[Senate Hearing 115-310]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-310

                 CYBERSECURITY REGULATION HARMONIZATION

=======================================================================

                                 HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             JUNE 21, 2017

                               __________

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs

                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
27-395PDF                  WASHINGTON : 2018                     
          
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].       
       
       COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana                KAMALA D. HARRIS, California

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
              Colleen E. Berny, Professional Staff Member
               Margaret E. Daum, Minority Staff Director
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Bonni E. Dinerstein, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator McCaskill............................................     2
    Senator Daines...............................................    16
    Senator Heitkamp.............................................    18
    Senator Lankford.............................................    21
    Senator Peters...............................................    24
Prepared statements:
    Senator Johnson..............................................    29
    Senator McCaskill............................................    30

                               WITNESSES
                        Wednesday, June 21, 2017

Christopher F. Feeney, President, BITS, Financial Services 
  Roundtable.....................................................     4
Dean C. Garfield, President and Chief Executive Officer, 
  Information Technology Industry Council........................     5
Daniel Nutkis, Chief Executive Officer, Health Information Trust 
  (HITRUST) Alliance.............................................     7
James ``Bo'' Reese, Vice President, National Association of State 
  Chief Information Officers, and Chief Information Officer, 
  Information Services, Office of Management and Enterprise 
  Services, State of Oklahoma....................................     9

                     Alphabetical List of Witnesses

Feeney, Christopher F.:
    Testimony....................................................     4
    Prepared statement...........................................    33
Garfield, Dean C.:
    Testimony....................................................     5
    Prepared statement...........................................    58
Nutkis, Daniel:
    Testimony....................................................     7
    Prepared statement...........................................    74
Reese, James Bo:
    Testimony....................................................     9
    Prepared statement with attachment...........................    79

                                APPENDIX

Email submitted for the Record by Senator Lankford...............    92
Responses to post-hearing questions for the Record
    Mr. Feeney...................................................    93
    Mr. Garfield.................................................    98
    Mr. Nutkis...................................................   109
    Mr. Reese....................................................   111

 
                 CYBERSECURITY REGULATION HARMONIZATION

                              ----------                              


                        WEDNESDAY, JUNE 21, 2017

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to other business, at 10:29 
a.m., in room SD-342, Dirksen Senate Office Building, Hon. Ron 
Johnson, Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, Daines, McCaskill, 
Carper, Tester, Heitkamp, Peters, Hassan, and Harris.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will be called 
to order. I want to welcome our witnesses. Thank you for your 
testimonies.
    I would ask consent that my written statement be entered 
into the record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 29.
---------------------------------------------------------------------------
    I will just keep my remarks brief.
    Cybersecurity is an enormous threat facing this Nation. As 
General Keith Alexander, the former Director of the National 
Security Agency (NSA), said, the loss of industrial information 
and intellectual property through cyber espionage constitutes 
``the greatest transfer of wealth in human history.''
    I believe this is either our fifth or sixth hearing on 
different aspects of the problem associated with cybersecurity. 
We are looking at different parts of this, looking for a proper 
definition of the problem, certainly laying out the reality of 
what General Alexander was referring to, but also looking for 
solutions.
    This is an interesting hearing because it combines our 
concentration on this real threat, cybersecurity, one of the 
top priorities on the homeland security side of our Committee, 
with a top priority on the governmental affairs part of this 
Committee, overregulation--the $2 trillion regulatory burden, 
about $15,000 per year per household, and how that 
overregulation is making us less secure in cyberspace.
    It is interesting. We had Comptroller General Gene Dodaro 
here at our annual duplication report hearing, and we had the 
chancellor of UW-Madison come and testify. The last 2 years she 
has visited me in my office, she has complained of 
overregulation. This year she came in armed with a study 
commissioned by the research universities that said that 42 
percent of researcher time in these universities on Federal 
Government grant programs--these are the grants that are 
supposed to cure diseases and help advance human knowledge and 
science--42 percent of researcher time is spent filling out and 
complying with Federal regulations. And, I think what is 
interesting is that in testimony today from our witnesses, one 
of the witnesses will testify that about 40 percent of his time 
or his cybersecurity group's time is spent--guess what?--
complying with often contradictory Federal regulations.
    So, we obviously have to streamline this. We have to 
understand the enormous opportunity cost of overregulation, of 
contradictory regulations. If we want to truly address this 
very complex problem of the threats we face because of the 
cyber attacks and our challenges in securing our cyber assets, 
we have to look to all levels of government, consolidating 
their regulatory framework, to streamline that regulatory 
regime as much as possible so professionals within industry and 
within government, quite honestly, can concentrate on the 
primary task at hand, which is securing our cyber assets.
    With that, I will turn it over to Senator McCaskill.

           OPENING STATEMENT OF SENATOR MCCASKILL\1\

    Senator McCaskill. Thank you, Chairman Johnson. One of my 
top priorities as a Senator is focusing on how we can make 
government work better and more efficiently. Eliminating waste, 
fraud, and abuse in an effort to save taxpayer dollars and 
improve government services and make government less intrusive 
into the lives of operating businesses in this country are a 
priority.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator McCaskill appears in the 
Appendix on page 30.
---------------------------------------------------------------------------
    Today's hearing allows for us to hear from representatives 
from the private sector and the States about how they manage 
compliance with the variety of regulations they face relating 
to data and cybersecurity. There is currently no clearinghouse 
for mitigating conflicts between regulators, and as a result, 
States and industry bear the burden for ensuring compliance 
between sometimes redundant and often conflicting regulations.
    Regulators play an essential role in mandating security 
measures like notifications after a data breach and requiring a 
minimum level of security to protect personally identifiable 
information (PII). However, as these witnesses will attest, 
while the goal of the regulation is improved security, due to a 
lack of harmonization between regulations industry spends too 
much valuable time sorting through compliance when it could be 
investing those hours and resources into improving their 
security systems and services.
    We will hear today about how centralized information 
technology (IT) systems can play a key role in improving 
efficiency and security. The same can be said about 
centralizing cyber policy across the Federal Government. We 
have made significant strides in recent years to authorize and 
operationalize the Department of Homeland Security's (DHS) 
National Cybersecurity and Communications Integration Center 
(NCCIC). President Obama also mandated the creation of National 
Institute of Science and Technology (NIST) Cybersecurity 
Framework, which creates a common language for government and 
industry.
    We have spent years working to make DHS the central 
cybersecurity information sharing entity. We finally passed the 
Cybersecurity Information Sharing Act (CISA) in 2015, providing 
liability protection to encourage industry to share threat 
information with DHS. But, now the Department of Health and 
Human Services (HHS) has decided that the NCCIC and the 
existing information sharing structure have limitations. Rather 
than examining what the private sector was doing to address 
potential gaps, HHS went ahead and built a health-specific 
version called the ``Health Cybersecurity and Communications 
Integration Center'' (HCCIC). That is the essence of 
duplicative. It is exactly the problem that we are trying to 
address in this hearing.
    I have questions about the utility of this new entity. It 
is also not clear that this new cyber center is necessary or 
that it adds value. We should be looking to enhance information 
sharing participation and the NCCIC's capabilities, not 
sprouting a new ``kick'' for every industry or critical 
infrastructure sector. This could go on ad nauseam, handcuffing 
business even more in terms of sharing important threats with 
people who need to know.
    I am glad Chairman Johnson is joining me in sending a 
letter to HHS asking questions about the genesis of this new 
HCCIC and how it has been and will coordinate with DHS on the 
liability protections offered to those that share information 
with the HCCIC and why this new entity is even necessary. I 
hope we can stop this before it goes too far.
    I look forward to hearing from the witnesses today about 
other ways we can work to simplify and harmonize their 
regulatory burden.
    Thank you, Mr. Chairman, for holding this hearing.
    Chairman Johnson. Well, thank you, Senator McCaskill. And, 
again, I appreciate the leadership you have taken on that. It 
just kind of proves the point that, bottom line, the government 
wants to grow, regardless of the Administration. I believe this 
was started under Obama, and the Trump administration is kind 
of moving right forward with it. So, hopefully we can prevent 
that and consolidate this, and that is the purpose of the 
hearing.
    It is the tradition of this Committee to swear in 
witnesses, so if you will all stand and raise your right hand. 
Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Feeney. I do.
    Mr. Garfield. I do.
    Mr. Nutkis. I do.
    Mr. Reese. I do.
    Chairman Johnson. Please be seated.
    Our first witness is Christopher F. Feeney. Mr. Feeney is 
currently president of BITS, the technology policy division at 
the Financial Services Roundtable (FSR). Mr. Feeney has over 30 
years of experience in 
technology, business, sales, executive management, and 
operating roles at a variety of companies. Before starting at 
BITS, Mr. Feeney served as Chief Executive Officer (CEO), 
president, and in executive roles at Thomson Financial, Bank of 
America, Telerate, Multex, and Broadridge Financial. He is 
currently on the Board of Directors at Scottrade, Incorporated, 
and an executive committee member of the Financial Services 
Sector Coordinating Council (FSSCC). Mr. Feeney.

    TESTIMONY OF CHRISTOPHER F. FEENEY,\1\ PRESIDENT, BITS, 
                 FINANCIAL SERVICES ROUNDTABLE

    Mr. Feeney. Chairman Johnson, Ranking Member McCaskill, 
thank you for inviting me to testify on this critically 
important and timely subject.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Feeney appears in the Appendix on 
page 33.
---------------------------------------------------------------------------
    The Financial Services Roundtable represents 100 of the 
leading financial firms in our country, including banks, 
insurance companies, asset managers, payment firms, and finance 
companies.
    Make no mistake: Cybersecurity is a top-of-mind issue for 
every one of our CEOs, and the industry is committed to making 
the investments necessary to protect our critical 
infrastructure and, ultimately, the information and assets of 
our customers.
    Our industry is one of the most heavily regulated sectors. 
Nine independent Federal regulators, three self-regulatory 
organizations, and the State insurance, banking, and securities 
agencies oversee the industry. With that level of regulatory 
oversight, it is imperative that financial firms develop 
strong, collaborative relationships with regulators. In no 
space is that more relevant than in cybersecurity.
    The cybersecurity requirements across the financial 
industry are, like the sector itself, very diverse in terms of 
business size, type, and geographic footprint. That said, we 
have heard from both our members and regulators that 60 to 80 
percent of the cyber issuances could be considered common 
across all regulators. For any regulated entity, words matter. 
For the financial sector, with our waterfront of State and 
Federal regulators, it becomes a tangible problem when those 
tasked with creating cybersecurity rules do not follow a common 
language and instead approach the shared components of 
cybersecurity regulations with their own variations addressing 
the same cyber issues but from different perspectives.
    Think about it this way: As you all know, English is the 
universal language of air traffic controllers, and controllers 
all over the globe speak to pilots using the same agreed-upon 
language. Imagine if a pilot flying to Paris, the Middle East, 
and China had to know every native language as well as the 
different variations in expectations and protocols for every 
airspace they pass through.
    To put it in the context of this hearing, over the last 2 
years State and Federal financial regulators have put forth 46 
cybersecurity regulations, updates to guidance, or new tools. 
Individually, these regulations have merit. However, while we 
recognize the need to have cyber regulations tailored to the 
different firms and the markets in which they operate, these 
regulations do not follow a common language or a common set of 
exam procedures. This is counterproductive and introduces 
tremendous inconsistency and duplication of effort for 
technology operators, governance architects, and executive 
leadership.
    More specifically, firms already burdened by a shortage of 
skilled cyber professionals must take resources away from 
protecting their platforms to interpret the language of diverse 
regulations. Ultimately, we hold ourselves accountable, and the 
financial firms must ensure compliance with the regulatory 
process.
    As for a solution, you might be surprised to hear me say 
that it is not necessarily fewer regulations but instead 
rationalized and harmonized regulation around a common approach 
and a shared language. Our industry is committed to working 
with regulators to address this issue. In fact, FSR BITS and 
our industry partners have developed a model cyber framework 
using consistent language specific to our sector. The 
foundation of this effort is the NIST Cybersecurity Framework, 
which has been used in a similar way by other industries.
    We were very pleased to see this issue highlighted in the 
Treasury's report on modernizing financial regulation, which 
called for better coordination on cybersecurity regulation and 
examination across State and Federal financial Agencies.
    In conclusion, until that goal can be reached, we encourage 
the regulators to pause any additional cyber regulation which, 
if issued, will only serve to extend the problems I have 
described. When a chief information security officer (CISO) at 
one of our largest member firms estimates that 40 percent of 
his group's time is spent trying to unravel the web of 
cybersecurity regulations rather than focusing on protecting 
systems, that is a serious problem. We must ensure this issue 
does not fall prey to regulatory one-upmanship or jurisdictional 
turf battles. We must collaborate to maintain the cyber 
integrity of the U.S. financial system.
    Thank you, Mr. Chairman, and I look forward to your 
questions.
    Chairman Johnson. Thank you, Mr. Feeney.
    Our next witness is Dean Garfield. Mr. Garfield currently 
serves as president and CEO of the Information Technology 
Industry (ITI) Council. Through this role, ITI has helped 
define the national and international technology agenda, 
expanded its membership, and launched a leading innovation 
foundation. Before joining ITI, Mr. Garfield served as 
executive vice president and chief strategic officer for the 
Motion Picture Association of America (MPAA) and vice president 
of legal affairs at the Recording Industry Association of 
America (RIAA). Mr. Garfield.

TESTIMONY OF DEAN C. GARFIELD,\1\ PRESIDENT AND CHIEF EXECUTIVE 
        OFFICER, INFORMATION TECHNOLOGY INDUSTRY COUNCIL

    Mr. Garfield. Thank you. Chairman Johnson, Ranking Member 
McCaskill, and Members of the Committee, on behalf of 60 of the 
most dynamic and innovative companies in the world, I would 
like to thank you for engaging us in this conversation. The 
issues we are talking about today are immensely important, and 
so I would like to thank you as well for putting the focus on 
this issue.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Garfield appears in the Appendix 
on page 58.
---------------------------------------------------------------------------
    We have submitted my testimony for the record, so rather 
than repeat it, I will presume you have already read it and 
hone in on three things: one, our definition of the problem; 
two, what we are doing to help solve for it; and, three, where 
we see gaps that Congress, and this Committee specifically, can 
be helpful.
    Our definition of the problem is really how do we go about 
preserving the vibrancy and vitality of the Internet while 
protecting it against those who seek to do damage to the 
ecosystem through cyber insecurity. For us, success looks like 
enhancing the societal and economic benefits of the Internet, 
its openness, its interoperability, its integrated and 
international nature, while making sure we are protecting it 
against cyber insecurity.
    Like many shared spaces, whether it is a community play 
area or the Internet, we know that when there are 
encroachments, the instinct is to react by adding regulation 
and adding new rules. In the case of Internet and cyberspace, 
to do so would be a colossal mistake.
    What are we doing to try to help? We are focused on a 
multifaceted approach, largely targeted in three areas:
    One, doing what we do best, which is innovating, making 
sure that we are thinking about cybersecurity in the first 
instance as a design feature both at the hardware and software 
level.
    Second is recognizing that because this is a shared space, 
it is a shared responsibility, and so working in public-private 
partnerships to make sure that we are advancing cybersecurity. 
My colleague Mr. Feeney referenced the NIST framework, which we 
think should be the foundational strategy for how we go about 
protecting cyberspace.
    Third, we are endeavoring to cascade best practices through 
our supply chains and more broadly. For businesses like the 
ones I represent, cybersecurity is a CEO issue, and we put the 
emphasis and the resources that are necessary behind it. For 
small businesses, they may not have the resources or the know-
how to do so, and so we are endeavoring to do what we can to 
help solve for that.
    How can this Committee and Congress help? There are a 
number of gaps that we have identified, including the ones that 
are the point of this hearing.
    One, there is a lack of coordination. There are three 
Executive Orders (EO) in the last 5 years focused on 
cybersecurity and driving greater coordination. That has not 
occurred.
    Second, the point that I made earlier about small 
businesses and making sure that they are contemplated as part 
of the solution in this area is another gap that we see.
    What we recommend this Committee and Congress do generally 
is using its oversight powers to ensure that the level of 
coordination that is called out in those Executive Orders 
actually happens, built around the strategy that exists in the 
NIST framework, which is incredibly flexible, adaptable. In the 
same way that those who are endeavoring to create cyber 
insecurity are adapting all the time, the NIST framework is 
really a broader strategy around which we can build.
    Second is streamlining. The Department of Homeland 
Security, which Ranking Member McCaskill noted earlier is 
working on these issues, last year I spent some time looking at 
all of the different Federal cybersecurity initiatives around 
the Internet of Things (IOT), and recognized and identified 
that there were 30, often competing, different initiatives 
built solely around IOT. That is simply emblematic of the 
broader problem, and I know Mr. Feeney's exhibit over there to 
our right, in the context of his world, in the financial 
services sector I think does a good job of capturing the 
redundancies that occur more broadly.
    Third, it is critical, since this is a shared issue, that 
we take a multifaceted approach. Part of the solution here, 
including for the private sector but government as well, is our 
procurement practice. The procurement system actually helps to 
create these redundancies and complexities, and so streamlining 
and simplifying our procurement process will help to advance 
our goals in this area. I know this Committee is contemplating 
and considering the MGT Act, and from our perspective, moving 
that in a way that is consistent with your goals is a part of 
the solution in this area as well.
    I thank you for the opportunity to testify, and I look 
forward to your questions.
    Chairman Johnson. Thank you, Mr. Garfield.
    Our next witness is Daniel Nutkis. Mr. Nutkis currently 
serves as founder and chief executive officer at the Health 
Information Trust (HITRUST) Alliance. Mr. Nutkis has 
over 25 years of experience in risk management and health 
information technology. Before founding HITRUST, he served as 
executive vice president of strategy and president of care 
delivery at Zix Corporation, a security technology company. He 
also served as the national director for Ernst & Young LLP's 
health care emerging technology practice. Mr. Nutkis.

TESTIMONY OF DANIEL NUTKIS,\1\ CHIEF EXECUTIVE OFFICER, HEALTH 
              INFORMATION TRUST (HITRUST) ALLIANCE

    Mr. Nutkis. Chairman Johnson, Ranking Member McCaskill, and 
Members of the Committee, I am pleased to appear today to 
discuss the health care industry's experiences in engaging with 
government Agencies relating to cybersecurity regulatory 
harmonization and efforts we believe will provide the greatest 
benefit to industry. I am Dan Nutkis, CEO and founder of the 
Health Information Trust Alliance. HITRUST was founded in 2007 
and endeavored and continues to endeavor to elevate the level 
of information protection in the health care industry and its 
collaborators, especially between industry and government. 
While I prepared my written statement for the record, in my 
testimony today I will highlight three areas where 
cybersecurity regulatory harmonization should occur to reduce 
redundancy, unnecessary expense, and delays to better support 
the private sector in defending against cyber threats, thereby 
improving cyber resilience and management of cyber risk.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Nutkis appears in the Appendix on 
page 74.
---------------------------------------------------------------------------
    First is the area of information sharing. In 2010, HITRUST 
established a mechanism to share Indicators of Compromise 
(IOCs) and other cyber threat information with organizations of 
varying cyber maturity. HITRUST has led the industry in the 
collection and distribution of cyber threat information and 
continuously evaluates and innovates to support organizations 
in managing their cyber threats.
    From the beginning, HITRUST participated with the DHS Cyber 
Information Sharing and Collaboration Program (CISCP). We 
operate the largest and most active Information Sharing and 
Analysis Organization (ISAO) in health care. We are the first 
health care organization to begin sharing bidirectionally with 
the Department of Homeland Security's Automated Indicator 
Sharing (AIS) program.
    It was a surprise to learn that the Department of Health 
and Human Services recently established its healthcare-specific 
cybersecurity and communications center to focus its efforts on 
analyzing and disseminating cyber threats across the health 
care industry.
    There is a significant level of effort required for 
organizations like HITRUST in coordination with its thousands 
of constituents to engage in cyber information sharing programs 
with government. We undertake these efforts because we see the 
value in the program and participation with government and 
believe we are all operating toward a common goal. More can and 
should be done to ensure the role of industry and government 
are clearly defined when it comes to information sharing.
    The second is the area of government as a partner. HITRUST 
values its partners and recognizes the burden, responsibility, 
and authority beholden on them to protect the private sector. 
However, we should expect in areas where the private sector has 
made a significant investment in establishing an effective 
program or approach, the government would give it due 
consideration before seeking a government alternative that 
replicates or devalues industry efforts.
    For instance, last year, the Health and Public Health 
Sector Coordinating Council (SCC) and Government Coordinating 
Council (GCC), with input from HITRUST and other sector members 
including the DHS Critical Infrastructure Cyber Community, 
developed the Health Sector implementation guide for the NIST 
Cybersecurity Framework, specifically referred to as the 
``Healthcare Sector Cybersecurity Framework Implementation 
Guide.'' Yet despite the significant public and private effort 
that went into its publication, HHS is working toward the 
development of yet another health care-based implementation 
guide of the NIST Cybersecurity Framework despite the broad 
adoption of the existing guidance by private sector 
organizations. We are perplexed as to why HHS would not partner 
with industry by leveraging programs already in place and 
offering assistance to improve them instead of replicating and 
dismissing the hard work of industry. We would ask that 
Congress require Federal Agencies to give due consideration to 
existing standards and best practices already in place before 
developing new ones.
    The third is the area of government as a regulator. The 
Department of Health and Human Services is responsible for 
overseeing the implementation of the Health Insurance 
Portability and Accountability Act (HIPAA), and the HHS Office 
for Civil Rights (OCR) is responsible for assessing compliance 
with and enforcement of the HIPAA Privacy, Security and Breach 
Notification Rules, including issuance of civil and criminal 
penalties.
    In support of their role, they conduct annual random audits 
that are designed to enhance industry awareness of compliance 
obligations. We have documented that these random audits are, 
in fact, causing organizations to divert their attention and 
resources from enhancing their information protection programs 
based on the potential for random audits.
    We propose that policymakers consider a system whereby 
organizations that can demonstrate a comprehensive information 
security program that complies with the privacy and security 
provisions of HIPAA can receive some form of safe harbor or 
similar relief, and focus HIPAA audits on those organizations 
that cannot demonstrate their compliance in meeting the 
criteria.
    I hope my testimony illuminates areas where individual 
activities may seem innocuous, but in totality begin to create 
confusion and concern. I have highlighted where additional 
clarity in regulation and guidance will ensure the private 
sector understands how to best engage with government and also 
the complex issues that arise when a regulator is partnering 
with industry.
    Thank you again for the opportunity to join you today and 
share these insights. I look forward to your questions.
    Chairman Johnson. Thank you, Mr. Nutkis.
    Our final witness is Bo Reese. Mr. Reese currently serves 
as the chief information officer (CIO) for the State of 
Oklahoma and vice president of the National Association of 
State Chief Information Officers (NASCIO). Mr. Reese has been 
in State government for 25 years and was appointed the Oklahoma 
State CIO by Governor Mary Fallin in 2014. Prior to this role, 
he was CIO and deputy administrator and chief operations 
officer at HealthChoice, the State's self-funded health plan. 
From 2013 to 2014, Mr. Reese served as the chief operations and 
accountability officer at the Office of Management and 
Enterprise Services, Information Services. That is a pretty 
good mouthful. Mr. Reese.

 TESTIMONY OF JAMES ``BO'' REESE,\1\ VICE PRESIDENT, NATIONAL 
  ASSOCIATION OF STATE CHIEF INFORMATION OFFICERS, AND CHIEF 
INFORMATION OFFICER, INFORMATION SERVICES, OFFICE OF MANAGEMENT 
           AND ENTERPRISE SERVICES, STATE OF OKLAHOMA

    Mr. Reese. Chairman Johnson, Ranking Member McCaskill, and 
Members of the Committee, thank you for inviting me to testify 
before you today on Federal data security regulations and their 
impact to State governments.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Reese appears in the Appendix on 
page 79.
---------------------------------------------------------------------------
    My name is Bo Reese, and I serve as the chief information 
officer for the State of Oklahoma. I also serve as the vice 
president of the National Association of State Chief 
Information Officers. All 50 States and 2 territories are 
members of NASCIO, and we represent the interests of Governor-
appointed State CIOs who act as the top IT official for State 
government.
    Today, I would like to provide the Committee an overview of 
how Federal cybersecurity regulations impact our work to 
introduce efficiencies and generate savings for State 
taxpayers. I will also touch upon how the complex Federal 
regulatory environment is duplicative in nature, contributes to 
inconsistent Federal audits, and drives cybersecurity 
investments based on compliance and not risk, which is the more 
secure approach.
    Based on a 2009 assessment and prior to IT consolidation, 
the State of Oklahoma was supporting 76 financial systems, 22 
unique time and attendance systems, 17 different imaging 
systems, 48 reporting and analytic applications, and 30 data 
center locations.
    Over the past 5 years, we have reduced these redundancies, 
made large strides in unifying technology, and completed 
consolidation of 76 of the 78 mandated State Agencies and more 
than 30 voluntary agencies. Consolidation has resulted in $283 
million of estimated reduced spending and projected savings. 
One of the biggest hurdles in achieving savings through IT 
consolidation has been compliance with Federal security 
regulations.
    State CIOs and chief information security officers must 
comb through thousands of pages of Federal regulations to 
ensure that States are in compliance with rules from our 
Federal partners, and even though many Federal regulations are 
similar in nature in that they aim to protect high-risk 
information, they are mostly duplicative and have minor 
differences which can obscure the goal of IT consolidation, the 
whole point of which is to streamline IT applications and 
simplify the enterprise IT environment to produce savings for 
taxpayers.
    For example, Internal Revenue Service (IRS) Publication 
1075 and the Federal Bureau of Investigation (FBI) both protect 
very high risk information, but their password policies vary 
enormously. Also, the IRS requires incident notification within 
24 hours, but Center for Medicare and Medicaid Services (CMS) 
requires notification of a breach without unreasonable delay.
    Additionally, the FBI requires us to keep audit logs for 
one year. The IRS requires us to retain audit records for 7 
years.
    Further, duplicative regulations also contribute to 
inconsistent Federal audits. State governments are often 
audited multiple times by the same Federal agency and have 
different audit findings, even though they are auditing the 
exact same IT environment. For example, in Oklahoma, the IRS 
audited one of the State Agencies twice because it viewed two 
programmatic elements of the agency as separate entities. My 
office had to answer questions, attend meetings, and deliver 
additional explanatory materials twice for one agency because 
it is seen as two by the IRS auditors. Additionally, one audit 
team had a finding, and the other did not, despite only one IT 
environment being the subject of both audits.
    In Louisiana, five State Agencies were assessed by five 
different IRS auditors and ended up with five different 
outcomes. One agency had 32 findings; another, 27; one had 23; 
one had 14; and another had only 11. We have several more 
similar examples in our attachment to the written testimony.
    Inconsistent regulations in audits are problematic because 
they lead CIOs to make cybersecurity investments based on 
compliance and not risk. When Federal data security audits are 
conducted and produce findings of a critical nature, State CIOs 
must direct their attention and resources to remediating and 
addressing those findings to satisfy Federal auditors and avoid 
any potential negative impact to citizens. This approach is 
problematic for State government cybersecurity because it 
encourages State CIOs to make check-the-box compliance 
investments instead of ones based on risk, which is the more 
secure approach to managing sensitive data.
    We appreciate efforts by the Federal Government to secure 
and protect sensitive citizen information because we also share 
that responsibility at the State level. But, we must accomplish 
our shared goal without overly burdening State governments, 
ensuring that we are delivering government services to citizens 
in the most efficient and cost-effective manner. In recognition 
of that shared mission and responsibility, we want to work with 
our Federal Government partners to harmonize disparate 
regulatory requirements and normalize the audit process.
    Thank you for your attention, and I look forward to 
answering your questions.
    Chairman Johnson. Thank you, Mr. Reese.
    If we could put that diagram back up on the board, I would 
appreciate it.
    I think the witnesses have really laid out through 
anecdotal stories the problem here that I think is pretty 
obvious and pretty clear. I think the solution is actually 
pretty clear as well, but, as a diagram, this is pretty good. I 
do not know how long we actually had printers that could print 
something this complex. [Laughter.]
    But, Mr. Garfield, you mentioned the fact that there have 
been three Executive Orders basically asking the Federal 
Government to harmonize the regulation in the space, and you 
went on to testify that they have not been implemented.
    First of all, describe why not. I mean, is there any 
explanation of why a step that is so obvious, something that is 
just so imperative that we do, why has it required three 
Executive Orders and those Executive Orders have gone 
unimplemented?
    Mr. Garfield. I think in part it is because of the 
challenge of putting someone in charge. So, in order to have 
the level of coordination that is needed to avoid the kind of 
redundancy that we see reflected in that chart, you need 
someone who is a center point for coordination. So, we have a 
strategy, which is the NIST framework, around which we can 
build, but that strategy has to be driven by a particular 
entity or person.
    For example, in the most recent Executive Order, 13800, 
from President Trump, he pushes all of the Agencies and 
actually requires the Agencies to say what they are doing to 
act consistent with the NIST framework. The second part of it 
is not asked, and that is, What are the additional regulations 
that you are advancing related to cybersecurity? It is one 
thing to say you are implementing the NIST framework. It is 
another thing to actually do so in a fashion that does not 
create replication, redundancy, and complete lack of 
coordination.
    So, I think having a center point that is coordinating and 
advancing this to avoid duplication is central to helping to 
solve for this.
    Chairman Johnson. You are not saying there has been some 
bureaucratic infighting in terms of who wants--so let us--I 
mean, who should coordinate this? Because in the end, you need 
some department, some agency, somebody in the Federal 
Government to take charge of this, to be given the 
responsibility, to be held accountable to coordinate this 
action, to make sure that everybody comes into line so that 
the--again, Mr. Reese, I cannot remember how many you said, the 
number of different requirements that are required are actually 
answered in the same way. Who do you think is the best--and I 
will have all of you answer that question. Which agency, which 
department of government ought to take control of this? We will 
start with you.
    Mr. Feeney. I think for us it is important to keep Treasury 
in the role they are in. They are chartered to be our sector-
specific agency through DHS, and that has been very useful. 
They sit between both the industry and also the regulators. 
They chair the Federal Banking Infrastructure Council (FBIC), 
that specifically works with the Federal regulators, plus 
others like market regulators. So, in our world, that is the 
logical place. They understand us; they know our business. They 
understand financial systems and have been a good steward.
    Chairman Johnson. But, again, the problem with that is you 
are the financial industry. Then you have the health care 
industry over there.
    Mr. Feeney. Right.
    Chairman Johnson. And, now you have different Agencies of 
government basically trying to ask the same questions, trying 
to do the same type of regulation to ensure cybersecurity. And, 
Mr. Nutkis' group's regulators is going to have something 
completely different. Is that not the problem, Mr. Nutkis?
    Mr. Nutkis. Well, I think for us there are multiple 
problems. I think some of the guidance that is out there puts 
DHS squarely in the middle when it comes to cyber information 
sharing. So, we did not think we had any ambiguity, which I 
testified in March in a similar hearing, which was we were 
somewhat confused because we thought the Presidential directive 
created the ISAOs and then CISA clarified the role of 
government, which the Presidential directive kind of said you 
share with government, CISA clarified which part of government 
you shared with, so industry started moving down a path to do 
that.
    We may see things slightly different. We see HHS as a 
regulator. They fine, they enforce. So, sometimes when it comes 
to how openly and willingly you want to share with your 
regulator makes things a little tough as well. So, I think 
there is a role for the regulator in the role that they play, 
but as we look at looking for things like standards and how we 
apply these, we want them to be applicable across all 
industries. They can apply to ours as well.
    I think also health care is not a box. You have 
organizations that make fitness equipment. You have 
organizations that have supplements. You have organizations 
that deliver care. The lines get fuzzy, so we sometimes find 
that they do not work in small boxes.
    Chairman Johnson. So, again, you have the departments, you 
have the Agencies regulating different industries, and, again, 
that would be appropriate. What we are talking about here is 
something over all of those to completely coordinate and 
harmonize cybersecurity.
    Mr. Reese, as a State, you are not dealing with just one 
Federal agency. You are dealing with a bunch of them. I mean, 
industries might be dealing with a limited number. You are 
dealing with all of them. Is that not what you are asking for, 
give us basically kind of a one-stop shop to go to, to pretty 
well dictate--and I hate to say this--within the Federal 
Government, this is how you are going to develop--this is the 
framework under which you are going to regulate cybersecurity 
so we do not have that?
    Mr. Reese. Right, so most of the discussions we have had in 
the past have not been so much about who but how. And, as 
States, we have an organization like NASCIO where we as States 
come together and collaborate on a regular basis, and they help 
facilitate opportunities where we can begin conversations. And, 
we have begun some conversations with our Federal partners. We 
have not made a whole lot of headway, and we certainly are 
looking to this group to help champion some real change, 
hopefully; but really the how, and I think that is through a 
collaborative effort. We really want to avoid making those kind 
of decisions in a vacuum, getting everybody at the table, and 
making sure that we are in a collaborative environment where we 
are looking across the board at the different industries and 
then looking at the impact to States and looking for that true 
collaboration and shaping and sculpting something maybe from 
the ground up that is more functional and efficient.
    Chairman Johnson. Yes, from the ground up, but it has to 
come eventually to a point, to the top of that pyramid where 
the decisions are made and things are harmonized. Mr. Garfield, 
I will let you have the last word on this.
    Mr. Garfield. Yes, the infrastructure is there, so NIST 
develops the standards. You do not want a regulatory body 
developing the standards, as Mr. Nutkis pointed out. And so, 
the actual strategy, the framework, NIST is there. They are 
doing it. They are doing it well.
    Chairman Johnson. But, everybody is going off in different 
directions on that.
    Mr. Garfield. Yes.
    Chairman Johnson. So great, you have NIST. But, you still 
need somebody to have the power to make sure that everybody is 
handling it the same way.
    Mr. Garfield. We also have a cybersecurity coordinator. In 
the previous Administration, it was Michael Daniel. Now it is 
Mr. Joyce. I think part of what we are encouraging is that that 
role or some other role play this part in driving coordination 
and avoiding redundancy.
    That does not mean we are getting rid of the Agencies and 
their role in cybersecurity. This is multifaceted, and it has 
to be dealt with in that way. But, it would be helpful to have 
an entity, a person, a group of people coordinating all of the 
Agencies, bringing it together, making sure it is working in a 
holistic risk management approach.
    Chairman Johnson. The last point I will make is if it is 
just a person in an Administration, that could change every 4 
years, or sooner than that. I think we really need to identify 
a department--if that is going to be DHS and the NCCIC, we need 
to identify that. We need to empower that department so that 
there is consistency long term in this. Senator McCaskill.
    Senator McCaskill. Thank you, Mr. Chairman.
    Yes, in fact, the ``I'' in CCIC stands for ``Integration,'' 
and when we passed the bill, I think we envisioned that DHS 
would be the locus of the integration, while NIST provided the 
standards. That is why I am so concerned about this effort at 
Health and Human Services.
    Mr. Nutkis, when did you learn about the effort at HHS to 
essentially duplicate what we were trying to accomplish through 
the legislation that we signed into law at the Department of 
Homeland Security?
    Mr. Nutkis. I am not exactly sure when I found out, but I 
do know I found out through the media. I did not find out 
through our partnership with HHS, and it was not that long ago.
    Senator McCaskill. And, are you confident that it is going 
to duplicate efforts that are already underway? Is there any 
additional benefit you see coming from HHS trying to create its 
own entity for integration of cybersecurity policy?
    Mr. Nutkis. I cannot state that there is no value and I am 
not sure that I am cognizant of all the potential that--and 
what they want to focus on. I can only talk about what we 
understood the rules to be and how the role of industry and the 
role of government were supposed to play and now we have 
changed the rules.
    The rules were there was supposed to be information sharing 
organizations that we established either at a sector level, a 
segment level, or a community of interest level to be able to 
facilitate information sharing and share with government, and 
that provided the organizations to be able to understand which 
ones provided the most value. And, we could have sub-
information sharing organizations so that they were value-based 
and there was transparency around--as a matter of fact, DHS was 
establishing a standard. So, it was not one size fits all, and 
you could have a best of breed, so if you felt that you were a 
small organization, there was a community of interest for you. 
So, those ISAOs were able to innovate.
    What we have now done is say we are just going to--the 
government is going to come in and help us, and we are not sure 
exactly where the help is needed. There is no question more can 
be done. The question is: Did we evaluate what was going on and 
where the help is really needed?
    Senator McCaskill. I think this is probably another issue 
around this we have to talk about. One of the reasons the 
Cybersecurity Act of 2015 is so important is because of the 
safe harbor it provides. We are trying to incentivize this 
integration so that we can evaluate real risk and real threats. 
And, some of the briefings we have had around here in the last 
few months, classified briefings, have only tightened my grip 
on the sense of urgency that this is a real danger that our 
country faces, this threat from cyber warfare.
    Do you have confidence that the safe harbor liability 
protections that we put in that act that apply to DHS even 
apply to the HHS effort, HCCIC?
    Mr. Nutkis. I only know from reading the CISA Act, like 
everybody else. It is not a listed agency in CISA.
    Senator McCaskill. Right. So, are you all currently sharing 
information with HCCIC?
    Mr. Nutkis. We do not. We share information with the NCCIC.
    Senator McCaskill. And, I assume that this is a common view 
of people that are regulated by HHS that it is safer and my 
understanding is that they want you to share directly without 
redacting?
    Mr. Nutkis. I am not aware of the expectations of the 
HCCIC. I do know that the expectations of the thousands of 
organizations that share with us is we anonymize the 
information before sending it on to DHS and that we also spent 
a considerable amount of time having to go back to thousands of 
organizations to ask them to provide us with the waiver 
necessary for them to do that.
    Senator McCaskill. Have you voiced the concern you have 
about a regulator that has the ability to levy fines also being 
the point for information sharing? Have you shared that with 
HHS?
    Mr. Nutkis. I believe we have.
    Senator McCaskill. And, what was their response?
    Mr. Nutkis. I am not fully sure we ever got an answer.
    Senator McCaskill. Let me talk to you, Mr. Reese. While I 
would hope that we would all kind of join hands and try to 
force as much integration as possible through the NCCIC, 
through the Department of Homeland Security, because of the 
efforts we made to codify not only protections for the private 
sector but also integration in that locus for cybersecurity 
information sharing with the private sector, but maybe the help 
that might kind of tell HHS to back off or tell other Agencies 
we are going to do integration through NCCIC, we are going to 
do standards through NIST, would maybe be the Federal CIO. Do 
you believe that the Federal CIO--it would be important for the 
President to nominate a new Federal Chief Information Officer 
so that you would have an identified contact that has similar 
responsibilities at the Federal level that you have in your 
State?
    Mr. Reese. I think that is certainly a very interesting 
conversation because that is one of the challenges we certainly 
have, is when we are dealing with so many different Agencies 
and so many different disparate frameworks and regulations, 
where do you contact, who do you contact, who do you call for a 
particular one, and that they all overlap. And, when you are 
dealing in our environments where we have unified across a 
State an entire Executive Branch, we are dealing with public 
safety information, health information, IRS information, all 
collectively on similar systems. And so, when we have some of 
these challenges, we are not even sure who we should be seeking 
out guidance from because there is not a single contact. And, 
when we often get that guidance, it is usually not something 
that is very consistent.
    Senator McCaskill. Well, I certainly would like to join 
with the Chairman in a bipartisan effort to contact the 
Administration and let them know that not only are we anxious 
for them to nominate someone, that we would like to empower 
them to be somebody who is identifying the conflicts and 
identifying this issue of NCCIC versus HCCIC, and why is this 
even happening, because then maybe they would be in a position 
that they could throughout the government be a point of contact 
to deconflict and help all of these various private sector 
entities that are struggling with we want to do the right thing 
but we just cannot--we cannot do all of the right things 
because they are not even consistent with one another. Maybe 
you and I could join----
    Chairman Johnson. I am happy to work with you. In fact, we 
have three Executive Orders on this. It is obviously recognized 
as a problem.
    Senator McCaskill. Yes, but we do not have the guy in 
charge.
    Chairman Johnson. Right. So, we will work with you on that.
    Senator McCaskill. So, it would be great if we could get 
that nomination done, and maybe this would be a letter they 
would look at since maybe you would sign it.
    Chairman Johnson. They are looking at all your letters. 
[Laughter.] Senator Daines.
    Senator McCaskill. I winked when I said that. I was not 
being confrontational to my friend, the Chairman. [Laughter.]

              OPENING STATEMENT OF SENATOR DAINES

    Senator Daines. Thank you, Mr. Chairman, Ranking Member 
McCaskill, and thank you all for testifying today about this 
critical area of national security. I was struck by the chart. 
I thought we were going to be talking about regulations. I did 
not know it was about spaghetti today. [Laughter.]
    That is a sobering-looking flow chart. I am not sure you 
could use the word ``flow'' with that chart. Let us just say 
that redefines complexity.
    Policymakers continue to debate the best approach to 
implement cybersecurity standards. Despite Congress' attempt to 
get ahead of cyber crimes in 1986--that is going back to 
President Reagan's second term--with the Computer Fraud and 
Abuse Act, most legislation and regulation in this area has 
been in response to a high-profile breach, arguably very 
reactionary.
    Over the years, best practices have emerged. They apply 
broadly but certainly, as we all know here, it is all about the 
details, and the devil is in those details. I spent 12 years in 
the cloud computing industry before I came to the Hill. I 
understand how important it is for business to guard networks 
and sensitive data. And, I do not believe we can mitigate this 
threat by burdening companies with more one-size-fits-all 
regulations. If there is something that ought to frighten the 
private sector, it is when Congress, who does not really grasp 
the details and the challenges, dictates technologies to 
industry. Some of our best and brightest in the tech sector 
are--I am always a bit nervous with tech mandates. To quote 
Senator Mike Mansfield of Montana, he used the words ``Tap 'er 
light.'' I think that is appropriate advice as we think about 
this. However, we need to encourage and share best practices 
and, importantly, punish the criminals and enforce the law.
    The debate over cybersecurity standards typically leads 
policymakers to one of two conclusions: first, the Federal 
Government should mandate baseline requirements; or voluntary 
standards, such as the NIST framework should be kept for 
companies to apply as they see fit. I might argue there is 
perhaps a third option. There is an old adage in the private 
sector: ``If you aim at nothing, you will hit it.'' Consider 
your credit score for a moment, an industry-recognized ranking 
system based on quantitative data, so taking something that can 
be somewhat complex and qualitative in nature and quantifying 
it, your credit score. It enables informed decisions about 
risk. A score that ranks an organization's cybersecurity 
practices based on empirical data would allow consumers to make 
informed decisions. This approach allows the market to decide 
and incentivize companies to strive beyond the threshold of 
regulatory compliance to become industry leaders in 
cybersecurity.
    I know when we were running a cloud computing company, we 
hosted in our data centers many Fortune 500 companies. We had, 
as is the best practice in the industry, outside groups that 
would seek to penetrate our systems here and issue reports to 
us good guys acting like bad guys and telling us what they 
found. That is a very helpful way to think about security, and 
I know it is generally a best practice in the industry.
    Mr. Garfield, would you agree that neither purely voluntary 
frameworks nor overly specific Federal mandates are the best 
approach?
    Mr. Garfield. I think the answer to that is yes. As it 
turns out, NIST is engaged in an exercise in updating the 
cybersecurity framework where it is looking at metrics and 
measurements. To the point you made earlier about ``tap 'er 
light,'' I think we have to be thoughtful in the approach that 
we take.
    For example, the Fair Isaac Corporation (FICO) score that 
you mentioned is fairly straightforwardly quantitative. How we 
do that and turn something that is complex, sometimes 
spaghetti, into something that is fairly straightforward and 
makes sense will require the kind of multi-stakeholder 
engagement that you are talking about.
    Senator Daines. The only thing worse than doing nothing is 
doing something that drives the wrong behaviors, the wrong 
outcomes, certainly, and it will take thoughtful dialogue. And, 
I am pretty confident--spending some time with our best and 
brightest in the private sector, and as well engaging those in 
the Federal Government and State governments--we could come up 
with something here that would be a quantitative indicator. 
But, it is just an idea to throw out there, something that 
would be actionable going forward.
    I want to talk about the support for Rapid Innovation Act. 
This concept for an empirically driven cybersecurity score was 
the product of research funded by DHS's Science and Technology 
Directorate. Through technology transfer, this investment is 
becoming a viable market-based solution that can adapt to 
trends in cybersecurity as they emerge. I believe as a 
government we should be investing in forward-looking solutions 
like these as precisely the objective of my Support for Rapid 
Innovation Act, which would allow DHS to foster and enable 
progress rather than impeding it by setting these static 
requirements that oftentimes would be obsolete by the time 
Congress got around to acting.
    To the panel, the question is: Where is the Federal 
Government currently expanding resources for negligible 
benefit? And, where should it focus its resources as it relates 
to cybersecurity? I am throwing that question out to see who 
would like to take it first.
    Do not jump all at once.
    Mr. Garfield. Well, I think we have given some examples. 
For example, the--and by saying ``negligible,'' I do not mean 
to suggest that it is not important. So, whenever there is a 
new area of innovation, there is a rush to jump in and 
regulate. So, the Internet of Things is one area. As I pointed 
out earlier, there are 30 different initiatives aimed at 
regulating that. I think there is negligible benefit to 
approaching IOT and IOT security in that fashion. And so, I 
would say that is one area where resources are being 
misdirected. The National Highway Traffic Safety Administration 
(NHTSA) is undertaking an effort looking at cybersecurity 
solely in the automobile instead of engaging and coordinating 
its efforts through NIST, which is advancing an initiative 
based on cyber physical systems, and so the very thing that 
they are also advancing. And so, I think that effort is also 
going to be negligible because the experts are elsewhere and 
the likelihood that you are going to be as forthcoming with a 
regulator as you would with a scientist I think is misguided, 
as some of the other witnesses have pointed out. So, those are 
two examples where I think we can streamline and reduce 
redundancy.
    Senator Daines. That is very kindly put. Thank you.
    Mr. Feeney. I think it is good money spent when you fund 
NIST, especially relative to some of their innovation work. So, 
they are doing considerable work in quantum. For instance, they 
are looking at IOT. Both of those are relevant and important. 
They will be upon soon, if not already. So, when you can focus 
on programs like that, they make real sense for the fuller 
marketplace. So, that is where I would spend time and effort.
    We are a little bit unique in that we are working with 
independent regulators. They are not subject to the Federal 
mandates, if you will. So, our view of it is really 
concentrated within the industry. But, innovation is important. 
A number of our regulators are working on innovation as well.
    Senator Daines. Thank you. I am out of time. The thoughtful 
conversation, I appreciate it. This is a town that has a 
culture of rewarding activity and not results, and we have to 
get focused back on outcomes here versus checking a box, well, 
we did all these things here and think that Members of Congress 
are going to nod their head and think they are bluffed. But, I 
think we need to focus on the result.
    Thank you, Mr. Chairman.
    Chairman Johnson. Senator Heitkamp, and I do want to thank 
you for switching the order here to accommodate Senator Daines.

             OPENING STATEMENT OF SENATOR HEITKAMP

    Senator Heitkamp. You bet. Not a problem.
    I am going to give you another analogy, and one is a bike 
lock. When I was in college, you had a chain. It had a little 
padlock, right? And, that was enough of a deterrent. And then, 
pretty soon people came with wire cutters, and, now we have 
titanium locks, and people are taking their bike seat off, and 
the bottom line is it is always going to change. And, if we do 
not have a system that is adaptable, if we do not have 
communication and adaptability, then all of this means nothing, 
I mean, because there is a back door somewhere.
    And so, the innovation that Steve talked so eloquently 
about is absolutely critical, staying ahead of where the threat 
is and being nimble and being diverse. And, that is the 
challenge that I see, which is one size fits all may be the 
most dangerous thing we can do, is applying one system to all 
of this because, number one, it will tap down innovation, but 
it also will create greater vulnerabilities if we are only 
doing the same thing over and over again.
    And so, this is an area that I think there is incredible 
bipartisan concern, but also a willingness to look at that, and 
we can all say that is not where we want to be. And, as a 
former State official, I can only say I feel your pain. Back in 
the day before we had all of this technology, I was the tax 
commissioner--and he nods, and he knows what those IRS audits 
are, and rightfully so. They want to protect their information. 
There is a lot of great information sharing. We could not do 
what we do in terms of enforcement without a relationship with 
the IRS. But, a lot of that is box checking. It is not real 
security. It is you have the checklist, you go out there, you 
ding someone because there is the wrong kind of door as opposed 
to what is the actual breach.
    And so, I want to go to what you are seeing in State 
government because State government is not as complicated as 
this, but it definitely is a laboratory for innovation and a 
laboratory for coordination. And, I want to give you a chance, 
Mr. Reese, to tell us what you have learned in your role not 
just in Oklahoma but your role as heading up the Chief 
Information Officers organization and give us the five things 
you want us to do.
    Mr. Reese. Fantastic. So, what a great opportunity, right? 
Because being a part of NASCIO, we work with all 50 States and 
2 territories, and I assure you what we hear across every State 
is the same story over and over again. There is overregulation, 
there is duplicity, there is inefficiency. We can give multiple 
examples where we are making check-the-box decisions instead of 
being allowed to work with our Federal partners and make good 
business decisions.
    Things like cybersecurity and dealing with these odds is 
not just a simple check-the-box type of technology. You have to 
look at the opportunities. I have had scenarios where, in 
Oklahoma, because for the last 5 years we have been in a State 
of flux--we have been going through this consolidation of all 
of our IT within the Executive Branch and have made tremendous 
strides and have found tremendous savings and efficiencies. 
However, we still run up against a lot of hurdles because it 
becomes very troublesome trying to align with our Federal 
partners who still treat us as if we are siloed. Here I am 
working and am incentivized by our Federal partners to 
consolidate, but when I go engage with my Federal partners, 
they are not consolidated, and they still treat me as if I am 
siloed, and, therefore, I end up losing all of my efficiencies 
because I have to do these repetitive processes.
    Senator Heitkamp. Right.
    Mr. Reese. I also make these decisions where, if I know I 
am working with an agency, and I have great examples of some 
aging hardware at an agency that was reaching end of life, and 
I knew I had a plan during the consolidation that I was going 
to be moving all of that network infrastructure over onto our 
on-prem shared solution, and, therefore, would be on a newer 
solution. But, when the auditors came in and identified that 
hardware was not on their list of approved versions of 
hardware, they said no, we have to replace that. We said, wait 
a minute. We are going to replace it. We have purchased 
extended maintenance on it so we have mitigated the risk, and 
we would like to take those dollars and go apply them somewhere 
else, say on an application layer security, because we know 
that we are also going to be absorbing it later. Did not 
matter. We had to check the box. We were forced with making a 
decision of spending the money to go ahead and replace a piece 
of hardware before we were prepared, before it was even an 
appropriate return on investment, and we ended up making that 
check-the-box decision instead of getting to make a good 
business decision, which is what I was charged to do in this 
role, was to go make good business decisions with our Agencies. 
Those type of scenarios come up over and over and over.
    Senator Heitkamp. So, if we gave you a place that was 
responsive to this, that was an override that was looking at a 
broader kind of spectrum of concerns--so let us say in that 
case they say go buy this equipment, you go, I am going to take 
this to the Council of, You Are Crazy, and I am going to plead 
my case that that is not reasonable. I think one of these 
things that you get is that when things are siloed here, the 
right hand does not know what the left hand is doing. They are 
not familiar. They are just like do not confuse me with the 
facts and your problems. This is my problem, and I have to make 
sure that you have this.
    So, if there were a place, and maybe thinking about this, 
if there were a place where you could go or industry could go 
to say, no, I am not going to do that, and I do not want to be 
dinged for it; I have a logical reason; I am going to appeal 
your decision someplace so that you have to be accountable for 
the disruption that you are creating that does not make a lot 
of sense, because States are very similar in this role to 
industry. They are the users. They are the regulated in this 
case.
    And so, it seems to me that if we had some place where you 
could go to say this is not smart in terms of overall security, 
and you did not get forced into this by the time crunch of an 
audit or dinged on an audit, that might be helpful.
    Mr. Reese. Absolutely. Timing is such a challenge. The 
Oklahoma Tax Commission is a fantastic partner to me and my 
organization. They have been great at working with us to find 
efficiencies in what we can do together, and we have been able 
to achieve some really good things with those folks. But, yet 
it comes down to some things that you think would be simple, 
but because the technology is ahead of the regulations, we find 
ourselves struggling for guidance.
    The Oklahoma Tax Commission recently worked with us on 
moving to a hosted voice solution, and in trying to determine 
how we deploy and meet all the Federal requirements for the IRS 
and others for this solution, we found ourselves struggling 
with trying to determine what set of standards do we use. Is it 
the voice regulations or is it cloud-based or hosted solution-
type regulations? They do not match. And so, we end up seeking 
guidance, and it takes months.
    Senator Heitkamp. I think Mr. Garfield wants to add to 
this.
    Mr. Garfield. If I could just add that what Mr. Reese is 
saying is so real, and we hear it so often at the State level, 
but we also experience and see it at the Federal level as well. 
And so, this is a broad-based problem that requires a solution.
    Senator Heitkamp. I just want to make one final point, and 
that is about risk taking. Everybody has a checklist, and they 
want to meet that checklist because if something happens, they 
want to say, ``I did my job''; as opposed to ``I am part of an 
evolving, necessary, very dynamic industry that needs to be 
mobile and agile,'' and we need to tolerate to some degree--and 
I am not saying that this--but we need to tolerate that this 
will not be perfect, and we are going to learn as time goes on. 
And so, we need to tell people, ``Do not do things that do not 
make sense, and if it did not make sense, we are not going to 
ding you if something happens.''
    So, that is part of the problem here, that when you have 
enforcement actions, the dinging or the risk taking does not 
happen because people are so afraid that they will be held 
accountable.
    Mr. Nutkis. Can I add one more thing? Because I think in 
industry we have tried to innovate, and I think this has been 
the concern that we have had is we have looked at things for 
years from risk. We transitioned from compliance-based to risk-
based. We have worked with cyber insurance actually to be able 
to understand how risk scores actually work and how we can 
develop better frameworks to do this. But, we are driven by a 
compliance and a regulatory environment that says, just as you 
said, here is the box. But, I would not--I would certainly look 
at what industries are doing because there is a lot of work 
already in place. In industries, we have been doing it for 10 
years. We have thousands upon thousands of organizations, tens 
of thousands, that get assessed against this every year, and it 
does meet the requirement of HIPAA, but, again, the requirement 
here is to manage risk, not to check the box.
    Senator Heitkamp. And, we need to be sending the message to 
the people who are reviewing it, because they are box checkers 
and they need to be in the risk assessment business. I totally 
agree.
    Chairman Johnson. At an earlier hearing on a separate 
subject, at the end of Senator Heitkamp's questioning--and I am 
paraphrasing. Maybe this is not an exact quote. ``This is 
crazy. This is insane.'' I was kind of actually waiting for 
that. I think what you are seeing here is we are kind of 
working toward what hopefully will be a bipartisan solution and 
working together on this. So, thank you, Senator Heitkamp. 
Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman. And, I thank all 
of you for being here. Mr. Reese, good to see you again. Glad 
you are here. Thank you for the work that you do in Oklahoma 
all the time.
    I want to be able to highlight several things with you 
today. One is a point of reference on different Agencies and 
entities that you interact with. DHS and the FBI, just to be 
able to give you a point of reference for all of the four of 
you as well, I just walked out of an Intel hearing that is an 
open hearing today dealing with cyber attacks from Russia and 
how they are influencing that, and specifically going after 
State election systems.
    There is this myth that all of you know well is just a myth 
that foreign actors, whether they be North Korea, Iran, Russia, 
or China, are interested in hacking into the Pentagon, but they 
are really not interested in anyone else. That is completely 
false. We have 21 States during the last election time period 
that Russians were trying to hack into specific State election 
systems. They were not able to get to any of the vote tally 
areas or controlling voting machines, but they were able to get 
to things like voter registration rolls. And, it raises the 
question: If they can get into a voter registration roll, could 
they add people? Could they delete people? Could they change 
data? Could they complicate the process on election day? If 
they can get to that data, what else could they get to?
    So, you have in front of you the now famous--I should say 
``infamous''--email that was sent to a DNC employee named Billy 
Rinehart.\1\ Billy never intended to be a national example, but 
he suddenly became a national example as an employee of the 
DNC. He was on vacation, was in Hawaii, actually, and he opened 
up his email and saw this email from Google. And, the email 
simply reads, ``Someone just used your password to try to log 
into your Google account,'' had his email address there, and 
said the location was from the Ukraine. So, it encouraged him 
to change his password, which he promptly clicked on that, 
changed his password, and went back to bed. What he actually 
did was just opened up a portal from Russia into the DNC, and 
they began exfiltrating data of large quantities based on that. 
Billy was not the only one that clicked on that. There were 
others that did from that same email.
---------------------------------------------------------------------------
    \1\ The email submitted by Senator Lankford appears in the Appendix 
on page 92.
---------------------------------------------------------------------------
    So, the question is for the Federal Government and for 
State governments, it is always the conversation about the 
weakest link. And, you have regulators hanging over you asking 
you how many connection points, how many possibilities of 
logging in. Where is your latest hardware? Have you updated 
this router in this place? There is a vulnerability. Do you use 
certain software for virus protection? Where does that 
information get routed? Has it stayed in the United States? Is 
it routed through Russia? All of those basic questions that are 
coming at you all the time.
    The issue that we are trying to figure out is how to be 
able to give you a consistent voice and where does that even 
go.
    Mr. Reese, your statement before that in the consolidation 
that we did in Oklahoma, which was a very real consolidation 
where we saved a quarter billion dollars through the work that 
you did and the others that are around you did through the work 
that happened there, your testimony that the biggest hurdle 
that you had was not the consolidation; it was the Federal 
Government and the regulations and the multiple answers that 
you were trying to get in the multiple audits that are now 
coming at you. How do we manage this? This is a real threat. 
Ninety-one percent of the hacks that come into our Agencies 
come in through a phishing attack just like that. Some employee 
clicked it; they now have access. If they now have access to 
health care data, to tax data, it is connected by forms to 
other places. How do we manage this best? And, do we need a 
single point of contact to be able to manage this from a 
Federal side, as all of you are doing on the State sides? Or 
what is the best way to be able to continue to manage how that 
data flows rather than having multiple entities?
    That is a long, rambling question, but somewhat I want to 
be able to expose this issue, because I think a lot of 
Americans think somehow it is some hack that got into a system. 
Most often it looks just like that. That is just how they got 
into the system.
    Mr. Reese, do you want to try to attack my rambling 
question?
    Mr. Reese. Absolutely. So, to be able to manage these types 
of scenarios, which we see every day, when we tackle this one, 
there will be another one tomorrow, right? That takes a 
tremendous amount of resources. Today we find ourselves--
training and awareness is in the forefront of how we protect a 
State. We have 33,000-plus employees statewide that have access 
to some degree or level to secure State information. And so, 
obviously things like this are very difficult because it is 
about end-user awareness and training, and all the systems we 
have put in place may not be able to protect us from this.
    However, being able to commit those resources and the team 
that we have and being able to manage the staffing, that is a 
huge challenge to manage, to actually retain staff, the talent 
we need in Oklahoma to do this.
    Now, NASCIO, polling all 50 States, finds on average the 
State CIO's office for each State has anywhere from 5 to 15 
cybersecurity analysts full-time. That is not a very deep 
bench. And, where we are constantly struggling to be able to 
train and retain these folks and trying not to lose them to 
private industry for sometimes better, higher-paying jobs, we 
also find that they get very frustrated because when they are 
working within the State government, they are working with all 
the different Federal Agencies that we touch. We find this 
scenario kind of like a well-trained physician who has gone to 
school for many years and practiced and wants to go heal 
people, and he finds himself in a practice where he is being 
told, ``Just put a Band-aid on it and move on. You do not have 
time to treat the illness. You have to just put a Band-aid on 
it.''
    Our cybersecurity folks feel like that is what they are 
being told, ``Put a Band-aid on it. Check the box. Move on.'' 
There are too many things behind this to worry about, so they 
cannot go focus on the true issues. They cannot go out and find 
the next innovative solutions, look at the tools that are 
available to them, or develop the tools that are necessary in 
many cases to protect the way we know we could. And, that is 
kind of the struggle we have, which is----
    Senator Lankford. So, how do we fix that?
    Mr. Reese. So, I think we have to simplify the 
communication, first off, like you said. I can just only 
imagine the man-hours that could be saved within a State if we 
were to simplify these regulatory challenges we have. I could 
focus these folks more on these type of issues and less on just 
doing audits alone.
    Some great examples we have, like the State of Maine 
documented last year they spent over 11,000 hours in audits. 
These are the same folks that are trying to address these 
problems. Eleven thousand hours were spent on audits, working 
with six Federal Agencies and trying to review over 1,000 pages 
of regulatory compliance. They could do some pretty amazing 
things if those man-hours could have been truly focused on 
forward-thinking solutions rather than just trying to check the 
box and appease----
    Senator Lankford. Filling out paperwork, trying to track 
down answers to someone's questions, yet another audit from yet 
another agency, multiply the audit that just came 6 months ago 
from somebody else, and on and on.
    Mr. Reese. Exactly.
    Senator Lankford. Let me make just a quick comment, and 
then let me get this back to the Chair. I can assure you the 
Russians were probing our systems in 2016. They are actively 
pursuing what they are going to do for 2018 elections. Each 
State manages their State's integrity of their voting systems 
and what happens there. I know you are all actively involved in 
that. But, if they are able to engage in any State election 
system, alter any data or exfiltrate any data in 2018, I cannot 
imagine the pressure both on that State and on the Federal 
Government to be able to explain when we had 2 years of 
warning.
    So, that is all something you are all aware of. That is 
nothing new to any of you. You deal with those issues all the 
time. But, it is something that we have to pay attention to 
here, and I know you are paying attention to, and I appreciate 
what you are doing to be able to protect the integrity of the 
systems and a lot of very personal data that our systems have.
    Chairman Johnson. Thank you, Senator Lankford.
    I will also point out, just pay attention to the trial in 
Montenegro about what Russia did, basically a coup attempt 
prior to their election. So, this is not something unusual or 
they just do in America. They are attacking countries across 
the world. Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Well, thank you, Mr. Chairman, and I will 
concur with that last comment. I just came back from Lithuania 
and Latvia, which are also subjected to constant attacks from 
the Russians as well, and very concerned about their security, 
and being right on the border with Russia puts them at 
significant risk. This is something we have to grapple with in 
a broad-based way, and I appreciate this hearing. And, I 
certainly appreciate each of the folks who have testified 
today. I think without question cyber is the most significant 
national security risk that we face, and the fact that we are 
coming together to figure out how to do this in a more 
effective way is incredibly important.
    But, I want to focus on one particular industry that I have 
been actively engaged with, will continue to be actively 
engaged with as a Senator from Michigan, and it is the auto 
industry. Perhaps the most transformative new technology that 
is coming down the pike that will be every bit as big if not 
bigger as when the first car came off of the assembly line, and 
that is autonomous vehicles, which will be changing how we 
think about mobility. It is going to offer some incredible 
promises in terms of safety. We can eliminate most auto 
accidents, and at a time when 40,000 people die on our highways 
every year, that is a big deal, in addition to all of the other 
injuries that occur. You will be able to change the way 
vehicles are out on the road as far as spacing, as well as how 
we organize our communities, all of those wonderful things. 
But, by the same token, all these vehicles are going to be 
connected to each other, and it only works with vehicle-to-
vehicle technologies, where a Ford is speaking to a Toyota and 
a Toyota is speaking to a Nissan and then a GM, and the 
infrastructure will be talking to these vehicles as well. We 
will have bridges that will tell our cars that they are icing 
over, and the cars will automatically respond to that 
incredibly important and exciting technology.
    But, with a shift in technology, we also have to make sure 
our policies are keeping up with that and, in particular, when 
it comes to cyber. As I have often said, it is one thing for 
someone to break into your bank account and steal your money. 
You are pretty angry about that. If someone breaks into your 
car and drives you into a wall, that is existential. That is 
considerably worse. So, we have to make sure we are hardening 
these systems.
    SAE International, a standards development organization for 
engineering professionals, has begun to promulgate some basic 
standards for the automobile industry, such as taxonomy and 
definitions that currently have been serving as a basis for 
Federal AV guidance. In fact, I am working on legislation now 
with Senator Thune to deal with some AV guidance issues as 
well.
    But, Mr. Feeney, I am going to start with you. For the auto 
industry, even a small number of conflicting or duplicative 
regulations would obviously significantly impact AV technology 
development. To maintain the current pace of innovation, what 
are your thoughts on the role of voluntary risk-based 
guidelines as a technical basis for future AV cybersecurity 
standards?
    Mr. Feeney. Right. Thank you for that question. I think it 
is critical. I have been a control owner, if you will, in cloud 
operations. I have been a CIO, and now I am doing more work on 
the policy and governance side. And, what I find is that the 
closer you get to a framework--we happen to like NIST, and we 
actually think about it in a customized way. It incorporates 
risk, it incorporates judgment, it incorporates flexibility to 
adapt, which is something that is critical in the space you 
just described, and it will adapt fast. It allows you to be 
nimble.
    So, I think if you set standards, you adopt them ahead of 
time, you build in by design the approach you want to take 
versus bolting it on later, that is a critical aspect of 
getting it right. It will never be 100 percent right. We 
mentioned some of the things that go on in this space. It is a 
dynamic threat environment from the external side. But, you 
have to have those bases in place in order to accomplish what 
you are looking to do, and I think that is an appropriate and 
probably best practices way to go about it.
    Senator Peters. Any thoughts?
    Mr. Nutkis. Yes, I would agree with that. So, from our 
perspective, we certainly develop and are based on risk-based. 
Because we saw the whole threat landscaping and our previous 
iterations were based on our breach data and how we looked at 
the threat based on a retrospective, we actually went 
prospective now to say that we are going to look at the 
emerging threats and actually build those into our framework so 
the framework becomes more threat-based, even risk-based. So, 
based on the threats that we see emerging, the framework 
actually evolves.
    The one caution I would make is understanding how you 
measure the effectiveness of the framework and then also 
transparency. Just because you have a framework, how do you 
ensure that they are actually complying with it effectively? 
And then, when one person looks at it, just as we heard from 
Mr. Reese, you could have 14 audits using the exact same set of 
guidance and get 14 different results. So, ensuring that 
everybody knows how to do that.
    Senator Peters. Mr. Garfield.
    Mr. Garfield. Yes, I think the example that you just gave 
speaks to the convergence that is taking place in our world, 
but also the lack of convergence that is taking place on the 
policy side. And so, that is why standards are so important, 
because they speak to and accomplish all of the things that the 
other witnesses have pointed to. But, as well, the oversight 
both from the Congressional level but a central point in the 
Executive Branch where we can avoid these redundancies on top 
of that broader strategy and that flexible framework is 
absolutely essential and important as well.
    Senator Peters. Mr. Reese.
    Mr. Reese. So, in Oklahoma, from a State perspective, when 
we look at things such as autonomous vehicles, you start 
looking at from a State perspective the intelligent 
transportation systems, we work very closely with our Oklahoma 
Department of Transportation, and we have done a great job 
focusing on where we can help them with financial systems and 
administrative systems alike. And, when we get into things that 
are really specific niche areas, such as intelligent 
transportation systems and how they manage and share those, the 
challenges we get into when we sit down at the table and we 
start talking about how we are going to leverage the State's 
infrastructure or how we are going to leverage the State's 
cybersecurity efforts and the things that our security 
information officer has put in place to protect all of these 
systems, they start feeling challenges and pushback from their 
Federal partners who tell them, ``No, no, no, no, no. When it 
comes to intelligent transportation systems, you are basing a 
lot of that infrastructure and building it out on Federal 
dollars.'' And, their Federal partners are telling them if that 
control in any way shifts to a centralized IT office, such as 
the CIO's office, they are going to lose funding. And, that is 
truly the mind-set that a lot of Agencies have because they are 
basing that on past audit experiences they have had, from 
third-party auditors that came in, and they are making the 
determinations and setting that example of how those Agencies 
now interpret what they should be doing and how they should be 
engaging with my office and moving forward, and often, without 
proper guidance and being able to get questions answered 
timely, we end up using the most restrictive interpretation of 
the Federal guidelines and it costs us more money, and it slows 
us down.
    Senator Peters. All right. Well, thank you for your 
thoughtful responses from all of you. I appreciate it.
    Chairman Johnson. Thank you, Senator Peters.
    I want to thank all of our witnesses. Normally, I say this 
before the hearing, but we had the business meeting. But, I 
talk to the witnesses, and I say the purpose of this hearing, 
of every hearing, literally is to lay out a reality, to define 
the problem so that you can find areas of agreement, to work 
toward a bipartisan solution. I think you saw that is exactly 
what happened here today. I want to thank all the Committee 
Members, Senator Peters, my Ranking Member--who is at a Finance 
Committee hearing. We are juggling a lot of balls here. But, I 
think what you have witnessed here is by laying out a reality, 
by defining the problem, by looking for areas of agreement, I 
think this is an important hearing. I will encourage everybody 
to take a look at your thoughtful testimony, which is in far 
greater detail than what you were able to provide just in terms 
of your verbal testimony. We have really described the problem 
in a way that we can all take a look at what the solution needs 
to be. And, it is about harmonizing. It is about integrating.
    And so, I am looking forward to working with my colleagues 
that were here and asked great questions, and let us write a 
piece of legislation. Working with the witnesses, working with 
your groups, let us get that central point within government so 
we can streamline this, so that we can certainly take the 
burden off of States, the health care industry, the financial 
industry, every industry, so that we can secure our cyber 
assets. This is an enormous threat. We have to recognize that. 
But, again, that is what this hearing really pointed out. So, 
again, I just want to thank all of our witnesses for your 
written testimony, your thoughtful answers to our questions, 
and your verbal testimony.
    With that, the hearing record will remain open for 15 days 
until July 6th at 5 p.m. for the submission of statements and 
questions for the record. This hearing is adjourned.
    [Whereupon, at 11:51 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]