[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


   ENHANCING PREPAREDNESS AND RESPONSE CAPABILITIES TO ADDRESS CYBER 
                                THREATS

=======================================================================

                              JOINT HEARING

                               BEFORE THE
                               
                       SUBCOMMITTEE ON EMERGENCY
                        PREPAREDNESS, RESPONSE,
                           AND COMMUNICATIONS

                                AND THE

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 24, 2016

                               __________

                           Serial No. 114-71

                               __________

       Printed for the use of the Committee on Homeland Security

[[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________
                               
                               
                     U.S  GOVERNMENT PUBLISHING OFFICE
23-243 PDF                     WASHINGTON : 2017                     
___________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected].  



                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island
    Chair                            Brian Higgins, New York
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Lou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania            Filemon Vela, Texas
Curt Clawson, Florida                Bonnie Watson Coleman, New Jersey
John Katko, New York                 Kathleen M. Rice, New York
Will Hurd, Texas                     Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
                   Brendan P. Shields, Staff Director
                    Joan V. O'Hara,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

  SUBCOMMITTEE ON EMERGENCY PREPAREDNESS, RESPONSE, AND COMMUNICATIONS

               Daniel M. Donovan, Jr., New York, Chairman
Tom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey
Mark Walker, North Carolina          Bonnie Watson Coleman, New Jersey
Barry Loudermilk, Georgia            Kathleen M. Rice, New York
Martha McSally, Arizona              Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
             Kerry A. Kinirons, Subcommittee Staff Director
                    Kris Carlson, Subcommittee Clerk
           Moira Bergin, Minority Subcommittee Staff Director

                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                    John Ratcliffe, Texas, Chairman
Peter T. King, New York              Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             Loretta Sanchez, California
Scott Perry, Pennsylvania            Sheila Jackson Lee, Texas
Curt Clawson, Florida                James R. Langevin, Rhode Island
Daniel M. Donovan, Jr., New York     Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Brett DeWitt, Subcommittee Staff Director
                    Katie Rashid, Subcommittee Clerk
       Christopher Schepis, Minority Subcommittee Staff Director
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Daniel M. Donovan, Jr., a Representative in 
  Congress From the State of New York, and Chairman, Subcommittee 
  on Emergency Preparedness, Response, and Communications:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Donald M. Payne, Jr., a Representative in Congress 
  From the State of New Jersey, and Ranking Member, Subcommittee 
  on Emergency Preparedness, Response, and Communications:
  Oral Statement.................................................     3
  Prepared Statement.............................................     5
The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................     5
  Prepared Statement.............................................     7
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Prepared Statement.............................................     8
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     9

                               Witnesses

Mr. Mark Ghilarducci, Director, Emergency Services, Office of the 
  Governor of California:
  Oral Statement.................................................    10
  Prepared Statement.............................................    13
Mr. Daniel J. Cooney, Assistant Deputy Superintendent, Office of 
  Counter Terrorism, New York State Police:
  Oral Statement.................................................    17
  Prepared Statement.............................................    18
Brigadier General Steven Spano, (Retired, USAF), President and 
  Chief Operating Officer, Center for Internet Security:
  Oral Statement.................................................    22
  Prepared Statement.............................................    23
Mr. Mark Raymond, Vice President, National Association of State 
  Chief Information Officers:
  Oral Statement.................................................    28
  Prepared Statement.............................................    30
Mr. Robert Galvin, Chief Technology Officer, Port Authority of 
  New York and New Jersey:
  Oral Statement.................................................    33
  Prepared Statement.............................................    34

 
   ENHANCING PREPAREDNESS AND RESPONSE CAPABILITIES TO ADDRESS CYBER 
                                THREATS

                              ----------                              


                         Tuesday, May 24, 2016

     U.S. House of Representatives,        
      Committee on Homeland Security,      
   Subcommittee on Emergency Preparedness, 
          Response, and Communications, and
     Subcommittee on Cybersecurity, Infrastructure 
             Protection, and Security Technologies,
                                            Washington, DC.
    The subcommittees met, pursuant to call, at 10:07 a.m., in 
Room 311, Cannon House Office Building, Hon. Daniel M. Donovan 
[Chairman of the Subcommittee on Emergency Preparedness, 
Response, and Communications] presiding.
    Present: Representatives Donovan, Walker, McSally, 
Ratcliffe, Watson Coleman, Jackson Lee, Langevin, and Payne.
    Mr. Donovan. The Subcommittees on Emergency Preparedness, 
Response, and Communications and Cybersecurity, Infrastructure 
Protection, and Security Technologies will come to order. The 
subcommittees are meeting today to receive testimony regarding 
efforts to enhance preparedness and response capabilities to 
address cyber threats.
    I now recognize myself for an opening statement. First, I 
would like to thank Chairman Ratcliffe and Ranking Member 
Richmond for working with me and Ranking Member Payne on this 
issue. Also, I would like to thank all out of our witnesses 
today for coming to join us in this important discussion.
    We are all aware the cyber threat is real, from both state 
and non-state actors. The countless cyber attacks against the 
United States and its citizens, including major attacks against 
Target, Home Depot, OPM, and Anthem are just the tip of the 
iceberg.
    I believe that the number and magnitude of attacks will 
only increase, especially as more and more of our lives become 
connected to the internet. It is imperative that we ensure that 
our State and local officials, as well as our first responders, 
are prepared to protect against and respond to a cyber attack.
    Furthermore, we are seeing an increase in the number of 
cyber attacks that, if successful, can cause widespread 
physical damages to a community and require a whole-of-
community response. Already, state and non-state actors have 
attempted to interfere with 9-1-1 call centers, sent out 
inaccurate alerts and warnings, and tried to take over the 
controls of a dam. While we have taken numerous steps to 
enhance our capabilities, we have a long way to go in 
addressing these threats.
    As a member of Chairman Ratcliffe's subcommittee, I have 
heard about the progress the Federal Government, States, and 
localities have made in enhancing our cybersecurity 
capabilities. But I am left scratching my head when I see that 
for the fourth year in a row, the National preparedness report 
released by FEMA indicates that States continue to report 
cybersecurity as the lowest core capability.
    What is preventing us from reaching the appropriate level 
of cybersecurity? What obstacles are States facing, and what 
can we do to help? I am especially interested in learning more 
about what happens after a cyber attack that has physical 
consequences. Who is in charge of the response, and how are 
first responders coordinating with cyber officials who are 
trying to mitigate the attack? I know States like California 
have set up a task force to answer these exact questions.
    Additionally, in 2012, the National-Level Exercise looked 
at the Nation's ability to respond to a large-scale cyber 
attack with physical consequences. One of the key 
recommendations from this exercise was to finalize a cyber 
response plan that clearly defines the roles and 
responsibilities of all of the potential response entities.
    Four years since that exercise and 6 years since the 
interim draft of the National cyber incident response plan was 
released, we do not have a finalized and approved plan. 
Developing and finalizing this plan needs to be a priority of 
the Federal Government. I understand that the Department plans 
to finally begin stakeholder engagement on the development of 
the final plan in the coming weeks. I certainly hope that they 
will be engaging with all of today's witnesses to get their 
feedback.
    Also, I have heard that while sharing cyber information is 
becoming more prevalent, there is still confusion on who States 
should talk to when an incident occurs. The sharing of cyber-
related information with the emergency management and first 
response communities is, at best, ad hoc.
    These people are going to be the first on the scene and 
should have insight into whether the incident they are 
responding to has been caused by a cyber attack. Can States 
utilize their fusion centers to be a force multiplier to 
disseminate critical cyber information? I know that my State is 
taking this approach, and I am interested to hear if it has 
been successful.
    A few years ago, Secretary Johnson made a statement that I 
feel is still true today. He said, ``Cybersecurity is a shared 
responsibility, and it boils down to this: In cybersecurity, 
the more systems we secure, the more secure we are. We are all 
connected on-line, and a vulnerability in one place can cause a 
problem in many other places. So everyone needs to work on 
this. Government officials and business leaders, security 
professionals and utility owners and operators.'' That is why 
we are here today.
    I want to thank all the witnesses for testifying today, and 
I look forward to highlighting the good work that you are all 
doing to enhance your cybersecurity capabilities and learning 
about what areas are still a challenge and how the Federal 
Government can help in mitigating those gaps.
    [The statement of Chairman Donovan follows:]
              Statement of Chairman Daniel M. Donovan, Jr.
                              May 24, 2016
    First, I'd like to thank Chairman Ratcliffe and Ranking Member 
Richmond for working with me and Ranking Member Payne on this issue. 
Also, I would like to thank all the witnesses for coming today to join 
in this important discussion.
    As we are all aware, the cyber threat is real from both state and 
non-state actors. The countless cyber attacks against the United States 
and its citizens, including major attacks against Target, Home Depot, 
OPM, and Anthem, are just the tip of the iceberg. I believe that the 
number and magnitude of attacks will only increase, especially as more 
and more of our lives become connected to the internet. It is 
imperative that we ensure that our State and local officials as well as 
our first responders are prepared to protect against and respond to a 
cyber attack.
    Furthermore, we are seeing an increase in the number of cyber 
attacks that if successful can cause wide-spread physical damages to a 
community and require a whole-of-community response. Already, state and 
non-state actors have attempted to interfere with 9-1-1 call centers, 
send out inaccurate alerts and warnings, and tried to take over the 
controls of a dam. While we have taken numerous steps to enhance our 
capabilities, we have a long way to go in addressing these threats.
    As a Member of Chairman Ratcliffe's subcommittee, I have heard 
about the progress the Federal Government, States, and localities have 
made in enhancing our cybersecurity capabilities, but I'm left 
scratching my head when I see for the fourth year in a row, the 
National Preparedness Report, released by FEMA, indicates that States 
continue to report cybersecurity as the lowest core capability. What is 
preventing us for reaching the appropriate level of cybersecurity? What 
obstacles are States facing and what can we do to help?
    I'm especially interested in learning more about what happens after 
a cyber attack that has physical consequences. Who is in charge of the 
response and how are first responders coordinating with cyber officials 
who are trying to mitigate the attack? I know States like California 
have set up task forces to answer these exact questions.
    Additionally, in 2012, the National Level Exercise looked at the 
Nation's ability to respond to a large-scale cyber attack with physical 
consequences. One of the key recommendations from this exercise was to 
finalize a cyber response plan that clearly defines the roles and 
responsibilities of the all the potential response entities.
    Four years since the exercise and 6 years since the interim draft 
of the National Cyber Incident Response Plan (NCIRP) was released, we 
still do not have a finalized and approved NCIRP. Developing and 
finalizing this plan needs to be a priority of the Federal Government. 
I understand that the Department plans to finally begin stakeholder 
engagement on the development of the final plan in the coming weeks. I 
certainly hope they will be engaging with all of the witnesses at 
today's hearing to get their feedback.
    Also, I have heard that while sharing cyber information is becoming 
more prevalent, there is still confusion on who States should talk to 
when an incident occurs and the sharing of cyber-related information 
with the emergency management and first responder communities is ad hoc 
at best.
    These people are going to be the first on the scene and should have 
insight into whether the incident they are responding to has been 
caused by a cyber attack. Can States utilize their fusion centers to be 
a force multiplier to disseminate critical cyber information? I know my 
State is taking this approach and I'm interested to hear if it has been 
successful.
    A few years ago, Secretary Johnson made a statement that I feel is 
still true today. He said ``[c]byersecurity is a shared responsibility, 
and it boils down to this: In cybersecurity, the more systems we 
secure, the more secure we are. We are all connected on-line and a 
vulnerability in one place can cause a problem in many other places. So 
everyone needs to work on this: Government officials and business 
leaders, security professionals and utility owners and operators.'' And 
that is why we are here today.
    I want to thank all the witnesses for testifying today and I look 
forward to highlighting the good work you all are doing to enhance your 
cybersecurity capabilities and learning about what areas are still a 
challenge and how the Federal Government can help in mitigating those 
gaps.

    Mr. Donovan. The Chair now recognizes the gentleman from 
New Jersey, Mr. Payne, for an opening statement he may have.
    Mr. Payne. Good morning. I would like to thank Chairmen 
Donovan and Ratcliffe for holding today's hearings to assess 
our ability to respond to cyber threats. The last time our 
subcommittee held a joint hearing on the subject was in the 
113th Congress, about 3 years ago. What we have learned is that 
cyber threats are the new frontier of disaster response.
    Our legacy response doctrine from the National Response 
Framework to the Stafford Act are rooted in the era that 
predates reliance on cyber networks and growing threats posed 
by sophisticated actors. Despite our best efforts to ensure 
that our National preparedness doctrine is responsive to 
evolving threats, it has not kept pace with cyber threats.
    My district is rich with critical infrastructure, all of 
which rely on cyber networks. Within 2 miles, we have major 
transit systems, chemical facilities, and refineries mixed 
among homes, schools, and hospitals. A hack of any one of these 
targets could have devastating, cascading effects and could 
risk overwhelming our brave first responders. We know that the 
threat is real.
    Earlier this year, Iranian hackers breached the Bowman 
Avenue's Dam network in Rye, New York. Fortunately, the dam was 
off-line for repair when the authorities discovered this 
breach. But I am worried that it is only a matter of time 
before the hackers are successful, and we need to be prepared 
when they are.
    I applaud efforts at the State level to confront cyber 
threats head on. Some States, like California and my home State 
of New Jersey, have established State-level cyber information-
sharing centers modeled after the National Cybersecurity and 
Communications Integration Center, or NCCIC. I would be 
interested to learn whether these centers facilitate improved 
information sharing and encourage better relationships among 
non-traditional partners who would play an important role in 
cyber response.
    At the same time, I would be remiss if I did not note that 
while States annually indicate that they lack the confidence in 
their cybersecurity capabilities in the National preparedness 
report, very few invest homeland security grant funding to 
address the capability gap. I would be interested in 
understanding why. Is it because the Federal Government has not 
provided adequate guidance on how to address the threat or 
whether the amount of grant funds available after cuts to grant 
programs in the recent years prevent States from investing in 
cyber capability?
    The witnesses at that hearing made two points that stuck 
with me: First, the witnesses emphasized that the response to 
cyber attacks will require people from chief information 
officers to emergency managers to private-sector partners to 
break out of their silos and coordinate with non-traditional 
partners; second, they said that the existing disaster response 
guidance does not adequately address the complexities of 
responding to cyber events these days.
    I look forward to hearing our witnesses' opinions on how 
the National Incident Management System, the National Response 
Framework, and other disaster management doctrine should be 
updated to reflect the unique qualities of a cyber event. I 
appreciate the witnesses for being here today, and I look 
forward to their testimony.
    With that, Mr. Chair, I yield back.
    [The statement of Ranking Member Payne follows:]
            Statement of Ranking Member Donald M. Payne, Jr.
                              May 24, 2016
    The last time our subcommittees held a joint hearing on this 
subject was during the 113th Congress--about 3 years ago. What we 
learned is that cyber threats are the new frontier of disaster 
response.
    Our legacy response doctrine--from the National Response Framework 
to the Stafford Act--are rooted in an era that predates reliance on 
cyber networks and growing threats posed by sophisticated hackers. 
Despite our best efforts to ensure that our National preparedness 
doctrine is responsive to evolving threats, it has not kept pace with 
cyber threats.
    My district is rich with critical infrastructure, all of which rely 
on cyber networks. Within 2 miles, we have major transit systems, 
chemical facilities, and refineries mixed among homes, schools, and 
hospitals. A hack of any one of these targets could have devastating 
cascading effects and could risk overwhelming our brave first 
responders.
    And we know the threat is real. Earlier this year, Iranian hackers 
breached the Bowman Avenue Dam network in Rye, New York. Fortunately, 
the dam was off-line for repair when the authorities discovered the 
breach. But I am worried it is only a matter of time before the hackers 
are successful--and we need to be prepared when they are.
    I applaud efforts at the State level to confront the cyber threat 
head on. Some States--like California and my home State of New Jersey--
have established State-level cyber information-sharing centers modeled 
after the National Cybersecurity and Communications Integration Center. 
I will be interested to learn whether these centers facilitate improved 
information sharing and encourage better relationships among non-
traditional partners who would play important roles in a cyber 
response.
    At the same time, I would be remiss if I did not note that while 
States annually indicate that they lack confidence in their 
cybersecurity capabilities in the National Preparedness Report, very 
few invest Homeland Security Grant funding to address that capability 
gap.
    I will be interested in understanding why--is it because the 
Federal Government has not provided adequate guidance on how to address 
the threat or whether the amount of grant funds available after cuts to 
grant programs in recent years prevents States from investing in cyber 
capabilities?
    While I am on the subject of grant funds, I have been outspoken 
about my opposition to the proposed cuts to the Homeland Security Grant 
Program as well as the Port and Transit Security Grants. I have serious 
concerns that the proposed cuts would only further jeopardize whatever 
progress States and other grantees are making to address cyber threats, 
and I will be interested in the witness' thoughts on that point.
    Finally, as I indicated, our subcommittees held a joint hearing on 
responding to a cyber attack about 3 years ago. The witnesses at that 
hearing made 2 points that stuck with me.
    First, the witnesses emphasized that a response to a cyber attack 
will require people--from chief information officers to emergency 
manager to private-sector partners--to break out of their silos and 
coordinate with non-traditional partners. Second, they said that 
existing disaster response guidance does not adequately address the 
complexities of responding to a cyber event.
    I look forward to hearing our witness' opinions on how the National 
Incident Management System, the National Response Framework, and other 
disaster management doctrine should be updated to reflect the unique 
qualities of a cyber event.

    Mr. Donovan. The gentleman yields.
    The Chair now recognizes the Chairman of the Subcommittee 
on Cybersecurity, Infrastructure Protection, and Security 
Technologies, the gentleman from Texas, Mr. Ratcliffe, for an 
opening statement he may have.
    Mr. Ratcliffe. Good morning, everyone. I want to thank 
Chairman Donovan, Ranking Member Payne, for working with me and 
with Ranking Member Richmond on putting this issue together 
today.
    I also want to thank the witnesses for being here today. I 
am looking forward to hearing your testimony.
    On the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, we talk a lot about the 
variety and high number of growing cyber threats that are out 
there. But today, we are going to hear about the other part of 
the equation, which includes the people, the hours, the 
programs designed and dedicated to preparing for and responding 
to the dangers that these cyber threats pose.
    Hopefully, having this discussion at a National level, will 
help bring to light some of the best practices and most evident 
areas for improvement at every level of government, whether it 
be the Federal, State, or local level. Because the truth is, 
every level of government is constantly having to face and 
respond to these threats, so we all need to be working together 
to understand the tactics and techniques and procedures that 
hackers are using so that we are better equipped to face the 
threats of tomorrow.
    It is important that we spend as much time and energy 
thinking about the solutions that secure Americans as we do 
examining the dangers. The purpose of today's hearing is to 
focus on seeking those solutions to make Americans safer. In 
that spirit, we are constantly seeking to improve upon and 
expand the programs and partnerships in both the private sector 
and State and local governments that function to help keep 
Americans safe. These partnerships are the nuts and bolts to 
secure Americans against the havoc that is possible if a bad 
actor were to successfully disrupt or damage one of the many 
systems that we rely upon for everyday life, like our water and 
our power.
    What we are hoping to gain from today's hearing is what 
more we can be doing to further these partnerships and 
programs. The importance of the flow of information can't be 
stressed enough, as information is the currency with which 
security and insecurity is established in today's digital age.
    As fast as the bad actors are moving in cyber space, we 
have to be constantly moving faster to stay ahead of them, and 
right now we are not. While they have to only be right one time 
to cause damage, we have to always be resilient and stand 
perpetually ready with a plan and with answers. I am glad to be 
having this joint hearing to highlight the interconnectedness 
of the response plans that are in place in case of a 
devastating cyber event, and the first responders who carry 
them out.
    At the Federal level, we have the ability to push out and 
develop plans beyond the capability currently available to the 
50 States. But it is the responders already in those areas who 
will be the first people that those most directly affected will 
see if a catastrophic cyber attack occurs.
    As Chairman Donovan mentioned, the draft National incident 
response plan, or NCIRP, was delivered to the White House in 
fall 2009, and in March 2010, an interim draft was released but 
not approved, subject to on-going review by the administration. 
It has now been 6 years since the release of the interim draft 
with stakeholder engagement just now starting. Six years is 
entirely too long for any type of response plan to sit on a 
shelf in the White House, but it is especially dangerous in the 
case of cyber.
    In 2014, Congress passed a law to require this cyber 
incident response plan to be finalized. Clearly, the 
administration, by not finalizing this plan doesn't seem to be 
taking cyber incident response planning seriously. It begs the 
very obvious questions: What if there is a significant cyber 
attack in the United States? Does every level of government 
know their role? And how cyber response will be coordinated?
    We are neither too ignorant nor too proud to think that a 
major cyber event is outside the realm of possibility right 
now. So I would like to take this moment to convey that we are 
watching the development of this document very closely.
    Look, it is very apparent that we have a lot more work to 
do. Securing our States from cyber threats now includes 
entirely new roles and responsibilities that didn't exist 50 
years ago. Discussing, examining, and encouraging the programs 
and partnerships that Americans rely upon is absolutely 
critical to being able to preserve and guarantee the American 
way of life.
    I look forward to hearing from our witnesses today to learn 
what more we can and what we should be doing to advance the 
security of the American people.
    Thank you. I yield back.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                              May 24, 2016
    Good morning, I want to thank Chairman Donovan and Ranking Member 
Payne for working with myself and Ranking Member Richmond on this 
issue. I also want to thank the witnesses for coming today to speak on 
this important topic. On the Subcommittee on Cybersecurity, 
Infrastructure Protection, and Security Technology, which I chair, we 
often discuss the wide variety and high number of cyber threats that 
are out there and growing. Today, we are going to hear about the other 
part of the equation, which is the people, the hours, and programs 
designed and dedicated to preparing for and responding to the dangers 
that these cyber threats pose.
    Hopefully having this discussion at a National level will help 
bring to light some of the best practices and most evident areas for 
improvement that will be applicable to every level of government 
whether it be at the Federal, State, or local level. Because the truth 
is, every level of government is constantly having to face and respond 
to these threats. We all need to work together to understand the 
tactics, techniques, and procedures of hackers in order to better equip 
ourselves and face the threats of tomorrow.
    It is important that we spend as much time and energy thinking 
about the solutions that secure Americans as we do on the examination 
of the dangers. The purpose of today's hearing is to focus on seeking 
those solutions to make America safer. In that spirit, we are 
constantly seeking to improve upon and expand the programs and 
partnerships with both the private sector and State and local 
governments that function to make Americans safe. These partnerships 
are the nuts and bolts to secure Americans against the havoc that is 
possible should a bad actor successfully disrupt or damage one of the 
many systems that we rely on for everyday life such as our water and 
our power.
    What we are hoping to gain from today's hearing is what more we can 
be doing to further these partnerships and programs. The importance of 
the flow of information cannot be stressed enough as information is the 
currency with which security and insecurity is established in today's 
age. As fast as the bad actors are moving in cyber space, we have to be 
constantly moving faster to stay ahead of them. While they only have to 
be right once to do damage, we must be resilient and stand perpetually 
ready with a plan and with answers.
    I'm glad to be having this joint hearing to highlight the 
interconnectedness of the response plans that are in place in the case 
of a devastating cyber event, and the first responders who carry them 
out. At the Federal level we have the ability to push out and develop 
plans beyond the capability currently available to States, but it is 
the responders already in the area who will be the first people that 
those most directly affected will see when a catastrophic cyber attack 
occurs.
    As Mr. Donovan mentioned, the draft National Incident Response Plan 
or NCIRP was delivered to the White House in the fall of 2009. In March 
2010, a draft interim was released but not approved, subject to on-
going review by the administration. It has now been 6 years since the 
release of the interim draft, with stakeholder engagement just now 
starting. While 6 years is entirely too long for any type of response 
plan to sit on a shelf in the White House, it is especially dangerous 
in the case of cyber. In 2014, Congress passed a law to require this 
cyber incident response plan to be finalized. Clearly, this 
administration, by not finalizing this plan, does not take cyber 
incident response planning seriously. It begs the very obvious question 
``What if there is a significant cyber attack in the United States? 
Does every level of government know their role and how cyber response 
will be coordinated?'' We are neither too ignorant nor too proud to 
think that a major cyber incident is outside of the realm of 
possibility so I would like to take this moment to convey that we are 
watching the development of this document very closely.
    It is very apparent that we have a lot more work to do. Securing 
our States from cyber threats now includes entirely new roles and 
responsibilities that didn't exist 50 years ago. Discussing, examining, 
and encouraging the programs and partnerships that Americans rely on is 
absolutely crucial in guaranteeing the solvency of our ways of life. I 
look forward to hearing from the witnesses to learn what more can and 
should be done to advance the security of the American people.

    Mr. Donovan. The gentleman yields back.
    The Chair recognizes the gentleman from New Jersey, Mr. 
Payne.
    Mr. Payne. Mr. Chairman, I ask unanimous consent to submit 
the gentleman from Louisiana, the Ranking Member, Mr. 
Richmond's statement into the record.
    Mr. Donovan. Without objection, so ordered.
    [The statement of Ranking Member Richmond follows:]
             Statement of Ranking Member Cedric L. Richmond
                              May 24, 2016
    In developing policy and budgeting for cyber preparedness and 
response, it is crucial we know what needs protecting, how badly 
protection is needed, and what kinds of redundancies can be made 
available.
    For critical infrastructure entities, after knowing what machines 
are operating on a network, what applications they are running, and 
what privileges have been established, the posture of cybersecurity for 
each of these entities and systems networks is key.
    Also, for critical infrastructure enterprises and supply chains, 
the advent of, ``bring your own devices'', along with the growing 
sophistication of smart phones and tablets involved in day-to-day 
infrastructure operations, compounds cybersecurity efforts and 
increases our resiliency challenges.
    Knowing where to devote efforts to protect our information security 
in critical infrastructure organizations is a core choice, particularly 
in determining how much defense to commit to the perimeter, and how 
much to commit to internal threats.
    Consider the potential for adversaries to employ countermeasures . 
. . as defenses are installed on our systems, we must acknowledge that 
we are dealing with a thinking and competitive opponent in the cyber 
world . . . and that as we install measures to thwart hackers that very 
act tends to induce countermeasures from our foes, as hackers probe for 
ways around or through our new defenses.
    As new versions of cyber attacks emerge affecting critical 
infrastructure, it will be important to have the DHS Industrial Control 
Systems Computer Emergency Response Teams, or ICS-CERT, and the Joint 
Interagency Task Force consisting of the National Institute of 
Standards and Technology, or NIST, the Department of Defense, and the 
intelligence community, clearly delineate and prioritize their roles in 
protecting critical infrastructure, and to have that as well-defined as 
possible.
    A good place to start is to build a body of cyber knowledge on how 
various critical infrastructure cyber systems are likely to fail, which 
is a necessary prerequisite to preventing failure, and then share that 
information among all sectors.
    Most experts tell us this is a daunting proposition, in light of 
the fast pace and range of cyber threat vectors that present themselves 
daily, but we must try.
    In closing, any critical infrastructure sector that is prepared to 
share what went wrong and what could be done better next time, will 
create the most likely scenario to produce higher levels of 
cybersecurity and resiliency for future regional and National cyber 
emergency situations.

    Mr. Donovan. Other Members of the subcommittees are 
reminded that opening statements may be submitted for the 
record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                              May 24, 2016
    Over the past 15 years, the Nation has experienced man-made and 
natural disasters that caused damage beyond our expectations and 
overwhelmed the response capabilities of the impacted communities. 
After each disaster--from the 9/11 attacks and Hurricane Katrina to the 
Boston Marathon bombings and Hurricane Sandy--we take the lessons 
learned and adjust the response plans so that we are better prepared 
for the next version of the same event.
    Preparing to respond to those kinds of events has become almost 
routine. We assess terror threats and the potential for various natural 
disasters. We conduct vulnerability assessments of our communities, and 
we hone, train, and exercise our disaster response plans. The doctrine 
guiding how we prevent, protect against, mitigate, respond to, and 
recover from more conventional disasters is well-established and 
incorporates important lessons learned from past events.
    Unfortunately, National guidance of a similar caliber is lacking 
for a response to a cyber attack. When I am home in Mississippi, local 
emergency managers tell me that roles and responsibilities are not 
clearly defined for a cyber response and that the statutory authority 
for the Federal Government to render aid to affected States is murky at 
best.
    We need to do better. The frequency of cyber attacks is increasing 
and the attacks are becoming more sophisticated. I fear a cyber Katrina 
if we do not establish a ``whole community approach'' to prevent, 
respond to, and recover from cyber attacks soon, before hackers disable 
part of the electric grid, gain control of one of our transit systems, 
or infiltrate our water treatment facilities.
    Addressing the growing cyber threat and equipping emergency 
managers with the tools they need to effectively respond to disasters 
triggered by hackers will require at least 3 changes.
    First, we have to improve information sharing. Second, we have to 
improve communication among the emergency response community and non-
traditional response partners, including private-sector infrastructure 
owners and chief information officers. Third, we have to do a better 
job defining roles, responsibilities, and authorities related to a 
cyber response.
    Late last year, the House of Representatives took an important step 
advancing those objectives by passing H.R. 3878, the Strengthening 
Cybersecurity Information Sharing and Coordination in Our Ports Act.
    Introduced by Congresswoman Torres, H.R. 3878 would improve 
information sharing and cooperation in addressing cybersecurity risks 
at our Nation's ports by directing DHS to establish voluntary 
guidelines for reporting of cybersecurity risks, implement a maritime 
cybersecurity risk model, and make recommendations on enhancing the 
sharing of cyber information.
    The legislation also directs the Coast Guard to ensure area 
maritime security and facility security plans address cybersecurity 
risks. H.R. 3878, along with several other important pieces of 
cybersecurity legislation from this committee, has passed the House is 
currently pending in the Senate. I urge our Senate colleagues to act on 
these bills before the summer recess.
    In the mean time, I am eager to learn from our witnesses about 
existing challenges in developing response plans for cyber events and 
what the Federal Government can do to help.

    Mr. Donovan. We are pleased to have a distinguished panel 
before us today on this important topic. Mark Ghilarducci 
serves as the director of the California Governors Office of 
Emergency Services, a position he has held since July 1, 2013. 
As a member of the cabinet, Director Ghilarducci serves as the 
Governor's Homeland Security Adviser, and oversees State-wide 
public safety, emergency management, emergency communications, 
counterterrorism efforts, and a State threat assessment system. 
Mr. Ghilarducci previously served as the secretary of the 
California Emergency Management Agency. Welcome, sir.
    Lieutenant Colonel Daniel J. Cooney currently serves in the 
Office of Counterterrorism of the New York State Police. He 
serves as adviser to the director of the New York State Office 
of Homeland Security and oversees the staff of the New York 
State Intelligence Center, New York's fusion center. He has 
been a New York State police officer for 23 years, and has been 
awarded a master's degree in security studies from the Naval 
Postgraduate School. Welcome, Colonel.
    Brigadier General Steven J. Spano is president and chief 
information officer of the Center for Internet Security. Most 
recently, he served as the general manager for defense and 
national security for Amazon Web Services Worldwide Public 
Sector. Prior to Amazon Web Services, General Spano served over 
28 years in United States Air Force in a variety of leadership 
roles. He retired in 2011 from Air Force combat command where 
he served as the director of communications. Welcome, General, 
and thank you for your service to our country.
    Mr. Mark Raymond began serving as the chief information 
officer for the State of Connecticut Department of 
Administrative Services, Bureau of Enterprise Systems and 
Technology on June 2, 2011. He has over 2 decades of technology 
and business experience consulting in New York, Connecticut, 
and Massachusetts; that includes working in the areas of 
finance, payroll, human services, budgeting, procurement, human 
services revenue, and transportation. As a consultant, he has 
worked with Federal agencies, including the United States 
Treasury, Federal Highway Administration, National Highway 
Traffic Safety Administration, and the U.S. Department of 
Transportation. Welcome, sir.
    Mr. Robert Galvin serves as the chief technology officer 
for the Port Authority of New York and New Jersey, a position 
he has held since December 2013. In this capability, he 
provides oversight, direction, and management for all of the 
agency's technology, information systems, and technology 
service delivery. Prior to joining the Port Authority, Mr. 
Galvin served as the chief technology officer at the New York 
City School Construction Authority.
    The witnesses' full written statements will appear in the 
record. The Chair now recognizes Mr. Ghilarducci for 5 minutes.

 STATEMENT OF MARK GHILARDUCCI, DIRECTOR, EMERGENCY SERVICES, 
              OFFICE OF THE GOVERNOR OF CALIFORNIA

    Mr. Ghilarducci. Okay. Well, good morning, Chairman and 
distinguished Members of the subcommittee. Mark Ghilarducci, 
and I am the director of OES in California. I am here today on 
behalf of the National Emergency Management Association, which 
represents State emergency management directors of the 50 
States, territories in the District of Columbia.
    I appreciate the opportunity to come before you today to 
discuss concerns related to the consequences of a cyber attack 
and the role of emergency management community in responding to 
this unique and evolving threat. As our lives, our systems, our 
critical infrastructure, as well as our emergency management 
coordination and communication platforms become more and more 
integrated with and dependent upon the Internet of Things, so 
does the proliferation of threats and complexities from cyber 
attacks, and, of course, the need to continue to evolve 
capabilities and countermeasures.
    These emerging threats, ushered in by advancements in 
technology, are a challenge for emergency management at a time 
when the adversary is unpredictable, asymmetrical, and very 
active. The range of threat actors, the methods of attack, 
targeted systems, and victims are ever-expanding. Because 
information systems are now the backbone of critical 
infrastructure in the United States, we are at an age of 
transitioning into next generation public safety due to its 
significance to National and economic security.
    Of concern to the emergency management community is the 
threat and potential cascading impacts of a cyber attack to our 
critical infrastructure systems. Lifelines and assets, whether 
physical or virtual, by actors with malicious intent to exploit 
vulnerabilities, disrupt or destroy control systems, or 
incapacitate the delivery of essential services, all which 
places the security and safety of our communities, our 
citizens, and the economy at great jeopardy.
    Like the consequences of other asymmetrical terrorist 
threats, consequence management of cyber attacks is challenging 
due to its unpredictable and ubiquitous nature. It requires a 
considered and coordinated effort of collaborative planning, 
risk identification and management, communications, information 
sharing, interdiction, response and mitigation.
    As information technology becomes increasingly integrated 
with physical infrastructure operations, emergency management 
must plan and prepare for the increased risk for large-scale or 
high-impact events and that cascading impacts that could harm 
or disrupt services, or worse, cause fatalities or destruction 
in our communities. Widespread and long-term power outages, 
loss of water telecommunications systems, disruption of public 
health or public safety systems, destruction of control 
systems, interruption of food production and distribution, and/
or the movement of commodities or people are just a few 
potential consequences of a successful cyber attack on our 
critical infrastructure; all consequences emergency management 
must consider, plan, and prepare for.
    There is no doubt that the potential aftermath of a 
significant cyber attack resulting in physical consequences 
will challenge existing hierarchies, dependencies, reporting 
structures, and planning assumptions. Emergency managers will 
need to leverage all necessary local, State, and private-sector 
resources; implement redundant capabilities for continuity of 
operations, and possible continuity of Government; and will 
require Federal support for both technical and Stafford Act 
assistance. But it remains unclear today how the consequences 
of an attack will be defined and meet requirements for Stafford 
Act assistance.
    Another challenge facing State emergency management and 
homeland security organizations is the ability to effectively 
manage cyber risk as it is not possible to eliminate it. Like 
many other hazards, both natural and human-caused, State 
leaders must build cybersecurity systems, communication, and 
information capabilities, and procedures designed to not only 
preempt attacks through adequate cyber defense systems, but 
enable an organization to withstand attacks when they succeed, 
or, in other words, to build cyber resilience.
    A logical approach to cybersecurity preparedness and 
incident response begins at all levels of government and in 
partnership with the private sector. As the Federal Government 
continues to build its capabilities, policies, and strategies, 
it has left States to build cybersecurity capacities with 
limited resources, trained personnel, and guidance or a 
specific blueprint to follow, all while facing threat actors 
who are advanced, nimble, quick to adapt, and overcome defenses 
in intending to do harm to private citizens and government 
services.
    Dedicated cybersecurity grants for planning and operational 
capabilities, developing, training, and supporting the 
blueprint of a workforce of cyber warriors, as well as 
identified post-event, remediation funding streams that do not 
currently exist, but are absolutely necessary to ensure States 
are prepared to adequately build cyber capabilities and 
defenses, this needs to be a priority.
    For example, in California, one key cybersecurity 
capability we recently stood up is the California Cybersecurity 
Integration Center as a way to measure our whole-of-Government 
and public/private sector integration approach. The Cal-CSIC, 
as it is called, integrates critical cybersecurity functions 
directly impacting my ability to manage both the homeland 
security and emergency management portfolios in California.
    It is co-located with the California State Threat 
Assessment Center, our State's primary fusion center, which 
maximizes information sharing and allows for communications to 
be properly vetted and classified, ensuring conductivity and 
information sharing between the intelligence community, law 
enforcement, and California's other 5 regional fusion centers, 
and it expands upon our current capabilities focused 
specifically on protecting California.
    It resides within our homeland security division, aligned 
with DHS's organizational structure, and integrates both the 
academic and private sectors. It provides a State-wide nexus 
for cyber threat information sharing for the State of 
California, our critical infrastructure sector partners that 
provide essential services, our 
9-1-1 system, the intelligence community, and law enforcement.
    It promotes proactive situational awareness of the cyber 
threat, cyber hygiene, and best cybersecurity practices, and it 
augments the State Emergency Operation Center during 
activations for emergency incidents through systems analysis 
and resilient communication. Most importantly, it provides 
support to our State's emergency support Function 18, the 
component of the State emergency plan that focuses on the 
impacts and countermeasures related to a major cyber attack.
    A key element for success of this capability, but, 
nonetheless, a challenge we are working with, is establishing a 
blueprint for integrating desperate agency sector efforts and 
mission sets into a unified, coordinated, and streamlined 
operation that reflects the full intelligence cycle from 
collection analysis to dissemination that supports situational 
awareness and the complete emergency management cycle.
    The Cal-CSIC design forces collaboration between all of the 
major State agencies and sector representatives that have a 
role in cybersecurity through protocols and the integration of 
respective cybersecurity staff. This partnership forces down 
the silos and stovepipes and generates a level of collaboration 
on the cyber front not seen before in our State government, 
which helps to define the roles and responsibilities of each 
organization during cyber events at a State-wide significance.
    As well, through partnerships with the National 
Cybersecurity Communications Integration Center and a multi-
State information-sharing analysis center, the Cal-CSIC 
addresses prevention, protection, response, and recovery while 
providing detail on cyber threats and trends specifically to 
California. The Cal-CSIC can use this analysis to notify 
residents of current threats and how to prevent and mitigate 
those threats.
    The consolidation of National, State, and local cyber 
threat data will provide a more strategic picture benefiting 
prevention and response. To further our resiliency platform, we 
are also moving to implement the DHS and CCIC cyber hygiene 
campaign across California's State agencies and departments.
    In closing, collaboration, coordination, training, 
planning, clear protocols, real-time information sharing, and 
processing of indicators of attack are essential elements of a 
robust cybersecurity and emergency management posture for all 
governments. Linking up critical infrastructure assessors and 
analysis, and analysts with cybersecurity personnel and 
emergency planners also needs to be approached holistically and 
sustainably.
    At all levels, Government must be prepared to deal with an 
ever-changing and increasingly complex set of challenges that 
test our traditional approaches to emergency preparedness and 
response to disasters. Changing demographics, emerging 
technologies, and the interdependencies of our infrastructure 
and systems create vulnerabilities that defer from those of the 
past.
    The cyber threats facing our Nation are not subsiding, but, 
in fact, are evolving in such a way that these threats demand 
purposeful, proactive action, adequate funding support, and a 
more forward-thinking and collaborative approach at all 
government levels and critical infrastructure sectors. This has 
to be one team, one fight.
    Thank you.
    [The prepared statement of Mr. Ghilarducci follows:]
                 Prepared Statement of Mark Ghilarducci
                              May 24, 2016
                              introduction
    Thank you Mr. Chairman, Ranking Member, and distinguished Members 
of the committee. My name is Mark Ghilarducci, and I am the director of 
the Governor's Office of Emergency Services as well as the Homeland 
Security Advisor to Governor Jerry Brown for the State of California.
    I am here on behalf of the National Emergency Management 
Association (NEMA), which represents the emergency management directors 
of the 50 States, territories, and District of Columbia. NEMA's 
members, many of whom, like me, also serve as Homeland Security 
Advisors, are prepared to deal with an ever-changing and increasingly 
complex set of challenges that test traditional approaches to natural 
and man-made disasters. I appreciate the chance to come before you 
today to discuss the current concerns related to consequences of cyber 
attacks and the role of the emergency management community in 
responding to these unique events.
                           where are we now?
    We are witnessing a more diverse array of threats than at any other 
time in history. The skill, speed, and adaptability of these threats 
are challenging our defense in ways we have not seen before. The 
emerging threat landscape for the Nation is characterized both by 
standing threats, as well as dynamic and fluid ones ushered in by 
advancements in technology. As we witness our society make 
unprecedented advancements in innovation, we become more and more 
reliant on information technology and increasingly vulnerable to 
devices that are developed and distributed with minimal security 
requirements. The ranges of threat actors, methods of attack, targeted 
systems, and victims are also expanding.
    We are transitioning into Next Generation Public Safety, and 
information systems are now the backbone of National and economic 
security in the United States. Our success as a Nation depends upon 
critical infrastructure functioning reliably at all times. The threat 
to this infrastructure by those with malicious intent to exploit 
vulnerabilities, steal information and money, and disrupt, destroy, or 
threaten the delivery of essential services are unlike any other. 
Cybersecurity threats exploit the risks associated with the increased 
complexity and connectivity of these systems, which places our Nation's 
security, economy, and public safety at greater risk.
    This risk affects both the private and public sectors. We have seen 
``Ransomware'' in the public and private sector in California and 
across the United States designed to prevent public and private 
institutions from accessing their own data. Criminal tools and malware 
are increasingly being discovered on State and local government 
networks.
    As information technology becomes increasingly integrated with 
physical infrastructure operations, there is increased risk for wide-
scale or high-impact events that could cause harm or disrupt services 
upon which our economy and the daily lives of millions of Americans 
depend. Long-term power outages, loss of water, and disruption in the 
movement of goods, services, and people as a result of disrupted 
transportation systems are a few of the potential consequences of a 
successful cyber attack on our critical infrastructure.
    The aftermath of a cyber event with physical consequences will 
challenge existing hierarchies, reporting structures, and planning 
assumptions. In the event of an incident, most emergency managers will 
turn to the Robert T. Stafford Disaster Relief and Emergency Assistance 
Act (Pub. L. 92-288) for Federal assistance, but unless the 
consequences of a cyber attack have large-scale physical consequences, 
funds from the Stafford Act will be limited.
    Many of the fixes, whether administrative or legislatively 
initiated, throughout the last few years seem to only address the 
prevention and preparedness side of cybersecurity. While the pre-event 
aspects of cybersecurity maintain a high level of importance, so too 
will the post-event considerations especially when considering the 
potential disastrous physical consequences of a cyber attack.
 current challenges facing state emergency management/homeland security
    While cybersecurity and cyber response capabilities continually 
rate very low in FEMA's annual National Preparedness Report, 
identifying the capability gaps and needs is often a difficult task for 
State and local government and has limited measurable improvement 
toward the National Preparedness Goal.
   Cyber risk must be managed as it is not possible to 
        eliminate; the diverse possibilities of malicious actors 
        penetrating, intruding, and circumventing from the inside 
        continue to grow and will hold every internet communication 
        technology system at risk for years to come.
   The risk calculus employed by some State and local 
        organizations does not adequately address the top cyber threats 
        or systemic interdependencies across critical infrastructure 
        sectors.
   State leaders must accept the predictability of cyber 
        attacks, and build security systems and procedures that can not 
        only preempt attacks through cyber defense, but enable 
        organizations to withstand attacks when they succeed, or in 
        other words build cyber resilience.
   A coordinated approach to cybersecurity preparedness and 
        incident response is in its nascent stages, even at the Federal 
        level. As the Federal Government is still working to build 
        Federal institutions, policy, and strategy, it has left States 
        to build cybersecurity capacities with limited resources and 
        trained personnel, and a lack of guidance or successful 
        blueprint to follow--all while facing threat actors who are 
        advanced, nimble, quick to adapt and overcome defenses and who 
        intend to harm private citizens and Government services.
   A dedicated cybersecurity grant funding stream would also 
        ensure States were prepared to adequately build their cyber 
        capabilities and defenses. Currently there is no funding 
        dedicated specifically to this priority.
   States are still playing catch-up in developing a ``whole-
        of-Government,'' State-wide approach to cybersecurity.
     best practices at the state level/on-going efforts to improve 
                               resilience
    I am excited to discuss some California examples of best practices 
we are implementing to ensure the Golden State is safe and secure and 
cyber resilient.
   Cyber Hygiene Partnership with DHS's National Cybersecurity 
        Communications Integration Center (NCCIC).--We are moving to 
        embrace and implement the DHS's National Cybersecurity 
        Communications Integration Center's Cyber Hygiene campaign 
        across California State Agencies. Working with NCCIC staff, we 
        are working to push this program to all of California's State 
        executive agencies as a start. This program is voluntary, but 
        it will allow us to baseline State agencies' vulnerabilities 
        and provide an overall State profile for a majority of public-
        facing assets. This is a good metric for performance and will 
        help our team develop a long-term State strategy. To date, only 
        13 organizations across all of California are taking advantage 
        of this Federal program.
   Integrating and Automating Data Feeds.--One of the things we 
        are spearheading in California is a Cal OES-supported project 
        at our California fusion centers that supports automating cyber 
        threat intelligence, as we believe that is a fundamental facet 
        to cyber resilience on all levels of Government. We must get 
        past the manual human-to-human transactions that continue to 
        dominate State and local cyber information sharing and move 
        towards an automated cyber threat intelligence design, which we 
        believe should anchor States' resilience and inform cyber 
        response efforts. We are also working, in conjunction with DHS/
        NCCIC, on a program called Automated Indicator Sharing 
        Initiative, which shares observable cyber ``indicators'' to 
        also help bolster the State's defense through a machine 
        indicator exchange.
   California Cybersecurity Integration Center (Cal-CSIC).--We 
        recently stood up our California Cybersecurity Integration 
        Center (Cal-CSIC) (pronounced Cal-SICK) as a way to mature this 
        approach, but one of the biggest challenges we face is 
        establishing a blueprint for integrating disparate efforts and 
        mission sets into a unified, coordinated, and streamlined 
        operation that reflects the full intelligence cycle from 
        collection, analysis, to dissemination, and that supports a 
        robust cyber response.
    The Cal-CSIC does the following critical cybersecurity functions, 
directly impacting my ability to manage both the homeland security and 
emergency management portfolios in California:
   Expands upon current capabilities in our State's primary 
        fusion center to build out a cybersecurity center focused 
        specifically on protecting California.
   Resides within the Cal OES Homeland Security Division, 
        aligning with DHS's organizational structure.
   Its co-location with the California State Threat Assessment 
        Center (STAC) allows for communications to be properly vetted 
        and classified, ensuring connectivity between the intelligence 
        community, law enforcement, and fusion centers.
   Provides a State-wide nexus for cyber threat information 
        sharing for the State of California, intelligence community, 
        and law enforcement.
   Promotes situational awareness of cyber threats, cyber 
        hygiene, and best cybersecurity practices for all California 
        organizations.
   Augments the State Operations Center activities during 
        emergency incidents through media analysis and resilient 
        communications.
   Marries our critical infrastructure analysts and assessors 
        to our cybersecurity professionals to create a novel holistic 
        security assessments capability.
    The National Cybersecurity Communications Integration Center 
(NCICC) and Multi-State Information Sharing Analysis Center (MS-ISAC) 
operate as focal points for cyber and physical protection of Federal, 
State, local, Tribal, territorial government (FSLTT) and Critical 
Infrastructure/Key Resources (CI/KR) network, storage, and 
communications systems and seeks to address prevention, protection, 
response, and recovery.
    The Cal-CSIC will address prevention, protection, response, and 
recovery while providing detail on cyber threats and trends 
specifically to California. The Cal-CSIC can use this analysis to 
notify residents of current threats and how to prevent and mitigate 
those threats. The consolidation of National and State cyber threat 
data will provide a more strategic picture benefitting prevention and 
response. The NCCIC will also be a partner in the Cal-CSIC as will 
other Federal agencies to ensure for real-time collaboration and 
coordination that is needed.
    The Cal-CSIC design forces collaboration between all of the major 
State agencies that have a role in cybersecurity because those agencies 
have, or are going to, embed their cybersecurity staff there. This 
partnership will force down the siloes and stove pipes, and generate a 
level of collaboration on the cyber front not seen before in State 
government, which helps to define the roles and responsibilities of 
each agency during cyber events of State-wide significance.
   Governor's Cybersecurity Task Force.--This task force 
        facilitates cybersecurity outreach to private industry, 
        academic, law enforcement, and Government partners both inside 
        and outside of California. The Governor's Cybersecurity Task 
        Force is a public-private partnership that serves as the 
        advisory body to the Cal-CSIC to raise awareness of new threats 
        and mitigation techniques.
    Sometimes, simply assembling the right players to have the tough 
conversations is half the battle. In this case, educating cybersecurity 
professionals about emergency management, and vice versa, remains a 
significant challenge. This is why the State of California created the 
Governor's Cybersecurity Task Force to be wide-reaching, pairing up 
local emergency management experts with cybersecurity professionals to 
collaborate on the bigger strategic questions. It has made a tremendous 
impact, but more work needs to be done to align State and local defense 
with Federal efforts.
                     recommendations for the future
    As a Nation we must map out a comprehensive collaborative strategy 
that delivers timely, cost-effective, and actionable responses. This 
will strengthen our National security by better preparing us to respond 
to potential disruptions that would have cascading consequences on the 
country. Collaboration, employee cybersecurity training, enterprise 
defense-in-depth, and real-time information sharing and processing of 
indicators of attacks are essential elements of a robust cybersecurity 
posture for all governments. Marrying critical infrastructure assessors 
and analysts with cybersecurity personnel also will breed unique and 
nuanced synergies by approaching the problem holistically. This would 
include:
   Review current statutory authorities for emergency 
        management personnel and ensure resources can and will be 
        available to respond to a cyber attack.
   Encourage information sharing between intelligence and 
        operational officials to ensure stovepipes do not unnecessarily 
        hinder collaboration and integrated planning.
   Coordinate with State and local officials to ensure their 
        priorities are included in legislative reforms and changes 
        within the administration's cybersecurity policies.
   Avoid mandating State and local governments without also 
        providing Federal funding.
   Provide adequate and sustainable funding to ensure for the 
        development of robust cybersecurity interdiction, response and 
        preparedness/education systems at the State and local levels, 
        to better inform and empower communities, where the 
        consequences of cyber attacks are most impactful.
   Ensure that we communicate to American citizens our 
        commitment to protecting their privacy, when incorporating 
        emerging technology--specifically, the Internet of Things or 
        ``smart devices.''
    While these devices maximize efficiency and carry the allure of 
convenience, we must incorporate the benefits of innovative technology 
into State and local government with the utmost appreciation for their 
potential to threaten data privacy, data integrity, or continuation of 
services. This also opens vulnerabilities by allowing threat actors to 
not only steal data, but also, manipulate it. Threat actors almost 
certainly will adapt and introduce new tactics that will challenge our 
defenses so we must seize the opportunities to implant past 
intelligence from cybersecurity investigations back into the 
intelligence cycle for further analysis and dissemination.
                               conclusion
    At all levels, Government must be prepared to deal with an ever-
changing and increasingly complex set of challenges that test our 
traditional approaches to emergency preparedness and responses to 
disaster. Capability, experience, and flexibility are critical in 
dealing with emerging issues and the unknown. Changing demographics, 
emerging technologies, and the interdependencies of our infrastructure 
and systems create vulnerabilities that differ from those of the past. 
The cyber threats facing our Nation are evolving in such a way that 
demands purposeful action and a more forward-thinking approach in our 
National preparedness efforts.
    I appreciate the opportunity to testify before you today and stand 
ready to answer any questions the committee may have.

    Mr. Donovan. Thank you, Mr. Ghilarducci.
    The Chair now recognizes Lieutenant Colonel Cooney for 5 
minutes.

STATEMENT OF DANIEL J. COONEY, ASSISTANT DEPUTY SUPERINTENDENT, 
       OFFICE OF COUNTER TERRORISM, NEW YORK STATE POLICE

    Mr. Cooney. Good morning, Chairman Donovan, Ranking Member 
Payne, Chairman Ratcliffe, and Members of the subcommittees. 
Thank you for inviting me to testify today.
    My name is Dan Cooney. I am a lieutenant colonel with the 
New York State Police responsible for overseeing the New York 
State Intelligence Center or NYSIC, the State's designated 
fusion center, which is staffed by approximately 90 
individuals, drawn from nearly 20 law enforcement and homeland 
security agencies at the local, State, and Federal levels.
    Since we opened our doors in 2003 as one of the Nation's 
first fusion centers, NYSIC has maintained an all-crimes 
approach with the ultimate goal of preventing criminal and 
terrorist activity in our State, and supporting our partners' 
on-going law enforcement investigations.
    The New York State Police has long had a computer crimes 
unit. NYSIC incorporated cyber threat intelligence into its 
mission in 2014 by creating a cyber analysis unit when the 
NYSIC had just moved to co-locate with the Center for Internet 
Security and the Multi-state Information Sharing and Analysis 
Center.
    Our approach is based on partnerships, intelligence 
production, and outreach. To further our outreach, NYSIC 
spearheaded creation of the New York State cyber partners 
working group, which meets monthly and is comprised of State 
and Federal Government law enforcement, homeland security, and 
information technology personnel, and a National Guard.
    As the intelligence center, our role is to take the lead in 
developing cyber intelligence products for both the technical 
and nontechnical audiences, and we leverage the partnerships 
formed through this group to accomplish this mission.
    The NYSIC also relies on National cyber information-sharing 
networks. Routinely, we access the National Fusion Center 
Association's cyber intelligence network through which over 250 
Federal, State, and local law enforcement members act as a 
virtual fusion center, utilizing a cloud service provided by 
the homeland security information network to share cyber threat 
intelligence in real time at the ``For Official Use Only,'' or 
FOUO level.
    Within the State, our distribution lists are separated by 
sector and between technical and nontechnical audiences to 
ensure recipients receive exactly the information they need: 
Actionable intelligence for IT staff, so they can deploy 
appropriate prevention or mitigation controls; and more 
strategic information on trends in cyber actors' tactics, 
techniques, and procedures for executives and policy makers to 
better inform policy decisions and resource allocation.
    NYSIC's intelligence liaison officer network maintains 
points of contact in fire, EMS, and emergency management 
agencies in each county with whom we engage in 2-way threat 
information sharing. Additionally, nearly all of the 500-plus 
law enforcement agencies in New York State have a designated 
field intelligence officer that regularly communicates with the 
NYSIC. More technical products are shared directly with county 
chief information security officers.
    At both the fusion center and across State agencies, New 
York State is sharing more information more effectively than 
ever before. Despite a constantly changing environment, we have 
made excellent progress. But I want to highlight two specific 
areas for continued growth from the full statement I submitted 
on the record.
    First, the information-sharing lessons of the last 13 years 
in the counterterrorism space must be applied to cybersecurity 
today. At the State level, the fusion center is DHS's single 
point of contact for terrorism-related information, and we know 
from where within DHS this information is coming. This is not 
yet the case with cyber threat information, and more often than 
not, the fusion centers do not receive cybersecurity 
intelligence information in a timely manner. The more 
information that fusion centers receive, the more we can share 
with agencies and businesses within our State, allowing us to 
close the current intelligence gaps, and push information to 
smaller entities that direct Federal sharing currently does not 
reach.
    Second, we observe a large amount of cyber threat 
information is Classified. While fusion centers have the 
capability to receive Classified documents, we cannot share 
useful contents with many of our customers unless the 
classification is downgraded.
    On behalf of New York's fusion center and as part of the 
larger National network of fusion centers, thank you for this 
opportunity to speak before your subcommittees, and I welcome 
any questions.
    [The prepared statement of Mr. Cooney follows:]
                 Prepared Statement of Daniel J. Cooney
                              May 24, 2016
    Good morning Chairman Donovan, Ranking Member Payne, Chairman 
Ratcliffe, Ranking Member Richmond, and Members of the subcommittees: 
My name is Dan Cooney and I am an assistant deputy superintendent with 
the New York State Police, responsible for overseeing the New York 
State Intelligence Center, the State's designated fusion center. Thank 
you for inviting me to speak today about our cyber threat information 
and intelligence-sharing efforts.
    The New York State Intelligence Center, or ``NYSIC'', is managed by 
the New York State Police and staffed by approximately 90 people 
representing nearly 20 law enforcement, homeland security agencies at 
the local, State, and Federal levels. Since we opened our doors in 2003 
as one of the first fusion centers in the Nation we have maintained an 
``all-crimes'' approach, with the ultimate goal of preventing criminal 
and terrorist activity in our State and supporting our partners' on-
going law enforcement investigations. We are primarily responsible for 
supporting the 57 counties outside New York City, but we work closely 
with our New York City Police Department colleagues on New York City-
based issues.
    NYSIC incorporated cyber threat intelligence into its mission in 
2014 by creating a Cyber Analysis Unit. The catalyst was two-fold: We 
recognized the need to dedicate resources to the growing threat of 
cyber attacks, and we had just co-located with the Center for Internet 
Security and the Multi-State Information Sharing and Analysis Center 
(MS-ISAC), which the U.S. Department of Homeland Security has 
designated as the cybersecurity information sharing and analysis center 
for State, local, Tribal, and territorial governments. This provided a 
timely opportunity for us to learn best practices from top 
cybersecurity experts. Over time, we were able to staff the unit with 
an Investigator and 4 intelligence analysts who possess a mix of 
specialized technical knowledge or intelligence and analysis 
experience, a hiring model that has worked well. Our approach is based 
on partnerships, intelligence production, and outreach, and I will 
highlight a few examples of the benefits to the State's cybersecurity 
efforts.
             best practices in information-sharing efforts
    The New York State Police has long had a Computer Crimes Unit, and 
other agencies in New York have worked on cyber threats for some time. 
We have worked to bolster our relationships with other agencies, not 
only to learn from them, but to ensure proper information sharing, 
identify collaborative opportunities, and avoid duplication of effort. 
To that end, the NYSIC spearheaded the creation of the New York State 
Cyber Partners Working Group. This group of State and Federal 
Government agencies--including law enforcement, homeland security, 
information technology and the National Guard, to name a few--formally 
meets on a monthly basis to review cyber threat intelligence and 
discuss training, exercise and joint project opportunities. As the 
intelligence center, our role is to take the lead in developing cyber 
intelligence products for both technical and non-technical audiences, 
and we leverage the partnerships formed through this group to develop 
and share intelligence. The Cyber Partners Working Group also joins 
together for training and exercises. NYSIC, along with its working 
group partners, has participated in table-top and National-level full-
scale cyber-related exercises, as both observers and participants. 
Examples include GridEx III, Cyberstorm V, and New York agency-specific 
tabletops.
    Effective State and Federal collaboration is also vital to 
confronting these challenges. For example, recently NYSIC and its State 
and Federal partners collaborated on the production and dissemination 
of a joint cyber intelligence bulletin detailing the analyses of 
detected malware. During the analysis, which determined the malware was 
a well-documented downloader and credential stealing Trojan, an 
encrypted file was discovered. Encryption often prevents further 
investigation; however in this case the team obtained a tool from a 
partner agency that allowed us to decrypt the file. The file revealed 
specific and actionable data that could protect IT assets. The NYSIC 
published these findings as a joint cyber intelligence bulletin and 
received positive feedback from recipients.
    The NYSIC also relies on National cyber information-sharing 
networks. Routinely, we access the National Fusion Center Association's 
Cyber Intelligence Network (CIN), which is a relatively new network of 
fusion center cyber analysts, to ascertain whether the intelligence we 
are developing in New York may be part of a broader trend. The CIN is 
comprised of over 250 Federal, State, and local law enforcement members 
who focus on cyber crimes. These members come together and act as a 
Virtual Fusion Center utilizing a cloud service provided by the 
Homeland Security Information Network (HSIN) to share real-time cyber 
threat intelligence in support of an incident, event, or mission. This 
level of cyber threat information sharing was impossible only a few 
years ago, yet now is becoming routine.
    There are several instances in which the CIN collaborated during 
high-profile events to great effect. For example, the CIN launched the 
HSIN's secure, web-conferencing platform, called CINAWARE, in response 
to Distributed Denial of Service (DDoS) attacks launched by cyber 
hacktivists against several State and local government networks which 
included law enforcement and emergency medical service entities that 
were responding to an incident. The CIN immediately began sharing real-
time intelligence on the attacks with the relevant local agencies. The 
National Fusion Center Association reports that more than 350 
individuals from fusion centers and other Federal, State, and local 
agencies around the country participated in the CINAWARE room over a 
period of several weeks, with an average of 50 to 90 users in the room 
at any given time. The room was supported 24/7, which included 
overnight support from the MS-ISAC. During that period, more than 250 
queries were submitted and answered via the CINAWARWE room, enabling 
rapid sharing of information with decision makers. Leaders in State, 
local, and Federal agencies were consistently briefed on the 
information from the CINAWARE room.
    Since that event, the CINAWARE room on HSIN has been opened to 
support the response to the Vikingdom DDoS attacks against State and 
local networks across the country, the sharing of cyber-specific 
information related to the Paris Bombings, and to support the law 
enforcement and homeland security mission for Super Bowl 50. The CIN 
also facilitates daily sharing throughout the country of indicators of 
system-compromise identified in discrete geographic regions, issues and 
responds to Requests for Information, and acts as a team of subject-
matter experts to support local operations. All of this sharing occurs 
between fusion centers utilizing the Federal platform, HSIN, and occurs 
at the For Official Use Only (FOUO) level.
    Similarly, the NYSIC's co-location with the Center for Internet 
Security and the MS-ISAC allows our staff to walk downstairs and talk 
with their intelligence or operations analysts about Nation-wide 
reporting and how it may impact New York State. Any relevant, sharable 
information these networks provide NYSIC ultimately benefits our Cyber 
Partners Working Group and the State's broader cybersecurity prevention 
efforts.
    This intelligence is of limited use, however, if we cannot provide 
it to consumers and decision makers. Equally as important is 
communication with those outside of NYSIC. The NYSIC team is constantly 
meeting and briefing local governments and private critical 
infrastructure sectors on cybersecurity concerns. Participants leave 
with contact information needed to build distribution lists for 
intelligence products. Our distribution lists are separated by sector, 
and between technical and non-technical audiences, to ensure recipients 
receive exactly the information they need. We provide IT staff with 
actionable intelligence that can be cross-referenced with traffic on 
their networks, so they can deploy appropriate prevention or mitigation 
controls. Other partners, such as executives, appreciate more strategic 
information on trends in cyber actors' tactics, techniques, and 
procedures relevant to their sectors that can help inform better policy 
decisions. We listen to their feedback and tailor our intelligence 
products appropriately.
    The NYSIC Cyber Analysis Unit may receive or develop intelligence 
that is particularly relevant to the first responder community, or a 
subset thereof. For the Fire/EMS/Emergency Management agencies in New 
York, our team leverages NYSIC's Intelligence Liaison Officer (ILO) 
network--points of contact in each county from those 3 disciplines that 
participate in two-way sharing of threat information with our center. 
We educate them on cyber threat reporting and the types of technical 
and analytical support NYSIC can provide. For example, we crafted a 
cyber bulletin distributed specifically to 9-1-1 call centers with an 
``E-911'' capability based on our receipt of threat and vulnerability 
information relevant to technology that is employed.
    Information specific to law enforcement is pushed to agencies in 
the field using another outreach program called the Field Intelligence 
Officer (FIO) program. In support of this program, nearly all of the 
more than 500 law enforcement agencies in New York has a designated FIO 
that regularly communicates with the NYSIC to advance the homeland 
security and counter-terrorism mission. We utilize these members to 
share cyber information in their jurisdictions as well. More technical 
products, which may include vulnerability and consequence information, 
are shared directly with county Chief Information Security Officers 
(CISOs).
    New York State is currently working to expand its information 
sharing with the health care sector--both public- and privately-owned 
facilities. The NYSIC is finding that this sector is willing to partner 
with the State to discuss intelligence requirements, information 
sharing, training opportunities, and best practices in mitigating cyber 
threats.
      recommendations for continued growth in information sharing
    New York State has made significant strides in building its 
cybersecurity capabilities, both at the fusion center and across State 
agencies. We are sharing more information more effectively than ever 
before. Policies and best practices have been developed by consensus 
through multilateral and interagency policy bodies and professional 
associations. They are reinforced through daily engagements between 
Federal, State, local, and private-sector partners. Despite a 
constantly-changing environment we have made excellent progress.
    In order to build upon our successful efforts, we have identified 4 
areas for continued growth.
    First, information-sharing regarding cyber threats between the 
Federal Government and the States should be further streamlined. The 
information-sharing lessons of the last 13 years in the counter-
terrorism space must be applied in the cybersecurity today. In 2003, as 
the first New York State fusion center director, I remember working 
through information-sharing issues with DHS, FBI, and others. 
Ultimately, an agreed-upon vertical information-sharing pathway was 
developed between Federal partners and the fusion centers. At the State 
level, the fusion center is DHS's single point of contact for 
terrorism-related information, and we know from which subset of DHS to 
expect information. This is not yet the case with cyber threat 
information. There are many entities within DHS that gather, analyze, 
and disseminate various types of cyber threat intelligence, whether 
it's tactical indicators of compromise, strategic intelligence 
assessments, or organizing outreach campaigns with private-sector 
entities in our jurisdiction. Given this information--whether it is raw 
information or finished intelligence--does not come together in one 
place at the Federal level with a designated unit to ensure rapid 
communication with the fusion centers, more often than not the centers 
do not receive information in a timely manner. This problem is 
exacerbated by the fact that other Federal agencies also have a cyber 
mission, and many have not yet built relationships with the fusion 
centers like DHS or FBI have over the last 13 years. This includes 
sector-specific agencies like Energy, Treasury, and Health and Human 
Services that play an important role in protecting key sectors of the 
Nation's critical infrastructure and economy, and who conduct outreach 
and information dissemination campaigns with private-sector entities 
under their jurisdiction. Any steps that DHS can take to streamline the 
overall Federal cyber intelligence-sharing processes with the fusion 
centers will help States and our local partners better understand the 
current threat landscape and more efficiently align our own cyber 
information sharing with the private sector. Working together will 
better enable us to protect against and respond to inevitable cyber 
attacks. The more cyber threat intelligence that fusion centers 
receive, the more we can share with agencies and businesses in our 
jurisdictions. This will close intelligence gaps and help us 
communicate threats to smaller entities that Federal information-
sharing currently does not reach.
    Second, we must also continue to evaluate how we share Classified 
cyber-threat intelligence from the Federal Government to the fusion 
centers. There is no central Federal system that stores indicators of 
compromise against which fusion center cyber analysts can run 
comparisons and lookups. The National Network of Fusion Centers does 
not have a space on the National Cybersecurity and Communications 
Integration Center (NCCIC) floor, and therefore lacks access to that 
critical data source which is available to other Federal information-
sharing partners. The network has interactions at the DHS Office of 
Intelligence and Analysis' Cyber Intelligence and Analysis Division 
(CIAD), but that interaction primarily occurs at the FOUO level and 
involves information being shared up to the Federal level, but not 
necessarily back down. Additionally, we observe that a large amount of 
cyber threat information is Classified. While the NYSIC understands why 
that might be the case, the Federal community needs to continue to 
focus on creating Unclassified tear lines of actionable intelligence. 
The fusion centers may have the capability to receive Classified 
documents, but cannot share useful contents with many of its customers 
unless the classification is downgraded. We would be pleased to work 
with authors of Classified documents to develop Unclassified actionable 
information for our non-cleared partners. I believe there has been some 
effort to share more Unclassified indicators based on recent production 
efforts by one Federal agency, and I hope that effort continues across 
the Federal community.
    Third, we need to continue our efforts to share information with 
local and county governments and private sector. We need to make sure 
there is consistency, and not confusion, regarding ``who to call'' when 
a local government or private entity experiences a cyber incident. We 
successfully worked through similar issues in the counter-terrorism 
area and I believe collective development of clear guidance would 
better serve our customers.
    Finally, the parallels between counter-terrorism and cyber extend 
beyond information sharing. Adequate cyber preparedness requires wide-
spread implementation of best practices and mitigation efforts, which 
invariably can exceed the capacity of local and county governments 
facing a growing myriad of threats. In our ever-more connected world, 
your network is only as strong as its weakest interconnection, yet 
implementing strong cybersecurity solutions is often costly. As we 
continue the hard work of policy development and adoption of best 
practices, the need for Federal Government support of State and local 
cybersecurity preparedness should not be overlooked. Much the same way 
the DHS Homeland Security Grant Program provides essential Federal 
support for counter-terrorism initiatives, similar support for 
cybersecurity would further enhance the capacity of States, fusion 
centers, and local governments to prevent and respond to cyber 
incidents that threaten our Nation's critical infrastructure and 
economy.
    Thank you for this opportunity to speak before your subcommittees. 
On behalf of New York's fusion center, and as part of the larger 
National Network of Fusion Centers, I appreciate the invitation to 
participate in this discussion and I welcome any questions you may 
have.

    Mr. Donovan. Thank you, Lieutenant Colonel.
    The Chair now recognizes General Spano for 5 minutes.

 STATEMENT OF BRIGADIER GENERAL STEVEN SPANO, (RETIRED, USAF), 
  PRESIDENT AND CHIEF OPERATING OFFICER, CENTER FOR INTERNET 
                            SECURITY

    Mr. Spano. Mr. Chairman, Ranking Members, Members of the 
committee, I am Steve Spano, the president and chief operating 
officer for the Center for Internet Security, or CIS. I 
appreciate the opportunity to share our thoughts on the state 
of National cybersecurity, and offer a number of suggestions 
and address some of the challenges that lie ahead.
    I would like to talk a little bit about our organization, 
what we do, our primary ambition, and how that feeds into our 
assessment of the current state of cybersecurity in the area 
that we know best, which is State, local, Tribal, and 
territorial governments. Then I will talk a little bit about 
how we service and are enhancing that mission, working with our 
partners, like the fusion center, and State and local 
governments, and then offer some ideas moving forward 
strategically that perhaps this committee can begin to address 
as the challenges we face continue to grow.
    About CIS, it began in 2000 out of the passion and the 
belief that everybody deserves a secure on-line experience. The 
100-plus professionals work collaboratively to enhance the 
cybersecurity mission, readiness, and response, and we do that 
in 3 core areas: Beginning from the foundation, we believe that 
it is inherently practical and important to establish a secure 
framework to build your cyber strategy on and evolving to.
    We call that security framework the critical security 
controls, or the CIS controls. They are a set of prioritized 
actions that organizations of any size can take in a priority 
order to deal with the current threats that exist in today's 
environment. That security framework serves as a foundation for 
some of the products and services that we offer, one such being 
the security benchmarks, which are automated configurations 
that lock down devices, operating systems, and software. So 
these security benchmarks help execute and implement the CIS 
controls, along with many of the services and products that our 
partners out in industry also support and provide.
    The controls, the benchmarks, the products, and services 
are put into execution in our primary mission, and that is 
running the Multistate Information Sharing and Analysis Center, 
or the MS-ISAC. The ISAC was established in a partnership with 
DHS in 2010, and we began the journey of beginning to monitor 
all 56 SLTTs, where we are approximately more than two-thirds 
of the way through bringing the States and these local 
governments and Tribal networks onto our network.
    We currently have 41 that we actively monitor that we 
provide network intrusions, that we provide intelligence 
analysis to, that we provide forensics capability and response 
as part of a computer emergency response team. That mission 
continues to grow and strengthen.
    What I would like to talk about now is how that mission 
feeds our assessment of where we believe the current state of 
National cybersecurity is within the SLTTs. We inform it 
through the day-to-day mission and the operation over the last 
several years, our experience, and global situational awareness 
and engagement. We are also responsible for producing the 
National cybersecurity in this report to DHS, which every 2 
years is provided to Congress. We are working to finalize this 
year's report.
    The NCSR is a self-assessment by the States in 13 key 
categories, and we measure those categories in a number of ways 
through the self-assessment amongst these entities. We find 
that in each of the 13 categories, while year to year, there 
has been improvements among the States, there are still 
challenges that reside in all 13 categories to meet the self-
prescribed benchmarks metrics that they want to achieve.
    Progress is being made. I characterize in my written 
testimony that the current state within the SLTTs is improving, 
but there are still a number of challenges that are facing the 
States, to include under-resource budgets, a workforce that I 
would characterize as high-demand, low-density in its assets 
and that is insufficient to address on many of the challenges, 
and a number of other areas of dealing with basic hygiene in 
terms of executing some of their strategies. But progress is 
being made, and I would characterize it as improving.
    I look forward to the dialogue and the questions and to 
diving into some of the specific details on how we can improve 
moving forward in two key areas: One is establishing a basic 
hygiene campaign, whether that is a built upon the critical 
security controls or other frameworks; and the other areas I 
mentioned that I believe is a strategic challenge for us 
Nationally is how to inspire and generate a cybersecurity 
workforce that can grow and meet the challenges. Because as I 
mentioned, they are high-demand, low-density asset across, and 
the trends we are seeing within K through 12 and interest in 
STEM, colleges and universities are offering programs but it is 
insufficient to get to scale. We are seeing that just the basic 
capabilities to keep up with the growing threats and the 
expertise and the training of existing professionals is a 
challenge for a lot of the SLTTs.
    Thank you very much for the opportunity to address you. I 
look forward to your questions.
    [The prepared statement of Mr. Spano follows:]
                   Prepared Statement of Steven Spano
                              May 24, 2016
    Chairmen Donovan and Ratcliffe, Ranking Members Payne and Richmond, 
and Members of the committee, thank you for inviting me today to this 
hearing. My name is Steve Spano, and I serve as the president and chief 
operating officer of the Center for Internet Security--or ``CIS.'' I 
appreciate the opportunity today to share our thoughts on the current 
state of National cybersecurity, focusing in the area we know best: 
State, local, Tribal, and territorial (SLTT) government entities. As 
the Nation addresses the complicated issue of cybersecurity, your 
efforts to assess the current state of National cyber preparedness and 
response capabilities and determine how best to improve our National 
cybersecurity posture is noteworthy. I look forward to offering our 
ideas on how we can collectively build on the progress being made in 
this important area of critical National security.
    Established in 2000 as a not-for-profit organization, CIS's primary 
mission is to advance cybersecurity readiness and response. CIS was 
instrumental in establishing the first guidelines for systems hardening 
at a time when there was little on-line security leadership. In 2010, 
the U.S. Department of Homeland Security (DHS), under the National 
Protection and Programs Directorate (NPPD), partnered with CIS to host 
the Multi-State Information Sharing and Analysis Center, or MS-ISAC. 
Under a cooperative agreement with DHS, the MS-ISAC was established as 
a 24x7 cybersecurity operations center that provides real-time network 
monitoring, threat analysis, and early warning notifications to SLTTs. 
MS-ISAC also consolidates and shares threat intelligence information 
with the DHS National Cybersecurity and Communications Information 
Center (NCCIC), where we have 2 employees serving as liaisons for MS-
ISAC. In 2015, we became the home of the CIS Critical Security 
Controls, previously known as the SANS Top 20. With this expanded 
operational mission, CIS has evolved as a trusted resource to help 
public and private organizations start secure and stay secure.
    Today, CIS collaborates with the global security community to lead 
Government and private-sector entities to on-line security solutions 
and resources. While I will elaborate more fully below, the 100-plus 
professionals at CIS provide cyber expertise in three main program 
areas:
    1. As I just mentioned, the MS-ISAC operates a 24x7 Secure Ops 
        Center to support SLTTs.
    2. The CIS Critical Security Controls (CIS Controls), a consensus-
        driven, prioritized set of cyber best practices created to stop 
        today's most pervasive and dangerous cyber attacks. The CIS 
        Controls are referenced in several policy and security 
        frameworks such as the NIST 800.43; and
    3. The Security Benchmarks, a program that provides well-defined 
        configuration best practices to help organizations world-wide 
        assess and improve their cybersecurity. Over 100 consensus-
        based Security Benchmarks have been developed to date, and 
        Security Benchmarks members can access tools and automated 
        content for both traditional hardware and software as well as 
        cloud-based services.
    More information about CIS is included at Attachment A and 
incorporated herein by reference.
            the current state of cybersecurity preparedness
    CIS's assessment of the current state of cybersecurity preparedness 
and response capabilities is based on our collective daily experience 
with the MS-ISAC, represented by over 1,000 SLTT members (including all 
50 States), as well as our dealings with those using the CIS Security 
Benchmarks and the CIS Controls, all of which provide us unique and 
wide-ranging insight into the cybersecurity posture of those we serve.
    Today, thanks to Congressional and DHS support and SLTT 
participation, the MS-ISAC is actively monitoring the networks of 41 
States and territories. In 2016, our goal is to have all 50 States and 
all 6 territories being monitored by the MS-ISAC. Our members represent 
local governments, public universities, critical infrastructure 
entities, and public authorities that own and operate critical 
infrastructures. In 2015, our monitoring program analyzed over 3 
trillion records, which generated over 56,000 actionable alerts to our 
SLTT partners. In 2015, our CERT team managed 161 incidents for our 
partners, largely focused on computer forensics. Their efforts actively 
identify types of threats, origins of attack, and root causes of the 
attack. Our intelligence team has produced a large number of analytical 
reports that both DHS and the FBI have cited as key resources to help 
in their investigations and high-level threat detection. Our cyber 
support for SLTTs also includes a computer emergency response 
capability, and the issuance of real-time cyber alerts, advisories, and 
intelligence products.
    Based on this work, we can state that since 2004, when the MS-ISAC 
partnership with DHS began, we have seen progress in the state of 
cybersecurity of our SLTT partners that can be characterized as 
improving, with many positive trends. There are, however, significant 
challenges that we are collectively working to improve. These 
challenges include under-resourced cybersecurity budgets, poorly 
crafted and vulnerable software provided by vendors, misconfigured 
networks, and insufficient numbers of qualified professional staff.
    Our assessment of SLTT cybersecurity preparedness and response 
capability is supported in the findings of the DHS-funded Nation-wide 
Cyber Security Review (NCSR). This annual review, tasked to the MS-ISAC 
by DHS, is produced in conjunction with the National Association of 
Counties and the National Association of State Chief Information 
Officers, and is reported to Congress by DHS every 2 years. It is a 
voluntary, self-assessment survey designed to evaluate cybersecurity 
management within, and the cybersecurity posture of, SLTT governments. 
To gauge the Nation-wide level of cybersecurity readiness, the NCSR 
measures maturity of cybersecurity programs within the SLTT community 
by assessing how SLTTs are performing in 13 key cybersecurity areas. 
The 2013 and 2014 NCSRs found SLTT respondents continuing to improve 
towards the highest level of maturity, ``risk aware'', in all 13 of 
these measured functions, but they have not yet reached that maturity 
level in any of the 13 categories. Further support for our assessment 
is found in the DHS 2015 National Preparedness Report (the 
``Preparedness Report''), which acknowledges both that SLTTs place 
significant emphasis on the importance of cybersecurity, but have been 
challenged to find sufficient financial resources and staffing to meet 
growing cybersecurity demands.
    The MS-ISAC, the NCSR and the Preparedness Report all recognize 
that steady progress is being made in many areas of SLTT cybersecurity, 
in the face of cyber threats that continue to increase in scope, 
sophistication, and number, but that challenges remain for SLTTs to 
reach full cybersecurity preparedness. This reality will not change any 
time soon. The strategy and execution of defensive responses must 
evolve at a faster pace. This will require continued investment, strong 
leadership, and collaboration at all levels of government.
    Outside of the SLTT space, our experience with our Security 
Benchmarks customers and those using the CIS Controls also show 
increased efforts to improve organizations' cybersecurity posture. In 
the last 3 years, the number of organizations purchasing Security 
Benchmarks memberships has almost tripled, and the growth in the use of 
automated machine image versions of the Benchmarks has grown tenfold 
since they were first released a year ago. This shows us that there is 
increasing emphasis on ensuring that organizational networks and 
devices are securely configured.
    In October 2015, we released Version 6 of the CIS Controls. In the 
period of time since the release, the CIS Controls have been downloaded 
over 32,000 times. This data, coupled with on-going requests for 
information and assistance in learning more about the Controls, shows 
us that companies and organizations are seeking guidance in how to 
start secure and stay secure, and are looking for the roadmap to tell 
them how to get there.
       how cis is working to increase cybersecurity preparedness
    Since its inception, CIS's mission has been focused on increasing 
cybersecurity preparedness, both for SLTT governments through the MS-
ISAC and for the private sector as well with the CIS Controls and 
Security Benchmarks programs. I appreciate the opportunity to highlight 
our work in these 3 areas, and why we believe our work is making a 
difference.
MS-ISAC
    The on-going work of the MS-ISAC has and will continue to improve 
the cybersecurity posture of SLTT governments. Our continuous 
monitoring of SLTT networks across the country provides us with the 
ability to see and analyze the scope of potential malicious activity 
and identify when there are multiple incidents of the same nature and 
source. As noted above, in 2015 alone, MS-ISAC detected and analyzed 
malicious activity events that generated over 56,000 incident reports. 
We provide response assistance if needed, including CERT team 
assistance. Equally importantly, we provide timely issue alerts to all 
our SLTT members, which include steps to take to avoid or mitigate the 
risk of the identified malicious activity event. We also share SLTT 
event information with Federal agencies and other trusted partners 
through our liaisons on the NCCIC floor, so our work also informs the 
cybersecurity posture of the Federal Government and the Nation as a 
whole.
    In addition to our monitoring and response services, we produce a 
monthly situational awareness report that shares timely cybersecurity 
information with our over 1,000 members. We distribute weekly reports 
of cyber threat indicators and support an automated indicator sharing 
platform (STIX/TAXII). We hold monthly webcasts focusing on particular 
cybersecurity issues. We also offer group purchasing opportunities for 
cybersecurity training and products, with substantially discounted 
pricing for SLTTs, educational and not-for-profit entities. Since 
starting the purchasing alliance in 2012, we have been able to save 
SLTT governments almost $30 million in their purchase of essential 
cybersecurity training and products. Our work with the NCSR is 
providing SLTTs with a tool to monitor and track their progress, both 
internally and against other SLTT entities.
    More information on MS-ISAC services is included in Attachment B 
and incorporated herein; further information is available here: https:/
/msisac.cisecurity.- org/.
CIS Critical Security Controls
    CIS is the home of the Critical Security Controls, the set of 
internationally recognized prioritized actions that form the foundation 
of basic cyber hygiene, demonstrated to prevent 80-90% of all known 
pervasive and dangerous cyber attacks. The CIS Controls were initially 
created, and are regularly updated, by a global network of cyber 
experts based on actual attack data derived from a variety of public 
and private threat sources, so they are informed by both professional 
expertise and real-world threat information.
    The CIS Controls act as a blueprint for network operators to 
improve cybersecurity by suggesting specific actions to be done in a 
priority order. In this regard, we strongly believe that the CIS 
Controls can help all organizations, especially the small- and mid-
sized entities, many of which need help in identifying exactly what to 
do and when.
    The CIS Controls are recognized by a number of cybersecurity 
frameworks and reports as an effective and practical tool for improving 
an organization's cybersecurity preparedness. The CIS Controls are 
specifically called out in the NIST Cybersecurity Framework as one of a 
handful of cybersecurity tools that help organizations implement the 
Framework. Just recently, the California Attorney General released the 
California Data Breach Report (2016), which specifically points to the 
Controls as a tool that if followed, would meet the requirement of 
``reasonable security'' under California law. (The full report can be 
accessed here: https://oag.ca.gov/breachreport2016).
    Additionally, the Controls are included in the following 
foundational frameworks, reports, and documents:
   NIST Framework
   Symantec 2016 Internet Security Threat Report, https://
        www.symantec.com/content/dam/symantec/docs/reports/istr-21-
        2016-en.pdf, pages 75-77
   Verizon DBIR 2015, page 55
   Tripwire, ``The Executive's Guide to the Top 20 Critical 
        Security Controls,'' http://www.tripwire.com/state-of-security/
        featured/20-csc-list-post/
   Zurich Insurance/Atlantic Council ``Risk Nexus: Overcome by 
        Cyber risks? Economic Benefits and Costs of Alternate Cyber 
        Futures''--page 28
   NGA ``National Governors Association Call to Action on 
        Cybersecurity'', page 4
   UK CPNI (the British infrastructure protection directorate--
        entire web page references the Controls)
   Conference of State Bank Supervisors, ``Cybersecurity 101: A 
        Resource Guide for Bank Executives, pages 8, 12, 24, https://
        www.csbs.org/CyberSecurity/Documents/
        CSBS%20Cybersecurity%20101%20Resource%20Guide%20- FINAL.pdf
    We make the CIS Controls available for download at no cost to the 
general public, as well as free companion guides that provide more 
detailed information and support for the implementation of the CIS 
Controls. Find out more information about the Controls and download 
them for free at: https://www.cisecurity.org/critical-controls.cfm. 
Additional information about the CIS Controls is also included at 
Attachment C and incorporated herein by reference.
CIS Security Benchmarks
    CIS is also the world's largest producer of authoritative, 
community-supported, and automatable security configuration benchmarks 
and guidance. The CIS Security Benchmarks (also known as 
``configuration guides'' or ``security checklists'') provide highly 
technical, detailed security recommendations for specific components of 
information technology, such as operating systems and devices, and are 
vital for any credible security program. The Security Benchmarks are 
developed though a collaborative effort of public and private-sector 
security experts. CIS has developed over 100 consensus-based Security 
Benchmarks have been developed today and are available in PDF format 
free to the general public, or in an automated format through the 
purchase of a membership. We have also created a number of Amazon 
Machine Images (AMIs) for the most utilized Security Benchmarks, which 
are available for purchase in the AWS Marketplace and in Amazon 
GovCloud, and we are discussing similar arrangements with other cloud 
providers. CIS Security Benchmarks are used world-wide by organizations 
ranging from small, nonprofit businesses to Fortune 500 companies.
    The CIS Security Benchmarks are referenced in a number of 
recognized security standards and control frameworks, including:
   Payment Card Industry (PCI) Data Security Standard v3.1 
        (PCI) (April 2016)?
   NIST Guide for Security-Focused Configuration Management of 
        Information System;
   Federal Risk and Authorization Management Program (FedRAMP) 
        System Security Plan;
   DHS Continuous Diagnostic Mitigation Program; and
   CIS Critical Security Controls, Version 6
    More information about CIS Security Benchmarks is included at 
Attachment D and incorporated herein by reference.
                         what more can be done?
    The current cyber threat is clear, unmistakable, and unlikely to 
abate anytime soon. Fortunately, much is currently being done to 
improve cybersecurity--but more needs to be done. We would like to 
focus our comments on 2 areas that we believe are of significant 
importance to both SLTT and non-SLTT organizations: (1) Improving cyber 
hygiene; and (2) creating a comprehensive approach to both increasing 
and improving the cybersecurity workforce.
Improving Cyber Hygiene
    Probably the single most important effort that we can undertake to 
dramatically make our networks more secure is to adopt basic cyber 
hygiene. Like personal hygiene, it involves basic, regular routines and 
actions that are needed to maintain basic safety and security.
    Despite a growing understanding of the threats and vulnerabilities 
in the technical community, wide-spread adoption of safe cyber behavior 
in cyber space is the exception, not the norm. It is our experience 
that the vast majority of cyber incidents result from either the 
failure to patch known vulnerabilities in software and web applications 
or failure to adopt proper security configurations on network operating 
systems or devices.
    We believe that part of the difficulty in getting more traction for 
cyber hygiene is the existence of a plethora of defensive tools, 
security frameworks, and guidelines, combined with the complexity of 
our networks, which have simply overwhelmed and confused consumers, 
private-sector companies and governments. For example, while the NIST 
Framework lays out a process for beginning a dialogue on cybersecurity 
measures, it is by design not a framework listing prioritized actions 
based on effectiveness.
    As we have discussed above, we believe that the CIS Controls 
provide the specific, actionable controls in priority order that will 
thwart the most pervasive attacks. This is supported in a study by the 
Australian government Department of Defense, which revealed that 85% of 
known cybersecurity vulnerabilities can be mitigated by deploying the 
Top 5 CIS Controls. Whether by using the CIS Controls or some other 
framework, increased efforts by the Federal Government to promote a 
roadmap for basic cyber hygiene will yield proven results in mitigating 
the most prevalent and pervasive cyber attacks.
Creating a Comprehensive Approach to Improving Our Cybersecurity 
        Workforce
    One of the major reasons that organizations have struggled in 
achieving basic cyber hygiene is the lack of available and qualified 
cybersecurity professionals to undertake the necessary cyber protection 
actions, particularly on an on-going basis. There are simply too few 
qualified cyber professionals in the workforce. This is the result of 
several factors:
   too few students in the K-12 level of education are 
        interested in pursuing further education in computer science 
        and cybersecurity;
   too few universities and colleges are offering cybersecurity 
        degree or certificate programs that offer the practical 
        training needed to meet the qualifications of cybersecurity 
        professional roles;
   there is a need for more continuing cyber education of staff 
        in the current cybersecurity workforce to keep up with the 
        ever-changing technical landscape of cyber threats; and
   for SLTTs and smaller organizations, the ability to hire 
        from the limited existing cybersecurity workforce is hampered 
        by the inability to compete with private-sector salary levels.
    We believe that there are several areas in which the Federal 
Government can assist with increasing and improving the cybersecurity 
workforce:
    1.   Help to increase awareness and promote STEM education at the 
        K-12 level;
    2.   Because of our DHS support, CIS is able to recruit students 
        from the National Science Foundation's Scholarship for Services 
        Program (SFS) for certain MS-ISAC positions. This program has 
        been a great tool in helping us recruit and maintain entry-
        level cyber professionals. We would recommend considering 
        additional funding for the SFS program to open the program up 
        to more students. This would assist in growing the number of 
        students entering cybersecurity studies at the college level. 
        We would also suggest considering broadening the organizations 
        that qualify to hire SFS students to include non-governmental 
        critical infrastructure organizations and not-for-profits, all 
        of whom share the same challenges that Federal and SLTT 
        governments face in recruiting and retaining cyber talent.
    3. Providing more opportunities for cyber exercises and simulations 
        and expand participation by SLTT entities. In addition to 
        allowing SLTTs more opportunities to assess their cyber 
        readiness and response capabilities, these exercises and 
        simulations provide on-going training for the SLTT 
        cybersecurity workforce.
    The threat to our Nation is real and extends down to every 
individual. As such, improving our cybersecurity defense of this 
country demands the combined efforts of us all. We will continue our 
efforts at CIS to help SLTTs protect citizen data at every level of 
Government. We will also continue our excellent partnership with the 
Federal Government as we work to extend monitoring services to all 56 
States and territories as the foundation of best practice in 
cybersecurity information sharing.
    I want to thank the committee for the opportunity to participate in 
this important hearing, and look forward to addressing any questions 
you might have.
    Find out more information about CIS here: https://
www.cisecurity.org/.
Attachment A.--The Center for Internet Security
Attachment B.--MS-ISAC
Attachment C.--CIS Critical Security Controls
Attachment D.--CIS Security Benchmarks

    Mr. Donovan. Thank you, General Spano.
    The Chair now recognizes Mr. Raymond for 5 minutes.

STATEMENT OF MARK RAYMOND, VICE PRESIDENT, NATIONAL ASSOCIATION 
              OF STATE CHIEF INFORMATION OFFICERS

    Mr. Raymond. Thank you, Chairman Donovan, Chairman 
Ratcliffe, and Ranking Members Payne and Richmond for inviting 
me to testify for you today.
    My name is Mark Raymond, and I serve as the chief 
information officer for the State of Connecticut and the vice 
president of the National Association of State Chief 
Information Officers. NASCIO is a nonprofit association that 
represents State CIOs and IT executives and managers from 
States, territories, and the District of Columbia.
    Today, I would like to provide the committee with an 
overview of cybersecurity preparedness in the States, what 
States are doing to improve our resilience, and opportunities 
to enhance the security profile of our Nation.
    State CIOs are Executive branch officials who serve as 
business leaders, advisers of IT policy, and implementation at 
the State level. The most critical role for the CIO today 
includes the security of State networks, protection of State 
data, and helping formulate the response for cyber incident or 
disruption. These responsibilities are shared with the chief 
information security officer, or CISO, a position that exists 
among all 50 States and for whom are becoming increasingly 
standardized in their roles.
    State CIOs and CISOs operate in an increasingly challenging 
environment. In the 2014 Deloitte-NASCIO Cybersecurity Study, 
we found that the top barriers for States addressing 
cybersecurity were insufficient budgets, increased 
sophistication of threats, and the inadequate availability of 
security professionals.
    Regarding insufficient funding, the majority of the States 
spend in the range of 1 to 2 percent of their overall IT budget 
on cybersecurity. The Federal Government spends around 14 to 16 
percent. Combined with recent events, this disparity shows that 
there is no one correct amount or percentage. States must 
assess their cybersecurity risk and spend commensurate with 
that risk.
    The lack of qualified IT security professionals are also a 
challenge for States. People with IT security skills are the 
most difficult to recruit and retain for States, and the State 
government salary rates and pay structures are the biggest 
challenge in bringing on IT talent.
    Another obstacle for CIO and CISOs is the increasing 
sophistication of threats. The top 3 are malicious code, 
hacktivism, and zero-day attacks. State CIOs are playing 
defense, but we have been able to better prepare for known 
threats through information sharing.
    Despite these challenges, States are progressing towards a 
more secure cyber environment. NASCIO has long called for 
States to adopt a cybersecurity framework, and quickly endorsed 
the NIST framework upon its release. From 2015 data, we know 
that 80 percent of the States have adopted a cybersecurity 
framework based on National standards and guidelines.
    States are utilizing public and private resources to 
enhance their cybersecurity posture in both times of relative 
rest and in times of emergency. To better identify and detect 
cyber threats, States are increasingly sharing threat 
information through fusion centers and MS-ISAC. Eighty percent 
of States have established trusted partnerships for information 
sharing and response. Eighty percent of the States have also 
acquired and implemented continuous vulnerability monitoring 
capabilities to better identify and detect malicious cyber 
activity.
    Many States also participate in ALBERT, a joint program 
between MS-ISAC and DHS, which brings an EINSTEIN-based, cyber-
traffic monitoring system to the States. Knowing that the 
ability to identify and detect is our first line of defense, 
Connecticut is the first State to take advantage of DHS's 
threat intelligence offering provided by iSight partners.
    In the realm of response and recoveries, States are also 
showing maturity. In a disaster, State officials expect the 
State CIO to maintain reliable and secure infrastructure, 
coordinate with other State officials, and restore 
communications services. I am responsible for these duties in 
my State as outlined in our disaster response framework.
    Recognizing that States could face a catastrophic disaster 
that coincides with or is caused by a cyber event, NASCIO has 
called on States to develop a cyber disruption plan that 
contemplates massive disruptions to the business of State 
government. States like Michigan have taken the whole-community 
approach and have developed disruption plans that outline roles 
and responsibilities during a disaster.
    A key partner to the States has been DHS. States are heavy 
utilizers of DHS State and local cyber programs like ICS-CERT 
and FedVTE. Also Federal programs like CyberCorps helps shore 
the IT security workforce gap that all States are facing.
    Another way the Federal Government could aid in enhancing 
State's ability to identify, protect, detect, respond, and 
recover is by harmonizing Federal security requirements. CIOs 
must comply with IRS publication 1075, FBI-CJIS, HIPAA, FERPA, 
CMS's MARS-E, amongst others. Regulation harmonization could 
lessen the burden on States, enabling us to focus on providing 
security services rather than checking off boxes.
    Thank you for holding this important hearing and for the 
opportunity to testify today on this truly critical issue.
    [The prepared statement of Mr. Raymond follows:]
                   Prepared Statement of Mark Raymond
                              May 24, 2016
    Thank you Chairmen Ratcliffe and Donovan and Ranking Members Payne 
and Richmond for inviting me to testify before you today.
    My name is Mark Raymond and I serve as the chief information 
officer (CIO) for the State of Connecticut and also as the vice 
president of the National Association of State Chief Information 
Officers (NASCIO). At NASCIO, I also co-chair the cybersecurity 
committee. NASCIO is a nonprofit, 501(c)(3) association representing 
State chief information officers and information technology executives 
and managers from the States, territories, and the District of 
Columbia.
    Today, I would like to provide the committee an overview of the 
status of cybersecurity preparedness in the States, what States are 
doing to improve and enhance resilience to cyber attacks, and 
opportunities to enhance the security profile of our Nation.
    State chief information officers are State executive branch 
officials who serve as business leaders and advisors of information 
technology policy and implementation at the State level.--All States 
have a CIO and all CIOs serve within the executive branch of State 
government. The office of the State CIO takes many forms, some are 
cabinet officials and others are executive directors; regardless of the 
title, all State CIOs share a common function of setting and 
implementing a State's IT policy.
    State CIOs are also responsible for providing IT services to State 
executive branch agencies. This not only includes the more typical 
business of provisioning enterprise data or phone services but also 
securing the digital business of State government. The most critical 
role today for the CIO includes the security of State networks, 
protection of State data, and helping formulate the response for a 
cyber incident or disruption. These responsibilities are shared with 
the chief information security officer (CISO), a position that exists 
among all 50 States and duties for whom are becoming increasingly 
standardized.
    State CIOs and CISOs operate in an increasingly challenging 
environment.--In the 2014 Deloitte-NASCIO Cybersecurity Study, State 
governments at risk: Time to move forward, (2014 Deloitte-NASCIO Study) 
[http://www.nascio.org/Portals/0/Publications/Documents/Deloitte-
NASCIOCybersecurityStudy_2014.pdf], we studied the current 
cybersecurity environment in the States, common challenges, and 
barriers to a strong State cybersecurity posture. The 2014 Deloitte-
NASCIO Study showed that the top barriers to States addressing 
cybersecurity were insufficient budgets, increased sophistication of 
threats, and the inadequate availability of security professionals. 
These challenges remained the same in 2015.
    Insufficient budgets for cybersecurity have been cited as a top 
barrier since the inception of the Deloitte-NASCIO Cybersecurity Study 
in 2010. The majority of States spend in the range of 1-2 percent of 
their overall IT budget on cybersecurity. The Federal Government spends 
around 14-16 percent of their IT budget on cybersecurity. Combined with 
recent events, this disparity shows that there is no one correct amount 
or percentage; States must assess their cybersecurity risk and spend 
commensurate with that risk.
    Funding challenges also affect the ability of States to hire and 
retain skilled IT security personnel. NASCIO's State IT Workforce: 
Facing Reality with Innovation [http://www.nascio.org/Portals/0/
Publications/Documents/NASCIO_StateIT- WorkforceSurvey2015_WEB.pdf] 
survey shows that a shortage in the State IT workforce has been 
predicted for some time and States are finding that those with IT 
security skills are the most difficult to recruit and retain (67.3%) 
followed by application development, programming, and support (57.1%); 
and architecture (55.1%). Ninetey-two percent of respondents reported 
that salary rates and pay structures are a challenge in bringing on top 
IT talent. States are responding to the dearth of qualified IT security 
personnel by getting innovative.
    In Maine, State CIO Jim Smith confronted the reality that 24 
percent of his 480 State IT workers would be eligible to retire in the 
next 2 years thus highlighting the need to recruit and retain new IT 
talent. He has addressed 1 aspect of the workforce issue by updating 
the application process, moving it on-line, and making it mobile 
friendly. He has also created an IT intern program and over 70 percent 
of those interns have become full-time employees. High school students 
are also welcome to visit Maine's Office of Information Technology for 
its annual ``Technight,'' [http://www.maine.gov/oit/technight/
index.shtml] where students participate in a variety of tech-related 
activities, which introduces them to exciting IT careers.
    While insufficient budgets and workforce shortages continue to be 
obstacles for State CISOs, 3 out of 5 also reported that the increasing 
sophistication of threats was also a major barrier to addressing 
cybersecurity. In the 2014 Deloitte-NASCIO Study, CISOs reported their 
top 3 cyber concerns: Malicious code (74.5%), hacktivism (53.2 %), and 
zero-day attacks (42.6%). Malicious cyber activity happens daily in 
State government, but State CIOs have been able to better prepare for 
known threats through information sharing, a concept with which 
emergency managers are acutely aware.
    Despite these challenges, States are progressing toward a more 
secure cyber environment. NASCIO has long called for States to adopt a 
cybersecurity framework and quickly endorsed [http://nascio.org/
Newsroom/ArtMID/484/ArticleID/34/NASCIO-Supports-Adoption-of-the-NIST-
Cybersecurity-Framework] the National Institute of Science and 
Technology's (NIST) Framework for Improving Critical Infrastructure 
Cybersecurity (NIST Cybersecurity Framework) upon its release in 
February, 2014. In the 2014 Deloitte-NASCIO Study, we found that 88 
percent of States were reviewing or planning to leverage the NIST 
Cybersecurity Framework within the year. In the NASCIO, Grant Thornton, 
CompTIA 2015 State CIO Survey, The Value Equation: Agility in Sourcing, 
Software and Services, [http://www.nascio.org/Portals/0/Publications/
Documents/2015/NASCIO_- 2015_State_CIO_Survey.pdf] we found that 80 
percent of States had adopted a cybersecurity framework based on 
National standards and guidelines.
    States are adapting to shared cybersecurity challenges and 
utilizing public and private resources to enhance their cybersecurity 
posture both in times of relative rest and in times of emergency. The 
NIST Cybersecurity Framework identifies 5 basic functions: Identify, 
protect, detect, respond, and recover. States are making progress in 
each of these areas.
    To better identify and detect cyber threats to protect a wealth of 
State digital assets, States are increasingly sharing threat 
information through established forums like fusion centers and the 
Multi-State Information Sharing and Analysis Center (MS-ISAC). From the 
2015 State CIO Survey, we know that 80 percent of States have 
established trusted partnerships for information sharing and response. 
Additionally, 80 percent of States have also acquired and implemented 
continuous vulnerability monitoring capabilities in order to better 
identify and detect malicious cyber activity. Knowing that the ability 
to identify and detect are our first line of defense, NASCIO has called 
on States to invest in advanced cyber analytics as a part of the 
practice of business intelligence and recently published, Advanced 
Cyber Analytics: Risk Intelligence for State Government. [http://
www.nascio.org/Portals/0/Publications/Documents/2016/
NASCIO_AdvancedCyberAnalytics_FINAL_- 4.18.16.pdf] To that end, 
Connecticut is the first State to take advantage of DHS's threat 
intelligence offering provided via iSight Partners. Many States also 
participate in ALBERT, a joint program between MS-ISAC and DHS which 
brings an EINSTEIN-based, cyber-traffic monitoring system to the 
States.
    In my State, in addition to participating in the information 
sharing through MS-ISAC and utilizing ALBERT, Emergency Management 
Deputy Commissioner and State Homeland Security Advisor, William Shea, 
and I co-chair a cybersecurity task force whose membership includes a 
diverse mix of stakeholders including higher education, law 
enforcement, public utilities, private businesses, and others. We meet 
regularly to discuss the latest threat and vulnerability information 
because we know that information sharing is key to cultivating a 
culture of information security and is a best practice to which States 
should conform.
    In the realm of response and recovery, States are also showing 
maturity.--State CIOs are expected to play a role in helping State 
governments respond to and recover from natural and man-made disasters. 
According to the 2015 State CIO Survey, the top 3 functions for which 
State CIOs were responsible are maintaining a robust, reliable, and 
secure infrastructure; coordinating with other State officials; and 
restoring communications services.
    When riots broke out in and Baltimore, Maryland, Governor Larry 
Hogan declared a state of emergency. Maryland's CIO organization, led 
by Secretary of Information Technology David Garcia, assisted with the 
swift deployment of ``Maryland First Responders Interoperable Radio 
System Team (FIRST),'' the State-wide radio communications equipment 
for first responders and stood up a website, ``Maryland Unites'' to 
which State and local leaders could direct members of the affected 
community. They also worked with public and private partners to reverse 
engineer Anonymous' attack on State networks. Information sharing was 
also helpful; officials in Missouri shared their experience with 
Maryland as they had faced a similar crisis. In ways like these, State 
CIOs are showing maturity in response in both the cybersecurity and 
emergency management fronts and especially when those two worlds 
collide.
    Recognizing that States could face a catastrophic emergency event 
that coincides with or is caused by a cybersecurity event, NASCIO has 
called on States to develop a cyber disruption plan and recently 
released the ``Cyber Disruption Response Planning Guide.'' [http://
www.nascio.org/Portals/0/Publications/Documents/2016/
NASCIO_CyberDisruption_040616.pdf] A cybersecurity disruption is 
defined as: ``an event or effects from events that are likely to cause, 
or are causing, harm to critical functions and series across the public 
and private sectors by impairing the confidentiality, integrity, or 
availability, of electronic information, information systems, services, 
or networks that provide direct information technology services or 
enabling and support capabilities for other services; and/or threaten 
public safety, undermine public confidence, have a negative effect on 
the state economy, or diminish the security posture of the state.'' A 
cybersecurity disruption differs from a cybersecurity incident which is 
limited in scope and impact.
    Examples of a cybersecurity disruption include: A cyber attack on 
the power grid which leads to a loss of power for a significant 
population; a cyber attack on water treatment and delivery leading to a 
loss of water supply to a significant population; a cyber attack on 
network capabilities leading to loss of communications which then 
hampers, interrupts, or prevents the operation of government and 
requires implementation of a continuity of operations plan; or a 
hurricane, flood, or other natural disaster that impairs or destroys 
key infrastructure assets that then precipitates the loss of 
connectivity over the internet or internal network.
    With these scenarios in mind, States like Michigan, taking the 
``whole community'' approach, convened State and local government 
representatives and private-sector critical infrastructure owners and 
operators to develop the Michigan Cyber Disruption Response Strategy, 
initially completed in 2013. Michigan's Cyber Disruption Response 
Strategy [https://www.michigan.gov/documents/cybersecurity/
Michigan_Cyber_Disruption_Response_Strategy_1.0_438703_7.pdf] provides 
a common framework to encourage a State-wide effort among public and 
private partners to defend Michigan's critical networks. Specifically 
the plan prompts critical infrastructure owners and operators to 
address: Data backup, disaster recovery/business continuity, halt key 
processes, equipment shutdown, log file, communications, and how to 
activate the cyber disruption response plan.
    States like the Commonwealth of Massachusetts, New Hampshire, and 
Rhode Island have taken a regional approach to cyber disruption 
planning, an effort supported by FEMA's Regional Catastrophic 
Preparedness Grant Program and Urban Areas Security Initiative (UASI) 
funding. In 2012, as part of the New England Regional Catastrophic 
Preparedness Imitative (NERCPI), these 3 States along with the city of 
Boston and Providence completed regional cyber disruption planning and 
created a Cyber Disruption Response Annex which outlines how cyber 
responders will support industrial control system (ICS) structure in 
each jurisdiction, how critical cyber incident information will be 
shared, and how IT organizations can support public safety and each 
other. NERCPI also created cyber disruption teams in each State and the 
city of Boston; these teams are comprised of experts from IT, emergency 
management and public safety and are responsible for coordinating 
resources and information during catastrophic events.
    As these previous examples exhibit, protection from cybersecurity 
attacks requires a ``team'' or ``whole community'' approach and a key 
partner to the States has been the U.S. Department of Homeland Security 
(DHS). States are heavy utilizers of DHS's cybersecurity-focused State 
and local programs including: ICS-CERT, FedVTE (virtual training 
environment), and cybersecurity advisors (CSA). Also, Federal programs 
like ``CyberCorps: Scholarship for Service'' allow qualifying students 
to serve in an IT assurance role with a Federal, State, or local 
government after graduation; this helps shore the IT security workforce 
gap that all States are facing.
    The Federal Government, principally through DHS, has and hopefully 
will continue to provide support for successful cybersecurity programs. 
There is, however, another way the Federal Government could aid in 
enhancing States' ability to identify, protect, detect, respond, and 
recover--by harmonizing Federal security requirements.
    When States receive Federal funds, they are required to certify 
that certain security measures are in place; this is mandated by the 
Federal Information Security Management Act (FISMA). CIOs and CISOs 
must also comply with a variety of Federal regulations, typically 
promulgated in a silo-ed fashion. Some of the Federal regulations with 
which our community must comply include: IRS Publication 1075, FBI-
Criminal Justice Information Services (FBI-CJIS), the Health Insurance 
Portability and Accountability Act (HIPAA), social security 
administration security standards, Family Educational Rights and 
Privacy Act (FERPA), Office of Child Support Enforcement (OCSE) 
security requirements, the Center for Medicare and Medicaid Services' 
Minimum Acceptable Risk Standards for Exchanges (MARS-E), among others.
    The overarching goal of these regulations is data/information 
security. Knowing that the vast majority of States are utilizing 
National standards like those issued by NIST, the Federal Government 
could lessen the regulatory burden on States by harmonizing Federal 
requirements especially since most if not all of these regulations 
share a common security goal.
    Cybersecurity is an issue that will only become more complex as we 
enter an age where the Internet of Things will become more prominent 
and technology like unmanned aerial systems (UAS), body-worn cameras, 
and cloud adoption are a norm. New technologies will require State 
governments to constantly assess security vulnerabilities as citizens 
demand consumer-level technology services to be deployed on a whole-of-
Government or enterprise basis. Given this background, the Congress and 
Federal agencies should continue to partner with State CIOs and CISOs 
when reviewing or promulgating new data security laws or regulations to 
ensure that the goal of security is achieved without undue burden or 
redundancy.
    Thank you for opportunity to testify today on this critical issue.

    Mr. Donovan. Thank you, Mr. Raymond.
    The Chair now recognizes Mr. Galvin for 5 minutes.

  STATEMENT OF ROBERT GALVIN, CHIEF TECHNOLOGY OFFICER, PORT 
              AUTHORITY OF NEW YORK AND NEW JERSEY

    Mr. Galvin. Good morning, Chairman Ratcliffe, Chairman 
Donovan, Ranking Member Payne, and Members of the 
subcommittees. Thank you for this opportunity to discuss 
strategies for strengthening our Nation's cybersecurity.
    Since December 2013, it has been my privilege to serve the 
Port Authority of New York and New Jersey as its chief 
technology officer. The Port Authority builds, operates, and 
maintains infrastructure critical to New York and New Jersey 
transportation and regional trade. These facilities include 
America's busiest airport system, including JFK, LaGuardia, and 
Newark Liberty International Airports, the World Trade Center, 
the PATH rail transit system, 6 tunnels and bridges between New 
York and New Jersey, the Port Authority Bus Terminal, Hudson 
River ferries, and marine terminals.
    For more than 90 years, the Port Authority has worked to 
improve the quality of life for more than 18 million people who 
live, work, and visit New York and New Jersey metropolitan 
region.
    Safety is the No. 1 priority across all of the authority's 
locations. Technology touches virtually all of our operations 
so the secure and reliable functioning of our computing assets 
is vital to public safety.
    In our limited time, I would like to briefly discuss 3 
areas in which I believe the Federal Government can assist 
technology professionals in addressing cyber threats. These 
areas are communication, readiness, and public education. In 
the realm of communication, events like today's public hearing 
play a valuable role. Government and technology leaders need to 
work together to create safe forums to discuss prevention 
strategies and deconstruct cybersecurity incidents. Through the 
avenues of improved communication, best practices can be shared 
across many organizations to the benefit of the whole.
    Turning now to readiness. When I joined the Port Authority, 
the organization was in the planning stages of designing a 
comprehensive cybersecurity program. We adopted a framework, 
the NIST 800-53, which was developed by a joint task force of 
people from the National Institute of Standards and Technology, 
DOD, Department of Homeland Security, intelligence community, 
and Committee on National Security Systems. This was an 
invaluable tool saving us time and money as we put our 
cybersecurity program in place.
    I believe the Federal Government has a similar opportunity 
to assist organizations by coordinating regular drills, 
simulating large-scale cybersecurity events. Facilitating these 
exercises would allow those involved to understand whether they 
have the right procedures in place to respond effectively and 
to identify any deficiencies. At the Port Authority, our Office 
of Emergency Management conducts regular readiness drills 
simulating such things as active-shooter scenarios and aircraft 
emergencies. From these exercises, teams learn how to improve 
their response. Cybersecurity professionals can benefit from 
the same rigorous testing of our readiness.
    Like many organizations, the Port Authority invests 
resources to detect, prioritize, and examine suspicious 
activity on our computer networks. We also use strong, complex 
passwords across all mission-critical systems, restrict 
administrator access to only essential personnel, and staff a 
247 operations center to respond to alarms generated by our 
cybersecurity tools and alerts received from other agencies.
    But probably the single most important thing we do to 
improve our cybersecurity posture is to require all staff who 
access Port Authority computers to participate in mandatory 
cybersecurity training programs. Themes such as ``Think Before 
You Click on Email Links'' and ``Be Aware Before You Share on 
Social Media'' encourage people to contact our help desks and 
the operations center before they open questionable links and 
attachments.
    Education is essential. I believe the Federal Government 
can play a significant role in strengthening America's 
cybersecurity by sponsoring a National public education 
campaign to promote safe computing practices. In my experience, 
people are more likely to exercise good cyber hygiene if they 
understand the important role their individual actions play in 
keeping our computer network secure.
    In the physical world, we rely on the American public to 
see something and say something. We need to develop Nation-wide 
awareness and training programs to empower people to do the 
same in the realm of cybersecurity. I thank the committee and 
look forward to your questions.
    [The prepared statement of Mr. Galvin follows:]
                  Prepared Statement of Robert Galvin
                              May 24, 2016
                              about the pa
    The Port Authority of New York & New Jersey conceives, builds, 
operates, and maintains infrastructure critical to the New York/New 
Jersey region's trade and transportation network. These facilities 
include America's busiest airport system, including: John F. Kennedy 
International, LaGuardia, and Newark Liberty International airports, 
marine terminals and ports, the PATH rail transit system, 6 tunnels and 
bridges between New York and New Jersey, the Port Authority Bus 
Terminal in Manhattan, and the World Trade Center. For more than 90 
years, the Port Authority has worked to improve the quality of life for 
the more than 18 million people who live and work in New York and New 
Jersey metropolitan region.
I. It is important to keep the Authority up and running
    The Authority operates a diverse groups of facilities that can have 
both logistic and economic impacts that can reach across the globe if 
the facilities were to be shut down by a cyber attack. These facilities 
have implemented many different internet-based technologies to add 
efficiencies to how they operate. However, it is these technologies 
that make these facilities more vulnerable to cyber attacks.
II. The Authority relies of its supply chain to operate
    The Authority relies on its supply chain in 2 States (New York and 
New Jersey) in order to operate its facilities. Required resources are 
provided by multiple suppliers. If fuel cannot be provided, or if 
electricity is impacted in either State, the Authority cannot operate 
at full capacity. It is critical that these supply chains are resilient 
to cyber attacks and have resilient business continuity plans.
III. The Port Authority takes cybersecurity seriously and has an 
        evolving program
    The Port Authority takes cybersecurity very seriously. In 2012, the 
Authority conducted an audit of its cybersecurity posture, and as a 
result, immediately started to build a cybersecurity program. Working 
with a consultant to identify the requirements of our cybersecurity 
program, the authority decided to use the NIST SP 800-53 guidelines as 
a standard for organizing teams, and developing and implementing the 
program. Leveraging this existing standard created by a joint task 
force of NIST (National Institute of Standards and Technology), the 
Department of Defense, Department of Homeland Security, the 
intelligence community and the Committee on National Security systems 
saved The Port Authority time and effort we otherwise would have had to 
develop a framework implementing cybersecurity.
    The first step the Authority took to advance the cybersecurity 
program was to implement services from MS-ISAC (Multi-State Information 
Sharing and Analysis Center). MS-ISAC analyzes all the logs generated 
by our perimeter security tools and provides the authority visibility 
into potential indicators of compromise.
    The Authority built and staffs a 24x7 Cybersecurity Operations 
Center (CSOC) that responds to all of the alarms generated by our 
cybersecurity tools, and to alerts received from the agency partners 
and cybersecurity services.
    We created and manage a mandatory cybersecurity awareness and 
training program for all staff who access the authority's computing 
resources.
    Through this process, Port Authority developed and maintains strong 
partnerships with DHS, FBI, NYPD, NJSP, MS-ISAC (multi-State 
information sharing and analysis centers), US-CERT, and ICS-CERT. We 
continue to engage these agencies to perform vulnerability assessments 
and to assist with incident response. We also strengthened internal 
partnerships within the Port Authority between the Chief Security 
Office, Office of Emergency Management, Office of Inspector General and 
the Technology departments. Early on we recognized that no one team or 
group would have the total solution.
    From these efforts, the Port Authority has seen positive results, 
but much work remains to protect critical assets. The technology we put 
in place provides visibility into emerging threats and have shown 
results, such as the ability to detect and automatically block 90% of 
critical incidents. We continue to make improvements in our 
cybersecurity operations. Last year, we reduced our critical incident 
response time by one-third over the previous year.
    However, just as the technology sector continuously innovates, 
criminal organizations, nation-states, and hacktivists are also 
innovating their methods for exploiting vulnerabilities presented by 
new technologies, ``apps'', and new attack surfaces like the Internet 
of Things.
IV. The Port Authority's Biggest Cybersecurity Concerns
   Like many organizations, The Port Authority uses a large 
        number of ICS (Industrial Control Systems) to operate its 
        facilities, for example: tunnel ventilation systems, PATH Train 
        Control Systems and Airport Airfield Lighting Systems. Some of 
        these systems, if compromised, could cause loss of life. This 
        year, the Authority initiated a program to better understand 
        our vulnerabilities and properly patch and mitigate these 
        systems. But, it is an enormous task.
   In order to properly respond to a massive cyber attack or 
        the breach of a partner organization, the PA must be in 
        communication with partner organizations in real time and have 
        specific remediation actions or practices to follow. Today's 
        ISACs while useful, do not provide such real-time breach 
        notification. According to Verizon's 2015 Data Breach 
        Investigations Report, 75% of attacks spread from the first 
        victim to the second victim within 24 hours, and 40% spread 
        from the first victim to the second in 1 hour.
   In order to operate all these diverse facilities and 
        business functions, the Agency hires thousands of contractors. 
        These individuals have access to some of our most critical 
        systems. The Authority has recognized that insider threat is 
        potential attack vector.
   The Authority invests in resources and money to implement 
        cybersecurity tools. We have learned from telecommunications 
        carriers and cybersecurity service providers that it is 
        possible for aggressive nation-states to obtain these tools 
        through third parties and to reverse engineer them to determine 
        how these detection and prevention tools may be circumvented.
V. How can the Federal Government help?
   Education.--I think there is a clear role for the Federal 
        Government to play by launching a massive public education 
        campaign to practice ``Safe Computing''. The weakest link in 
        our cybersecurity chain is the end-user. Phishing scams, e-
        mails with links to malevolent sites are often the first step 
        toward a breach. Two-thirds of cybersecurity incidents that fit 
        a pattern of cyber-espionage feature phishing scams. (DBIR, 
        2015). Raising our internal education & awareness level was a 
        crucial step in improving the security posture at the Port 
        Authority. I think PSAs (public service announcements) to 
        inform the public about how technology works, responsible 
        measures such as good passwords, ``Think before your click'' 
        and other safe computing practices should be taught to the 
        American public, beginning in school.
   Communication.--Events such as today's, not built around an 
        incident or a breach, but a conversation between technology and 
        policy makers to reach understanding go a long way to help both 
        technologists and our Government make better decisions. 
        Government and technology leaders need to work together to 
        create safe forums to discuss prevention strategies and de-
        construct cybersecurity incidents. The Federal Government can 
        conduct in-depth reviews following an organizational breach, 
        similar to the investigations conducted following plane crashes 
        or what hospitals do after a medical mistake. These non-
        punitive approaches have been very successful improving airline 
        safety and in reducing medical mistakes in the hospitals and 
        emergency rooms--I would think it could have a significant 
        impact improving cybersecurity. The name of the breached 
        organization could be withheld, and the Federal Government can 
        inform agencies of findings and recommendations after 
        completing the review. Case studies provide more than technical 
        remediation requirements; they inform industry how to prevent 
        problems over the long term.
   Simulations.--The Federal Government can assist the PA and 
        related agencies by coordinating an exercise or drill 
        simulating a large-scale cybersecurity event. This drill would 
        allow the agencies to understand where our deficiencies lie, 
        and whether we have the right procedures and external 
        relationships in place to respond correctly. For example, the 
        operations of the Port Authority rely on several Federal 
        Agencies: The CBP (Customs & Border Protection), TSA, FAA. If 
        their systems were compromised, the impact on the Port 
        Authority would be substantial. if the TSA cannot perform pre-
        screening, we cannot board passengers, if the CBP cannot review 
        manifests, we cannot transport cargo, if the FAA air traffic 
        controllers are impacted, our regional airports can be shut 
        down. The operational stability of these Federal entities has a 
        direct impact on the Port Authority's ability to provide 
        services to the region. Post-drill, the Fed can assist the 
        agencies to ensure that their comprehensive cybersecurity 
        programs and resilient business continuity plans are complete 
        and coordinate with related agencies.
   Consider oversight of cybersecurity tool developers to 
        ensure their intellectual property is not compromised. The 
        Authority, like many public and private-sector organizations, 
        invests resources and money into their cybersecurity tools. If 
        aggressive nation-states obtained these same tools through 
        third parties and reverse-engineered them to determine how they 
        can be circumvented, the protection we seek from cybersecurity 
        tools would be lost. The tech industry and Federal Government 
        must work together to protect the intellectual capital that 
        represents the vanguard of our security apparatus for it to 
        operate effectively. The Federal Government may be able to 
        provide oversight of the developers of cybersecurity tools to 
        ensure that they are not sold to malicious third parties.
   Consider stopping the Federal Government's participation in 
        ``bug bounty'' programs which encourage grey hat hackers to 
        sell zero-day vulnerabilities to the highest bidder. The amount 
        governments are willing to pay for some vulnerabilities 
        inflates their value and creates a potentially lucrative 
        secondary market for trading vulnerabilities and may even 
        encourage programmers to `build in' vulnerabilities they can 
        later sell.
VI. Challenges related to planning for, and responding to, 
        cybersecurity
    The first challenge of planning for cybersecurity is the wide 
variety of threat scenarios an organization must plan for: Viruses, 
ransomware, hacktivists, nation-states, simple human error, Point-of-
Sale intrusion, payment card skimmers, web app attacks, denial-of-
service attacks, and cyber espionage.
    The second challenge is the size, configuration, and expanding 
nature of the attack surface: Internet presence (websites), internal 
network, desktops and servers, cloud-based software systems & file 
storage, public WiFi infrastructure, portable storage devices, VOIP 
systems, and the looming Internet of Things. This list includes the 
traditional boundary of the organization. However, we are seeing a 
common entry point into an organization being the subcontractors and 
consultants who bring equipment onsite or connect their organization's 
networks to provide services. The computing networks and infrastructure 
of suppliers who provide critical support services to an organization 
should be considered part of any organization's `attack surface' that 
could be exploited by a malevolent entity.
    Another challenge is the speed with which threats evolve and time 
required to detect a breach before damage can be done. This is often 
referred to the ``volume, velocity, and variation'' of malware. At a 
high level, there are approximately 5 malware events globally every 
second (170 million in 2015). Most of this is filtered out by an 
organization's firewalls and other cybersecurity technology, but half 
of all organizations discover malware during 35 or fewer days per year. 
This seems to align with `releases' of malware during specific periods, 
rather than all year long. As for variation, 70-90% of malware samples 
in 2015 were unique to the organizations in which they were found. This 
combination shows that adversaries are getting more sophisticated to 
overcome defenses and more targeted in their approaches.

    Mr. Donovan. Thank you, Mr. Galvin.
    I now recognize myself for 5 minutes for questions. Since 
each of us only has 5 minutes, I would like to give each of you 
an opportunity to answer. I think I would like to just ask the 
entire panel just one question and ask each of you to spend a 
minute on a response.
    States have constantly ranked their cyber capabilities the 
lowest among their core capabilities, and it makes sense that 
States would look towards the Federal Government for 
assistance. Each of you, in 1 minute, can you tell me--and some 
of you hit on it--declassification of information, training as 
we do it, active-shooter demonstrations we should do with cyber 
attacks. Could each of you just tell me what you think the No. 
1 priority of the Federal Government should be for each of the 
States to help them in securing their cyber terrorist 
capabilities?
    Mr. Ghilarducci. Mark Ghilarducci. Really, 2 areas: No. 1, 
information sharing is really critical here so that we are all 
on the same page with regards to the threat streams; and 
dedicated funding to implement that collective footprint or 
blueprint as we move forward working together to minimize the 
threat. There is no dedicated funding for cybersecurity. It 
needs to be raised on the priority scale.
    Mr. Donovan. Lieutenant Colonel.
    Mr. Cooney. In the post-9/11 environment, there was a 
tremendous amount of effort and time put together to create a 
structure and a network for counterterrorism, and that is, you 
know, the National network of fusion centers. I compare the 
cyber environment now to that environment then where, you know, 
we should leverage this structure that took so long to build, 
you know, to share this threat, this cyber threat information. 
I think, as I mentioned in my testimony, I think that is 
something that is there, we just need to take it a little 
further, and I think--if I had to name one thing, that would be 
my one topic.
    Mr. Donovan. Thank you, sir.
    General.
    Mr. Spano. Yeah, I would probably say the workforce is 
probably the biggest challenge and where the Federal Government 
can help. In that area, the States are really struggling, both 
to compete with industry, and so when they do hire cyber 
professionals, because, again, they are in such demand, it is 
hard to compete with industry who also is requiring and 
demanding and hiring of those cyber professionals.
    So looking at the catalyst of how to start in K through 12 
to get more interest in STEM, to look at the scholarship for 
service and how perhaps we can broaden that into other areas of 
not-for-profits and other businesses that surround critical 
security controls and critical infrastructures would be a clear 
role for the Federal Government to sort-of serve as a catalyst.
    I would say very closely to that would be tighten in the 
command and control in the apparatuses that link the State 
governments through the fusion centers, through the ISAC, to 
continue to strengthen the situational awareness that we 
present from the ISAC to DHS, which informs many National and 
international threats and actions and fusing that together and 
presenting it for National action. So they would be my 2 areas.
    Mr. Donovan. General, I suspect that one of your 
frustrations is that all of you train people who then 
eventually go onto industry.
    Mr. Spano. Yeah.
    Mr. Donovan. Yes. Mr. Raymond.
    Mr. Raymond. Thank you. Two areas: No. 1 is, I think, 
continuing to raise the recognition of cyber risks as equally 
as critical as physical infrastructure risk to our critical 
infrastructure. I think the second is to leverage--broader 
leveraging of funding that is available to the States for a 
variety of different directed programs; that if we could 
leverage that more broadly to address the cyber risk across the 
State, that would be tremendously beneficial to the States.
    Mr. Donovan. Thank you, sir.
    Mr. Galvin.
    Mr. Galvin. Chairman, thank you. So I outlined 3 in my 
opening remarks. If I had to narrow it down to--I could narrow 
it down to 2, which I think is in the area of readiness. I 
talked a little bit about coordinating cybersecurity simulation 
incidents. My intent there is really not so much to exercise 
the cybersecurity plans of each organization or agency, but to 
look at the coordination between agencies and organizations. 
For example, the Port Authority relies heavily on Customs and 
Border Protection and the FAA. But there is no one organization 
that is responsible for overseeing a coordinated response to a 
coordinated attack, which is a very high concern for me.
    The other I talked about is public education. So as a 
technology practitioner professional who has been working in 
the technical areas for 30 years, frankly, I don't know how 
most normal individuals who have training in other areas deal 
with the onslaught of technology that comes at them every day. 
We have all been trained as technology professionals in 
information access and security and control mechanisms and so 
on and so forth.
    Today, people buy WiFi devices, they come home, and they 
set them up. They buy televisions that interconnect with their 
WiFi networks and their cable systems. There are protections 
that you can use and leverage, but without some kind of a 
training plan, I don't know how people deal with it. I assume 
that what happens is most of them, if they don't have someone 
in their life that works in the technology sphere to come and 
help them set up, I think they take it out of the box, they 
plug it in, and if it works, they declare victory and they 
leave it until it breaks and they buy another one.
    So I think public education has a huge role in protecting 
individuals' information as well as the information at risk in 
organizations, because what we are seeing is social media being 
leveraged by people who are posing a threat in order to gain 
access to corporate and agency systems.
    Mr. Donovan. Thank you, sir. I thank you, all, for your 
testimony and sharing your expertise with us.
    The Chair now recognizes the gentleman from New Jersey, Mr. 
Payne, for questions.
    Mr. Payne. Thank you, Mr. Chairman.
    Just on Mr. Galvin's last question, I resemble some of 
those remarks. I was the relative back in the 1980s that hooked 
everyone's VCR up. So I went around to all my aunts and uncles 
and that was my job for a while, so I understand what you are 
saying in terms of that.
    I will stay with you, Mr. Galvin. You know, like 
California, we in New Jersey have established a State 
cybersecurity and communications integration cell with the goal 
of bringing together diverse stakeholders, promote State-wide 
awareness and local cyber threats and wide-spread adoption of 
cybersecurity best practices.
    In your opinion, is New Jersey cybersecurity cell carrying 
out its mission effectively? What is it doing well and what 
should it be doing better?
    Mr. Galvin. Great. Thank you.
    One thing I want to make clear is that, you know, the work 
of securing our information assets and ensuring the reliable 
function of our systems is performed by a, in my organization, 
a hardworking staff of technology and security professionals, 
and also in our partners' agencies. I am truly fortunate to 
work with such a talented and dedicated set of public servants. 
I assume that other members of the panel have a similar 
experience.
    This is a team effort. You know, we recognized early on 
putting our cybersecurity program together that there was no 
one group or individual that was going to have the total 
solution. So we have developed strong partnerships with New 
Jersey CISC, New York CIG, New Jersey State Police, NYPD, FBI, 
DHS, the MS-ISAC, US-CERT, and ICS-CERT, and we continue to 
engage with those agencies to perform vulnerability assessments 
and to assist with incident response.
    Likewise, we also, in this process of putting our 
cybersecurity program together, strengthen internal 
partnerships between the chief security office, which the Port 
Authority is responsible for the PAPD, the Office of Emergency 
Management, the Office of Inspector General, and the technology 
departments. So it's definitely a coordinated team approach 
that--I think you said it very well, Mr. Ghilarducci, that it 
is a team solution.
    Mr. Payne. So you feel that you are breaking through the 
silos of these different entities and working together to 
better assess these threats?
    Mr. Galvin. We do. We spent time--I assume this will 
probably be a question--breaking down the NIST 853 framework, 
and we did a RACI diagram--responsible, accountable, consulted, 
and informed--to identify who was in the lead for each of the 
different tasks. It was a very lengthy exercise, but it was 
extremely valuable to us in helping put our plan together.
    Mr. Payne. Thank you.
    Mr. Ghilarducci, every year the National Preparedness 
Report reveals that of the 32 core capabilities, States are 
least confident in cybersecurity. At the same time, States 
invest very little of their homeland security grant funds into 
improving that cybersecurity capability. Why do you think that 
is?
    Mr. Ghilarducci. Well, I think that part of it is because 
really the emphasis from DHS to States, to the State 
administrative agents or to the HSAs that are doing the 
investment justifications, are not necessarily clear.
    The whole concern about cyber, as has been stated here, 
really isn't fully yet understood. This is an evolving threat. 
It is getting more complex. It is getting worse as the days go 
on. I think that we, as DHS and the States, really we need to 
catch up with the fact that this threat is not going away.
    So once the DHS--and of course Congress--allocate funding 
specifically targeted towards the cyber threat, I think that 
then you will start to see States start to implement more of 
that capability.
    Now, I would say that just this year, I, as the SSA, went 
into our investment justification and broadened the investment 
justification to include cybersecurity and countering violent 
extremism to be able to push down to local grant recipients at 
other State agencies and local governments so that they could 
utilize what funds they do have and repurpose those funds. But, 
as you know, funds are pretty limited as they are, and it is 
hard to sort-of move one thing to start working on the other. 
So it is a constant prioritization and reprioritization issue.
    Mr. Payne. Thank you.
    Mr. Chair, I will yield back.
    Mr. Donovan. The gentleman yields.
    The Chair now recognizes the gentleman from Texas, Mr. 
Ratcliffe, for questions.
    Mr. Ratcliffe. Thank you, Mr. Chairman.
    Earlier, I guess the end of last year, we passed an 
information-sharing bill in this Congress aimed at improving 
our ability to timely share cyber threat indicators.
    I want to start with you, General Spano. How would you 
characterize the quality of the information flow that the MS-
ISAC has with the NCCIC?
    Mr. Spano. I would say that the quality, I believe, as 
representative and testified by FBI and other DHS of 
information that we provided from monitoring State networks, is 
very high quality, and it is fused. We have representatives 
from the MS-ISAC that sit on the NCCIC floor as liaison, so 
they are very integrated into that mission.
    Mr. Ratcliffe. So is that how you give feedback in terms of 
what information you are getting that is valuable?
    Mr. Spano. The feedback of what we provide comes from our 
analysis within the MS-ISAC from our monitoring mission. So, 
for instance, 2015, we analyzed 3 trillion records and provided 
56,000 alerts, sifting through all of those that were 
actionable for the States, but we also fed into the NCCIC for 
further analysis and fusing with other sources of intelligence.
    We have supported FBI investigations with some of our 
analysis of what we have seen at the State level. So the 
conduit and the function and the command and control has been 
working extremely well based upon the maturity of the ISAC 
mission and its capabilities year over year.
    Mr. Ratcliffe. Okay. So I am pleased to hear that the 
sharing is going extremely well.
    Can you offer, would you offer anything to improve the 
efficiency or effectiveness?
    Mr. Spano. Again, what we provide is, I think, moving up in 
its intelligence. The processes are lean and getting better as 
we continue to strengthen that relationship. The challenges, I 
think, are more downward into the State levels, as I talked 
about with respect to some of the resources.
    Mr. Ratcliffe. Yes. You talked about the workforce being a 
challenge.
    Mr. Spano. Right.
    Mr. Ratcliffe. I think you characterized it as high-demand, 
low-density.
    So what can DHS do to create a workforce that is well-
trained and fully-equipped to respond to cyber threats?
    Mr. Spano. I don't know that it is any one responsibility 
or one responsibility of any single agency. I believe it is a 
collaborative effort at all levels--public, private, 
facilitated, encouraged by DHS. They have a number of programs 
that the ISAC implements to try to encourage younger students. 
We do a poster contest, and the CIS offers some summer camps to 
try to encourage it. There is a scholarship for service under 
the National Science Foundation, which is really important. We 
believe that looking at that and examining whether we can 
continue to do that.
    It is not any silver bullet that is going to solve this 
problem. It is a generational problem where if the pipeline at 
the K through 12 is not satisfying the growing demand, you are 
sort-of always chasing. Looking at it from a comprehensive 
perspective of how to ignite that STEM capability at all levels 
and then balancing the differences between the public and 
private partnerships, I think will help create a stop-gap with 
programs that are specific to workforce exercises, joint 
exercises, to raise awareness.
    Mr. Ratcliffe. All right. Thank you.
    Let me turn to you, Mr. Raymond. Last month I held a field 
hearing in my district where I got perspectives from fire 
chiefs and local law enforcement officials on how they are 
responding to cyber incidents. I want your perspective from the 
State, the NASCIO perspective.
    What is the greatest limitation out there right now for 
States in terms of defending their cyber networks? I guess part 
2 of that is, are there shared best practices that NASCIO is 
using to coordinate between State CIOs and local first 
responders and law enforcement?
    Mr. Raymond. Thank you for that question.
    I would say that the biggest challenge is the velocity of 
the threat and the changing threat. So continued improvement on 
providing information and actionable information as efficiently 
as it can be provided almost to machine-to-machine level to 
allow us to react will continue to allow the States to be able 
to defend as best we can. It does help with the workforce issue 
in many ways where we can have our machines responding on our 
behalf.
    In terms of working out with the field, NASCIO has put out 
over 31 different publications that are responsible or 
intending to work with both the education aspects, so making 
sure that our leaders understand how important cyber, is all 
the way to practitioners. We have over a 100-page cyber guide 
and a set of information for State information security 
officers on best practices that we have assembled across the 
States to help them as they are new to these rules. We do have 
turnover, that they can pick it up quickly and understand the 
very diverse environment that we have across all States.
    Mr. Ratcliffe. Terrific. Thanks very much.
    I appreciate you all being here and your testimony.
    My time has expired, so I will yield back.
    Mr. Donovan. The gentleman yields back.
    The Chair now recognizes the gentleman from Rhode Island, 
Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    I want to thank our panel here today. Your testimony was 
excellent, and I appreciate your work that you are doing in 
this field.
    Let me start, if I could, with Mr. Raymond and Mr. Galvin. 
Let's say that the State of Connecticut or the Port Authority 
has experienced what you, Mr. Raymond, in your testimony term a 
cyber disruption event. Whom do you call first?
    Mr. Raymond. For Connecticut, we actually have a cyber 
working group. So the homeland security adviser, Deputy 
Commissioner Bill Shea, and I work closely with this. Our first 
call is to the fusion center and then to MS-ISAC in terms of 
coordinating our events. We pull together a cyber response team 
that includes both homeland security and my office in terms of 
dealing with the response.
    Mr. Langevin. Okay.
    Mr. Galvin. For our organization, we have a cybersecurity 
operations center that would likely be the initial point of 
contact or the discovery point for a potential incident. We 
would assess as much as possible the depth of the breach before 
reaching out. But we would certainly contact MS-ISAC. Usually 
they find out the same time we do. If we identify that the 
breach involves personally identifiable information or 
something of that sort, we would initiate a call to the FBI.
    Mr. Langevin. Okay. Thank you.
    As a follow-up, Colonel Cooney and Mr. Ghilarducci, as 
individuals with emergency management roles, whom do you 
recommend New Yorkers or Californians call in the event of a 
disruption event?
    Mr. Cooney. For us it depends on the nature, but, of 
course, I would say the NCCIC, the fusion center being 
collocated with the MS-ISAC, and then we would take it from 
there depending on the nature of it.
    Mr. Ghilarducci. As well, it depends on the nature. With 
this new integration center we built, this will be the central 
point where all information and reporting will flow into. If 
there is a criminal predicate associated with the intrusion, 
our State police that has a cyber crime investigation unit will 
sort-of take the lead and be supported by the rest of the 
entities that have come together in a collaborative way.
    But that is the process. Because the center also includes 
connections with DHS and FBI, they are right there with us, and 
then we can move on as rapidly as possible.
    Mr. Langevin. Do you all feel comfortable with knowing who 
in particular who to call at the Federal level and who would 
respond to you in the event of a cyber disruption event? I have 
found that that is something that is unclear to many, whether 
it is big businesses or even Government agencies. Are you all 
clear on that, and who would you call?
    Mr. Ghilarducci. Well, this is a question, I mean, we 
typically would turn to the FBI, DHS as information sharing. 
But the FBI would be working with us on the actual analysis of 
the intrusion. But the Secret Service also plays a role in it. 
So there is a little bit of a conflict there. But, typically, 
our next step is to go to the FBI.
    Mr. Langevin. Okay.
    Mr. Galvin. I think your point is well taken, though, that 
in the private sector I think there is less awareness of who to 
call. You have got a panel of people who work in Government and 
who spend time putting together cybersecurity program, so we 
more than anybody are going to know the right individuals to 
call.
    But I think you are correct that depending on the nature of 
the entity, particularly a privately-held organization, I am 
not sure they would know who to reach out to.
    Mr. Langevin. I think that is why we have to work at the 
Federal level here to help get the word out more. One of the 
first places to go, in addition to FBI, would also be the NCCIC 
or US-CERT to request Federal assistance.
    But, Mr. Raymond, if I could, in your testimony you mention 
that NASCIO recommends that the States have a cyber disruption 
response plan. I know you highlighted New Hampshire, 
Massachusetts, and my home State of Rhode Island. I know what 
we have been doing in Rhode Island, that our cyber disruption 
team that we have created has visited all the stakeholders at 
the table, emergency management people, State police. We have 
our colleges and universities, as well as the private sector at 
the table. It has really proven to be very effective at 
bringing the stakeholders to the table to plan for a response 
to a cyber disruption event.
    Is there a way for the Federal Government that we can 
encourage this type of approach?
    Mr. Raymond. I believe as it related to education and 
continuing to hold exercises, continuing to participate through 
homeland security and having the States describe their 
disruption plans, I think all of those encouragement points are 
very helpful in organizing States' response to incidents like 
that.
    Participation. NGA is holding a cyber policy academy for 
several States. Connecticut is one of those participating. That 
helps brings best practices across the States. I know that DHS 
is a good partner in that exercise as well.
    Mr. Langevin. Thank you all.
    I yield back.
    Mr. Donovan. The gentleman yields back.
    The Chair now recognize the Vice Chairman of the 
Subcommittee on Emergency Preparedness, Response, and 
Communications, the gentleman from North Carolina, Mr. Walker.
    Mr. Walker. Thank you, Mr. Chairman.
    Thank you, panel, for being here and the professional 
testimony. Very detailed, very important to us.
    Mr. Raymond, I have a question here. Two-part question, so 
I may break it up. How can the roles of information-sharing 
organizations such as MS-ISAC and ISAC be more strongly defined 
and effectively implemented?
    Mr. Raymond. I know that we actively work with MS-ISAC, and 
we find that it is fairly defined. I am not sure I understand 
how more strongly----
    Mr. Walker. Let me add a little more description. Should 
their responsibilities be strengthened to increase information-
sharing efficiency? Is that fair?
    Mr. Raymond. Yes. I believe the velocity of information 
sharing specifically across all players can be improved.
    Mr. Walker. Okay.
    General Spano, what efforts does the MS-ISAC take to gauge 
customer satisfaction with the States that they are engaging 
with?
    Mr. Spano. Sure. So we have an executive committee that is 
comprised of several of the representatives from the CISO's 
office and the security professionals. We have monthly calls 
with all the members. We have over a thousand members, although 
the 56 are the ones that we actively are pursuing monitoring 
with. We have an annual conference that they attend. We provide 
newsletters, efforts, the NCSR we manage on behalf of DHS to 
get their self-assessments to work. So it is a very strong and 
growing collaborative environment.
    Mr. Walker. In your testimony, I believe you described the 
value add of a State being a member of the MS-ISAC?
    Mr. Spano. Correct.
    Mr. Walker. What additional services or capabilities do you 
see the MS-ISAC being able to provide taking up the next 5 to 
10 years?
    Mr. Spano. The next 5 to 10 years, I believe that as we 
help solidify the basic hygiene of the security framework, such 
as the controls, as the foundations at the State level, and 
begin to help them evolve from the basics of just trying to 
keep their systems patched and configured correctly, I think 
the whole state or posture of cybersecurity will eventually 
begin to increase at a much more rapid pace. That is one 
specific area.
    As technology evolves to the Internet of Things and into 
the cloud environment, there may be a different dimension to 
cybersecurity that has not yet fully matured or evolved or is 
understood.
    Mr. Walker. Sure.
    Mr. Spano. So we have started to move out by offering those 
hardened images within Amazon Web Services, and we are talking 
to the other cloud providers like Microsoft to be able to 
provide the same type of hardened machine images in their cloud 
so that as the States begin to move toward cloud they can do it 
much more securely than they are now, because there are 
tremendous advantages and cost savings that could help fuel 
resources to help in the cybersecurity area.
    Mr. Walker. My next question was, what kind of steps do you 
see there to effectively get us there? But I think you just 
touched on some of that.
    Let me take, if I could, please, going back to Mr. Raymond, 
what do you currently see as the greatest limitation of the 
States' ability to defend just against the general cyber 
attacks? Can you speak to that for a second, talk about the 
problems there?
    Mr. Raymond. Different States are organized very 
differently. We a critical infrastructure provider from State 
data centers to State networks. I think if we look at sort-of 
the complexity of the business that we serve, from schools, 
libraries, in some instances hospitals, so the diversity of the 
population that we serve and that sort of discreet nature of 
how funding comes in, doesn't allow us to leverage things as 
broadly as we would like. So I would say that that is one of 
the primary challenges.
    Mr. Walker. Can I open that up to anybody else on the 
panel? I have got 57 seconds left. Anybody else want to touch 
on the States, sort-of the obstacles there?
    Mr. Spano. I think one of the bigger challenges that they 
have that makes implementing cybersecurity tougher is a more 
strategic problem in how software and applications are 
developed. So many of the software products are coming out of 
the box with inherent vulnerabilities, and I think they are 
poorly crafted and require a lot of lift to continue to sustain 
it.
    That is not going to be solved in any sweeping legislation, 
but it has to be addressed, because the competitive nature of 
providing software and services and applications to get the 
speed and agility that you need to compete means you are 
getting beta versions and you are a little bit sloppier in the 
production. The applications that you are building, even 
internally, to do specific things are oftentimes poorly crafted 
and have security vulnerabilities that tax your cyber 
professionals.
    Mr. Walker. My time has expired.
    Mr. Ghilarducci, you looked like you were in agreement 
there. Did you need to add anything to that?
    Mr. Ghilarducci. I would just say that cyber, what I call 
low-hanging fruit, just cyber hygiene training across the board 
can go a long way in making sure that State employees and State 
networks are as robust against attacks. That is one of the 
things that there is really not a lot of consistent and 
standardized training that is really made available, and I 
think that more of that would help a great deal.
    Mr. Walker. Thank you, Mr. Chairman.
    Mr. Donovan. The gentleman's time has expired.
    The Chair now recognizes the gentlewoman from New Jersey, 
Mrs. Watson Coleman.
    Mrs. Watson Coleman. Thank you, Mr. Chairman.
    Good morning, gentlemen. Thank you for your testimony.
    Mr. Galvin, frequently the first person to decide what to 
do in response to a cyber incident is not the CEO or even 
senior leadership, it is the operational personnel level and 
often physical security professionals who are vastly more 
comfortable protecting against physical threats than threats to 
a network.
    My question is: What are the most important relationships 
emergency responders should maintain with private-sector 
employees at all organizational levels?
    Mr. Galvin. It is a very good question, Congresswoman. 
Thank you for it.
    I think your observation is entirely accurate, that the 
person who is sitting at the facility overseeing operations is 
the person who is going to see the symptoms or the effects of a 
cyber attack first and foremost. I think there are several 
important relationships. One, within any organization, there 
has to be training to make sure that the person who is 
operating the facility is aware of what they should do in order 
to pick up the phone and contact, in our case our help desk or 
our CSOC, cyber security operations center.
    Then from there it goes from a technical professional who 
is going to field the call and take a look at the nature of the 
threat and make a determination as to whether this is an 
opportunistic thing that is just a latent incident that has 
been there active for a while versus something that is 
emergent. Then that person escalates it internally in our 
organization, and I would suspect that a lot of organizations 
are similar. There is a kind of a tiered operation that goes 
on. It goes to a second- or a third-level person in order to 
investigate and follow up further on.
    So I think the relationships are first and foremost between 
the operations personnel and the technical personnel, and then 
second is the escalation in the partnerships that happen within 
an organization as well as awareness as to where to escalate it 
further if the threat cannot be contained.
    Mrs. Watson Coleman. Thank you. This is a question I would 
like to start with you, Mr. Galvin, and then kind-of move on 
down as quickly as we possibly can. This has to do with sort-of 
just imagine a cyber Katrina.
    So our question is, I mean, if we fail to develop, 
implement, and train on doctrine to respond to a cyber event 
with physical or collateral consequences because it is 
something we have not seen before, then we will be inventing 
the wheel as we try to drive the car when we have these 
attacks. So my question is: From your perspective, what is the 
most important action the Federal Government can take to ensure 
that the communities can effectively respond to a cyber event 
of this nature?
    Mr. Galvin. Again, I think it relates to the readiness and 
the preparedness. We haven't really talked about this yet, but 
one of the things that keeps me awake at night, and I am sure 
it keeps a lot of CIOs awake, is industrial control systems or 
operational technology.
    So we have talked a little bit about IT systems and the 
fact that there is patching required. We are used to that as 
technology professionals--oh, there is a fix that came out. You 
know, Microsoft has patch Tuesday, and it has turned into cyber 
threat Wednesday, right? Because they release the 
vulnerability, people know about it, and they try to leverage 
it.
    But there is no analog to the operational technology world, 
the things that control lighting systems or fire alarm systems 
or ventilation systems or things of that nature, and those pose 
a real threat for us.
    I am sorry. I am getting lost in your question. But----
    Mrs. Watson Coleman. What do you see the Federal 
Government----
    Mr. Galvin. Yeah. So, again, I think it has to do with the 
preparedness, making sure that the plans are in place to 
respond and that there is coordination between organizations, 
not just within a single organization.
    Mrs. Watson Coleman. Thank you.
    Is there anyone else who would like to respond to this 
question?
    Mr. Raymond.
    Mr. Raymond. Thank you.
    I think continuing to sponsor and participate in exercises 
that allow the States to demonstrate their preparedness as 
Internet of Things continues to grow, unmanned vehicle systems, 
all of that will continue to get more complex. So being an 
important sponsor to allow us to play and work through these 
exercises in advance and think through them helps us really 
prepare for real events when they do occur.
    Mrs. Watson Coleman. Thank you. Thank you.
    One quick question, since we can't go down there. On a 
scale of 1 to 10 being the very best, how well are we doing in 
incorporating risk into emergency response plans and developing 
contingency operations?
    I should just probably give that to you, Mr. Ghilarducci. 
Did I slay that name?
    Mr. Ghilarducci. You did great. Thanks.
    Well, I appreciate the question, Congresswoman. We don't 
need to reinvent the wheel with regards to all-hazard planning. 
I mean, we have a national construct, a National Incident 
Management System, and having those capabilities in place to 
respond to the consequences, the cascading consequences of a 
cyber attack, should be reinforced and exercised and built 
upon.
    The delta or the challenge is that the traditional systems 
that we depend upon for communications and situational 
awareness may be actually impacted by a cyber attack. So we 
need to make sure we have continuity of operations redundancies 
put in place. This was an area where the Federal Government can 
support States. You want to leverage that public-private 
capability so that you are utilizing the most information you 
can get to be able to make the right decisions.
    So in your training and in your focus you need to also plan 
for--you know, don't just always plan for the technology is 
going to be operational. Start to do exercises and plans where 
you lose all that. How are you going to continue to 
communicate? How are you going to continue to get resources and 
get situational awareness in a timely way to make sure you 
protect lives and property?
    So those are some of the things. But it has to start with 
the construct of that all-hazards environment and our NIMS 
construct.
    Mrs. Watson Coleman. Thank you. Thank you very much.
    I yield back my time, even though I am over it.
    Mr. Donovan. The gentlewoman yields back the time that she 
doesn't have.
    We have a few more moments, and our panel travelled so far, 
I would just like to offer a second round of quick questions 
for my colleagues.
    I just would like to start. We spoke about your challenges, 
and each of you told us about the challenge of lack of 
resources, competing, the competition for talent with industry, 
the inability to share information because of its 
classifications.
    Would each of you just share with us what you think your 
biggest achievement is or your biggest success, without 
divulging trade secrets to our enemies, that maybe some of your 
colleagues would be able to piggyback on and use in their 
various environments?
    Mr. Ghilarducci. I will start. I guess two areas. Again, it 
continues to evolve for us, and we are working hard at it. But 
that is the establishment of a public-private nongovernmental 
academic cybersecurity task force to be able to share 
information and best practices and recommendations and ideas to 
help us as a State drive those ideas forward, and the 
establishment of this integrated cybersecurity fusion center, 
if you would, that collocates with our primary fusion center 
and our critical infrastructure protection team, they can come 
together and all be looking at similar threat streams together 
with an effort to be able to mitigate prior to the event 
actually having the greatest impact.
    So I think those are two areas. Then spinoffs from those is 
working with K through 12 and community colleges. We have 
actually implemented a cyber warrior program in California that 
has just taken off--I hate to use the word like wildfire, 
because we have a lot of those--but has really taken off in 
California. The cyber warrior program for high school students 
and community college students has really been well-received, 
and really we are trying to make that cyber warrior work for 
us.
    Mr. Donovan. Thank you, sir.
    Lieutenant Colonel.
    Mr. Cooney. I think it would be the establishment of our 
cyber analysis unit at our fusion center. I think we were 
fortunate to find the right people and the right mix between 
technical capability and the ability to do intelligence 
analysis. It has worked well for us in an area that, as I 
mentioned in my testimony, that when it comes to cyber 
intrusion and the intel up front in the prevention realm, this 
is still relatively new for us. We got into it in about 2014 
and so far we have made some good progress. So I would say if 
other States could emulate that, then they may find that 
beneficial.
    Mr. Donovan. Thank you, sir.
    General.
    Mr. Spano. Yeah, I would say that the success of the ISAC 
in terms of showing how public and private can come together to 
address an issue of such National importance. Within the ISAC, 
I probably would highlight our CERT function, which is probably 
one of the best, certainly, in the Nation. I would like to say 
that it is probably world-recognized in terms of its ability to 
conduct forensics and analysis for a plethora of customers, 
predominantly, of course, focused at the SLTT.
    Mr. Donovan. Thank you. Mr. Chairman.
    Mr. Raymond.
    Mr. Raymond. Thank you. One of the things that I think we 
are really proud of in Connecticut is that we have been sort-of 
baking telecommunications and networking into our incident 
response teams. So we have had several weather events over the 
past few years and through that it has become really critical 
that citizens rely on communication technology much more so 
than they ever had before.
    So we do have a response team associated with restoring 
commercial networks and communication structures. Having those 
relationships at the ready has allowed us to respond very 
quickly when Superstorm Sandy came and to be able to restore 
communications as much as possible.
    Mr. Donovan. Thank you, sir.
    Mr. Galvin.
    Mr. Galvin. Thank you. At the Port Authority, the 
technology, the policies, the procedures, and the personnel 
that we have put in place, we have been able to detect and 
automatically block 90 percent of the critical incidences that 
we can see on our network, and we have been able to reduce our 
critical incident response time by two-thirds in the past year.
    So we are proud of these things, but there is a lot of work 
that remains to protect our critical technology assets. As many 
people on the panel have already talked about and I won't 
repeat, the threat continues to evolve and the attack surface 
continues to expand with mobile devices and the emerging 
Internet of Things. So we are confident, but we are continuing 
to work diligently.
    Mr. Donovan. Thank you, sir.
    The Chair now recognizes the gentleman from New Jersey, Mr. 
Payne.
    Mr. Payne. Thank you, Mr. Chairman.
    Mr. Galvin, in your testimony you note that the Port 
Authority has undertaken an effort to better understand cyber 
vulnerabilities and address them. What is the biggest challenge 
in carrying out this task? What has the Port Authority learned 
in the process that might help other ports or critical 
infrastructure owners conduct a similar assessment?
    Mr. Galvin. Thank you very much.
    So I think the size of the task is enormous. We have 
approximately 690 applications to assess. I think the lesson 
that I would give to other organizations is to start now. It 
doesn't decrease in effort or size as time goes on, because 
there are new techniques, new technologies that every day get 
introduced into the organization whether or not you are aware 
of them. They do require an assessment.
    So it is a huge effort, and the limiting factor, I think, 
is the size of the staff and the ability of our organization to 
absorb what we learn.
    Mr. Payne. Thank you.
    Mr. Ghilarducci, you have observed that risk assessments 
used by some States do not adequately address the top cyber 
threats or systematic interdependencies. How can we help States 
better assess their cyber vulnerabilities? Should FEMA be 
improving the bureau guidance, or should the Federal Government 
be providing separate guidance on how to conduct cyber 
assessments more thoroughly?
    Mr. Ghilarducci. Well, the guidance, I mean, really, the 
standards for assessments that we are using really are the NIST 
standards. I think that we would all agree that a little bit 
more meat could be put on the bones around doing assessments 
that speak a little bit more to the various aspects of the 
emergency management or public safety spectrum.
    I know we are looking at networks, but when you look at the 
networks' vulnerabilities, we also need to think about in the 
long term what would be the consequences should we lose certain 
networks and sort-of play that out in a little longer bit way. 
So FEMA would be a good entity to be able to provide some 
additional guidance there.
    The other thing is DHS, through their protective service 
analysts that work with our critical infrastructure protection 
folks, they do provide some additional support, and we 
appreciate that. But we probably need to get some area 
associated with the cyber networks, particularly when looking 
at private sector, given that most of the infrastructure is 
owned by the private sector.
    We need to continue to work to link those together with 
regards to the assessment process, because sometimes 
information sharing is a little bit challenging, because of 
proprietary and competitive kind of issues, but we need to find 
a place that we continue to share information to strengthen our 
capability as much as possible.
    Mr. Payne. You also talked about States playing catch-up in 
developing a whole-of-the-government approach to cybersecurity 
and noted that even in California only 13 organizations have 
participated in the cyber hygiene partnership.
    Why do you think more agencies within the States are not 
participating? What can the Federal Government do to encourage 
improved buy-in for cybersecurity efforts among State and local 
agencies or even in the private sector?
    Mr. Ghilarducci. Well, I think maybe Mr. Raymond and others 
may be a little bit more to talk about the challenges in State 
government. I know for us it has been, I think, one, framing 
and understanding of the threat. It means different things to 
different people. We need to be more outgoing, external, like 
we do with a lot of other preparedness programs.
    This is where the Federal Government, through cyber hygiene 
initiatives and other kind of training opportunities to build 
that knowledge base as to what it means to sit at a device or 
get onto the internet and what kind of challenges you could be 
faced with with regards to threats. So training and education 
is one thing.
    The second piece is, I think because there is a lack of 
knowledge, particularly at the Executive level in making 
decisions on funding allocations for doing assessments, quite a 
few times it is, you know, because you don't understand it, it 
is not made as a priority as it should be.
    Let's face it, we as a collective country, and it is just 
across the board, are behind the power curve with regard to 
this threat. We all are working very hard collectively, but we 
do need to do more to step this up. You can't just say it is a 
priority, we need to put resources behind it to really and 
truly make it a priority. Just like we have done with other 
kinds of threats, whether it is natural or human-caused 
threats, we throw a lot of resources at that to make sure that 
we are in front of it and are effectively all knowledgeable 
about it.
    Mr. Payne. Okay.
    I yield back, Mr. Chairman.
    Mr. Donovan. The gentleman yields.
    The Chair recognizes the gentleman from Rhode Island, Mr. 
Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    I just want to go back to something we had talked about in 
terms of knowing who to call.
    Mr. Ghilarducci, maybe I have a question for you. I just 
wanted to follow up with a point that Mr. Galvin had made about 
the private sector knowing who to call.
    So just so I understand, so if PG&E has a cyber incident, 
do you recommend that they contact you or DOE or DHS first? Are 
you concerned about losing visibility if critical 
infrastructure providers go Federal first?
    Mr. Ghilarducci. We have the California Utilities Emergency 
Association, it is an entity that is funded and supported by 
all of the major utilities in California, embedding into your 
cyber integration center. It gives them that one sort of belly 
button, so to speak, to be able to make the call and open all 
of the contacts in a one-call sort-of format.
    It is challenging, I think, for them now because they do 
have a lot of people that they need to be reporting to. 
Inadvertently, what happens is that someone, some entity that 
needs to know what is going on falls through those cracks.
    The other thing is that, historically, there hasn't been a 
lot of desire, I guess, so to speak, to let too many people 
know what is going on because of demonstrating vulnerabilities 
that an organization may have.
    So by utilizing authorities and procedures that are being 
put in place through this integrated approach, it gives the 
utilities and the privates, the health industry similar kind of 
thing, a single belly button to make the call. We are all 
looking at it at the same time, and all of the required 
notifications can be made at one point.
    Mr. Langevin. Okay. Thank you.
    Yeah, I think that the point about being reluctant to 
share, by the way, we have got to work at getting over that, 
because, obviously, if one is vulnerable, everybody is 
vulnerable, and that is what, hopefully, information sharing 
will help to mitigate.
    You know, we have been talking a lot about assessments this 
morning, but equally important is not only knowing the 
vulnerabilities that may exist in your assets, in your systems, 
but also knowing the value of the data that you are holding.
    So for Mr. Spano, Mr. Raymond, in Rhode Island, where I am 
from, our Governor, Governor Raimondo, set up a cybersecurity 
commission to examine the State cyber posture. One of the 
biggest initial findings had to do with managers not 
understanding the value of the data or systems and their 
vulnerability to attack.
    Incidentally, this is the same problem that the Federal 
Government faced with the OPM attack, knowing that their 
systems were vulnerable, but also not understanding the value 
really of the data that they were responsible for protecting.
    In your experience, how well do State agencies, particular 
those that aren't focused on IT, understand their exposure and 
also the value of their data?
    Mr. Spano. The value question is hard to quantify other 
than to say that the question of the scope and standards of 
protection has been one that has been discussed and debated 
since sort-of the evolution of the internet into the challenges 
that we are facing today: What do I protect and how much 
protection is enough?
    We have got the full classification of systems. So I think 
there is a clear understanding of Secret, Top Secret. It is 
within that Unclassified regime of understanding personal 
identifiable information, HIPAA information. I think, by and 
large, there is a rudimentary understanding at sort-of the 
basic masses of employees that deal in those environments and 
with that information.
    There are isolated and pockets of excellence where managers 
are being trained in how to deal with HIPAA and identify PII, 
but by and large it is a challenge with educating your existing 
workforces against the basic cyber threats and the basic 
protections that they can do, as well as sort-of the 
identification of what that value is of information.
    Mr. Langevin. Okay. Thank you.
    Mr. Raymond.
    Mr. Raymond. I think that the States' response--it has been 
my experience that there are sort-of 2 buckets, right? One is 
for those who have regulated data, whether it is HIPAA, 
protected medical information, FERPA data, IRS, those 
organizations are very much aware of the value of the 
information that they have.
    I think for those that have nonregulated data but that may 
be important to protect, I think that the reliability of--or 
the awareness of what they have and the importance to protect 
it may be a little bit less.
    I know in Connecticut we have a data classification policy 
that makes you look at what data you have and how valuable it 
is in terms of treating it for data sharing or at least 
protecting, and I think having that kind of approach for all 
States can really raise that visibility level that you 
describe.
    Mr. Langevin. Very good.
    Thank you, Mr. Chairman. I yield back.
    Mr. Donovan. The gentleman yields back.
    The Chair now recognize the gentlewoman from Texas, Ms. 
Jackson Lee.
    Ms. Jackson Lee. Let me thank the Chair for his courtesies. 
Let me acknowledge the Chair and Ranking Member sitting, 
wearing many hats, Mr. Payne, to the full committee Chair and 
the full committee Ranking Member. We have overlapping 
committees, and I just came out of the Judiciary Committee, so 
I thank you for your courtesies.
    This is a very important hearing, which is one of the 
reasons I did the mad dash, because I chaired this committee 
when it was the Transportation and Infrastructure Committee, 
which included all of the Nation's technological networks. I 
remember visiting water and sewer plants and seeing the 
openness and the expanse and wondering what potential terrorist 
act or manipulation of the technology dealing with it. I just 
came back from Silicon Valley, and they are pleading for 
individuals who can code or to write code.
    So I want to offer to you some thoughts. Obviously, you 
have not looked at it, but I have a bill, H.R. 53, 
Cybersecurity Education and Federal Workforce Enhancement, 
which is to target in and focus in on building up the workforce 
for the Federal Government, dealing with technology. Also H.R. 
60--one is H.R. 53 dealing with education--H.R. 60, the 
National Guard Act to develop a civilian force that can be 
activated in the event of a major cyber attack or event.
    Now, if we were domestic, we know that we have NORTHCOM 
that would rise up and be part of dealing with any attack to 
the United States in a very massive way. I pushed NORTHCOM to 
be engaged on State and local. But this is technology, this is 
a cyber attack.
    So if you can answer the question, the importance of 
building the workforce, and as well the importance of having 
well-experienced individuals for a massive attack that deals 
with infrastructure, such as water and sewer, such as our 
electrical grid, and the one that I live with every day, the 
petrochemical industry, which is highly automated at each stage 
of the process through energy extraction, transportation, 
processing, and distribution. As you well know, that is an arm 
of the movement of the economy in this Nation.
    So if you could answer those, I would appreciate it. I will 
listen to you. Thank you. Is there someone who wants to take--
thank you.
    Mr. Raymond. I think education and workforce are incredibly 
important for us being able to respond. I would just add one 
comment. Specifically around the Guard and Guard response, I 
think that as it relates to us being able to have and retain 
workforce, because many of these folks are highly trained 
individuals and they can gain higher salaries in the private 
sector, having that capability of applying that in the event it 
happens at a State level is important.
    We do work very closely. We have a monthly cyber meeting 
where members of the Guard participate in that for awareness 
capabilities. So it is one sort of creative way for the States 
to be able to utilize that capability and bring those skills to 
bear.
    Ms. Jackson Lee. Thank you.
    Mr. Galvin. I have a comment as well.
    Ms. Jackson Lee. Thank you. I appreciate it.
    Mr. Galvin. I think there are several different skills that 
are involved in doing incident response in cybersecurity. They 
not all of them require coding skills. I think the ability to 
think creatively, to think on your feet, to stay calm under 
pressure, I think those are all important skills that don't 
necessarily require coders.
    On the other side, after an incident is detected and you 
are trying to figure out how to protect yourself in the future 
from similar attacks, because the nature of cybersecurity 
events is you have something that is novel and that is unique, 
and then you have multiple copies of it replicated with slight 
variations. So if you can protect yourself against one, you can 
kind of replicate the protection going forward. That is where 
you need a coder, a skill, someone who can take apart the 
threat or at least work with someone who can take it apart, 
because these are getting increasingly more complex as time 
goes on.
    I think the other thing that you brought up was having a 
well of individuals to respond in the event of an attack on the 
grid or water systems or other such critical infrastructure is 
extremely important. Frankly, I think you have to talk to the 
operations people who would oversee the facilities to talk 
about what kind of staff those people are. If it is an attack 
on the grid, they are not IT people, because we don't function 
when there is no electricity.
    So the question is really back to your response plan, and 
back in the day when a lot of us did initial kind of major 
systems implementations, there was always the plan, like, what 
happens if we are not going to go live and we have to go back 
to the old system? That was an old product that was dusted off.
    So we have to go back and start looking at having those 
kinds of plans in place. Like, if the payroll system goes down, 
you go back to writing checks and doing things like that. So we 
need to start thinking about that in the face of these kinds of 
very major attacks on electrical infrastructure, for example.
    Ms. Jackson Lee. Let me pursue, if I could--thank you for 
that. I think it is important to emphasize calmness, 
creativity, and thinking on your feet. But this whole concept 
of code, what I gleaned from Silicon Valley, they are looking 
at it from one perspective, we don't have enough individuals 
Nation-wide. Maybe you would comment. I want to be able to see 
a far reach to be able to have those that can take apart a 
threat, which I believe that we are susceptible to.
    So anyone want to comment on building that code, coding and 
coders, body of infrastructure in the human resource?
    Mr. Spano. Yeah, we talked about that a little bit earlier 
in terms of sort-of the urgency or the burning platform of it 
is a challenge to look at this problem as we have and other 
challenges where capacity could solve it. The challenges we 
face in cyber are challenges of complexity. Capacity can't 
solve a complexity issue, so we have to think about it in a 
much different way.
    The workforce is not a simple fix of just going out and 
trying to figure out how you are going to compete with the 
availability. It is how do you produce a pipeline where there 
is zero unemployment?
    That starts back from K through 12 and STEM and getting 
much more interest in those areas at a much younger age, 
encouraging colleges and universities to develop more 
curriculum and more degrees. It is tied to loan forgiveness and 
scholarship for service beyond that to encourage them to move 
into those areas.
    So it has to be comprehensive and looked at across a 
broader spectrum of time.
    Ms. Jackson Lee. Yes, sir.
    Mr. Ghilarducci. Thanks for the question. I think it is a 
good one. I agree with everything that has been said.
    I think it is important that we sort-of understand kind-of 
talking about pre-event and post-event. Really the pre-event is 
where you need that workforce multiplier, those folks that are 
the coders, the folks that are going to interdict and mitigate 
prior to the event actually taking place.
    The consequences of power outages or a dam release or 
something where there is infrastructure impact, our systems 
that are in place currently for consequence management need to 
be leveraged, and those are the ones that are going to be 
responding to the consequences. Unless there is an on-going 
series of cyber attacks, the attack itself may be done once and 
then you have got now a resulting series of consequences that 
you have to deal with.
    The key thing, I think, is really in the pre-event phase, 
is trying to have that workforce. You mentioned the National 
Guard. I think the National Guard across the States is a model, 
a good model, that could be utilized for building real-time 
capabilities, where in the case of California there are a lot 
of people that work in Silicon Valley, actually, or in the IT 
industry, that are also guards men and women, and they bring 
them in on State Active Duty and be able work on the cyber 
topic. But they give you a workforce multiplier that you can 
continue to build upon.
    But that is not exclusive, mutually exclusive, to the need, 
as the general was saying, in building out workforce from the 
high school level moving forward.
    So I think that it is important that we think about it from 
the standpoint of, what do we have to prevent, interdict, and 
mitigate to minimize the impact? Then our consequence managers, 
the people who are going to respond, we need to train them with 
an understanding that, unlike a wildfire or earthquake, you may 
be operating in an environment with no IT, no situational 
awareness through the computer network, and you may have to go 
back to pen and paper to be able to get the job done. Those are 
the things that I think are important to understand.
    Ms. Jackson Lee. I want to thank the Chairman for his 
indulgence. If I can just, as I close, I would cite the 
petrochemical industry as one that argues for all that you 
said.
    Anybody just want to comment on that?
    Just because these industries are dealing not only with 
technology, but they are dealing with chemicals, it is just a 
combination that you need this holistic viewpoint.
    Mr. Spano. I think that is shared across finance, health 
care, electricity, and other critical infrastructures equally 
as well. Some are at varying levels of maturity in their 
thought, strategy, and execution.
    Ms. Jackson Lee. Well, let me say that I could listen to 
the experts that are here quite more extensively, but let me 
say that I am hoping to move these bills and also reviewing 
something called COIN technology--you may not have heard of 
it--or may have heard of it--that is supposed to be dealing 
with the bigger picture that you all are looking at.
    Being on this committee for so long, I will just say that 
when we started, we knew that 80 percent of the infrastructure, 
which includes all that you are speaking about, was in the 
private sector. It may have gone up now, maybe 85 percent. So 
we know what our work is, and we know what our work is going 
forward, and this is a very important hearing for collaboration 
between Government and the private sector.
    I thank you to the Chairman and Ranking Member, and I yield 
back.
    Mr. Donovan. The gentlewoman yields back.
    I thank the witnesses for their valuable testimony and the 
Members for their questions. The Members of the subcommittees 
may have some additional questions for the witnesses. We will 
ask you to respond to these in writing. Pursuant to the 
Committee Rule VII(E), the hearing record will be held open for 
10 days.
    Without objection, the subcommittee stands adjourned.
    [Whereupon, at 12:03 p.m., the subcommittees were 
adjourned.]

                                 [all]