very important topic. I ask that our witness please rise and raise their right hand. Director easterly, do you solemnly swear that the testimony you will give before the subcommittee of Homeland Security of the house of representatives will be the truth, the whole truth, and nothing but the truth so help you god . Ms. Easterly i do. Mr. Garbarino i would like to formally introduce our witness, jen easterly, director of the cybersecurity and Infrastructure Security Agency at d. H. S. She was nominated by President Biden in april, 2021, unanimously confirmed by the senate on july 12, 2021. No easy feat. As director, director easterly leads cisas efforts to manage, reduce risk to the cyber and physical infrastructure americans rely on every day. Before serving in her current role she was the head of Firm Resilience at Morgan Stanley, responsible for ensuring preparedness and response to business disrupting operational incidents and risks. She has a long tenure in Public Service to include two tours at the white house. Director, thank you for being here today. I now recognize you for five minutes to summarize your opening statement. Ms. Easterly thank you so much. Chairman garbarino, Ranking Member swalwell, members of the subcommittee, for the opportunity to appear before you today. Im really excited to share what were doing to ensure that the cisa of today and of tomorrow is the agency that our nation deserves. As americas Cyber Defense agency, cisa leads the National Effort to understand, manage, reduce risk to the cyber and physical infrastructure that americans rely on every day. Since cisa was established in 2018, the threats we faced have become more complex, more geographically disbursed and dispersed and affect businesses from sizes large and small and ultimately the american people. Cisas mission has never been more urgent and its a sense of urgency that each of us at cisa feels every day to ensure that we are making the best use of the resources and authorities that congress has pro generously provided to us in the past several years and having a car return on investment both to you and the american people. As youre well aware, the past two years have been pretty intense. From the solar Wind Supply Chain compromise to the Ransomware Attack on Colonial Pipeline, to vulnerabilities in Microsoft Exchange servers, from our shield up campaign, from russia militia cybersecurity, to help state and local Election Officials secure election infrastructure during the 2022 midterms. Cisa, along with our partners, have been front and center on each. Weve aggressively leveraged all of the authorities weve had to enhance our operational vulnerability to hunting to conduct planning and operations with our Industry Partners including our Operational Technology and Industrial Control System partners through the joint Cyber Defense collaborative to identify vulnerable systems through oured a minute admin subpoena process. To serve as both a sector Risk Management agency for eight sectors and one subsector and more broadly as the National Coordinator for Critical Infrastructure security and resilience working with our sisters to reduce crosssector risk. Even as we maintained the highest operational tempo in an increasingly complex and threat environment weve been growing and maturing as a new agency. Cocreating a culture of collaboration to enable us to attract and retain the best talent in the nation. And indeed, growing that talented workforce by nearly 1,000 new teammates in the last couple years. Meticulously executed our rapidly expanding budget to ensure we remain responsible stewards of taxpayer dollars. And last september we published our firstever Strategic Plan which outlines our Ambitious Goals through 2025 across four key pillars Cyber Defense, Risk Reduction and resilience, agency reunification. I greatly appreciate this committees steadfast work to help cisa achieve these goals and also appreciate that the tenetess outlined in the cisa 2025 plan from optimizing the organization, growing an expert Cyber Workforce, advancing our capabilities, harnessing partnerships and measuring outcomes to determine progress are all well aligned. So our efforts together can advance a shared vision for cybersecurity in america. Were aggressively executing this plan working with our trusted partners to enable a collective defense of our Critical Infrastructure to include working with those target rich cyber poor entities like Small Businesses and School Districts and water facilities and hospitals and local election offices to ensure that they have the resources and tools they need to improve their cybersecurity and build resilience. Needless to say, theres much, much more to be done to protect and defend our nations Critical Infrastructure from driving adoption of secure by Design Principles in our Technology Products to championing corporate cyber responsibility in every board room to implementing a groundbreaking cyber Incident Reporting regime and much more done torp done to mature our great team and optimize our value to our partners. With perhaps no partner more fundamental to our sesquicentennial than you success than you all. We would not be here today without tremendous bipartisan congressional support, especially from this committee and this subcommittee. We are very grateful for your commitment to ensuring cisa is armed with the talent, the resources and the authorities necessary to meet our mission of reducing risk to the Critical Infrastructure americans rely on every day. This is truly a nofail mission. And thanks to your support, we are thriving. And while were proud of what weve accomplished to date, we recognize the crith cality of crith kalt of continued support in terms of authorities and budget to ensure that we sustain this progress. We must and we will continue pushing hard under your oversight and with your support to strengthen this agency and by extension the security and resilience of our nation. Thank you for the opportunity to appear before you today. I look forward to your questions. Mr. Garbarino thank you, director easterly. Members will be recognized by seniority. An additional round of questioning may be called after all members have been recognized. And i just not going to call myself first because my vice chair has another hearing she has to go through and i know she has some very interesting questions. I would like to yield i recognize ms. Lee from florida for five minutes. Ms. Lee thank you, mr. Chairman. Thank you, director easterly, for being here today. As my former role as florida secretary of state i had an opportunity to work with you, your predecessor, your team over at cisa in working to secure election infrastructure. So id like to begin there with a couple of questions about that sector. And the work of cisa in the elections arena. Starting out, would you describe to the committee what cisa does in collaboration with state and local Election Officials as it relates to cyberspecific risk assessments and then also where appropriate the deployment of hunt and Incident Response teams to state and local elections offices . Would you please describe those services, when theyre utilized and whether you see the need of them increasing or decreasing . Ms. Easterly thanks so much. Thank you for your partnership and leadership on this issue in particular. So as you know, weve been in this role now since 2017, and we have been lea