[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]



 
                 EXAMINING DHS'S CYBERSECURITY MISSION

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 3, 2017

                               __________

                           Serial No. 115-30

                               __________

       Printed for the use of the Committee on Homeland Security

        Available via the World Wide Web: http://www.govinfo.gov

                               __________

                   U.S. GOVERNMENT PUBLISHING OFFICE

 28-419 PDF                 WASHINGTON : 2018
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800
  Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 20402-001


                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Lou Barletta, Pennsylvania           William R. Keating, Massachusetts
Scott Perry, Pennsylvania            Donald M. Payne, Jr., New Jersey
John Katko, New York                 Filemon Vela, Texas
Will Hurd, Texas                     Bonnie Watson Coleman, New Jersey
Martha McSally, Arizona              Kathleen M. Rice, New York
John Ratcliffe, Texas                J. Luis Correa, California
Daniel M. Donovan, Jr., New York     Val Butler Demings, Florida
Mike Gallagher, Wisconsin            Nanette Diaz Barragan, California
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
                   Brendan P. Shields, Staff Director
                 Steven S. Giaier, Deputy Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Thomas A. Garrett, Jr., Virginia     Val Butler Demings, Florida
Brian K. Fitzpatrick, Pennsylvania   Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex officio) (ex officio)
             Kristen M. Duncan, Subcommittee Staff Director

                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................     4
  Prepared Statement.............................................     6
The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Committee on Homeland 
  Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Oral Statement.................................................     9
  Prepared Statement.............................................    10

                               Witnesses

Mr. Christopher Krebs, Senior Official Performing the Duties of 
  the Under Secretary, National Protection and Programs 
  Directorate, U.S. Department of Homeland Security:
  Oral Statement.................................................    12
  Joint Prepared Statement.......................................    14
Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and 
  Communications, National Protection and Programs Directorate, 
  U.S. Department of Homeland Security:
  Oral Statement.................................................    18
  Joint Prepared Statement.......................................    14
Ms. Patricia Hoffman, Acting Assistant Secretary, Office of 
  Electricity Delivery and Energy Reliability, U.S. Department of 
  Energy:
  Oral Statement.................................................    20
  Prepared Statement.............................................    22

                                Appendix

Questions From Chairman Michael T. McCaul for Christopher Krebs..    41
Questions From Chairman John Ratcliffe for Christopher Krebs.....    41
Questions From Chairman Michael T. McCaul for Jeanette Manfra....    42
Questions From Chairman John Ratcliffe for Jeanette Manfra.......    42


                 EXAMINING DHS'S CYBERSECURITY MISSION

                              ----------                              


                        Tuesday, October 3, 2017

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:04 a.m., in 
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
(Chairman of the subcommittee) presiding.
    Present: Representatives Ratcliffe, McCaul, Garrett, 
Fitzpatrick, Donovan, Katko, Richmond, Thompson, Demings, and 
Langevin.
    Mr. Ratcliffe. The Committee on Homeland Security's 
Subcommittee on Cybersecurity and Infrastructure Protection 
will come to order. First of all, I am sure I speak for all of 
us here on the dais in expressing our deepest condolences to 
all of the family members and all of the victims of yesterday's 
tragedy in Las Vegas.
    Events like the one yesterday really demand the utmost 
humanity in response to such blind hate and evil, and hopefully 
it will give us all a renewed sense of purpose today as we 
approach the tasks of the day.
    The subcommittee is meeting today to receive testimony 
regarding the Department of Homeland Security's cybersecurity 
mission. I recognize myself for an opening statement.
    We are here today at the start of National Cybersecurity 
Awareness Month to discuss what I believe is one of the 
defining public policy challenges of this generation, the 
cybersecurity posture of the United States.
    We have seen cyber attacks hit practically every sector of 
our economy, with devastating impacts to both Government 
agencies and the private sector alike. It is our shared duty to 
ensure that we are doing our very best to defend against the 
very real threat our cyber adversaries are posing.
    But make no mistake. The cybersecurity challenges we face 
are about much, much more than simply protecting bottom lines 
or intellectual property or even our Nation's most Classified 
information. They also impact the personal and often 
irreplaceable information of every American.
    This year we have seen on a grand scale just how much 
damage can be done by a single individual or entity looking to 
conduct a cyber attack. The Equifax breach shows that it takes 
only one bad actor and only one exploitable vulnerability to do 
something to compromise the information of 145 million 
Americans. This is not the first cyber attack that has garnered 
National attention, and unfortunately it almost assuredly will 
not be the last.
    As the members of this panel and as our witnesses here 
today know well, there is no silver bullet or guaranteed 
technology to fix the cybersecurity problem. Rather, we need to 
be part of an on-going, sustained, dedicated, persistent, and 
comprehensive campaign to ensure the United States remains the 
world's cybersecurity superpower.
    We will continue to need a sharp work force, collective 
efforts in public-private partnerships and the leadership of 
our Government agencies to leverage our resources and to 
counter our highly sophisticated cyber adversaries.
    Today, the subcommittee meets to hear from the Government 
officials that are charged with meeting these cyber threats. 
These are the folks on the front lines day in and day out.
    DHS is the Federal Government's lead civilian agency for 
cybersecurity, and within it, the National Protection and 
Programs Directorate, or NPPD, leads our National effort to 
safeguard and enhance the resilience of our Nation's physical 
and cyber infrastructure, helping Federal agencies and, when 
requested, the private sector harden their networks and respond 
to cybersecurity incidents.
    NPPD partners with critical infrastructure owners and 
operators and other homeland security enterprise stakeholders 
to offer a wide variety of cybersecurity capabilities, such as 
system assessments, incident response and mitigation support, 
and the ability to hunt for malicious cyber activity.
    This collaborative approach to mitigating cyber incidents 
is meant to prioritize meeting the needs of DHS's partners, and 
is consistent with the growing recognition among Government, 
academic, and corporate leaders, that cybersecurity is 
increasingly interdependent across sectors and must be a core 
aspect of all risk management strategies.
    This committee has been working hard to ensure that NPPD 
and DHS in its entirety has the necessary authorizations and 
organization it needs to combat growing cyber threats. DHS 
needs a strong and sharp work force and an efficient 
organizational structure to support both its cybersecurity and 
its infrastructure protection missions.
    Earlier this year, the committee marked up and passed H.R. 
3359, the Cybersecurity and Infrastructure Security Agency Act 
of 2017, to reorganize and to strengthen NPPD.
    As the cyber threat landscape continues to evolve, so 
should DHS. In doing so, H.R. 3359 is the tool that we will use 
to bring NPPD to a more visible role in the cybersecurity of 
this Nation.
    As a committee and as a Congress, we have taken important 
steps in the right direction with legislation on information 
sharing, on modernizing the Federal Government's information 
technology, and in getting our State and local officials the 
cybersecurity support that they need.
    Some of these programs have been years in the making. Real-
time collaboration between the Government and the private 
sector is a lofty and worthwhile goal. Through the automated 
indicator-sharing program, or AIS, DHS has been partnering with 
industry to create and enhance that broader information-sharing 
environment, and we have made progress in the right direction.
    While we know that proactive information sharing is only as 
good as the information being provided, that type of 
relationship can only be made possible with a strong foundation 
of trust.
    I am looking forward to a robust discussion today, not only 
about how the Department can be best organized and equipped to 
ensure that we are leveraging the resources of the Federal 
Government toward this immense challenge, but also how the 
Government can forge and grow the necessary partnerships to 
achieve the greater cybersecurity for our Nation.
    We have to get this right, because new technologies, the 
internet of things, driverless cars, artificial intelligence, 
and quantum computing are all rapidly evolving. So we need to 
be securing at the speed of innovation and not at the speed of 
bureaucracy. We are in an era that requires flexibility, 
resiliency, and discipline, and I hope that I will hear those 
values operationalized in the forthcoming testimony.
    Cyber space plays an increasingly dominant role in the 
fabric of the American society, and it will take continued 
collaboration across the public, private, international, and 
domestic spaces, to keep making the advancements needed to 
prioritize cybersecurity for our country.
    I know this is a responsibility that everyone on this 
subcommittee takes extraordinarily seriously, and I look 
forward to the discussion today with our witnesses.
    [The prepared statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                            October 3, 2017
    We are here today, at the start of National Cybersecurity 
Awareness Month, to discuss what I believe is one of the defining 
public policy challenges of our generation--the cybersecurity posture 
of the United States. We have seen cyber attacks hit practically every 
sector of our economy with devastating impacts to both Government 
agencies and the private sector alike--and it's our shared duty to 
ensure we're doing our best to defend against the very real threat our 
cyber adversaries pose.
    But make no mistake--the cybersecurity challenges we face are about 
much, much more than simply protecting bottom lines, or intellectual 
property, or even our Nation's most Classified information. They also 
impact the personal, often irreplaceable information, of every 
American.
    This year, we've seen--on a grand scale--just how much damage can 
be done by a single individual or entity looking to conduct a cyber 
attack. It may take only one bad actor and only one exploitable 
vulnerability to do something such as compromise the information of 143 
million Americans.
    This is not the first cyber attack that's garnered National 
headlines, and unfortunately--it almost assuredly will not be the last.
    As the members of this panel and as our witnesses here today know 
well, there is no silver bullet or guaranteed technology to ``fix'' the 
cybersecurity problem. Rather, this is part of an on-going, sustained, 
and comprehensive campaign to ensure the United States remains the 
world's cybersecurity superpower.
    We will continue to need a sharp workforce, the collective efforts 
in public-private partnerships, and the leadership of our Government 
agencies to leverage our resources and counter our highly sophisticated 
cyber adversaries.
    Today, this subcommittee meets to hear from the Government 
officials charged with meeting these cyber threats. These are the folks 
on the front lines day in and day out.
    DHS is the Federal Government's lead civilian agency for 
cybersecurity, and within it, the National Protection and Programs 
Directorate, or NPPD, leads our National effort to safeguard and 
enhance the resilience of the Nation's physical and cyber 
infrastructure, helping Federal agencies and, when requested, the 
private sector harden their networks and respond to cybersecurity 
incidents.
    NPPD partners with critical infrastructure owners and operators and 
other homeland security enterprise stakeholders to offer a wide variety 
of cybersecurity capabilities, such as system assessments, incident 
response and mitigation support, and the ability to hunt for malicious 
cyber activity.
    This collaborative approach to mitigating cyber incidents is meant 
to prioritize meeting the needs of DHS partners, and is consistent with 
the growing recognition among Government, academic, and corporate 
leaders that cybersecurity is increasingly interdependent across 
sectors and must be a core aspect of risk management strategies.
    This committee has been working hard to ensure that NPPD--and DHS 
in its entirety--has the necessary authorizations and organization it 
needs to combat growing cyber threats.
    DHS needs a robust workforce and an efficient organizational 
structure to support both its cybersecurity and infrastructure 
protection missions.
    Earlier this year, this committee marked up and passed H.R. 3359--
the Cybersecurity and Infrastructure Security Agency Act of 2017 to 
reorganize and strengthen NPPD.
    As the cyber threat landscape continues to evolve, so should DHS, 
and in doing that, H.R. 3359 is the tool we'll use to bring ``NPPD'' to 
a more visible role in the cybersecurity of this Nation.
    As a committee, and as a Congress, we have taken important steps in 
the right direction with legislation on information sharing, 
modernizing the Federal Government's information technology, and in 
getting our State and local officials the cybersecurity support they 
need.
    Some of these programs have been years in the making.
    Real-time collaboration between the Government and the private 
sector is a lofty and worthwhile goal. Through the Automated Indicator 
Sharing program, or AIS, DHS has been partnering with industry to 
create and enhance that broader information-sharing environment--and 
we've made progress in the right direction.
    While we know that proactive information sharing is only as good as 
the information being provided, that type of relationship can only be 
made possible with a strong foundation of trust.
    I'm looking forward to a robust discussion today, not only about 
how the Department can be best organized and equipped to ensure that we 
are leveraging the resources of the Federal Government toward this 
immense challenge, but also how the Government can forge and grow the 
necessary partnerships to achieve greater cybersecurity for our Nation.
    We have to get this right because new technologies--the internet of 
things, driverless cars, artificial intelligence, and quantum 
computing--are rapidly evolving.
    We need to be securing at the speed of innovation--not of 
bureaucracy.
    Because we are in an era that requires flexibility, resiliency, and 
discipline and I hope I will hear those values operationalized in the 
forthcoming testimony.
    Cyber space plays an increasingly dominant role in the fabric of 
our society, and it will take continual collaboration across the 
public, private, international, and domestic spaces to keep making the 
advancements needed to prioritize cybersecurity for our country.
    I know this is a responsibility that everyone on this subcommittee 
takes extraordinarily seriously, and I look forward to the discussion 
today with our witnesses.

    Mr. Ratcliffe. The Chair now recognizes the Ranking 
Minority Member of the subcommittee, the gentleman from 
Louisiana, Mr. Richmond, for his opening statement.
    Mr. Richmond. Thank you, Mr. Chairman.
    Good morning. I am pleased that we are kicking off 
Cybersecurity Awareness Month by talking to the Department of 
Homeland Security about its cybersecurity mission and how 
Congress can help ensure DHS is well-positioned to protect 
critical infrastructure from cyber attacks.
    Before I begin, however, I would like to send my 
condolences to the families of the victims of Sunday night's 
horrific shooting. To the survivors, you are in our thoughts 
and prayers. To the brave first responders who ran into danger 
when everyone else was running away from it, we are grateful.
    The Democrats on this committee have said this before, but 
it bears repeating. At some point, we are gonna have to come 
together and enact sensible gun legislation. As the Congressman 
representing New Orleans, I cannot sit silently as the 
President insults the hurricane survivors of Puerto Rico and 
the San Juan mayor who is trying to help them.
    I have been through Katrina, and I know what it is like 
when you are at your most vulnerable moment and you have lost 
everything. What you are looking for is assistance because it 
is beyond your capacity to respond to a storm of that 
magnitude.
    So having seen the people grieve the loss of their homes 
and businesses and struggle to piece their lives back together, 
I can tell you that the last thing the people in Puerto Rico 
and the Virgin Islands need are insults. I urge the President 
to take a break from Twitter, roll up his sleeves and get to 
work.
    Turning to the issue at hand, as I mentioned, I represent 
New Orleans, which has significant energy sector assets. Last 
month, we heard disturbing reports of a new wave of efforts to 
breach energy sector networks in the United States.
    According to Symantec, in some cases, hackers achieved 
unprecedented access to operational systems. In light of these 
reports, I am interested to know how the Department of Homeland 
Security and the Department of Energy are working together to 
secure energy sector networks and make them more resilient.
    Additionally, as a Member of this committee and the 
Congressional Task Force on Election Security, I am eager to 
hear about DHS's activities to secure our election systems.
    Although the administration's commitment to the critical 
infrastructure designation appeared to waver earlier this year, 
I was encouraged when acting Secretary Duke told committee 
Democrats last month that there are no plans to rescind the 
designation.
    With that comment, I look forward to hearing about the 
progress DHS is making to help State and local governments 
secure election infrastructure and whether the Department has 
adequate resources to carry out its responsibilities in that 
space.
    For example, I understand there is a 9-month wait for a 
risk and vulnerability assessment and that some Secretaries of 
State have complained about the lengthy clearance process for 
election officials. I am concerned that these kinds of 
challenges may deter some States, particularly those hostile to 
the critical infrastructure designation, from taking full 
advantage of the resources DHS can bring to bear.
    To that point, DHS has struggled to build some of the 
relationships necessary to executing its election security 
mission. Although I have heard that DHS is making progress in 
this regard, I am concerned mistakes made notifying certain 
Secretaries of State that their election infrastructure had 
been targeted, though it had not been, may have undermined the 
trust that DHS has sought to build.
    I would be interested in learning, what do you need from 
Congress to address election infrastructure requests more 
quickly and build trust with the election infrastructure 
community?
    Finally, when Ms. Manfra testified before the subcommittee 
in March, I asked when I could expect the DHS cybersecurity 
strategy. The strategy required pursuant to legislation I 
authored was due March 23. It still has not been submitted to 
Congress.
    I understand the Trump administration did not fill 
leadership positions relevant to the execution of DHS 
cybersecurity strategy with any real sense of urgency and on-
going vacancies may be contributing to the delays. But the 
strategy is 6 months overdue, and that is not acceptable.
    With that, Mr. Chairman, I yield back the balance of my 
time.
    [The prepared statement of Ranking Member Richmond 
follows:]
             Statement of Ranking Member Cedric L. Richmond
                            October 3, 2017
    I am pleased that we are kicking off cybersecurity awareness month 
by talking to the Department of Homeland Security about its 
cybersecurity mission and how Congress can help ensure DHS is well-
positioned to protect critical infrastructure from cyber attacks.
    Before I begin, however, I would like to send my condolences to the 
families of the victims of Sunday night's horrific shooting in Las 
Vegas. To the survivors, you are in our thoughts. To the brave first 
responders who ran into danger when everyone else was running away from 
it, we are grateful.
    The Democrats on this committee have said this before, but it bears 
repeating: At some point, the Majority is going to have to stand up to 
the gun lobby and enact responsible gun control legislation.
    And, as the Congressman representing New Orleans, I cannot sit 
silently as the President insults the hurricane survivors of Puerto 
Rico and the San Juan Mayor who is trying to help them.
    Having seen people grieve the loss of their homes and businesses 
and struggle to piece their lives back together, I can tell you the 
last thing the people of Puerto Rico need are insults from the 
President. I urge the President to take a break from Twitter, roll up 
his sleeves, and get to work.
    Turning to the issue at hand, as I mentioned, I represent New 
Orleans, which has significant energy sector assets. Last month, we 
heard disturbing reports of a ``new wave'' of efforts to breach energy 
sector networks in the United States. According to Symantec, in some 
cases, hackers achieved unprecedented access to operational systems.
    In light of these reports, I am interested to know how the 
Department of Homeland Security and the Department of Energy are 
working together to secure energy sector networks and make them 
resilient.
    Additionally, as a Member of this committee and of the 
Congressional Task Force on Election Security, I am eager to hear about 
DHS's activities to secure our election systems.
    Although the administration's commitment to the critical 
infrastructure designation appeared to waver earlier this year, I was 
encouraged when Acting Secretary Duke told committee Democrats last 
month that ``[t]here are no plans'' to rescind the designation.
    With that commitment, I look forward to hearing about the progress 
DHS is making to help State and local governments secure election 
infrastructure and whether the Department has adequate resources to 
carry out its responsibilities in that space.
    For example, I understand there is a 9-month wait for a Risk and 
Vulnerability Assessment and that some Secretaries of State have 
complained about the lengthy clearance process for election officials. 
I am concerned that these kinds of challenges may deter some States--
particularly those hostile to the critical infrastructure designation--
from taking full advantage of the resources DHS can bring to bear.
    To that point, DHS has struggled to build some of the relationships 
necessary to executing its election security mission. Although I have 
heard that DHS is making progress in this regard, I am concerned 
mistakes made notifying certain Secretaries of State that their 
election infrastructure had been targeted--though it had not been--
may have undermined the trust DHS has sought to build.
    I will be interested in learning what you need from Congress to 
address election infrastructure requests more quickly and build trust 
within the election infrastructure community.
    Finally, when Ms. Manfra testified before the subcommittee in 
March, I asked when I could expect the DHS Cybersecurity Strategy. The 
strategy, required pursuant to legislation I authored, was due March 
23. It still has not been submitted to Congress.
    I understand the Trump administration did not fill leadership 
positions relevant to the execution of a DHS Cybersecurity Strategy 
with any real sense of urgency, and on-going vacancies may be 
contributing to the delays. But the strategy is 6 months overdue, and 
that is not acceptable.

    Mr. Ratcliffe. I thank the gentleman.
    The Chair now welcomes and recognizes the Chairman of the 
full committee, my colleague from Texas, Mr. McCaul, for any 
opening statement that he might have.
    Chairman McCaul. Thank you, Chairman Ratcliffe.
    I also would like to extend my thoughts and prayers to the 
victims and family members of the horrifying tragedy in Las 
Vegas. I am hopeful that as Americans we can come together and 
prevent such violence from happening in the future.
    I am pleased to be here at this important hearing today, 
with our distinguished guests here at this hearing. America's 
National security is threatened by Islamist terrorists, 
tyrannical regimes building and proliferating weapons of mass 
destruction, human traffickers, and transnational gang members 
like MS-13 who stream across our border.
    These threats are well-known, and we need to do everything 
we can to stop them as we see them coming. However, we also 
find ourselves in the crosshairs of invisible attacks and 
sustained cyber war from nation-states and other hackers.
    As we become more and more reliant on computers and 
smartphones in both our personal and professional lives, 
everyone is a potential target. Sadly, many of us have already 
been victims.
    Over the past few years, we have seen many successful 
large-scale cyber attacks take place. In early September, 
hackers were able to breach Equifax, a credit reporting agency, 
gaining access to sensitive information on as many as 143 
million people.
    In 2016, we know that Russia tried to undermine our 
electoral system and democratic process, and in 2015, we 
learned that China stole over 20 million security clearances, 
including mine, and probably some here at this dais. These 
kinds of violations are simply unacceptable.
    I am proud to say that over the last few years this 
committee, the Committee on Homeland Security, has recognized 
these threats and has led the charge in the Congress to 
strengthen the defense of our Nation's networks.
    In 2014, we enacted several important bills and empowered 
DHS to bolster its work force, codified DHS's cyber center, and 
updated FISMA for the first time in 12 years. A year later, the 
Cybersecurity Act became law, which enhances information 
sharing and makes DHS the lead conduit for cyber threat 
indicators and defensive measures within the Federal 
Government.
    While information sharing has come a long way, the WannaCry 
ransomware attack recently illustrated just how important and 
beneficial these relationships are. Just last week, Rob Joyce, 
the cybersecurity coordinator at the White House, noted that we 
needed to find a way to provide the private sector with more 
expansive access to cyber threat information in a controlled 
setting, something I believe we need to strengthen.
    Moreover, issues relating to the sharing of Classified 
information with the private sector, like accrediting SCIF 
space, granting security clearances to key personnel and 
enabling consistent two-way communications are issues we are 
looking at closely.
    In other words, we have made great progress in the way 
indicators are shared. But I want to examine if we can do more 
regarding the overall sharing of Classified information.
    Earlier this year, I was pleased to see President Trump 
issue an Executive Order to strengthen the cybersecurity of 
Federal networks and critical infrastructure. Going forward, I 
am hopeful that the House can advance legislation that I have 
introduced to elevate NPPD as a stand-alone agency and better 
support the cybersecurity mission at DHS.
    This month is National Cybersecurity Awareness Month, a 
time to learn more about these threats and offer ideas on how 
we can best secure ourselves against these growing threats. 
While we have had some success on this issue, we must do more.
    Our cyber enemies, including terrorists, are always 
evolving, looking for new ways to carry out their next attack. 
Fortunately, this is an issue that I believe transcends party 
lines. It is not a Republican or Democrat issue. So let's work 
together to make our cybersecurity strong and keep the American 
people safe.
    Again, I would like to thank the witnesses for being here 
today, and thank you for your service. This is a very important 
component of the Department. Often, as I mentioned in my 
opening, we focus a lot on counterterrorism and the border, 
among other things. But I consider this mission that the 
Department has to be one of the most important that this Nation 
faces.
    So I look forward to the conversation on how Congress and 
the Executive branch can work together, and how we can work 
with leaders in the private sector to enhance the Nation's 
cybersecurity. So, with that I would like to yield back to the 
Chairman, and if I may, submit my questions for the record.
    [The statement of Chairman McCaul follows:]
                Statement of Chairman Michael T. McCaul
                            October 3, 2017
    Thank you, Chairman Ratcliffe. I would also like to extend my 
thoughts and prayers to the victims and family members of the 
horrifying tragedy in Las Vegas. I am hopeful that as Americans, we can 
come together and prevent such violence from happening again.
    America's National security is continually threatened by Islamist 
terrorists, tyrannical regimes building and proliferating weapons of 
mass destruction, and human traffickers and transnational gang members 
like MS-13 who stream across our border. These threats are well-known, 
and we need to do everything we can to stop them as we see them coming.
    However, we also find ourselves in the crosshairs of invisible 
attacks in a sustained cyber war from nation-states and other hackers. 
As we become more and more reliant on computers and smartphones in both 
our personal and professional lives, everyone is a potential target and 
sadly, many of us have already been victims.
    Over the past few years we have seen many successful large-scale 
cyber attacks take place. In early September, hackers were able to 
breach Equifax, a credit reporting agency, gaining access to sensitive 
information on as many as 143 million people.
    In 2016, we know that Russia tried to undermine our electoral 
system and democratic process and in 2015, we learned that China stole 
over 20 million security clearances including mine. These kinds of 
violations are simply unacceptable.
    I am proud to say that over the last few years, the Committee on 
Homeland Security has recognized these threats and led the charge to 
strengthen the defense of our Nation's networks.
    In 2014, we enacted several important bills that empowered DHS to 
bolster its work force, codified DHS's cyber center, and updated FISMA 
for the first time in 12 years. A year later, the Cybersecurity Act 
became law, which enhances information sharing and makes DHS the lead 
conduit for cyber threat indicators and defensive measures within the 
Federal Government.
    While information sharing has come a long way, the WannaCry 
ransomware attack recently illustrated just how important and 
beneficial those relationships are.
    Just last week Rob Joyce, the cybersecurity coordinator at the 
White House, noted that we need to find a way to provide the private 
sector with more expansive access to cyber threat information in a 
controlled setting; something I believe we need to strengthen.
    Moreover, issues relating to the sharing of Classified information 
with the private sector, like accrediting SCIF space, granting security 
clearances to key personnel, and enabling consistent two-way 
communication, are issues we are looking at closely.
    In other words, we have made progress in the way indicators are 
shared but I want to examine if we can do more regarding the overall 
sharing of Classified information.
    Earlier this year, I was pleased to see President Trump issue an 
Executive Order to strengthen the cybersecurity of Federal networks and 
critical infrastructure. Going forward, I am hopeful that the House can 
advance legislation that I have introduced to elevate NPPD as a 
stand-alone agency and better support the cybersecurity mission at DHS.
    This month is National Cybersecurity Awareness Month, a time to 
learn more about these threats and offer ideas on how we can best 
secure ourselves against these growing threats. While we have had some 
success on this issue, we must do more.
    Our cyber enemies, including terrorists, are always evolving, 
looking for new ways to carry out their next attack. Fortunately, this 
is an issue that transcends party lines. Let's work together to make 
our cybersecurity strong and keep the American people safe.
    I would like to thank today's witnesses for their time and their 
service. I look forward to our conversation about how Congress and the 
Executive branch can work together and also with leaders in the private 
sector to enhance our Nation's cybersecurity.
    I would also like to work with you, Chairman Ratcliffe, and our 
witnesses to bring our Members to the NCCIC before the end of the year 
to see the progress first-hand.
    Thank you.

    Mr. Ratcliffe. I thank the Chairman.
    The Chair now welcomes and recognizes the Ranking Minority 
Member of the full committee, the gentleman from Mississippi, 
Mr. Thompson, for his opening statement.
    Mr. Thompson. Thank you very much. Good morning. I would 
like to thank Chairman Ratcliffe and Ranking Member Richmond 
for holding today's hearing to examine the work DHS is doing to 
shore up our Nation's cyber defenses.
    There is no doubt that our country is facing an 
ever-evolving rate of cyber threats. As we stand here today, our 
enemies are thinking of new and novel ways to strike at 
everything from banks to hospitals and chemical facilities. 
Nefarious actors even want to disrupt some of our most basic 
institutions.
    Last year, we learned that our Nation's election system 
served as a new frontier for cyber attacks. With every passing 
day, we learn of new ways cyber operatives are looking to 
exploit everything from the media we consume to the databases 
that store voter registration data.
    In this country, there is nothing more sacred than the 
ability to engage in civic activity, and cyber criminals are 
seeking to undermine our democracy. Furthermore, as I watch the 
devastation unfold in Texas, Florida, Puerto Rico, and the 
Virgin Islands, I am reminded of the fragility of our systems.
    Disrupting the systems we rely on for power, fuel, food, 
and water, can be deadly, regardless of whether it is caused by 
a cyber attack or a natural disaster. In short, the digital 
networks we rely on for our day-to-day life are facing a 
multitude of threats. To respond to these threats, Congress has 
put its trust in DHS.
    Over the past few years, Congress, by way of this 
committee, has consistently expanded DHS's cybersecurity 
mission, giving the Department a key role in securing Federal 
networks, as well as the systems that support our Nation's 
critical infrastructure.
    The Department made huge strides in implementing these new 
authorities, including by standing up an automated system to 
share cyber threat data and advising the new election 
infrastructure subsector on how to promote cyber hygiene with 
election administrators throughout the country. We cannot, 
however, expect DHS to carry out these responsibilities with 
both hands tied behind its back.
    To be successful, the Department needs adequate resources, 
a robust staff, strong leadership and a clear strategy. 
Unfortunately, this administration has been gravely unfocused 
when it comes to cybersecurity.
    President Trump falsely promised to deliver a comprehensive 
plan to protect America's vital infrastructure from cyber 
attacks on the first day in office. It took months for the 
President to get around to issuing an Executive Order on 
cybersecurity.
    Also, a quarter of the 28-person National Infrastructure 
Advisory Council resigned in protest to President Trump's 
insufficient attention to cyber threats. President Trump 
floated the idea of an impenetrable cyber unit with Russia. At 
the same time, members of his administration were considering 
and ultimately deciding to ban the use of the Kaspersky 
products on Federal networks.
    Within DHS, the chief information officer resigned after 
serving only 4 months. The National Programs and Protection 
Directorate, the Department's main cyber arm, is still operating 
without a permanent under secretary.
    Whether the men and women in this room are willing to 
acknowledge, in an open setting, that they are struggling 
without this leadership, we can be certain that these gaps are 
making their job harder. I look forward to hearing from the 
panel today about how the Department is carrying out its cyber 
mission.
    I hope that you will be candid with us about the obstacles 
you face. If there are areas where you need additional 
resources or legislative clarity, tell us how we can help. I am 
especially eager to hear from Ms. Hoffman about how DHS works 
with one of its key partners in securing critical 
infrastructure, the Department of Energy.
    With that Mr. Chairman, I yield back.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                            October 3, 2017
    There is no doubt that our country is facing an evolving array of 
cyber threats. As we stand here today, our enemies are thinking of new 
and novel ways to strike at everything from banks to hospitals and 
chemical facilities. Nefarious actors even want to disrupt some of our 
most basic institutions.
    Last year, we learned that our Nation's election system served as a 
``new frontier'' for cyber attacks.
    With every passing day, we learn of new ways cyber operatives are 
looking to exploit everything from the media we consume to the 
databases that store voter registration data.
    In this country, there is nothing more sacred than the ability to 
engage in civic activity and cyber criminals are seeking to undermine 
our democracy.
    Furthermore, as I watch the devastation unfold in Texas, Florida, 
Puerto Rico, and the Virgin Islands--I am reminded of the fragility of 
our systems. Disrupting the systems we rely on for power, fuel, food, 
and water can be deadly, regardless of whether it's caused by a cyber 
attack or a natural disaster.
    In short, the digital networks we rely on for our day-to-day life 
are facing a multitude of threats. To respond to these threats, 
Congress has put its trust in DHS.
    Over the past few years, Congress--by way of this committee--has 
consistently expanded DHS's cybersecurity mission--giving the 
Department a key role in securing Federal networks as well as the 
systems that support our Nation's critical infrastructure.
    The Department made huge strides in implementing these new 
authorities--including by standing up an automated system to share 
cyber threat data and advising the new Election Infrastructure 
subsector on how to promote cyber hygiene with election administrators 
throughout the country.
    We cannot, however, expect DHS to carry out these responsibilities 
with both hands tied behind its back. To be successful, the Department 
needs adequate resources, a robust staff, strong leadership, and a 
clear strategy.
    Unfortunately, this administration has been gravely unfocused when 
it comes to cybersecurity. President Trump falsely promised to deliver 
``a comprehensive plan to protect America's vital infrastructure from 
cyber attacks'' on his first day in office. It took months for the 
President to get around to issuing an Executive Order on cybersecurity.
    Also, a quarter of the 28-person National Infrastructure Advisory 
Council resigned in protest of President Trump's ``insufficient 
attention'' to cyber threats.
    President Trump floated the idea of an ``impenetrable cyber unit'' 
with Russia at the same time members of his administration were 
considering--and ultimately decided--to ban the use of Kaspersky 
products on Federal networks.
    Within DHS, the chief information officer resigned after serving 
only 4 months, and the National Programs and Protection Directorate, 
the Department's main cyber arm, is still operating without a permanent 
under secretary.
    Whether the men and women in this room are willing to acknowledge, 
in an open setting, that they are struggling without this leadership--
we can be certain these gaps are making their jobs harder.
    I look forward to hearing from this panel today about how the 
Department is carrying out its cyber mission, and I hope that you'll be 
candid with us about the obstacles you face. If there are areas where 
you need additional resources or legislative clarity, tell us how we 
can help.

    Mr. Ratcliffe. I thank the gentlemen. Other Members of the 
committee are reminded that opening statements may be submitted 
for the record.
    We are pleased to have a distinguished panel of witnesses 
before us today on this very important topic. Mr. Christopher 
Krebs is the senior official performing the duties of the under 
secretary of the National Protection and Programs Directorate 
at the United States Department of Homeland Security. Great to 
see you today Mr. Krebs, and great to see you in your new roles 
at DHS.
    Ms. Jeanette Manfra is the assistant secretary for 
cybersecurity and communications in the National Protection and 
Programs Directorate at DHS. Also great to have you back before 
our subcommittee, Ms. Manfra.
    Finally, Ms. Patricia Hoffman is the acting assistant 
secretary for the Office of Electricity Delivery and Energy 
Reliability at the U.S. Department of Energy. Thank you for 
being here with us today.
    I would now like to ask the witnesses to stand and raise 
your right hand so that I can swear you in to testify.
    [Witnesses sworn.]
    Mr. Ratcliffe. Let the record reflect that each of the 
witnesses has answered in the affirmative. You may be seated. 
The witnesses' full written statements will appear in the 
record.
    The Chair now recognizes Mr. Krebs for 5 minutes for his 
opening statement.

STATEMENT OF CHRISTOPHER KREBS, SENIOR OFFICIAL PERFORMING THE 
DUTIES OF THE UNDER SECRETARY, NATIONAL PROTECTION AND PROGRAMS 
       DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Krebs. Chairman Ratcliffe, Ranking Member Richmond, 
Ranking Member Thompson, Members of the committee, good morning 
and thank you for today's hearing.
    In this month of October, we recognize National 
Cybersecurity Awareness Month, a time to focus on how 
cybersecurity is a shared responsibility that affects all 
Americans. The Department of Homeland Security serves a 
critical role in safeguarding and securing cyber space, a core 
Homeland Security mission.
    I want to begin my testimony by thanking the committee for 
taking action earlier this summer on the Cybersecurity and 
Infrastructure Security Agency Act of 2017. If enacted, this 
legislation would mature and streamline the National Protection 
and Programs Directorate, or NPPD, and rename our organization 
to clearly reflect our central mission. The Department strongly 
supports this much-needed effort and encourages swift action by 
the full House and Senate.
    NPPD's mission statement is clear. We lead the Nation's 
efforts to ensure the security and resilience of our cyber and 
physical infrastructure. We collaborate with other Federal 
agencies, State, local, Tribal, and territorial governments 
and, of course, the private sector.
    Our three goals are as follows: Secure and defend Federal 
networks and facilities; identify and mitigate critical 
infrastructure systemic risk; incentivize and broadly enable 
enhanced cyber and physical security practices. No question 
this is an expansive mission.
    As we meet today, I am proud to share with you the tireless 
efforts of so many at NPPD and in coordination with our 
interagency partners to accomplish this mission: The targeting 
of our elections, WannaCry, NotPetya, intrusions into energy 
and nuclear sector infrastructure, Harvey, Irma, Maria, 
soft-target attacks in London, Barcelona, Orlando, and most 
recently, Las Vegas.
    As threats to our critical infrastructure evolve and in 
many ways remain the same, our people are partnering with 
owners and operators across America. We are engaging the public 
to raise awareness because our security is truly a shared 
responsibility.
    Today's hearing is about DHS's cybersecurity mission. 
Earlier this year the President signed an Executive Order on 
strengthening the cybersecurity of Federal networks and 
critical infrastructure. This Executive Order set in motion a 
series of these assessments and deliverables to improve our 
defenses and lower our risks to cyber threats.
    DHS is organized around these deliverables by working with 
Federal and private-sector partners. We are emphasizing the 
security of Federal networks. Across the Federal Government, 
agencies have been implementing the industry standard NIST 
cybersecurity framework.
    Agencies are reporting to DHS and the Office of Management 
and Budget, or OMB, on their cybersecurity risk management and 
mitigation acceptance choices. DHS and OMB are evaluating the 
totality of these agency reports in order to comprehensively 
assess the adequacy of the Federal Government's overall 
cybersecurity risk management posture.
    In addition to our efforts to protect Federal Government 
networks, we are focused on how Government and industry work 
together to protect the Nation's critical infrastructure. We 
are prioritizing deeper, more collaborative public-private 
relationships and partnerships.
    In collaboration with civilian, military, and intelligence 
agencies, we are developing an inventory of authorities and 
capabilities. We are prioritizing entities at greatest risk of 
attacks that could result in catastrophic consequences. We 
commonly call this our Section 9 efforts.
    Before closing, let me also discuss our continued efforts 
to address cybersecurity risks facing our election 
infrastructure. Facing the threat of cyber-enabled operations 
by a foreign government during the 2016 elections, DHS and our 
interagency partners conducted unprecedented outreach and 
provided cybersecurity assistance to State and local election 
officials. Information shared included indicators of 
compromise, technical data, and best practices.
    Through numerous efforts before and after election day, we 
declassified and shared information related to Russian 
malicious cyber activity. These steps have been critical to 
protecting our elections, enhancing awareness among election 
officials, and educating the American public.
    The designation of election infrastructure as critical 
infrastructure provides a foundation to institutionalize and 
prioritize services and support. We are working with Federal, 
State, and local partners to develop information-sharing 
protocols and establish key working groups. Yet there is more 
to be done and we shall not waver.
    In the face of increasingly sophisticated threats, NPPD is 
focused on defending our Nation's critical infrastructure. The 
risks are complex and dynamic with interdependencies. 
Technological advances, such as the internet of things and 
cloud computing, have increased access and streamlined 
efficiencies.
    However, they also increase access points that could be 
leveraged by adversaries to gain unauthorized access to 
networks. As new threats emerge and our use of technology 
evolves, we must integrate cyber and physical risk in order to 
effectively secure our Nation. Expertise around cyber physical 
risk and cross-sector critical infrastructure interdependencies 
is where NPPD brings unique expertise and capabilities.
    Thank you for inviting me here today, and I look forward to 
your questions.
    [The joint prepared statement of Mr. Krebs and Ms. Manfra 
follows:]
   Joint Prepared Statement of Christopher Krebs and Jeanette Manfra
                            October 3, 2017
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the 
committee, thank you for the opportunity to be here today. In this 
month of October, we recognize National Cybersecurity Awareness Month, 
a time to focus on how cybersecurity is a shared responsibility that 
affects all Americans. The Department of Homeland Security (DHS) serves 
a critical role in safeguarding and securing cyber space, a core 
homeland security mission. The administration recognizes the 
committee's work to provide DHS with the authorities necessary to carry 
out this mission. The National Protection and Programs Directorate 
(NPPD) at DHS leads the Nation's efforts to ensure the security and 
resilience of our cyber and physical infrastructure. Earlier this year, 
this committee voted favorably on H.R. 3359, the ``Cybersecurity and 
Infrastructure Security Agency Act of 2017.'' If enacted, this bill 
would mature and streamline NPPD, and rename our organization to 
clearly reflect our essential mission and our role in securing cyber 
space. The Department strongly supports this much-needed effort and 
encourages swift action by the full House and the Senate.
    NPPD is responsible for protecting civilian Federal Government 
networks and collaborating with other Federal agencies, as well as 
State, local, Tribal, and territorial governments, and the private 
sector to defend against cyber threats. We endeavor to enhance cyber 
threat information sharing across the globe to stop cyber incidents 
before they start and help businesses and Government agencies to 
protect their cyber systems and quickly recover should such an attack 
occur. By bringing together all levels of government, the private 
sector, international partners, and the public, we are taking action to 
protect against cybersecurity risks, improve our whole-of-Government 
incident response capabilities, enhance information sharing on best 
practices and cyber threats, and to strengthen resilience.
                                threats
    Cyber threats remain one of the most significant strategic risks 
for the United States, threatening our National security, economic 
prosperity, and public health and safety. The past year has marked a 
turning point in the cyber domain, at least in the public 
consciousness. We have long been confronted with a myriad of attacks 
against our digital networks. But over the past year, Americans saw 
advanced persistent threat actors, including hackers, cyber criminals, 
and nation-states, increase the frequency and sophistication of these 
attacks. Our adversaries have been developing and using advanced cyber 
capabilities to undermine critical infrastructure, target our 
livelihoods and innovation, steal our National security secrets, and 
threaten our democracy through attempts to manipulate elections.
    Global cyber incidents, such as the ``WannaCry'' ransomware 
incident in May of this year and the ``NotPetya'' malware incident in 
June, are examples of malicious actors leveraging cyber space to create 
disruptive effects and cause economic loss. These incidents exploited 
known vulnerabilities in software commonly used across the globe. Prior 
to these events, NPPD had already taken actions to help protect 
networks from similar types of attacks. Through requested vulnerability 
scanning, NPPD helped stakeholders identify vulnerabilities on their 
networks so they could be patched before incidents and attacks occur. 
Recognizing that not all users are able to install patches immediately, 
NPPD shared additional mitigation guidance to assist network defenders. 
As the incidents unfolded, NPPD led the Federal Government's incident 
response efforts, working with our interagency partners, including 
providing situational awareness, information sharing, malware analysis, 
and technical assistance to affected entities.
    Historically, cyber actors have strategically targeted critical 
infrastructure sectors including energy, financial services, critical 
manufacturing, water and wastewater, and others with various goals 
ranging from cyber espionage to developing the ability to disrupt 
critical services. In recent years, DHS has identified and responded to 
malware such as ``Black Energy'' and ``Havex,'' which were specifically 
created to target industrial-control systems, associated with critical 
infrastructure such as power plants and critical manufacturing. More 
recently, the discovery of ``CrashOverride'' malware, reportedly used 
against Ukrainian power infrastructure in 2016, highlights the 
increasing cyber threat to our infrastructure.
    In one recent campaign, advanced persistent threat actors targeted 
the cyber infrastructure of entities within the energy, nuclear, 
critical manufacturing, and other critical infrastructure sectors since 
at least May 2017. In response, NPPD led the asset response, providing 
on-site and remote assistance to impacted entities, helping them evaluate 
the risk, and remediate the malicious actor presence. In addition, 
NPPD, the Federal Bureau of Investigation, and the Department of Energy 
(DOE) shared actionable analytic products with critical infrastructure 
owners and operators regarding this activity. This information provides 
network defenders with the information necessary to understand the 
adversary campaign and allows them to identify and reduce exposure to 
malicious activity. In addition, DHS has been working together with DOE 
to assess the preparedness of our electricity sector and strengthen our 
ability to respond to and recover from a prolonged power outage caused 
by a cyber incident.
                        cybersecurity priorities
    Earlier this year, the President signed Executive Order (EO) 13800, 
on Strengthening the Cybersecurity of Federal Networks and Critical 
Infrastructure. This Executive Order set in motion a series of 
assessments and deliverables to understand how to improve our defenses 
and lower our risk to cyber threats. DHS has organized around these 
deliverables, working with Federal and private-sector partners to work 
through the range of actions included in the Executive Order.
    We are emphasizing the security of Federal networks. Across the 
Federal Government, agencies have been implementing action plans to use 
the industry-standard Department of Commerce's National Institute of 
Standards and Technology Cybersecurity Framework. Agencies are 
reporting to DHS and the Office of Management and Budget (OMB) on their 
cybersecurity risk mitigation and acceptance choices. In coordination 
with OMB, DHS is evaluating the totality of these agency reports in 
order to comprehensively assess the adequacy of the Federal 
Government's overall cybersecurity risk management posture.
    Although Federal agencies have primary responsibility for their own 
cybersecurity, DHS, pursuant to its various authorities, provides a 
common set of security tools across the civilian Executive branch and 
helps Federal agencies manage their cyber risk. NPPD's assistance to 
Federal agencies includes: (1) Providing tools to safeguard civilian 
Executive branch networks through the National Cybersecurity Protection 
System (NCPS), which includes ``EINSTEIN'', and the Continuous 
Diagnostics and Mitigation (CDM) programs, (2) measuring and motivating 
agencies to implement policies, directives, standards, and guidelines, 
(3) serving as a hub for information sharing and incident reporting, 
and (4) providing operational and technical assistance, including 
threat information dissemination and risk and vulnerability 
assessments, as well as incident response services. NPPD's National 
Cybersecurity and Communications Integration Center (NCCIC) is the 
civilian government's hub for cybersecurity information sharing, asset 
incident response, and coordination for both critical infrastructure 
and the Federal Government.
    EINSTEIN refers to the Federal Government's suite of intrusion 
detection and prevention capabilities that protects agencies' 
Unclassified networks at the perimeter of each agency. EINSTEIN 
provides situational awareness of civilian Executive branch network 
traffic, so threats detected at one agency are shared with all others 
providing agencies with information and capabilities to more 
effectively manage their cyber risk. The U.S. Government could not 
achieve such situational awareness through individual agency efforts 
alone.
    Today, EINSTEIN is a signature-based intrusion detection and 
prevention capability that takes action on known malicious activity. 
Leveraging existing investments in the Internet Service Provider 
``ISP'' infrastructure, our non-signature based pilot efforts to move 
beyond current reliance on signatures are yielding positive results in 
the discovery of previously-unidentified malicious activity. DHS is 
demonstrating the ability to capture data that can be rapidly analyzed 
for anomalous activity using technologies from commercial, Government, 
and open sources. The pilot efforts are also defining the future 
operational needs for tactics, techniques, and procedures as well as 
the skill sets and personnel required to operationalize the 
non-signature-based approach to cybersecurity.
    State, local, Tribal, and territorial governments are able to 
access intrusion detection and analysis services through the 
Multi-State Information Sharing and Analysis Center (MS-ISAC). MS-ISAC's 
service, called ``Albert,'' closely resembles some EINSTEIN 
capabilities. While the current version of Albert cannot actively block 
known cyber threats, it does alert cybersecurity officials to an issue 
for further investigation. DHS worked closely with MS-ISAC to develop 
the program and considers MS-ISAC to be a principal conduit for sharing 
cybersecurity information with State and local governments.
    EINSTEIN, the Federal Government's tool to address perimeter 
security, will not block every threat; therefore, it must be 
complemented with systems and tools working inside agency networks--as 
effective cybersecurity risk management requires a defense-in-depth 
strategy that cannot be achieved through only one type of tool. NPPD's 
Continuous Diagnostics and Mitigation (CDM) program provides 
cybersecurity tools and integration services to all participating 
agencies to enable them to improve their respective security postures 
by reducing the attack surface of their networks as well as providing 
DHS with enterprise-wide visibility through a common Federal dashboard.
    CDM is helping us achieve two major advances for Federal 
cybersecurity. First, agencies are gaining visibility, often for the 
first time, into the extent of cybersecurity risks across their entire 
network. With enhanced visibility, they can prioritize the mitigation 
of identified issues based upon their relative importance. Second, with 
the summary-level agency-to-Federal dashboard feeds, the NCCIC will be 
able to identify systemic risks across the civilian Executive branch 
more effectively and closer to real-time. For example, the NCCIC 
currently tracks Government-wide progress in implementing critical 
patches via agency self-reporting and manual data calls. CDM will 
transform this, enabling the NCCIC to immediately view the prevalence 
of a given software product or vulnerability across the Federal 
Government so that the NCCIC can provide agencies with timely guidance 
on their risk exposure and recommended mitigation steps. Effective 
cybersecurity requires a robust measurement regime, and robust 
measurement requires valid and timely data. CDM will provide this 
baseline of cybersecurity risk data to drive improvement across the 
civilian Executive branch.
    DHS conducts a number of activities to measure agencies' 
cybersecurity practices and works with agencies to improve risk 
management practices. The Federal Information Security Modernization 
Act of 2014 (FISMA) provided the Secretary of Homeland Security with 
the authority to develop and oversee implementation of Binding 
Operational Directives (BOD) to agencies. In 2016, the Secretary issued 
a BOD on securing High-Value Assets (HVA), or those assets, Federal 
information systems, information, and data for which unauthorized 
access, use, disclosure, disruption, modification, or destruction could 
cause a significant impact to the United States' National security 
interests, foreign relations, economy, or to the public confidence, 
civil liberties, or public health and safety of the American people. 
NPPD works with interagency partners to prioritize HVAs for assessment 
and remediation activities across the Federal Government. For instance, 
NPPD conducts security architecture reviews on these HVAs to help 
agencies assess their network architecture and configurations.
    As part of the effort to secure HVAs, DHS conducts in-depth 
vulnerability assessments of prioritized agency HVAs to determine how 
an adversary could penetrate a system, move around an agency's network 
to access sensitive data, and exfiltrate such data without being 
detected. These assessments include services such as penetration 
testing, wireless security analysis, and ``phishing'' evaluations in 
which DHS hackers send emails to agency personnel and test whether 
recipients click on potentially malicious links. DHS has focused these 
assessments on Federal systems that may be of particular interest to 
adversaries or support uniquely significant data or services. These 
assessments provide system owners with recommendations to address 
identified vulnerabilities. DHS provides these same assessments, on a 
voluntary basis upon request, to private sector and State, local, 
Territorial, and Tribal (SLTT) partners. DHS also works with the 
General Services Administration to ensure that contractors can provide 
assessments that align with our HVA initiative to agencies.
    Another BOD issued by the Secretary directs civilian agencies to 
promptly patch known vulnerabilities on their internet-facing systems 
that are most at risk from their exposure. The NCCIC conducts Cyber 
Hygiene scans to identify vulnerabilities in agencies' internet-
accessible devices and provides mitigation recommendations. Agencies 
have responded quickly in implementing the Secretary's BOD and have 
sustained this progress. When the Secretary issued this directive, NPPD 
identified more than 360 ``stale'' critical vulnerabilities across 
Federal civilian agencies, which means the vulnerabilities had been 
known for at least 30 days and remained unpatched. Since December 2015, 
NPPD has identified an average of less than 40 critical vulnerabilities 
at any given time, and agencies have addressed those vulnerabilities 
rapidly once they were identified. By conducting vulnerability 
assessments and security architecture reviews, NPPD is helping agencies 
find and fix vulnerabilities and secure their networks before an 
incident occurs.
    In addition to efforts to protect Government networks, EO 13800 
continues to examine how the Government and industry work together to 
protect our Nation's critical infrastructure, prioritizing deeper, more 
collaborative public-private partnerships in threat assessment, 
detection, protection, and mitigation. In collaboration with civilian, 
defense, and intelligence agencies, we are identifying authorities and 
capabilities that agencies could employ, soliciting input from the 
private sector, and developing recommendations to support the 
cybersecurity efforts of those critical infrastructure entities at 
greatest risk of attacks that could result in catastrophic impacts.
    For instance, by sharing information quickly and widely, we help 
all partners block cyber threats before damaging incidents occur. 
Equally important, the information we receive from partners helps us 
identify emerging risks and develop effective protective measures.
    Congress authorized the NCCIC as the civilian hub for sharing cyber 
threat indicators and defensive measures with and among Federal and 
non-Federal entities, including the private sector. As required by the 
Cybersecurity Act of 2015, we established a capability, known as 
Automated Indicator Sharing (AIS), to automate our sharing of cyber 
threat indicators in real-time. AIS protects the privacy and civil 
liberties of individuals by narrowly tailoring the information shared 
to that which is necessary to characterize identified cyber threats, 
consistent with longstanding DHS policy and the requirements of the 
Act. AIS is a part of the Department's effort to create an environment 
in which as soon as a company or Federal agency observes an attempted 
compromise, the indicator is shared in real time with all of our 
partners, enabling them to protect themselves from that particular 
threat. This real-time sharing capability can limit the scalability of 
many attack techniques, thereby increasing the costs for adversaries 
and reducing the impact of malicious cyber activity. An ecosystem built 
around automated sharing and network defense-in-depth should enable 
organizations to detect and thwart the most common cyber attacks, 
freeing their cybersecurity staff to concentrate on the novel and 
sophisticated attacks. More than 129 agencies and private-sector 
partners have connected to the AIS capability. Notably, partners such 
as information sharing and analysis organizations (ISAOs) and computer 
emergency response teams further share with or protect their customers 
and stakeholders, significantly expanding the impact of this 
capability. AIS is still a new capability and we expect the volume of 
threat indicators shared through this system to substantially increase 
as the technical standards, software, and hardware supporting the 
system continue to be refined and put into full production. As more 
indicators are shared from other Federal agencies, SLTT governments, and 
the private sector, this information-sharing environment will become 
more robust and effective.
    Another part of the Department's overall information-sharing effort 
is to provide Federal network defenders with the necessary context 
regarding cyber threats to prioritize their efforts and inform their 
decision making. DHS's Office of Intelligence and Analysis (I&A) has 
collocated analysts within the NCCIC responsible for continuously 
assessing the specific threats to Federal networks using traditional 
all-source methods and indicators of malicious activity so that the 
NCCIC can share with Federal network defenders in collaboration with 
I&A. Analysts and personnel from the Department of Energy, Treasury, 
Health and Human Services, FBI, DoD, and others are also collocated 
within the NCCIC and working together to understand the threats and 
share information with their sector stakeholders.
                         mitigating cyber risks
    We also continue to adapt to the evolving risks to critical 
infrastructure, and prioritize our services to mitigate those risks. 
Facing the threat of cyber-enabled operations by a foreign government 
during the 2016 elections, DHS and our interagency partners conducted 
unprecedented outreach and provided cybersecurity assistance to State 
and local election officials. Information shared with election 
officials included indicators of compromise, technical data, and best 
practices that have assisted officials with addressing threats and 
vulnerabilities related to election infrastructure. Through numerous 
efforts before and after Election Day, DHS and our interagency partners 
have declassified and publicly shared significant information related 
to the Russian malicious cyber activity. These steps have been critical 
to protecting our elections, enhancing awareness among election 
officials, and educating the American public. The designation of 
election infrastructure as critical infrastructure serves to 
institutionalize prioritized services, support, and provide data 
protections and does not subject any additional regulatory oversight or 
burdens.
    As the Sector-Specific Agency, NPPD is providing overall 
coordination guidance on election infrastructure matters to subsector 
stakeholders. As part of this process, the Election Infrastructure 
Subsector Government Coordinating Council (GCC) is being established. 
The Election Infrastructure Subsector GCC will be a representative 
council of Federal, State, and local partners with the mission of 
focusing on sector-specific strategies and planning. This will include 
development of information-sharing protocols and establishment of key 
working groups, among other priorities.
    The Department also recently took action against specific products 
which present a risk to Federal information systems. After careful 
consideration of available information and consultation with 
interagency partners, last month the Acting Secretary issued a BOD 
directing Federal Executive branch departments and agencies to take 
actions related to the use or presence of information security 
products, solutions, and services supplied directly or indirectly by AO 
Kaspersky Lab or related entities. The BOD calls on departments and 
agencies to identify any use or presence of Kaspersky products on their 
information systems in the next 30 days, to develop detailed plans to 
remove and discontinue present and future use of the products in the 
next 60 days, and at 90 days from the date of this directive, unless 
directed otherwise by DHS based on new information, to begin to 
implement the agency plans to discontinue use and remove the products 
from information systems. This action is based on the information 
security risks presented by the use of Kaspersky products on Federal 
information systems.
    The Department is providing an opportunity for Kaspersky to submit 
a written response addressing the Department's concerns or to mitigate 
those concerns. The Department wants to ensure that the company has a 
full opportunity to inform the Acting Secretary of any evidence, 
materials, or data that may be relevant. This opportunity is also 
available to any other entity that claims its commercial interests will 
be directly impacted by the directive.
                               conclusion
    In the face of increasingly sophisticated threats, NPPD stands on 
the front lines of the Federal Government's efforts to defend our 
Nation's critical infrastructure from natural disasters, terrorism and 
adversarial threats, and technological risk such as those caused by 
cyber threats. Our infrastructure environment today is complex and 
dynamic with interdependencies that add to the challenge of securing 
and making it more resilient. Technological advances have introduced 
the ``internet of things'' (IoT) and cloud computing, offering 
increased access and streamlined efficiencies, while increasing our 
footprint of access points that could be leveraged by adversaries to 
gain unauthorized access to networks. As our Nation continues to evolve 
and new threats emerge, we must integrate cyber and physical risk in 
order to understand how to effectively secure it. Expertise around 
cyber-physical risk and cross-sector critical infrastructure 
interdependencies is where NPPD brings unique expertise and 
capabilities.
    We must ensure that NPPD is appropriately organized to address 
cybersecurity threats both now and in the future, and we appreciate 
this committee's leadership in working to establish the Cybersecurity 
and Infrastructure Security Agency. As the committee considers these 
issues, we are committed to working with Congress to ensure that this 
effort is done in a way that cultivates a safer, more secure, and 
resilient homeland.
    Thank you for the opportunity to testify, and we look forward to 
any questions you may have.

    Mr. Ratcliffe. Thank you, Mr. Krebs.
    Ms. Manfra, you are now recognized for 5 minutes.

     STATEMENT OF JEANETTE MANFRA, ASSISTANT SECRETARY FOR 
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND 
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Chairman Ratcliffe, Ranking Member Richmond, 
Ranking Member Thompson, Members of the committee, thank you 
for holding today's hearing.
    I also want to begin my testimony by thanking this 
committee for taking action earlier this summer on the 
Cybersecurity and Infrastructure Security Agency Act of 2017. A 
name for our organization that reflects our mission is 
essential to our work force recruitment efforts and effective 
stakeholder engagement.
    We must also ensure that NPPD is appropriately organized to 
address cybersecurity threats, both now and in the future, and 
we appreciate this committee's leadership.
    Cyber threats remain one of the most significant strategic 
risks for the United States. Cyber risks threaten our National 
security, economic prosperity, and public health and safety. 
Our adversaries cross borders at the speed of light.
    Over the past year Americans saw advanced persistent threat 
actors, including hackers, criminals, and nation-states, 
increase in frequency, complexity, and sophistication. In my 
role at DHS, I head the Department's Office of Cybersecurity 
and Communications, which includes our 24/7 watch center and 
operations at the National Cybersecurity and Communications 
Integration Center.
    Our role goes along three work streams: Instrumenting 
agency networks through the deployment of sensors; assessing 
and measuring agency vulnerabilities and risks, as well as 
critical infrastructure; and directing and advising actions 
that Federal agencies and critical infrastructure entities can 
take to better secure their networks.
    As you well know, the NCCIC is a civilian-Government hub 
for cybersecurity information sharing, asset incident response, 
and coordination for both critical infrastructure and the 
Federal Government.
    As my colleague noted, we are emphasizing the security of 
Federal networks. NPPD's assistance to Federal agencies 
includes first providing tools to safeguard civilian Executive 
branch networks through our National cyber protection system 
and the continuous diagnostics and mitigation programs; second, 
measuring and motivating agencies; and third, serving as a hub 
for information sharing and incident reporting; and finally, 
providing operational and technical assistance.
    Einstein, the sensors deployed as a part of the National 
cyber protection system, refers to the Federal Government's 
suite of intrusion detection and prevention capabilities that 
protects the agencies' Unclassified networks at the perimeter 
of each agency. Today Einstein is a signature-based intrusion 
protection and prevention capability that takes action on known 
malicious activity.
    Our non-signature-based pilot efforts to move beyond 
signatures are yielding positive results. These capabilities 
are essential to discovery of previously-unidentified malicious 
activity. We are demonstrating the ability to capture data that 
can rapidly be analyzed for anomalous activity, using 
technologies from commercial, Government, and open sources.
    The pilot efforts are also defining the future operational 
needs for tactics, techniques, and procedures, as well as the 
skill sets and personnel required to operationalize the non-
signature-based approach to cybersecurity.
    Einstein is our tool to address perimeter security, but it 
will not detect or block every threat. Therefore we must 
complement it with systems and tools working inside agency 
networks.
    Our continuous diagnostics and mitigation program provides 
those tools and integration services to Federal agencies. These 
tools are enabling agencies to manage risks across their entire 
enterprise. At the same time, these tools are also going to 
provide DHS visibility into our enterprise risk across the 
Federal Government through a common Federal dashboard.
    NPPD is also working with our interagency partners to 
prioritize high-value assets, or those systems for which a 
cyber incident could cause a significant impact to the United 
States.
    As part of this effort, we conduct security architecture 
reviews to help agencies assess their network architecture and 
configurations. We conduct in-depth vulnerability assessments 
of these prioritized assets to determine how an adversary would 
penetrate a system, move around an agency's network to access 
sensitive data, and exfiltrate such data without being 
detected.
    These assessments provide system owners with 
recommendations to address identified vulnerabilities, 
protecting them before an incident occurs.
    When necessary, the Department is also taking targeted 
action to address specific cybersecurity risks through the 
issuance of binding operational directives. We are working to 
enhance cyber threat information sharing across the globe to 
stop cyber incidents before they start.
    These actions help businesses and Government agencies 
protect their systems and quickly recover should such an attack 
occur. By bringing together all levels of government, the 
private sector, international partners, and the public, we are 
taking action to protect against cybersecurity risks, improve 
our whole-of-Government incident response capabilities, enhance 
information sharing on best practices and cyber threats, and to 
strengthen resilience.
    Thank you for the opportunity to testify and I look forward 
to any questions you may have.
    Mr. Ratcliffe. Thanks, Ms. Manfra.
    Ms. Hoffman, you are recognized for 5 minutes.

  STATEMENT OF PATRICIA HOFFMAN, ACTING ASSISTANT SECRETARY, 
  OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. 
                      DEPARTMENT OF ENERGY

    Ms. Hoffman. Chairman Ratcliffe, Ranking Member Richmond, 
and Members of the subcommittee, thank you for the opportunity 
to discuss the continuing threats facing our Nation's energy 
infrastructure, and the Department of Energy's role.
    Cybersecurity and resilience of the energy sector is one of 
the Secretary's top priorities and a major focus of the 
Department. The Department of Energy is the sector-specific 
agency for cybersecurity of the energy sector.
    DOE works with DHS and jointly with other agencies, the 
private-sector organizations, for a whole-of-Government 
response to cyber incidents by protecting assets and countering 
threats.
    In addition, the Department of Energy serves as the lead 
agency for Emergency Support Function 12, which is energy, 
under the National response framework. As a lead, ESF 12 is 
responsible for facilitating restoration of damaged energy 
infrastructure. The Department works with industry, Federal, 
State, and local partners to facilitate response and 
recoveries.
    Combining DOE's role as the SSA for cybersecurity with 
National response activity ensures that incidents with both cyber 
and physical impacts are coordinated in the energy sector.
    At this moment in time I would like to acknowledge that the 
Secretary does express his support for the victims of 
Hurricanes Harvey, Irma, and Maria, and I would also like to 
express my gratitude for all the utility workers that have been 
working very hard in the regions for restoring power.
    In extreme cases the Department can also use its legal 
authorities, such as those in the Federal Power Act as amended by 
the Fixing America's Surface Transportation Act, to assist in 
response and recovery operations. Congress enacted several 
important new energy security measures in this act as it 
relates to cybersecurity.
    The Secretary of Energy was provided a new authority upon 
declaration of a grid security emergency by the President, to 
issue emergency orders to protect or restore critical electric 
infrastructure, or defense critical electric infrastructure. 
This authority allows DOE to respond as needed to the threat of 
cyber and physical attacks to the grid.
    DOE has collaborated with the energy sector for nearly two 
decades in voluntary public-private partnerships that engage 
owners and operators at all levels, technical, operational, and 
executive, along with State and local governments, to identify 
and mitigate physical and cyber risks to the energy systems.
    In the energy sector, the core partnerships have consisted 
of the electric sector coordinating council and the oil and 
gas coordinating council. In these meetings, interagency 
partners, including DHS, States, and international partners, come 
together to discuss important security and resilience issues 
for the energy sector.
    The electric sector, specifically, has been very forward-
leaning and aggressive in trying to address cybersecurity 
issues. DOE plays a critical role in supporting the energy 
sector's cybersecurity by building in security.
    Specifically we have been looking at building capabilities 
in the sectors in three areas. The first area is preparedness, 
enhancing the visibility and situational awareness in 
operational networks as well as I.T. networks, increasing the 
alignment of cybersecurity preparedness across multiple States 
and Federal jurisdictions, response and recovery activities, 
and supporting the whole-of-Government effort, and leveraging 
the expertise of the Department of Energy's National labs to 
drive cybersecurity innovation.
    Threats continue to evolve. DOE is working diligently to 
stay ahead of the curve. The solution is an ecosystem of 
resilience that works in partnership with State, local, and 
industry stakeholders to advance best practices, strategies, 
and tools.
    To accomplish this we must accelerate information sharing 
to better inform local investment decisions, encourage 
innovation, and the use of best practices to help raise the 
energy sector's security maturity and strengthen local incident 
response and recovery activities, especially through the 
participation in training programs and exercises.
    I appreciate the opportunity to be here before the 
subcommittee and represent one of the sector-specific 
agencies and the energy sector's cybersecurity capabilities.
    However I would be remiss not to take a moment and stress 
the interdependent nature of our infrastructure. It requires 
all sectors to be constantly focused on improving their 
cybersecurity posture. So DOE looks forward to continue working 
with the Federal agencies to share best practices and build a 
defense-in-depth.
    So with that I would like to thank you for being here today 
and look forward to answering your questions.
    [The prepared statement of Ms. Hoffman follows:]
                 Prepared Statement of Patricia Hoffman
                            October 3, 2017
                              introduction
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the 
subcommittee, thank you for the opportunity to discuss the continuing 
threats facing our National energy infrastructure and the Department of 
Energy's (DOE's) role in supporting the cybersecurity of the Nation's 
energy infrastructure. Cybersecurity and the resilience of the energy 
sector is one of the Secretary's top priorities and a major focus of 
the Department.
    Our economy, National security, and even the well-being of our 
citizens depend on the reliable delivery of electricity. The mission of 
the Office of Electricity Delivery and Energy Reliability (DOE-OE)--
which I oversee in my roles as the acting under secretary for science 
and energy and acting assistant secretary for DOE-OE--is to strengthen, 
transform, and improve energy infrastructure to ensure access to 
reliable and secure sources of energy. The Secretary of Energy and DOE 
are committed to working with our public and private-sector partners to 
protect the Nation's critical energy infrastructure from physical 
security events, natural and man-made disasters, and cybersecurity 
threats.
      doe's role as the energy sector's ``sector-specific agency''
    In preparation for, and response to, cybersecurity threats, the 
Federal Government's operational framework is provided by Presidential 
Policy Directive 41 (PPD-41). A primary purpose of PPD-41 is to clarify 
the roles and responsibilities of the Federal Government during a 
``significant cyber incident,'' which are described as cyber incidents 
that are ``likely to result in demonstrable harm to the National 
security interests, foreign relations, or economy of the United States 
or to the public confidence, civil liberties, or public health and 
safety of the American people.''
    Under the PPD-41 framework, as the Sector-Specific Agency (or SSA) 
for cybersecurity of the energy sector, DOE works jointly with other 
agencies and private-sector organizations, including the Federal 
Government's designated lead agencies for coordinating the response to 
significant cyber incidents by protecting assets and countering 
threats: The Department of Homeland Security (DHS) acting through the 
National Cybersecurity and Communications Integration Center (NCCIC) 
and the Department of Justice (DOJ), acting through the Federal Bureau 
of Investigation (FBI) and the National Cyber Investigative Joint Task 
Force, respectively. In the event of a cybersecurity emergency in the 
energy sector, closely aligning DOE's activities with those of our 
partners at DHS and DOJ helps to ensure that DOE's deep expertise with 
the sector is appropriately leveraged.
    Under Presidential Policy Directive-21 (PPD-21): Critical 
Infrastructure Security and Resilience, later codified in part in the 
Fixing America's Surface Transportation Act, DOE is designated as the 
SSA for cybersecurity of the energy sector. As the SSA, DOE coordinates 
with DHS and other Federal agencies and collaborates with industry and 
State, local, Tribal, and territorial partners on matters of cyber 
resilience, incident response, and planning. For any risk to the energy 
sector, DOE thus acts to ensure unity of effort across government, 
including States, and industry partners.
    In addition, DOE serves as the lead agency for Emergency Support 
Function 12 (ESF-12) under the National Response Framework. As the lead 
for ESF-12, DOE is responsible for facilitating the restoration of 
damaged energy infrastructure. The Department works with industry and 
Federal, State, and local partners to facilitate response and recovery. 
Combining DOE roles as the SSA in cybersecurity with National response 
ensures incidents with both cyber and physical impacts can be 
coordinated for the energy sector.
    In extreme cases, the Department can use its legal authorities such 
as those in the Federal Power Act, as amended by the Fixing America's 
Surface Transportation (FAST) Act, to assist in response and recovery 
operations. Congress enacted several important new energy security 
measures in the FAST Act as it relates to cybersecurity. The Secretary 
of Energy was provided a new authority, upon declaration of a ``Grid 
Security Emergency'' by the President, to issue emergency orders to 
protect or restore critical electric infrastructure or defense critical 
electric infrastructure. This authority allows DOE to respond as needed 
to the threat of cyber and physical attacks on the grid.
    DOE is working to address public comments received regarding the 
rules of procedure to issue an order under this new authority. The Grid 
Security Emergency authority is unique to DOE and an important element 
in partnering with DHS and DOJ to fully address the cybersecurity risks 
to the energy sector.
          the special nature of energy security cybersecurity
    Cyber attacks targeting ``information technology'' or IT, including 
computing and business applications, to cause disruptions, obtain 
access to email accounts and personal information, exfiltrate data to 
release to the world at large, and exploit information for private gain 
are growing increasingly common. The energy sector is not immune to 
such attacks.
    However, our adversaries understand that the energy sector is a 
valuable target not because of its IT systems, but because of the 
assets that the sector controls. Accordingly, we have seen an increased 
interest in vulnerabilities of the ``operating technology,'' or OT, of 
energy delivery systems and other critical infrastructure as well. OT 
systems consist of industrial control systems (or ICS), programmable 
logic controls, and their associated supervisory control and data 
acquisition software (known as SCADA). The heavy use of OT systems has 
made electric utilities, oil and natural gas providers, hydro and 
nuclear facilities, and water utilities prime targets for OT-related 
cyber attacks. The disruption of any one of these is not only 
inherently problematic, it also hampers the ability to respond to any 
type of emergency event.
    The Department's focus on OT systems specific to the energy sector 
makes our activities both distinct from, and complementary to, the 
activities of DHS and our other Federal agency partners. The 
cybersecurity of energy sector OT systems requires specific and focused 
attention because of their need for extremely high reliability and 
availability, the fact that any significant reduction in the speed of 
the systems is unacceptable, and because these systems are so critical 
to underpinning the Nation's economic health, public safety, and 
National security.
    In December 2015, the first known successful cyber attack on power 
grid OT took place in Ukraine. Over 225,000 residents were left without 
power for several hours in the coordinated attack, and a second attack 
occurred in December 2016 that left portions of Kiev without 
electricity. More recently, publicly-available information about 
threats such as the Crash Override malware used in Ukraine and the 
nation-state activities described under the name ``Dragonfly 2.0'' are 
just two of many examples that illustrate that the threat to the 
Nation's energy infrastructure is real and growing more concerning by 
the day.
                       importance of partnerships
    Before I describe the details of the Department's activities in 
support of the energy sector's cybersecurity, I must first focus on the 
most foundational aspect of our activities: Partnerships. The Federal 
Government does not own or operate the vast majority of the assets in 
the Nation's energy sector, and DOE does not hold a monopoly on 
protecting the Nation's critical infrastructure from cyber threats. As 
such, we cannot function effectively unless we have strong partnerships 
throughout the public and private sectors and with our Federal 
colleagues at DHS and other law enforcement- and National security-
oriented agencies.
    DOE has collaborated with the energy sector for nearly two decades 
in voluntary public-private partnerships that engage energy owners and 
operators at all levels--technical, operational, and executive, along 
with State and local governments--to identify and mitigate physical and 
cyber risks to energy systems.
    These partnerships are built on a foundation of earned trust that 
promotes the mutual exchange of information and resources to improve 
the security and resilience of critical energy infrastructures. These 
relationships acknowledge the special security challenges of energy 
delivery systems and leverage the distinct technical expertise within 
industry and Government to develop solutions.
    The security and integrity of energy infrastructure is both a State 
and Federal Government concern because energy underpins the operations 
of every other type of critical infrastructure; the economy; and public 
health and safety. The owners and operators of energy infrastructure, 
however, have the primary responsibility for the full spectrum of 
cybersecurity risk management: Identify assets, protect critical 
systems, detect incidents, respond to incidents, and recover to normal 
operations.
    When the lights go out or gasoline stops flowing in pipelines, the 
first responder is usually not the State or Federal Government but, 
rather, industry or local government. This is why public-private 
partnerships regarding cybersecurity are paramount--they recognize the 
distinct roles and capabilities of industry and Government in managing 
our critical energy infrastructure risks.
    In the Energy Sector, the core of critical infrastructure partners 
consists of the Electricity Subsector Coordinating Council (ESCC), the 
Oil and Natural Gas Subsector Coordinating Council (ONG SCC), and the 
Energy Government Coordinating Council (EGCC). The ESCC and ONG SCC 
represent the interests of their respective industries. The EGCC, led 
by DOE and co-chaired with DHS, is where the interagency partners, 
States, and international partners come together to discuss the 
important security and resilience issues for the energy sector. This 
forum ensures that we're working together in a whole-of-Government 
response.
    As defined in the National Infrastructure Protection Plan, the 
industry coordinating councils or ``SCCs'' are created by owners and 
operators and are self-organized, self-run, and self-governed, with 
leadership designated by the SCC membership. The SCCs serve as the 
principal collaboration points between the Government and private-
sector owners and operators for critical infrastructure security and 
resilience coordination and planning, as well as a range of sector-
specific activities and issues.
    The SCCs, EGCC, and associated working groups operate under DHS's 
Critical Infrastructure Partnership Advisory Council (CIPAC) framework, 
which provides a mechanism for industry and Government coordination. 
The public-private critical infrastructure community engages in open 
dialog to mitigate critical infrastructure vulnerabilities and to help 
reduce impacts from threats.
           doe's cybersecurity strategy for the energy sector
    To address these challenges, it is critical for us to be proactive 
and cultivate what I call an ecosystem of resilience: A network of 
producers, distributors, regulators, vendors, and public partners, 
acting together to strengthen our ability to prepare, respond, and 
recover. We continue to partner with industry, DHS and other Federal 
agencies, States, local governments, and energy stakeholders broadly to 
quickly identify threats, develop capabilities to support mitigation 
strategies, and rapidly respond to any disruptions.
    DOE plays a critical role in supporting energy sector cybersecurity 
to enhance the security and resilience of the Nation's energy 
infrastructure. As part of a comprehensive strategy for energy 
resilience, the Department is focusing cyber support efforts to: 
Enhance visibility and situational awareness of operational networks; 
increase alignment of cyber preparedness and planning across local, 
State, and Federal levels; and leverage the expertise of DOE's National 
Labs to drive cybersecurity innovation.
Enhance visibility and situational awareness of operational networks
    It is necessary for partners in the Energy Sector and the 
Government to share emerging threat data and vulnerability information 
to help prevent, detect, identify, and thwart cyber attacks more 
rapidly. An example of this type of collaboration is the Cybersecurity 
Risk Information Sharing Program (CRISP), a voluntary public-private 
partnership that is primarily funded by industry, administered by the 
Electricity Information Sharing and Analysis Center (E-ISAC), and 
enhanced by DOE through intelligence analysis by DOE's Office of 
Intelligence and Counterintelligence. One of DOE's National 
Laboratories--the Pacific Northwest National Laboratory--is a key 
partner for the E-ISAC in accomplishing the goals of the CRISP program.
    The purpose of CRISP is to share information among electricity 
subsector partners, DOE, and the intelligence community to facilitate 
the timely bi-directional sharing of Unclassified and Classified threat 
information to enhance the sector's ability to identify, prioritize, 
and coordinate the protection of critical infrastructure and key 
resources. CRISP leverages advanced sensors and threat analysis 
techniques developed by DOE along with DOE's expertise as part of the 
intelligence community to better inform the energy sector of the high-
level cyber risks. Current CRISP participants provide power to over 75 
percent of the total number of continental United States electricity 
customers. The Department is currently in the early stages of taking 
the lessons learned from CRISP and developing an analogous capability 
to monitor network traffic on OT networks.
    If CRISP has demonstrated one finding to DOE, the E-ISAC, and our 
industry partners, it is that continuous monitoring of critical 
networks and shared situational awareness is of utmost importance in 
protecting against malicious cyber activities. Programs such as CRISP 
are critical for facilitating the identification of and response to 
advanced persistent threats targeting the energy sector.
    Advancing this project to improve situational awareness of OT 
networks is a key focus of DOE's current activities. Observing 
anomalous traffic on networks--and having the ability to store and 
retrieve network traffic from the recent past--can be the first step in 
stopping an attack early in the cyber kill chain. Continuous monitoring 
of IT and OT networks, in coordination with Federal partners and 
industry, is a critical component of protecting the Nation against 
cyber threats.
Increase alignment of cyber preparedness and planning across local, 
        State, and Federal levels
    As the Energy SSA, DOE works at many levels of the electricity, 
petroleum, and natural gas industries. We interact with numerous 
stakeholders and industry partners to share both Classified and 
Unclassified information, discuss coordination mechanisms, and promote 
scientific and technological innovation to support energy security and 
reliability. By partnering through working groups between Government 
and industry at the National, regional, State, and local levels, DOE 
facilitates enhanced cybersecurity preparedness.
    As a recent example, DOE-OE and the National Association of 
Regulatory Utility Commissioners (NARUC) sponsored the third edition of 
a cybersecurity primer for regulatory utility commissioners. This 
document was published in January of this year and is publicly 
available on the NARUC Research Lab website, benefiting not only 
regulators, but State officials focused on the sector as well.
    The updated cyber primer provides best practices, access to 
industry and National standards, sample questions, and easy reference 
materials for commissions in their engagements with utilities to ensure 
their systems are resilient to cyber threats.
    We are continuing to work with the NARUC Research Lab to support 
regional trainings on cybersecurity throughout the year, with the goal 
of building commissioner and commission staff expertise on 
cybersecurity so they ensure cyber investments are both resilient and 
economically sound.
    DOE also continues to work closely with our public and private 
partners to ensure that our response and recovery capabilities fully 
support and bolster the actions needed to help ensure the reliable 
delivery of energy. We continue to coordinate with industry through the 
SCCs to synchronize DOE and industry cyber incident response playbooks.
    DOE-OE also engages directly with our public and private-sector 
stakeholders to help ensure we all are prepared and coordinated in the 
event of a cyber incident to the industry. Innovation and preparedness 
are vital to grid resilience. This past December, DOE and the National 
Association of State Energy Officials (NASEO) co-hosted the Liberty 
Eclipse Exercise in Newport, Rhode Island, which focused on a 
hypothetical cyber incident that cascaded into the physical world, 
resulting in power outages and damage to oil and natural gas 
infrastructure. The event featured 96 participants from 13 States, and 
included representatives from State energy offices, emergency 
management departments, utility commissions, as well as Federal 
partners, such as FEMA, and private-sector utilities and petroleum 
companies.
    In November, we are looking forward to participating in GridEx IV, 
which is the biennial exercise led by the North American Electric 
Reliability Corporation (NERC) and is designed to simulate a cyber and 
physical attack on electric and other critical infrastructures across 
North America. Coordination with Federal partners and participation in 
preparedness activities enable DOE to identify gaps and develop 
capabilities to support cyber response as the SSA.
Leverage the expertise of DOE's National Labs to drive cybersecurity 
        innovation
    Beyond providing guidance and technical support to the energy 
sector, DOE-OE also supports an R&D portfolio designed to develop 
advanced tools and techniques to provide enhanced cyber protection for 
key energy systems. Intentional, malicious cyber threat challenges to 
our energy systems are on the rise in both number and sophistication. 
This evolution has profound impacts on the energy sector.
    Cybersecurity for energy control and OT systems is much different 
than that of typical IT systems. Power systems must operate 
continuously with high reliability and availability. Upgrades and 
patches can be difficult and time-consuming, with components dispersed 
over wide geographic regions. Further, many assets are in publicly-
accessible areas where they can be subject to physical tampering. Real-
time operations are imperative and latency is unacceptable for many 
applications. Immediate emergency response capability is mandatory and 
active scanning of the network can be difficult.
    The CEDS R&D program is designed to assist the energy sector asset 
owners by developing cybersecurity solutions for energy delivery 
systems through a focused research and development effort. DOE-OE co-
funds projects with industry partners to make advances in cybersecurity 
capabilities for energy delivery systems. These research partnerships 
are helping to detect, prevent, and mitigate the consequences of a 
cyber-incident for our present and future energy delivery systems. Of 
course, our National Laboratories are critical partners in executing 
this work.
    To select cybersecurity R&D projects, DOE constantly examines 
today's threat landscape and coordinates with partners, like DHS, to 
provide the most value to the energy sector while minimizing overlap 
with existing projects. For example, the Artificial Diversity and 
Defense Security (ADDSec) project will develop solutions to protect 
control system networks by constantly changing a network's virtual 
configuration, much like military communications systems that rapidly 
change frequencies to avoid interception and jamming. As a result, 
ADDSec can harden networks against the mapping and reconnaissance 
activities that are the typical precursors to a cyber attack.
    Another project, the Collaborative Defense of Transmission and 
Distribution Protection and Control Devices against Cyber Attacks 
(CODEF), is designed to anticipate the impact a command will have on a 
control system environment. If the commands would result in damage to 
the system or other negative consequences, CODEF will have the ability 
to prevent their execution. This type of solution is especially 
intriguing as it can detect malicious activity regardless of the 
source, be it an insider threat or an external actor.
    Since 2010, DOE-OE has invested more than $210 million in 
cybersecurity research, development, and demonstration projects that 
are led by industry, universities, and the National Laboratories. These 
investments have resulted in more than 35 new tools and technologies 
that are now being used to further advance the resilience of the 
Nation's energy delivery systems.
                               conclusion
    Threats continue to evolve, and DOE is working diligently to stay 
ahead of the curve. The solution is an ecosystem of resilience that 
works in partnership with local, State, and industry stakeholders to 
help provide the methods, strategies, and tools needed to help protect 
local communities through increased resilience and flexibility. To 
accomplish this, we must accelerate information sharing to inform 
better local investment decisions, encourage innovation and the use of 
best practices to help raise the energy sector's security maturity, and 
strengthen local incident response and recovery capabilities, 
especially through participation in training programs and preparedness 
exercises.
    Building an ecosystem of resilience is--by definition--a shared 
endeavor, and keeping a focus on partnerships remains an imperative. 
DOE will continue its years of work coordinating with DHS and fostering 
vital energy sector relationships and investing in technologies to 
enhance security and resilience in order to support industry efforts to 
respond to, and recover quickly from all threats and hazards.
    I appreciate the opportunity to appear before the subcommittee to 
discuss the cybersecurity of the energy sector. I would, however, be 
remiss if I did not take a moment to stress that the interdependent 
nature of our infrastructure requires that all sectors be constantly 
focused on improving their cybersecurity posture. Collaboration among 
DOE, DHS, and the rest of the Federal family is absolutely critical to 
ensuring that we remain both ahead of the curve and resilient to any 
potential cyber attack. DOE, as always, looks forward to our continued 
partnership to share best practices, collaborating where appropriate 
and possible, and helping to protect our civilian infrastructure from 
the Nation's cyber adversaries.

    Mr. Ratcliffe. Thanks, Ms. Hoffman.
    I now recognize myself for 5 minutes of questions.
    Ms. Manfra, I want to start with you. You mentioned 
Einstein and CDM in your testimony and the role that they play 
in securing Federal networks. So I want to give you an 
opportunity to provide some public clarity on the 
implementation of CDM specifically.
    So can you give us some idea of how many departments and 
agencies have fully implemented CDM phase one and how many 
agency dashboards are up and running? Is the DHS dashboard up 
and running? Give us some perspective on that.
    Ms. Manfra. Yes, sir. Thank you for the question. We are in 
the process of deploying both phase one and phase two. Phase 
one being focused on hardware software asset management, sort-
of identifying what is on the networks internal to the 
agencies, and phase two looking at who is on the network. So 
dealing with issues like access and identity management.
    We can get back to you with the specific numbers of agency 
deployment. They are all in various stages of deployment. We 
have made it available to all agencies, but each individual 
agency is in different stages of deploying.
    We are nearing 20 agencies that have an agency dashboard up 
and running. This month the Department of Homeland Security 
will be standing up the Federal dashboard, so that we will be 
receiving feeds from those agency dashboards.
    That will then allow us to have more near-real-time 
understanding of what those sensors are identifying on those 
agency networks and allow us to better prioritize vulnerability 
management for our agencies.
    Mr. Ratcliffe. Terrific. Thanks. So one of the other points 
I wanted to cover today was, last week the GAO came out with a 
fairly critical report on the current state of Federal 
cybersecurity.
    One of the most, would appear to be, at least, troubling 
aspects of that was a statistic that said only 7 of the 24 CFO 
Act agencies have programs with any functions considered 
effective per the NIST standards for cybersecurity control. So 
that doesn't sound very good.
    I want to give either you, Mr. Krebs, or you, Ms. Manfra, 
the opportunity to, you know, as we talk about the 
cybersecurity posture of the dot.gov reconcile that with that 
GAO report.
    Ms. Manfra. Sir, I think that we have learned a lot over 
the years about agency capacity to manage cybersecurity risks 
and the resources they have to do so. I can say that agencies 
have prioritized the management of their cyber risk at their 
highest level across the Government.
    What we have learned in both the deployment of CDM, our 
engagement and partnership with OMB in measuring agencies is 
that there remain some significant gaps.
    We have built over the last couple years and are continuing 
to build technical assistance capabilities, things like 
design and engineering, architecture reviews, helping agencies 
getting much more in-depth insight into their networks and 
providing them with a greater level of assistance, both 
engineering and on the governance side to help them address 
their often very complicated networks with the limited 
resources we have.
    But we do see a lot of potential for CDM in the ability to 
deliver tools at a lower cost across agencies and this is the 
first time that many agencies have had access to this level of 
automated data to understand what is on their network.
    So we see a lot of potential for this, but for many 
agencies there is a lot of capability that has to be built. We 
are continuing to take advantage of things like shared service, 
more capability from DHS to deploy to agencies who need it 
most.
    Mr. Ratcliffe. So your comment about shared services and 
resources, I want to follow up on that a bit because I think it 
is important to look where we are but also look to where we are 
going.
    So looking forward a bit, how do you see DHS's Federal 
network protection tools evolving past, say, signature-based 
threat detection tools and particularly where my conversations 
with the administration and the cybersecurity advisors to the 
President, really putting an emphasis on cloud computing and 
shared I.T. services and resources?
    So I guess, in a sense, what is Einstein future 
generations--Einstein 10.0 look like?
    Ms. Manfra. Well, sir, I am not exactly sure what Einstein 
10.0 will look like yet, but I can tell you where we are 
looking to evolve. As agencies, and the President's key 
initiative around modernizing our I.T. and that is not just the 
technology.
    There are large challenges with legacy technology, but we 
also need to modernize the way we govern and procure I.T. 
services within the Government. As we do that we are working 
very closely to modernize our security processes.
    So as we take advantage of things like cloud services we 
ensure that we are modernizing our security approach, but also 
not losing the insight that we have into traffic, either 
traversing internal networks or in and out of agency networks.
    Importantly we have learned on CDM some key lessons from 
the first phases of deployment. We now have a new contract 
vehicle in place that will enable the deployment of cloud and 
mobile security technologies in addition to the on-premise 
sensing capability that we have right now.
    So we are evolving. We are building on what industry is 
learning from behavioral-based detection methods, and we have 
had some successful pilots. We look forward to continuing to 
build that capability.
    Mr. Ratcliffe. Terrific. Thanks very much. My time has 
expired.
    The Chair now recognizes Mr. Richmond for his questions.
    Mr. Richmond. Ms. Manfra or Mr. Krebs, either one, you all 
know that I authored legislation that called for a Department-
wide cybersecurity strategy within DHS. That strategy and 
report was due in March. We still don't have it.
    So what is the status of it; if you are running into 
problems in getting it done, what are those problems? How can 
we help?
    Mr. Krebs. Sir, thank you for the question. The Office of 
Policy has the pen, so to speak, for drafting the Department 
cybersecurity strategy. It rolls in components across the 
Department, between the Secret Service, ICE, Homeland Security 
Investigations, the U.S. Coast Guard, Transportation and 
Security Administration, as well as NPPD.
    So while we don't necessarily lead the development of that 
strategy because it is a Department-wide strategy, we are a 
significant player.
    Now, to speak to the status of the strategy itself, my 
understanding of where it sits is influenced by the President's 
Executive Order 13800 that was released back earlier in the 
spring.
    Now that report puts DHS at the front or in the lead for 
almost all of the reports, particularly in the first two and 
the fourth work stream, Federal networks' critical 
infrastructure and cyber work force. So while those reports and 
assessments are under way, they are anticipated to have 
significant impacts on some of the priorities perhaps of the 
Department, including NPPD.
    So I believe the decision on finalizing the strategy has 
been to let's get through the cybersecurity assessments related 
to the E.O., as well as the administration's anticipated 
National security strategy and National cybersecurity strategy 
that are expected in the next several months.
    Then, when we have a broader understanding of where the 
Department is going, that will then feed into the cybersecurity 
strategy.
    That said, rolling it all back to the requirement in the 
NDAA--that you offered, it still is a priority to finalize that 
report. That said, as a Department, we are moving forward with 
a number of our priorities.
    I do want to touch on a couple things you mentioned early. 
As the senior official performing the duties of the under 
secretary, while we do not have a permanent under secretary for 
NPPD, I have been authorized and given the very clear direction 
by acting Secretary Duke to move out and execute every aspect 
of NPPD.
    So while we do not have a permanent under secretary right 
now, I have all authority that I believe I need to execute the 
Department's mission within NPPD.
    Mr. Richmond. With regards to a strategy, and we talk about 
in terms of report, let me just take that aside.
    Mr. Krebs. Yes, sir.
    Mr. Richmond. Do we have a Department-wide strategy with 
how we deal with cybersecurity and our needs and challenges 
that we are going to continue to face in the near future?
    Mr. Krebs. Sir, my understanding is that there is a 
Department-wide cybersecurity strategy in draft form, yes, sir.
    Mr. Richmond. So and again with--I don't want to get into 
the weeds. I am just saying are you all operating with some 
comprehensive strategy----
    Mr. Krebs. Yes.
    Mr. Richmond [continuing]. On a day-to-day basis to protect 
the cybersecurity?
    Mr. Krebs. I understand, yes, sir. So going back to my 
opening remarks, I indicated that NPPD is in the lead for 
ensuring the Nation's critical infrastructure, both 
cybersecurity and physical threats, and under that are three 
goals.
    I mentioned the top goal, which is securing our Federal 
networks and facilities. For me and with Assistant Secretary 
Manfra, that is at the very top of our minds every, single day.
    The second piece is identifying and mitigating systemic 
risk across the infrastructure, the Nation's infrastructure. 
When I think about that, I am thinking about the Section 9, 
critical infrastructure at greatest risk, but I am also putting 
election infrastructure in there.
    As I mentioned in my opening comments, that, for me, is the 
No. 1 priority for NPPD from a critical infrastructure 
perspective. We cannot fail there.
    Third and finally, is enabling and incentivizing better 
security practices across the broader critical infrastructure 
community to include State, local, small, and medium-sized 
businesses.
    Mr. Richmond. Ms. Hoffman, there has been a great deal of 
concern among National security experts that Russia's goal in 
disrupting the Ukraine's power supply in 2015 and 2016 was to 
test its capabilities in preparation for a large attack on the 
United States.
    Last month we learned that Russia may have been responsible 
for Dragonfly 2.0, which exploited and targeted some of our 
energy sector. How is the energy sector responding and what are 
their capabilities to prevent a wide-spread attack?
    With that, I yield back.
    Ms. Hoffman. Thank you, Congressman, for the question. The 
Ukraine attack was very much an eye-opening event for the 
energy sector. The energy sector, specifically the electric 
sector, got very organized in recognizing that we had to 
continue to step up our continuous monitoring capabilities, our 
ability to detect behavior on the system, but also building 
inherent protections as we develop new technologies.
    Recognize that the core of anything is protecting against 
spear-phishing and passwords and credentials and that starting to 
really go after where do we need to be with respect to 
preventing an attack from occurring on the system. So we have 
been working very actively with the electric sector to build 
some tools and capabilities and for protections of their 
system.
    Mr. Ratcliffe. The Chair now recognizes the gentleman from 
New York, Mr. Donovan for 5 minutes.
    Mr. Donovan. Thank you, Mr. Chairman. I would just like to 
ask one question of all of you. In 2015, Congress passed the 
Cybersecurity Act of 2015. In 2017, the committee passed the 
Cyber and Infrastructure Security Agency Act, and the President 
also issued an Executive Order back in May to strengthen our 
abilities.
    What do you guys need? What can Congress do to help you 
protect our Nation, our Federal agencies, our private entities, 
as Mr. Richmond said, our energy industries? What do you guys 
need from us to help you protect our Nation better than we are 
able to do now?
    Mr. Krebs. Sir, thank you for the question. The very first 
thing I would start with is, as you mentioned, the 
Cybersecurity and Infrastructure Security Agency Act in 2017. 
Passing out of the full committee was a significant step 
forward. What we need, as I mentioned in my opening comments, 
is quick action by the full House and the Senate. Let me give 
you a little anecdote about why that is important. That bill 
will give us three things.
    One, it will allow us to introduce some operational 
efficiencies, looking at common infrastructure across the 
organization, push them together so that we are more 
streamlined in how we engage and deliver services from a 
customer service orientation.
    Second, it will help with our branding and clarify roles 
and responsibilities not just within NPPD, but more 
importantly, with our Federal partners, State and local 
partners, and the private sector. I want to come back to that 
in just a second.
    Finally what that is going to do is give us the ability to 
attract talent. We have talked a little bit about work force, 
we talked about hiring, and we talked about partnership. But on 
that clarity of roles and responsibilities, let me talk about 
that for just a second.
    I have been down to Puerto Rico twice in the last week. I 
was there last Monday with Administrator Long and the 
President's Homeland Security Advisor Tom Bossert, and then I 
was there last Friday with Acting Secretary Duke.
    On Friday, meeting with Acting Secretary Duke, Governor 
Rossello and his key staff, we were discussing a number of the 
critical infrastructure challenges in Puerto Rico.
    When it came around to me, I talked about communications 
infrastructures. As you all know, the National Communication 
Center resides within the Office of Cybersecurity and 
Communication, Assistant Secretary Manfra's organization.
    Now when we talked about the status of things, what I was 
talking about was how we are assisting the communications 
carriers, whether it is AT&T, Sprint, Claro, T-Mobile, Verizon, 
helping them get back in, prioritize deliveries of temporary 
capabilities, this cell on wheels, cell on light trucks, things 
like that, to helping temporarily pop up the communications 
coverage, but at the same time helping them get resources in 
for cell towers.
    Now as I briefed out where we were on helping those 
companies get resources back in, I introduced myself as the 
senior official performing the duties of the under secretary 
for the National Protection and Programs Directorate. Now, try 
repeating that back. It is not easy.
    So someone that has never heard that before, immediately 
went on to a press interview and alongside the TSA 
administrator, vice commandant of the Coast Guard, the 
secretary of Homeland Security, the FEMA regional 
administrator, she said, ``We at FEMA, TSA, Coast Guard, and 
the COMS guy.'' She didn't know how to describe me.
    When I am out engaging my stakeholders, they don't 
understand the mission I deliver. I need help in clarifying 
that and providing very front, up front clear what I do and 
what my team delivers. That is a significant advancement. So 
any help I can get there, please, help me out.
    But more broadly though, in terms of additional authorities 
and clarification of authorities, we are in the process of 
running that kind of stocktaking of where the Department sits 
in cybersecurity.
    Department of Energy in the FAST Act got significant 
authorities that could come to bear in the event of a grid 
incident. DHS has authorities in terms of incident response, 
information sharing. Thank you for those authorities.
    Going forward, we are not quite sure just yet what we need, 
but I am going to tell you this. The cybersecurity threat is 
not going away. Our adversaries are getting better, they are 
getting faster, they are getting more agile.
    We need to be resourced, we need to be staffed, we need to 
be positioned to respond to that, because I also know one more 
thing. We are not going to use less technology going forward.
    As you indicated earlier, we are going to the cloud. We are 
going to shared services. We are going to be relying upon these 
cross-cutting technology capabilities in the information 
technology sector. We need to ensure that from a digital 
defense perspective, we have what we need.
    So we welcome that conversation, and you can believe that 
you will see me again and we are going to be talking about 
that.
    Mr. Donovan. Ms. Manfra, I have 2 seconds left in my--would 
you contribute, please?
    Ms. Manfra. Yes, sir. Very briefly just to complement what 
Chris talked about, we are working within the Federal 
Government to understand what is the full breadth of our 
authorities? How can we lean into the existing authorities that 
they have to deploy more capability?
    With the critical infrastructure sectors, we are working to 
understand now that we have identified these most critical 
assets at greatest risk, are there legal and operational and 
policy hurdles that we need to address in order to ensure that 
we have appropriate prevention and response and recovery 
capabilities in place? So we look forward to working with you 
as we conclude these analyses.
    Mr. Donovan. Please don't wait until another hearing. Let 
us know how we can help you.
    Ms. Manfra. Absolutely, sir.
    Mr. Donovan. Mr. Chairman, I yield back the time I don't 
have left.
    Mr. Ratcliffe. Thank the gentleman.
    The Chair recognizes the gentleman from Mississippi, Mr. 
Thompson.
    Mr. Thompson. Thank you, Mr. Chairman. The last two 
speakers have talked about being resourced and staffed from an 
agency standpoint. Last March we held a hearing talking about 
staffing at the Department. Can you give us the number of 
unfilled positions in the cyber division right now?
    Ms. Manfra. Sir, we are currently staffed at 76 percent of 
our fully-funded billet.
    Mr. Thompson. So we are 24 percent under. Can you tell us 
why we are understaffed at this point?
    Ms. Manfra. Yes, sir. There are a variety of reasons. The 
first, largely thanks to the work in this committee and our 
appropriations staff in Congress in building the billets that 
are allocated to my organization, we have grown significantly. 
We have worked very hard to build according to that growth in 
billets, but we have had some challenges.
    We have worked with our management, colleagues, and our 
human capital colleagues to identify areas where we can reduce 
the time to hire. I can say that looking at the statistics from 
fiscal year 2016 hiring to fiscal year 2017 hiring, we have 
been able to reduce the time to hire by 10 percent.
    Many of these requirements have to do with security 
clearances. It does take a long time to process people through 
that security clearance process, but we have made significant 
progress. We are continuing to work with our security office to 
identify ways that we can continue to shorten that.
    We are also diversifying our recruitment path, looking at 
the scholarship for service. The CyberCorps program has been a 
great pipeline for us to bring to--after we, the Government has 
funded scholarships, bringing these individuals in as interns 
and then hiring them full-time.
    They are already fully qualified for our direct hire 
authority. Looking at other programs such as Pathways, 
Presidential Management Fellows and other recent graduate 
programs. We are also looking at partnerships with industry 
where they can----
    Mr. Thompson. I don't mean to cut you off, but----
    Ms. Manfra. Yes, sir.
    Mr. Thompson [continuing]. So is the problem we have too 
many programs to attach people to? Or I am just trying to find 
out why when we give you the authority to hire, why we have not 
been able to come closer to whatever that authority is. Is 
there something----
    Ms. Manfra. I see, sir.
    Mr. Thompson [continuing]. We need to do to get you to that 
point?
    Ms. Manfra. Sir, I separate the authority that we were 
given by Congress to build an accepted service program. What I 
was referring to was I did not believe a couple of years ago we 
were fully leveraging the authorities we already had and the 
programs that we already had to bring people in and tightening 
the time line that it takes to bring people on.
    The accepted service program is led by our chief human 
capital officer, who I know this is a high priority for her. We 
did not probably appropriately expedite the development of that 
program 4 years ago. We have now done so.
    My understanding is that we will now be able to hire 
against that program beginning in fiscal year 2019, but there 
is a regulatory process that we do have to undergo as a part of 
that.
    Mr. Thompson. Just for the sake of the committee, can you 
provide us with a time line between when somebody who is 
considered for employment and when that is completed? Is it--
just get back to us.
    Ms. Manfra. Yes, sir.
    Mr. Thompson. Was it 3 months, 6 months, a year? I think 
that would be instructive for us so we can kind of see if there 
are some bottlenecks involved.
    Ms. Manfra. Yes, sir.
    Mr. Thompson. The reason I say that, Mr. Chairman, I mean, 
all of us are constantly bombarded by people looking for 
employment opportunities. If we have potential opportunities 
here, is it something we are not doing? Are we not going out 
recruiting in a broader view or just what? But we just need 
to----
    Ms. Manfra. Sure.
    Mr. Thompson [continuing]. Kind-of figure something out.
    Ms. Manfra. Right. If I could, sir, just clarify that the 
76 percent is just indicating people that are on-board right 
now. If you include the people that are in the full pipeline, 
that brings us about to 85 percent.
    So for us, we are averaging about 224 days to hire. That 
sounds long, but that is to include a Top Secret SCI clearance 
process, which is actually fairly for the benchmark of the rest 
of the Government, we are actually doing quite well.
    We want to continue to work with you sir, though. We will 
come back with you.
    Mr. Thompson. Just, please get back----
    Ms. Manfra. Yes, sir.
    Mr. Thompson [continuing]. With us.
    Mr. Krebs we have a Congressional Task Force on Election 
Security, and we may request of the Department to provide us a 
Classified briefing around this issue. We have been told that 
it has to be bipartisan, that you can't just brief Democrats. 
Are you aware of that?
    Mr. Krebs. Sir, I am not aware of any existing policy, but 
let me say this. I share your concern on election 
infrastructure. I think I have made that clear today, and I 
want to say it directly to you as well, that it is my top 
priority at the Department.
    Again, if we can't do this right, if we can't dedicate 
every single asset we have to assisting our State and local 
partners, then, frankly, you know, I am not sure what we are 
doing day-to-day.
    So in terms of what we have done in terms of engagements, 
we are prioritizing delivery of those briefings, information 
sharing to our State and local partners. We are doing it in a 
bipartisan manner because my opinion is that this does 
transcend party lines, and we should be doing this, all pull in 
the same direction.
    So going forward, I would encourage any additional 
briefings. We have provided a series of bipartisan briefings to 
the House Homeland Security Committee, both Classified and 
Unclassified. The real crux of this issue, the underpinning 
issue here, is a trusted relationship.
    Now, did we have some--yes, sir----
    Mr. Thompson. I appreciate it, but we have established a 
working group within the Democrats on the committee, and we are 
just trying to get a briefing. So I think it is nice to say I 
don't want to brief you because there are no Republicans, but 
we are Members of Congress. All we are trying to do is get 
access to the information.
    If your interest is there, I am convinced that you will 
provide it. That is the spirit in which the request was made. 
So we will make it again.
    Mr. Krebs. Yes, sir.
    Mr. Thompson. I look forward to you coming back. Just bring 
us what information you have as Members of Congress, and that 
is all we ask.
    Mr. Krebs. Thank you.
    Mr. Thompson. I yield back, Mr. Chairman.
    Mr. Ratcliffe. Thank the Ranking Member.
    The Chair now recognizes the gentleman from Virginia, Mr. 
Garrett.
    Mr. Garrett. Hit my talk button. My voice sounds better 
with the microphone on. But I want to piggyback on what my 
friend and colleague, Ranking Member Thompson said, and suggest 
that I would agree with you that election infrastructure, 
cybersecurity as it relates to partnering with States whose 
responsibility it is to overseeing and conduct elections is a 
priority that crosses and transcends the aisle.
    I would ask that any briefing that you give to Democrat 
Members you also perhaps invite me to or give the exact same 
briefing to Republican Members, which I think is inconsiderate 
of your time given that that would be a great redundancy.
    But I can't fathom why one party should be briefed on 
cybersecurity as it relates to our elections in the absence of 
another in the United States of America.
    So if you do, in fact, and I hope you will, respond to the 
Ranking Member's request to brief on electoral security as it 
relates to cyber issues, please invite me, because I can't 
fathom that one party has a monopoly on hoping that we can have 
free and fair and trustworthy elections.
    I am sure that my colleague didn't mean it that way, but I 
just want to be very clear in suggesting that that should not 
be a partisan issue and that perhaps maybe people from both 
parties should be invited. Or we can just make you give the 
same briefing twice which, again, I think is inconsiderate and 
shortsighted.
    Having said that, transitioning to what we know as it 
relates to malicious Russian cyber activity, specifically with 
relation to Estonia and the Ukraine, based on my understanding, 
the bulk of the platforms used to infiltrate infrastructure--I 
say, platforms--malware, it would appear, based on my ability 
to speak in this forum, were off the shelf, if you will, Kill 
This, for example, Black Energy were known entities that were 
discovered as it relates to these attacks as part of a 
coordinated attack. How well do we stay ahead or try to stay 
on-line with it?
    I understand that it is a moving target, the malware that 
might be implemented because to the extent that there is any 
hope, and again, I understand the format that we are in might 
limit the conversation that we have, a lot of the malicious 
activity to this point conducted we presume and data would 
indicate by the Russians has used off-the-shelf technology.
    So I guess the question there is how quickly can we pick up 
on the advancements in malware and then sort-of inculcate them 
into our preventative measures? That is wide open to whichever 
one of you wonderful folks would like to address it.
    Mr. Krebs. Thank you, sir. So if I may, I will start and 
provide a bit of a broader approach and then defer to my expert 
colleague from the Department of Energy on anything specific to 
the grid and electricity.
    Mr. Garrett. I am subject to a time limit, so, I apologize 
but----
    Mr. Krebs. So I will do this quickly.
    Mr. Garrett. Yes, sir.
    Mr. Krebs. Generally speaking when we talk--we have already 
talked about advanced persistent threat here. When we think 
about threats, it is not necessarily generally speaking 
advanced. It is just persistent.
    Companies are--organizations are still not doing the basic 
blocking and tackling. When you think about WannaCry, when you 
think about NotPetya, some of those exploitations were based on 
open, known vulnerabilities. They just weren't patched.
    So the concept of a zero-day exploit, while it is out 
there, it is not actually the primary exploit that we tend to 
see in the wild.
    Mr. Garrett. Sorry to interrupt you. I am a big fan of 
limited government, but in this arena, because the entire 
Nation hangs in the balance, not just our elections but 
everything as it relates to our grid, might it not be effective 
to hit the particular power providers where it counts?
    That is essentially make it cost something, perhaps 
metaphorically and literally, for entities that don't patch 
those open known threats. That is something that would be 
within the purview of the Government, right? You will be up to 
date on X, Y, and Z or it will cost you. Would that be 
something that has been explored?
    Mr. Krebs. So my colleague, Jeanette Manfra, can speak to 
the Government piece. Then----
    Ms. Manfra. OK, just very briefly----
    Mr. Garrett. Again, I am not trying to--you guys are great, 
I just, 5 minutes.
    Ms. Manfra. No problem. So very briefly, the first binding 
operational directive we issued for Federal agencies was 
reducing the time to patch critical vulnerabilities, as you 
said, 30 days.
    We have actually seen a complete cultural change as a 
result of that. We are now seeing the Government highly 
prioritizing patching those critical vulnerabilities. So I just 
wanted to throw that out there.
    Mr. Garrett. So there is a carrot and a stick, right?
    Ms. Manfra. Correct, sir.
    Mr. Garrett. I am guessing the stick, but the carrots--I 
would rather the carrot. But I am glad to hear you say you are 
addressing that. Again Mr. Hoffman, I don't mean to cut you 
short. I have got 15 seconds.
    I wanna speak to the nature of NERC and whether or not the 
fact that it is a semiprivate autonomous pseudo-entity 
compromises intelligence tactics, techniques, procedures, et 
cetera.
    Ms. Hoffman. So I don't think NERC as an organization 
compromises any sort of intelligence. It does have the 
information-sharing analysis center, which is our mechanism for 
sharing information to the sector writ large. It also has 
capabilities to compel and look at the industry to respond so 
we can get the information we need.
    Mr. Garrett. Thank you all, and I apologize for going 
briefly over.
    Mr. Ratcliffe. Thank the gentleman.
    The Chair recognizes my friend from Rhode Island, 
Congressman Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank our 
witnesses for your testimony here.
    Before I go into my questions, I just wanted to mention 
publicly and particularly to Mr. Garrett, so I am a member of 
the elections task force that certain Democrats have put 
together on how to go forward and improving election security.
    I would say to my colleague that there was an initial 
effort in outreach to Republicans to make this a bipartisan 
effort, which was not accepted. It was not--we didn't find 
anyone that was receptive. But I would say this. The task force 
meetings are open to the public. My colleague Mr. Garrett is 
welcome to participate fully with that.
    With respect to the Ranking Member's question on the 
Classified briefing both on Russian interference in our 
elections and how we are better securing our election systems, 
that is whether it was a Democrats only or Democrats and 
Republicans, I would prefer it as a Democrat and Republican 
briefing.
    But however we get the briefing, unless I am 
misunderstanding what the Ranking Member was asking, we just 
want the briefing. So we have asked that you provide that to 
us.
    Mr. Krebs. Yes, sir. Thank you. I do believe we have 
provided a Classified briefing in the past and welcome the full 
committee briefing and the subcommittee briefing on that as 
well. Yes, sir.
    Mr. Langevin. So the other thing I wanted to mention that, 
Mr. Krebs, I appreciate your comments, that you have all the 
authorities in your acting role to do the job necessary in 
cyber. But I would reiterate that it is vitally important that 
we get key people appointed and in place permanently.
    I respect the work that you are doing and your team, but we 
need permanent people in place. It both inspires confidence and 
clarity to what the mission is.
    So let me get into my questions very quickly. I am gonna 
try to go through them. For the ones you can't answer fully 
because of time constraints, I would request a follow-up in 
writing.
    So on September 13, DHS issued a binding operational 
directive, 1701, which directed Federal Executive branch 
departments and agencies to remove Kaspersky products from 
their systems within the next 90 days.
    In doing so, DHS for the first time issued a public 
statement to coincide with the establishment of the directive 
and which I would like to commend the Department for this added 
transparency. I thought that was important.
    My question is: What analysis led to the removal of 
Kaspersky from Federal networks? This is the case--I understand 
that this answer may be Classified, in which case I would 
request it that you and your team provide briefing to Members 
on the deliberations behind it. I think that is something 
vitally important that this committee, both sides of the aisle, 
understand what went into that.
    Next Mr. Krebs, the SEC was breached in late 2016. We now 
know that the attackers had access to corporate filings prior 
to their public release. The announcement of this breach was 
made nearly a year after it was first discovered.
    My question was: When was DHS informed of the breach? What 
was DHS's involvement in detecting, responding, and recovering 
from this attack?
    Finally, how could DHS improve its integration with Federal 
agencies to ensure these types of attacks are detected and 
notified quicker in the future?
    Mr. Krebs. Thank you, Congressman Langevin. Let me briefly 
touch on the Kaspersky piece, and then I will kick it over to 
Assistant Secretary Manfra. So on Kaspersky, that determination 
was based on the totality of evidence including by, on the most 
part open-source information.
    In terms of a Classified briefing, I believe we are on the 
schedule for some point in the next month or so with the full 
committee, the monthly intel briefing. So with that, if I may, 
I would like to turn it over to Assistant Secretary Manfra.
    Mr. Langevin. Thank you. I would appreciate it. Thank you.
    Ms. Manfra. Sir, welcome to support a briefing on 
Kaspersky. As far as the SEC, we are also happy to come in and 
have a more fulsome conversation with you about that. They did 
notify us last year on November 4 of an issue.
    It was, at the time, the extent of the issue was not well-
understood and given the time limits here, I think it might be 
more useful if we sat down with you and other staff members as 
appropriate to walk through specific details.
    Mr. Langevin. OK. What do you think--what was the DHS 
involvement, though, in detecting and responding to the 
recovery though?
    Ms. Manfra. Sir, we have very limited involvement with the 
SEC. They did not request our follow-on assistance for a 
response.
    Mr. Langevin. OK. On the issue of how they can work better 
in the future?
    Ms. Manfra. Sir, in addition to this incident, as well as 
several others, we are reviewing our procedures to ensure that 
it is clear that when an incident happens, what role that the 
Department needs to play in a response, not just at the request 
of an agency.
    That if we are looking at specific critical services and 
functions then the Department needs to have a more active role 
in that response, regardless of whether the agency requests it.
    Mr. Langevin. Thank you. In August, Congressman Will Hurd 
and I traveled to DefCon as a bipartisan trip to that security 
conference. I think we both were impressed by the willingness 
of security researchers to report vulnerabilities in order to 
improve overall internet security.
    What efforts has the Department made to establish a 
vulnerability reporting process for DHS sites and software? 
Again, one of the things that I found with sort-of the 
Pentagon's bug bounty program was very helpful in identifying 
security vulnerabilities and getting the attention of the right 
individuals to close those vulnerabilities.
    In talking to security researchers, one of the things that 
impressed me the most is that they just want to make the 
internet work better. But they wanna know that when they find a 
vulnerability, there is a path forward that they can report it 
and that someone is actually gonna do something about it and 
they are actually gonna be heard.
    So what progress has DHS made in this respect?
    Ms. Manfra. Sir, we actually have a very long-standing 
program on both operational technology vulnerabilities, so 
industrial control systems as well as enterprise technologies.
    We have been working with security researchers in both 
communities for years to provide them a space for them to 
identify that vulnerability and also to advocate with the owner 
of that software for a patch. Much of the alerts that we issue 
are the result of collaboration with security researchers.
    We also have our own organization within my group that 
conducts penetration testing and risk and vulnerabilities 
assessments across the Government to include DHS networks.
    So while bug bounty programs can be useful, we need to 
ensure that they are supplemented with a broader risk and 
vulnerability analysis and testing that my organization does to 
ensure organizations are appropriately prioritizing what they 
are addressing.
    Mr. Langevin. OK. What about DHS's specifically-owned 
systems?
    Ms. Manfra. My organization also supports penetration 
testing and vulnerability assessments within the DHS, 
particularly the high-value assets that DHS owns.
    But I do know that our leadership and the management is 
interested in learning from what the Department of Defense has 
done in their bug bounty program and how that might apply to 
DHS. So we are continuing to work through how that might be 
applied for our organization.
    Mr. Langevin. Mr. Chairman, I had one more on election 
security. Can I ask that? Thank you.
    So I know we have touched on this a bit, but for the record 
I really wanted to dive a little deeper into this. So I am very 
interested, obviously, in ensuring that State and local 
election officials have access to resources from DHS to protect 
the vital systems that represent the cornerstone of our 
democracy.
    So can you further describe how DHS is working with 
election officials to protect networks? Do you believe that 
DHS's response to the unprecedented appearance in our elections 
last year really has been sufficient?
    Finally, how can we improve the relationship and access to 
resources? Are there additional funds or resources that the 
Department needs in this respect?
    Mr. Krebs. So thank you for those questions. Let me start 
at the end with your improving relationships. While I was not 
at the Department last summer as this all manifested, I can 
speak to generally the relationships with State election 
officials.
    That was not an existing relationship between the 
Department of Homeland Security in the State and locals. 
However, we do have strong relationships, of course, with the 
Homeland Security advisors and the chief information officers 
and chief information security officers.
    But to square the circle on this specific threat, we need 
to develop partnerships that are, you know, three or four legs 
on the stool within each specific State. Each State is going to 
be a little bit different in terms of how, you know, who they 
designate as the chief election official, as well as you roll 
in the vendors of technology.
    So in terms of how to improve relationships, it is gonna 
take a lot of effort and a little bit of time. Those are things 
that we are working on right now. We don't have much time, but 
we are dedicating resources.
    In fact, just this morning I sent out a notice across my 
organization, NPPD, reflecting some changes we made 
organizationally last week by establishing an election task 
force.
    Previously, the election infrastructure piece had been held 
within the Office of Infrastructure Protection as a program.
    Again, matching my words with our execution, we are 
elevating it as a task force, bringing components or pieces 
from across the DHS components, including the Office of 
Intelligence Analysis and resourcing it appropriately.
    This is speaking to a lot of resources. We are pulling the 
resources together in recognition that we don't have a lot of 
time, given there are three elections this year.
    Mr. Langevin. The number of FTEs and money that is it 
actually committed to this?
    Mr. Krebs. I don't have the FTEs on hand right now. But I 
can get back to you on that one. I believe Miss Manfra has 
them.
    Mr. Langevin. The funds as well, specifically?
    Ms. Manfra. Yes. If I could just make one additional point 
on the resources, Ranking Member Richmond noted that his 
understanding was that there was a 9-month wait for risk and 
vulnerability assessments. I don't know whether that is the 
exact current number.
    But that speaks to the high demand that we are experiencing 
for our assessment services. That is everything from 
penetration testing to the cyber hygiene scans that multiple 
States and localities have participated and continue to 
participate in, as well as these more in-depth risk and 
vulnerability assessments.
    We are growing that program. We are diverting resources. We 
are building infrastructure so that we can more scale that. But 
these are services that we are providing not just to Federal 
agencies, but also to State and local governments, as well as 
critical infrastructure. We are experiencing much more demand 
for those services, and we are continuing to look for ways to 
scale that capability.
    Mr. Langevin. Thank you. Thank you for your answers. Again, 
if there are follow-ups that you can provide to give us in 
writing or in briefings, I appreciate that.
    Mr. Chairman, thank you for your indulgence.
    Mr. Ratcliffe. You are welcome. The gentleman yields back.
    I wanna thank all three of our witnesses today for your 
valuable and insightful testimony. I thank all the Members for 
their questions today. The Members of the committee do have 
some additional questions for witnesses, and we will ask you to 
respond to those in writing.
    Pursuant to committee rule VII(D), the hearing record will 
be held open for a period of 10 days. Without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 11:28 a.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

    Questions From Chairman Michael T. McCaul for Christopher Krebs
    Question 1a. What is DHS doing and what more is planned for the 
future to assist in and refine the process of providing clearances for 
those in the private sector?
    Answer. Response was not received at the time of publication.
    Question 1b. Has there been talk of allowing for more clearances if 
the private sector were willing to pay for each additional clearance 
for individuals who qualify via the current standards?
    Answer. Response was not received at the time of publication.
    Question 1c. There also seem to be issues in clearing secure 
facilities. Is the Department making the appropriate relevant 
information available to the private sector on what the qualifications 
are for obtaining a cleared facility?
    Answer. Response was not received at the time of publication.
    Question 2a. When it comes to information sharing, DHS has a 
variety of programs from CISCP, to AIS, to the individual agreements 
with the Information Sharing and Analysis Centers. How is DHS 
incorporating stakeholder feedback to understand what information is 
most useful and actionable for companies?
    Answer. Response was not received at the time of publication.
    Question 2b. What are the greatest challenges faced by the 
information-sharing programs?
    Answer. Response was not received at the time of publication.
    Question 2c. Has there been any operational change to the amount, 
type, or context around the cyber threat information shared to address 
these challenges?
    Answer. Response was not received at the time of publication.
    Question 3. The protection of Federal networks was a large element 
of the President's cyber Executive Order (EO). As DHS is currently 
implementing the Continuous Diagnostics and Mitigation (CDM) program to 
protect Federal networks, what is the role CDM in executing the EO?
    Answer. Response was not received at the time of publication.
      Questions From Chairman John Ratcliffe for Christopher Krebs
    Question 1. In 2014, DHS was provided authority to establish 
excepted service positions relating to cybersecurity; what is the time 
line for implementation and operationalization of this authority?
    Answer. Response was not received at the time of publication.
    Question 2a. In 2015, Congress passed important legislation 
authorizing the Automated Indicator Sharing program, or AIS. Is AIS 
currently meeting the benchmarks that have been had laid out for the 
program?
    Answer. Response was not received at the time of publication.
    Question 2b. What are the reasons for the successes DHS has had 
with AIS and what are some impediments that the program is currently 
facing?
    Answer. Response was not received at the time of publication.
    Question 2c. What are the latest benchmarks that DHS has set for 
AIS and what can we in Congress do to support these efforts?
    Answer. Response was not received at the time of publication.
    Question 3. There seems to be a consensus that in order to keep 
pace with the threats our networks face, collaboration between the 
public and private sector will need to be strengthened. How do you see 
engagement and collaboration with the private sector changing?
    Answer. Response was not received at the time of publication.
    Question 4. As part of the cyber Executive Order, the DHS Secretary 
will be reviewing the capabilities and resources that can be and 
currently are being offered to designated companies within the most 
critical of critical infrastructure sectors (Section 9 companies). 
Please provide a general overview of what is currently offered. Do you 
expect any additional capabilities to be developed or implemented by 
DHS for companies designated as ``Section 9'' in response to this 
review?
    Answer. Response was not received at the time of publication.
     Questions From Chairman Michael T. McCaul for Jeanette Manfra
    Question 1a. What is DHS doing and what more is planned for the 
future to assist in and refine the process of providing clearances for 
those in the private sector?
    Answer. Response was not received at the time of publication.
    Question 1b. Has there been talk of allowing for more clearances if 
the private sector were willing to pay for each additional clearance 
for individuals who qualify via the current standards?
    Answer. Response was not received at the time of publication.
    Question 1c. There also seem to be issues in clearing secure 
facilities. Is the Department making the appropriate relevant 
information available to the private sector on what the qualifications 
are for obtaining a cleared facility?
    Answer. Response was not received at the time of publication.
    Question 2a. When it comes to information sharing, DHS has a 
variety of programs from CISCP, to AIS, to the individual agreements 
with the Information Sharing and Analysis Centers. How is DHS 
incorporating stakeholder feedback to understand what information is 
most useful and actionable for companies?
    Answer. Response was not received at the time of publication.
    Question 2b. What are the greatest challenges faced by the 
information-sharing programs?
    Answer. Response was not received at the time of publication.
    Question 2c. Has there been any operational change to the amount, 
type, or context around the cyber threat information shared to address 
these challenges?
    Answer. Response was not received at the time of publication.
    Question 3. The protection of Federal networks was a large element 
of the President's cyber Executive Order (EO). As DHS is currently 
implementing the Continuous Diagnostics and Mitigation (CDM) program to 
protect Federal networks, what is the role CDM in executing the EO?
    Answer. Response was not received at the time of publication.
       Questions From Chairman John Ratcliffe for Jeanette Manfra
    Question 1. In 2014, DHS was provided authority to establish 
excepted service positions relating to cybersecurity; what is the time 
line for implementation and operationalization of this authority?
    Answer. Response was not received at the time of publication.
    Question 2a. In 2015, Congress passed important legislation 
authorizing the Automated Indicator Sharing program, or AIS. Is AIS 
currently meeting the benchmarks that have been had laid out for the 
program?
    Answer. Response was not received at the time of publication.
    Question 2b. What are the reasons for the successes DHS has had 
with AIS and what are some impediments that the program is currently 
facing?
    Answer. Response was not received at the time of publication.
    Question 2c. What are the latest benchmarks that DHS has set for 
AIS and what can we in Congress do to support these efforts?
    Answer. Response was not received at the time of publication.
    Question 3. There seems to be a consensus that in order to keep 
pace with the threats our networks face collaboration between the 
public and private sector will need to be strengthened. How do you see 
engagement and collaboration with the private sector changing?
    Answer. Response was not received at the time of publication.
    Question 4. As part of the cyber Executive Order, the DHS Secretary 
will be reviewing the capabilities and resources that can be and 
currently are being offered to designated companies within the most 
critical of critical infrastructure sectors (Section 9 companies). 
Please provide a general overview of what is currently offered. Do you 
expect any additional capabilities to be developed or implemented by 
DHS for companies designated as ``Section 9'' in response to this 
review?
    Answer. Response was not received at the time of publication.