We will come to order. Without objection, the chair is allowed to declare recess at any time. Good morning and welcome to today's hearing entitled "Bolstering the Cyber Security: Lessons Learned from WannaCry." I want to welcome the witnesses here today. And I would also welcome Chairman Smith, Oversight Subcommittee Ranking Member Beyer, Research and Technologies Committee Chairman Abraham, Research and Technology Ranking Member Lipinski, members of the subcommittees, our expert witnesses and members of the audience. Cyber security, a concept we hear mentioned frequently, especially in this period of rapidly emerging threats, is an ever-evolving concept. Maintaining an effective cyber security posture requires constant vigilance as new threats emerge and old ones return. Too often, however, when we hear about the importance of cyber security, we are left without concrete steps to ensure our systems are best positioned to defend against emerging threats. One of the goals of today's hearing is to learn about real, tangible measures the government can take to ensure its IT security systems are appropriately reinforced to defend against new and emerging threats, including novel and sophisticated ransomware threats. The focus of today's hearing will be the recent WannaCry ransomware attacks. This attack impacted nearly every country in the world. Although the concept of ransomware is not new. This conducted by WannaCry was instructing people to pay 300 in bitcoin in order to regain access to users' documents. Unlike typical forms of ransomware, WannaCry signaled the ushering of a new type of worming ransomware, which caused this to spread faster and rapidly with each new infection.
In light of the novelty built into WannaCry's method of attack, cyber security experts, including those we will hear from today, have expressed significant concerns that WannaCry is only a preview of a more sophisticated ransomware infection that many believe will inevitably be launched by hackers in the near future. Beginning May 12, 2017, the WannaCry ransomware infection spread across Asia and Europe, eventually hitting the United States. The attack infected 7,000 computers in the first hour, 110,000 distinct IP addresses in two days, and in almost 100 countries, including the U.K., Russia, China, Ukraine and India. Experts now believe WannaCry affected approximately 1 in 2 million systems worldwide prior to activating the kill switch. Reportedly one of the few local governments subject to the attack, although Cook County has worked to appropriately patch their system, all their vulnerabilities are appropriately remedied in the event of a more sophisticated attack. Fortunately, the hackers responsible for WannaCry mistakenly included a kill switch, which was uncovered by an employee of Kryptos Logic and used to terminate the attack. Kryptos Logic exploited a key mistake made by the hackers when he registered the domain connected to the ransomware attack. Experts estimate that the kill switch prevented 10 to 15 million unique worldwide systems, system infections and reinfections. So far the federal government systems have been spared by WannaCry. We want to ensure the government is efficiently prepared in the likely event of a more sophisticated attack. Additionally, the committee wants to hear what Congress can do to appropriately address this committee, I'm sorry, this climate of new and emerging cyber security threats. Through the lens of the aftermath of WannaCry, today's witnesses will help shed light on key steps the government should take to ensure its systems are protected.
We will also hear today about how public-private partnerships are an instrumental tool to help bolster the government's cyber security posture. Finally, we will learn how the president's recent cyber security order, which makes this cyber security framework on s branch, incorporates the most innovative security measures to defend against evolving threats. It is my hope our discussions here today will highlight areas where improvement is necessary while offering recommendations as we move forward to ensure the federal government is prepared to respond to emerging cyber security threats. I look forward to hearing from our distinguished witnesses. I now recognize the Ranking Member of the Oversight Subcommittee, Mr. Beyer, for an opening statement.

Thank you. I would just like to thank you and Mr. Comstalk for holding this hearing. In 2014 the Office of Personnel Management's information security systems and two other systems used by contractors were breached by state-sponsored hackers, compromising the personal information of millions of Americans. That same year hackers released the personal information of Sony Pictures executives, embarrassing emails between Sony Pictures employees and copies of the unreleased Sony movies. In 2015 hackers took control of the power grid in the western Ukraine and shut off power for over 200,000 residents. These three quick examples show the varied and widespread effects of cyber security breaches. So we know that cyber security breach with the genesis for this hearing was the WannaCry outbreak. WannaCry ransomware affected 300,000 computers worldwide and could have been much worse. So I want to thank the CEO of Kryptos for finding an employee to find the kill switch. Unless you did it yourself. We are thankful that the physical systems were resistant to WannaCry, but we may not be as lucky next time.
In preparing for this, I have learned from my staff that I need to upload our security upgrades every time I get a chance on the personal computers and on the smartphones. And the May 11th executive order on strengthening the cyber security in networks seeks to build on the Obama administration's successes in the cyber security arena. And I'm happy that the Trump administration, I don't agree with him on every topic, but they have taken the next good step. The executive order calls for a host of actions and a myriad of reports of federal cyber security from every government agency. Simultaneously, the Trump administration has been slow to fill newly vacant positions in nearly every government agency. And my concern is that the understaffed agencies will have significant difficulty meeting the dictate of the executive order. And I'm concerned that the proposed budget cuts in the Trump-Mulvaney budget across all agencies will make the task harder to strengthen the security of federal systems. We have to make sure the federal government has the staffing they need in this vital area. The executive order also calls for agencies to begin using the NIST framework for cyber security efforts. And I'm glad we have NIST here with us to help thwart and impede cyber attacks. They are world-renowned for being used in this framework. On a precautionary note, though, some efforts to expand the cyber security role beyond the current mission and expertise are well intentioned but perhaps misplaced. We recently had a debate of H.R. 1224 here in this Cyber Security Framework and Auditing Act of 2017, which gives NIST the auditing authority for all civil information systems. Currently, this is the responsibility of the Inspector General of this agency. They have the statute authority to experience the expertise and respond to Congress. NIST has no such experience or expertise. So I remain concerned about this proposal.
I would be interested in any of the expert witnesses' thoughts on NIST's role in cyber auditing. So I look forward to hearing from you today and for hearing from the general, the former CISO, about his experience in these positions and thoughts. One final note, Bloomberg reported this week that the Russian meddling in our electoral system was far worse than what has been previously reported. According to the hackers attempting to delete or alter data, access software to be used by poll workers and, in one instance, accessed a campaign finance database. These efforts need to change votes in order to influence the election and we need to take these cyber threats seriously. I think Vice President Cheney called this a war on our democracy. Mr. Chairman, this committee held more than a half a dozen hearings on the cyber security issues during last Congress, including the one on protecting the 2016 elections from cyber and voting machine attacks. So given what we know about the hacking and meddling, we need more hearings on how to better promote these hearings. Mr. Chairman, I yield back.

Thank you, Mr. Beyer, for the opening statement. I recognize Mr. Abraham for an opening statement.

Thank you, Mr. Chairman. Over the last few years we have seen an alarming increase in the number and intensity of our cyber attacks. These attacks by cyber criminals and by the unfriendly governments have compromised the personal information of millions of Americans and jeopardized thousands of our businesses and employees and threatened interruption of critical public services. The recent WannaCry ransomware attack demonstrates cyber attacks continue to go from bad to worse. The most recent large-scale cyber attack affected 1 to 2 million systems in more than 190 countries. Nevertheless, it could have been more catastrophic considering how fast that ransomware spread.
While organizations and individuals within the United States were largely unscathed, due in part to a security researcher identifying a web-based, quote, kill switch, the potential destructiveness of WannaCry warns us to expect similar attacks in the future. Before those attacks happen, we need to make sure that our information systems are very ready. The research and subcommittee heard an arguing this year representing the U.S. Government Accountability Office, the GAO, testified, and I quote, "Over the past several years, GAO has made about 2,500 recommendations to the federal agencies to enhance their information security programs and controls. As of February 2017, about 1,000 recommendations had not been implemented," unquote. It is clear that this status quo in federal government cyber security is a virtual invitation for more cyber attacks. We must take strong steps in order to properly secure our systems and databases before another cyber attack like WannaCry happens and puts our government up for ransom. On March 1st, 2017, this committee approved H.R. 1224, the NIST Cyber Security Framework Assessment and Auditing Act of 2017, a bill I introduced as part of my ongoing interest over the state of our nation's cyber security. This bill takes concrete steps to strengthen the federal government's cyber security. The most important steps are encouraging federal agencies to adopt the National Institute of Standards and Technology, NIST, cyber security framework used by many private businesses and directly initiates several cyber security audits a priority of federal agencies to determine the extent to which each agency is meeting the information security standards developed by the institute. NIST in-house experts developed government-wide technical standards and guidelines under the Federal Information Security Modernization Act of 2014.
And NIST experts also developed, through collaboration between government and private sector, the Framework for Improving Critical Infrastructure Cyber Security that federal agencies are now required to use pursuant to the president's recent cyber security executive order. I was very pleased to read that language. Considering the attempts to infiltrate information systems, there's an urgent need to assure Americans that all federal agencies are doing everything they can to protect government networks and sensitive data. Status quo simply is not working. We can't put up with more bureaucratic excuses and delays. NIST cyber expertise is a singular asset. We should take full advantage of that asset, starting with the very important step of annual NIST cyber audits of federal agencies. As cyber criminals and attacks continue to evolve and become more sophisticated, our government cyber defenses must also adapt in order to protect vital public services and shield hundreds of millions of Americans' confidential information. Lessons learned from the WannaCry attack and how the government can bolster the security of the systems, we must keep in mind that the next cyber attack is just around the corner. And it could have a far greater impact than what we have thus far seen. Our federal government, our government systems, need to be better protected. And that starts with better accountability, responsibility and transparency by federal agencies. Thank you and I look forward to hearing our panel. I yield back.

Thank you, sir. My colleague Mr. Lipinski has an opening statement.

Thank you, Mr. Chairman. And thank you, Mr. Abraham, for holding the hearing on cyber security and lessons learned from the WannaCry attack last month. The good news is that the government information systems were not negatively impacted by the WannaCry attack. This was a clear victory for the cyber defenses.
The combination of factors likely attributed to the success, including getting rid of most of the outdated Windows operating systems, diligently installing security patches, securing critical IT assets and maintaining robust perimeter defenses. As we know, Microsoft sent out a security patch for the vulnerability in March, two months before the WannaCry attack. These and other factors played a role in minimizing damage to U.S. businesses as well. However, WannaCry and its impact on other countries serves as another reminder that we must never be complacent in the cyber security defenses. The threats are ever evolving and our policies must be robust if flexible enough to allow our defenses to evolve accordingly. The federal Information Security act they have roles in developing the implementation of policies as well as an incident tracking and response me. This is an update to the security guidelines. Each agency is responsible for the compliance. In each office of Inspector General that requires office on the annual basis. We must continue to be compliant with FISMA while conducting oversight. In 2014 NIST released the framework for critical infrastructure, currently being updated to the framework version 1.1. While it is still too early to evaluate the full impact, it appears the framework is being widely used across the industry sectors. Our committee recently reported out a bipartisan bill, H.R. 2105, to show the framework is easily usable by the nation's small businesses. I hope we can get to the president's desk quickly. In the meantime, the president's executive order directs federal agencies to use the framework to use the management security risk. As we have heard in prior hearings, many experts have called to the step. And I applaud the administration for moving ahead. I join Mr.
Beyer in urging the administration to fill the vacant positions across the agencies that are responsible for implementing the framework as well as shepherding the myriad reports required by the executive orde