<html>
<title>CYBER INCIDENT RESPONSE: BRIDGING THE GAP BETWEEN CYBERSECURITY AND EMERGENCY MANAGEMENT</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


  CYBER INCIDENT RESPONSE: BRIDGING THE GAP BETWEEN CYBERSECURITY AND
                          EMERGENCY MANAGEMENT

=======================================================================

                             JOINT HEARING

                               before the

                       SUBCOMMITTEE ON EMERGENCY
                        PREPAREDNESS, RESPONSE,
                           AND COMMUNICATIONS

                                and the

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 30, 2013

                               __________

                           Serial No. 113-39

                               __________

       Printed for the use of the Committee on Homeland Security

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________

                         U.S. GOVERNMENT PRINTING OFFICE

87-116 PDF                       WASHINGTON : 2014
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
         DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP,
                          Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Richard Hudson, North Carolina       Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------

  SUBCOMMITTEE ON EMERGENCY PREPAREDNESS, RESPONSE, AND COMMUNICATIONS

                  Susan W. Brooks, Indiana, Chairwoman
Peter T. King, New York              Donald M. Payne, Jr., New Jersey
Steven M. Palazzo, Mississippi,      Yvette D. Clarke, New York
    Vice Chair                       Brian Higgins, New York
Scott Perry, Pennsylvania            Bennie G. Thompson, Mississippi
Mark Sanford, South Carolina             (ex officio)
Michael T. McCaul, Texas (ex
    officio)
            Eric B. Heighberger, Subcommittee Staff Director
                   Deborah Jordan, Subcommittee Clerk
                                 ------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Jason Chaffetz, Utah                 Filemon Vela, Texas
Steve Daines, Montana                Steven A. Horsford, Nevada
Scott Perry, Pennsylvania, Vice      Bennie G. Thompson, Mississippi
    Chair                                (ex officio)
Michael T. McCaul, Texas (ex
    officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk



                            C O N T E N T S

                              ----------
                                                                   Page

                               Statements

The Honorable Susan W. Brooks, a Representative in Congress From
  the State of Indiana, and Chairwoman, Subcommittee on Emergency
  Preparedness, Response, and Communications.....................     1
The Honorable Donald M. Payne, Jr., a Representative in Congress
  From the State of New Jersey, and Ranking Member, Subcommittee
  on Emergency Preparedness, Response, and Communications:
  Oral Statement.................................................    12
  Prepared Statement.............................................    13
The Honorable Yvette D. Clarke, a Representative in Congress From
  the State of New York, and Ranking Member, Subcommittee on
  Cybersecurity, Infrastructure Protection, and Security
  Technologies:
  Oral Statement.................................................    10
  Prepared Statement.............................................    11
The Honorable Bennie G. Thompson, a Representative in Congress
  From the State of Mississippi, and Ranking Member, Committee on
  Homeland Security..............................................    14

                               Witnesses

Ms. Roberta Stempfley, Acting Assistant Secretary, Office of
  Cybersecurity and Communications, National Protection and
  Programs Directorate, U.S. Department of Homeland Security:
  Oral Statement.................................................    16
  Prepared Statement.............................................    18
Mr. Charley English, Director, Georgia Emergency Management
  Agency, Testifying on Behalf of National Emergency Management
  Association:
  Oral Statement.................................................    22
  Prepared Statement.............................................    23
Mr. Craig Orgeron, CIO and Executive Director, Department of
  Information Technology Services, State of Mississippi,
  Testifying on Behalf of National Association of State Chief
  Information Officers:
  Oral Statement.................................................    27
  Prepared Statement.............................................    29
Mr. Mike Sena, Director, Northern California Regional
  Intelligence Center, Testifying on Behalf of National Fusion
  Center Association:
  Oral Statement.................................................    32
  Prepared Statement.............................................    34
Mr. Paul Molitor, Assistant Vice President, National Electrical
  Manufacturers Association:
  Oral Statement.................................................    38
  Prepared Statement.............................................    39

                             For the Record

The Honorable Susan W. Brooks, a Representative in Congress From
  the State of Indiana, and Chairwoman, Subcommittee on Emergency
  Preparedness, Response, and Communications:
  Statement of National Governors Association....................     3

                                Appendix

Questions From Chairwoman Susan W. Brooks for Roberta Stempfley..    65
Questions From Chairwoman Susan W. Brooks for Charley English....    67
Questions From Chairwoman Susan W. Brooks for Craig Orgeron......    68
Questions From Chairwoman Susan W. Brooks for Mike Sena..........    69
Question From Chairwoman Susan W. Brooks for Paul Molitor........    70


  CYBER INCIDENT RESPONSE: BRIDGING THE GAP BETWEEN CYBERSECURITY AND
                          EMERGENCY MANAGEMENT

                              ----------


                      Wednesday, October 30, 2013

     U.S. House of Representatives,
      Committee on Homeland Security,
   Subcommittee on Emergency Preparedness,
          Response, and Communications, and
     Subcommittee on Cybersecurity, Infrastructure
             Protection, and Security Technologies,
                                            Washington, DC.
    The subcommittees met, pursuant to call, at 10:07 a.m., in
Room 311, Cannon House Office Building, Hon. Susan W. Brooks
[Chairwoman of the Emergency Preparedness, Response, and
Communications subcommittee] presiding.
    Present from Subcommittee on Emergency Preparedness,
Response, and Communications: Representatives Brooks, Palazzo,
Payne, and Clarke.
    Present from Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies: Representatives Meehan,
Clarke, and Horsford.
    Mrs. Brooks. The Subcommittees on Emergency Preparedness,
Response, and Communications and Cybersecurity, Infrastructure
Protection and Security Technologies will come to order.
    I would like to welcome our witnesses, everyone in the
audience, and those who are watching this webcast to our joint
hearing today on Cyber Incident Response.
    I would like to start out by thanking Chairman Meehan and
Ranking Member Clarke for working with me and Ranking Member
Payne, who we anticipate both of those Members will be here
shortly, on this important issue.
    I would like to thank our witnesses for their patience as
we have worked to reschedule this hearing, in addition to the
slight delay this morning.
    I would also like to thank the staffs who have worked
together in preparing us for this very important hearing this
morning.
    October is Cybersecurity Awareness Month, and I think it is
so very important that we observe this month as part of our
awareness because it must be our ability to not only protect
our networks and our critical infrastructure from intrusions,
but also, what is our ability to respond should an intrusion
become successful? After all, we do know that the threat of a
cyber attack is real and in a speech just prior to her
resignation former Secretary of Homeland Security Janet
Napolitano discussed that threat.
She forecasted that our
country will face a major cyber event that will have a serious
effect on our lives, our economy, and the everyday functioning
of our society.
    Now, earlier this past week National Geographic Channel
aired a program entitled ``American Blackout''--a program which
I watched with some interest on Sunday evening. It explored the
cascading effects of a Nation-wide 10-day power outage caused
by a cyber attack. For the Members of the committee, if you
have not seen that I strongly recommend that you watch this
show.
    The movie was eye-opening and quite scary and happened to
be on a topic that I had discussed just recently with Hoosier
Power Companies in my district just last month. The effects of
the blackout depicted in this movie caused serious public
health and public safety issues, including severely impacting
the food and water supply; the availability of fuel, which we
also saw during Hurricane Sandy, which just 1 year ago
yesterday when that horrific hurricane came upon our shores;
the ability of hospitals to function; the ability to access
money from ATM machines or to use credit cards; and most
importantly, the ability to enforce the law and maintain civil
society.
    Now, I agree with the former Secretary when she noted that
we have made some great strides in addressing the cyber threat,
but clearly more work must be done and must be done quickly.
This assessment that work remains was echoed at a hearing we
held in the Emergency Preparedness Subcommittee last month.
    The 2013 National Preparedness Report released by FEMA
earlier this year again highlighted States' concerns about
their own cybersecurity capabilities. The 2013 report noted
gains in cybersecurity at the State level but that the States
continue to report that cybersecurity is among the lowest of
their capabilities. Let me repeat that: It is among the lowest
of the States' capabilities.
    At that hearing California's homeland security advisor,
Mark Ghilarducci, noted that cybersecurity is an emerging and
evolving threat that everybody is still grappling to get their
arms around. He noted that the Federal Government's ability to
provide guidance to States has been rather limited.
    I agree this is not an easy task, but information sharing
about the threat and actions to take before, during, and after
a cyber attack is critical. I hope that Ms. Stempfley will tell
us about the Department's efforts to share information with
State and local authorities including emergency managers,
fusion centers, and the private sector to help them work to
address and elevate the importance of this evolving threat; and
I hope that our State and local witnesses will also
discuss how they share information and coordinate with relevant
officials in their States and localities and with the private
sector, which, I must note, controls at least 85 percent of our
Nation's critical infrastructure. We must ensure that this
coordination is taking place now so we are prepared to respond
to a cyber incident that will have physical consequences.
    I am also interested in learning today how DHS, working
with other Federal agencies and departments and exercise
participants, is working to address the lessons that were
learned in the National-level exercise conducted in 2012, which
simulated a large-scale cyber attack.
    Just as I have noted the challenges we face in addressing
the cyber threat, we must also discuss the progress that is
being made. In my own district I am proud to say that the
Indianapolis division of Homeland Security has established a
cyber defense force to improve the overall cybersecurity
preparedness of the Indianapolis metropolitan area, and the
State of Indiana has included cybersecurity in its threat and
hazard identification and risk assessment, or in its own THIRA.
    The National Emergency Management Association is working
also with Texas A&amp;M to develop cybersecurity awareness training
programs for emergency managers. Fusion centers are also
becoming much more engaged in cybersecurity.
    States are also taking innovative steps to address the
threat. For example, Michigan has established the role of a
chief security officer, which has oversight of both
cybersecurity and physical security.
    The National Guard is becoming much more engaged in
cybersecurity as well. In Maryland the Air National Guard's
175th Network Warfare Squadron is assisting with the
development of State cybersecurity assessments and has worked
with Maryland Emergency Management on cybersecurity exercises.
    Next month the North American Electric Reliability
Corporation, or NERC, will hold GridEx 2013, an exercise that
will test the electricity subsector's readiness to respond to a
cyber incident including physical consequences.
    These are all critically important steps, but as I noted
earlier, much work remains to ensure we are prepared to respond
to a cyber attack.
    Chairman McCaul and Chairman Meehan have been working to
develop thoughtful, effective cybersecurity legislation this
Congress. I am pleased the draft bill that that committee has
worked on includes provisions addressing cyber incident
response and it is my hope that today's hearing will help to
further inform that committee's work.
    Before I conclude, I would like to ask unanimous consent to
include in the record a statement from the National Governors
Association, which provides greater details on steps States are
taking to enhance their cybersecurity posture.
    [The information follows:]
              Statement of National Governors Association
                            October 30, 2013
    On behalf of the Nation's governors, thank you for the opportunity
to comment on bridging the gap between cybersecurity and emergency
management. Protecting the Nation from cyber threats and their
potential consequences requires strong partnerships among all levels of
government, law enforcement, the military, and the private sector. Over
the past several years, Governors have been working to improve the
cybersecurity posture of their States and to improve State-Federal
coordination. Based on these efforts and States' interaction with the
Federal Government, we are pleased to offer the recommendations below.
                 state efforts to address cybersecurity
    Since the terrorist attacks of September 11, 2001, and Hurricane
Katrina in 2005, National preparedness and response activities have
emphasized a ``whole community'' approach. Despite this progress,
State-Federal coordination efforts for cybersecurity are still in their
early stages. In the absence of unified Federal guidance, States are
moving forward to develop methods, strategies, and partnerships to
improve their cyber resiliency and strengthen capabilities to prepare
for, respond to, and recover from potential cyber attacks.
    Governors are leading efforts to expand collaboration and drive
change at both the State and Federal level.
This is taking place
through initiatives such as the National Governors Association (NGA)
Resource Center for State Cybersecurity and the Council of Governors.
Through these collaborative forums, Governors have identified a number
of areas where enhanced Federal support and engagement could further
assist States in this National effort. For instance, the Federal
Government should:
  <bullet> Enhance Federal coordination and consultation with States
        and recognize that Governors have emergency powers and
        authorities that can benefit the Federal Government.
  <bullet> Leverage all available resources, such as the National
        Guard, to support both Federal and State cybersecurity
        missions.
  <bullet> Provide flexibility for State investments in cybersecurity
        through reform of Federal grant programs and support for
        innovative State solutions that leverage existing resources
        such as fusion centers.
  <bullet> Clarify Federal statutes, roles, and authorities to address
        cyber incident response, taking into consideration the role of
        States and the impact on current State laws and regulations.
  <bullet> Improve information sharing and State access to Federal
        cybersecurity resources, such as those for technical support,
        education, training, and exercises.
            encouraging action and promoting best practices
    Governors' efforts are focused on the need to improve not just
States' cybersecurity, but that of the Nation. To help Governors
address this challenge, NGA formed the Resource Center for State
Cybersecurity in 2012. The Resource Center, co-chaired by Maryland
Governor Martin O'Malley and Michigan Governor Rick Snyder, brings
together experts from key State and Federal agencies and the private
sector to provide strategic and actionable recommendations Governors
can use to develop and implement effective State cybersecurity policies
and practices.
    On September 26, 2013, the NGA released Act and Adjust: A Call to
Action for Governors for Cybersecurity, a paper that provides strategic
recommendations Governors can immediately adopt to improve their
State's cybersecurity posture (attached). NGA also released an
electronic dashboard designed to provide Governors with an overview of
their State's cybersecurity environment and assist them in monitoring
implementation of the paper's recommendations. The dashboard is
currently being pilot tested in Maryland and Michigan in conjunction
with the Multi-State Information Sharing &amp; Analysis Center (MS-ISAC).
Through the Resource Center, Governors are exploring other vital areas
as well, including:
  <bullet> The role of fusion centers in collecting and disseminating
        real-time information on cyber threats to State agencies and
        law enforcement;
  <bullet> Enhancing the cybersecurity of energy systems and the
        electrical grid in coordination with utility commissions,
        owners, and operators at the State level; and
  <bullet> Developing a trained and enduring cyber workforce within
        State government.
                  leveraging resources government-wide
    Identifying innovative solutions to address cybersecurity and
secure the Nation against the growing cyber threat requires engagement
by senior leaders at all levels of government. In addition to their
work within their respective States, Governors also have engaged
directly with the Federal Government through the Council of Governors
(Council). Currently co-chaired by Governor O'Malley and Iowa Governor
Terry Branstad, the Council brings together 10 Governors and the
Secretaries of Defense and Homeland Security to address issues
regarding the National Guard and homeland defense.
    Since it was formally established in 2010, the Council has served
as a valuable forum to facilitate coordination between State and
Federal military activities, such as a 2010 agreement establishing
dual-status command authority during major disasters. This authority
was employed during recent events such as Hurricane Sandy and the
Colorado floods. The Council is now working to turn this commitment to
collaboration into similar actions to address State-Federal
coordination on cybersecurity and the development of National Guard
cyber capabilities.
    Governors firmly believe the Guard's unique status serving both
Governors and the President and its access to civilian-acquired
skillsets makes it an ideal and cost-effective resource to address our
Nation's growing cyber vulnerabilities. With the flexibility to support
both Federal and State-related cyber missions, the Guard can be a force
multiplier in support of the Department of Defense, the Department of
Homeland Security (DHS), the Federal Bureau of Investigation and
States. While the National Guard's role in cybersecurity is still being
deliberated, Guard cyber units across the country are already
demonstrating their unique capabilities including:
  <bullet> Serving as a key coordinating hub between various
        stakeholder groups.--Several National Guard cyber units are
        actively engaged with their Governor's office, State emergency
        management agencies, State Chief Information Officers and other
        State, local, and Federal officials in the development of State
        cyber incident response plans. Several States have also
        integrated Guard units within their fusion center.
  <bullet> Providing key support services in planning, testing,
        training, and exercises.--Guard unit participation is
        continuing to grow in State and National-level cyber exercises
        such as Cyber Guard, Cyber Storm, and Cyber Shield. Several
        State Guard units also are providing risk assessment and
        vulnerability testing support to State agencies and local
        critical infrastructure owners and operators.
  <bullet> Providing a readily available and highly-trained
        workforce.--National Guard cyber units include personnel from a
        significant number of the Nation's top cybersecurity and
        information technology companies such as Microsoft, Cisco,
        Siemens, Intel, GE, Boeing, IBM, and Google. This access
        provides a unique opportunity to leverage and sustain ``leading
        edge'' civilian-acquired cyber skillsets not readily available
        or easily built from within the Federal Government.
    Earlier this year, Governors secured the commitment of former U.S.
Department of Homeland Security Secretary Janet Napolitano and
departing U.S. Department of Defense Deputy Secretary Ash Carter to
work with them to identify new opportunities to strengthen the State-
Federal partnership on cybersecurity and to better leverage existing
resources such as the National Guard. This work is on-going, and we
look forward to providing the committee an update on our progress early
next year.
               opportunities for state-federal engagement
    As the development of Federal legislation to address cybersecurity
continues, Governors urge Congress to consider the following
recommendations:

  <bullet> Ensure coordination and consultation with States.--Like all
        disasters, response and recovery begins at the State and local
        level. Federal cyber incident response guidance such as the
        National Cyber Incident Response Plan (NCIRP) must not be
        developed using a Federal-centric approach, but must integrate
        key State officials and consider Governors' authorities
        throughout the process.
  <bullet> Promote the role of the National Guard to support both
        Federal and State cybersecurity missions.--This includes
        ensuring that the National Guard is considered concurrently
        with active duty forces in any new cyber force structure
        developed by U.S. Cyber Command and the military services.
  <bullet> Support State investments in cybersecurity through reform of
        homeland security preparedness grants.--In recent years,
        decreased funding levels across preparedness grant programs
        combined with their current rigid requirements have limited
        States' ability to address emerging threats, such as
        cybersecurity, or provide adequate support to fusion centers.
  <bullet> Address ambiguities with cyber incident response.--This
        includes clarifying current statutory authorities governing
        disaster management, such as the Stafford Act and the Economy
        Act. Roles and responsibilities of the various Federal agencies
        with cybersecurity coordination and operational authority
        during an incident should be better defined and corresponding
        guidance to State and local authorities (such as the NCIRP)
        should be updated accordingly.
  <bullet> Improve information sharing with States to provide real-time
        intelligence on threats.--Improving existing information-
        sharing capabilities such as the MS-ISAC and State and local
        fusion centers can further support this effort. DHS also can
        provide more structured and coordinated access to Federal
        cybersecurity initiatives such as workforce and training
        programs, Federal cybersecurity exercises, and forums for
        public-private partnerships.
                cybersecurity is a shared responsibility
    Governors recognize the critical need to improve our Nation's
cybersecurity posture. This is an immense challenge that requires an
unprecedented level of coordination among all levels of government and
the private sector. Governors are committed to addressing this
challenge within their States and are actively seeking to partner with
their Federal counterparts. As the committee continues to consider the
legislative path forward for cybersecurity, NGA stands as a ready
resource for innovative policy solutions that will both support
Governors' efforts and enhance the State-Federal partnership to address
our Nation's most pressing cybersecurity challenges.
                         Attachment.--NGA Paper
    act and adjust: a call to action for governors for cybersecurity
September 2013, Thomas MacLellan, Division Director, Homeland Security
        &amp; Public Safety Division, NGA Center for Best Practices
    Cybersecurity remains one of the most significant challenges facing
the Nation.
Although implementing policies and practices that will make \nState systems and data more secure will be an iterative and lengthy \nprocess, Governors can take a number of actions immediately that will \nhelp detect and defend against cyber attacks occurring today and help \ndeter future attacks.\n    Those actions include:\n  <bullet> Establishing a governance and authority structure for \n        cybersecurity;\n  <bullet> Conducting risk assessments and allocating resources \n        accordingly;\n  <bullet> Implementing continuous vulnerability assessments and threat \n        mitigation practices;\n  <bullet> Ensuring that the State complies with current security \n        methodologies and business disciplines in cybersecurity; and\n  <bullet> Creating a culture of risk awareness.\n    By implementing those recommendations immediately, Governors can \ngreatly enhance States' cybersecurity posture.\nGuiding Principles\n    This Call to Action, as well as the work of the NGA Resource Center \nfor State Cybersecurity (Resource Center), is guided by a set of core \nprinciples:\n  <bullet> Support Governors.--The work of the Resource Center is \n        singular in its focus on supporting Governors' efforts to \n        improve cybersecurity. The Resource Center marks the first \n        large-scale effort exclusively focused on the role of Governors \n        in improving cybersecurity.\n  <bullet> Be Actionable.--The goal of the Resource Center is to \n        provide to Governors recommendations and resources that promote \n        actions that reduce risk.\n  <bullet> Reduce Complexity.--Cybersecurity policy is designed and \n        implemented in a complex environment. 
The Resource Center aims \n        to reduce that complexity by looking for common principles and \n        practices that are effective in that environment.\n  <bullet> Protect Privacy.--The recommendations made through the \n        Resource Center aim to both improve cybersecurity and protect \n        the privacy, civil rights, and civil liberties of citizens.\n  <bullet> Employ Technologically Neutral Solutions.--The \n        recommendations made through the Resource Center emphasize \n        nonproprietary, open standards.\n  <bullet> Focus on the State as Enterprise.--The work of the Resource \n        Center aims to improve Governors' understanding of the State as \n        an enterprise including the interdependencies among State \n        agencies; between the public and private sector; and regionally \n        across State boundaries.\n  <bullet> Promote Flexible Federalism.--To the extent possible, the \n        Resource Center emphasizes the benefits of and opportunities \n        for flexibility within Federal programs to allow for tailored \n        State solutions.\n  <bullet> Rely on Evidence-Based Practices.--The Resource Center makes \n        recommendations that build on evidence-based practices.\n  <bullet> Use and Generate Metrics.--The Resource Center promotes \n        recommendations that use dynamic performance metrics to manage \n        and improve State processes and practices.\n  <bullet> Promote the Use of Incentives.--The Resource Center makes \n        recommendations that promote the use of incentives to improve \n        cybersecurity practices in a State.\nImmediate Actions to Protect States\n    Domestic and international actors are launching a significant \nnumber of cyber attacks against States. 
Although many of the actions \nnecessary to reduce the Nation's vulnerabilities to cyber attacks \nrequire long-term structural improvements and business redesign, \nGovernors can take actions now that can immediately improve their \nState's cybersecurity posture. Implementation of the actions described \nbelow will help to ensure strong governance and oversight, a baseline \nof cybersecurity capabilities, and quicker identification of attacks \nand threats; it also will help to improve basic cybersecurity \npractices.\n    Establish a governance structure for cybersecurity.--Because State \nsystems and networks are interconnected, developing a robust \ncybersecurity posture will require an enterprise-wide approach. To that \nend, Governors need to ensure that they have a strong State-wide \ngovernance structure with some degree of central authority that \nprovides a framework to prepare for, respond to, and prevent cyber \nattacks. Several recent attacks reveal that States which fail to put in \nplace a strong governance structure are at a distinct disadvantage.\n    For many States, chief information security officers (CISOs), who \nare responsible for developing and carrying out information technology \n(IT) security policies, have only limited responsibility and authority \nover State-wide cyber networks. CISOs can operate in federated or \ndecentralized environments where technology and security resources are \ndispersed across various agencies and departments. 
In addition, the \nsharing of cyber threat information with the private sector and local \ngovernments is handled by State homeland security agencies, further \ncomplicating the overall cybersecurity governance structure.\n    According to a survey conducted by Deloitte for the National \nAssociation of State Chief Information Officers (NASCIO), 56 percent of \nState CISOs indicate that they have authority over only their executive \nbranch agencies, departments, and offices.\\1\\ Although most States have \na CISO, if they do not have a visible agency-level security posture, \nthey can encounter obstacles to implementing an effective cybersecurity \nprogram. Among the elements of an effective program are enforcement \nmechanisms to ensure compliance with security policies and audit \nfindings. States without governance structures to build and operate \neffective programs will be limited in their ability to identify on-\ngoing cyber attacks and respond in a coordinated way.\n---------------------------------------------------------------------------\n    \\1\\ ``State Governments at Risk: A Call for Collaboration and \nCompliance,'' Deloitte and the National Association of State Chief \nInformation Officers, October 26, 2012, accessed March 10, 2013, http:/\n/www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/\nAERS/us_aers_nascio% 20Cybersecurity%20Study_10192012.pdf, 10.\n---------------------------------------------------------------------------\n    Governors can grant their chief information officers (CIOs) or \nCISOs the authority to develop and steer a coordinated governance \nstructure (for example, a task force, commission, or advisory body) \nthat can greatly improve coordination and awareness across agencies \nthat operate State-wide cyber networks. 
Such an approach also helps \nenable the CIO or CISO to take actions to prevent or mitigate damage in \nthe event of a cyber breach.\n    Michigan has created a centralized security department run by a \nchief security officer (CSO) that brings together both physical \nsecurity and cybersecurity. Directors, managers, and employees within \neach agency coordinate through the centralized governance structure to \nfocus on each agency's need for both physical security and \ncybersecurity. Governance of that type is especially important during \nan incident or a disaster. The approach allows the CSO and CIO to work \nclosely to manage the State's cyber networks and infrastructure and to \nensure that effective governance practices are in place.\n    Although a central authority is essential, it does not obviate the \nimportance of collaboration among local governments, nongovernmental \norganizations, and the private sector. Those relationships are \nessential to understanding the culture, operations, and business \npractices of various agencies and organizations with cyber assets \nwithin the State. In Michigan, for example, in addition to dedicated \nand full-time State employees in the Office of Cybersecurity, a risk \nmanagement team leverages many resources around the State to gather \ninformation and resolve an incident efficiently and effectively.\n    Minnesota is another example of a State that adopted a governance \nframework that stresses teamwork and communication between a \ncentralized information technology organization and stakeholders. The \nState CIO works collaboratively with the Governor, the Technology \nAdvisory Committee, and other agency leaders. 
Minnesota also has \nseveral governing bodies that have an agency CIO, providing a direct \nlink to the State CIO and operational decisions made at the different \nagency team levels.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ ``State of Minnesota IT Governance Framework,'' http://mn.gov/\noet/images/StateofMinnesotaITGovernanceFramework.pdf (June 2012).\n---------------------------------------------------------------------------\n    Recognizing the need to foster collaboration at all levels of \ngovernment and with the private sector, California recently created the \nCalifornia Cybersecurity Task Force. The task force focuses on sharing \ninformation to improve the security of Government and private-sector IT \nassets.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ ``California Launches Cybersecurity Task Force,'' http://\nwww.govtech.com/security/California-Launches-Cybersecurity-Task-\nForce.html (May 17, 2013).\n---------------------------------------------------------------------------\n    Conduct risk assessments and allocate resources accordingly.--\nGovernors and other key State actors need a comprehensive understanding \nof the risk and threat landscape to make accurate and timely decisions \nwhen allocating scarce resources. Without a comprehensive understanding \nof the risks, including the interdependencies among critical assets, \nStates are vulnerable to interruptions in business operations as well \nas financial and data losses. 
To gain this awareness, States must \ndevelop security strategies and business practices by conducting risk \nassessments that identify information assets, model different threats \nto those assets, and allow for planning to protect against those \nthreats.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ ``5 Steps to Cybersecurity Risk Assessment'' http://\nwww.govtech.com/security/5-Steps-to-Cyber-Security.html?page=1 (June \n24, 2010).\n---------------------------------------------------------------------------\n    In addition to establishing sound business practices and using \nexisting resources, States also must conduct hands-on activities and \nexercises as a part of their assessments. Those practices include \nregular penetration testing and vulnerability scanning and should be \nreferenced in security policies. States can take advantage of resources \nfrom Federal and private entities to conduct those activities. Once an \nindependent State-wide assessment has been conducted, Governors can \nmake necessary decisions on where scarce resources should be allocated \nto prevent the loss of essential information and resources and to \nprotect critical infrastructure and assets. The initial assessment also \nwill help determine the frequency of such assessments in the future, \nbased on the risk profile of agencies. As an example, agencies with \nsensitive citizen data might require annual assessments and quarterly \nfollow-up in their corrective action plan.\n    Additionally, Governors and their senior staff who have appropriate \nsecurity clearances should receive regular classified cybersecurity \nthreat briefings. The Department of Homeland Security (DHS) can assist \nStates in planning these briefings.\n    Implement continuous vulnerability assessments and threat \nmitigation practices.--Consistently monitoring threats and \nvulnerabilities will help Governors proactively defend cyber networks. 
\nEvery day, States are exposed to phishing scams, malware, denial-of-\nservice attacks, and other common tactics employed by cyber attackers. \nGovernors must ensure that mission-critical systems are equipped with \ntechnologies and have implemented business practices that will identify \npotential threats, track all stages of cyber attacks in real time, and \noffer mitigation techniques and options for any resulting loss or \ndamage.\n    Maryland leverages the cybersecurity capabilities of the Maryland \nAir National Guard 175th Network Warfare Squadron to support its \ncybersecurity assessments. State agencies participate in collaborative \nweb penetration training exercises with the Maryland Air Guard \nSquadron. The exercises that feature simulated attacks from malicious \noutsiders or insidious insiders are useful in evaluating the security \nof selected State websites and portals. Security issues uncovered \nthrough the penetration tests lead to technical and procedural \ncountermeasures to reduce risks. The Guard also provides network \nvulnerability assessment services to various State agencies while, in \nreturn, it receives beneficial training for the squadron's members. A \nnumber of other States have similar practices in place.\n    The Multi-State Information Sharing and Analysis Center (MS-ISAC) \nhas been designated by DHS as a key resource for cyber threat \nprevention, protection, response, and recovery for the Nation's State, \nlocal, territorial, and Tribal governments. Through its state-of-the-\nart Security Operations Center, available 24 hours a day, 7 days a \nweek, the MS-ISAC serves as a central resource for situational \nawareness and incident response. 
The MS-ISAC also provides State, \nlocal, Tribal, and territorial governments with managed security \nservices, which are outsourced security operations that include on-\ngoing monitoring of networks and firewalls for intrusions.\n    Another related resource available to State and local governments \nis DHS's newly-launched Continuous Diagnostics and Mitigation (CDM) \nprogram. The CDM program at the Federal level works by expanding \ndeployment of automated network sensors that feed data about an \nagency's cybersecurity vulnerabilities into a continuously updated \ndashboard. To support States in improving their capabilities to prevent \nand detect intrusions, the CDM has a blanket purchasing agreement that \nreduces the cost to States of purchasing tools and services that \nenhance their cybersecurity. It is important to note that such \npurchases are most effective when coordinated with MS-ISAC's managed \nsecurity services so as to maintain collective situational awareness \nacross State and local governments.\n    Ensure that your State complies with current security methodologies \nand business disciplines in cybersecurity.--States can turn to two \nindustry standards for a baseline of effective cybersecurity practices. \nFirst, the Council on CyberSecurity's Critical Controls for Effective \nCyber Defense is an industry standard that provides States with a \nsecurity framework that can strengthen their cyber defenses and \nultimately protect information, infrastructure, and critical assets. \nCompliance with that standard will provide a baseline of defense, deter \na significant number of attacks, and help minimize compromises, \nrecovery, and costs. 
The controls are based upon five guiding \nprinciples: Using evidence-based practices to build effective defenses, \nassigning priorities to risk reduction and protection actions, \nestablishing a common language that measures the effectiveness of \nsecurity, continuous monitoring, and automating defenses.\\5\\ The \ncontrols also identify key network components and how to secure them.\n---------------------------------------------------------------------------\n    \\5\\ ``CSIS: 20 Critical Security Controls,'' http://www.sans.org/\ncritical-security-controls/guidelines.php.\n---------------------------------------------------------------------------\n    The second standard is the Information Technology Infrastructure \nLibrary (ITIL). An ITIL is a set of practices for information \ntechnology service management (ITSM) that are designed to align \ninformation technology (IT) with core business requirements. The latest \neditions of ITIL, which were published in July 2011, form the core \nguidance of best management practices and can greatly strengthen \nStates' IT practices. The ITIL has been adopted by companies in many \nprivate-sector industries, including banking, retail services, \ntechnology, and entertainment. For States, an ITIL will help ensure \nthat States' IT assets correlate with their critical assets.\\6\\\n---------------------------------------------------------------------------\n    \\6\\ ``ITIL: The Basics,'' http://www.best-management-practice.com/\ngempdf/ITIL_The_Basics.pdf.\n---------------------------------------------------------------------------\n    Create a culture of risk awareness.--The best firewalls and most \nadvanced antivirus software cannot deter a cyber attack if the \nindividuals using a network are either careless or inattentive to basic \nsecurity practices. 
The strongest door and most secure lock will not \nkeep a burglar out if the door is left open or unlocked.\n    Governors have the opportunity to promote a culture of \ncybersecurity awareness that will help to minimize the likelihood of a \nsuccessful cyber attack. Building a strong cybersecurity culture means \nmaking individuals aware of the many risks and on-going threats facing \ntheir networks. Those individuals must understand the potential \nnegative implications of their activities or inattentiveness. To \ndevelop a strong cybersecurity culture, focus should be put on \nincreasing awareness, setting appropriate expectations, and influencing \nday-to-day security practices of end-users. Awareness can be created by \nincluding relevant training and content in the orientation process of \nnew staff as well as annual review of current staff. Expectations about \nusers' behaviors can also be set by adding cybersecurity components to \njob responsibilities.\n    However, creating a culture of awareness will be an on-going \nprocess that will require constant attention and on-going training. \nGovernors have the opportunity to use the bully pulpit to make \ncybersecurity the responsibility of all, including ordinary citizens. \nIn Delaware, State employees conduct cybersecurity presentations for \nelementary school students to reinforce the importance of internet \nsafety practices. The State also hosts video and poster contests that \nencourage the public to create materials that promote cybersecurity \nawareness.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ See http://www.dti.delaware.gov/information/\ncybersecurity.shtml.\n---------------------------------------------------------------------------\n    Effective awareness training and education for end-users is \nrecognized as the single most effective factor in preventing security \nbreaches and data losses. 
States such as Michigan have launched \nsecurity awareness training for all State employees and have posted on-\nline guides that are available to the public with the goal of reducing \nrisk.\\8\\ More than 50,000 users and partners are currently enrolled in \nMichigan's training program, an on-line interactive program consisting \nof a dozen 10-minute lessons. Other organizations, such as the MS-ISAC, \nalso offer training resources that are readily available on-line.\n---------------------------------------------------------------------------\n    \\8\\ See State of Michigan Security Office website.\n---------------------------------------------------------------------------\n    Michigan also has recently launched a research, test, training, and \nevaluation facility for cybersecurity and cyberdefense. In partnership \nwith State universities, the private sector, and State and local \ngovernments, Merit Network Inc., a 501(c)(3) nonprofit organization, \nbuilt and developed the state-of-the-art center to further advance \ncybersecurity training in Michigan. A wide variety of course offerings \nincludes certifications in incident handling, disaster recovery, \nforensics, and wireless security. Dozens of technical staff have \nalready completed training and received certifications.\n    In addition to offering training, States like Maryland conduct \ntable-top exercises to raise the awareness and response capabilities of \nkey State actors. Maryland, through the State's Emergency Management \nAdministration (MEMA), facilitated an initial cabinet-level table-top \nexercise in which cybersecurity and continuity of operations awareness \nand readiness were assessed. In addition to MEMA, DHS and the National \nSecurity Agency Cyber Command assisted in hosting this exercise.\nThe Path Forward\n    The actions described above are a first step for Governors to \nimprove cybersecurity for State-owned and -operated systems. 
However, a \nsecure cybersecurity fabric will require an enterprise-wide approach \nthat includes coordination and partnerships with critical \ninfrastructure owners and operators, private industry, and the public.\n    Over the course of the next year, the NGA Resource Center for State \nCybersecurity will issue a series of reports focusing on critical areas \nfor mid- to long-term actions Governors can take to strengthen their \nStates' cyber posture. Those areas include improving coordination \nbetween State and Federal governments, leveraging State fusion centers \nto respond to cyber threats, enhancing the cybersecurity of critical \nenergy systems and infrastructure, and developing a skilled \ncybersecurity workforce.\n    In addition to the work of the Resource Center, NGA also is leading \nefforts through the Council of Governors to collaborate with the \nDepartments of Defense and Homeland Security on how the National Guard \ncould be used to better protect both State and Federal networks. The \nNational Guard's unique role serving Governors and the President, \ncombined with its ability to attract and retain individuals who have \nfull-time employment in IT and related fields, makes it an ideal \nsolution to help address the shortage of highly-skilled personnel \nnecessary to protect critical networks and systems.\n    Across the country, several States have established National Guard \ncyber capabilities that are closely aligned with civilian agencies and \ncoordinate regularly with public utility commissions, owners and \noperators of critical infrastructure, and other public and private-\nsector partners.\n\nThe NGA Resource Center for State Cybersecurity is made possible \nthrough the generous support from our grant makers, including the \nAmerican Gas Association, Citi, Deloitte, Edison Electric Institute, \nGood Technology, Hewlett-Packard, IBM, Northrop Grumman, Nuclear Energy \nInstitute, Symantec, and VMware.\n\n    Mrs. Brooks. 
With that, I look forward to hearing from our \ndistinguished panel of witnesses.\n    The Chairwoman now will recognize the gentlelady from New \nYork, Ms. Clarke, for any opening statement she may have.\n    Ms. Clarke. I thank Chairwoman Brooks and Ranking Member \nPayne as well as Chairman Meehan for holding today's joint \nsubcommittee hearing.\n    We all know that cybersecurity is a matter of National, \neconomic, and societal importance. Present-day attacks on the \nNation's computer systems do not simply damage an isolated \nmachine or disrupt a single enterprise system, but current \nattacks target infrastructure that is integral to the economy, \nNational defense, and daily life.\n    Computer networks have joined food, water, transportation, \nand energy as critical resources for the functioning of the \nNational economy. When one of these key cyber infrastructure \nsystems is attacked, the same consequences exist for a natural \ndisaster or terrorist attack.\n    National or local resources must be deployed. Decisions are \nmade to determine where to deploy resources. The question is: \nWho makes these decisions?\n    The data required to make and monitor the decisions and the \nlocation of available knowledge to drive them may sometimes be \nunknown, unavailable, or both. Indeed, computer networks are \nthe central nervous system of our National infrastructure and \nthe backbone of emergency management is a robust cyber \ninfrastructure. These systems enable emergency management \nagencies to implement comprehensive approaches to natural \ndisasters, terrorist attacks, and law enforcement issues.\n    Mr. Payne has introduced a bill, the SMART Grid Study Act, \nthat will give a fuller picture of the smart grid's role and \nour reliance on it, especially during an event where emergency \nmanagement response is key to our resilience. 
I am glad to see \nthe strong support that the National Electrical Manufacturers \nhave given this bill and I especially look forward to their \ntestimony today.\n    There is a general lack of understanding about how to \ndescribe and assess the complex and dynamic nature of emergency \nmanagement tasks in relation to cybersecurity concerns. There \nare many issues involving knowledge integration and how to help \nmanagers improve emergency management task performance.\n    Ever since the first computer virus hit the internet it has \nbeen apparent that attacks can spread rapidly. Just as society \nhas benefited from the nearly infinite connections of devices \nand people through the U.S. cyber infrastructure, so have \nmalicious parties with the intent of taking advantage of this \nconnectivity to launch destructive attacks.\n    We must find a way to develop tools that we can use to \nimprove emergency management successes through effective \nhandling, cyber complexity, cyber knowledge, and cyber \nintegration at the ground level of our first responders.\n    Madam Chairwoman, I look forward to today's testimony and I \nyield back.\n    [The statement of Ranking Member Clarke follows:]\n              Statement of Ranking Member Yvette D. Clarke\n    We all know that cybersecurity is a matter of National, economic, \nand societal importance. Present-day attacks on the Nation's computer \nsystems do not simply damage an isolated machine or disrupt a single \nenterprise system, but current attacks target infrastructure that is \nintegral to the economy, National defense, and daily life.\n    Computer networks have joined food, water, transportation, and \nenergy as critical resources for the functioning of the National \neconomy. When one of these key cyber infrastructure systems is \nattacked, the same consequences exist for a natural disaster or \nterrorist attack.\n    National or local resources must be deployed. 
Decisions are made to \ndetermine where to deploy resources. The question is: Who makes these \ndecisions? The data required to make and monitor the decisions, and the \nlocation of available knowledge to drive them may sometimes be unknown, \nunavailable, or both.\n    Indeed, computer networks are the ``central nervous system'' of our \nNational infrastructure, and the backbone of emergency management is a \nrobust cyber infrastructure. These systems enable emergency management \nagencies to implement comprehensive approaches to natural disasters, \nterrorist attacks, and law enforcement issues.\n    Mr. Payne has introduced a bill, the Smart Grid Study Act, that \nwill give a fuller picture of the smart grid's role and our reliance on \nit, especially during an event where emergency management response is \nthe key to our resilience. I'm glad to see the strong support that the \nNational Electrical Manufacturers have given this bill, and I \nespecially look forward to their testimony today.\n    There is a general lack of understanding about how to describe and \nassess the complex and dynamic nature of emergency management tasks in \nrelation to cybersecurity concerns. And there are many issues involving \nknowledge integration and how it helps managers improve emergency \nmanagement task performance. Ever since the first computer virus hit \nthe internet, it has been apparent that attacks can spread rapidly.\n    Just as society has benefited from the nearly infinite connections \nof devices and people through the U.S. cyber infrastructure, so have \nmalicious parties with the intent of taking advantage of this \nconnectivity to launch destructive attacks.\n    We must find a way to develop tools that we can use to improve \nEmergency Management successes through effectively handling cyber \ncomplexity, cyber knowledge, and cyber integration at the ground level \nfor our first responders.\n\n    Mrs. Brooks. 
Thank you.\n    I thank the Ranking Member of the Subcommittee on \nCybersecurity, Infrastructure Protection, and Security \nTechnologies and I now turn to the Ranking Member for the \nEmergency Preparedness, Response, and Communications, the \ngentleman from New Jersey, Mr. Payne, for any opening \nstatements.\n    Mr. Payne. Thank you, Madam Chairwoman. Let me apologize \nfor my tardiness, but Amtrak didn't cooperate this morning, so \nI apologize for that.\n    I would like to thank Chairwoman Brooks and Chairman Meehan \nfor calling this hearing today.\n    Yesterday marked the 1-year anniversary of Super Storm \nSandy, which devastated communities all along the Eastern \nCoast, especially in my home State of New Jersey. Although the \npeople of New Jersey, with a lot of help from the Federal \nGovernment, have begun the long effort to rebuild what was \nlost, much work remains. I know that I am not alone when I say \nthat the people affected by Hurricane Sandy can be sure that \nmembers of this panel will continue to work to make sure that \nthe communities are rebuilt and the lessons learned are \nincorporated into future disaster plans.\n    With that, I will turn to the topic of today's hearing, \nresponding to cyber attack. Last month the Subcommittee on \nEmergency Preparedness, Response, and Communications held a \nhearing reviewing the findings of the Federal Emergency \nManagement Agency's 2013 National Preparedness Report. For the \nsecond year in a row, States indicated that of the 31 core \ncapabilities, cybersecurity is one of the capabilities about \nwhich they are least confident.\n    The threats posed by a cyber attack are not new, but the \nimpact of a cyber attack becomes more grave as every aspect of \nGovernment and the private sector becomes more reliant on cyber \ntechnologies. 
For example, communications essential to an \neffective emergency response, from the emergency alert system \nto E-911 and eventually FirstNet, all are vulnerable to cyber \nattack. The data networks and computer systems used to \ncoordinate an efficient response to ensure that adequate \nresources are deployed to the appropriate locations are \nsimilarly vulnerable to a cyber breach.\n    A cyber attack on any of these systems could severely \nundercut Federal, State, and local abilities to respond to \ndisasters effectively. Moreover, we have seen a significant \nincrease in cyber threats to our critical infrastructure.\n    We know that disasters like Super Storm Sandy can wreak \nhavoc on our power systems but rarely consider the harm that a \nmalicious cyber attack could do to our electrical grid. \nAccordingly, I have introduced the SMART Grid Study Act, which \nwill provide a comprehensive assessment of actions necessary to \nexpand and strengthen the capabilities of our electrical power \nsystems to prepare for and respond to, mitigate, and recover \nfrom a natural disaster or cyber attack to the electric grid. \nMy legislation will go a long way to provide sector-specific \nawareness of cyber vulnerabilities and how to address them.\n    We must help State governments undertake similar efforts to \nunderstand the cyber threats posed to their networks and how to \naddress them. It is no secret that a lack of funding has \ncontributed to the lack of confidence States have in their \ncybersecurity capabilities. I would be interested in learning \nhow cuts to homeland security grant funding since 2011 have \naffected States' cybersecurity efforts.\n    I have also heard that States have struggled to implement a \ngoverning structure for cybersecurity and that finding a \nworkforce with the appropriate training has proven difficult. 
\nSo I would be interested to learn how the Department of \nHomeland Security is helping States identify best practices for \nan effective cybersecurity governance structure and improve \ntraining for State cybersecurity workforces.\n    I look forward to learning more about how State emergency \nmanagers are working with State chief information officers to \nunderstand the role each plays in responding to a cyber \nincident.\n    I want to thank the witnesses for being here today and I \nlook forward to their testimony.\n    Madam Chairwoman, I yield back the balance of my time.\n    [The statement of Ranking Member Payne follows:]\n            Statement of Ranking Member Donald M. Payne, Jr.\n                            October 30, 2013\n    Yesterday marked the 1-year anniversary of Super Storm Sandy, which \ndevastated communities all along the East Coast, and especially in my \nhome State of New Jersey. Although the people of New Jersey--with a lot \nof help from the Federal Government--have begun the long effort to \nrebuild what was lost, much work remains.\n    I know I am not alone when I say that the people affected by \nHurricane Sandy can be sure that members of this panel will continue to \nwork to make sure that the communities are rebuilt and the lessons \nlearned are incorporated into future disaster plans.\n    With that, I will turn to the topic of today's hearing: Responding \nto a cyber attack. Last month, the Subcommittee on Emergency \nPreparedness, Response, and Communications held a hearing reviewing the \nfindings of the Federal Emergency Management Agency's 2013 National \nPreparedness Report. For the second year in a row, States indicated \nthat--of the 31 core capabilities--cybersecurity is one of the \ncapabilities about which they are least confident.\n    The threats posed by a cyber attack are not new. 
But the impact of \na cyber attack becomes more grave as every aspect of Government and the \nprivate sector becomes more reliant on cyber technologies. For example, \ncommunications essential to an effective emergency response, from the \nEmergency Alert System, to E9-1-1, and eventually FirstNet, are all \nvulnerable to a cyber attack.\n    The data networks and computer systems used to coordinate an \nefficient response and ensure that adequate resources are deployed to \nthe appropriate location are similarly vulnerable to a cyber breach. A \ncyber attack on any of these systems could severely undercut Federal, \nState, and local abilities to respond to disasters effectively.\n    Moreover, we have seen a significant increase in cyber threats to \nour critical infrastructure. We know that disasters like Super Storm \nSandy can wreak havoc on our power systems but we rarely consider the \nharm that a malicious cyber attack could do to our electric grid.\n    Accordingly, I have introduced the SMART Grid Act, which would \nprovide for a comprehensive assessment of actions necessary to expand \nand strengthen the capabilities of the electrical power system to \nprepare for, respond to, mitigate, and recover from a natural disaster \nor cyber attack to the electric grid.\n    My legislation will go a long way to provide sector-specific \nawareness of cyber vulnerabilities and how to address them. We must \nhelp State governments undertake similar efforts to understand the \ncyber threats posed to their networks and how to address them. It is no \nsecret that a lack of funding has contributed to the lack of confidence \nStates have in their cybersecurity capabilities.\n    I will be interested in learning how cuts to Homeland Security \nGrant funding since 2011 have affected State cybersecurity efforts. 
I \nhave also heard that States have struggled to implement a governance \nstructure for cybersecurity and that finding a workforce with the \nappropriate training has proven difficult.\n    So I will be interested to learn how the Department of Homeland \nSecurity is helping States identify best practices for an effective \ncybersecurity governance structure and improve training for State \ncybersecurity workforces. I look forward to learning more about how \nState Emergency Managers are working with State Chief Information \nOfficers to understand the role each plays in responding to a cyber \nincident.\n\n    Mrs. Brooks. Thank you.\n    Other Members of the subcommittee are reminded that opening \nstatements may be submitted for the record.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                            October 30, 2013\n    In 2010, former White House Counterterrorism Advisor Richard Clarke \nstated that this country's lack of preparation for a cyber attack could \nlead to a breakdown in our critical infrastructure system that would be \nlike an ``electronic Pearl Harbor.'' While some may consider his \nassessment a bit exaggerated, I think we would do well to remember it \nas we begin today's hearing.\n    We should also recall that in the 112th Congress, this committee \nmarked up cybersecurity legislation. Unfortunately, the Republican \nleadership of the House did not allow that legislation to come to the \nfloor of the House. In January, the President issued an Executive Order \nrequiring certain basic steps that will improve this Nation's ability \nto protect and defend against cyber attacks.\n    While I applaud the President's efforts, I must point out that an \nExecutive Order cannot expand existing legal authorities. 
In May of \nthis year, the Department of Homeland Security testified before this \ncommittee that the ``United States confronts a dangerous combination of \nknown and unknown vulnerabilities in cyberspace.'' DHS also told us the \nDepartment processed approximately 190,000 cyber incidents involving \nFederal agencies, critical infrastructure, and the Department's \nindustry partners--a 68 percent increase from 2011.\n    Mr. Chairman, I think that we should all have concern about cyber \nattacks on critical infrastructure--especially attacks that could \ndisable the electric grid. For most of us, spending a day or two \nwithout electricity is an inconvenience. For others, it can be a matter \nof life or death. That is why I am pleased that Rep. Payne, Jr. \nintroduced H.R. 2962, the SMART Grid Study Act. If enacted, the bill \nwill require a comprehensive study to examine the construction, job \ncreation, energy savings, and environmental protections associated with \nfully upgrading to a SMART Grid System. The information gathered in the \nstudy may help us reduce the frequency and severity of outages during \ndisaster events. I urge my colleagues to support this bill.\n    Still, there is more to be done. We cannot begin to address the \ncurrent threats or anticipate future vulnerabilities if we have not \ninvested in the kind of education and training necessary to develop the \nnext generation of cyber professionals. Federal, State, and local \ngovernments and the private sector are each vulnerable to cyber \nattacks. While the threats from and sophistication of hackers continue \nto grow, initiatives to address this mutual vulnerability must be \ncomprehensive and coordinated. This country's history has repeatedly \nshown that a shared commitment to a common goal is necessary to achieve \nprogress--from bringing electricity to the Nation to walking on the \nmoon. 
Today, the same kind of commitment and collaboration is necessary \nto address the cyber threat.\n    Like every previous movement that resulted in progress, this first \nstep must be education. That is why I am pleased that yesterday, this \ncommittee marked up Rep. Clarke's bill, H.R. 3107, the Homeland \nSecurity Cybersecurity Boots-on-the-Ground Act. This bill will help \nfoster the development of a National security workforce capable of \nmeeting current and future cybersecurity challenges, and it will \noutline how DHS can improve its recruitment and retention of \ncybersecurity professionals.\n    Mr. Chairman, I urge this committee to continue to put forward the \nkind of legislation that will help this Nation resolve our known \nvulnerabilities. More than any other committee, we must be on the \nforefront of proposing innovations and pushing forward common-sense \nsolutions.\n\n    Mrs. Brooks. We are pleased to have a very distinguished \npanel before us today on this important topic. So with that, I \nwill begin the introductions of our panelists.\n    Ms. Bobbie Stempfley is the acting assistant secretary of \nthe Office of Cybersecurity and Communications, where she plays \na leading role in developing the strategic direction for CS&C \nand its five divisions. Ms. Stempfley previously served as the \ndeputy assistant secretary for CS&C and as director of the \nNational Cybersecurity Division, a legacy CS&C division. Prior \nto her work at CS&C, Ms. Stempfley served as the chief \ninformation officer for the Defense Information Systems Agency.\n    Next on our panel is Mr. Charley English, who was appointed \ndirector of the Georgia Emergency Management Agency/Homeland \nSecurity in February of 2006. He has served in the agency since \n1996. 
He began his career in public service as a local police \nofficer in 1980.\n    Other current responsibilities include serving as the \npresident of the National Emergency Management Association, \nchair of the Governor's Commission on 9-1-1 Modernization, and \nState point of contact for the Nation-wide Public Safety \nBroadband Network. He earned a master's degree in homeland \ndefense and security from the Naval Postgraduate School in \n2004.\n    I now will yield to the gentleman from Mississippi, Ranking \nMember of our subcommittee, or I am sorry, vice chair of our \nsubcommittee, Mr. Palazzo, to introduce our next witness.\n    Mr. Palazzo. Thank you, Madam Chairwoman.\n    It is my pleasure to introduce Dr. Craig Orgeron. Dr. \nOrgeron is the chief information officer and executive director \nof the State of Mississippi's Department of Information \nTechnology Services. He also has the honor of serving as the \npresident of the National Association of State Chief \nInformation Officers.\n    Dr. Orgeron has over 24 years of information technology \nexperience in both the private sector and the Federal and State \nlevel of the public sector. He began his career as a \ncommunications computer systems officer in the United States \nAir Force, serving from 1988 to 1992.\n    Dr. Orgeron holds a bachelor's degree in management \ninformation systems, a master's degree and a doctorate in \npublic policy and administration from Mississippi State \nUniversity. Dr. Orgeron is a certified public manager and a \ngraduate of the John C. Stennis State Executive Development \nInstitute as well as the Institute of International Digital \nGovernment Research and the Harvard University John F. Kennedy \nSchool of Government executive education series ``Leadership \nfor a Networked World.''\n    Thank you, Dr. Orgeron, for being here today, and I look \nforward to hearing your testimony.\n    I yield back.\n    Mrs. Brooks. Thank you.\n    Next up is Mr. 
Mike Sena, who is the director of the \nNorthern California Regional Intelligence Center and serves as \npresident of the National Fusion Center Association. He has \nserved in law enforcement for nearly 20 years, including the \nCalifornia Bureau of Investigation Intelligence, the California \nBureau of Narcotics Enforcement, and the California Department \nof Alcoholic Beverage Control. Mr. Sena received his bachelor \nof arts degree in criminal justice from California State \nUniversity, San Bernardino.\n    I now recognize the gentleman from New Jersey, Ranking \nMember Payne, to introduce our next witness.\n    Mr. Payne. Thank you, Madam Chairwoman.\n    Paul Molitor serves as the assistant vice president of \nsmart grid and special projects for the National Electrical \nManufacturers Association. For 450 member companies of NEMA, he \nis responsible for monitoring the National smart grid effort \nand interfacing with electrical utilities, manufacturers, \nFederal agencies, and the U.S. Congress.\n    Paul was the first plenary secretary of the NIST Smart Grid \nInteroperability Panel, is active in the SGIP cybersecurity and \ninternet protocol working groups and the International \nElectrotechnical Commission Strategy Group 3 on the smart grid.\n    Welcome, sir.\n    Say that fast three times.\n    Mrs. Brooks. The witnesses' full written statements--I want \nto thank you all for your written statements--they will appear \nin the record. Just as a reminder with the lighting system, you \neach will have 5 minutes and when you get to 1 minute you will \nsee the yellow light and then the red light when your time is \nup.\n    So I will now recognize Ms. Stempfley for her 5 minutes.\n\n  STATEMENT OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY, \nOFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION \n AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Ms. Stempfley. 
Thank you very much, Chairwoman Brooks, \nChairman Meehan, Ranking Members Payne and Clarke, and \ndistinguished Members of the committee. It certainly is a \nprivilege to appear before you today to discuss the Department \nof Homeland Security's coordination with State, local, Tribal, \nand territorial emergency managers on cybersecurity issues.\n    As the Chairwoman pointed out, it is National Cybersecurity \nAwareness Month. In fact, it is the 10th anniversary of the \nbeginning of National Cybersecurity Awareness Month. This week \nis an important week for us because we also transition in \nNovember to National Critical Infrastructure Security and \nResilience Month, further demonstrating the alliance--the \nintegration and necessary responsibility for looking at cyber \nand physical issues in a cohesive and coherent manner.\n    This month of October is the month where we get to further \nengage in public and private-sector stakeholder conversations \nabout how to create a safe, secure, and resilient cyber \nenvironment. Everyone has a role to play in cybersecurity and I \nam pleased to discuss the Department's efforts to engage State \nand local emergency managers as they build cybersecurity \nresilience into the networks and systems which they depend on \non a daily basis.\n    America's cybersecurity is inextricably linked to our \nNational economic viability. IT systems are interdependent, \ninterconnected, and critical to our daily lives, from \ncommunications, travel, powering our homes, running our \neconomy, and obtaining Government services.\n    DHS serves as the lead civilian Department responsible for \ncoordinating National protection, prevention, mitigation, and \nrecovery from cyber incidents, and we work regularly with \nbusiness owners and operators to take steps to strengthen \nfacilities and communities including the Nation's physical and \ncyber infrastructure. 
We are also committed to ensuring cyber \nspace is supported by a secure and resilient infrastructure, \nenabling open communications, innovation, and prosperity while \nprotecting privacy, confidentiality, and civil rights and civil \nliberties by design.\n    Protecting this infrastructure against growing and evolving \ncyber threats requires a layered approach. The Government's \nrole in this effort is to share information and encourage \nenhanced security and resilience while identifying and \naddressing gaps not filled by the marketplace.\n    Providing effective cybersecurity services requires \nfostering relationships with those who own and operate \ncommunications infrastructure, members in the emergency \nresponder community, and Federal, State, local, Tribal, and \nterritorial partners. Indeed, as many of the communication \ntechnologies currently used by public safety and emergency \nservices organizations are moving to internet-based--protocol-\nbased environments, there is an increasing awareness of the \ncyber limitations and vulnerabilities that our emergency \nservice providers will face in the conduct of their mission. 
It is \nimportant, therefore, for the Department to engage not just \nwith chief information officers or chief information security \nofficers at the State and local level, but also the emergency \nmanagement and other officials for whom a cyber environment is \nequally important to accomplishing their mission.\n    The Department has initiated several activities focusing on \nensuring State, local, Tribal, and territorial emergency \nmanagers are able to build cybersecurity resilience into those \ninformation and technology networks and systems upon which they \ndepend.\n    Several of these efforts include production and delivery of \na cyber infrastructure risk assessment for both the Nation-wide \nPublic Safety Broadband Network and the emergency services \nsector; local pilot projects with emergency managers and \ncritical infrastructure partners to better understand \ninterconnections between those cyber and physical \ninfrastructures and potential risks presented to the Nation; \nupdating the National Emergency Communications Plan in \ncoordination with the public safety community, which will \ndiscuss how cybersecurity has become a key consideration for \npublic safety officials in these new IP-enabled technologies as \nthat is more readily integrated into their operations; and the \ndeployment of regionally-based advisors to promote \ncybersecurity awareness, program and policy coordination, \ninformation sharing, and risk analysis to their partners.\n    These cybersecurity advisors directly engage with State and \nlocal emergency centers; and partnerships with non-Federal \npublic-sector stakeholders to protect critical network--for \nexample, the Multi-State Information-Sharing and Analysis \nCenter, which opened its Cybersecurity Operations Center in \nNovember 2010 and has enhanced the Department's situational \nawareness at the State and local level and allows the \nDepartment to provide cyber risk, vulnerability, and mitigation \ndata quickly to 
State and local governments.\n    Specifically, since 2009 the National Cybersecurity and \nCommunications Integration Center has responded to nearly half \na million incident reports and has released more than 26,000 \nactionable cybersecurity alerts to public and private-sector \npartners. Of that, 7,270 were released in fiscal year 2013 \nalone. That is more than 20 a day.\n    DHS's servicing capabilities are designed to support \nemergency managers at all levels of engagement across \neducation, planning, cyber incident response, and recovery \nactivities. They are integral parts of reducing risk and \nbuilding capabilities of our partners. As necessary, these \nrelationships have to be leveraged in operational response \nefforts in order to meet those immediate and critical needs.\n    I thank you for the opportunity to testify with you today \nand I look forward to answering your questions.\n    [The prepared statement of Ms. Stempfley follows:]\n                Prepared Statement of Roberta Stempfley\n                            October 30, 2013\n    Chairwoman Brooks and Chairman Meehan, Ranking Members Payne and \nClarke, and distinguished Members of the committee, it is a pleasure to \nappear before you today to discuss the Department of Homeland \nSecurity's (DHS) coordination with State, local, Tribal, and \nterritorial (SLTT) emergency managers on cybersecurity issues. This \nOctober marks the 10th anniversary of National Cyber Security Awareness \nMonth, which is an opportunity to further engage public and private-\nsector stakeholders to create a safe, secure, and resilient cyber \nenvironment. 
Everyone has a role to play in cybersecurity and I am \npleased to discuss the Department's efforts to engage SLTT emergency \nmanagers as they build cybersecurity resilience into those networks and \nsystems upon which they depend on a daily basis.\n    America's cybersecurity is inextricably linked to our Nation's \neconomic vitality--IT systems are interdependent, interconnected, and \ncritical to our daily lives--from communication, travel, and powering \nour homes, to running our economy, and obtaining Government services. \nDHS is the lead Federal civilian department responsible for \ncoordinating the National protection, prevention, mitigation, and \nrecovery from cyber incidents and works regularly with business owners \nand operators to take steps to strengthen their facilities and \ncommunities, which include the Nation's physical and cyber \ninfrastructure. We are also committed to ensuring cyberspace is \nsupported by a secure and resilient infrastructure that enables open \ncommunication, innovation, and prosperity while protecting privacy, \nconfidentiality, and civil rights and civil liberties by design.\n            cybersecurity support to sltt emergency managers\n    Protecting this infrastructure against growing and evolving cyber \nthreats requires a layered approach. The Government's role in this \neffort is to share information and encourage enhanced security and \nresilience, while identifying and addressing gaps not filled by the \nmarketplace. Providing effective cybersecurity services requires \nfostering relationships with those who own and operate the \ncommunications infrastructure, members of the emergency responder \ncommunity, and Federal, State, local, Tribal, and territorial partners. 
\nIndeed, as many of the communications technologies currently used by \npublic safety and emergency services organizations move to an Internet \nProtocol (IP)-based environment, there is an increase in the cyber \nvulnerabilities of our emergency services providers in the conduct of \ntheir mission. It is important, therefore, for the Department to engage \nnot just Chief Information Officers (CIO) or Chief Information Security \nOfficers (CISO) at the SLTT level, but also the emergency managers and \nother officials for whom a secure cyber environment is equally as \nimportant to accomplishing their mission.\n    The Department has initiated several activities focused on ensuring \nSLTT emergency managers are able to build cybersecurity resilience into \nthose information and technology networks and systems upon which they \ndepend. Cyber dependencies and interdependencies require interactions \nbetween several different DHS organizations and SLTT partners in order \nto address this complex need. DHS has been forward-thinking as the \nreliance upon cyber systems has grown and our engagements have been on-\ngoing.\n                            previous efforts\n  <bullet> Regionally-Based Cybersecurity Advisors.--The Cybersecurity \n        Advisors (CSA) program was created and implemented by CS&C in \n        2010. The regionally-deployed personnel promote cybersecurity \n        awareness, program and policy coordination, information \n        sharing, and risk analysis to their partners, including \n        emergency managers. Over the last year, CSAs have had direct \n        engagement with 13 State or local emergency centers. 
In \n        addition, the Department has conducted Cyber Resilience Reviews \n        and assessments and provided support to numerous National \n        Security Special Events, including planning for events such as \n        the Super Bowl, and the G8 with the City of Chicago's Office of \n        Emergency Management & Communications.\n  <bullet> Emergency Services Sector Cyber Risk Assessment.--\n        Encompassing a wide range of emergency response functions \n        carried out by five disciplines,\\1\\ in 2012 the Emergency \n        Services Sector completed a Cyber Risk Assessment, which \n        provides a risk profile to enhance the security and resilience \n        of the Emergency Services Sector disciplines. It is an effort \n        to establish a baseline of cyber risks across the sector, to \n        ensure Federal resources are applied where they offer the most \n        benefit for mitigating risk, and to encourage a similar risk-\n        based allocation of resources within State and local entities \n        and the private sector. Emergency managers from local, State, \n        and Federal government actively participated in the development \n        process to ensure the assessment provided practical guidance \n        for the public safety community. 
The Department continues to \n        meet with officials from stakeholder associations such as the \n        National Emergency Management Association to discuss next \n        steps, including developing a workforce training program for \n        emergency managers in order to increase cybersecurity \n        capabilities within the emergency management community.\n---------------------------------------------------------------------------\n    \\1\\ Law Enforcement; Fire and Emergency Services; Emergency \nManagement; Emergency Medical Services; and Public Works.\n---------------------------------------------------------------------------\n  <bullet> Local Pilot Projects with Emergency Managers and Critical \n        Infrastructure Partners.--DHS is conducting three pilots to \n        better understand the interconnections between cyber and \n        physical infrastructure and the potential risks to the Nation. \n        The first pilot, initiated in 2012, worked closely with \n        Charlotte, NC emergency planners and neighboring communities to \n        examine how a potential cyber attack could disrupt \n        communications or other infrastructure operations. The work \n        provided additional ways for planners to mitigate potential \n        cyber impacts and, as a result of the pilot, commercial \n        facilities adopted additional security practices to shore up \n        potential weaknesses.\n    The second pilot is underway with the State of New Jersey examining \n        the interrelationship between IT, communications, and physical \n        security. The pilot involves five water and wastewater \n        facilities and has received praise from the State Office of \n        Homeland Security and our water sector partners. 
As a result of \n        initial findings, water facilities have taken immediate action \n        to mitigate previously unknown vulnerabilities.\n    The third pilot is a joint cyber-physical assessment of a Federal \n        facility in Washington, DC to develop a common approach for \n        identifying cybersecurity vulnerabilities affecting security \n        systems of Federally-protected facilities, including \n        electrical, HVAC, water, telecommunications, and security \n        control systems.\n    The lessons from these pilots have been incorporated into our \n        integrated physical and cyber Regional Resiliency Assessment \n        Program (RRAP). This is helping strengthen the partnership we \n        already have; build new relationships between SLTT CIOs, first \n        responders, and critical infrastructure owners and operators; \n        and lay the foundation for increased collaboration to increase \n        cybersecurity resilience.\n  <bullet> Nation-wide Public Safety Broadband Network (NPSBN) Cyber \n        Infrastructure Risk Assessment.--The development and deployment \n        of an IP-based network for public safety will represent a leap \n        forward in communications capabilities for first responders, \n        law enforcement, and other users of the NPSBN. However, the \n        move to such a network presents a challenge for the emergency \n        management community to identify threats to and vulnerabilities \n        of cyber infrastructure in the NPSBN that could affect the \n        network's reliability and security. DHS is working with the \n        First Responder Network Authority (FirstNet) and the public \n        safety community to identify cyber risks and develop potential \n        responses to those risks. 
In 2013, OEC developed the NPSBN \n        Cyber Infrastructure Risk Assessment to provide FirstNet with a \n        how-to guide to address the top cyber risks that the network \n        may face, and is now working with FirstNet to ensure a more \n        resilient network design that will integrate security and \n        resilience into the overall physical and cyber aspects of the \n        NPSBN.\n  <bullet> Cyber Threat Information Sharing.--In June 2013, DHS \n        established ``sharelines'' in compliance with Executive Order \n        (EO) 13636 and Presidential Policy Directive (PPD)-21 to help \n        increase the volume, timeliness, and quality of cyber threat \n        information shared with U.S. private-sector entities, to \n        include SLTT owners and operators, so that these entities may \n        better protect and defend themselves against cyber threats. \n        Sharelines ``facilitate the creation and dissemination of \n        unclassified cyber threat reports to targeted private-sector \n        entities owned or operating within the United States, as well \n        as Federal, State, local, Tribal, and territorial partners'' in \n        a timely manner.\n                            on-going efforts\n    DHS continues to build upon the relationships we have established \nthroughout the Emergency Services Sector through strategic and \noperational efforts to provide solutions to our SLTT partners. On-going \nefforts within DHS consist of:\n  <bullet> Update to the National Emergency Communications Plan.--DHS \n        is updating the National Emergency Communications Plan (NECP) \n        in coordination with the public safety community to enhance \n        planning, preparation, and security of broadband technologies \n        used during response operations. 
The Plan will discuss how \n        cybersecurity has become a key consideration for public safety \n        officials as new IP-enabled technology is increasingly \n        integrated into operations. The NECP will endorse a multi-\n        faceted approach to ensure the confidentiality, integrity, and \n        availability of sensitive data. For example, comprehensive \n        cyber training and education on the proper use and security of \n        devices and applications, phishing, malware, other potential \n        threats, and how to stay on guard against attacks will be \n        recommended.\n  <bullet> 9-1-1 Centers: Next Generation 9-1-1 and Telephonic Denial \n        of Service.--Updated 9-1-1 infrastructure utilizes public \n        voice, data, and video capabilities, which introduce new \n        vulnerabilities into 9-1-1 systems. Separately, 9-1-1 centers \n        have been targeted by telephonic denial of service (TDOS) \n        attacks that overwhelm Public Safety Answering Points' \n        administrative lines. These attacks inundate a 9-1-1 call \n        center with a high volume of calls, overwhelming the system's \n        ability to process calls and tying up the system from receiving \n        legitimate calls. DHS, through the NCCIC, has worked on the \n        development and dissemination of techniques for mitigating and \n        managing these TDOS attacks in order to allow emergency \n        management agencies to continue to provide these critical \n        services to the public.\n  <bullet> Protective Security Advisors (PSAs).--Within the Office of \n        Infrastructure Protection, PSAs serve as the nexus of our \n        infrastructure security and coordination efforts at the \n        Federal, State, local, Tribal, and territorial levels and serve \n        as DHS's on-site critical infrastructure and vulnerability \n        assessment specialists. 
PSAs have also been working with CS&C \n        to better coordinate assessments and, as a result, approximately \n        half of cybersecurity site assessments administered by CS&C \n        were conducted in tandem with PSAs--an example of how we are \n        working to better and more effectively integrate our physical \n        and cybersecurity efforts across NPPD and the Department.\n  <bullet> Multi-State Information Sharing and Analysis Center (MS-\n        ISAC).--DHS builds partnerships with non-Federal public-sector \n        stakeholders to protect critical network systems. For example, \n        the Multi-State Information Sharing and Analysis Center (MS-\n        ISAC) opened its Cyber Security Operations Center in November \n        2010, which has enhanced the National Cybersecurity & \n        Communications Integration Center (NCCIC) situational awareness \n        at the State and local government level and allows the Federal \n        Government to quickly and efficiently provide critical cyber \n        risk, vulnerability, and mitigation data to State and local \n        governments. Since 2009, the NCCIC has responded to nearly \n        half a million incident reports and released more than 26,000 \n        actionable cybersecurity alerts to our public and private-\n        sector partners.\n    Membership in the MS-ISAC consists of State and local CISOs and \n        other leadership from all 50 State governments, the District of \n        Columbia, 373 local governments, three territories, five \n        Tribes, and 24 educational institutions. It provides valuable \n        information and lessons learned on cyber threats, \n        exploitations, vulnerabilities, consequences, incidents, and \n        direct assistance with responding to and recovering from cyber \n        attacks and compromises. 
The MS-ISAC runs a 24-hour watch and \n        warning security operations center that provides real-time \n        network monitoring, dissemination of early cyber threat \n        warnings, vulnerability identification and mitigation, along \n        with education and outreach aimed to reduce risk to the \n        Nation's SLTT government cyber domain. This year the MS-ISAC \n        developed a plan to increase engagement with emergency managers \n        and fusion centers.\n                          operational efforts\n    Assuring the security and reliability of critical information \nnetworks is vital across all critical infrastructure sectors, including \nthe Emergency Services Sector, which is charged with saving lives, \nprotecting property and the environment, assisting communities impacted \nby disasters, and aiding recovery from emergencies. DHS is uniquely \npositioned to improve the cybersecurity posture of our stakeholders.\n              national protection and programs directorate\n    The Offices of the National Protection Programs Directorate \ninteract daily with State and local officials and emergency managers on \ncommunications and cybersecurity issues to strengthen infrastructure, \neducate citizens, and respond to and recover from on-line threats and \nattacks.\n  <bullet> Cybersecurity and Communications.--CS&C maintains an overall \n        focus on reducing risk to the communications and information \n        technology infrastructures and the sectors that depend upon \n        them, as well as providing threat and vulnerability information \n        and enabling timely response and recovery of these \n        infrastructures under all circumstances. 
We execute our mission \n        by supporting 24/7 information sharing, analysis, and incident \n        response through the National Cybersecurity Communications \n        Integration Center (NCCIC); facilitating interoperable \n        emergency communications through our Office of Emergency \n        Communications (OEC); advancing technology solutions for \n        private and public-sector partners; providing tools and \n        capabilities to ensure the security of Federal civilian \n        Executive branch networks; and engaging in strategic level \n        coordination for the Department with stakeholders on \n        cybersecurity and communications issues. Additionally, OEC has \n        strong ties to emergency managers through its outreach to \n        State-Wide Interoperability Coordinators (SWIC), who are State \n        officials and the primary points of contact for \n        communications interoperability issues. These produce State-\n        Wide Interoperability Plans which establish governance, \n        processes, and procedures to support first-responder \n        communication. These strong relationships also help SLTT \n        leverage other resources such as fusion centers.\n  <bullet> Office of Infrastructure Protection.--The Office of \n        Infrastructure Protection within NPPD leads and coordinates \n        National programs and policies on critical infrastructure, \n        including through implementation of the National Infrastructure \n        Protection Plan (NIPP). The NIPP establishes the framework for \n        integrating the Nation's various critical infrastructure \n        protection and resilience initiatives into a coordinated \n        effort, and provides the structure through which DHS, in \n        partnership with Government and industry, implements programs \n        and activities to protect critical infrastructure, promote \n        National preparedness, and enhance incident response. 
        As the
        NIPP is updated based on the requirements of Presidential
        Policy Directive 21, Critical Infrastructure Security and
        Resilience, NPPD will work with critical infrastructure
        stakeholders to focus the revision on enhanced integration of
        cyber and physical risk management, requirements for increased
        resilience, and recognition of the need for enhanced
        information-sharing and situational awareness. As we work to
        update the NIPP we will support the Emergency Services Sector
        to ensure that we inform first responders in their preparation
        for cyber incidents.
                  coordinated cyber/physical response
    While the National Cybersecurity Communications Integration Center
(NCCIC) processes incident reports, issues actionable cybersecurity
alerts, and deploys on-site incident response fly-away teams to
critical infrastructure organizations to assist with analysis and
recovery efforts of a cyber incident, the National Infrastructure
Coordinating Center (NICC) provides situational awareness of threats to
physical critical infrastructure, incident response support, and
business reconstitution assistance. In addition to this coordination,
as incidents or threats occur, PSAs living in communities across the
country provide the Department with a 24/7 capability to assist in
developing a common operational picture for critical infrastructure.
NPPD efforts to integrate physical and cybersecurity have provided
benefits during incidents including:
  <bullet> Hurricane Sandy.--NPPD operational efforts were able to
        facilitate much-needed fuel deliveries to critical
        telecommunication sites in lower Manhattan in order to fuel
        generators and keep the facilities operational in recent events
        like Hurricane Sandy.
        After PSAs were notified of the fuel
        supply shortage, NPPD provided analysis on the wide-spread
        impact if the telecommunications facility lost power, while the
        NCCIC worked with its public and private-sector partners to
        identify a fuel supply and coordinate its delivery to the
        critical site.
  <bullet> Boston Marathon Bombing.--OEC worked closely with public
        safety agencies in the Metro Boston Homeland Security Region
        and with the Commonwealth of Massachusetts on several key
        emergency communications initiatives prior to the 2013 marathon
        including observing public safety communications during
        previous marathons and events and offering suggestions to help
        strengthen the region's capabilities and improve coordination.
        Three years later, DHS saw many of the recommendations from
        this assessment in action in response to the bombings,
        including the region's use of a detailed communications plan
        (ICS Form 205) for the event that assigned radio channels to
        various agencies and functions.
                               conclusion
    DHS provides a variety of services and capabilities designed to
support emergency managers at all levels of engagement, across
education, planning, cyber-incident response, and recovery activities.
The services and capabilities are all integral parts of reducing risk
and building capacity of our SLTT partners. As necessary, those
relationships are leveraged in operational response efforts in order to
meet immediate, critical needs.
As technologies continue to advance and
the dependencies and interdependencies between the sectors and systems
continue to advance along with them, DHS will continue to work with
emergency managers in a holistic fashion to plan, prepare, mitigate,
and build resilience into those information and technology networks and
systems upon which they depend on a daily basis. Thank you for this
opportunity to testify, and I look forward to answering any questions
you may have.

    Mrs. Brooks. Thank you, Ms. Stempfley.
    The Chairwoman now recognizes Mr. English for 5 minutes.

   STATEMENT OF CHARLEY ENGLISH, DIRECTOR, GEORGIA EMERGENCY
 MANAGEMENT AGENCY, TESTIFYING ON BEHALF OF NATIONAL EMERGENCY
                     MANAGEMENT ASSOCIATION

    Mr. English. Thank you, Chairman Brooks, Chairman Meehan,
and Ranking Members Payne and Clarke, for your foresight in
having this hearing on bridging the gap between emergency
management and the cybersecurity profession.
    You know, in my profession we all have come to believe that
the cyber threat is a very real threat but what we disagree on
sometimes is what the extent of the consequences of that
particular threat could be, whether or not it is just a matter
of espionage or hackers trying to steal intellectual property
or nation-states trying to uncover some type of technology that
we have, or whether it is more of a theft of credit card and
bank accounts and things of that nature, or whether or not, as
Mr. Payne mentioned, the 9-1-1 system might be compromised in
the middle of an event.
    So we still have a differing opinion on that but the one
thing that we don't have a difference of opinion on, and that
is we can never again underestimate the creativity of those who
want to harm us.
Because if there is that will, they will find a
way, whether it is the lone hacker behind the computer screen,
whether it is a group of terrorists that want to compromise one
of our water treatment plants or dams, or if it is a
nation-state trying to threaten us, we know that it would be a big
mistake to underestimate that creativity and to underestimate
the organizational skills of our enemies.
    Of course in emergency management we are all about the
business of warnings and managing the consequences of an event.
As I was thinking about our friends in the cybersecurity
business I thought, you know, it would be great if we could
develop a relationship that exists between the CIOs in the
State and emergency managers and across the country that is
similar to that of the meteorologists. You know, that
relationship is on autopilot. They are monitoring the weather.
The conversation exists on a daily basis.
    I thought about, well, you know, we have forged a new
relationship in this country in the past 12 or 14 years with
the law enforcement and the intel community and the emergency
management profession. Early on that was a tough relationship
to forge because of the security clearances and the lack of
reciprocity and the whole information sharing and we were
putting together a clash of cultures, if you will, because the
emergency manager wants every agency and every person available
to help alleviate the pain and suffering after an event and to
help keep people out of harm's way. Naturally there are secrets
that need to be kept, and so sometimes there was a little clash
of cultures.
    But we have made tremendous progress in the past 12 or 13
years in that regard and I think the same is true with the
cybersecurity professionals and the emergency management
community. This is a relationship that will mature and it is
not a matter of that no one really wanted to--or didn't want to
work together.
I think everybody wanted to work together; we
just weren't sure how we were supposed to work together.
    So I think the challenge moving forward is not necessarily
to create a new agency or start a new grant program, but maybe
it is on us to teach one another about our professions and
foster that relationship for the betterment of our country.
    With that, I will yield the rest of my time. Thank you.
    [The prepared statement of Mr. English follows:]
                 Prepared Statement of Charley English
                            October 30, 2013
                              introduction
    Chairman Brooks, Chairman Meehan, Ranking Members Payne and Clarke,
and distinguished members of this panel--thank you for holding this
hearing today on one of the most critical issues currently facing our
Nation. Cybersecurity and the resultant vulnerabilities and
consequences could easily match the impact of any significant natural
disaster, so we must analyze these threats carefully and plan to manage
them accordingly.
    The establishment of this committee came about more than a decade
ago in the wake of an attack which came from an under-appreciated
threat. This morning, we stand at the precipice of another such
attack--one from a potentially nameless, faceless, and equally
under-appreciated adversary.
The threat of a cyber attack not only surrounds
us, but also poses the additional threat of compromising the response
and recovery efforts to the consequences of such an attack.
    Last summer, the Chairman of the House Intelligence Committee said
he expects what he called ``a catastrophic cyber attack in the next 12
to 24 months.''
    Earlier this year, former Secretary Napolitano said an incident on
the scale of September 11 could happen ``imminently.''
    The Defense Science Board went even further saying ``coming cyber
attacks could present an existential threat to the country.''
    As emergency managers, we operate in a world of consequence
management. Accordingly, we must understand threats, protect
vulnerabilities, and know how to manage consequences. As we examine the
cyber threats facing this Nation, we cannot fall into a September 10,
2001, mindset. Our actions must be pro-active and consider all
potential outcomes. We must never say, ``it cannot happen here'' nor
shall we fear being labeled an ``alarmist'' by merely acknowledging the
potential devastating consequences of this already validated threat.
                               the threat
    Plenty of experts remain ready and willing to provide thoughts and
hypotheses regarding the current cybersecurity threat. The
vulnerabilities and resulting consequences we face in these threats
represent the ``bottom-line'' for the emergency management community.
Vulnerabilities are points of attack and weaknesses to be exploited.
The emergency management community must address the consequences of
vulnerabilities being exploited, not just the existence of
vulnerabilities themselves.
In his report to Congress of March 12,
2013, Director of National Intelligence James Clapper outlined how ``we
are in a major transformation because our critical infrastructures,
economy, personal lives, and even basic understanding of--and
interaction with--the world are becoming more intertwined with digital
technologies and the internet.''
    Such analyses are especially concerning as we continue witnessing a
metamorphosis of the cyber threat. Once a means by which to conduct
espionage and steal information, the realm of cybersecurity must now
include an analysis on the security and viability of our critical
infrastructure. At the RSA Cybersecurity Conference on March 1, 2012,
former FBI Director Robert Mueller stated ``to date, terrorists have
not used the internet to launch a full-scale cyber attack. But we
cannot underestimate their intent. In one hacker recruiting video, a
terrorist proclaims that cyber warfare will be the warfare of the
future.'' Only through good fortune have organized terrorist groups not
yet taken a greater interest in cyber attacks. But such a day is
certainly coming.
    Earlier this year, Anonymous petitioned the White House to
recognize hacking attacks as a legitimate form of protest. Their
solicitation argued hacking is no different than marching in an Occupy
Wall Street protest. We must consider how such an approach can be
combatted through our current systems and processes. Even though some
experts believe Anonymous represents no true threat, others believe
such an organization could bring down part of the U.S. electric power
grid. Most recently, the homeland security community has been concerned
with and has devoted significant resources to combatting Homegrown
Violent Extremists (HVE).
It is reasonable to conclude that these
individuals, acting alone or in small groups, certainly have the
motivation and expertise to conduct a cyber attack.
    Unfortunately, cyber threats represent risks far more diverse than
most any other we face. While nation-states like Iran present a
significant cyber threat, the greatest cyber threat from a nation
likely comes from China where hacking stands as an official policy.
Just recently, the Chief of Staff of the People's Liberation Army put
the cyber threat into perspective when he suggested such an attack
could be as serious as a nuclear bomb. Even though in his report to
Congress Director Clapper said ``advanced cyber actors--such as Russia
and China--are unlikely to launch such a devastating attack against the
United States outside of a military conflict or crisis that they
believe threatens their vital interest,'' the threat alone should be
enough to garner the attention of the homeland security and emergency
management community.
               addressing vulnerabilities & consequences
    Emergency managers stand increasingly concerned regarding the
inter-connectedness of the threat and everyday life in America.
Citizens can evacuate in anticipation of a hurricane. Strong building
codes and safe rooms can protect lives in anticipation of earthquakes
or tornadoes. But as we consider the breadth and depth of our reliance
on the cyber infrastructure, the emergency response efforts regarding
consequence management could easily overwhelm local, State, and Federal
assets due to the interdependencies of critical infrastructure and key
resource protection as well as the ease of vulnerability exploitation
from a cyber attack.
Consider this short list of potential hazards and
vulnerabilities:
  <bullet> Computer-controlled dams protecting a low-lying community,
  <bullet> National power grids and nuclear power plants,
  <bullet> Emergency Alert Systems (EAS) and 9-1-1 systems,
  <bullet> Traffic systems utilized to evacuate a population,
  <bullet> Banking systems ranging from Wall Street to basic on-line
        transfers and ATM withdrawals,
  <bullet> The National airline and air traffic control network,
  <bullet> Complex and simple communications systems from Emergency
        Operations Centers to the basic smartphone, and
  <bullet> Water supply networks and waste management systems.
    Even many of today's commonly-used Global Positioning System (GPS),
which relies heavily on a cyber structure, represents a potential
target vulnerable to attack. Taken by themselves, each of these threats
could have devastating effects. But emergency managers must consider a
potential event impacting any number of combinations of these systems.
    The connectivity of systems today makes the consequences of a cyber
attack more significant at all levels of government and throughout the
private sector. Admittedly, emergency managers often defer
cybersecurity issues to information technology (IT) officials; yet
State IT professionals and other leaders will rely on emergency
managers to respond to the consequences of an attack. The emergency
management and IT communities must establish relationships and engage
in coordinated planning and information sharing long before an event
occurs.
    States such as Michigan continue taking a keen interest in how to
manage the cybersecurity threat.
Through robust coordination and
planning at the State level, Michigan approaches cybersecurity with the
same concepts as those employed when preparing for and responding to
natural or terrorist threats.
    The Michigan Cyber Initiative brings together many State agencies
including the Michigan National Guard, State Police, and Department of
Technology, Management, and Budget in a coordinated effort to enhance
detection of cyber attacks and integrate response systems. The Michigan
Cyber Initiative integrates the Michigan Cyber Command Center, Michigan
Cyber Defense Response Team, and Michigan Intelligence Operations
Center to enhance prevention, early detection and rapid response, and
control, management, and restoration. The Michigan Online Cyber Toolkit
raises awareness and preparedness for all the components of the cyber
ecosystem. The toolkit provides best practices and easy steps for
safeguarding a vulnerable environment. It also offers the chance for
users to quiz themselves, download posters and calendars, and obtain
tip sheets on how to solve on-line problems. The toolkit is broken down
by sectors including homes, businesses, Government, and schools.
    Michigan is clearly working hand-in-hand with various components in
ensuring the addressing of cybersecurity across all disciplines. Even
as these relationships continue developing in other States, however, we
must examine how the consequences of a cyber attack will be addressed.
Furthermore, we must complete an honest assessment of necessary
authorities and whether they represent adequate resources to respond to
such an attack.
                          current authorities
    As NEMA received briefings on the Quadrennial Homeland Security
Review (QHSR) of the Department of Homeland Security (DHS), we
inquired as to whether the Department would examine physical impacts of
cybersecurity.
They informed us that while the QHSR would include some
examination of the consequences of a cyber attack, the Department's
analysis of past cyber attacks reveals very few physical impacts
constituting a significant threat to safety and life. We want to ensure
that all potential consequences of a cyber attack are thoroughly
considered. We feel like anything less is short-sighted and
underestimates the ability and creativity of the enemy whether the
enemy is foreign or domestic. Our country has on several occasions
witnessed the creativity of those who are intent on harming us. There
have been shoes, printer cartridges, underwear, and pressure cookers
used as bombs and, of course, airplanes used as missiles.
    But even States struggle in addressing this threat. In a survey
completed in February of this year, NEMA learned:
  <bullet> 79.1 percent of States interpret the consequences of a cyber
        attack under statutes as ``All Hazards'' versus 20.9 percent
        which list it as a specific hazard.
  <bullet> 62.8 percent of States do not maintain a law
        enforcement-specific component to any of the State statutes
        relating to cyber-response.
  <bullet> No clear best practice exists in assigning responsibility of
        coordination of resources to prepare for, respond to, or
        recover from a cyber attack with only 41.9 percent of States
        citing such a directive. Of the 41.9 percent, responsibility
        ranges from the emergency management to IT, homeland security,
        and the fusion center.
    With States remaining somewhat unclear on the appropriate course of
action, the current lack of a cohesive National strategy at the Federal
level is not surprising.
We hope that as the response strategy matures the
Federal Government will not over-bureaucratize the process and bury
State and local governments in a sea of reports, guidance documents,
and processes.
    We think it is prudent to continue the insistence on metrics and
return on investment calculations on the millions of dollars in
initiatives funded at DHS. Some organizations, however, such as the
Office of Cybersecurity and Communication (CS&C) within DHS continue
admirable work in their outreach to State and local officials. The
effort must be comprehensive and coordinated in order to ensure all the
nuances of the threat receive appropriate attention. Federal efforts
must be structured in concert with States and locals rather than
adopting a top-down approach.
    But underlying statutory authorities are equally unclear. During
the NEMA Annual Emergency Management Policy & Leadership Forum in
Seattle, Washington last year, a panel of experts addressed the
statutory issue. According to the panelists including a former Adjutant
General, a DHS Deputy Assistant Secretary, and several State Homeland
Security Advisors, the Civil Defense Act of 1950 (81-950) represents
the only law potentially applicable to a potential cyber attack. Since
the original intent of this Act provided for the response to a nuclear
attack from the Soviet Union, the time to explore the efficacy of our
current statutory authorities is now. Current statutory authorities are
lacking regarding cyber attacks and are currently under revision;
however, the recent remark by President Obama that a cyber attack can
now be classified as an ``act of war'' significantly changes the
``environment.'' This recent change should be taken into consideration
when speaking of statutory authorities and can be used to further
illustrate the fluid and uncertain nature of the issue.
    Most emergency managers will turn to the Robert T.
Stafford
Disaster Relief and Emergency Assistance Act (Pub. L. 92-288). Unless
the consequences of a cyber attack truly have catastrophic and physical
consequences, however, the Stafford Act will be limited. Unfortunately,
too many of the legislative fixes currently under consideration in
Congress only address the prevention and preparedness side of
cybersecurity. While the pre-event aspects of cybersecurity maintain a
high level of importance, so too will the post-event considerations.
                             moving forward
    The purpose of this hearing is to ensure consequence management
resulting from a cyber attack is recognized as a priority with emphasis
equal to preparedness measures. As Congress considers legislative
options, the needs of the State and locals ultimately responsible for
the consequences of a cyber attack must be first and foremost. In May
of last year, NEMA joined with the American Public Works Association,
Council of State Governments, International City/County Management
Association, National Association of Counties, National Association of
State Chief Information Officers, National Association of
Telecommunications Officers and Advisors, National Conference of State
Legislatures, the National League of Cities, and the International
Association of Emergency Managers to ask Congress for your
consideration of key principles and values when considering
cybersecurity legislation. The outlined principles and values include:
    1. State and local governments must be viewed as critical
        stakeholders in National cybersecurity efforts.--Both execute
        programs overseen and funded by Federal agencies, and
        frequently are custodians of Federal data. They also operate
        and manage critical infrastructure including data centers and
        networks which are necessary for basic homeland security and
        emergency management functions.
        Therefore, the Federal
        Government must work with State and local government to share
        threat information and to provide technical support to protect
        computer networks and other related critical infrastructure.
    2. The Federal Government must avoid unfunded mandates on State and
        local partners.--Public budgets are still strained at all
        levels of government, and while State and local stakeholders
        wish to contribute to the overall cybersecurity effort, the
        ability to independently fund initiatives at this time is
        unlikely. Likewise, Federal program requirements and directives
        have traditionally hindered State and local governments from
        potentially achieving economies of scale.
    3. Federal, State, and local governments should collaborate to
        invest in cybersecurity awareness, education, and training for
        public-sector employees, contractors, and private citizens.
    4. The civil liberties and privacy of all citizens must be
        maintained while also establishing the safety and stability of
        the internet and electronic communications.--This is especially
        critical as governments continue to expand on-line and
        electronic services. Safeguarding public-sector data that
        includes personal information of citizens will require
        cooperation and collaboration on data standards and
        cybersecurity methodology at all levels of government.
    5. Many Federal initiatives fund internet and information security
        programs.--However, without cross-cutting communication and
        coordinated assets, the efforts will not realize maximum
        efficiency and impact.
        If there are privacy and security
        requirements that are pre-conditions of Federal programs and
        funding they must be uniformly interpreted and implemented
        across all agencies and levels.
    Earlier this year, NEMA attempted an effort to address
cybersecurity consequences simply from the emergency management
standpoint. A workgroup comprised of many NEMA members has worked since
March in developing a doctrine for emergency management directors to
consider. Unfortunately, even this effort proved more difficult than
originally anticipated, and instead of continuing alone, NEMA has since
joined forces with the National Governors Association (NGA) in their
cybersecurity efforts.
    NGA recently released a ``Call to Action for Governors for
Cybersecurity.'' The document outlines guiding principles, immediate
actions to protect States, provides multiple examples from various
States, and discusses a path forward. The guiding principles include
supporting Governors, remaining actionable, reducing complexity,
protecting privacy, employing technologically-neutral solutions,
promoting flexible federalism, generating metrics, and promoting the
use of incentives. NEMA looks forward to continuing our work with NGA
as this complex issue gains increased attention.
    The combined capacity of Federal, State, and local governments to
adequately safeguard the Nation's critical infrastructure systems
remains essential to ensuring effective operations across the full
spectrum of the threats we face. Furthermore, in order for communities
to effectively manage emergency situations, cyber systems must be
resilient to acts of terrorism, attacks, and natural disasters.
                               conclusion
    Cybersecurity represents the most complex threat and advanced
vulnerabilities we as a Nation face.
We must ensure consequence
management resulting from a cyber attack is recognized as a priority
with emphasis equal to preparedness measures. The challenge for all of
us will be to examine it through a new prism, for we will fail if we
respond the same way as always. This is not a traditional threat and
reaches across sectors of our society which may have never before
worked together. Cyber threats can only be addressed through
collaboration, planning, and a deep understanding of the potential
consequences. For if we fail either through prevention or response, the
impacts truly could be disastrous.
    Thank you.

    Mrs. Brooks. Thank you, Mr. English.
    The Chairwoman now recognizes Dr. Orgeron for 5 minutes.

    STATEMENT OF CRAIG ORGERON, CIO AND EXECUTIVE DIRECTOR,
    DEPARTMENT OF INFORMATION TECHNOLOGY SERVICES, STATE OF
 MISSISSIPPI, TESTIFYING ON BEHALF OF NATIONAL ASSOCIATION OF
                STATE CHIEF INFORMATION OFFICERS

    Mr. Orgeron. Thank you Chairs Brooks and Meehan, Ranking
Members Payne and Clarke, and Members of the committee, for
inviting me to speak today. I am truly honored by the
invitation.
    As the executive director of the Mississippi Department of
ITS, Information Technology Services, as well as president of
the National Association of State Chief Information Officers,
better known as NASCIO, I can report that each year States are
facing greater numbers of evolving and sophisticated cyber
threats. The State of Mississippi's IT systems, like systems
from all States, face cyber attacks ranging from a few thousand
attempts to as many as 10 million a day--some domestic, many
international.
To win this on-going battle, State IT experts
have to be right every time while hackers need to be only right
once.
    As these attacks continue to grow more sophisticated, both
public and private-sector entities will need to develop better
tools and increase collaboration to both deter attacks and plan
a coordinated response to contain the damage from successful
attacks. This ultimately requires a multi-sector approach with
all levels of Government and private industry working together.
    State CIOs are, indeed, at the table in securing State
systems. Each year NASCIO surveys its membership. Our 2013
survey, which I have attached to my written testimony, shows
how State CIOs are taking important steps toward building a
more secure State IT environment. However, there are still
known gaps.
    According to our survey data, the State CIO role in
disaster recovery appears to be increasing yearly. State CIOs
generally coordinate with other State officials in restoring
and maintaining infrastructure and communication services to
help their State respond to and recover from natural and
man-made disasters. When asked about their concerns, State CIOs put
increasingly sophisticated threats to their systems followed
closely by a lack of funding and inadequate availability of
security professionals at the top of their list.
    As the Federal Government and private sector ramp up their
defenses against sophisticated hackers, State governments are
becoming prime targets of foreign state-sponsored entities and
international crime syndicates. These hackers can remain in
State systems monitoring data and waiting to unleash
significant harm.
In worst-case scenarios, a sophisticated hack
on public safety systems or critical infrastructure could
coincide with a physical attack or a natural disaster to impede
the ability of authorities to respond to one or both events.
    It is well-known that when compared with the private sector
and the Federal Government, States do not have comparable
resources and tools to provide similar levels of protection to
their systems despite the fact that they often maintain the
same sensitive information and key critical infrastructure.
This is only partly a financial issue; it is also a policy and
a skilled personnel issue. On the latter two fronts, there is a
great deal the Federal Government can do to help State
governments improve preparedness and respond to cyber attacks.
    I have included many of NASCIO's policy recommendations in
my testimony but here are five areas: First, flexibility at the
State level. Federal resources in support of States must
respect and bolster the State organizations. Public-sector
cybersecurity is in its infancy.
Best practices must be shared
but diverse approaches, particularly when it comes to
governance, information sharing, and methodology, should be
nurtured.
    Second, increasing the workforce: Expanding Federal
scholarships to study cybersecurity in exchange for working
several years in the Federal Government or for State or local
governments has a two-fold benefit of both better protecting
our citizens and expanding available talent pools of
cybersecurity experts.
    Third, modernizing Federal regulations: Congress should
consider working with NASCIO and the States to update the
Federal Information Security Management Act, or FISMA, with
cybersecurity rules that better conform to universal,
outcome-based standards that would provide both Federal agencies and
States with better security as well as greater efficiencies.
    Updating homeland security funding: Efforts to utilize
existing Federal programs to better State governments in
protecting the Nation against cyber attacks should also be
explored. More than 10 years out from September 11, 2001,
homeland security grants should be reformed to reflect the
current threats faced by our States and localities.
    Last, applying what we know: NASCIO believes the National
Cybersecurity Review, or NCSR, is an excellent opportunity to
review our National preparedness and provide resources and
technical assistance to fill the gaps in our defenses. Holding
hearings such as this one and finding ways to share information
and resources will be crucial moving forward.
    We ask that Congress continue to work with the States in
identifying ways to protect our Nation's digital assets.
    Thank you for the opportunity to testify and your time
today.
    [The prepared statement of Mr.
Orgeron follows:]\n                  Prepared Statement of Craig Orgeron\n                            October 30, 2013\n    Thank you Chairs Brooks and Meehan, Ranking Members Payne and \nClarke, and Members of the committee, for inviting me to speak to you \ntoday. I am honored by the invitation. As we wrap up Cybersecurity \nAwareness Month it is timely that we are having this hearing on one of \nour Nation's most significant vulnerabilities.\n    As executive director of the Mississippi Department of Information \nTechnology Services (ITS), as well as president of the National \nAssociation of State Chief Information Officers, better known as \nNASCIO, I can report that each year States are facing greater numbers \nof evolving and sophisticated cyber attacks. In addition to States \nserving as a repository of sensitive data about our citizens and \nhomeland, States increasingly utilize the on-line environment to \ndeliver vital services, maintain critical infrastructure such as public \nutilities, and ensure our first responders receive the data they need \nin crisis situations. State government IT systems are a vital component \nof the Nation's critical infrastructure.\n    Today, with this testimony, I want to provide the committee \ninformation on the readiness of our State governments to defend against \nand respond to major cyber attacks, as well as opportunities to \ncollaborate to minimize the risk to our Nation. I hope to give you a \nsense of the threat landscape and how States and the Federal \nGovernment, along with the private sector, can work together to better \nsecure our homeland.\n    State governments are at risk from a host of new and aggressive \nsecurity threats that require a formal strategy, adequate resources, \nand constant vigilance. 
Cybersecurity continues to be one of the major
``hot button'' issues for State CIOs and one that receives increasing
attention from Governors and other elected officials.
    State CIOs are taking the lead in securing State systems. According
to NASCIO's 2013 survey of State CIOs conducted in collaboration
with TechAmerica and Grant Thornton LLP, significant improvements have
been made in the last few years. Over three-quarters of States have
adopted a cybersecurity framework, implemented continuous vulnerability
monitoring capabilities, and developed security awareness training for
employees and third-party contractors. These are key steps toward
building a more secure State cyber environment. Unfortunately, less
than half of States are documenting the effectiveness of the
cybersecurity program they have in place, and even fewer have developed
a cybersecurity disruption response plan.
    In the same survey, CIOs were asked about the major barriers they
faced in addressing cybersecurity. The increasing sophistication of
threats, followed closely by a lack of funding and inadequate
availability of security professionals, topped the list. Additionally,
the survey data reveals that only 8 percent of States have implemented
identity and access management of State data systems across the
enterprise, although 42 percent of respondents noted an in-process
implementation.
    The State CIO role in disaster recovery appears to be increasing
each year. According to the NASCIO 2013 survey almost two-thirds of
States pursue a federated strategy to disaster recovery, with
responsibilities split between the CIO and State departments and
agencies. The survey also queried State CIOs regarding their role in
helping their State respond to and recover from a natural or man-made
disaster.
The survey results show almost all CIOs see their role as one
of coordinating with other State officials and restoring and
maintaining infrastructure and communications services. I have attached
the full results of this survey to my testimony today, along with the
2012 Deloitte-NASCIO Cybersecurity Study entitled ``State governments
at Risk,'' for your further review.*
---------------------------------------------------------------------------
    * The information has been retained in committee files.
---------------------------------------------------------------------------
    The State of Mississippi's IT systems, like systems from all
States, face cyber attacks every day, ranging from a few thousand
attempts to as many as 10 million per day--some domestic, many
international. To win this on-going battle, State IT experts have to be
right every time, while hackers need to only be right once. As these
attacks continue to grow more sophisticated, both public and private-
sector entities will need to develop better tools and increase
collaboration to both deter attacks and plan a coordinated response to
contain the damage from successful attacks. This ultimately requires a
multi-sector approach, with all levels of government and private
industry working together. Securing systems in cyberspace, and
responding to successful hacking attempts, has little in common with
traditional emergency management after a disaster. Advanced cyber
threats are much more akin to an aggressive, new strain of virus: The
threat is diffuse, and almost impossible to prevent before it comes
into being.
In addition, just like a new viral strain, it takes time to
properly identify and contain the virus, educate the populace about how
to avoid contracting it, and treat those infected.
    As the Federal Government and private sector ramp up their defenses
against sophisticated hackers, State governments are becoming a prime
target of foreign, state-sponsored entities, and international crime
syndicates. Sophisticated hackers may hide in IT systems for years--
creating what is referred to as an ``advanced persistent threat.''
These hackers can remain in State systems monitoring data and waiting
to unleash significant harm to our Nation's financial systems,
transportation systems, supply chain, and key utilities such as the
electrical grid, and pipelines, to name a few. In worst-case scenarios,
a sophisticated hack on public safety communication systems or critical
infrastructure could coincide with a physical attack or natural
disaster to impede the ability of authorities to respond to one or both
events.
    Elected leaders at all levels have come to understand that
cybersecurity is a significant issue that requires their attention. The
National Governors Association (NGA) is working with the National
Emergency Management Association (NEMA), NASCIO, and members of the
private sector, to build upon this greater understanding. Based on this
collaboration, NGA released ``A Call to Action for Governors for
Cybersecurity,'' which provides strategic recommendations Governors can
immediately adopt to improve their State's cybersecurity posture. By
gaining support from the Governor's office, a State can tackle key
issues of governance and create an authority structure that builds
comprehensive cybersecurity across the State enterprise.
It is well-
known that when compared with the private sector and the Federal
Government, States do not have comparable resources and tools to
provide similar levels of protection to their systems, despite the fact
that they often maintain the same sensitive information and key
critical infrastructure.
    This is only partially a financial issue--it is also a policy and
skilled personnel issue. On the latter two fronts, there is a great
deal the Federal Government can do to help State governments improve
preparedness and response to cyber attacks.
    On policy, perhaps the single key to ensuring a substantial attack
does not blindside us is the Federal Government facilitating greater
information sharing between Federal agencies, the private sector, and
State and local partners. NASCIO believes the implementation of
Executive Order 13636 and Presidential Policy Directive 21 will be a
first step to achieving these goals.
    As each State's cybersecurity level of maturity and governance is
different, NASCIO would be concerned about any effort by the Federal
Government to designate a single State entity as the responsible point
for sharing and disseminating information between State and Federal
entities. Such decisions should ultimately be left to each State's
Governor to fit their model of cyber governance. Just as each State has
different geography and vulnerabilities to extreme weather or man-made
disasters, State Information Technology systems and the governance of
those IT systems are very different. Federal resources and support to
States must respect and bolster the State organizations.
    States rely on multiple external resources for threat information,
such as the Multi-State Information Sharing and Analysis Center (MS-
ISAC), United States Computer Emergency Readiness Team (US-CERT), and
FBI's InfraGard.
States then act on this information through various
channels: Some States have built a sophisticated cyber capacity at
their State fusion center, others have bolstered the authority of their
Office of Information Technology, and some coordinate with a cyber
division of their State National Guard. The Federal Government should
support all these approaches. Public sector cybersecurity is in its
infancy; best practices must be shared, but diverse approaches--
particularly when it comes to governance and methodology--should be
nurtured.
    Due to the diverse landscape at the State level, the Federal
Government must be as inclusive as possible in disseminating threat
information, and work outside the public safety and intelligence
sector's traditional one-to-many comfort zone. Cybersecurity works best
when more people have an understanding of the threats. Therefore,
NASCIO and its members applaud the on-going effort to provide greater
declassification of cyber threat information. We hope this will be
followed by a collaborative effort to standardize information exchange
models for sharing threat data.
    Classified threats will always exist, though, and therefore,
greater access to classified information is needed at the top echelons
of State government. As of now, the U.S. Department of Homeland
Security (DHS) will only provide State governments with two Top Secret
clearances. Typically, these go to the Governor and their homeland
security advisor or director of public safety. This means in many
States, chief information officers or their chief information security
officers are not cleared to the appropriate level to receive vital
information from the intelligence community on the most advanced
international threats against our networks.
This should be remedied.
    Additionally, while opportunities for limited Federal assistance
for cyber threats have been included in the National Preparedness Grant
Program (NPGP), the formulaic structure of the program means States do
not have enough funding to do much more than maintain legacy homeland
security investments and administer grants to local governments. For
NPGP to meet the current threats faced by our States and localities,
changes will need to be made by Congress and the administration.
    Besides fixing funding models to meet the current threat, there are
other policy efforts that can be undertaken to maximize the impact of
existing cybersecurity resources. NASCIO believes the National Cyber
Security Review, or NCSR, is an excellent opportunity to review our
National preparedness and provide resources and technical assistance to
fill gaps in our defenses.
    The NCSR is a voluntary self-assessment survey designed to evaluate
cybersecurity management within State, local, Tribal, and territorial
governments. At the request of Congress, DHS has partnered with MS-
ISAC, NASCIO, and the National Association of Counties (NACo) to
develop and conduct the NCSR. The survey is now in the field and we
expect final results to be provided in the first quarter of next year.
Much like the Threat and Hazard Identification and Risk Assessment
(THIRA) provides a guide for investment in traditional homeland
security gaps, the NCSR could be followed up with the promise of
Federal technical assistance to State and local participants who lag
behind in vital areas. This will have the dual benefit of safeguarding
citizen data and encouraging greater participation in National-level
vulnerability assessments.
    NASCIO also supports efforts to include State governments as a
participant in programs that build the public sector cybersecurity
workforce.
One of the greatest difficulties States face is attracting
and retaining talent in this information security sector. States cannot
compete with the salaries provided by the private sector, or the allure
of positions in the U.S. Federal intelligence services. Federal
scholarships to study cybersecurity in exchange for working several
years in the Federal Government, or for State or local governments, have
the two-fold benefit of better protecting our citizens and expanding
the available talent pool of cybersecurity experts. Scholarships should
be expanded to ensure those who take advantage of them can work at any
level of government protecting IT systems.
    As many successful cyber attacks could be prevented by good cyber
hygiene and security practices, Federal collaboration with State and
local governments to create a culture of awareness and preparedness
would also be a significant step forward. Just like ``see something,
say something,'' clicking one's seat belt before driving, or even
covering your mouth when you sneeze, public awareness and habit is one
simple way to significantly reduce the threat.
    The Federal Government can also take steps to reduce burdens on
State and local governments by harmonizing cybersecurity standards and
requirements across Federal programs so State governments can provide
more efficient and effective security of programs at a lower cost to
taxpayers. Under the Federal Information Security Management Act,
better known as FISMA, States are required to check certain boxes
regarding security when taking Federal grant dollars. However, Federal
agencies interpret these rules differently, and require different
security standards. This often means that States must spend money on
redundant systems to comply with a patchwork of Federal rules. It also
means a lack of compatibility between various systems that States
manage, which could otherwise be consolidated and more secure.
Congress
should work with NASCIO and the States to replace FISMA with
cybersecurity rules that better conform to universal, outcome-based
standards that would provide both Federal agencies and States with
better security as well as greater efficiency.
    Cybersecurity is a complex issue, and we have a long road ahead of
us to making our Nation's systems more secure. There is no single
solution here--or in tech speak, there isn't a ``killer app.'' With the
diffuse threat and diverse actors, cybersecurity requires a many-to-
many approach. Most public safety response efforts are command-and-
control, line-of-command efforts. Such efforts will not work when it
comes to cybersecurity and response. With cyber attacks and the
resultant impact, there is rarely a front line and the ``path of the
storm'' is usually not obvious.
    Holding hearings such as this one and finding ways to share
information and resources will be crucial moving forward. We ask that
Congress continue to work with the States in identifying ways to
protect our Nation's digital assets, including rapidly maturing threat
information-sharing entities and developing a common framework that can
serve as a roadmap and provide funding justification for State
cybersecurity. Thank you for the opportunity to testify and your time
today.

    Mrs. Brooks. Thank you, Dr. Orgeron.
    The Chairwoman now recognizes Mr. Sena for 5 minutes.

STATEMENT OF MIKE SENA, DIRECTOR, NORTHERN CALIFORNIA REGIONAL
 INTELLIGENCE CENTER, TESTIFYING ON BEHALF OF NATIONAL FUSION
                       CENTER ASSOCIATION

    Mr. Sena. Thank you, Chairman Brooks and Chairman Meehan
and Members of the subcommittees.
On behalf of the National
Fusion Center Association I would like to thank you for the
opportunity to share our perspective on this increasingly
important issue.
    Back in July the Majority staff of this committee released
a report on the National Network of Fusion Centers after
visiting more than 30 of them. The report noted that nearly 200
JTTF investigations have been created as a result of the
information provided by fusion centers and nearly 300 terrorist
watch list encounters reported through fusion centers enhanced
existing terrorism cases.
    Those successes were enabled because the National Network
has developed into a mechanism for regular exchange of criminal
intelligence and terrorism threat information across
jurisdictions. This mechanism is ready made for information
sharing on cyber threats as well, but we have a long way to go.
    We need to recognize a couple of realities. First, a
streamlined system of reporting, analyzing, and sharing threats
and incidents requires leadership at the State and local level
and the clear acceptance of what roles different partners can
and should play. While the systems of interaction will vary
from State to State, we need to structure relationships so that
our personnel know where information should be flowing from and
disseminated to.
    Second, our human resource base at the State and local
levels has not adapted quickly enough to address the increased
cyber threats.
State and local law enforcement, homeland
security, and emergency management functions, including fusion
centers, must have personnel who are adequately trained to
respond quickly and share information rapidly so that
additional crimes can be prevented.
    The NFCA has been working over the past year with the
International Association of Chiefs of Police, the program
manager for the information-sharing environment, the Department
of Homeland Security Office of Intelligence and Analysis,
private-sector partners, and other associations to develop a
pilot program. The pilot will be funded by the PM-ISE through
DHS to the Center for Internet Security, MS-ISAC.
    The pilot will address needs identified by a wide range of
stakeholders including the need for increased timeliness,
volume, and quality of information the Federal Government
shares with State, local, and private-sector partners; the need
for standardization of information-sharing processes among
various levels of government; and the development of cyber
response best practices; leveraging current counterterrorism
tools and processes for cyber incident handling and
intelligence sharing; and promoting private-sector cooperation
and information sharing.
    We expect the pilot to get underway soon and we look
forward to updating the committee on our progress.
    I want to raise four issues that we think this committee
should be aware of and help us think through.
    First, enhanced cooperation by Federal partners through
more information sharing at Unclassified levels would help
connect dots and lead to faster action.
Our Federal partners
tend to operate on the high side, but since threat information
is coming into fusion centers from State, local, and private-
sector customers who expect timely responses, operating in a
classified environment can slow down information flow.
    When the Classified document is created, an Unclassified
version must also exist for dissemination. We need to get the
classification issue right so that we can be responsive to our
communities while safeguarding critical infrastructure and key
resources and information assets from exploitation.
    Second, building, training, and maintaining a strong cyber
analyst cadre within fusion centers and law enforcement should
be a priority. We have great partners like the United States
Secret Service, whose Hoover, Alabama facility provides cyber
training for fusion centers and other analysts. That program
should be a priority for new investment in the immediate future
so that the training can reach a greatly expanded audience.
    Third, the Terrorism Liaison Officer program is a
successful partnership between fusion center and State and
local law enforcement, fire service, first responder, public
health, and private-sector communities within their areas of
responsibility. This system maximizes situational awareness and
provides a clear mechanism for ground-level suspicious and
criminal activity to quickly funnel leads to investigative
agencies.
    The success of the TLO program in the physical domain
should be extended to the cyber domain in the form of a cyber
TLO program. Trained TLOs know what to do in the world of
physical threats; the same should happen with cyber threats.
    City, county, and State governments, as well as CIKR owners
and operators should be part of the cyber liaison program.
This
mechanism would ensure that investigative leads filter up to
the appropriate agencies while regular reporting on the latest
cyber threats can be pushed down through the network.
    Finally, every fusion center should have the ability to
triage threat reports and develop products to help partners
mitigate threats. Ideally, we need a constantly-updated
automatic system that provides partners with the threat
information--both machine- and human-readable--in real time,
action to identify the attack, identify the associated
indicators of compromise, and disseminate those indicators of
compromise to partners in a timely manner. That is essential.
    Thank you again for this opportunity to share our thoughts.
I encourage you to continue to reach out to your fusion center
in your State or region and find out about their challenges and
best practices.
    Thank you.
    [The prepared statement of Mr. Sena follows:]
                    Prepared Statement of Mike Sena
                            October 30, 2013
    Chairman Brooks, Chairman Meehan, Members of the subcommittees, my
name is Mike Sena and I am the director of the Northern California
Regional Intelligence Center (NCRIC), which is the fusion center for
the San Francisco Bay and Silicon Valley region. I currently serve as
president of the National Fusion Center Association (NFCA). On behalf
of the NFCA and our executive board, thank you for the opportunity to
share our perspective on the analysis and sharing of information on
threats from the cyber domain that we are seeing at a rapidly
increasing pace.
    The National Network of Fusion Centers (National Network) includes
78 designated State and major urban area fusion centers. Every center
is owned and operated by a State or local government entity.
The
majority of operational funding for fusion centers comes from State or
local sources, while Federal grants--primarily through the Homeland
Security Grant Program at FEMA--are a major source of additional
support. Our centers are focal points in the State, local, Tribal, and
territorial (SLTT) environment for the receipt, analysis, gathering,
and dissemination of threat-related information between the Federal
Government, SLTT, and private-sector partners.
    As the report on fusion centers that was released in July of this
year by the Majority staff of the full House Homeland Security
Committee noted, nearly 200 FBI Joint Terrorism Task Force
investigations have been created as a result of information provided to
the FBI through fusion centers in recent years, and nearly 300
Terrorist Watchlist encounters reported through fusion centers enhanced
existing FBI terrorism cases. Most fusion centers are ``all-crimes''
centers, meaning that they do not focus on just terrorism-related
threats. Most centers are supporting law enforcement and homeland
security agencies in their States and regions through analysis and
sharing of criminal intelligence to address organized criminal threats
and to support intelligence-led policing.
    Because the National Network of Fusion Centers has developed into a
mechanism for regular exchange of criminal intelligence and threat
information across jurisdictions, we are increasingly involved in
addressing cyber threats. My center--the NCRIC--is actively involved in
cyber threat analysis and information sharing with our Federal
partners, other fusion centers, State and local governments in our
region, and private-sector partners. As with any other successful law
enforcement or intelligence effort, good relationships are at the heart
of the matter.
We must develop strong and trusting relationships with
our customer agencies as well as with the private sector to ensure
timely information flow. As an example of partnership development, the
NCRIC is working with a major utilities service provider--that faces
significant persistent cyber attacks--to assign personnel inside the
fusion center. Once in place, this partnership will result in the
development of capabilities to improve internal security for the
company, but also new threat analysis and prevention capabilities for
other critical infrastructure partners across the sector. The NCRIC
hosts a working group including private-sector CIKR owners that meets
regularly to discuss threats and share information.
    But my center is not the norm across the National Network. Today,
less than half of the fusion centers have a dedicated cyber program. We
expect that number to grow as the threats grow, but we must have
additional resources to support the specialized training and personnel
to further that mission. We cannot take away from our established
missions to tackle new ones. We also must coordinate closely with other
entities that play roles in cyber threat awareness, analysis, and
information sharing--including the organizations my fellow panelists
here today represent.
    The reality is that we are dealing with a growing category of
criminal activity featuring different impacts as compared to
traditional crime. Because the impacts are ``quieter'' and--to date--
most often bloodless, it is more difficult to make a clear case for
investments in systematic improvements in law enforcement and criminal
intelligence capacity to deal with these threats.
    But as we all know, the threats and their consequences are very
real. And the threats are growing--from small, targeted operations that
impact a family's finances to large operations that threaten an
electric grid.
Large critical infrastructure owners know who to call
when something happens--they are likely to have existing partnerships
with Federal law enforcement and investigative bodies. But who does a
family call when they notice they have been violated? What about a
small business or, even more concerning, a smaller vendor that may be
part of an important supply chain? State and local law enforcement
across the country are reporting increased calls related to cyber
crime. Questions related to jurisdiction and investigative capacity are
difficult to answer in many of these cases. But the analysis and
sharing of threat information is essential to prevent more
victimization.
    As the NFCA has worked with our partners in State and local law
enforcement on this issue over the past year, it has become clear that
we have significant needs for capability and capacity enhancements. As
I wrote in a blog post for the Program Manager for the Information
Sharing Environment (PM-ISE) last week, the NFCA is working with the
International Association of Chiefs of Police (IACP), the PM-ISE,
private-sector partners, and other professional associations to assess
needs across the country. I want to specifically acknowledge the office
of the Program Manager for the Information Sharing Environment, DHS
Intelligence & Analysis, and FEMA for their recognition of the
importance of this effort, and for moving the ball downfield. These are
outstanding partners in our efforts and we rely on them daily.
    In August 2012, the NCRIC hosted a roundtable for cybersecurity
stakeholders that included representatives from the financial and IT
sectors, as well as Federal, State, and local officials.
These
participants identified two types of information sharing: (1) Fusion
centers engaged in sharing tactical information on company or sector-
specific situational awareness; and (2) fusion centers sharing
strategic information on threats, risks, and trends through strategic
forums that involve both the public and private sectors. IACP partnered
with the Department of Homeland Security to facilitate a December 2012
roundtable to further clarify requirements for cybersecurity
information sharing.
    Building on the momentum of the August and December events, the
NCRIC and the IACP held the Cybersecurity Evaluation Environment Pilot
Kick-off Event in February 2013. The first day of this 2-day event
focused on soliciting cybersecurity information-sharing requirements
from industry partners and developing potential Federal, State, and
local government processes for cybersecurity information sharing with
the private sector. Participants also discussed Government requirements
for cybersecurity information sharing. On the second day, the
Government participants worked to design a ``cybersecurity pilot'' that
would advance fusion center cybersecurity information-sharing
capabilities.
    The pilot will be funded by DHS through the Multi-State Information
Sharing and Analysis Center (MS-ISAC) and executed in coordination with
all appropriate stakeholders.
It will focus on addressing needs
identified by stakeholders including:
  <bullet> the need for increasing the timeliness, volume, and the
        quality of the information the Federal Government shares with
        State/local/Tribal government and private-sector partners;
  <bullet> the need for standardization of information-sharing
        processes between the Federal and State/local/Tribal
        governments and the development of cyber response best
        practices;
  <bullet> leveraging current counterterrorism-developed tools and
        processes for cyber incident handling and intelligence sharing;
  <bullet> enhancing the protection of State/local/Tribal networks;
  <bullet> supporting cyber crime investigations; and
  <bullet> promoting private-sector cooperation and information
        sharing.
    We expect the pilot to get underway soon and we look forward to
keeping the committee apprised of our actions.
    We believe it is important to recognize a couple of realities.
First, a streamlined system for reporting, analyzing, and sharing
threats and incidents requires leadership at the State level in each of
our States and a clear acceptance of what roles fusion centers can and
should play. Roles, responsibilities, and capabilities should be
clearly understood--including by private-sector partners--and we have
to acknowledge that we are not where we need to be. That is why efforts
like the pilot project we are about to engage in with the leadership of
PM-ISE and IACP are so important. While the systems of interaction may
vary from State to State, we need structured relationships so that our
personnel know where information should be flowing from and
disseminated to.
    Second, our human resource base in investigative and intelligence
settings at the State and local levels has not adapted quickly enough
to address the increased cyber threat.
Again, citizens report crimes to
law enforcement no matter the type. Federal agencies cannot possibly
investigate all of those crimes, even as they have a need to be aware
of them in case they relate to other incidents in other locations.
State and local law enforcement, homeland security, and emergency
management functions--including fusion centers--must be resourced to
respond to those crimes quickly and share information rapidly so that
additional crimes can be prevented.
    As the July 2013 committee staff report on fusion centers noted,
``Ultimately, it is the FBI's responsibility to conduct
counterterrorism investigations. However, no single government entity
has the mission and capacity to coordinate, gather, and look
comprehensively across the massive volume of State and locally-owned
crime data and SARs and connect those `dots', particularly those
related to local crime and, potentially, the nexus between those
criminal activities and terrorist activity. This is the principal value
proposition for the National Network.'' This reality extends to the
cyber threat domain.
    Next week the National Fusion Center Association will host a major
event across the river in Alexandria, Virginia. The NFCA Annual
Training Event will bring together fusion center directors and analysts
from nearly all 78 centers, as well as Federal partners including DHS,
partner associations from State and local law enforcement and emergency
response, fire service representatives, and industry to receive
training and share best practices. Among the training sessions are two
separate sessions on cyber threat analysis and information sharing.
Representatives from the Kansas City Terrorism Early Warning Group, the
Orange County (CA) Intelligence Assessment Center, the Louisiana State
Analytical and Fusion Exchange (LA-SAFE), the San Diego Law Enforcement
Coordination Center, and my center--the NCRIC--will present to other
fusion centers on effective practices and partnerships they are
implementing in their centers. This indicates the level of interest
across the National Network in advancing our capabilities to address
cyber threats.
    The State of Louisiana's fusion center--LA-SAFE--has taken an
active role in cyber threat analysis and information sharing. State,
local, and private entities reach out to LA-SAFE when a cyber event
occurs in their AOR. The fusion center's lead cyber analyst
disseminates block-list information to those partners to quickly help
strengthen their protections. LA-SAFE conducts analysis of cyber
threats and develops intelligence reports for dissemination to relevant
partners. To date, the LA-SAFE Cyber Unit has developed more than 40
reports that have been shared with Federal, State, and local partners.
Feedback to LA-SAFE--including from our Federal partners--clearly
indicates that the information coming out of the fusion center is of
high value.
    In one example from earlier this year, the Louisiana State
legislature was receiving numerous phone calls from a foreign
individual asking for the payment of a supposed debt. The numerous
malicious calls clogged the phone lines, preventing legitimate calls
from going in or out. The ``telephone denial-of-service attack''
disrupted the legislature's communications. LA-SAFE determined that
this TDOS attack was similar to others that had occurred across the
United States and produced and disseminated an advisory to its
partners.
Immediately afterwards LA-SAFE received numerous phone calls
and emails from public safety answering points (PSAPs) across the
country that had suffered similar attacks. LA-SAFE was contacted by the
deputy manager of the National Coordinating Center for Communications
(NCC). The NCC had received the LA-SAFE advisory from the NCCIC and
expressed serious concern. The NCC then initiated a conference call
with LA-SAFE, the NCRIC, NCC, NCCIC, Association of Public-Safety
Communications Officials (APCO), National Emergency Number Association
(NENA), FBI, and other industry representatives to coordinate a
response.
    As a result of the coordination, multiple advisories were
distributed from participating organizations to their customer bases.
It has since been determined that over 200 of these attacks have been
identified Nation-wide. These attacks have targeted various businesses
and public entities, including the financial sector and other public
emergency operations interests, such as air ambulance, ambulance, and
hospital communications.
    This example of cyber threat analysis and information sharing is
occurring on a more frequent basis across the National Network of
Fusion Centers. Some fusion centers are collecting and analyzing
instances of cyber attacks in their AOR, and developing products that
are sent to other fusion centers, which enables a much larger set of
stakeholders to prevent damaging attacks.
    LA-SAFE's recent experiences demonstrate both the opportunity and
the need for additional focus and capacity within the network. Like
other fusion centers that provide cyber threat analysis and sharing
services, LA-SAFE needs more cyber analyst positions. The increasing
threat level has already translated into increased demand for
investigative and analytical services from fusion centers, and there is
no sign of any slowing-down in that demand. A significant challenge for
LA-SAFE and other centers is that cyber analysts are typically more
expensive than traditional analysts. While physical terror threats and
criminal activity are the primary focus of most fusion centers, the
growing category of cyber crime means that cyber threat analysis
resources must be strengthened at all levels of government.
    In addition, LA-SAFE and other centers believe that the system for
interacting with Federal partners on cyber threats needs to be
improved. Enhanced cooperation by Federal partners through more
information sharing at the Unclassified or Sensitive-But-Unclassified
levels would help connect dots and lead to faster information sharing
to prevent attacks. Our Federal partners tend to operate on the ``high
side,'' but since threat information is coming to fusion centers from
State, local, and private-sector customers who expect timely responses,
operating in a classified environment can slow down information flow.
Speed is important in all investigations and prevention activities--
especially in the cyber domain. We must work with our partners to
identify the right path forward on classification so that we can be
appropriately responsive to our communities while safeguarding CIKR and
information assets from inappropriate exploitation.
    Building, training, and maintaining a strong cyber analyst cadre
within fusion centers and law-enforcement entities should be a
priority. We have great partners like the United States Secret Service
whose Hoover, Alabama training facility provides beginning and
intermediate training for fusion center and other analysts. That
program should be prioritized for new investment in the immediate
future so that its training can reach a greatly expanded audience. The
Multi-State Information Sharing and Analysis Center (MS-ISAC) provides
training to State and local law enforcement to enhance cyber awareness
and analytical capabilities. We need more of this type of training to
ensure our analysts have the skills required to act quickly so that
accurate, timely information can be shared broadly.
    The Terrorism Liaison Officer (TLO) program is a successful
partnership between fusion centers and the State and local law
enforcement, first responder, public health, and private-sector
communities within their AORs. TLO programs train thousands of
individuals on indicators of possible terrorist activity and reinforce
a system of reporting of suspicious activity through the fusion centers
and the Nation-wide Suspicious Activity Reporting (SAR) Initiative.
This system maximizes situational awareness and provides a clear
mechanism for ground-level suspicious activity to quickly funnel up to
lead investigative agencies.
    The success of the TLO program in the physical terrorism domain
should be extended to the cyber domain in the form of a ``cyber TLO''
program. Trained TLOs know what to do in the world of physical threats.
The same should happen with cyber threats. City governments, county
governments, State governments, and CIKR owners and operators should be
part of this network. Again, maximizing situational and threat
awareness through a systematized reporting mechanism will ensure that
investigative leads filter up to lead investigative agencies, while
regular reporting on the latest cyber threats by fusion centers and
other partners can be pushed down through that network.
    Every fusion center should have the ability to triage threat
reports and develop products to help State, local, and private-sector
entities to mitigate the threats.
Ideally, we need a constantly updated
automated system that provides partners information--machine and human-
readable--in real time as events are happening. Investigation into the
source of cyber attacks will occur after the fact, but action to
identify the attack, identify the associated indicators of compromise,
and disseminate those indicators of compromise to partners in a timely
manner is essential.
    It will take time and money for that vision to be realized--and we
have too little of both in the near term. In the meantime, the
partners at this table and around the country must work together
through the pilot project and other settings to develop policies,
protocols, and requirements that will result in the kind of information
sharing and threat analysis our citizens expect. In addition, a concept
called analytical centers of excellence is being built out across the
National Network. If a particular fusion center does not have dedicated
cyber capabilities, then that center's personnel should know exactly
where to go for support. Relationships should be developed and
formalized so that centers with cyber capacity can be tapped when
needed by other members of the National Network. This same concept is
being applied to traditional criminal intelligence information by
fusion centers today.
    On behalf of the National Fusion Center Association, thank you
again for the opportunity to testify today. The members of the NFCA
executive board and I are happy to provide you with on-going input and
answer any questions you have. I also encourage you to reach out to the
fusion center in your State or region and find out about their
particular challenges and best practices related to cyber and other
threats. We look forward to working with you on this issue.

    Mrs. Brooks. Thank you, Mr. Sena.
    The Chairwoman now recognizes Mr. Molitor for 5 minutes.

 STATEMENT OF PAUL MOLITOR, ASSISTANT VICE PRESIDENT, NATIONAL
              ELECTRICAL MANUFACTURERS ASSOCIATION

    Mr. Molitor. Thank you, Madam Chairwoman, Mr. Chairman, and
the Ranking Members and all of the committee Members and staff
who have joined us today. We would like to acknowledge the
subcommittee for holding this important hearing on a very
timely topic, which is cybersecurity and emergency management.
    NEMA sees safe and reliable electric power as an enabler
for first responders and supporting life-sustaining services
like communications, food, fuel, and water in the event of a
cyber attack. As we discuss the impacts of the cyber attack,
direct parallels can be drawn to grid outages caused by natural
disasters. Nothing shapes the discussion more than the lessons
learned through the 2003 Northeastern blackout, the recent
tsunami in Japan, the recent earthquake in Haiti, and the two
events which affected the Congressional districts of many of
the Members here today, Hurricanes Sandy and Katrina.
    Large-scale outages are extremely disruptive to the health
and well-being of the affected population regardless of the
cause. The question becomes: What are the most effective steps
we can take to prepare for and mitigate this impact?
    In much the same way as new information and communications
technologies are reshaping how we work, learn, and stay in
touch with one another, these same technologies are being
applied to the electric grid, giving utilities new ways to
manage the flow of power. Many people refer to this as the
smart grid.
This allows us to minimize the footprint of an
outage, maintain power to critical facilities, identify those
affected, shunt around downed power lines to increase public
safety, and enable faster restoration of services.
    Many of these technologies are detailed in a storm
reconstruction guide that we produced in the wake of Hurricane
Sandy a year ago, and we had a seminar on Capitol Hill earlier
this year where we went through this in a fair amount of
detail.
    When the U.S. Department of Energy established their seven
characteristics for smart grid in 2008 it included: Optimize
asset utilization and operate efficiently; anticipate and
respond to system disturbances--essentially, be self-healing;
and also, operate resiliently against attack and natural
disaster. The key to this kind of performance is rooted in
consensus-based industry standards.
    Standards define the interaction between entities to create
both interoperability and cybersecurity. They allow electrical
manufacturers to build security into the grid, which is
preferable to installing free and open devices that are secured
after installation. We want security built into the objects and
not bolted on afterwards. Moreover, the standards-based
monitoring features of the smart grid will facilitate
communications between grid operators, emergency crews, and
first responders.
    The bill introduced by a Member of this committee, the
SMART Grid Study Act, by Congressman Payne, would go a long way
to evaluating the breadth and effectiveness of the solutions
that have been deployed to date. Since 2009 we have invested
billions of dollars in the smart grid, and if you want to
improve something you need the measurement.
We have been
building; it is time to measure.
    Additional considerations for the cyber future of the grid
are contained in Executive Order 13636 and the National
planning scenarios developed by the various sector-specific
agencies of the Federal Government in conjunction with the
Department of Homeland Security. Scenario 15 is entitled
``Cyber Attack'' and it provides a doomsday scenario for a
pervasive attack on major elements of the Nation's
communications infrastructure, weighing this scenario against
the cybersecurity framework being developed by NIST under
Executive Order 13636, the implementation of which is being
supervised by DHS. This will give our industry an appropriate
platform to ensure that we are as prepared as possible for an
attack.
    Finally, as a 20-year veteran of the U.S. Army and a former
company commander and battalion operations officer I can say
that it is one thing to have a plan but another thing to
execute it. We should regularly conduct large-scale virtual
exercises, like the National-level exercises in 2012, to test
our response capabilities under the cyber attack scenario or
the natural disaster planning scenario or a combination of the
two. The greatest fear of our industry is that someone would
launch a cyber attack in conjunction with a natural disaster,
which would increase its impact.
    The military performs these kinds of exercises with great
frequency and great success. It would be a good idea for us to
figure out how we can structure regional, more detailed
exercises under DHS for the civilian agencies and companies
associated with the critical infrastructure, like the upcoming
NERC event you mentioned earlier.
    I want to thank the subcommittees for allowing us to
testify today and I look forward to your questions and
comments.
    [The prepared statement of Mr.
Molitor follows:]
                   Prepared Statement of Paul Molitor
                            October 30, 2013
    Chairmen Brooks and Meehan and Ranking Members Payne and Clarke, I
thank you and the Members of the subcommittees for inviting me to
testify today on cybersecurity and emergency management.
    I am Paul Molitor, assistant vice president at the National
Electrical Manufacturers Association (NEMA). NEMA is the association of
electrical equipment and medical imaging manufacturers, founded in 1926
and headquartered in Arlington, Virginia. Its 400-plus member companies
manufacture a diverse set of products including power transmission and
distribution equipment, lighting systems, factory automation and
control systems, and medical diagnostic imaging systems. The U.S.
electroindustry accounts for more than 7,000 manufacturing facilities,
nearly 400,000 workers, and over $100 billion in total U.S. shipments.
    On behalf of the 400-plus member companies of NEMA, I am
responsible for all internal and external communications relating to
NEMA's Smart Grid strategic initiative including interfacing with
electrical utilities, manufacturers, State and Federal agencies, and
the U.S. Congress. Prior to coming to NEMA, I had an established career
in the communications industry building data networks in Top Secret
environments and large, commercial public networks for the internet
divisions of both BellSouth in the southeastern U.S. and globally for
WorldCom. More recently, I spent time working with artificial
intelligence systems in several Federal programs dealing with systems
of systems, intelligence analysis, and National defense. Having this
background has been a good fit for Smart Grid as we seek to bring
additional communications and intelligence to the electric grid.
    I was the first plenary secretary of the NIST Smart Grid
Interoperability Panel (SGIP), founded the SGIP's International Task
Force, participated in the cybersecurity committee, and served as the
founding director for SGIP's industry-operated successor SGIP 2.0, Inc.
I've also served as secretary of the U.S. Technical Advisory Groups for
the International Electrotechnical Commission (IEC TAGs) for the Smart
Grid strategy group (SG3) and the Smart Grid user interface committee
(PC 118). I was named to the Canadian Task Force on Smart Grid
Technologies and Standards (TF-SGTS) and serve on the Carnegie Mellon
University Software Engineering Institute's Smart Grid Maturity Model
(SGMM) stakeholder panel.
    NEMA believes this hearing is incredibly important. Our Nation
faces unprecedented cybersecurity threats that endanger not only our
way of life, but our very health and safety as well.
    One year ago Superstorm Sandy struck the eastern seaboard and had a
devastating impact on so many lives and the economies of a wide swath
of States. Sandy brought out the best in our first responders,
emergency managers, Government officials, and everyday Americans.
    The electric grid is essential to public health and welfare. So
when Sandy knocked out power for millions of Americans, first
responders, utility operators, and emergency managers sprung into
action. Restoring power is part and parcel of emergency management.
    Of course, it is not difficult to imagine a scenario in which the
electric grid is shut down not by a natural disaster but instead,
through a cyber attack.
    Whatever the cause, resilient and reliable power is critical for
first responders, communications, health care, transportation,
financial systems, water and wastewater treatment, emergency food and
shelter, and other vital services.
    Much of our electric grid was built in the 20th Century but is
facing 21st Century threats. New technologies are being manufactured
and implemented today to transform the grid. When smart technologies
are in place, power outages are avoided or minimized and lives, homes,
and businesses are better protected.
                         the smart grid's role
    In much the same way as new information and communications
technologies are reshaping how we work, learn, and stay in touch with
one another, these same technologies are being applied to the
electrical grid, giving utilities new ways to manage the flow of power.
    A Smart Grid is an electrical transmission and distribution system
that uses technologies like digital computing and communications to
improve the performance of a grid, while enabling the features and
applications that directly benefit the consumer.
    A Smart Grid is not an all-or-nothing proposition; there are
gradations of ``smartness.'' As the electrical grid is modernized with
advanced technologies, it becomes smarter. Given the diversity in
electrical systems and the wide range of available Smart Grid
technologies, there is no one method to measure the smartness of an
electrical system. What matters is performance.
    The basic operation of Smart Grid technologies is designed to give
the utility company and the consumer (residential, commercial, and
industrial) more control over the electricity supply.
    On the consumer side, this means more information about--and thus
greater control over--the charges that appear on individuals' electric
bills.
    For utility companies and other grid operators, this means
acquiring better situational awareness to know what is happening on the
grid and to better manage it.
    By applying information and communications technologies and basic
computing power to the electrical grid, utilities can not only minimize
the footprint of an outage, but also identify those affected, shunt
around downed power lines to increase public safety, and enable faster
restoration of services.
    For example, when disturbances are detected in the power flow,
modern circuit breakers can automatically open or close to help isolate
a fault. Much like a motorist using his GPS to find an alternate route
around an accident, this equipment can automatically route power around
the problem area allowing electricity to continue to flow to the
customer.
    Circuit breakers and other electrical devices in the field have the
ability to communicate their status to help utilities identify
potential problem areas, including outages or conditions that might
result in an outage. Coupling this kind of automated activity with
feedback from advanced electric meters would help restore service to
the greatest number of customers even before the first truck rolls out
of the utility service shop.
The Cyber Threat and the Electric Power Industry's Response
    Like any infrastructure that is connected to a network, the
electric grid faces cybersecurity threats which are increasing as each
day goes by.
    Protecting the Nation's electric grid and ensuring a reliable,
affordable supply of power are the electric power industry's top
priorities. Cybersecurity incidents have the potential to disrupt the
flow of power to customers or reduce the reliability of the electric
system. Key to the success of this effort is the ability to protect the
grid's digital overlay against interruption, exploitation, compromise,
or outright attack of cyber assets, whether through physical or cyber
means, or a combination of the two.
    The electric power industry takes cybersecurity threats very
seriously. While new digital automation and technological advancements
can introduce new vulnerabilities, these technologies also provide
better situational awareness and help detect threats before an attack.
As such, protecting the grid requires a collaborative effort among
electric utility companies, the Federal Government, and the suppliers
of critical electric grid systems and components--both hardware and
software. Utilities are required to deliver affordable, reliable, and
secure electricity, while manufacturers have an obligation to ensure
that the same qualities are present in their equipment.
    An infrastructure as massive as the electric grid which has been
referred to as the world's largest machine cannot be simply taken out
and replaced with the ultimate in cybersecurity.
In other words, we
cannot ``gold plate'' the entire electric grid, implementing the
highest levels of security at every point along the distribution
network. But a few techniques that have proven to be effective in
sensitive operating environments in the Nation's Information Technology
(IT) infrastructure will help ensure greater resiliency.
    The first is segmentation. In order to control the cost of
deployment, regulators need to consider the overall security
architecture in their rulemaking decisions. As with the electric grid
itself, the ability to isolate security issues and insulate core grid
functionality from their effects is as important as the strength
of the security measure.
    A second is layering. As with segmentation, the aspect of security
layering needs to be considered during rulemaking. Individual security
measures should not be considered in a vacuum, but rather in the
context of how they contribute to the overall security architecture of
the system. It would be important to define rules and guidelines for
the levels of layered security required as a function of the
criticality of a device, its functions, the impact on the surrounding
segments of the grid, etc.
    A third is decentralization. When we think about the computing
environment of the 1960's, 70's, and 80's, it was dominated by
mainframe systems and centralized control of information and
processing. With the advent of the personal computer, this migrated to
a much more decentralized model in the 1990's and beyond, making access
to computing resources much easier and more reliable for everyone. The
same holds true with electricity as distributed generation, energy
storage, microgrids, and net-zero energy designs and technologies
become more available.
    When an outage strikes, the effects often stretch far beyond the
initial impact zone. Regional outages inhibit the ability to protect
those in danger and provide basic needs such as food, sanitation, and
shelter. We could recover more quickly if islands within each area
could maintain power and serve as centers for critical services and
recovery.
    A microgrid can isolate itself via a utility branch circuit and
coordinate generators in the area, rather than having each building
operating independently of the grid and using backup generators. Using
only the generators necessary to support the loads at any given time
ensures optimum use of all the fuel in the microgrid area.
Importance of Codes for Grid Resiliency
    Of course, electric infrastructure isn't only transmission lines,
substations, and transformers. It doesn't stop at the electric meter
outside the building. Indeed, you could argue the grid extends to any
end-use device you have plugged into an electrical outlet. Buildings
consume some 70% of all energy produced and are the place where so much
of modern life exists.
    Emergency managers should recognize the importance of adopting the
latest electrical code. The National Electrical Code (NEC) ensures that
new construction and major renovations are built with the latest
technology, which will make a facility as safe as possible both for
those who become trapped in it during the emergency and for the
first responders who may have to breach the building envelope in order
to stage a rescue operation. A robust emergency plan involves ensuring
that updated codes are in place today to improve the outcome should
disaster strike.
    A corollary here is the energy efficiency of a building; energy
codes establish baseline levels of efficiency. In the event of cyber
attack, the best-prepared buildings will have a degree of back-up
generation or may be part of a microgrid which is connected to some
back-up generation.
It stands to reason that a given amount of
generation during the wider grid outage will be able to power more
critical electrical loads or a given number of electrical loads for a
longer period of time, as those loads' levels of energy efficiency are
improved. In other words, energy efficiency allows us to do more with
less during a grid outage.
    NEMA is encouraging States and localities to stay current on code
adoption.
Recent Congressional Activity
    Some recent Congressional activity is worth noting.
    Speaking of energy efficiency, Sen. Gillibrand has legislation
which amends the Stafford Act to allow a recipient of assistance
relating to a major disaster or emergency to use the assistance to
replace or repair a damaged product or structure with an energy-
efficient product or energy-efficient structure. When disaster strikes
we should take the opportunity to prepare for future disasters by
rebuilding the smart way, and energy efficiency is part of this, as
described earlier.
    Emergency managers and State and local officials are on the front
lines for weeks after a major disaster. Often they are supported by the
Federal Government in terms of resources, coordination, and manpower,
but also in terms of funding to rebuild.
    In the wake of Superstorm Sandy, NEMA encouraged Congress to allow
Federal rebuilding funds to be used not only to replace damaged
electrical equipment but to replace it with advanced technologies that
allow the grid to become more resilient going forward.
    The Senate version (H.R. 1, 112th Congress) of the Sandy
Supplemental appropriations bill included the following language.

``SEC. 1105.
Recipients of Federal funds dedicated to reconstruction
efforts under this Act shall, to the greatest extent practicable,
ensure that such reconstruction efforts maximize the utilization of
technologies designed to mitigate future power outages, continue
delivery of vital services and maintain the flow of power to facilities
critical to public health, safety and welfare.''

    Unfortunately the bill that passed the House and was signed into
law did not include such language. This approach should be considered
in any future disaster bill as a way to boost the resiliency of the
electric system and ultimately lessen the impact of cybersecurity and
other grid-impacting events.
    Finally, on a much broader level, NEMA believes that Congressman
Donald Payne's SMART Grid Study Act (H.R. 2962), which authorizes a
study of the costs and benefits of developing a Smart Grid, would go a
long way in proving the case--to those who remain unconvinced--that the
Smart Grid is an investment worth making to make the electric grid
stronger, safer, and more resilient. Investment in the Smart Grid is
happening today across the country and around the world. Yet policy
barriers remain to its full implementation.
    A comprehensive study such as this, to be conducted by the National
Research Council with input from the Department of Homeland Security
and other relevant agencies, includes an in-depth review of the
vulnerabilities of the electric grid to cyber attack.
                the importance of industry-led standards
    In addition to the obvious human toll a breach in cybersecurity
could bring, from a manufacturer's perspective it could involve
countless hours of research and development staff time, contractors,
and consultants, which would be a considerable financial burden on the
utilities and manufacturers alike. The implementation of those patches
would involve potential changes to the manufacturing process,
deployment of patches to the installed base, product recalls, rebates
and many other expensive options, not to mention the potential for
lawsuits, both valid and frivolous, based on the potential outages
described above.
    An additional interest of the manufacturers is standardizing on
common approaches to cybersecurity across utility areas of control as
well as State boundaries. It is critical to invest the time and
resources upfront to select the optimal architecture, minimize risks,
and attain a reasonable balance between costs and security.
Additionally, there exists a need for States to work together in order
to provide utilities with a uniform security implementation approach.
If public utility commissions do not lead with a common approach, then
it will be very difficult for utility companies, manufacturers, the
National Institute of Standards and Technology (NIST), and Standards
Development Organizations (SDOs) to coordinate their security standards
development efforts, increasing the level of difficulty for
manufacturers to provide interoperable solutions. The corresponding
drop in interoperability could also lead to a lower quality of service
to electricity customers.
    The key to achieving the kinds of success described in this
testimony is to rely on proven, industry-based standards. NEMA, along
with a number of our NGO peers, retains accreditation through the
American National Standards Institute as a standards developing
organization (SDO). Products made from consensus-based industry
standards are the first step in achieving interoperability.
Smart Grid Interoperability Panel: Private-sector-led Voluntary
        Standards Processes for Cybersecurity
    Because we live in an increasingly-connected world,
interoperability has become a bedrock concept. The NIST effort through
their Smart Grid Interoperability Panel (SGIP) focused on industry
standards and their role in delivering the features and functionality
for Smart Grid. Consensus-based standards ensure that devices achieve a
minimum level of performance, whether that is in terms of safety or
electricity delivery, with consistency and reliability. They also
provide a uniform management information base (MIB) that allows
operators to seamlessly trade management data to achieve successful
operations in the segmented, layered, and distributed environment
described above. Industry-based security standards further ensure that
security measures can be properly vetted by the global security
community. The practice of ``security by obscurity'', where security
measures were individually developed and implemented without review, is
not nearly as reliable as a publicly-tested and fully-vetted security
scheme. Identifying cybersecurity standards through a body like NIST
allows manufacturers to make sure that cybersecurity is built into the
products and solutions they offer rather than being bolted-on by the
grid operator at installation.
NIST Cybersecurity Framework
    The recently-released Executive Order for cybersecurity in the
critical infrastructure (EO 13636) provides a template for the
relationship between industry and Government. EO 13636, along with its
predecessor legislation the National Technology Transfer and
Advancement Act (NTTAA, Pub. L. 104-113) and its implementation through
OMB Circular A-119 describe the role of Federal agencies for securely
implementing information technologies in the Federal Government.
Essentially these laws stipulate that the Government shall use industry
standards to the greatest extent possible, vetted through NIST, and
installed under the practices identified by the sector-specific Federal
agency.
The NIST framework developed under the guidance of EO 13636 \nadheres to this convention establishing an effective public-private \npartnership for the implementation of cybersecurity measures in \ncritical infrastructure.\nIncentives for Voluntary Participation in NIST Framework and/or \n        Information Sharing\n    As we've seen in the information technology industry, information \nsharing about persistent electronic threats is a key component of \nsecurity performance. When an electronic attack is in process, \ncompanies like Internet Security Systems and Dell SecureWorks detect \nand analyze those threats and provide that threat information to their \ncustomer base. The only way they can be successful in this is if their \ncustomers openly and willingly provide threat and attack information to \nthem.\n    In order for threat analysis of critical infrastructure to be \nsuccessful, electric utilities and others involved in the electricity \nsupply chain need to be similarly forthcoming. This may mean that some \nform of inducement may be necessary in order to secure maximum \nparticipation. These don't necessarily need to come in the form of tax \npolicy or direct financial incentives from the Federal Government, but \nsomething as simple as liability limitations for manufacturers and grid \noperators who have access to threat information that share it willingly \nwith DHS or the appropriate sector-specific agency.\nPrivacy\n    NEMA member companies are dedicated to the protection of \nelectricity subscriber privacy and personally identifiable information \n(PII). This is another area where consensus-based industry standards \nwill play a role. Effective legislation or regulation regarding \nsubscriber privacy needs to be based on common terminology and privacy \nconcepts. 
This has previously been applied to other areas such as \npatient information in the administration simplification section of the \nHealth Insurance Portability and Accountability Act (HIPAA, Pub. L. \n104-191). Adaptations of these principles should apply to the \nelectrical subscribers.\n                      responding to a cyber event\n    A front-line resource from the manufacturers of electrical \nequipment during any emergency is the NEMA Field Representative \nProgram. NEMA field reps are building code and electricity subject \nmatter experts. As experience masters in electrical systems, they have \nthe kind of jack-of-all-trades knowledge necessary to deal with \nemergency situations. The NEMA field reps serve as a gateway to all \n400-plus members of the association and can provide company- and \nproduct-specific advice as well as contacts within member companies who \ncan help respond. The member company technical resources can then work \nwith their utility company customers to safely restore power and \nultimately repair the damage.\nNational Planning Scenarios Must Focus on Interoperability\n    DHS's work on the National Planning Scenarios gives them an \nappropriate entry point into the cybersecurity policy discussion. \nScenario 15 of the National Planning Scenarios is titled ``Cyber \nAttack'' and includes the following General Description:\n\n``This scenario illustrates that an organized attack by the Universal \nAdversary (UA) can disrupt a wide variety of internet-related services \nand undermine the Nation's confidence in the internet, leading to \neconomic harm for the United States. 
In this scenario, the UA conducts \ncyber attacks against critical infrastructures reliant upon the \ninternet by using a sophisticated C2 network built over a long period \nof time.''\n\n    This, coupled with their role as defined in EO 13636 makes DHS the \nideal place to host the analysis and evaluation of emergency \npreparedness testing for all elements of the critical infrastructure \nbased on the current global threat profile.\n    NEMA has worked with DHS in this capacity in the past including a \ncontract for the Digital Imaging for Communications in Security (DICOS) \nprotocol associated with TSA electronic screening systems for airport \noperations. Two important features of DICOS are that it contains the \nappropriate protections for information privacy (being based on a \ncorresponding medical imaging protocol named DICOM), and that an \nintegrated threat model was part of the design consideration.\n    Essentially all of the tools and roles for DHS exist in other \ncontexts, so the challenge will be to bring them together for the \nparticipation in cybersecurity event management. A future consideration \nshould be a large-scale virtual exercise to test our response \ncapabilities under the cyber-attack or natural disaster planning \nscenarios, or a combination of the two. The military performs this kind \nof exercise frequently with great success. It would be a good idea for \nus to figure out how we can structure a counterpart under DHS for the \ncivilian agencies and companies associated with the critical \ninfrastructure. Performed in real time, DHS can inject cyber events \ninto the scenario exercise that would stress the communications and \nmanagement capabilities of infrastructure service providers as well as \nFederal, State, and local agencies. 
The participants would then be \ncompelled to respond to make sure they had the appropriate protections \nand contingency plans in place.\n    In closing, let me restate NEMA's commitment to improving the \nresiliency of the electric grid. We are willing partners with \nGovernment and industry in the effort to protect Americans from the \nthreat of cyber attack and to help our country respond when disasters \nstrike.\n\n    Mrs. Brooks. Thank you, Mr. Molitor.\n    I now will recognize myself for 5 minutes of questions. \nLike to start out with Ms. Stempfley.\n    The After-Action Report for the National Level Exercise \n2012 was released this summer. Can you please give us an update \non the Office of Cybersecurity and Communications' efforts to \nwork with other Federal agencies--specifically FEMA--as well as \nthe State, local, and private-sector stakeholders to address \nthe issues that were identified after this cyber exercise?\n    Ms. Stempfley. Thank you, ma'am. Yes. Absolutely.\n    The National-Level Exercise was the first exercise where we \nhad a cyber and physical scenario performed at this level. It \nwas the attempt to bring together all of our stakeholders and \nlook at how clear we had put roles, responsibilities, and \nexecution and resources towards the specific problem. We were \npleased to learn a number of lessons from that exercise, to \ninclude how to partner and the role the private sector must \nplay in this very important mission area.\n    We have been undergoing a series of after-action \nactivities, which range from the development of specific, more-\nfocused exercises and action plans so that when a particular \nevent might occur either in a sector or at a location we have \nplaybooks available for that. 
These are being developed as a \ncommunity, so not just DHS with FEMA but DHS with our \nstakeholder partners in the private sector, as well, with State \nand locals and other activities.\n    As a matter of fact, we worked with the energy sector to \nexecute what we called the Poison Apple exercise not too long \nago, which was one of these exercises testing a playbook of a \nparticular scenario in the electric sector.\n    Mrs. Brooks. Specifically, I am glad you bring up the \nelectric sector, because as I mentioned, I just met with \nrepresentatives from our energy sector just this last month and \nan issue that they brought up, which actually came up in a \nmark-up of bills yesterday, involved security clearances and \nthe difficulty and the backlog in the issuance of security \nclearances for the private sector.\n    Can you please discuss that issue a bit and whether or not \nyou are aware of the clearance backlog on the issuance process \nand are there anything that we can do to help you address--\nbecause it was my understanding from--and I had a number of \nprivate-sector companies that expressed that frustration, and \nit seems to me that if we are truly going to have this \npartnership, particularly with respect to a response, can you \naddress this issue of security clearances?\n    Ms. Stempfley. So one of the things that we all know and my \ncolleague pointed out is we are not going to clear ourselves \ninto solving these problems. So we are actively working on \nshare lines and reducing information to FOUO and Unclassified \nactivities. That is not to say that there are not times when \nclearances are required nor are we walking away or any of that \nfrom the security clearance issue.\n    My colleague, the assistant secretary for infrastructure \nprotection, is very focused on this. Respectfully, I would like \nto take the question for the record and have her help----\n    Mrs. Brooks. Who would that be?\n    Ms. Stempfley. 
Caitlin Durkovich.\n    Mrs. Brooks. Okay. Thank you. We would be very interested \nbecause it appears to be an issue that is causing a lot of \nconcern in the private sector and we certainly respect the \nimportance of security clearances but we must find a way to \ncommunicate and work together.\n    Ms. Stempfley. Yes, ma'am.\n    Mrs. Brooks. Thank you.\n    Like to ask Mr. Sena: When you talked about the fusion \ncenters--and I have visited my fusion center and also would \nencourage others on the committees to visit their fusion \ncenter--yours is one of the small number of fusion centers in \nthe National Network proactively incorporating cybersecurity \ninto its mission, and I applaud you for that. What Federal, \nState, and local partnerships have you developed to help the \nNCRIC contribute to this important mission?\n    Mr. Sena. Thank you, Madam Chairwoman.\n    As far as the development of our fusion center capability--\nsorry. Thank you.\n    As far as our--still getting a little feedback here, but--\nthe development of our center, we have been able to work \nclosely with actually centers across the country to develop a \ncyber information network for exchanging information and then \ndeveloping partners from the private sector to collaborate and \nactually provide them with timely information as well as \nworking with our Federal partners from the FBI, from our \npartners in the Secret Services who are working the criminal \nangles of cyber threats, to be able to develop a network.\n    We are actually in the process right now of bringing in \nprivate-sector personnel to support that effort so that they \nare in an environment where we can share that information with \nthem and develop products that they need. 
We have been working \non that over the past year-and-a-half to develop a program and \nwe are working right now to that National pilot to involve \nother centers and really develop centers of analytical \nexcellence in the field of cybersecurity.\n    Mrs. Brooks. Well, we look forward to you sharing that work \nwith other fusion centers around the country.\n    I see that my time is expired and I am now going to \nrecognize the gentleman from New Jersey, Mr. Payne, for any \nquestions he might have.\n    Thank you.\n    Mr. Payne. Thank you, Chairwoman Brooks.\n    First I would like to thank Ms. Stempfley for discussing \nthe New Jersey pilot project with critical infrastructure and \nemergency managers. I am very interested in learning, you know, \nabout the pilot and hope that you can come back and discuss \nthat with me at a later date.\n    Let's see. This question is for you, as well. Each witness \nhere has discussed the urgent threat a cyber attack poses and \nthat it is critical that the Government and the private sector \ntake immediate action to beef up its cybersecurity efforts.\n    Earlier this month the Government was shut down for 16 days \nand I am interested in learning how that affected our cyber \nactivities. Can you discuss how the Government shut-down \naffected cybersecurity efforts and which programs were \nfurloughed and what projects were delayed as a result of that?\n    Ms. Stempfley. Certainly the Government shut-down was a \ntraumatic event for the staff in the Office of Cybersecurity \nand Communications. 
Important functions that were considered \nexempt associated with immediate loss of life or property were \nsustained during that period, including functions in the \nNational Cybersecurity and Communications Integration Center, \nso our important information-sharing activities on threats that \nwere on-going in that moment continued during this time frame.\n    Unfortunately, we had to suspend efforts in some other \nimportant activities, including workforce development, \nincluding outreach and awareness, and including engagement with \nmany of our partnership and stakeholder engagement efforts. So \nall of our sector-coordinating council activities and planning \nactivities were suspended during this time period.\n    Mr. Payne. Okay. So those are the programs that were \nfurloughed?\n    Ms. Stempfley. Yes, sir.\n    Mr. Payne. Okay. So how did it affect us in terms of our \nability to thwart off these attacks?\n    Ms. Stempfley. We focused during the furlough period on \nthose efforts that were instantaneous or immediate--those \nmonitoring of Government networks against threats and \nprotection and defense measures about activities that were \ncurrently on-going. No progress was made during that period on \nprogrammatic activities and so future efforts nor planning \nactivities occurred. So during this period we were required to \nfocus exclusively on the near-term and real-time efforts of the \nDepartment.\n    Mr. Payne. So we could only focus on what was right before \nus at that time.\n    Ms. Stempfley. Yes, sir. The requirement was we had to \nconsider as exempt activities only things were about the \nimmediate loss of life or property.\n    Mr. Payne. Would you consider us being more vulnerable at \nthat time?\n    Ms. Stempfley. It certainly was a time where there were not \nas many eyes on the Federal networks and it was a period where \nthe vulnerability and the threat environment are something we \nare concerned about.\n    Mr. Payne. 
At our full capability do you feel there are \nenough eyes on it when we are at full deployment?\n    Ms. Stempfley. I don't believe you will hear anyone from \nthe Office of Cybersecurity and Communications acknowledge that \nthe resources in this particular mission area are commiserate \nwith the threat that we undergo, and so there certainly is more \nwork to be done in that area. We have important programs, \nincluding continuous diagnostics and mitigation and the \nEinstein programs, which are a part of helping put automation \ninto the Federal networks, and the Enhanced Cybersecurity \nService, which is about helping to share information for \nprotection with critical infrastructure.\n    Mr. Payne. Okay. Thank you.\n    Mr. Molitor, as you know, I have been a strong proponent of \nsmart grid technology. Can you talk about how smart grid \ntechnology will improve resiliency in the event of a cyber \nincident?\n    Mr. Molitor. Yes, sir. Thank you.\n    The nature of a smart grid--and it comes from those \nperformance objectives that were laid out by D.E., the whole \nidea that the grid should be able to react to disturbances and \nbe somewhat self-healing. So the idea that if a cyber attack \nhappens when the more intelligent grid than what we have today \nwill be able to do is to be able to shunt around the areas that \nare affected. It doesn't matter whether that is an effect that \nis caused by a natural disaster, a man-made disaster, or a \ncyber attack.\n    So ideally what we want to do is contain the damage, and \nMadam Chairwoman this morning cited the television program this \nweekend, and that is an example of a cascading event, and what \nwe really want to do is avoid that and that is what the \ntechnologies through the smart grid will enable.\n    Mr. Payne. Right. 
So in layman's terms, I, you know, was \ninterested, you know, when you say you have a blackout at your \nhome, you contact the utility, utility has to contact workers \nto go out to your home and start from that point and work their \nway back.\n    Mr. Molitor. Right.\n    Mr. Payne. What the smart grid technology would allow is \nalmost for that affected area to contact the utility to say, \n``There is a problem in this area,'' which alleviates that \nworking back and finding the issue and then figuring out what \nwas wrong and then correcting it and getting it--so the smart \ngrid technology would allow us to be proactive in protecting \nthe grid and almost alerting us prior to the issue being \ncreated.\n    Mr. Molitor. Yes. Absolutely. The analogy that we have used \nin the past is like the dashboard on your car. You know, you \nhave got the regular speedometer, tachometer, all of the things \nthat tell you how the grid is functioning at the time.\n    But what we are really adding with the smart grid are the \nidiot lights--the things that come on when your oil pressure \ngets dangerously low and those kind of things. So yes, those \nare the automated notifications that can come off the grid and \nit can actually tell the emergency response crews in the \nutility companies where to go in order to fix and restore power \nto the greatest number of people.\n    There is a great example from Vermont Electric Cooperative, \nwho was hit by Hurricane Irene in 2011 and then again by \nHurricane Sandy in 2012. They had rebuilt smart in the interim \nperiod, and so they had a much easier time restoring service \nand they had much fewer consumers who were affected as a result \nof Hurricane Sandy than they were during Hurricane Irene. So we \nknow that it works just exactly the way you described.\n    Mr. Payne. All right. Thank you.\n    Mrs. Chairman, I yield back.\n    Mr. Meehan [presiding]. 
I thank the gentleman from New \nJersey and I want to thank each of the panelists for being \nhere.\n    I am pleased to share the podium today with my colleagues \nfrom both sides of the aisle but particularly Mrs. Brooks. She \nand I served together as United States attorneys prior to our \nservice in Congress, and as a result of that had the \nopportunity to work with a number of the fusion centers and \nothers in the beginning of the process of creating what we \nhoped would be a robust capacity to respond to threats of \nterrorism both on the National as well as the local level.\n    One of the things that is eye-opening has been the \ntremendous success that has been realized in this country by \nvirtue of, since September 11, we have been relatively free of \nthe same kind of scope of a threat actually carrying itself \nout. But we have seen so many of the natures of the threats \nchange, and I think this area of cyber is the one that probably \ncreates, in my mind, the greatest concern. So there is a lot of \neffort that is going on and I am interested in hearing a little \nbit about your perspectives.\n    Let me start with you, Mr. Molitor, first. Just, you know, \nwe have spent a great deal of time working here on cyber \nlegislation, the purpose of which is to ease the ability for \nthe private sector to communicate in a meaningful, two-way \ncommunication through the National--what we call the NCIC, the \nCyber Information Center, with real-time information, and also \nthe ability for you to be able to work it through in a way in \nwhich there are protections for sharing information and \notherwise.\n    Have you had a chance to look at some of the proposed \nlegislation and do you have any sense as to whether it would be \nbeneficial to member companies like your companies within your \norganization and others similar across the country?\n    Mr. Molitor. Yes, absolutely. 
We are at the tip of the \nspear--the electrical manufacturers--in terms of cyber attacks. \nSo when the attack comes in they are going after our members' \ngear as it sits in the electric grid. We need to be able to \ncapture that information and then forward it, so that the folks \nat the fusion centers and the other panelists at this table can \nrespond and react to it.\n    So it would be extremely helpful, just in terms of clearing \nthe communications. During my opening testimony I mentioned \nsomething about how industry-based standards are the best way \nto do that. So we have to be able to communicate across \nmultiple entities, between the electric utilities, between the \nGovernment agencies.\n    So yes, absolutely. It would be most helpful so that we \nknow how to communicate with each other so we can standardize \nthe messages and respond to the threat.\n    Mr. Meehan. Well, we are already dealing with it in real \ntime, and I appreciate that. I think one of the realities is \nthere is almost a triage, as you often do when you are dealing \nwith an issue, and because of the threats that took place \nagainst the banking system and the, you know, in New York and \nother kinds of sort of major threats, the concern has been how \nwe alleviate the potential for the drastic attack. But there is \na lot of things that are going on that are impacting, as I \nthink was well-articulated, State and local authorities who \nhave a great deal of information, have a great deal of assets, \nare equally being probed, and otherwise.\n    So how are things working today with regard to the sharing \nof information? You have expressed some frustrations and some \nhopes, and I would like you to spend a little bit more time \nsaying, well, suppose something happens right now.\n    Mr. English, Mr. Orgeron, and Mr. Sena, you are already, in \nvarious capacities, your fusion centers are working with some \nof the State and local organizations. 
Let us say you have an \nenterprise from another country--a criminal enterprise that is \nprobing your data systems. How are you communicating today and \nwhat is it that allows you to work effectively together, or \nnot?\n    Mr. Orgeron. Mr. Chairman, from a CIO perspective, I think \nthat we are communicating with our fusion center. But one of \nthe things that we have advocated is governance structures that \nare more clearly defined in terms of paths of communication.\n    The cyber component is, for all intents and purposes, is \nsort of the newer thing that we are adding into these threats, \nbuilding into the processes that exist. So if there is an \nemergency management plan there should be a cyber annex to it \nin terms of key actors and what the roles those actors have----\n    Mr. Meehan. Are you telling me now that that is what your \nconcern is, that that is not clearly identified right now?\n    Mr. Orgeron. I don't think that the governance is clearly \nidentified across the States from a CIO perspective. That is \ncertainly something, when we worked with NEMA and the National \nGovernors Association in the cybersecurity call to action, that \nwe certainly advocate. Governance was the top of the list in \nterms of paying close attention to authority and \nresponsibility.\n    To your point about that, you know, what is happening at \nthe State level, how those flows of communications are \nhappening is something that we still think needs effort.\n    Mr. Meehan. What is your idea of a way to make it work?\n    Mr. Orgeron. I think you have to have a framework, and I \nthink the framework has to be something that can be easily \ncommunicated in----\n    Mr. Meehan. What would it spell out?\n    Mr. Orgeron. Well, as an example, one of the things from a \ntechnology perspective is the NIST framework.\n    Mr. Meehan. Yes.\n    Mr. Orgeron. You know, a more common framework with which \nyou can have a very effective conversation----\n    Mr. Meehan. 
Have you been following the meetings that have \nbeen taking place in California and other places and you are \nsatisfied that they are working towards that direction?\n    Mr. Orgeron. It certainly seems so from the CIO \nperspective.\n    Mr. Meehan. Good. Good.\n    Mr. Sena.\n    Mr. Sena. Yes, sir.\n    Mr. Chairman, we do have an issue. You know, it took us a \nlong time to get suspicious activity reporting worked out with \na unified message, and there is currently a unified message \ntask team working on the issue of cyber. But at the National \nlevel we have six different cyber centers and people are all \nsaying, ``Well, who do you call?''\n    Right now the message that is being developed, ``Call any \nof them.''\n    Mr. Meehan. Is this among your fusion centers--six of them \nare cyber centers, as well?\n    Mr. Sena. This is Nationally, at the Federal level--those \ndifferent cyber centers that--and trying to work on who do you \ncall?\n    Mr. Meehan. Who do you include as the National cyber \ncenters? Because one of the parts of the legislation--and Ms. \nStempfley's working very, very hard on this with DHS--is to \ncreate the NCIC as that central point, which everybody knows \nthey go to one place.\n    Mr. Sena. Well, we have the NCIC and then there are \ninvestigative--National cyber investigative joint task force \nthat is out there along with some of the other organizations \nthat we have that have investigative responsibilities and \nagency responsibilities within their organizations.\n    Mr. Meehan. Who would you consider to be among them?\n    Mr. Sena. Within DHS, within FBI, within Secret Service----\n    Mr. Meehan. You are not trying to say there is any kind of \njurisdictional issues going on among the Federal agencies----\n    Mr. Sena. Not at all. 
They are working very diligently together but it still causes confusion.
    At the local level when you ask folks--when you go to an organization the companies that we have brought in said, "Who do you call?" and they go, "We have a rolodex of 100 people."
    Mr. Meehan. Well, that is just counter to any kind of effective capacity to do things, isn't it?
    Mr. Sena. Absolutely, sir. That is what we have been striving to do is to say, all right, let's create a unified message on where this information should go--and not just the telephone calls, but also the machine-readable information. This information moves quickly. The threat moves quickly. We have to respond to that as quickly.
    Mr. Meehan. In fact, and I am--my time is up--but that is actually, in real time we do not have the ability, if we are responding to a threat which is happening in the cyber world, to rely on telephone calls to do it. It needs to be, in many ways, as they say in the old days, machine-to-machine to be able to mitigate these things, and oftentimes just identifying the nature of the threat, where it is emanating from and how we alleviate it in and of itself requires that kind of tremendous engagement.
    Mr. Sena. Absolutely, sir.
    Mr. Meehan. Well, I am grateful. That is a very, very good point. We are appreciative of your testimony today because this is exactly the kinds of things that we need to be able to look at to create that connection that works effectively, and that is something that we will work towards.
    I am going to, appropriately, if you know anything about--Mrs. Brooks is going to take over the chairmanship of this hearing again. I am going to get back in my rightful place to her right.
    So at this point in time I will return the chairmanship of the hearing to Mrs. Brooks and I thank you for your testimony.
    Mrs. Brooks [presiding]. Thank you, Chairman Meehan, for sitting for me while I quickly went to another hearing. This happens to us occasionally here as Members of Congress. We are called to other hearings that are also important and I actually may be called back because they were not ready for me. So we may be doing this musical chairs once again.
    I now will, I believe, recognize the gentleman from Mississippi, Mr. Palazzo, for 5 minutes of questions. Thank you.
    Mr. Palazzo. Thank you, Madam Chairwoman.
    Again, I want to thank the chairs for holding this joint hearing. I believe that cyber attacks could be as devastating as 9/11 and more widespread.
    Just look at what happened a few weeks ago in Louisiana when the EBT card system went down for just a few hours. Widespread panic and confusion ensued. Just imagine what a cyber attack on our power grids or utilities would do to the stability of this Nation.
    It is vital to America's interests to address our cybersecurity risks sooner rather than later. I think we must utilize all of our resources in preparing and responding to a cyber attack. It is not a matter of "if"; it is a matter of "when" that will happen.
    I believe a good resource we could use is our Nation's National Guard. I am a proud original cosponsor of H.R. 1640, the Cyber Warrior Act. This bill establishes a cyber and computer network incident response team within the National Guard of every State and the District of Columbia, allowing the National Guard to assist in responding to cyber attacks.
    It would also allow the Governor of the State to activate the incident response team to help train State and local law enforcement and other responders in cybersecurity and help them develop best practices. I am going to ask all the questions to weigh in on what they think of that bill and the utilization of the National Guard.
    But before I do that I would like to ask Dr. Orgeron, could you speak to what Mississippi has done to prepare for a cyber attack?
    Mr. Orgeron. Thank you, Congressman. Be happy to.
    One of the things that we advocate at NASCIO and that we have done in Mississippi is risk assessment. So with the help of the Department of Homeland Security, in August of this year we had a tabletop exercise in our State. That tabletop brought in multiple agencies, our fusion center, and others to kind-of run through a scenario--multiple scenarios over about 2 1/2 days.
    It is in our document--in our call to action document that NASCIO worked with NEMA and NGA. One of the things that is advocated is looking at what that risk portfolio looks like.
    I will tell you that the outcome of that table-top really proved out some of the things that we have talked about here today--the fuzziness in some instances of understanding who needs to communicate with who, where those lines of authority and responsibility start and stop. We were very appreciative to the Department of Homeland Security for coming down to our great State and working with us and facilitating that process. We found it of great value.
    It is one of the things that made its way into the call to action of States doing those kinds of exercises, so I certainly would advocate for that. I think the great State of Mississippi has benefited from it.
    Mr. Meehan. Will the gentleman yield for 1 second on this?
    Mr. Orgeron--
    Mr. Palazzo. Can you give me extra time towards--fantastic. I yield to the Chairwoman.
    Mr. Meehan. I just cleared that with the Chair.
    Did you do an After-Action Report after you----
    Mr. Orgeron. I believe my chief security officer did, yes, sir.
    Mr. Meehan. Would you make that available to us, please?
    Mr. Orgeron. Of course.
    Mr. Meehan. I would like that. Thank you.
    Mr. Palazzo. Dr. Orgeron, did the State CIOs typically have access to Top Secret security clearances to help protect their State from cyber attacks?
    Mr. Orgeron. No, sir, typically not. It is my understanding that there are, I believe, two designated in each State--of course the Governor, many times it is the director of homeland security or potentially public safety. NASCIO certainly advocates that, given the rise of the impact of cyber that the State CIO be considered if more clearances were going to be allocated.
    Mr. Palazzo. So you say States get two clearances?
    Mr. Orgeron. That is my understanding, Congressman.
    Mr. Palazzo. Ms. Stempfley, would you like to add to that, and why they only receive two security clearances?
    Ms. Stempfley. Sir, I am not familiar with the limitation in that situation. I know we have actively worked to get clearances at the Secret level for State CIOs so that we can share the threat information, and generally that includes fulsome content for protection measures. So we have been actively working with NASCIO and others to get State CIOs cleared at that Secret level.
    Mr. Palazzo. Well, I have been to the TS/SCI process and I know it is lengthy, but you don't want to cut corners because you do want to make sure we have the proper people accessing that information. So, of course, if we could lift any undue restrictions that would be nice so the States can be well prepared to access these threats.
    If I may sneak in a question, you know, begin the utilization of the National Guard, the Cyber Warrior Act, if--I would just like if you all would want to share your thoughts? I will start with Mr. Molitor on the end, a fellow soldier.
    Mr. Molitor. Yes, absolutely. I spent some time in the Wisconsin National Guard so I appreciate that. That is an ideal place. When I heard it earlier during the testimony I thought that is an ideal place to house that kind of capability because that State Governor can call on the National Guard for the response locally. That is where you bring together the civilian assets, the intelligence assets, and also the military assets to address natural disasters.
    I was actually called out one time after a tornado in Wisconsin for recovery efforts, so it is the same kind of thing in my previous testimony, where the parallels between natural disasters and cyber attacks are--it is the same impact on the citizenry, and that would be a great place, I think, to house that kind of capability on each State.
    Mr. Palazzo. I definitely agree with you.
    I guess we will keep going down anybody that wants to volunteer until the Chairwoman takes away my time.
    Mrs. Brooks. Important topic, so----
    Mr. Sena. From the fusion center perspective, and also being a high-intensity drug trafficking area director in my center, we have had great support from the National Guard. They have been very good. That is the one thing that we are lacking--those folks that can go out there and help support, either through assessments or actually in reacting and responding to the threat issues.
    Every day we are bleeding a million cuts from the cyber attacks. They are doing telephone denial of services combined with cyber attack on institutions and really cutting us to the core. They move much quicker than we can.
    But having the Guard, having additional resources to deal with those threats is tremendous, so I appreciate that. Thank you, sir.
    Mr. Orgeron. Same sentiment, Congressman. I know Chairwoman Brooks mentioned in the beginning, Maryland. Maryland is one of the States highlighted in the document that has a relationship with our National Guard.
    My own personal experience post-Hurricane Katrina was the formation of a wireless commission in our State, of which the National Guard had a seat at the table. We have built 144 towers across the State to communicate in the event of another disaster. That partnership has been wonderful for the States. I would certainly expect that this one would be equally as good.
    Mr. English. Congressman, we certainly support that in Georgia and our troops are readying for that mission as we speak. I would say, though, that we need to give consideration to it being a symbol, similar to the civil support teams and the homeland security response forces that are now known as a full-time effort on a daily basis that we can work with all the time versus a weekend-type assignment.
    Mr. Palazzo. That is a good point.
    Ms. Stempfley. We have heard this morning about the need for competent, skilled resources in the cyber environment. I know in the National Initiative for Cybersecurity Education we have really been focused on understanding the State and local needs in cybersecurity, as well. I understand the Defense Department and DHS and others are studying how to best apply these particular resources and these patriots to this problem.
    Mr. Palazzo. I want to thank our witnesses.
    Madam Chairwoman, I yield back.
    Mrs. Brooks. Thank you. A very important point with respect to the National Guard and the critical role they could play and that they do play in many States.
    I am going to start on our second round of questioning, and if I--and this is to Mr. English. As I mentioned in my opening statement, you know, I did watch that movie that aired--not certain if others did--the "American Blackout," this past weekend, and it really did portray the physical consequences of a cyber attack on the electrical grid. One of the issues that was highlighted in that movie and that I actually had a discussion with folks in my district last week was the impact on hospitals.
    As a leader in emergency management, I recently visited with representatives from a hospital, and as I was getting a tour of this hospital, and particularly in the emergency department, we began talking about if there were to be an incident of a cyber attack and its effect on a hospital system. While the physicians talked about the fact that, you know, they have operated, you know, until most recently without electronic medical records and could certainly perform their duties, what they would have the most difficulty with were their diagnostic equipment--the imaging technology and all of the ability to get all of the diagnostics that they now are so accustomed to receiving in real time, very, very fast turnaround, whether it is test results or lab results.
    So I am curious from the emergency manager's perspective and the cybersecurity professionals, how do you coordinate with hospital systems and has there been a focus on that beyond making sure they have back-up generators and the fuel? What kind of coordination are we really doing with our hospitals? Because I have to tell you, this emergency department, while it has been discussed, I think they acknowledged and recognized that most have not really prepared for that possibility.
    Any discussion on that, Mr. English?
    Mr. English. Yes, ma'am.
    Whereas we can always do a lot more work--that is for sure--the NEMA, the association I represent, and the State public health directors have been, for the past 18 months, involved in a relationship where we meet at least twice a year with the leadership and discuss issues. Most recently, one of the issues that we are talking about are--is mission-ready packaging for hospitals so that in a disaster they have already quantified the type of assets that they need through our mutual aid compact that can go from one State to the next, or from a impacted area to a--or a non-impacted area to an impacted area.
    So I feel like the relationship is good. I am thankful that throughout the past 10 years that States have been able to get more capability with the grant programs that have been available, and certainly a lot of those have gone toward hospitals and readiness and communication.
    Now, the issue of the imaging and that type of thing, I am not familiar with that. But I do know that the dialogue exists.
    Mrs. Brooks. Well, and I--the hospitals certainly said they have done a tremendous amount of exercising on triaging and mass casualty events and so forth, but I think the possibility of truly a power--a significant and/or long-term power outage, I am just curious whether or not anyone else has discussed with their hospital systems this very potential possibility.
    Anyone else have any discussions with their hospitals or with their public health officials about that possibility?
    Mr. Molitor.
    Mr. Molitor. Well, I haven't had those specific discussions but there was an article in a magazine about 2 years ago focusing on a hospital in Japan in the wake of the tsunami there, and they had a micro-grid in place, and so this goes to Mr. Payne's point about the smart grid. A micro-grid is a self-sustaining--it includes electricity generation and also management for the load so that you can fuel critical loads like imaging diagnostics during an outage.
    So this whole idea of a micro-grid, a self-contained, powered administration unit within the hospital is a very real prospect. It exists today and there are hospitals, even in the wake of Hurricane Sandy, that were able to continuously operate in the middle of the rest of the area where the power was down because they had those kind of micro-grids, that smart grid technology in place.
    Mrs. Brooks. Do you have any idea roughly how many hospitals in our country might actually employ micro-grids?
    Mr. Molitor. I do not, but we have a medical imaging division within my NEMA--you have got two NEMAs up here; get a little confusing.
    Mrs. Brooks. Sure.
    Mr. Molitor. But we have a medical imaging division and I can certainly check with them to see if they have any data and report back.
    Mrs. Brooks. Okay. Thank you very much.
    At this time I will ask Ranking Member Mr. Payne if he might have any further questions.
    Mr. Payne. Thank you.
    Let's see. Mr. English and Mr. Orgeron--I am sorry.
    Mr. Orgeron. Orgeron.
    Mr. Payne. Orgeron. I apologize.
    Mr. Orgeron. That is okay.
    Mr. Payne. In 2013, the National Preparedness Report, States reported to FEMA that the lack of funding to develop robust cybersecurity capabilities significantly contributed to the lack of confidence in State cybersecurity capabilities. Can you talk about the role of Homeland Security--the homeland security grant money in developing State cybersecurity programs and how reduced funding levels have affected the States' efforts to develop those cybersecurity capabilities?
    Mr. English. The lack of funding I don't think--or the cutback in funding hasn't impacted that situation, in my opinion. I think Mr. Orgeron mentioned earlier that maybe if the grant guidance was a little broader and could entertain a more robust effort in the cybersecurity realm would be what we would like to see. Not necessarily more money, but maybe flexibility within the money that we get to be able to build out the cybersecurity assets.
    Currently in my State we do use grant money to provide cybersecurity analysts to our fusion center, but that is really a drop in the bucket on the financial side.
    Mr. Orgeron. Mr. Payne, we would agree. I mean, I think our basic position is that the formulaic nature with the way the grants work, it may not be as appropriate in terms of the cyber threat, and we think some alterations there, much to Mr. English's point, would benefit programmatically as a whole cyber initiatives in States.
    I should mention, too--it may be a good point to mention, too, that, I mean, the States are struggling with workforce issues as well. Not exactly related, but, you know, it is very difficult to recruit credentialed and excellent people.
    There is, I have been told, in essence nearly zero unemployment in this sector. So, you know, we have a very difficult time in recruitment, as well, which can impact mission.
    Mr. Payne. Okay. For you gentlemen, as well, with respect to the activities aimed at helping States prepare for, prevent, respond to, and mitigate the effect of cyber attack, what is the Federal Government doing well and what needs to be improved?
    Mr. English. I have got to sing the MS-ISAC praises. I think they are doing very well, and without great detail, had up-close and personal experience with their deployment to our State, along with our chief CIO--our CIO and the FBI and DHS and others. So I am more aware that that really worked well.
    Mr. Orgeron. I agree. We have a great relationship with MS-ISAC.
    Two other quick points: I mentioned our table-top cyber exercise that the Department--we got funding for, I think is a great, great tool at the State level to bring parties together to kind-of walk through, you know, exercises of various sorts. I think it is exceedingly beneficial to us.
    Mr. Payne. The other end, what needs to be improved?
    Speak now.
    [Laughter.]
    Mr. English. I really don't have a lot of heartburn with what is going on in the coordination effort. I think we always want to make sure that States and local governments are included in the plans before they are made so that we can have input and that we are at the table. As I mentioned earlier, creating those reasons to collaborate I think go a long way.
    Mr. Payne. So you say we are doing everything right?
    Mr. English. Out of ignorance, I would say yes.
    Mr. Payne. Okay.
    Mr. Orgeron. Well, you know, being the IT guy at the table, I think we want to be at the table when those conversations happen. I think it does vary from State to State on how those dialogues occur, but I think whether it is talking about the clearance issue or formulaic changes in grant programs, I think CIOs, or maybe even the chief security officers if not the CIO, certainly we would want them to be at the table during some of those dialogues, given the threats that we face.
    Mr. Payne. Thank you.
    Thank you, Mrs. Chairman. I yield back.
    Mr. Meehan [presiding]. Thank you. I appreciate the gentleman from New Jersey exploring those areas.
    Let me ask about the relationship that exists with the private sector, because one of the realities is 85 to 90 percent of the resources are really tied up in the private sector. We have heard numerous concerns about resources that are available, both with trained personnel and otherwise. Yet oftentimes--Mr. Molitor may be able to speak to--there are a lot of members of industries and others who have already made significant investment in individuals with skills who are there to--if we can share information appropriately--it also includes expertise.
    What is your experience in terms of--Mr. Molitor, you can jump into this question but I am interested in those who are representing State or fusion centers--what is your experience in terms of working with the private sector and how you are taking advantage of any of their assets or information sharing in your local regions?
    Mr. Sena. From my perspective I am probably the most blessed because my fusion center is in Silicon Valley area, so we have got some of the best technology companies in the world there. So we have got lots of resources and oftentimes they know better and more ways about dealing with a threat than we do in the Government or could ever think of.
    So trying to, you know, bring them on-board to make them partners with what we are doing in the fusion center, so that way when they ask us a question we can provide them with an answer. If they have the answer we can share that answer with others.
    They have, you know, bonded together over the last few decades in building Silicon Valley and the resources there, but the networks go well beyond there; they go across our country and across the world where they have, you know, resources. So trying to work closely with them, trying to give them those resources.
    The question always comes up about the clearances, and even within the fusion center ourselves, it takes us a long time to get our own people clearances, so but also trying to get them up to speed and actually physically bringing them in so we can give them briefings and actually help them solve these problems together. That is my goal.
    Mr. Meehan. So are there parts of your fusion center which include a regular seat from private industry as a member?
    Mr. Sena. We have. In fact, one of our first folks that we brought in was from the health care industry. So right now we are working with some of our power partners and utility partners to bring them into the center to get them the backgrounds, to get them the resources they need.
    Oftentimes some of these people already had worked in Government for one of the other, you know, organizations that dealt with cyber and now they are working for the private sector. So we are trying to use those resources they have to help us in our center.
    Mr. Meehan. Mr. Orgeron, are you working at all with the individuals in the private sector in your capacity?
    Mr. Orgeron. We do, Mr. Chairman. You know, States rely on telecom providers, big system integrators daily to get the work done in the States, so that reliance is absolutely there. I would expect not only in my State but in many of the States the need for dialogue and inclusion is imperative.
    Mr. Meehan. Have you worked with CERT teams at all?
    Mr. Orgeron. We have.
    Mr. Meehan. Have they been helpful?
    Mr. Orgeron. They have.
    Mr. Meehan. Ms. Stempfley, Secretary, you have been a stalwart supporter of efforts to do some of these things, but one of the council recommendations from your own advisory council was taking advantage of some of the skilled alumni in DHS, among other things, and there was an idea of trying to do outreach to make some of them available. Has there been any progress made in the idea of looking for those who have been in service at DHS and are no longer there but are still able to lend a hand at times of crises?
    Ms. Stempfley. I regret, sir, I am not familiar with the recommendation that you speak of. But one of the things we work very closely with is keeping in touch with both former DHS colleagues and those individuals in the private sector who are a part of the owners and operator community of critical infrastructure, particularly those in the IT, communications, energy, electric, and other sectors.
    I know you have been to our National Cybersecurity and Communications Integration Center, where we are very focused on integrating our private-sector partners into our operations activities and we work very closely with our private-sector partners in not just protection and planning efforts but in the response efforts, as well.
    Mr. Meehan. Yes. This was a recommendation that was called the Cyber Reserve Program that was run through DHS, and it may or may not be implemented. I know what happens. There are a lot of good ideas that sound--they get laid on your plate in the midst of all of these, and I just wondered if you had any insight on that program.
    Ms. Stempfley. Thank you for making that connection in my brain. We actually post that set of recommendations. The then-deputy secretary established a task force to look at all of the recommendations from that Homeland Security Advisory Council--set of recommendations on workforce activities. We have moved forward on many of them. The cyber reserve efforts and the potential utilization of current and former DHS colleagues in execution of this mission is one that planning activity has been underway.
    Mr. Meehan. All right. Well I thank you for that clarification.
    My time is expired and I will turn to the gentleman from Nevada, Mr. Horsford.
    Mr. Horsford. Thank you very much, Mr. Chairman, to you, to Chairwoman Brooks, to the Ranking Member Mr. Payne and Ranking Member Clarke, for holding this important and crucial hearing.
    I want to commend my colleague, Mr. Payne, for his legislation on the study for the smart grid. I know in my State and in regions throughout the country we have heard time and time again about the need to protect critical infrastructure, including, you know, our electric grid and water systems and other things that play into the grid. So I look forward to working with you on that legislation and commend you and your leadership for bringing it forward.
    After hearing the opening remarks I wanted to delve into a couple of questions that aren't on my prepared questions.
    Mr. Sena, right?
    Mr. Sena. Sena, sir.
    Mr. Horsford. So I have been in my fusion center. I am from Las Vegas--40 million visitors a year, 2 million residents in Clark County, and sheriff took me on a tour, met with all of our emergency management, first responders--local, State, Federal, and private-sector participants at that fusion center.
    What is troubling to me is you say all the right things operationally for what is needed--the integration, the sharing of information--but then we have policy that doesn't support that approach. For example, the UASI money. In my State, Las Vegas was eliminated from the top-tier funding communities for our fusion center and lost several million dollars. My hope is we will get that back and I am working with the Department and FEMA and other agencies to make the case, but the policy doesn't support the practice that you envision.
    So I would like for you to touch on how funding like UASI is critical in supporting your needs, particularly with the cybersecurity focus, which, as far as I reviewed in the primary factors of the UASI money allocation, I didn't hear cybersecurity come up enough even though it is the most emerging threat to our critical infrastructure. So can you speak to that, please?
    Mr. Sena. Absolutely, sir. Congressman, just to let--as you know, with the reductions in UASIs and the inconsistencies and how the funding goes for those grant projects to support fusion centers, fusion centers are owned and operated by State and local agencies. I myself work for the San Mateo County sheriff's office. But it is up to those regions how they develop those programs and some are highly dependent on Federal funding.
    We have some fusion centers that totally support their operations based on their own State budgets, local budgets. But when we are trying to develop programs that have a National importance, that have--meet those National priorities, those National missions, we have to develop the funding stream to support those programs.
    Basing it on--and UASIs have been great across the country, but if you have no money they have got no way to give anything to the fusion center, and therefore the fusion center cannot support their programs. That is where we are at right now.
    The other issue we have is the grant time line cycle of 2 years now, which basically means that once you get through with all the management issues of trying to move funding you have about 8 months to spend your money. Well, most people's salaries go for 12 months. That creates a little bit of a problem.
    But we have those huge issues between how the money gets to the fusion centers and how it gets devoted to those programs. Right now there is no consistency across the country in how that money is delved through. Not just in the case of the Las Vegas fusion center, but other fusion centers across the country that lost their UASI funding--to the point of some, 30 percent. How do you run an operation when you have lost 30 percent of your money or 100 percent?
    Mr. Horsford. Right.
    Mr. Sena. It is difficult.
    Mr. Horsford. Well, it is difficult when you have these emerging threats, which are ever changing. Everything you all talked about today is, you know, the people we are trying to prevent from attacking us are more creative, more resourceful, are working around the clock, and yet we are not putting in the resources to combat that.
    I think the UASI funding, Mr. Chairman, is one area that needs to still be reviewed and, you know, I am committed to doing my part in bringing forward solutions for how it needs to be reviewed. But I think the cybersecurity factor in how communities rank should be reevaluated. So I will put that on the table.
    Mr. Chairman, can I have just 1 more minute?
    Mr. Meehan. Yes. The Chairman will recognize the gentleman for a follow-up question.
    Mr. Horsford. I just want to ask about this interrelation between State and Federal entities. Given the inherently interconnected nature of the cyber landscape, why is it that harmonizing standards for the Federal Government is beneficial but requiring the same of State governments which may interface with Federal systems is not? I wanted Mr. Orgeron to answer that question.
    Mr. Orgeron. Sure. We talked about NIST earlier, and I think from a framework perspective we certainly think that having a common framework would be most beneficial, whether it is at the State level or the Federal level. Certainly a framework that would help the two entities communicate, you know, I think we believe would be a good thing.
    Mr. Horsford. Thank you.
    Mr. Meehan. I thank the gentleman.
    The Ranking Member has a follow-up question and so I recognize the Ranking Member for----
    Mr. Payne. Thank you, Mr. Chairman.
    This was a question that Congresswoman Clarke had: Cybersecurity technologies have made a major advancement over the last decade, just as the IT industry has. But the electrical grid has been built over the course of 100 years.
    So, Mr. Molitor, in terms of cybersecurity, how do we deal with the legacy equipment that was installed before anyone was thinking about cyber threats and what was to come and is here now?
    Mr. Molitor. Yes. That is a great question. Fortunately, a lot of the legacy gear doesn't have the kind of communications capabilities that makes it hackable to begin with. But if you have got a dead zone in the middle where you don't have cybersecurity capabilities built in you have to build your cyber perimeter around it. So the objective is--and especially through these smart grid technologies--is that you have the communications ability and the sensing ability on the adjacent devices so that you can identify when that device in the middle starts to underperform. So that would be the best indication that you have.
    The challenge that we have is that a lot of these assets that were installed in the electric grid have a 20-, 30-, or 40-year life span before they can be replaced by the utility companies. So, you know, part of the cure to this is being able to fix the accounting rules and the other financial rules so that they can depreciate those assets, get them out of the grid, and replace them with the ones that can respond properly to a cyber attack.
    Mr. Payne. So in your opinion--and I will close with this and I will ask each of the witnesses--you know, the legislation I have introduced, the SMART Grid Study Act, do you think that is the direction we should go so we can understand what we need to do to ensure the critical infrastructure is cyber safe?
    Mr. Molitor. Absolutely. I am a firm believer that if you want to improve something you need to measure it. You provide the mechanism to obtain that measurement.
    Mr. Payne. Mr. Sena? Same question.
    Mr. Sena. We definitely--I mean, for years we have been building a great castle with physical--sorry, sir--building a great castle with physical security issues, but we have got this moat around us that has a stream that goes right into our critical infrastructure and we are so vulnerable, but the resources are not going there. We do have to have that capability.
    We do have to have better electronic resources to deal with threat in real time but we also need analysts and people that can accept the information and know what we are looking for. Right now that is our big problem, from the high-end technical side to the people who are operating the computers within the locations, whether it is Government, whether it is critical infrastructure, you know, spear phishing, opening up the wrong e-mail can open up your network to huge issues.
    When it is considered to be the electrical grid or any of our other critical infrastructure, that can be our fall down. My goal is to prevent that as best we can, so thank you.
    Mr. Payne. Mr. Orgeron.
    Mr. Orgeron. I agree. I mean, State government, especially from a technology perspective, whether it is consolidated data centers or networks, are highly reliable on the grid, so absolutely.
    Mr. Payne. Mr. English.
    Mr. English. Absolutely. We have to have the power to make things work, and thank you for doing that.
    Mr. Payne. Okay.
    Ms. Stempfley.
    Ms. Stempfley. So we certainly have talked about the linkages between the cyber and physical environment, and one of the things that we are focused on at DHS is helping as infrastructures are upgraded--as our aging infrastructure is upgraded and takes advantage of the technology that exists today, helping them understand how to be more resilient in this cyber environment. So I think that is an important focus area.
    Mr. Payne. Well, I thank all of you witnesses.
    Just for the record, this study would not cost any more money. The money is already in place and we have offsets that would take care of the cost of the study.
    I yield back.
    Mr. Meehan. I thank the gentleman.
    I am just about prepared to gavel the hearing down but I have one question that I want to ask for those who are involved in the State side, because I know that there has been some discussion about the need we have for people who are capable of working with you in both understanding and then addressing these kinds of concerns, and then simultaneously we have got, year after year, students that are graduating from colleges and universities, junior colleges all throughout our country and they are looking for a job.
    It stuns me that we have educational institutions on the one side that are already--not looking for grant programs; they are already taking tuition. Some of these kids are going into debt to do this, and then they come out and they are saying, "Where do I get my first job?"
    Then here you are running organizations which are saying, "Boy, we need people in here." What are you doing even with your own State university systems to implement some kind of connection between the training that could take place and the availability of a workforce?
    Mr. Sena. Sir, I have to mention--and thanks in great part to our partners in the Department of Homeland Security, MS-ISAC, and our other State organizations--we actually had a pilot, you know, internship program this summer--brought some of the most brilliant people into my center. Great employees, great interns. Did some tremendous work for us.
    So we brought them in but, of course, we have no funding to pay for interns. We have no money to pay for, you know, those analysts. You know, eventually we are getting some money from our UASI to bring on some analytical staff, but, you know, we brought in eight interns who did great work and those interns across the country were also deployed--recruited by DHS, recruited through, you know, cyber exercises that they would do on the weekends to see who could, you know, do the best infiltration of systems.
    So we had the best minds out there but we have no money to hire these people and that is--you know, that is the tragedy of it. You know, great interns and, you know, free labor force for us, but we need them long-term and there is just no sustainment for that right now.
    Mr. Meehan. Do they get directed to private-sector opportunities?
    Mr. Sena. We do. We give them, you know, pass their information along to the private sector. But as was said previously, you find very few open jobs in that sector. But right now it would be great if we had that ability even to pay the interns for the time they spend with us, but also to bring them into Government work. They are just--you know, from the State perspective, you know, money has always been tight, and especially nowadays it has been tight, so trying to have funding to bring in those brilliant minds is difficult.
    Mrs. Brooks. Would the Chairman yield one moment?
    Mr. Meehan. Sure. Absolutely.
    Mrs. Brooks. I am curious, before others might respond, whether or not you are educating your governors, your mayors, your councils who appropriate the funds for your departments to understand what the cyber threat might be? Because obviously, you know, there is always a push for more police officers on the street, more fire fighters, but yet there needs to be--and when we may be calling them analysts is part of the problem in that they appear to be support staff when, in fact, they are a cyber force and can be like a street officer.
How are you \neducating the executives and those, you know, with the \nappropriations authority to, you know, make sure that they \nunderstand what the needs are, just out of curiosity?\n    Mr. Sena. I can tell you that after we made a presentation \nto our UASI on what the threat was, it immediately voted to \ngive us $400,000 right off the bat. So they see the threat. But \nthat is only if they have the funding available to allocate, \nand in this case they had the funding.\n    That funding may not be there next year, but that is the \nproblem we have. There has to be a funding source and currently \nmost States don't have the funding source other than \npotentially through those Federal grants. Those, the allocation \nvaries between those centers, like in Las Vegas, that they just \ndon't have any money for it.\n    Mr. Orgeron. We certainly do advocate with the Governor, \nelected officials, the legislature, the importance of a topic \nlike this and potentially the disconnect between really doing \ngreat Government and needing great people to do great \nGovernment that have the right skills, and this is a marked gap \nto the point.\n    To the other question, all the things Mr. Sena said--\nworking with universities on co-op programs to get students in, \ninternship programs. It is really at the local level--at the \nlocal-State level--I think more, you know, just that you can \nget them interested. I mean, States are doing phenomenal things \nacross all kinds of projects, especially in our State with a \nnew data center.\n    It tends to be keeping them is the thing. They are great \nkids, and so we do. We go to the universities regularly, go to \nrecruiting fairs regularly, and so--and we will continue both \nof those things.\n    Mr. Meehan. Well, I want to say, I think on behalf of all \nof my colleagues here, we appreciate your service. 
In many ways \nyou, as was articulated by one bit of testimony, are out of \nthere on the tip of the spear, and the experiences that you \nhave, as well, not only in what you are doing each day but by \nvirtue of analyzing the nature of the threat and the challenges \nthat we have, and then by taking the time to both prepare your \ntestimony and be responsive to our questions helps us educate--\nhelps you educate us to be your partners in working for better, \nmore efficient, more effective ways to deal with what we all \nagree, I believe, is one of the great challenges that we face \nhere and an emerging and ever-changing nature of the threat, \ndifferent from, in many ways, from those which we have been \naddressing over the course of the recent decade.\n    So I thank the witnesses for your valuable testimony and \nthe Members for their questions. The Members may have--from the \nsubcommittee may have additional questions for the witnesses, \nand if they do we ask that you would take the time to respond \nin writing. We are certainly free for any further follow-up \ninformation you would like to forward to us for the record. We \nwill keep the record open for 10 days for that purpose.\n    So without objection, the subcommittees stand adjourned. \nThank you for your testimony.\n    [Whereupon, at 11:52 a.m., the subcommittees were \nadjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n    Questions From Chairwoman Susan W. Brooks for Roberta Stempfley\n    Question 1a. FEMA has a number of incident annexes to the National \nResponse Framework, including a Cyber Incident Annex. The current Cyber \nIncident Annex was developed in 2004, nearly 10 years ago, when \ntechnology and the cyber threat were very different.\n    The draft NCIRP states that it was developed in conjunction with \nthe update of the Cyber Incident Annex. 
However, according to FEMA, the \nAnnex has not yet been updated and will be not updated until later this \nfiscal year, with an anticipated completion in fiscal year 2015.\n    Will CS&C be involved in this update?\n    Answer. The Office of Cybersecurity and Communications (CS&C), \nworking with a broad set of partners, to include the Federal Emergency \nManagement Agency, will continue to advance the dialogue around \ncoordinated planning through development of operational playbooks and \nother planning frameworks. We anticipate that CS&C would be deeply \ninvolved in any updates to the National Response Framework's Cyber \nIncident Annex.\n    Question 1b. In a broader sense, how do you work to coordinate \ncyber doctrine within the Department to ensure that the plans and \nprocedures in place are up-to-date and applicable to the current \nthreats we are facing?\n    Answer. CS&C works with the Department of Homeland Security (DHS) \nHeadquarters and other DHS components on a continuous and on-going \nbasis to coordinate cyber issues. Many of these interactions take place \nat the working level in order to keep pace with the dynamic cyber \nthreat environment. There are weekly leadership meetings consisting of \nboth internal DHS organizations as well as our interagency partners \nspecifically to coordinate on cyber issues.\n    In November 2011, DHS completed the Blueprint for a Secure Cyber \nFuture: The Cybersecurity Strategy for the Homeland Security Enterprise \n(Blueprint). The Blueprint provides a process to create a safe, secure, \nand resilient cyber environment for the homeland. The Blueprint \nidentified capabilities necessary to achieve DHS's cybersecurity goals. 
The development of the Blueprint was truly a cross-organizational,
integrated process that brought together elements of the following
components and sub-components of DHS:
  <bullet> DHS/NPPD Office of Strategy and Policy (S&P);
  <bullet> DHS/PLCY Office of Strategy, Policy, Analysis, and Risk
        (SPAR);
  <bullet> DHS/CFO Office of Program Analysis and Evaluation (PA&E);
  <bullet> DHS/Office of Intelligence and Analysis;
  <bullet> DHS/Office for Civil Rights and Civil Liberties (CRCL);
  <bullet> DHS/Office of Operations Coordination and Planning (OPS);
  <bullet> DHS/NPPD Office of Budget, Finance, and Acquisition;
  <bullet> DHS/NPPD Office of Cybersecurity and Communications (CS&C);
  <bullet> DHS/NPPD Office of Infrastructure Protection (IP);
  <bullet> DHS/Science and Technology Directorate (S&T).
    Accompanying the Blueprint is a Mission Management Plan that
prioritizes the Blueprint capabilities that DHS will mature over the
next several years. The Mission Management Plan serves as a baseline
for coordination and assignment of tasks based upon the capabilities
and responsibilities across the Department. An example of this would be
leveraging the skills and resources of the U.S. Secret Service along
with Immigration and Customs Enforcement to investigate cyber
criminals. The results of these efforts are used internally within DHS
as well as a baseline for discussions with our partners across the
interagency, State, local, Tribal, and territorial governments and the
private sector.
    Question 2a. In reviewing the National Cyber Incident Response Plan
(NCIRP), I am a little unclear of the link and cooperation between the
NCCIC and FEMA and have a couple questions regarding that link and
cooperation.
    Does FEMA currently have personnel that are stationed full-time at
the NCCIC?
    Answer. The Federal Emergency Management Agency (FEMA) does not
currently have personnel who are stationed full-time at the National
Cybersecurity and Communications Integration Center (NCCIC).
    The DHS Office of Operations Coordination and Planning has a full-
time employee stationed at the NCCIC and another full-time employee
stationed at the FEMA National Response Coordination Center (NRCC). The
National Operations Center (NOC) is also staffed by a full-time desk
officer from the NCCIC and another full-time desk officer from the FEMA
NRCC. This exchange of personnel facilitates real-time coordination and
collaboration in the event of a cyber-related incident. The NOC, NCCIC,
and NRCC continuously share information and have access to the DHS
Common Operating Picture (COP) for situational awareness. Additionally,
the NOC receives and integrates daily reporting from the NCCIC and the
NRCC. Also, the three operations centers conduct coordination calls at
least three times daily via the NOC's Operations Centers conference
calls (NOC Blast Calls).
    Question 2b. If ``YES'': Who is this person--from what office
within FEMA? If ``NO'': Do you think it would be a good idea to have a
FEMA representative at the NCCIC?
    Answer. Recognizing the potential significance of a cyber-physical
event and the value of close FEMA-NCCIC synchronization, staffs from
the two organizations meet often to discuss planning and exercise
activities and to maintain watch center-to-watch center communications.
In response to Emergency Support Function-2 activations, NCCIC
regularly deploys staff to FEMA operations centers. In the event of a
significant cyber incident, FEMA would deploy appropriate staff to the
NCCIC.
    Question 2c. How does the NCCIC communicate with FEMA on the
potential threats the NCCIC is seeing and their possible consequences
that may require FEMA to respond?
    Answer. NCCIC and FEMA communicate via watch center-to-watch center
communications. FEMA receives NCCIC situational reports and awareness
products, which highlight more significant cyber and communications
incidents and the NCCIC receives FEMA situation reports on a recurring
and routine basis.
    The DHS NOC, NCCIC, and NRCC all have access to the DHS Common
Operating Picture (COP) and Homeland Security Information Network
(HSIN). The COP and HSIN are the primary systems used for sharing and
viewing Unclassified information along with other situational awareness
products. Also, all three operation centers participate in coordination
calls at least three times daily via the NOC's Operation Centers
conference calls (NOC Blast Calls).
    Question 3. The draft National Cyber Incident Response Plan (NCIRP)
states that it ``was developed in close coordination with Federal,
State, local, territorial, and private-sector partners.'' I am
interested in hearing more about the Department's outreach process
during the development of the NCIRP because we have heard from
stakeholders that there wasn't sufficient outreach and that this is
more of a ``Federal plan'' than a ``National plan.''
    Answer. The Department of Homeland Security (DHS) developed the
National Cyber Incident Response Plan (NCIRP) in close coordination
with public and private-sector stakeholders. During the early stages of
development, DHS asked for volunteers through the Cross-Sector Cyber
Security Working Group (CSCSWG), which includes Federal and private-
sector representatives from each of the critical infrastructure sectors
and convenes under the auspices of the Critical Infrastructure
Partnership Advisory Council. The Department also sought collaboration
through intergovernmental partners, the information sharing and
analysis organization community and among Federal interagency partners.
DHS drafted the document by sending out discussion papers--generally
draft sections of the NCIRP starting with scope and purpose--and
captured notes from subsequent discussions with public and private-
sector participants. In addition to incorporating review comments into
iterative drafts of the NCIRP, DHS also held table-top exercises and
the Cyber Storm III National Exercise to further inform versions of the
draft plan. Among the participants in the table-top exercises were the
Information Technology Information Sharing and Analysis Center (ISAC),
the Communications ISAC, the Financial Services ISAC, and the Multi-
State ISAC (MS-ISAC). The MS-ISAC includes among its membership the
chief information security officers from each of the 50 States as well
as several U.S. territories and local Government representatives. Cyber
Storm III included participation from eight Cabinet-level departments,
13 States, 12 international partners, and 60 private-sector companies
and coordination bodies. Together, these entities participated in the
design, execution, and post-exercise analysis of the cyber exercise.
Participation focused on the information technology, communications,
energy (electric), chemical, and transportation critical infrastructure
sectors and incorporated various levels of play from other critical
infrastructure sectors. In addition, Cyber Storm III included the
participation of States, localities, and coordination bodies, such as
ISACs, and international governments to examine and strengthen
collective cyber preparedness and response capabilities. During the
exercise, the participant set included 1,725 Cyber Storm III-specific
system users.
     Questions From Chairwoman Susan W. Brooks for Charley English
    Question 1a. How are State officials responsible for cybersecurity
and emergency management coordinating to ensure awareness of the cyber
threats you face?
    Answer. The type and scope of coordination occurring between State
officials responsible for cybersecurity and emergency management
officials vary widely by State. In a survey NEMA conducted in February
2013, we learned no clear best practice exists in assigning
responsibility of coordination of resources to prepare for, respond to,
or recover from a cyber attack. Only 41.9 percent of States cited a
specific director. Of the 41.9 percent, responsibility ranges from the
emergency management officials to IT, homeland security, and the fusion
center. Where those responsibilities diverge, coordination occurs much
in the same way as it would with any other all-hazards risk.
    Question 1b. What support are you getting from DHS in that regard?
    Answer. Programmatic offices such as the Office of Cybersecurity
and Communications (CS&C) within DHS continue admirable work in their
outreach to State and local officials. The larger challenge however is
that the overall DHS effort, to include agencies such as FEMA, must be
comprehensive and coordinated in order to ensure all the nuances of the
threat and impact of consequences receive appropriate attention. In
recent years, as the issue of cybersecurity grows, agencies have a
tendency to create niches within the Department instead of adopting a
comprehensive approach. Without a cohesive strategy from the National
level addressing the consequences of a cyber attack, we run the risk of
being unprepared should an event occur.
    Question 1c. What more could they be doing?
    Answer. DHS must recognize the impacts of a cyber attack extend
beyond public-private relationships or simply securing networks. To
date, the Department offers little guidance on the potential depth and
breadth of cyber consequences. A deeper analysis must be accomplished
on current disaster-related statutes such as the Stafford Act to
consider whether such attacks would be eligible for Federal assistance.
If so, guidance must be provided to the States. If not, an on-going
dialogue must occur so all interested parties understand the current
limitations of State and local governments in these economically-
constrained times.
    Question 1d. Is there anything Congress can do to help?
    Answer. As Congress considers legislative options, the needs of the
State and locals ultimately responsible for the consequences of a cyber
attack must be first and foremost. In May of last year, NEMA joined
with nine other associations to ask Congress for your consideration of
key principles and values when considering cybersecurity legislation.
In addition to consideration of the principles and values, Congress
must work with DHS ensuring all potential consequences of a cyber
attack are thoroughly considered in appropriate authorities such as the
Stafford Act.
    Question 2. A movie titled ``American Blackout'' that aired in
October portrayed the physical consequences of a cyber attack on the
electrical grid. One of the major issues highlighted was the impact on
hospitals.
    I recently visited with representatives from a hospital in my
district and we discussed cybersecurity. The doctors, particularly
those from the emergency department, are extremely concerned with their
ability to function in the event of a cyber attack that impacts their
power supply. This goes beyond medical records. They are very concerned
about access to imaging technology that saves lives.
    In the event of a cyber incident that impacts the electric grid,
how would emergency managers and cybersecurity professionals coordinate
with each other and the private sector to determine how soon the
problem could be fixed and in turn properly identify necessary
resources to assist hospitals beyond the generators and fuel they
regularly keep on hand?
    Answer. We would typically treat this type of incident just as any
other. Emergency managers operate in an all-hazard environment and
would coordinate with the cybersecurity professionals as we would any
other Emergency Support Function (ESF). The resources would be done the
same way. There are many disasters that affect our power grid, from ice
storms to major storm fronts. It takes a Federal-State coordinated
approach to create and improve a threat-specific annex to State
Emergency Operation Plans. Emergency management plans are intended to
address impacts of all hazards, regardless of cause.
    Question 3. States have repeatedly identified cybersecurity as the
lowest core capability in their State preparedness reports. To your
knowledge, when developing this assessment, were State chief
information officers or chief information security officers involved in
the process?
    Answer. While the exact number is not known, the collaboration and
inclusion between chief information officers and emergency management
officials is increasing due to the threat and the increasing awareness
of the issue. For example, in the State of Ohio, the State Security
Information Officer was involved in the responses to cybersecurity in
the State preparedness report. In Arkansas, the Chief Information
Officers as well as the Chief Information Security Officers are
involved in the process of identifying core capabilities.
      Questions From Chairwoman Susan W. Brooks for Craig Orgeron
    Question 1a. How are State officials responsible for cybersecurity
and emergency management coordinating to ensure awareness of the cyber
threats you face?
    Answer. Coordination on cybersecurity varies drastically from State
to State. This has to do with different models of State governance and
centers of authority for cybersecurity response and emergency
management. This is not only reflective of the different maturities
regarding readiness to respond to cyber threats in the States, but also
the diverse topography of State governments. There is increasing
coordination between State CIOs with emergency managers and other
agency officials regarding disaster continuity, recovery, and emergency
management. As referred to in my testimony, NASCIO's 2013 State CIO
Survey states:

``Not surprisingly, disaster recovery and business continuity are
issues that continue to receive increased attention in the State CIO
community . . . We asked CIOs how they approached these initiatives
within their State. As Figure 13 shows, almost two-thirds of States
pursue a federated strategy with responsibilities split between the CIO
and State departments and agencies.''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    While our research shows increasing collaboration between State
emergency managers and State CIOs, it is difficult to describe how a
State would react to a cyber incident impacting a hospital as described
in the question. The primary reason: With public-sector cybersecurity
being such a nascent area, States have divergent governance and
procedures in place to deal with significant attacks on critical
infrastructure. Virtually every State has some means to provide
support, whether through State police, its fusion center, or another
State agency.
    Further complicating matters, data does not exist to make extensive
claims to best practices when it comes to governance. While several
States have held cybersecurity exercises and learned from the
experiences, the effectiveness of one governance model over another has
not been thoroughly and publicly tested by real-world events.
    Beyond this uncertainty, there are significant legal questions to
be considered. For instance, a private hospital may not be able to take
advantage of certain public resources. It is unclear whether a private
entity could receive support from the National Guard without the
declaration of a state of emergency by a Governor. Other questions come
into play, as well: Legal liabilities, cyber forensics of a virtual
crime scene, and more. The area simply has not been defined. The legal
implications are an area that is ripe for Congress to explore.
    Question 1b. What support are you getting from DHS in that regard?
    Answer. There are several venues and tools from DHS or funded by
DHS that provide State governments with additional awareness of and
support in thwarting cyber threats. Perhaps the most prominent of these
are the National Cybersecurity and Communications Integration Center
(NCCIC), United States Computer Emergency Readiness Team (US-CERT), and
Multi-State Information Sharing and Analysis Center (MS-ISAC).
Complementing and supporting State fusion centers and similar technical
support is also of significant value as long as DHS ensures it is
supporting the State's cybersecurity governance model. Broader efforts
such as the National Initiative for Cybersecurity Education (NICE) are
also vital for States to receive the type of talent they need to secure
their systems, and should be expanded.
    Question 1c. What more could they be doing?
    Answer. In many States, neither Chief Information Officers nor
their Chief Information Security Officers are cleared to the Top Secret
level--only the Secret level. Therefore, they cannot receive vital
information from the intelligence community on the most advanced
international threats against our networks without explicit intention
and additional pre-clearance. While DHS certainly would include a State
CIO or his CISO in such a conversation, it is not so certain the rest
of the intelligence community would know to reach out to the State CIO
and clear them for such a briefing. This should be remedied.
    NASCIO hopes that greater information sharing and better tools to
disseminate this information will be released as part of the
implementation of Executive Order 13636 and Presidential Policy
Directive 21. NASCIO and its members are pleased with the on-going
effort to provide greater declassification of cyber threat information
as part of the EO, and look forward to seeing greater results.
    In addition, we believe the National Cyber Security Review could be
followed up with the promise of Federal technical assistance to State
and local participants who lag behind in vital areas. This will have
the dual benefit of safeguarding citizen data and encouraging greater
participation in National level vulnerability assessments.
    Efforts to provide support for cyber education among public
employees in the States and broader social awareness of on-line
threats, similar to public awareness campaigns in the vein of ``see
something, say something,'' are also valuable.
    Question 1d. Is there anything Congress can do to help?
    Answer. While opportunities for limited Federal assistance for
cyber threats have been included in the National Preparedness Grant
Program (NPGP), its shrinking pool of resources coupled with a
formulaic structure that favors hardening targets against attacks at
the jurisdictional level means States typically only have enough
funding to maintain legacy homeland security investments and administer
grants to local governments. For NPGP to meet the current threats faced
by our States and localities, changes will need to be made to this
program by Congress.
    Greater resources for technical programs that support information
sharing, technical assistance, and cyber threat exercises would be
valuable, as well. Efforts to increase the public sector cyber
workforce, ranging from targeted initiatives such as the DHS National
Initiative for Cybersecurity Education to supporting computer science
education in schools at every level, are extremely valuable. Such
programs should be expanded and supported--both for the sake of our
Nation's homeland security and our economic security. Larger public
service campaigns to increase knowledge of the risks on-line, in the
model of ``see something, say something'' or ``click-it or ticket''
would help reduce risk to both public and private-sector networks.
    Question 2. As you may know, as a condition of receiving State
Homeland Security Grant Program funding, the State Administrative
Agency (SAA), which is usually either the State Homeland Security
Advisor or Emergency Manager, must complete a Threat and Hazard
Identification and Risk Assessment, which, as the name suggests,
details threats and hazards facing each State. Some States, including
my home State of Indiana, have included cybersecurity in their THIRAs.
    To your knowledge, have your colleagues been included in this
process to ensure the SAAs have the best picture of the cyber threats
they face?
    Answer. Unfortunately, NASCIO has no data on how many States
include cybersecurity in their THIRAs, and whether SAAs have included
their State CIOs in the THIRA process. NASCIO will review this
question with its membership and attempt to provide the committee with
a well-researched answer in the near future.
        Questions From Chairwoman Susan W. Brooks for Mike Sena
    Question 1a. Your fusion center is one of a small number of fusion
centers in the National Network proactively incorporating cybersecurity
into its mission. I applaud you and your fusion center's efforts in
this challenging environment.
    What Federal, State, and local partnerships have you developed to
help the NCRIC contribute to this important mission?
    Answer. Response was not received at the time of publication.
    Question 1b. What analytical products and situational awareness
reports has the NCRIC produced? Do you have a sense as to how these
products have been perceived by your partners?
    Answer. Response was not received at the time of publication.
    Question 1c. How is the National Fusion Center Association working
to advance cybersecurity efforts across the National Network?
    Answer. Response was not received at the time of publication.
       Question From Chairwoman Susan W. Brooks for Paul Molitor
    Question. Mr. Molitor, in your testimony you mention the NEMA Field
Representative Program.
    Would you please tell us more about this program and how, if at
all, these experts are available as a resource to emergency management
officials during an emergency?
    Answer. NEMA is the association of electrical equipment and medical
imaging manufacturers, founded in 1926 and headquartered in Rosslyn,
Virginia. Its 400-plus member companies manufacture a diverse set of
products including power transmission and distribution equipment,
lighting systems, factory automation and control systems, and medical
diagnostic imaging systems. The U.S. electroindustry accounts for more
than 7,000 manufacturing facilities, nearly 400,000 workers, and over
$100 billion in total U.S. shipments.
    The NEMA Field Representative Program is geared toward providing
information and training to government officials (including building
code officials, electrical inspectors, and emergency managers),
maintaining the lines of communications between these individuals and
the manufacturing community, and assisting in the wake of disasters.
\nThe relationships forged in advance of the disaster are invaluable in \nthe ensuing confusion and turmoil. As advocates of safe electrical \nsystems and installations, NEMA Field Representatives make a valuable \ncontribution to public safety.\n    NEMA has four Field Representatives located in regional offices \naround the country. Their regions of coverage are aligned with the \nInternational Association of Electrical Inspectors (IAEI) Section \nRegions. The representatives are:\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    (1) Mike Stone.--Region: AK, AZ, CA, HI, ID, MT, NV, NM, OR, UT, \n        WA.\n    (2) Donald Iverson.--Region: WY, CO, ND, SD, NE, KS, MN, IA, MO, \n        AR, WI, IL, MI, IN, KY, OH, WV.\n    (3) Paul Abernathy.--Region: TX, OK, LA, MS, TN, AL, FL, GA, SC, \n        NC, VA.\n    (4) Jack Lyons.--Region: ME, NH, VT, NY, MA, RI, CT, NJ, PA, MD, \n        DE, DC.\n                       preparing for emergencies\n    One of the most important functions of the field representatives is \nto support a 3-year adoption cycle by States and local jurisdictions \nfor National model building codes--including electrical, life safety, \nand energy--to coincide with the 3-year National revision cycles. These \ncodes are:\n  <bullet> NFPA 70 National Electrical Code;\n  <bullet> NFPA 101 Life Safety Code;\n  <bullet> NFPA 99 Health Care Facilities Code;\n  <bullet> NFPA 72 National Fire Alarm and Signaling Code;\n  <bullet> NFPA 720 Carbon Monoxide Detection Code;\n  <bullet> International Building Code (IBC);\n  <bullet> International Residential Code (IRC);\n  <bullet> International Energy Conservation Code (IECC);\n  <bullet> International Green Construction Code (IgCC);\n  <bullet> International Fire Code (IFC).\n    National model building codes provide the blueprint for \nconstructing residential, commercial, and institutional buildings and \nother structures. 
They prescribe the minimum safety and performance \nstandards which allow occupants to live and operate in a safe and \noptimally-performing building. Model building codes also prescribe the \nlatest advancements in energy efficiency, resiliency in building \nstructure, and life safety through the use of hazardous elements \ndetection. The codes are revised through an open and transparent \nstakeholder process led by the International Code Council (ICC) and \nNational Fire Protection Association (NFPA) every 3 years to \nincorporate advances in safety and technology in homes and buildings. \nTherefore, timely adoption in accordance with the National model \nrevision schedule is vitally important.\n    Direct adoption and enforcement of the latest building codes every \n3 years provides:\n  <bullet> enhanced safety to homeowners and building occupants through \n        the use of the latest technology and knowledge in life safety \n        (i.e., emergency lighting; fire, smoke, and carbon monoxide \n        detection) and electrical hazard protection (i.e., arc fault \n        circuit interrupters, ground fault circuit interrupters);\n  <bullet> utilization of the latest advancements in technology, \n        enabling the use of on-site energy generation for back-up power \n        and for ensuring the structural integrity of buildings.\n    Proper installation of electrical equipment is key to safety and \nresiliency. The NEMA Field Representative Program provides training to \nState and local code officials, inspectors, and installers on the \nlatest codes and on the proper installation and use of NEMA member \nproducts.\n                       recovering from disasters\n    While preparation is essential, loss of life and damage to property \nwill inevitably occur. 
One responsibility of a NEMA Field \nRepresentative is to make himself available to Government officials \nafter a natural disaster.\n    Because safety is of paramount importance to our member companies, \nall time, travel, and materials associated with the Field \nRepresentative Program are paid for by NEMA members. In years past, NEMA \nField Representatives have visited areas destroyed by Hurricanes Irene, \nKatrina, and Sandy. They've also responded to both flood and snow \nemergencies in the Midwest, as well as the Colorado flood earlier this \nyear. In January of 2010, NEMA offered its Field Representatives to \nassist in Haiti after its devastating earthquake.\n    When disaster strikes, NEMA promotes a number of resources for \npublic officials addressing major infrastructure damage. NEMA's user-\nfriendly Evaluating Water-Damaged Electrical Equipment \\1\\ and \nEvaluating Fire- and Heat-Damaged Electrical Equipment guides are \ncritical resources for protecting life and property after a disaster. \nAdditionally, Storm Reconstruction: Rebuild Smart offers strategies for \nreconstructing electrical infrastructure in such a way that mitigates \nfuture disasters. All of these resources are available on NEMA's \nwebsite, www.nema.org.\n---------------------------------------------------------------------------\n    \\1\\ http://www.nema.org/Standards/Pages/Evaluating-Water-Damaged-Electrical-Equipment.aspx#download.\n---------------------------------------------------------------------------\n    As rebuilding commences, NEMA Field Representatives assist in \nsolving problems involving the installation of NEMA member products by \nserving as intermediaries between Government officials and NEMA member \ncompanies. Decision makers should involve NEMA in the wake of disasters \nand a recent example highlights this.\n    In the wake of Superstorm Sandy, the New Jersey Department of \nConsumer Affairs (DCA) issued a directive for installers. 
The DCA \nstated that for wiring that had been submerged under water, ``If \nundamaged, no replacement is necessary.''\\2\\ This directive is at best \nunclear and the DCA implied on its web page the continued use of \npreviously submerged wire is fine by stating that equipment was safe to \nuse for 90 days.\n---------------------------------------------------------------------------\n    \\2\\ http://www.nj.gov/dca/divisions/codes/alerts/pdfs/\nhurricane_sandy_guidance_11_2012.pdf.\n---------------------------------------------------------------------------\n    This position does not comport with the NEMA recommendations in \nEvaluating Water-Damaged Electrical Equipment.\n    The guide states:\n\n``Electrical equipment exposed to water can be extremely hazardous if \nreenergized without performing a proper evaluation and taking necessary \nactions. Reductions in integrity of electrical equipment due to \nmoisture can affect the ability of the equipment to perform its \nintended function. Damage to electrical equipment can also result from \nflood waters contaminated with chemicals, sewage, oil, and other \ndebris, which will affect the integrity and performance of the \nequipment. Ocean water and salt spray can be particularly damaging due \nto the corrosive and conductive nature of the salt water residue.\n`` . . . \n``4.6 Wire, Cable and Flexible Cords When any wire or cable product is \nexposed to water, any metallic component (such as the conductor, \nmetallic shield, or armor) is subject to corrosion that can damage the \ncomponent itself and/or cause termination failures. If water remains in \nmedium voltage cable, it could accelerate insulation deterioration, \ncausing premature failure. 
Wire and cable listed for only dry locations \nmay become a shock hazard when energized after being exposed to water.\n``Any recommendations for reconditioning wire and cable in Section 1.0 \nare based on the assumption that the water contains no high \nconcentrations of chemicals, oils, etc. If it is suspected that the \nwater has unusual contaminants, such as may be found in some \nfloodwater, the manufacturer should be consulted before any decision is \nmade to continue using any wire or cable products.''\n\n    NEMA Field Representatives expressed their objection to the DCA \ndirective after it was issued, but NEMA's concerns were not addressed, \nand have yet to be. Subsequent to issuance of the directive, tragedy \nstruck Seaside Park and Seaside Heights, New Jersey, when more than 50 \nbusinesses on the boardwalk were destroyed by fire. Investigators have \nruled the fire accidental and believe electrical wiring that had been \nsubmerged by seawater during Superstorm Sandy is the culprit.\n    NEMA continues to advocate for electrical safety in New Jersey and \nacross the country.\n\n                                 <all>\n</pre></body></html>\n"