[Senate Hearing 115-506]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 115-506
 
                     PRIVATE SECTOR AND GOVERNMENT
                    CHALLENGES AND OPPORTUNITIES TO
                     PROMOTE THE CYBERSECURITY AND
                       RESILIENCY OF OUR NATION'S
                     CRITICAL ENERGY INFRASTRUCTURE

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                      ENERGY AND NATURAL RESOURCES
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 1, 2018

                               __________
                               
                               
                               
                               
                               


                       Printed for the use of the
               Committee on Energy and Natural Resources

        Available via the World Wide Web: http://www.govinfo.gov
        
        
        
                            ______

             U.S. GOVERNMENT PUBLISHING OFFICE 
 29-767               WASHINGTON : 2019
        
        
        
        
        
               COMMITTEE ON ENERGY AND NATURAL RESOURCES

                    LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming               MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho                RON WYDEN, Oregon
MIKE LEE, Utah                       BERNARD SANDERS, Vermont
JEFF FLAKE, Arizona                  DEBBIE STABENOW, Michigan
STEVE DAINES, Montana                JOE MANCHIN III, West Virginia
CORY GARDNER, Colorado               MARTIN HEINRICH, New Mexico
LAMAR ALEXANDER, Tennessee           MAZIE K. HIRONO, Hawaii
JOHN HOEVEN, North Dakota            ANGUS S. KING, JR., Maine
BILL CASSIDY, Louisiana              TAMMY DUCKWORTH, Illinois
ROB PORTMAN, Ohio                    CATHERINE CORTEZ MASTO, Nevada
SHELLEY MOORE CAPITO, West Virginia  TINA SMITH, Minnesota

                      Brian Hughes, Staff Director
                Patrick J. McCormick III, Chief Counsel
  Brianne Miller, Senior Professional Staff Member and Energy Policy 
                                Advisor
             Mary Louise Wagner, Democratic Staff Director
                Sam E. Fowler, Democratic Chief Counsel
                David Gillers, Democratic Senior Counsel
           Scott McKee, Democratic Professional Staff Member
           
                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska
Cantwell, Hon. Maria, Ranking Member and a U.S. Senator from 
  Washington
Duckworth, Hon. Tammy, a U.S. Senator from Illinois

                               WITNESSES

Walker, Hon. Bruce J., Assistant Secretary, Office of Electricity 
  Delivery and Energy Reliability, U.S. Department of Energy
Matheson, Hon. Jim, Chief Executive Officer, National Rural 
  Electric Cooperative Association
Endicott-Popovsky, Dr. Barbara, Executive Director, Center for 
  Information Assurance and Cybersecurity, University of 
  Washington
Sanders, Dr. William H., Donald Biggar Willett Professor of 
  Engineering, and Head, Department of Electrical and Computer 
  Engineering, University of Illinois at Urbana-Champaign
Lee, Robert M., Chief Executive Officer and Co-Founder, Dragos, 
  Inc.

          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED

Cantwell, Hon. Maria:
    Opening Statement
Duckworth, Hon. Tammy:
    Opening Statement
Endicott-Popovsky, Dr. Barbara:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Lee, Robert M.:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Matheson, Hon. Jim:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Murkowski, Hon. Lisa:
    Opening Statement
Sanders, Dr. William H.:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Walker, Hon. Bruce J.:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record


     PRIVATE SECTOR AND GOVERNMENT CHALLENGES AND OPPORTUNITIES TO

        PROMOTE THE CYBERSECURITY AND RESILIENCY OF OUR NATION'S

                     CRITICAL ENERGY INFRASTRUCTURE

                              ----------                              


                        THURSDAY, MARCH 1, 2018

                                       U.S. Senate,
                 Committee on Energy and Natural Resources,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:00 a.m. in 
Room SD-366, Dirksen Senate Office Building, Hon. Lisa 
Murkowski, Chairman of the Committee, presiding.

           OPENING STATEMENT OF HON. LISA MURKOWSKI, 
                    U.S. SENATOR FROM ALASKA

    The Chairman. Good morning, everyone. The Committee will 
come to order as we begin our hearing on the cybersecurity and 
resiliency of our critical energy infrastructure.
    Cyberattacks are a well-documented and continuing threat. 
Every day we seem to hear of yet another incident. 
Increasingly, it appears that the bad actors are nation-states 
and sophisticated entities, such as organized crime or terror 
groups. These attacks are across-the-board and not limited, of 
course, to energy infrastructure.
    Just last week, according to the news reports out there, 
U.S. intelligence identified efforts by Russian military spies 
to attack computers used by Olympic officials during this 
year's games. Reportedly, their goal was to make it look as if 
North Koreans were leading the cyberattack. Acts of cyber 
intrusion such as these can jeopardize diplomatic relations and 
could have more serious repercussions.
    Just a couple days ago, the Director of the Division of 
Elections in my home State of Alaska again informed the public 
that Russian cyber actors made a failed attempt to access the 
Division's public website prior to the 2016 election. 
Apparently they merely scanned the state's system, so this was 
not a 'breaking and entering' scenario, but it clearly 
underscores the persistence of the problem.
    Here in the United States, the energy sector is clearly a 
high value target for cyberattacks. Earlier this month 
Entergy's security monitoring system detected a cyber intrusion 
on the company's corporate network. Thankfully, the intrusion 
was on the corporate side and did not affect energy delivery or 
reliability, but again, bad actors will test any available 
avenue in an attempt to infiltrate energy networks.
    Our Committee has spent a lot of time, many hours, 
examining the threats to energy infrastructure. We have learned 
about the potential challenges of increased digitalization of 
the energy sector and opportunities to improve cybersecurity by 
engineering in protections and developing strong cybersecurity 
protocols.
    We have repeatedly heard how protection of our nation's 
critical assets is a shared responsibility, with federal, state 
and private sector partners working together to improve cyber 
defenses and sharpen responses to cyberattacks. We know there 
is more work to be done to improve that collaborative work. We 
are alert to the danger that "shared responsibility" can, in 
practice, be the hardest responsibility to consistently and 
accountably discharge.
    Now we have also legislated to help address the 
cybersecurity problem. In the Energy Policy Act of 2005, 
Congress imposed mandatory reliability standards, including 
cyber standards, on the electric industry. And today we will 
hear testimony that these standards have led to meaningful 
improvements. The electric sector is still the only sector that 
has such stringent requirements, but we will also hear that 
keeping the nation safe from major cyber threats goes well 
beyond regulation.
    Last Congress, in the FAST Act, we enacted provisions 
authored by this Committee to codify the Department of Energy 
as the sector-specific agency for the energy sector and we 
provided the Secretary with the authority to address grid-
related emergencies, including cyberattacks. We also sought to 
facilitate greater information sharing by protecting sensitive 
information from disclosure. I am pleased to report that public 
and private sector efforts not only to identify threats and 
share information but also to improve the capabilities for 
detecting and responding, are intensifying.
    So the question this morning is, "What do we do next?" 
What should the Federal Government do, or refrain from doing, 
to meet this dynamic and evolving threat? And how can the 
government help improve the cyber resiliency of critical energy 
infrastructure if a threat becomes a reality?
    Mr. Walker's testimony states that Secretary Perry is 
establishing a distinct "Office of Cybersecurity, Energy 
Security, and Emergency Response." This new office, which will 
be known by the acronym C.E.S.E.R.--we are already referring to 
it, I guess, as Caesar, big shoes here.
    [Laughter.]
    But much of CESER's lineage is from the Department's 
current office, the Office of Electricity Delivery and Energy 
Reliability, which was established after the 2003 Northeast 
Power Blackout.
    Mr. Walker, we appreciate the Department's attention to 
this important topic and certainly look forward to learning 
more about this new office and how you intend it to operate and 
function.
    Protecting our nation's energy infrastructure, we all 
agree, is critical to maintaining so much of the American way 
of life. We must determine what the next appropriate steps will 
be to further identify and prevent cyber intrusions and 
increase resiliency in the event of an attack. Those solutions 
may not require more regulation, but rather more common sense 
and cooperation.
    I appreciate the expert witnesses that we have before us 
today, that you have made time to be before the Committee. I 
will introduce them after Senator Cantwell's opening comments, 
but we appreciate you being here.
    Senator Cantwell.

               STATEMENT OF HON. MARIA CANTWELL, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Cantwell. Thank you, Madam Chair, and thank you for 
holding this important hearing. I am sure that the Chair has 
probably grown weary of how many times I bring up 
cybersecurity.
    [Laughter.]
    Both in our negotiations on an energy bill, now almost two 
years ago, the need to be more expeditious about the process, 
and my continued concern about it from the perspective of one 
of the greatest threats facing our nation.
    So I am delighted to have the panelists before us today to 
focus on what our nation needs to do to be more expeditious in 
our agenda on cybersecurity.
    Obviously, cybersecurity, as it impacts our energy 
infrastructure, is one of the key issues for this Committee. We 
used to say that we were worried about foreign entities 
entering our airspace, our shipping lanes, or any kind of 
unwanted provocations. Now they come in the form of 
cyberattacks.
    So make no mistake, our nation's energy infrastructure is 
under that attack from Russians and other state actors. We 
know, according to the Ukrainians, Russia took out part of the 
Ukraine electricity grid in 2015 and 2016 through cyber means. 
WIRED magazine, at the time, chillingly suggested that the 
entire nation of the Ukraine was becoming a Russia test lab for 
cyber war.
    As one of our witnesses will say today--Dragos has said 
that the Russian government has devised a cyber weapon that has 
the potential to be one of the most disruptive yet against our 
electricity system. So we look forward to hearing more on that.
    In the last year, the Washington Post reported that Russian 
government hackers were behind cyber intrusions into a nuclear 
power plant's business system. We know from our own northwest 
lab that the firewall that protects much of our information, 
they have communications of something like 25,000 a day, 
cyberattacks against that system.
    We know what is happening and, as the Chair mentioned, we 
know that the Administration has set up a cyber office which we 
appreciate but we want the Administration to be much more 
aggressive.
    We have been pushing for over a year now asking for a 
threat assessment to our electricity grid. I think it was June 
22, 2017, that we wrote the White House asking them to perform 
a required assessment on protecting the grid from cyberattacks.
    I know, Mr. Walker, you are here today and you will try to 
enlighten us on the work that you have been doing in your short 
period of time, which is a lot given the Puerto Rico situation, 
so we appreciate that. Nonetheless, we want the Department of 
Energy to respond to this letter of a year ago asking them what 
we are doing to protect the reliability of our electricity grid 
from Russian hacking. This was sent by many U.S. Senators and 
we have yet to have a response.
    Why is this so important? We saw just this morning the 
German government was hacked by Russian actors. According to 
the German Interior Ministry, we can confirm that the Federal 
Office of Information Security and Intelligence Services were 
part of a cyber hack.
    So this issue is not going away. It is only growing in 
incredible importance. We don't want to have an Administration 
asleep at the computer terminal while we are sitting here 
worrying about American business and government interests and 
national security interests being attacked by state-owned 
actors.
    I also hope that we can see, as we specifically asked 
Secretary Perry during his confirmation hearing, that the 
Administration will support a robust infrastructure investment 
as it relates to cybersecurity. I know he told the Committee at 
the time that he believed that we should do that and we want to 
see in this next budget legislation, that commitment. I know 
that the Chair and I had a chance to talk to the President at 
an infrastructure discussion a couple weeks ago, and we 
emphasized how much energy infrastructure needed to be part of 
a national infrastructure investment bill. So now is the time 
for action.
    We also discussed, and the Chair and I have in legislation, 
a clear focus on how important workforce is to a critical 
energy infrastructure for the future, including cybersecurity.
    Our state, the State of Washington, has been a leader in 
developing a cyber workforce training, and I would like to 
welcome Professor Barbara Endicott-Popovsky to testify today. 
She is the Executive Director at the Center for Information 
Assurance and Cybersecurity at the University of Washington, a 
national leader in pioneering cyber education.
    We were able to have a forum there recently to see how 
business, education and the cybersecurity community was coming 
together to try to focus on cybersecurity solutions. She has 
been shaping cybersecurity education policy and has authored 
more than 100 peer-reviewed articles. So we welcome what you 
have to say today on this issue.
    She recognizes, as I do, that one of the biggest challenges 
to the nation's cyber preparedness is a skilled workforce and 
that by 2020 IBM estimates that there will be 1.5 million 
unfilled cybersecurity positions across all industries. That is 
mind boggling, mind boggling, to think about but not hard to 
imagine given that we live in an information age and how 
connected everything is going to be and how every layer will 
also need security and reinforcement.
    I hope that today's hearing will help illuminate for us how 
much investment we really need to make to make that part of our 
energy infrastructure work cost-effectively.
    We know that some of the challenges that we face are getting 
that curriculum well established and also making sure that 
different aspects of the cybersecurity challenge are addressed 
everywhere from two-year degrees to PhDs. I do think the 
Department of Energy has a role to play here in defining for 
individuals interested in this area, the partnerships that will 
be necessary to skill that workforce in a timely fashion.
    All in all, Madam Chair, thank you so much for the hearing 
today. Thank you for the attention to this issue. I know you 
and I keep hoping that there will be some cybersecurity 
legislation that moves through the Full Congress as it has 
already moved through the Senate. So, maybe, I don't know if 
the third time is the charm, but hopefully we will be able to 
use these very important events that have transpired across the 
entire world to get our colleagues to see the urgency of the 
situation.
    So again, thank you for the hearing.
    The Chairman. Thank you, Senator Cantwell, and thank you 
for your persistent push on the cybersecurity piece of it.
    As you mention, we think we have a good, strong, bipartisan 
bill. We would like to see that be more than just a bill. We 
would like to see it be law and to put in place some of these 
protections that we have been working on so hard, but I greatly 
appreciate your continued focus on this.
    We have a good, strong panel with us this morning. Again, 
welcome.
    We have our Assistant Secretary for the Department of 
Energy, Mr. Bruce Walker. It is good to have you back before 
us.
    We are also joined by former Congressman Jim Matheson. 
Congressman Matheson represented Utah from 2001 to 2015. He is 
now the CEO of the National Rural Electric Cooperative 
Association (NRECA). It is good to have you before the 
Committee.
    Dr. Barbara Endicott-Popovsky with the Center for 
Information Assurance and Cybersecurity at the University of 
Washington has just been introduced by Senator Cantwell. We are 
very pleased that you could join us this morning.
    Dr. William Sanders is from the University of Illinois, and 
I will let Senator Duckworth introduce him.
    But let me also welcome Mr. Robert Lee, who is the CEO of 
Dragos Incorporated. It is good to have you with the Committee.
    Senator Duckworth, if you would like to introduce your fine 
constituent.

              STATEMENT OF HON. TAMMY DUCKWORTH, 
                   U.S. SENATOR FROM ILLINOIS

    Senator Duckworth. Thank you, Chairwoman Murkowski.
    I would like to extend a very warm welcome to Dr. Sanders, 
who is joining us from the University of Illinois at Urbana-
Champaign. They have some great farm-to-table restaurants 
there, by the way.
    I am proud that the University of Illinois was one of the 
very first universities to recognize the importance of ensuring 
the cybersecurity and cyber resiliency of our energy 
infrastructure.
    Dr. Sanders serves as the head of the Department of 
Electrical and Computer Engineering and is an expert on 
computing and critical infrastructure, such as the power grid.
    Over the past several decades, Dr. Sanders has published 
over 270 technical papers in these areas and received the 2016 
IEEE Innovation and Societal Infrastructure Award.
    He has used his expertise to assist the government's 
efforts to make the grid more secure and resilient. This work 
includes leading an initiative of the Department of Energy and 
the Department of Homeland Security on building a better, more 
secure and resilient power grid.
    Dr. Sanders, I am thrilled that you are able to join us 
today. I think your voice will be a very valuable one to 
today's discussion.
    We all know that future battles will increasingly exist in 
cyberspace and that cybersecurity is a critical aspect of our 
national security, and I look forward to hearing your testimony 
and your recommendations concerning this very important issue.
    Welcome.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator.
    Again, thank you all.
    I would ask that you try to keep your comments to about 
five minutes. Your full statements will be included as part of 
the record.
    I will note for colleagues that we are scheduled to have 
votes. I think it is 11:45 when we have a series of three votes 
that are set up. My intention this morning is to try to move as 
quickly as we can so that we can get in as many questions as we 
can to this fine group of experts.
    Assistant Secretary Walker, if you would like to lead off.
    Thank you.

STATEMENT OF HON. BRUCE J. WALKER, ASSISTANT SECRETARY, OFFICE 
OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. DEPARTMENT 
                           OF ENERGY

    Mr. Walker. Thank you. Good morning.
    Chairman Murkowski, Ranking Member Cantwell, and 
distinguished members of the Committee, thank you for the 
opportunity to discuss the continuing cybersecurity threats 
facing our national energy infrastructure and the Department of 
Energy's role in protecting it.
    Establishing a resilient energy infrastructure is a top 
priority of the Secretary and a major focus of the Department; 
hence, our focus on cybersecurity is paramount.
    Our national security and economy depend on the 
availability of a reliable and resilient energy infrastructure. 
The mission of the Office of Electricity Delivery and Energy 
Reliability, OE, is to strengthen, transform and improve the 
resiliency of energy infrastructure to ensure access to 
reliable and secure sources of energy.
    The Secretary and DOE are committed to working with our 
public and private sector partners to protect the nation's 
critical energy infrastructure from physical security events, 
natural and man-made disasters and cybersecurity threats.
    To demonstrate our focus on the aforementioned mission, the 
Secretary announced last month he's establishing an Office of 
Cybersecurity, Energy Security and Emergency Response, better 
known as CESER. This organizational change will strengthen the 
Department's role as the energy sector-specific agency for 
cybersecurity thereby supporting our national security 
responsibilities.
    The creation of this office will build upon what we do 
today, significantly increase the Department's focus on energy 
infrastructure protection and will enable more coordinated 
preparedness and response to physical and cyber threats as well 
as natural disasters. Furthermore, the CESER Office will play 
an essential role in coordinating government and industry 
efforts to address these energy sector threats.
    The President has requested slightly more than $95 million 
in FY2019 for CESER with a focus on early stage R&D activities, 
working with our national labs to improve cybersecurity and 
resilience, to harden and evolve critical grid infrastructure. 
These activities will develop the next generation of 
cybersecurity control systems, components and devices, 
including enhancing our ability to share time-critical data 
with industry to detect, prevent and recover from cyber events.
    Our national intelligence agencies have noted the 
increasing number and sophistication of cyber threats. Our 
adversaries understand the energy sector is a valuable target 
because of the assets that the sector controls, including our 
defense critical energy infrastructure.
    DOE's role in energy sector cybersecurity was codified by 
Congress under the FAST Act. That legislation designated DOE as 
the sector-specific agency for cybersecurity. As a result, the 
Secretary of Energy is authorized upon the declaration of a 
grid security emergency by the President to issue emergency 
orders to protect or restore critical electric infrastructure 
or defense critical electric infrastructure.
    In order to properly plan for this type of occurrence, it 
is critical that we continue to work closely with our energy, 
industry and federal agency partners. In the energy sector, the 
core of critical infrastructure partners consists of the 
Electricity Subsector Coordinating Council, the Oil and Natural 
Gas Subsector Coordinating Council and the Energy Government 
Coordinating Council.
    The Energy Government Coordinating Council is led by CESER 
and DHS and it is where the interagency partners, states and 
international partners come together to discuss the important 
security and resilience issues for the energy sector. 
Collectively, we all work together under DHS' Critical 
Infrastructure Partnership Advisory Council which provides a 
mechanism for industry and government coordination.
    As a part of the Comprehensive Energy Cybersecurity 
Resiliency Strategy, the Department of Energy, working with our 
industry partners, is focusing cyber support efforts to enhance 
visibility and situational awareness of operational networks, 
increase alignment of cybersecurity preparedness and planning 
across local, state and federal levels and leveraging the 
expertise of our national labs to drive cybersecurity 
innovation.
    In conclusion, cyber threats continue to evolve and DOE is 
working diligently to eliminate and mitigate the potential 
consequences of these threats. Establishing the CESER Office is 
a result of our laser-focused attention to cyber and physical 
security.
    Our long-term vision is significant and will positively 
impact our national security. The establishment of this office 
will be the first step in the transformational change necessary 
to meet the ever-changing cyber landscape highlighted by our 
national intelligence agencies.
    Finally, I would like to highlight that the risk of 
physical and cyber threats is continually exacerbated by a set 
of circumstances that are increasingly interdependent of the 
various energy systems throughout the nation. This 
significantly increases our overall risk due to the increased 
number of penetration points that can significantly impact 
national security and economy.
    As always, I appreciate the opportunity to appear before 
this Committee to discuss cybersecurity in the energy sector 
and I applaud your leadership.
    I look forward to working with you and your respective 
staffs to continue to address cyber and physical security 
challenges.
    Thank you.
    [The prepared statement of Mr. Walker follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
        
    The Chairman. Thank you, Secretary Walker.
    Congressman Matheson, welcome.

   STATEMENT OF HON. JIM MATHESON, CHIEF EXECUTIVE OFFICER, 
        NATIONAL RURAL ELECTRIC COOPERATIVE ASSOCIATION

    Mr. Matheson. Good morning, Chairman Murkowski and Ranking 
Member Cantwell, members of the Committee. I appreciate the 
invitation to testify before you on what is a very important 
topic.
    I'm testifying today on behalf of more than 900 electric 
cooperatives who are working together to protect our U.S. 
electricity system from cyber threats. I just returned last 
night from the NRECA annual meeting with our membership and we 
also had a TechAdvantage conference, and I'm happy to share 
with you that cybersecurity was a significant topic of 
discussion of both of those meetings.
    We had several breakout sessions on cybersecurity to share 
information with our members about the latest in policy and 
technology, and our members shared with each other examples of 
what they are doing to keep their systems secure. That peer-to-
peer learning is a hallmark of the electric cooperative 
program.
    Protecting the nation's complex interconnected electric 
power system while ensuring reliable, secure and affordable 
electricity has always been a top priority for electric co-ops 
and, quite frankly, for the entire electric power industry. 
Maintaining the resilience and security of the electric grid 
requires a flexible approach that draws upon a variety of 
tools, resources and options.
    As threats and threat actors continue to evolve, so must 
the industry's capability to defend against them. The 
possibility of a cybersecurity attack affecting grid operations 
is something for which the electric sector has been preparing 
for years.
    These preparations are built on the need for a flexible 
approach and they include implementing security standards and 
technologies to protect systems, forging close partnerships to 
identify threats and solutions and to respond to incidents, 
engaging in active information sharing about threats and 
vulnerabilities, participating in industry and cross sector 
disaster planning exercises such as DOE's Clear Path and the 
North American Electric Reliability Corporation's GridEx 
biannual exercise. We also partner with DOE, the National Labs 
and other federal agencies on cybersecurity research to improve 
tools and resources needed by the industry to address these 
threats.
    Protecting the electric grid from threats that could affect 
national security and public safety is a responsibility shared 
by both the government and the electric power sector. As we 
continue working together to protect the electric system from 
cyber threats, there are a couple of areas that can benefit 
these partnerships and the sector that I'd like to highlight in 
these comments.
    First, these efforts can be enhanced through continued 
cybersecurity research and development, including support for 
developing resources for small and medium-sized utilities. The 
Rural Electric Cooperative Association is active in 
cybersecurity research programs and initiatives supported by 
the DOE's Office of Electricity Delivery and Energy 
Reliability. Strong research and development programs are 
essential to developing new technologies to keep pace with the 
rapidly changing cybersecurity threats that our industry faces. 
The DOE is our industry's primary source for federal funding to 
develop cybersecurity tools and resources.
    Currently, one of the most valuable research programs for 
electric cooperatives is the funding partnership between DOE 
and the Rural Electric Co-ops, called the Rural Cooperative 
Cybersecurity Capabilities Program, or we call it RC3 for 
short. This partnership is specifically focused on addressing 
the unique cybersecurity needs of small and mid-sized 
distribution utilities. And in addition to developing 
cybersecurity resources and tools appropriate for these 
utilities, we have provided cybersecurity training to more than 
150 of our members through the RC3 program.
    The second area I'd mention in these comments is the need 
to continue improving information sharing between the 
government and electric utilities. In some circumstances, there 
are situations where the government possesses information on 
intelligence on a particular threat or vulnerability that could 
be timely and actionable for the industry. We support efforts 
aimed at increasing electric cooperatives' access to this type 
of information, thereby helping us to do an even better job of 
protecting the grid. The FAST Act and Cyber Information Sharing 
Act from last Congress were excellent and appreciated steps in 
this direction.
    Information sharing, of course, is a bidirectional issue 
and assurances that sensitive information shared from industry 
to government will be properly protected and free of liability 
concerns when shared in good faith are also necessary. In 
addition, the government also holds information on terrorist 
activities. A voluntary process that allows utilities to have 
the FBI perform enhanced background investigation screening for 
critical employees in our industry could go a long way in 
helping to address some of the potential insider threat 
concerns.
    So again, thank you for inviting me to testify today. We 
look forward to working with Congress on these issues and 
continuing in our successful partnerships with the DOE and 
other federal agencies.
    I'm happy to answer any questions.
    [The prepared statement of Mr. Matheson follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
        
    The Chairman. Thank you, Congressman Matheson.
    Dr. Endicott-Popovsky, welcome.

STATEMENT OF DR. BARBARA ENDICOTT-POPOVSKY, EXECUTIVE DIRECTOR, 
CENTER FOR INFORMATION ASSURANCE AND CYBERSECURITY, UNIVERSITY 
                         OF WASHINGTON

    Dr. Endicott-Popovsky. Thank you.
    Good morning, Chairman Murkowski and Ranking Member Maria 
Cantwell and distinguished members of the Committee. I want to 
thank you for the opportunity to speak with you today about 
examining cybersecurity in our nation's critical energy 
infrastructure.
    My name is Dr. Barbara Endicott-Popovsky. I'm the Executive 
Director of the Center for Information Assurance and 
Cybersecurity at the University of Washington, and we are an 
NSA Center of Academic Excellence in cybersecurity as well as a 
regional resource center for dissemination of best practices. 
We convene industry, government and military around shared 
problems, but to provide context for my remarks, we're driven 
by four major ideas.
    First of all, in cyberspace everyone is your neighbor. This 
is going to require new ways of thinking about partnerships 
with military, industry and government.
    Secondly, cybersecurity involves rules and tools. While it 
came from technology, there are still humans in the system and 
there's no firewall for stupid. So, it's going to require 
policies, procedures, awareness training that's going to really 
deal with that human element.
    Thirdly, all of this is exacerbated by not enough talent. 
And I can't emphasize that enough. This is a systemic problem, 
and it is not going to be fixed with a Band-Aid. This is going 
to be equivalent to the moon shot project that we had back in 
the Kennedy era. Now, we were able to do it back then. We 
should be able to pull the resources together to do it now, but 
this is a serious problem.
    And besides that, cybersecurity is becoming a profession 
and I want to caution the Committee about balkanizing the field 
with its own definitions and its own educational procedures. 
There are differences, infrastructure to infrastructure, yes.
    I would refer the Committee to work that was done by the 
FCC CSRIC that was designed to look at how they could leverage 
existing NIST and NSA, DHS, work that's been done on 
cybersecurity educational standards and I think you'll find 
that much is already there, but there will be a delta.
    How did we get here? Certainly, cyberattacks are daunting. 
We're living through digital transformation. That's what's 
going on. And we're still clinging to mental models from the 
physical world and the information world that simply don't 
work. Cross sector collaboration, for example, is something we 
talk about, but it's not easily done because all sectors have 
their own missions. It's very difficult to get everyone on the 
same page.
    However, there's one thing we can all agree on. There is no 
cyber fire department. There is no cyber 911. In a cyber 
disaster the DoD is prepared to protect its own networks and 
maintain its mission, but who is there on the civilian side and 
the private sector side? No one.
    This vacuum is a national security threat. And toward this 
end H.R. 3712 has been proposed by our delegation that deals 
with proliferating the Cyber Civil Support teams across the 
country which is going to require extensive education of the 
National Guard so that they're prepared to do what's necessary 
in the event of an attack.
    The case of cyber war is a case of mutually assured 
destruction. Make no mistake. At some point, we're going to 
need the equivalent of the Kennedy and Khrushchev red phone and 
nuclear disarmament talks, but getting everybody to agree on 
enforcement is going to be a problem and I'm not sure that 
nation-states right now have an appetite for stepping up to the 
table. But this will have to happen so we don't mistake each 
other. This is a tragedy of the commons where a shared resource 
is used individually by users to the detriment of the whole and 
to the ruination, perhaps, of the whole.
    In addressing the talent deficit, this is a problem across 
all sectors and, in particular, with utilities. We need to be 
mindful that industry is competing for the same talent and 
their salaries are much higher. So I suggest that we consider 
ways to incentivize students to go to work for utilities 
through, perhaps, funded scholarship programs. The bottom line, 
again, is that this is no easy fix. This is no Band-Aid. We 
need commitment over the long haul to really develop what's 
necessary to transform our educational processes so that we 
prepare people adequately and quickly to do what's necessary to 
protect our vital infrastructure.
    Thank you.
    [The prepared statement of Dr. Endicott-Popovsky follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
   
   
    
    The Chairman. Thank you, Doctor.
    Dr. Sanders, welcome.

  STATEMENT OF DR. WILLIAM H. SANDERS, DONALD BIGGAR WILLETT 
 PROFESSOR OF ENGINEERING, AND HEAD, DEPARTMENT OF ELECTRICAL 
  AND COMPUTER ENGINEERING, UNIVERSITY OF ILLINOIS AT URBANA-
                           CHAMPAIGN

    Dr. Sanders. Good morning, Chairwoman Murkowski, Ranking 
Member Cantwell and distinguished members of the Committee. 
Thank you for inviting me to speak today.
    My name is Bill Sanders, and I'm the Head of the Department 
of Electrical and Computer Engineering at the University of 
Illinois at Urbana-Champaign. As was also said earlier when I 
was introduced, I've led or co-led major centers funded by the 
Department of Energy, the Department of Homeland Defense and 
the National Science Foundation for the last 12 years working 
in this area.
    I want to focus my comments today on cyber resiliency. 
Resiliency is a fundamental concept that differs from 
traditional metrics, such as reliability or cybersecurity. In 
the context of electric power, resiliency is not just about 
being able to lessen the likelihood an outage will occur, but 
it's about managing and coping with outage events when they do 
occur.
    With resiliency, we attempt, to the greatest extent 
possible, to avoid a blackout, but understand and accept it may 
not be possible to totally avoid its occurrence. Thus, we work 
to respond as quickly as possible to the event when it occurs, 
preserving critical and individual societal services during the 
period of degraded operation and over time striving for full 
recovery and enhanced robustness.
    An important new concern for the resiliency of this is the 
cyber portion of the grid and how it affects overall grid 
resiliency. The electric power system has become increasingly 
reliant on its cyber infrastructure to deliver electricity to 
consumers. A compromise of power grid control systems or other 
portions of the grid cyber infrastructure can have serious 
consequences ranging from a simple disruption of service with 
no damage to the physical components to permanent damage to 
hardware that can have long lasting effects on the performance 
of the system. Any consideration of improved power grid 
resiliency requires consideration of ways to make the grid 
cyber infrastructure resilient.
    Over the last decade, much attention has rightly been 
placed on grid cybersecurity, but much less has been placed on 
grid cyber resiliency. It's now, however, becoming very 
apparent that protection alone by cybersecurity is not 
sufficient and it can never be made perfect.
    Given the relentless attacks and the challenges of 
prevention, successful cyber penetrations are inevitable and 
there's evidence in increases of the rates of penetration.
    The resiliency goals for the cyber infrastructure thus 
require a clear understanding of the interaction between the 
cyber and conventional physical portions of the grid and how 
impairments on either side, cyber or physical, could impact the 
other.
    Specific guidance about cyber resiliency research that is 
critically needed comes from a consensus study published in 
July 2017 by the National Academies of Sciences, Engineering 
and Medicine, entitled, Enhancing the Resilience of the 
Nation's Electricity System.
    As one of the co-authors on this report, I helped craft 
seven overarching recommendations. Overarching recommendation 
number five is particularly relevant to the concept of cyber 
resilience. I'll paraphrase. The Department of Energy, together 
with the Department of Homeland Security, academic research 
teams, national labs and the private sector should carry out a 
program of research, development and demonstration activities 
to develop and deploy capabilities for the continuous 
collection of diverse, both cyber and physical sensor data, 
fusion of sensor data with other intelligence information, 
visualization techniques, analytics, restoration techniques and 
the creation of post-event rules. In summary, the cyber threat 
to grid resiliency is real. The time to act is now.
    It is critical that the Committee understand the following:
    Number one, grid resiliency is different from cybersecurity 
and requires a fundamentally new approach.
    Two, protection as a cybersecurity mechanism alone is not 
sufficient and can never be made perfect. The grid can only be 
resilient if its cyber infrastructure is also resilient. So, 
research and development are critically needed to provide 
assured mechanisms to ensure cyber resiliency.
    Three, six capabilities--continuous data collection, the 
fusion of sensor data, visualization, analytics, restoration 
and post-event tools--are critical to creating an effective 
strategy for cyber resiliency. Those capabilities can only be 
achieved if academia, industry and government work closely 
together in a focused research and development program.
    And finally, Congress should continue to fund and increase 
funding to the Department of Energy and other government 
agencies to advance this research and development.
    Thank you very much. I would be happy to answer any 
questions.
    [The prepared statement of Dr. Sanders follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
        
    The Chairman. Thank you, Dr. Sanders.
    Mr. Lee, welcome to the Committee.

  STATEMENT OF ROBERT M. LEE, CHIEF EXECUTIVE OFFICER AND CO-
                     FOUNDER, DRAGOS, INC.

    Mr. Lee. Chairwoman Murkowski, Ranking Member Cantwell and 
members of the Committee, thank you for providing me the 
opportunity to present before you today.
    I want to briefly explain my background which informs the 
testimony I bring before you. I started my career at the United 
States Air Force Academy, was commissioned and then took a 
position as a cyber warfare operations officer tasked out to 
the National Security Agency (NSA).
    While at the NSA I was tasked with building a mission to 
identify new nation-state threats breaking into environments. 
It was there that I built and led a first-of-its-kind mission 
looking at the nation-states breaking into industrial 
environments. I did so with the hypothesis that we would find 
the new threats, and we did. It was there I came to understand 
that there was a significant collection bias in the U.S. 
intelligence community and in the larger information security 
community. That means, as we typically prioritize and report on 
things where we collect and can see, but we're blind to the 
environments that we're not collecting like industrial control 
networks.
    I left to build Dragos to gain insights and develop 
technology to help people.
    Over the last three years, we've seen these type of attacks 
take place: The Ukraine power grid attack of 2015, I was one of 
the lead investigators there to solve the first-ever 
cyberattack that could halt grid operations; the Ukraine attack 
of 2016, where my firm and I helped identify and analyze 
CRASHOVERRIDE--the software that was purposely built to disrupt 
electric grids; and, in 2017 in the Middle East a more 
concerning thing to me is that a first piece of malware that 
was developed to specifically target human life was deployed. 
So with my experience in the military and intelligence 
community, training the world's defenders and leading the 
world's best against the world's worst, I want to highlight a 
few points for you today.
    First, as scary as all this sounds, our infrastructure is 
extremely resilient today. We have to do more, but I do want to 
note that there's a lot of good work happening in the 
community. My team often strives for nuance in our analysis and 
reporting on the threats, but we have observed a disservice to 
the community over the last couple decades, even the most 
casual phishing email deployed to a corporate network of a 
nuclear power plant gets headlines about cyberattacks taking 
down infrastructure and killing people. This is not accurate. 
These scenarios presented are often nonsense and full of hype 
and unintended misinformation, but the threats are real.
    Today, my firm released three reports detailing the 
industrial threats of vulnerabilities and our lessons learned 
and response. We detailed five such threat activity groups or 
teams specifically targeting industrial control networks. This 
is in addition to the much larger number of teams that are 
targeting the corporate networks of infrastructure companies 
but this specific trend is worrying.
    Equally important though, we must be careful of 
technologies and approaches which sound like silver bullets and 
they sound too good to be true. These approaches are often 
referred to in the industry as buzzwords making immense 
traction and buzz and attention when used in conversations and 
they do have an application, but they're obviously and usually 
extended far past that application. In the context of 
cybersecurity, blockchain, machine-speed automated response 
and artificial intelligence are three such examples that are 
thrown around frequently as a panacea for our problems when 
they are simply not.
    On to my second point today which is the role of 
regulation. The NERC CIP standards are often highly discussed 
topics, but it is undeniable that the efforts in the community 
to comply with these standards have made the North American 
bulk electric system the most resilient and well defended in 
the world. However, regulations serve as a base level of 
security. They're obviously on the trailing end of what is 
going on and they, in no way, can regulate the human adversary. 
Malware and vulnerabilities are not our threats, the human 
adversary is our threat.
    For that, we must take an approach that also appreciates 
the workforce development that's required. I recommend for a 
period of three to four years that no new regulations be 
imposed under NERC--it would allow companies to catch up with 
current regulations as well as identify the threat landscape 
before them and come up with their own best practices for the 
type of innovation that we need for industrial-specific 
networks.
    On my third point my recommendations for DOE's CESER. 
First, provide multi-year funding and greater operational 
support to efforts that are prioritized to make foundational 
changes to the fundamental risk. Consequence-driven, cyber-
informed engineering is one of those programs that's been 
highlighted that I think very kindly of. It is in no way going 
to fix everything, but it is foundational and so, our grid 
security.
    Second, CESER should serve as the key team focused on 
deduplicating efforts in the DOE and their labs by being keenly 
aware of what is already taking place in the private sector. 
There is never malice or intentional overlap, but at the speed 
and rate of innovation in the private sector as well as the 
sheer volume, overlap can take place that has unintentional 
overlaps and competitive issues will emerge.
    Third, with a stated mission of focusing on addressing 
emerging threats, realize and appreciate the best insights and 
intelligence on threats or in the community and the companies 
that are being targeted. The private sector companies, like 
Dragos, as well as the community members like the electric 
ISAC, the downstream natural ISAC and the others, have a keen 
insight in that threat landscape today and partnering with 
teams like CESER will ensure that they do not recreate efforts, 
but that we all achieve the same goal of providing security to 
our infrastructure.
    I sincerely want to thank the Committee for providing me 
the opportunity to testify today and will welcome any questions 
and additional information to help support the safety of our 
families, communities and each other.
    Thank you.
    [The prepared statement of Mr. Lee follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
   
     
    The Chairman. Thank you, Mr. Lee.
    Thank you all. We appreciate your testimony this morning. 
We will begin with a round of questions.
    Senator Cassidy has to go preside in another Committee, so 
I am going to defer my questions, and you may proceed.
    Senator Cassidy. Thank you, Madam Chair.
    Mr. Walker, there is a book, Black Swan, by Nicholas Taleb, 
and one of his premises is that the more complex organizations 
become, the more vulnerable they become to a black swan event, 
that which is two standard deviations beyond the norm but just 
totally brings things down--think the financial crisis of 2007.
    Part of your testimony spoke of the interrelatedness of all 
of our systems. I never pronounce it correctly, MISO or meso, 
but that network which takes electrons all throughout the 
middle part of our country. Do we have such increasingly 
complex energy systems that we are prone to that black swan 
event, you see where I am going with this?
    Mr. Walker. Yes sir, and thank you for the question, 
Senator.
    I believe that, as I did mention in my testimony, the 
interdependencies that are resulting through the retirement of 
many fuel-shored coal and nuclear plants that are being 
replaced with natural gas plants, has placed a significant 
interdependency of the electric generation system upon the 
infrastructure that supplies and supports the gas 
infrastructure throughout the United States.
    And to that end, I have been working with the labs to 
actually do a single point of failure analysis of the gas 
infrastructure system in order to understand the overall impact 
on the generation components that are impacted on the 
electricity system.
    Senator Cassidy. I hear what you are saying, but the basis 
of my question is should we fear this interdependency?
    Mr. Walker. I believe we need to understand the 
interdependency which is why the first goal of my department is 
the building of a North American, fully integrated model that 
highlights the interdependencies and is able to do an N-1-1-1 
analysis to demonstrate what the interdependencies are and 
therefore define the complexities to determine what the 
mathematical, the two-standard deviation impact is away from a 
secure network.
    Senator Cassidy. I am not sure you are answering my 
question because it does seem as if within that you acknowledge 
that we should fear, but you are just trying to prepare us as 
much as possible to insulate that highly complex system from 
that two-standard deviation event.
    Mr. Walker. I guess I don't fear it. I need to understand 
it.
    Senator Cassidy. Got it.
    Mr. Walker. And my----
    Senator Cassidy. Okay.
    If I don't get this quite right, ma'am, but Dr. Endicott-
Popovsky, I occasionally stutter, so I apologize.
    You said everybody is our neighbor, but Mr. Lee said that 
really we are reasonably, I don't want to misquote or overstate 
but, secure within the energy sector. But if everybody is our 
neighbor and we have an Internet of Things and somebody's 
little modulator on their thermostat back home, can that sneak 
all the way in and disrupt our grid? And what if that 
thermostat is in Spain or Mexico or China, can it similarly do 
it because from what you said they are our neighbor?
    Dr. Endicott-Popovsky. When I spoke about everybody is your 
neighbor in the online world and in cyberspace, I'm speaking in 
a high level, metaphorically. And theoretically what you're 
talking about is possible.
    Certainly what the gentleman from Dragos was talking about 
with the adversaries that we face, there are individuals out 
there that are spending overtime and double time to figure out 
just those kinds of scenarios. And we should make no mistake, 
we have allowed, in my opinion, our valuables to sit on a table 
in the kitchen with our back door open without thinking about 
what that invites.
    And so----
    Senator Cassidy. Now, that is a little bit contra to what 
you said, Mr. Lee, in which you said, don't sit on laurels, but 
we are not as quite as incredibly, you know, our valuables are 
not necessarily on the table, at least when it comes to the 
energy grid.
    Would you accept that or----
    Mr. Lee. So, I would not disagree that we are 
interconnected in a way that opens up new risk, but I think my, 
sort of, point was the fact that every single thing that occurs 
gets messed with headlines that everybody is going to die. And 
I think that does a disservice to the amount of work that the 
energy community has put into our infrastructure----
    Senator Cassidy. Then that brings me to Dr. Sanders' 
comment in which you suggest that we are not having this. 
Implied in your conclusion was that we are not having this 
academia, industry, government working group to find solutions, 
are we not?
    Dr. Sanders. So, we are having that. There are, actually 
funded by the Office of Electricity (OE), there are efforts 
going on that are combining together academics, industry people 
and government. Some of the nice programs that have been run by 
OE, so-called industry projects----
    Senator Cassidy. I am almost out of time so I gather that 
we are, you just, perhaps, have more of it.
    Dr. Sanders. We are doing it. We need more of it----
    Senator Cassidy. Last thing.
    Ma'am, you have raised working group and I had, somehow, in 
the back of my mind in Washington State that you all had a 
bill. I don't know if it was implemented, that you would allow 
computer programming to be used as a substitute for a foreign 
language requirement in your primary and secondary school. Do I 
remember that? And if so, was it implemented? And if so, what 
are the results?
    Dr. Endicott-Popovsky. I will get back to you with that 
answer. I recall that that was proposed, but I will get back 
with you, sir, with that answer.
    [The answer to Senator Cassidy's question appears on page 
152 at the end of the hearing.]
    Senator Cassidy. Sounds great. It just sounds great to me 
because no one who ever studied French in school ever learned 
French, on the other hand, in fact, I am not sure they know 
where France is.
    [Laughter.]
    But if they learned how to use even Excel or Python, 
wouldn't we be better off?
    Dr. Endicott-Popovsky. I agree that we need to be looking 
from an educational perspective down into the K-12 arena, 
absolutely.
    Senator Cassidy. Okay.
    Madam Chair, I thank you for deferring.
    The Chairman. Thank you, Senator Cassidy.
    Senator Manchin.
    Senator Manchin. Thank you, Madam Chair.
    I would just like to say also that Latin was not much 
experienced later either.
    [Laughter.]
    I am thinking I had two years in high school and still 
can't speak a word of it.
    Thank you, Madam Chairman and Ranking Member Cantwell, for 
having this important hearing. I would also like to thank each 
one of you, the witnesses, for appearing here today.
    It is nice to see Congressman Matheson, and we appreciate 
your appearance here. I believe it is your first in this 
capacity. During your time in Congress you were known for your 
bipartisanship which we miss very much. That is one of the many 
reasons I have no doubt that the Rural Electric Cooperative 
Association is in very good hands, sir.
    We have held several cyber hearings this year, including 
the Subcommittee on Energy on which I serve as the Ranking 
Member, alongside Chairman Gardner. As we discussed previously, 
new digital technologies have increased energy efficiency and 
allowed for enhanced customer experience. However, increasing 
our reliance on these platforms also leaves us more vulnerable 
to cyberattacks. It is not a question of if, but a question of 
when.
    With that in mind, my home State of West Virginia, as all 
of you know, I think, continues to be a net exporter of energy. 
That means that our neighbors really depend on us for reliable 
electricity which coal and natural gas produces on a regular 
basis. I cannot stress the importance of reliable transmission 
of energy is our way of life, and I am concerned about our 
security every day.
    I applaud the ongoing work by the Department of Energy and 
Department of Homeland Security, Mr. Walker, but I also want to 
make sure we can eliminate our energy sector's vulnerabilities.
    As a member of the Senate Intel Committee, I consider these 
cyber hearings vitally important and I am very, very 
appreciative that we are having this hearing.
    Congressman Matheson, I would ask, what has been the single 
most helpful strategy or approach for your members to prepare 
for and mitigate the risk of cyberattack? What do you think 
that you all have been able to do to assist the Department of 
Energy and any of our other agencies?
    Mr. Matheson. The answer starts with the word partnership 
and we've had excellent relationships in terms of working with 
the Department of Energy and developing, as I mentioned in my 
opening comments, the program we call RC3, which is a program 
that we put together to train our co-ops. It's really a toolbox 
of different options that they can use to do a self-assessment 
of their circumstance at their co-op, identify potential 
vulnerabilities and risks, share best practices with each 
other.
    And it's, sort of, a self-improvement process as well, 
continuous improvement dynamic because this threat is evolving 
every day, as we've all discussed, and it's something that we 
recognize that wherever we are today, we've got to get better 
by tomorrow. And that's been a significant play for us through 
these smaller utilities, you know?
    Senator Manchin. Yes.
    Mr. Matheson. We need a program that recognizes the small, 
medium-sized utilities and the fact that the Department of 
Energy recognized as well and help fund this effort.
    And I might mention, this effort was not just done with the 
Rural Electric Co-ops, it was also done with the municipal 
utilities as well. I think that's been an important program, 
and that's a specific answer I give to your question.
    Senator Manchin. Let me say this, I have been told by my 
utility producers, whether they be electricity by coal-fired 
for baseload or whether it be our natural gas in all the 
pipelines, that we are building and pumping stations. I am 
concerned about the vulnerability. I have been able to go up 
myself, with maybe just a little gate or a little fence around 
it.
    Mr. Matheson. Yeah.
    Senator Manchin. The pumping or our transmission, I would 
guess. I would ask each one of you, and I will start with Mr. 
Lee. What keeps you up at night and what are you worried about, 
because I see vulnerabilities it would not be hard to attack by 
any of us?
    If our pumping stations go down most of the East Coast is 
in trouble. If our transmission lines go down and our big 
transfer stations, which are not all that foolproof.
    So, if you could tell me, Mr. Lee, what are you concerned 
about and what do you think we need to do for the next step?
    Mr. Lee. Thank you, Senator, for your question.
    I'm extremely concerned about the disparity between our 
industries. So I often like to applaud the electric industry, 
specifically, but that does not equate to every other industry.
    I think the threats are far more, sort of, aggressive than 
people realize, but not as bad as they want to imagine. And in 
there is that nuance we have to capture.
    I've been in manufacturing facilities, small to medium-
sized co-ops, gas locations that are vital to critical 
communities where not even the basics of security have been 
done. So, there is this back and forth we have to address.
    So I'm concerned about that, and I'm also concerned about 
some of the smaller events and our ability to respond to them. 
I'm very confident the U.S. Government has a response if a 
major cyberattack were to occur.
    Senator Manchin. Okay.
    Mr. Lee. But what about a 30-minute power outage in DC?
    Senator Manchin. Yes.
    Mr. Lee. That's something that brings me, sort of keeps me 
up at night at how we respond.
    Senator Manchin. Mr. Walker, if I could go to you real 
quickly on this. I know we are concerned about the cyberattack 
and what cyber can do and shut down with a person from far 
away. I am concerned also about the hardened attack that can 
occur.
    Mr. Walker. Sure.
    Senator Manchin. What you all have been doing there and 
making sure utilities are strengthening their position to 
protect?
    Mr. Walker. Thank you for the question, Senator.
    Specifically, what keeps me up at night in relation to this 
is the actual physical security component and, to that end, our 
Department has worked with our security department that does 
the evaluations of our NNSA sites. We are extrapolating upon 
the work that has been done extensively by the national labs 
and our security sites to bring it into and we're using our 
PMAs which are federally-owned, as the test bed for the proving 
ground to utilize the physical security strategies, if you 
will, developed mostly by the Sandia labs to employ them on 
both the gas, electric and oil infrastructure throughout the 
United States.
    Senator Manchin. Thank you.
    My time has expired. I wish I could hear from all of you, 
but if you get a chance, just chime in when you can.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator Manchin.
    Senator Gardner.
    Senator Gardner. Thank you, Madam Chair, and thanks to the 
witnesses for being here today.
    It is a critical issue, obviously. As we speak, the 
Colorado Department of Transportation is actually dealing with 
a cyberattack now. It has gone through several days' worth of a 
SamSam ransomware attack that has shut down the Colorado 
Department of Transportation computers within the Colorado 
Department of Transportation for days.
    So this isn't just something that we should worry about for 
tomorrow. This is something that we should have been worried 
about a long time ago and were worried about a long time ago 
and need to worry even more about how we address this today so 
that we can prevent these kinds of things from spreading even 
further into hospitals and to roads and to other places.
    Thank you for being a part of that solution and bringing 
these ideas forward, because you were worried about this a long 
time ago. You are worried about it today and a part of the 
solution going forward and I thank you for that.
    Congressman Matheson, if you don't mind, I enjoyed serving 
with you in the House. You and I are affectionately referred to 
as House broken, being in the House and having that experience.
    [Laughter.]
    But we have talked a lot with our folks back home in 
Colorado, the co-ops and others, about the challenges they face 
in cyber.
    Would an expedited security clearance process address your 
need for enhanced background checks and would having more 
cleared personnel improve the flow of specific additional 
information? For example, we had a hearing, I believe it was 
last Congress, where somebody said that they were told by a 
security audit that they had a piece of equipment that would 
not pass federal standards, but they were then told that they 
could not tell them what that piece of equipment was because 
they did not have the right clearance.
    Mr. Matheson. Right.
    No, you've raised a really important issue and that is the 
internal threat, the human threat. And what we propose, and 
it's not just the co-ops of the electric industry in general 
that feels this way, is we would like access where we could 
have FBI background check clearance to really check on key 
employees. Although, the industry is willing to pay for that 
and we don't even want the information, the personal 
information, the FBI can keep that, but we would like to have 
that capacity to have key employees go through that security 
check process.
    I think that would be important risk mitigation for the 
utility industry and to having better confidence in the people 
that have access to sensitive information.
    Senator Gardner. Thank you for that.
    For those members that do have clearances, do they have 
difficulty trying to find or accessing classified briefing 
space? Is that a problem as well or----
    Mr. Matheson. Yeah, there is a question about timing in 
particular, more than ultimately gain access. And I think that 
we're always looking to improve, but there's no question that 
if we could find efforts for timely information to get to us in 
a way that we can act on it in a reasonable way when we have a 
threat. That always should be the goal.
    And yes, we need to improve----
    Senator Gardner. You can't just pick up the phone, on a 
regular unsecured line, and talk to the general manager of 
Highline Electric or something like that.
    Mr. Matheson. You got it.
    And we're trying to figure out, you know, this is a two-way 
street to how this information goes.
    Yes, we want access to information from government sources 
in a timely way where we get that confidential information. We 
also need to get that information to the government. We want 
some protections about how that sensitive information is going 
to be used when it goes in that direction as well.
    Senator Gardner. Great.
    Mr. Walker, I have a couple minutes here so I want to get 
to you as well.
    In your testimony, you talk about defense critical energy 
infrastructure which was defined in the FAST Act. Can you 
explain what DOE is doing to address Defense Critical Energy 
Infrastructure (DCEI)?
    Mr. Walker. Thank you for the question, Senator.
    The--I want to note that I think it was an astute 
observation by the Congress to include the DCEI in the FAST 
Act. Upon taking office in DOE, one of the first things I did 
was focus in on that point that was raised by the FAST Act.
    To that end, I did a significant amount of research--my 
team and working with members from the Department of Defense, 
DHS, the Army Corps, RPMAs, particularly WAPA, as well as other 
members in the key stakeholder groups--we developed a strategy, 
an operational strategy, that will enhance our ability to 
ensure that when those defense critical infrastructure are 
necessary to be utilized, that they'll be available, 
notwithstanding what the impact is to the rest of the grid 
throughout the United States. And we continue to work on that 
diligently with our federal partners and our industry partners 
to focus on that.
    And if I may, I'd like to comment on the previous 
question----
    Senator Gardner. Great.
    Mr. Walker. ----to Congressman Matheson.
    Earlier this week, DOE, I chair and DHS chairs the Energy 
Government Coordinating Council and with regard to clearances, 
one of the things that was a key takeaway from that meeting is 
the clearance process and getting an expedited process is 
important, but I think what's more notable and what I focus the 
organization on, in conjunction with DHS, was we need to 
provide timely and actionable information to the energy 
partners that we have in both the ESCC and the ONG.
    And it's really about that action, very black and white. 
You either need to act on this or you don't need to act on that 
and we need to figure out how to declassify information enough 
to be able to provide that guidance so that we won't get caught 
into this clearance issue.
    So that's one of the key takeaways that we're working on 
diligently as well, Senator.
    Senator Gardner. Great. Thank you, Mr. Walker.
    Thanks to all of you, and I yield my time.
    The Chairman. Terrific timing, thank you, Senator.
    Next, we will turn to Senator Hirono.
    Senator Hirono. Mr. Lee, did I hear you correctly when you 
responded to an earlier question that we are prepared to 
respond adequately if there is a major cyberattack? And did you 
mean a major cyberattack on our energy infrastructure?
    Mr. Lee. Yes, ma'am.
    So with that discussion, I think that the U.S. Government 
is more well-positioned on a major cyberattack than it would be 
on a smaller cyberattack was my----
    Senator Hirono. No, but are you talking about with 
particular reference to the energy infrastructure that we are 
prepared to respond so that we can keep our energy 
infrastructure going?
    Mr. Lee. No, Senator.
    So, the response is on the private sector. I think the 
belief structure that U.S. military or others are going to go 
on civilian networks is misplaced. I'm referring to the 
geopolitical and, sort of, diplomatic response that we would be 
able to have.
    Senator Hirono. Well, it is just that I just came from an 
Armed Services Committee hearing with General Nakasone, who is 
a nominee to lead NSA and Cyber Command, and he did--now there 
is general acknowledgement that we have not responded to 
various, particular state-sponsored cyberattacks on OPM, for 
example, in other ways.
    That is why I wanted to get clarification from you as to 
exactly what you meant when you said that you thought we were 
prepared to respond. According to General Nakasone, we are not 
quite there.
    I wanted to further ask you, Mr. Lee. As our control 
systems become more complex, and you were asked this, and 
perhaps we have become more vulnerable to attacks. So on the 
other hand, perhaps, technical advances could potentially make 
state-of-the-art security technology, we can incorporate state-
of-the-art security technology such as advanced encryption 
algorithms and other measures to protect our systems.
    So, in your opinion, is progress being made to ensure that 
industrial control systems are more secure as the technology 
becomes better or are we losing ground because these systems 
are becoming more complex and inherently more vulnerable to 
advanced persistent cyber threats?
    Mr. Lee. Thank you, Senator, for your question.
    I think it's definitely a race that we're also introducing 
new risk while they become more verbose in their capabilities. 
Some systems that were never designed to do certain things now 
have those capabilities built into them and they shouldn't. At 
the same time, though, we are making a lot of progress in the 
sector.
    So, I think it is, sort of, in this position where we're 
increasing risk. We're increasing security, but we have to do 
more of the security to offset that risk.
    Senator Hirono. I think you also testified that our 
infrastructure, and I assume that's our energy infrastructure, 
is quite resilient at this point so that, particularly on the 
electric side, they have done a lot to protect themselves----
    Mr. Lee. Yes, and I think there is still balance there that 
we didn't have a lot more we need to do, but I think that we 
should not be so careful, or we should be careful and sort of, 
just say that they haven't done anything which is inaccurate.
    Senator Hirono. Yes, I understand.
    Mr. Walker, you describe the DOE's work with industry in 
developing the voluntary Cyber Risk Information Sharing 
Program, or CRISP, as a way of monitoring and managing the 
security and resiliency of the electric grid.
    I would imagine a utility may not be inclined to 
voluntarily report a cyber incident that may have exposed a 
weakness in their cybersecurity posture. If they are not 
required to share that kind of information, how forthcoming do 
you believe utilities have been in sharing sensitive 
information relating to cyber risks that they are confronting 
on a daily basis? And in your view, is there a way to induce 
and encourage greater participation in programs such as CRISP?
    Mr. Walker. Thank you for the question, Senator.
    I believe that the partnership that we have between the 
electricity sector, Coordinating Subsector Coordinating Council 
and the Oil and Natural Gas Subsector Coordinating Council is 
extremely strong and it continues to get stronger, particularly 
as we work through the Government Coordinating Council to 
integrate that information with DHS.
    So I believe the industry is completely forthcoming, just 
like we are completely forthcoming with that bidirectional flow 
of information, both classified and unclassified.
    You know, this is an ongoing evolution and a partnership 
that we all understand that we need to work together. The 
integration of both the oil and natural gas as well as the 
electric industry into an overall system of energy that's 
highly dependent upon each other has driven us to work together 
over the years and we continue to progress that.
    In fact, today we're meeting at DHS for the C-PAC to 
further work between government and our energy partners.
    Senator Hirono. So the voluntariness of this program is not 
preventing the utilities from fully participating and 
cooperating in----
    Mr. Walker. Not at all.
    The limiting factor has been the cost of the implementation 
which is why we've been working very hard. We're going to 
continue to work hard with NRECA and the APPA to further embed 
this.
    You'll note in my testimony, I said about 75 percent of the 
utility customers throughout the United States are covered by 
that. Our goal is, obviously, 100 percent. And we need to work 
harder, and we are working, to develop cheaper solutions, more 
cost-effective innovation in our labs for the sensing 
technology that's necessary to effectuate the CRISP program.
    Senator Hirono. Thank you.
    So continuing research in this area is really important and 
to provide those resources.
    Mr. Walker. Absolutely and we are doing that.
    Senator Hirono. Thank you, Madam Chair.
    The Chairman. Thank you, Senator Hirono.
    Assistant Secretary Walker, let me ask you this.
    With the restructuring and the division now between the 
Office of Electricity Delivery and now this separate Office of 
Cybersecurity with its own Assistant Secretary, there would be 
some that would argue that so much of this is just intertwined, 
the issues of electricity delivery and energy reliability are 
not distinct, they are very much intertwined. Then you have the 
reality that we are talking here about how we can design 
cybersecurity into every aspect of system operations so that an 
entirely separate office might be actually counterproductive.
    Now I am not saying that I am one of those skeptics, but I 
do think it is important, as the Committee that is looking at 
that, that you share with us the rationale for this separate 
office and the response to those who might say it is a little 
bit counterproductive to have it separate.
    Mr. Walker. Thank you, Senator Murkowski.
    I think that's an excellent question and being part of the 
decision-making for doing this, I'd like to answer this.
    Number one, in taking this position and looking across all 
of the different departments that I'm responsible for and 
understanding what was set forth in the FAST Act and really the 
focus of cybersecurity and given the fact that the FAST Act 
designated DOE as the sector-specific agency. That is a 
significant undertaking, and I've done the analysis myself as 
to what work is necessary.
    As I mentioned with Senator Gardner, the DCI component, 
just that strategy alone and identifying and working through 
the defense critical energy infrastructure, is a significant 
undertaking both in breadth and depth.
    Now the way I would specifically delineate how the two are 
intertwined in one concept but very distinct in the others is 
the whole idea of the CESER program is to be actionable, near-
term and highly responsive today. So things like DCI strategies 
are things that are actionable today and need to be done. 
However, I would note that the remaining portion of OE that I 
will be leading focuses on the longer-term solutions so just 
because we solve and have an operational strategy to make the 
system work for DCI today, having a longer-term strategy that 
looks at different R&D capabilities, different design 
strategies, is really what the focus of the OE Department is 
going to be.
    And I note, Senator Murkowski, I'm taking the opportunity 
to change the name of my department because both you and I 
struggle with it every time we're here.
    The other part of the OE component which is very, very 
significant and a massive undertaking is the development of the 
North American model, an energy sensitive model that is able to 
do enhanced analysis, to do contingency analysis to understand 
what the next worst case is when a significant infrastructure, 
whether it be gas or electric or petroleum, goes offline to be 
able to do real load following analyses with a high integration 
of interdependency analysis. That work will drive and 
fundamentally change the way that we make investments in our 
infrastructure throughout the entire United States and it will 
change the way markets are driven and it will change the way 
that we look at reliability, make investments in operation and 
maintenance. So that will be work that will be done in that OE 
Department and that's a significant undertaking that we've laid 
out the strategy for as well.
    The Chairman. You have your work cut out for you.
    I am going to defer my time and go to Senator King and then 
we will go to Senator Daines.
    Senator King. Thank you.
    Mr. Walker, welcome back to the Committee. You were here 
not long ago, and we are glad to have you back.
    Mr. Walker. Thank you, sir.
    Senator King. Napoleon said, ``War is history.'' Freud 
said, ``Anatomy is destiny.'' King says, ``Structure is 
policy.''
    I welcome the new office because I think you are creating a 
structure that will facilitate good policy in this area because 
without some area of responsibility in the department that 
focused, specifically, on the problem of cybersecurity and 
resiliency, I am afraid the response and the planning and the 
programs will be diffused and unfocused. So I hope that you 
will move quickly to facilitate the formation of this office 
and to get it, to stand it up so that it can meet its urgent 
purpose.
    Mr. Walker. Yes, sir, that's the goal.
    It's important for us which is why the Secretary announced 
it and, you know, one of the things I learned early in my 
career is you design organizations around process and how you 
want to drive the policy. And that was part of the 
distinguishing factor in establishing this Department, 
specifically for cybersecurity. And you'll note the second 
part, which is energy security which incorporates that closely, 
you know, type, physical component which is absolutely 
necessary for us to focus on, particularly as the 
interdependency exacerbates our risk.
    Senator King. Now the problem here--and this is not your 
problem, this is an all-of-government problem and I just came 
from a hearing in the Armed Services Committee with the nominee 
to head Cyber Command--is that this country lacks a coherent 
strategy of deterrence in the cyber realm. You can argue, we 
are either at war now or a war is imminent in terms of 
cyberattacks on this country, small and large. And yet, we have 
no deterrent policy. Our adversaries feel there is no cost to 
their attacking us in a variety of ways, large and small.
    So, again, this is not your responsibility, but I hope that 
in the councils of government as you are discussing these 
matters, we cannot simply rely on defensive measures. We cannot 
keep patching software.
    Ultimately, people who are making a calculation as to 
whether to attack us have to believe there will be a response, 
whether in the cyber field or sanctions or some other area, but 
this is something that I am urging everyone. I don't have the 
Secretary of Energy or the Secretary of Defense or the 
President sitting here, so you are it. I hope you will take 
this message back, because without a deterrent strategy we are 
simply sitting ducks and there will be, not maybe, there will 
be an attack unless we can deter our adversaries. I hope you 
will take that message back.
    Mr. Walker. Yes, sir, I will.
    Senator King. Thank you.
    Mr. Lee, you did some analysis on the Ukraine attack, is 
that correct?
    Mr. Lee. Yes, Senator.
    Senator King. Rolling out of the response to that, Senator 
Risch and I have introduced a bill that is here that 
essentially is a back to the future bill because one of the 
learnings, I understand, from the Ukraine attack was that they 
had some places where there were analog switches and there was 
human intervention that enabled them to recover more swiftly.
    Our concern is that if we are totally digital that there, 
as you, I think, testified a few minutes ago, there may be 
unintentional provisions in there that allow us to not be 
resilient and we have asked the national labs to look at some 
of these ideas. Is that something that you think makes sense?
    Mr. Lee. Thank you for your question, Senator.
    And yes, I do. I was actually able to provide some comments 
to the House companion for that. I thought it was very well 
positioned. I thank you for your leadership on it. There are a 
lot of----
    Senator King. I did not know you were going to say that, 
but I am delighted.
    Mr. Lee. Yes, sir. So, teed up.
    [Laughter.]
    But there is a lot of functionality we're putting in that 
doesn't make sense. This is not to say we need to go back, sort 
of, to the Stone Age. We cannot stop innovation and we should 
not. I mean, a lot of optimizations make sense for the 
businesses that run, but there are certain locations and 
certain functions of protection equipment and safety equipment 
that doesn't need to be able to run minesweeper and solitaire 
on it. They can do a more basic function which, in a sense, 
makes it a much more difficult information and tax base for the 
adversary.
    So I do think it makes a lot of sense in the right 
application.
    Senator King. Well, I hope we can. I hope, Madam Chair, 
that is a bill we can move.
    Again, talk to the national labs, instruct the national 
labs to work on this concept of where in the system, not the 
entire system and not taking it back, but where in the system 
could we place some of these elements that would be more 
rudimentary, if you will, but would protect us from a 
catastrophic cascading of software.
    Mr. Walker, I hope that you can, and I am out of time, but 
I hope that you will get back to us with thoughts as you are 
standing up this office.
    And one of the critical points here is the relationship 
between the government and the private sector. We don't run the 
electric grid. We can only help work with the utilities to do 
so.
    And to the extent that there are impediments to full 
coordination and cooperation, in other words, things like 
utilities concerns about liability or costs or how do we do 
this in a way that is not the heavy hand of government, but is 
a cooperative relationship.
    What I am asking you is, if you observe and develop, and I 
would ask this question also to the electric cooperative and to 
the utility industry, generally, if there are impediments here, 
please let us know what they are so that we can try to address 
them, because this is a crucial issue and it has to be close 
coordination without smothering is, I guess, the way I would 
put it.
    Mr. Walker. Sure.
    And thank you for the point and I surely, if I run into an 
impediment, I have not seen one yet, we have a fantastic 
relationship with EEI, APPA and NRECA and then working through 
the ONG Coordinating Council and the Electricity Subsector 
Coordinating Council.
    You know, we work through these issues. And the great part 
about these forums is we've all got the same and similar 
mission. We approach it from different angles, perhaps, but 
we've got, the mission is to make sure that the energy 
infrastructure is available when needed. And fortunately, we 
have great partnerships with those members.
    Senator King. I am out of time, but with the Chair's 
indulgence, I hope one of your elements of your work will be 
red teaming so that you can demonstrate to utilities where they 
have problems.
    Mr. Walker. Yes, we are.
    We're taking a very progressive, proactive approach on many 
of these issues.
    Senator King. Thank you.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator King.
    Senator Daines.
    Senator Daines. Thank you, Chair Murkowski, for this 
hearing. I know that cybersecurity and the protection of the 
electrical grid has been an important issue for this Committee, 
and I hope we continue to press on it and do find some good 
solutions to secure our grid. As you all know there are many 
threats to the grid.
    I first want to thank all the witnesses today for working 
hard to continue to keep the lights on. Mr. Matheson, it's good 
to have you here today, back on the Hill.
    Mr. Matheson. Thank you.
    Senator Daines. We served together in the House and I have 
said the rural co-ops when they, the electric co-ops, when they 
come to my office once a year, I am not sure there is a better 
organization that represents a true cross section of our state 
and is closest to I call it, kind of, the real Montana, as our 
rural electric co-ops. I mean that sincerely.
    Mr. Matheson. And that sure sounds good to me.
    Senator Daines. Yes, but it is true, you know, when in 
doubt speak the truth, my mom and dad always told me.
    Mr. Matheson. Thank you.
    Senator Daines. I do believe our rural co-ops are on the 
front line in the defense of our grid, especially in rural 
states like Montana.
    Mr. Matheson. Yeah.
    Senator Daines. But for the most part the co-ops you 
represent do not have a lot of excess cash to spend on research 
or new expensive technologies. And further, there isn't one 
single solution as we know, in fact, I have quoted Senator King 
when you said, ``There's no such thing as a silver bullet, 
maybe silver buckshot.'' I think that is one of the best 
takeaways I have had in a long time.
    Senator King. Thank you, sir.
    [Laughter.]
    Senator Daines. Thank you.
    Because co-ops are as diverse as any other business and 
they span great distances, particularly in rural states like 
Montana.
    Mr. Matheson, do you have examples of some of the efforts 
that co-ops are doing to address these challenges and how our 
co-ops in Montana are working to protect local grids?
    Mr. Matheson. Well, thank you, Senator, and you are correct 
that there is a diverse set of circumstances of the over 900 
electric co-ops in America. They're in very different 
situations. Some are large. Some are small. Some have great 
dispersed geographic areas. Some are more confined. So it's 
definitely, there's not a one-size-fits-all. We preach that 
often within the co-op community.
    When it comes to the cyber threat there is one way I would 
delineate between two categories of co-ops. There are about 120 
co-ops in this country that really are connected really in the 
bulk electric system and that is an area where the need to 
comply with the NERC reliability standards and cybersecurity 
standards comes into play. And it's where the real threat to 
the grid exists, if you will. And those electric co-ops are 
subject to the NERC audits. They are subject to that 
regulation. They perform well in that regard and that's where 
we like to use operational threats, that's where the co-ops 
have, that set of co-ops, that set of co-ops have dealt with 
that type of circumstance.
    The other co-ops are the smaller distribution co-ops. 
They're not necessarily directly with the bulk electric system 
and a lot of the cyber threats that they see are more on the 
information side, you know, on the personal information, 
they're trying to hack in to get a social security number 
whatever that might be.
    And so, in that situation, again, we have large, small but 
what we try to do is create a peer-to-peer relationship where 
co-ops can compare, they can consolidate and share assets in 
terms of taking on these threats because you said some of them 
don't have a lot of extra money laying around.
    And that's really what cooperatives are about. It's in 
their name. They cooperate with each other. That's how our 
sectors really try to take on this issue, even across the 
diverse set of circumstances we have, we have a really 
coordinated effort to make sure that we're sharing best 
practices with each other to take on the cyber threat.
    Senator Daines. Regarding the cyber threat, I recently 
introduced the Cyber SAFETY Act which would, I think, 
incentivize----
    Mr. Matheson. Yeah.
    Senator Daines. ----the private sector and generally we are 
better off served with carrots versus sticks----
    Mr. Matheson. Yeah.
    Senator Daines. ----to incentivize the private sector to 
innovate and commercialize the next generation of cybersecurity 
technologies. Could you discuss how that bill might help rural 
co-ops?
    Mr. Matheson. The rural co-ops and, I might add, the rest 
of the electric utility sector, support this bill. It's an 
important bill for a number of reasons.
    One is it removes an impediment that was in the original 
Safety Act from sharing information where before we could 
share, events had to be described as, declared as acts of 
terrorism by Homeland Security. And this legislation that you 
have introduced removes that requirement and it will facilitate 
greater information sharing between the utility sector and the 
relevant federal agencies.
    The effort to produce more innovation in this area is 
something we strongly support, and I think it's a step that 
would go in the right direction.
    Senator Daines. Thanks, Mr. Matheson.
    The Chairman. Thank you, Senator Daines.
    Senator Smith.
    Senator Smith. Thank you very much, Madam Chair, for this 
hearing and thank you, Ranking Member Cantwell. I am just also 
very much appreciating your testimony today.
    Senator Daines, you and I share an interest in rural 
electric cooperatives, so I appreciate your questions on that 
as well. Thank you, thanks very much.
    I wanted to just touch quickly on a couple of things. By 
now we have all seen the conclusion of the United States 
intelligence community that the Russian government has engaged 
in cyberattacks intended to sway the outcome of our election. 
We also know that Russia has previously targeted energy 
systems, twice taking down portions of the Ukrainian grid in 
'15 and '16. And this is in addition to cyber events taking 
place in the American energy sector such as the Russian malware 
that was found on the computer of the Vermont utility. Senator 
Kaine touched on this with our need for a deterrent strategy 
for cyberattacks.
    But Mr. Lee, I was struck by a point in your testimony that 
I would like you to elaborate on a little bit where you said, 
``We do not understand the industrial threat landscape and we 
do not have enough trained professionals focusing on industrial 
control cybersecurity.'' Could you just touch on that briefly 
and also suggest what, if anything, the Federal Government can 
do to address this shortage of cyber professionals in the 
energy sector?
    Mr. Lee. Thank you, Senator, for your question.
    It comes down to an aspect of collection. So, going back to 
the co-op discussion. I know of a number of co-ops that have 
told me, well, we don't have cyber threats in our industrial 
networks. And I'll ask, well, have you ever collected or looked 
inside those networks? And the answer will be, well, no. Then 
how would you know that they're not there because I've 
absolutely seen nation-state level threats going into those 
environments. And oftentimes, utilities and others will say, 
well, I'm not a good threat, but that's the one thing you don't 
get a vote on. I mean, I've seen adversaries training in those 
environments, if nothing else.
    I think it's important to address that our lack of 
understanding of that threat landscape translates to also how 
we are trying to defend against these attacks. A lot of our 
best practices and standards and regulations are built off of 
what would be applied to enterprise security networks at JP 
Morgan and may not be appropriate for an electric utility. So I 
think there is that balance and we have to understand that 
collection gap.
    One of the things that I think is most important is that 
workforce development. And this is coming from a technology 
vendor, I will tell you, the most important aspect is the 
human. We use technology to, sort of, be a Band-Aid until we 
get that.
    On the human aspect by having better trained professional 
industrial security, they will be able to make the right 
decisions for their infrastructure.
    We talk about information sharing, but the problem with 
information sharing is always the ability to action it which is 
at the utility or infrastructure site.
    These professionals that we're training are very critical, 
not only in K through 12, but also in the professional training 
that we have out in the industry.
    Senator Smith. So the big issue is, we ought to be focusing 
on workforce development and that capacity. Okay, thank you 
very much.
    I have just a little bit more time and I would like to 
address a question to the panel more broadly which is, we are 
seeing this incredible transformation in the way energy is 
generated and distributed and delivered in the United States 
with much more distributed energy resources and smart grid 
technologies coming online. I am really interested in how this 
is impacting grid security overall. Is it making it worse? Is 
it making it better? Could you just or could anybody on the 
panel feel free to chime in about what challenges or benefits 
does a more decentralized grid have when it comes to 
cybersecurity?
    Mr. Walker. I'll weigh in first.
    Senator Smith. Thank you.
    Mr. Walker. I think there's two components to the question.
    The first is, the diversity of the portfolio on the 
generation component, for instance, has and can have the 
tendency, if it's modeled properly, we understand where it's 
being placed and if it's strategically being placed, have the 
benefit of adding security from the standpoint that there's 
just more diversity and therefore, more iterations to be able 
to go through.
    However, I would offset that by the fact that by adding 
certain levels of diversity, depending on what they are and the 
case I'll point to is the heavy reliance due to economic 
factors on natural gas has now placed natural gas in a place 
where it's providing a significant amount of generation.
    As I noted in my testimony, what that does is it more than 
doubles the amount of critical infrastructure that has to be 
protected simply because there's an entire pipeline now that 
once was, it was a contributing factor, but it wasn't a 
significantly contributing factor, to the generation of 
electricity throughout the United States.
    Senator Smith. Dr. Sanders, did you want to chime in here?
    Dr. Sanders. I'll just add very quickly that I think that 
Mr. Walker spoke well about the diversity in the energy and 
generation portfolio.
    But you brought up, Senator Smith, a very, very important 
point. Much of the growth of the smart grid is on the 
distribution side and much of the cybersecurity protections and 
resiliency that's put in place is in the bulk electric power 
grid. In fact, NERC and FERC rules only apply on the bulk 
electric power grid side.
    So as we see this very different kind of smart grid, it's 
the architecture, it's the complexity of the architecture that 
we need to understand and the kind of point solutions we've had 
in the past just aren't going to apply.
    Thank you.
    Senator Smith. Thank you very much.
    And Madam Chair, oh----
    Mr. Matheson. I know we're over time----
    Senator Smith. Yes, please.
    Mr. Matheson. ----but just what I said within some earlier 
comments about we appreciate the fact that there has been an 
effort and we've received R&D efforts to look at small and 
medium-sized utilities. We still think that that's an area that 
merits continued emphasis and your questions have raised 
another reason why that's the case.
    Senator Smith. Thank you very much.
    Madam Chair, I believe I am past my time. Thank you.
    The Chairman. Thank you, Senator Smith.
    Senator Cantwell.
    Senator Cantwell. Thank you, Madam Chair.
    As former Director of National Intelligence, General 
Clapper said, ``Cybersecurity is now more significant to our 
national security than terrorism.''
    So, last year along with all those numerous cyberattacks 
and breaches, we see that more and more of our economy and 
critical infrastructure is being attacked. I see everyone 
nodding here.
    Do we have the right threat assessment yet on our grid? Do 
we have an accurate threat assessment, Mr. Lee?
    Mr. Lee. I do not believe so.
    Dr. Sanders. I do not believe so as well. I think that's a 
capability that's absolutely critical to develop and the 
maturity models we have today just are not sufficient.
    Senator Cantwell. Anybody else?
    Okay, so what do we need to do to get that? Mr. Lee?
    Mr. Lee. When it comes to the threat landscape and 
understanding the threats that pose, I do think private sector 
is best positioned.
    I always hear discussions about security clearances which I 
think are incredibly important, especially for the strategic 
level, but I think people are going to be dismayed when they 
get a security clearance to go in for this magical intel about 
the industrial threats and be met with nothing or very little. 
A lot of the insights are in the private sector companies. My 
insight at my firm today rivals what I have when I led the NSA 
mission for it. So, I think to do proper work we have to work 
together.
    It's where I do think DOE's CESER will be important, work 
with the ISAC is important, trying to understand what's going 
on at the operational layer of the CRISP program as an example 
is great, but it's for the enterprise networks. It doesn't 
touch the operations networks and our ability to do that 
together will give us that threat landscape.
    Senator Cantwell. Dr. Endicott-Popovsky?
    Dr. Endicott-Popovsky. Yes, I'd like to suggest that the 
work that the National Guard is doing in Washington State has 
relevance to your question.
    I point to the recent work that they did with SnoPUD and 
later with a utility in the middle of the state where the Guard 
cooperated with the utility itself, with the Governor's 
permission, to go in and do red teaming which is not easy 
considering that you're working military to the private sector. 
But that kind of effort, I think, was beneficial to the utility 
itself where they understood where they were vulnerable when 
they actually thought they were not.
    It puts people in the mindset of the threat actor and one 
of the things that could help this Committee, going back to 
some conversation earlier about the threat actors involved, is 
to understand the evolution and the motivation of the threat 
actors. Many people still remember War Games and we had this 
mental model that it's some kid at a computer that's hacking in 
randomly and causing trouble. We very quickly saw organized 
crime figuring out that it was easier to log into a bank than 
to walk through the front doors with a gun and risk life and 
limb.
    And so, monetary motivations are really easy to grasp, but 
for nation-state actors, it's more complex to figure out what 
they're after. And that, I think, has made it challenging for 
the private sector to really think about what's going on 
because strategically they don't think militarily. They think 
markets, they think economies but they've never been a military 
target. And so, now they find themselves as a military target 
and your strategic thinking has got to be different and this is 
where those red teaming exercises with the Guard were so 
helpful. Kilmer's bill is designed to replicate this in Major 
Lowenberg's name across the country with all National Guards.
    Senator Cantwell. We are finding our whole political system 
is a target.
    Dr. Endicott-Popovsky. Correct.
    Senator Cantwell. And so, I think people think that when we 
sent this letter a year ago that we were trying to echo, maybe, 
some larger tone about the Russians. We are just dead serious 
that this is a problem.
    Dr. Endicott-Popovsky. And it's not just----
    Senator Cantwell. And we are dead serious that we have to 
come up with a threat assessment and work through it, as you 
just said. I like the way you described it because you are 
saying you have to understand what the threat actors' 
motivation is and then you will understand the potentials and 
possibilities for attack and what you want to do with it. I see 
you all nodding there.
    Dr. Endicott-Popovsky. And it's not just the Russians. It's 
the North Koreans. It's the Chinese. The Russians, I think, are 
particularly good at it, but we certainly have a variety of 
nation-states that raid against our own infrastructure.
    And I go back to World War II movies. What did we, as the 
Allies, take out with the German attacks from our bombers? We 
went for infrastructure. And now our infrastructure can be 
breached at a distance. What would you do if you were a nation-
state actor? And so, getting your mind in the role of the 
adversary, I think, is very helpful.
    Senator Cantwell. Yes, Dr. Sanders?
    Dr. Sanders. I think you asked a really excellent question.
    I agree with Mr. Lee that we need more data collection. I 
agree with my academic colleague on the right that red teams 
can be useful. But I want to emphasize that red teams only can 
find problems. They cannot give forward-looking assessments.
    When we find a problem with a red team we, hopefully, fix 
that problem. We do not know what our state is going forward.
    So exactly what you're asking for is a credible way to 
assess the situation, to understand the bad guys, to understand 
the threat actors, but also to understand the users of the 
system because the users of the system through incorrect use or 
accidental use will also open up vulnerabilities.
    So it's really three things we need to understand: we need 
to understand the attackers, we need to understand the users of 
the system and we critically need to understand the 
architecture of the system because if the system is not 
perfectly secure then we need to understand how that 
architecture can create cascading failures or prevent cascading 
failures. So these three things.
    Senator Cantwell. Mr. Walker, is this something that the 
Office can achieve? A threat assessment?
    Mr. Walker. Yes, ma'am.
    We work with the intelligence communities which DOE is part 
of and the effort in understanding the different components 
with regard to CRISP.
    One of the things we've already done, and we're in the 
early stage of development, is the development of a program, an 
R&D program, called CYOTE which is Cybersecurity for the 
Operational Technology Environment. So it goes to the OT 
environment that Mr. Lee was speaking about before.
    Much of the work in the past has been spent on the IT side 
of this. We are now focused on the OT side of this and that 
will provide us the situational awareness that we need to 
understand the threat assessment, particularly on the OT side 
which is where the vulnerability for the energy sector resides 
the most.
    Senator Cantwell. Do you think this squarely resides at 
DOE?
    Mr. Walker. I think that it needs to be a partnership 
between private industry that owns the majority of 
infrastructure throughout the United States as well as other 
agency partners that have, particularly on the intelligence 
side as well as DHS where they have much of the information 
necessary for us to have a 360-degree view of the 
vulnerability.
    But we could work, obviously, through our EGCC and the ONG 
SCC to get the oil, natural gas, private sector, as well as the 
electricity subsector together and working with the energy 
government side, the coordinating council which I co-chair with 
DHS, to take this initiative on, move forward and come back 
with a complete understanding of what we've got, as well as a 
number of solutions.
    Senator Cantwell. Well, I think, as the witnesses have all 
said, we need to be serious about this. We need to get the 
threat assessment done.
    Mr. Walker. Yes, ma'am.
    Senator Cantwell. We need to get an understanding of what 
our workforce need is from that threat assessment.
    What other additional focuses besides just hardening of our 
infrastructure? What else do we need to be undertaking to make 
sure that we can continue to grow in the ways that we want to 
grow in an information age so that we can give our constituents 
certainty?
    I so appreciate it, Madam Chair. Thank you for the extended 
time.
    The Chairman. Very important questions.
    It really goes to the broader issue. If we don't know what 
our threat is, it is pretty tough to be able to address it and 
the recognition that knowing what we know now is wonderful, but 
how are we able to anticipate and project and basically stay 
one step ahead of those that are looking to be destructive?
    I just note that there is a report out this morning from 
the House Science Committee that describes Russia's extensive 
efforts to influence U.S. energy markets through divisive and 
inflammatory posts on social media platforms, not unlike what 
was going on at the time of the election. I, obviously, have 
not read this. This just came out this morning but, again, it 
just speaks to what we are dealing with and the, kind of, the 
multiheaded issue that it is. How you pin down or can target 
what that next threat is is anybody's guess here.
    I wanted to ask just a few follow-on questions from some of 
the things that have been raised by members this morning.
    This is directed to you, Congressman Matheson. Last 
Congress when we moved the FAST Act through we gave the Energy 
Secretary these emergency authorities and we strengthened the 
information sharing----
    Mr. Matheson. Right.
    The Chairman. ----with FOIA exemptions for our critical 
infrastructure information. Have these FOIA exemptions been 
helpful?
    And then to Senator King's question. He mentioned the issue 
of liability and the information sharing and how it can be 
further improved if you have some assurances----
    Mr. Matheson. Sure.
    The Chairman. ----that the sensitive information is going 
to be properly protected and free of liability concerns.
    On the liability side of things, is this an area where we 
need to legislate with that? Are you comfortable with what 
we've put in place with the FAST Act and the provisions that we 
have now with regards to the information sharing?
    Mr. Matheson. First on the FAST Act and we were, we, of 
course, supported the FAST Act as it moved through Congress.
    Your question of how it's played out now in terms of the 
FOIA exemptions, since this Act, since it's been implemented, 
has been in its infancy. It's a little bit of an open question 
still.
    The Chairman. Because we don't really know.
    Mr. Matheson. I have no concerns. I'm just saying I can't 
tell you this is how it's worked in a really substantive way 
because it's just too new to get that kind of answer.
    The Chairman. Okay.
    Mr. Matheson. But we did support the FAST Act as it was 
moving through Congress, and we appreciate that it's a law. If 
we have any issues with it, I'm sure we'll be communicating 
that back.
    On the liability, yeah, look, I think this is an issue 
where there's always going to be an interestedness looking for 
opportunities to make sure that information that we pass on to 
our government partners has some level of protection and the 
FAST Act clearly addressed some liability concerns that we had 
and we appreciate that. Am I going to tell you we've got 
everything off the table now? I'm sure this is going to be an 
ongoing conversation as we look at going into practice, where 
we have information transfer and making sure we have 
appropriate liability protections, that's going to be an 
ongoing conversation which is going to have to happen.
    The Chairman. Assistant Secretary Walker, on the government 
disclosure of data, we have the Critical Energy Infrastructure 
Information, CEII, and this dealing with, basically, the 
public's right to know certain information and I think we all 
support levels of transparency. But when it comes to critical 
infrastructure information, it seems reasonable that we want to 
be somewhat circumspect here.
    Is this an issue where we need to, again, look at FERC and 
how it is able to release data in the format that it is right 
now? Is this a policy, given what is going on out there in 
terms of balancing the need to know with the need to be as 
secure as possible, is this something that we need to revisit 
possibly?
    Mr. Walker. At this time, I don't think it is.
    I recently had a meeting with our newly confirmed 
Administrator for EIA with regard to much of the information 
that is promulgated out through that department on a pretty 
regular basis. And the reason I had met with her was because of 
the significant work we're doing with developing this North 
American interdependency model for the entire energy system. 
Clearly one of the things that's been raised as we start 
talking across the balancing authorities and the regional 
coordinators is to protect the flow of information.
    That legislation actually enabled DOE to even develop a 
policy. So we're actually in the process of working through 
finalization of our policy with regard to the CEII that you 
noted that was defined in the FAST Act.
    So, again, I think the FAST Act provided for a very 
significant insight into the needed collaboration between 
Congress and the Executive Branch and all of the partners that 
really have the purpose of protecting national security.
    The Chairman. Good. Good.
    Back to you, Mr. Matheson, and this is as it relates to 
compliance with mandatory standards. You have said in your 
testimony that the electric sector today is the only one with 
mandatory and enforceable standards when it comes to 
cybersecurity. We have noted that and, in fact, these 
violations come with some fines, some pretty hefty fines.
    Mr. Matheson. That's correct.
    The Chairman. A million dollars per day per violation is 
pretty significant.
    Mr. Matheson. Yeah.
    The Chairman. But we also have those who would suggest that 
our utilities are overly focused on compliance. And so, you 
have a situation that in an effort to meet the mandatory 
standards that have been set out and avoid these financial 
penalties, nobody wants to be paying a million dollars a day 
per violation, that the electric sector is possibly losing 
ground because they are focusing on the wrong thing here. They 
are focusing on checking the box on the compliance, and they 
miss the goal of cybersecurity protections. Do you think that 
that is a real concern?
    Mr. Matheson. You know, I would resist that, actually.
    The Chairman. Okay.
    Mr. Matheson. I believe that, you know, this is an industry 
driven process through NERC to develop these standards. FERC, 
of course, approves those standards.
    Resilience, reliability have always been a concern for the 
electric industry throughout its history. Cyber is the issue 
that has evolved over the last several years as part of that 
now, but no, I don't see any sense where the regulations or the 
requirements that the NERC process has produced have diverted 
our attention as an industry from focusing on what's most 
important.
    I'd like to think, instead, it's actually created the focus 
on what we ought to be looking at. So, yeah, I would disagree 
with that premise that it has caused some inappropriate 
attention on compliance at the expense of legitimate 
cybersecurity efforts.
    The Chairman. Okay, fair enough.
    Let me ask you one more question.
    Mr. Matheson. Sure.
    The Chairman. You were asked a question from Senator 
Daines, specific to Montana and Montana's co-ops, but obviously 
in my state, pretty small, pretty small entities.
    Do you have confidence that our smaller co-ops, our smaller 
entities, are capable of meeting the cyber challenges? It 
doesn't make any difference if you are in Seattle or if you are 
in Aniak, you still want to be able to rely on your energy 
grid----
    Mr. Matheson. Absolutely.
    The Chairman. ----whether it is a little bit smaller or 
not. Do you have a level of confidence that our smaller 
entities are holding up okay?
    Mr. Matheson. Yeah, I do have that confidence. And I'm 
going to say what everyone else has said in this hearing that 
this is an evolving threat so we never, even if we're confident 
today, we still have to work for tomorrow.
    I would offer Alaska specific, you know, there are--a lot 
of our electric co-ops that are isolated. They're microgrids.
    The Chairman. Yes.
    Mr. Matheson. And we have one co-op in Alaska that's right 
now working on implementing, sort of, a cybersecurity protocol 
specifically for a microgrid distribution utility.
    The Chairman. We think we are going to pioneer on this and 
everyone is going to want to come up and see what we are doing.
    Mr. Matheson. I'm all for that.
    The Chairman. Yes.
    Mr. Matheson. Because as we said earlier, every co-op is 
different and municipal utilities have the same. And so, yeah, 
I like to think that individually people are recognizing--these 
are my circumstances, what should I do to take on cybersecurity 
risk and mitigate in an appropriate way? And I see even smaller 
co-ops doing just that.
    The Chairman. Good. Good.
    One last question and this relates to the workforce. I 
appreciate what Senator Cantwell raised in her opening 
statement and the work that you have done, Dr. Endicott-
Popovsky, in focusing just on this.
    The training is absolutely key and critical. I think we 
recognize that. I think we know that the training has to go all 
the way down the chain, those who are making the decision at 
the top, all the way down to the grid operators at the very, 
very local level. I wrote down your comment here, Doctor, that 
you said, ``there's no firewall for stupid here.'' I think we 
all want to make sure that at the end of the day we have that 
level of training and skill and expertise all the way down. Are 
you convinced that we are getting the training all the way down 
to that local grid operator?
    Dr. Endicott-Popovsky. I think it's mixed, but I think that 
is the trend. Every person that participates in some fashion is 
a potential node in the network that can cause a problem.
    I think Mr. Lee had mentioned something about a phishing 
attack, clicking on a link and causing problems. I mean, this 
is a very common issue and firewalls don't prevent that. You've 
got people that need to know not to do that sort of thing. So, 
you're absolutely right. There does have to be training down 
through every level.
    There are some organizations that are modeling some very 
effective training. You have to avoid the yada, yada flavor of 
the month. That happens in many organizations. I take asbestos 
training. I take this. I take that.
    And so, there's some ways to make training vivid and NIST 
has some guidelines that they've published that are very good 
at telling you how to be effective with your training. We use 
them in our classes.
    But somehow you have to get it visceral for people. We 
could conduct a training here for the Committee, give you a 
sense of what it's like to be the bad guys. Once you start to 
think like bad guys, you start to see more things.
    I had a student, internationally, one time write me a 
little note--and I teach things that are safe to teach: 
operations, business operations--but he wrote me a very telling 
note, ``Why do you people in the West keep emphasizing the 
technology when the bad guys''--and I'm thinking, how do you 
know?--``when the bad guys are always looking for the person?''
    So, if you put yourself in the role of the adversary, a 
nation-state, if you have a particularly plum target, something 
luscious that you can't resist. What lengths would you go to to 
violate that system? How important is that to you? It's a 
completely different mindset. We have to be right every time. 
They only have to be right once. So it's a daunting problem and 
we have complex systems and lots of participants. I don't think 
we can expect to get it right every time. I think we have to 
recognize vulnerabilities and risk. But awareness is the 
beginning.
    The Chairman. Yes.
    Dr. Endicott-Popovsky. I'd be happy to provide some 
materials, if you're interested.
    The Chairman. I think it would be helpful for the 
Committee.
    Dr. Endicott-Popovsky. It's a passion of mine.
    The Chairman. I can tell and that is appreciated.
    Senator Cantwell, did you have any follow-on?
    Senator Cantwell. I want to thank you.
    The Chairman. I want to thank each of you. I think your 
testimony has been very, very important. We have had a very 
important discussion today, and we will look forward to 
additional input for the record as some have promised.
    We will look forward to working with you, Mr. Walker, in 
this capacity here with a very keen focus on cyber.
    I will note the Committee's appreciation for your 
attendance here, Mr. Lee. Not only have you given us good 
insight, but I'm told that your wife is expecting and has been 
expecting to deliver for quite some time----
    [Laughter.]
    ----and that your appearance here today was made possible 
because hopefully, hopefully, she is going to have this labor----
    Mr. Lee. Today.
    The Chairman. ----commence----
    Mr. Lee. So, she's amazing.
    The Chairman. ----soon----
    [Laughter.]
    ----after you are excused from this table. So hopefully if 
she is watching now, she's got the go ahead----
    [Laughter.]
    ----and she can deliver a beautiful baby safely into the 
world. We congratulate you on that.
    Mr. Lee. Thank you.
    The Chairman. You have always got to end the Committee on a 
happy note, so thank you all.
    Dr. Endicott-Popovsky. Madam Chairman, I have a question.
    The Chairman. Doctor?
    Dr. Endicott-Popovsky. I did get a real-time update on 
Senator Cassidy's question about the potential change in the 
language requirements for K-12 in the State of Washington. They 
are still considering computer language as a substitute for 
foreign language. The original bill died, but there's still 
residual interest in that concept, and it's being studied 
throughout this year. And apparently, we're going to be meeting 
with the Office of Superintendents here sometime in the near 
future to discuss this issue. So can you pass that on to him?
    The Chairman. We will share it with him and others as well.
    Dr. Endicott-Popovsky. Alright, thank you.
    The Chairman. We appreciate that.
    Thank you all.
    The Committee stands adjourned.
    [Whereupon, at 11:53 a.m. the hearing was adjourned.]

                      APPENDIX MATERIAL SUBMITTED

                              ----------    