b"<html>\n<title> - PRIVATE SECTOR AND GOVERNMENT CHALLENGES AND OPPORTUNITIES TO PROMOTE THE CYBERSECURITY AND RESILIENCY OF OUR NATION'S CRITICAL ENERGY INFRASTRUCTURE</title>\n<body><pre>[Senate Hearing 115-506]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n                                                        S. Hrg. 115-506\n \n                     PRIVATE SECTOR AND GOVERNMENT\n                    CHALLENGES AND OPPORTUNITIES TO\n                     PROMOTE THE CYBERSECURITY AND\n                       RESILIENCY OF OUR NATION'S\n                     CRITICAL ENERGY INFRASTRUCTURE\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                              COMMITTEE ON\n                      ENERGY AND NATURAL RESOURCES\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 1, 2018\n\n                               __________\n                               \n                               \n                               \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                              \n                               \n                               \n\n\n                       Printed for the use of the\n               Committee on Energy and Natural Resources\n\n        Available via the World Wide Web: http://www.govinfo.gov\n        \n        \n        \n                            ______\n\n             U.S. GOVERNMENT PUBLISHING OFFICE \n 29-767               WASHINGTON : 2019\n        \n        \n        \n        \n        \n               COMMITTEE ON ENERGY AND NATURAL RESOURCES\n\n                    LISA MURKOWSKI, Alaska, Chairman\nJOHN BARRASSO, Wyoming               MARIA CANTWELL, Washington\nJAMES E. 
RISCH, Idaho                RON WYDEN, Oregon\nMIKE LEE, Utah                       BERNARD SANDERS, Vermont\nJEFF FLAKE, Arizona                  DEBBIE STABENOW, Michigan\nSTEVE DAINES, Montana                JOE MANCHIN III, West Virginia\nCORY GARDNER, Colorado               MARTIN HEINRICH, New Mexico\nLAMAR ALEXANDER, Tennessee           MAZIE K. HIRONO, Hawaii\nJOHN HOEVEN, North Dakota            ANGUS S. KING, JR., Maine\nBILL CASSIDY, Louisiana              TAMMY DUCKWORTH, Illinois\nROB PORTMAN, Ohio                    CATHERINE CORTEZ MASTO, Nevada\nSHELLEY MOORE CAPITO, West Virginia  TINA SMITH, Minnesota\n\n                      Brian Hughes, Staff Director\n                Patrick J. McCormick III, Chief Counsel\n  Brianne Miller, Senior Professional Staff Member and Energy Policy \n                                Advisor\n             Mary Louise Wagner, Democratic Staff Director\n                Sam E. Fowler, Democratic Chief Counsel\n                David Gillers, Democratic Senior Counsel\n           Scott McKee, Democratic Professional Staff Member\n           \n                            C O N T E N T S\n\n                              ----------                              \n\n                           OPENING STATEMENTS\n\nMurkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska\nCantwell, Hon. Maria, Ranking Member and a U.S. Senator from \n  Washington\nDuckworth, Hon. Tammy, a U.S. Senator from Illinois\n\n                               WITNESSES\n\nWalker, Hon. Bruce J., Assistant Secretary, Office of Electricity \n  Delivery and Energy Reliability, U.S. Department of Energy\nMatheson, Hon. Jim, Chief Executive Officer, National Rural \n  Electric Cooperative Association\nEndicott-Popovsky, Dr. Barbara, Executive Director, Center for \n  Information Assurance and Cybersecurity, University of \n  Washington\nSanders, Dr. William H., Donald Biggar Willett Professor of \n  Engineering, and Head, Department of Electrical and Computer \n  Engineering, University of Illinois at Urbana-Champaign\nLee, Robert M., Chief Executive Officer and Co-Founder, Dragos, \n  Inc.\n\n          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED\n\nCantwell, Hon. Maria:\n    Opening Statement\nDuckworth, Hon. Tammy:\n    Opening Statement\nEndicott-Popovsky, Dr. Barbara:\n    Opening Statement\n    Written Testimony\n    Responses to Questions for the Record\nLee, Robert M.:\n    Opening Statement\n    Written Testimony\n    Responses to Questions for the Record\nMatheson, Hon. Jim:\n    Opening Statement\n    Written Testimony\n    Responses to Questions for the Record\nMurkowski, Hon. Lisa:\n    Opening Statement\nSanders, Dr. William H.:\n    Opening Statement\n    Written Testimony\n    Responses to Questions for the Record\nWalker, Hon. Bruce J.:\n    Opening Statement\n    Written Testimony\n    Responses to Questions for the Record\n\n\n     PRIVATE SECTOR AND GOVERNMENT CHALLENGES AND OPPORTUNITIES TO\n\n        PROMOTE THE CYBERSECURITY AND RESILIENCY OF OUR NATION'S\n\n                     CRITICAL ENERGY INFRASTRUCTURE\n\n                              ----------                              \n\n\n                        THURSDAY, MARCH 1, 2018\n\n                                       U.S. Senate,\n                 Committee on Energy and Natural Resources,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10:00 a.m. in \nRoom SD-366, Dirksen Senate Office Building, Hon. Lisa \nMurkowski, Chairman of the Committee, presiding.\n\n           OPENING STATEMENT OF HON. LISA MURKOWSKI, \n                    U.S. SENATOR FROM ALASKA\n\n    The Chairman. Good morning, everyone. The Committee will \ncome to order as we begin our hearing on the cybersecurity and \nresiliency of our critical energy infrastructure.\n    Cyberattacks are a well-documented and continuing threat. \nEvery day we seem to hear of yet another incident. \nIncreasingly, it appears that the bad actors are nation-states \nand sophisticated entities, such as organized crime or terror \ngroups. These attacks are across-the-board and not limited, of \ncourse, to energy infrastructure.\n    Just last week, according to the news reports out there, \nU.S. intelligence identified efforts by Russian military spies \nto attack computers used by Olympic officials during this \nyear's games. Reportedly, their goal was to make it look as if \nNorth Koreans were leading the cyberattack. 
Acts of cyber \nintrusion such as these can jeopardize diplomatic relations and \ncould have more serious repercussions.\n    Just a couple days ago, the Director of the Division of \nElections in my home State of Alaska again informed the public \nthat Russian cyber actors made a failed attempt to access the \nDivision's public website prior to the 2016 election. \nApparently they merely scanned the state's system so this was \nnot a `breaking and entering' scenario, but it clearly \nunderscores the persistence of the problem.\n    Here in the United States, the energy sector is clearly a \nhigh value target for cyberattacks. Earlier this month \nEntergy's security monitoring system detected a cyber intrusion \non the company's corporate network. Thankfully, the intrusion \nwas on the corporate side and did not affect energy delivery or \nreliability, but again, bad actors will test any available \navenue in an attempt to infiltrate energy networks.\n    Our Committee has spent a lot of time, many hours, \nexamining the threats to energy infrastructure. We have learned \nabout the potential challenges of increased digitalization of \nthe energy sector and opportunities to improve cybersecurity by \nengineering in protections and developing strong cybersecurity \nprotocols.\n    We have repeatedly heard how protection of our nation's \ncritical assets is a shared responsibility, with federal, state \nand private sector partners working together to improve cyber \ndefenses and sharpen responses to cyberattacks. We know there \nis more work to be done to improve that collaborative work. We \nare alert to the danger that ``shared responsibility'' can, in \npractice, be the hardest responsibility to consistently and \naccountably discharge.\n    Now we have also legislated to help address the \ncybersecurity problem. In the Energy Policy Act of 2005, \nCongress imposed mandatory reliability standards, including \ncyber standards, on the electric industry. 
And today we will \nhear testimony that these standards have led to meaningful \nimprovements. The electric sector is still the only sector that \nhas such stringent requirements, but we will also hear that \nkeeping the nation safe from major cyber threats goes well \nbeyond regulation.\n    Last Congress, in the FAST Act, we enacted provisions \nauthored by this Committee to codify the Department of Energy \nas the sector-specific agency for the energy sector and we \nprovided the Secretary with the authority to address grid-\nrelated emergencies, including cyberattacks. We also sought to \nfacilitate greater information sharing by protecting sensitive \ninformation from disclosure. I am pleased to report that public \nand private sector efforts not only to identify threats and \nshare information but also to improve the capabilities for \ndetecting and responding, are intensifying.\n    So the question this morning is, ``What do we do next?'' \nWhat should the Federal Government do, or refrain from doing, \nto meet this dynamic and evolving threat? And how can the \ngovernment help improve the cyber resiliency of critical energy \ninfrastructure if a threat becomes a reality?\n    Mr. Walker's testimony states that Secretary Perry is \nestablishing a distinct ``Office of Cybersecurity, Energy \nSecurity, and Emergency Response.'' This new office, which will \nbe known by the acronym C.E.S.E.R.--we are already referring to \nit I guess as Caesar, big shoes here.\n    [Laughter.]\n    But much of CESER's lineage is from the Department's \ncurrent office, the Office of Electricity Delivery and Energy \nReliability, which was established after the 2003 Northeast \nPower Blackout.\n    Mr. 
Walker, we appreciate the Department's attention to \nthis important topic and certainly look forward to learning \nmore about this new office and how you intend it to operate and \nfunction.\n    Protecting our nation's energy infrastructure, we all \nagree, is critical to maintaining so much of the American way \nof life. We must determine what the next appropriate steps will \nbe to further identify and prevent cyber intrusions and \nincrease resiliency in the event of an attack. Those solutions \nmay not require more regulation, but rather more common sense \nand cooperation.\n    I appreciate the expert witnesses that we have before us \ntoday, that you have made time to be before the Committee. I \nwill introduce them after Senator Cantwell's opening comments, \nbut we appreciate you being here.\n    Senator Cantwell.\n\n               STATEMENT OF HON. MARIA CANTWELL, \n                  U.S. SENATOR FROM WASHINGTON\n\n    Senator Cantwell. Thank you, Madam Chair, and thank you for \nholding this important hearing. I am sure that the Chair has \nprobably grown weary of how many times I bring up \ncybersecurity.\n    [Laughter.]\n    Both in our negotiations on an energy bill, now almost two \nyears ago, the need to be more expeditious about the process, \nand my continued concern about it from the perspective of one \nof the greatest threats facing our nation.\n    So I am delighted to have the panelists before us today to \nfocus on what our nation needs to do to be more expeditious in \nour agenda on cybersecurity.\n    Obviously, cybersecurity, as it impacts our energy \ninfrastructure, is one of the key issues for this Committee. We \nused to say that we were worried about foreign entities \nentering our airspace, our shipping lanes, or any kind of \nunwanted provocations. Now they come in the form of \ncyberattacks.\n    So make no mistake, our nation's energy infrastructure is \nunder that attack from Russians and other state actors. 
We \nknow, according to the Ukrainians, Russia took out part of the \nUkraine electricity grid in 2015 and 2016 through cyber means. \nWIRED magazine, at the time, chillingly suggested that the \nentire nation of the Ukraine was becoming a Russia test lab for \ncyber war.\n    As one of our witnesses will say today--Dragos has said \nthat the Russian government has devised a cyber weapon that has \nthe potential to be one of the most disruptive yet against our \nelectricity system. So we look forward to hearing more on that.\n    In the last year, the Washington Post reported that Russian \ngovernment hackers were behind cyber intrusions into a nuclear \npower plant's business system. We know from our own northwest \nlab that the firewall that protects much of our information, \nthey have communications of something like 25,000 a day, \ncyberattacks against that system.\n    We know what is happening and, as the Chair mentioned, we \nknow that the Administration has set up a cyber office which we \nappreciate but we want the Administration to be much more \naggressive.\n    We have been pushing for over a year now asking for a \nthreat assessment to our electricity grid. I think it was June \n22, 2017, that we wrote the White House asking them to perform \na required assessment on protecting the grid from cyberattacks.\n    I know, Mr. Walker, you are here today and you will try to \nenlighten us on the work that you have been doing in your short \nperiod of time, which is a lot given the Puerto Rico situation, \nso we appreciate that. Nonetheless, we want the Department of \nEnergy to respond to this letter of a year ago asking them what \nwe are doing to protect the reliability of our electricity grid \nfrom Russian hacking. This was sent by many U.S. Senators and \nwe have yet to have a response.\n    Why is this so important? We saw just this morning the \nGerman government was hacked by Russian actors. 
According to \nthe German Interior Ministry, we can confirm that the Federal \nOffice of Information Security and Intelligence Services were \npart of a cyber hack.\n    So this issue is not going away. It is only growing in \nincredible importance. We don't want to have an Administration \nasleep at the computer terminal while we are sitting here \nworrying about American business and government interests and \nnational security interests being attacked by state-owned \nactors.\n    I also hope that we can see, as we specifically asked \nSecretary Perry during his confirmation hearing, that the \nAdministration will support a robust infrastructure investment \nas it relates to cybersecurity. I know he told the Committee at \nthe time that he believed that we should do that and we want to \nsee in this next budget legislation, that commitment. I know \nthat the Chair and I had a chance to talk to the President at \nan infrastructure discussion a couple weeks ago, and we \nemphasized how much energy infrastructure needed to be part of \na national infrastructure investment bill. So now is the time \nfor action.\n    We also discussed, and the Chair and I have in legislation, \na clear focus on how important workforce is to a critical \nenergy infrastructure for the future, including cybersecurity.\n    Our state, the State of Washington, has been a leader in \ndeveloping a cyber workforce training, and I would like to \nwelcome Professor Barbara Endicott-Popovsky to testify today. \nShe is the Executive Director at the Center for Information \nAssurance and Cybersecurity at the University of Washington, a \nnational leader in pioneering cyber education.\n    We were able to have a forum there recently to see how \nbusiness, education and the cybersecurity community was coming \ntogether to try to focus on cybersecurity solutions. She has \nbeen shaping cybersecurity education policy and has authored \nmore than 100 peer-reviewed \narticles. 
So we welcome what you have to say today on \nthis issue.\n    She recognizes, as I do, that one of the biggest challenges \nto the nation's cyber preparedness is a skilled workforce and \nthat by 2020 IBM estimates that there will be 1.5 million \nunfilled cybersecurity positions across all industries. That is \nmind boggling, mind boggling, to think about but not hard to \nimagine given that we live in an information age and how \nconnected everything is going to be and how every layer will \nalso need security and reinforcement.\n    I hope that today's hearing will help illuminate for us how \nmuch investment we really need to make to make that part of our \nenergy infrastructure work cost-effectively.\n    We know that some of the challenges that we face is getting \nthat curriculum well established and also making sure that \ndifferent aspects of the cybersecurity challenge are addressed \neverywhere from two-year degrees to PhDs. I do think the \nDepartment of Energy has a role to play here in defining for \nindividuals interested in this area, the partnerships that will \nbe necessary to skill that workforce in a timely fashion.\n    All in all, Madam Chair, thank you so much for the hearing \ntoday. Thank you for the attention to this issue. I know you \nand I keep hoping that there will be some cybersecurity \nlegislation that moves through the Full Congress as it has \nalready moved through the Senate. So, maybe, I don't know if \nthe third time is the charm, but hopefully we will be able to \nuse these very important events that have transpired across the \nentire world to get our colleagues to see the urgency of the \nsituation.\n    So again, thank you for the hearing.\n    The Chairman. Thank you, Senator Cantwell, and thank you \nfor your persistent push on the cybersecurity piece of it.\n    As you mention, we think we have a good, strong, bipartisan \nbill. We would like to see that be more than just a bill. 
We \nwould like to see it be law and to put in place some of these \nprotections that we have been working on so hard, but I greatly \nappreciate your continued focus on this.\n    We have a good, strong panel with us this morning. Again, \nwelcome.\n    We have our Assistant Secretary for the Department of \nEnergy, Mr. Bruce Walker. It is good to have you back before \nus.\n    We are also joined by former Congressman Jim Matheson. \nCongressman Matheson represented Utah from 2001 to 2015. He is \nnow the CEO of the National Rural Electric Cooperative \nAssociation (NRECA). It is good to have you before the \nCommittee.\n    Dr. Barbara Endicott-Popovsky with the Center for \nInformation Assurance and Cybersecurity at the University of \nWashington has just been introduced by Senator Cantwell. We are \nvery pleased that you could join us this morning.\n    Dr. William Sanders is from the University of Illinois, and \nI will let Senator Duckworth introduce him.\n    But let me also welcome Mr. Robert Lee, who is the CEO of \nDragos Incorporated. It is good to have you with the Committee.\n    Senator Duckworth, if you would like to introduce your fine \nconstituent.\n\n              STATEMENT OF HON. TAMMY DUCKWORTH, \n                   U.S. SENATOR FROM ILLINOIS\n\n    Senator Duckworth. Thank you, Chairwoman Murkowski.\n    I would like to extend a very warm welcome to Dr. Sanders, \nwho is joining us from the University of Illinois at Urbana-\nChampaign. They have some great farm-to-table restaurants \nthere, by the way.\n    I am proud that the University of Illinois was one of the \nvery first universities to recognize the importance of ensuring \nthat cybersecurity and cyber resiliency of our energy \ninfrastructure.\n    Dr. Sanders serves as the head of the Department of \nElectrical and Computer Engineering and is an expert on \ncomputing and critical infrastructure, such as the power grid.\n    Over the past several decades, Dr. 
Sanders has published \nover 270 technical papers in these areas and received the 2016 \nIEEE Innovation and Societal Infrastructure Award.\n    He has used his expertise to assist the government's \nefforts to make the grid more secure and resilient. This work \nincludes leading an initiative of the Department of Energy and \nthe Department of Homeland Security on building a better, more \nsecure and resilient power grid.\n    Dr. Sanders, I am thrilled that you are able to join us \ntoday. I think your voice will be a very valuable one to \ntoday's discussion.\n    We all know that future battles will increasingly exist in \ncyberspace and that cybersecurity is a critical aspect of our \nnational security, and I look forward to hearing your testimony \nand your recommendations concerning this very important issue.\n    Welcome.\n    Thank you, Madam Chair.\n    The Chairman. Thank you, Senator.\n    Again, thank you all.\n    I would ask that you try to keep your comments to about \nfive minutes. Your full statements will be included as part of \nthe record.\n    I will note for colleagues that we are scheduled to have \nvotes. I think it is 11:45 when we have a series of three votes \nthat are set up. My intention this morning is to try to move as \nquickly as we can so that we can get in as many questions as we \ncan to this fine group of experts.\n    Assistant Secretary Walker, if you would like to lead off.\n    Thank you.\n\nSTATEMENT OF HON. BRUCE J. WALKER, ASSISTANT SECRETARY, OFFICE \nOF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. DEPARTMENT \n                           OF ENERGY\n\n    Mr. Walker. Thank you. 
Good morning.\n    Chairman Murkowski, Ranking Member Cantwell, and \ndistinguished members of the Committee, thank you for the \nopportunity to discuss the continuing cybersecurity threats \nfacing our national energy infrastructure and the Department of \nEnergy's role in protecting it.\n    Establishing a resilient energy infrastructure is a top \npriority of the Secretary and a major focus of the Department; \nhence, our focus on cybersecurity is paramount.\n    Our national security and economy depend on the \navailability of a reliable and resilient energy infrastructure. \nThe mission of the Office of Delivery and Energy Reliability, \nOE, is to strengthen, transform and improve the resiliency of \nenergy infrastructure to ensure access to reliable and secure \nsources of energy.\n    The Secretary and DOE are committed to working with our \npublic and private sector partners to protect the nation's \ncritical energy infrastructure from physical security events, \nnatural and man-made disasters and cybersecurity threats.\n    To demonstrate our focus on the aforementioned mission, the \nSecretary announced last month he's establishing an Office of \nCybersecurity, Energy Security and Emergency Response, better \nknown as CESER. This organization change will strengthen the \nDepartment's role as the energy sector-specific agency for \ncybersecurity thereby supporting our national security \nresponsibilities.\n    The creation of this office will build upon what we do \ntoday, significantly increase the Department's focus on energy \ninfrastructure protection and will enable more coordinating \npreparedness and response to physical and cyber threats as well \nas natural disasters. 
Furthermore, the CESER Office will play \nan essential role in coordinating government and industry \nefforts to address these energy sector threats.\n    The President has requested slightly more than $95 million \nin FY2019 for CESER with a focus on early stage R&D activities, \nworking with our national labs to improve cybersecurity and \nresilience, to harden and evolve critical grid infrastructure. \nThese activities will develop the next generation of \ncybersecurity control systems, components and devices, \nincluding enhancing our ability to share time-critical data \nwith industry to detect, prevent and recover from cyber events.\n    Our national intelligence agencies have noted the \nincreasing number and sophistication of cyber threats. Our \nadversaries understand the energy sector is a valuable target \nbecause of the assets that the sector controls, including our \ndefense critical energy infrastructure.\n    DOE's role in energy sector cybersecurity was codified by \nCongress under the FAST Act. That legislation designated DOE as \nthe sector-specific agency for cybersecurity. As a result, the \nSecretary of Energy is authorized upon the declaration of a \ngrid security emergency by the President to issue emergency \norders to protect or restore critical electric infrastructure \nor defense critical electric infrastructure.\n    In order to properly plan for this type of occurrence, it \nis critical that we continue to work closely with our energy, \nindustry and federal agency partners. 
In the energy sector, the \ncore of critical infrastructure partners consists of the \nElectricity Subsector Coordinating Council, the Oil and Natural \nGas Subsector Coordinating Council and the Energy Government \nCoordinating Council.\n    The Energy Government Coordinating Council is led by CESER \nand DHS and it is where the interagency partners, states and \ninternational partners come together to discuss the important \nsecurity and resilience issues for the energy sector. \nCollectively, we all work together under DHS' Critical \nInfrastructure Partnered Advisory Council which provides a \nmechanism for industry and government coordination.\n    As a part of the Comprehensive Energy Cybersecurity \nResiliency Strategy, the Department of Energy, working with our \nindustry partners, is focusing cyber support efforts to enhance \nvisibility and situational awareness of operational networks, \nincrease alignment of cybersecurity preparedness and planning \nacross local, state and federal levels and leveraging the \nexpertise of our national labs to drive cybersecurity \ninnovation.\n    In conclusion, cyber threats continue to evolve and DOE is \nworking diligently to eliminate and mitigate the potential \nconsequences of these threats. Establishing the CESER Office is \na result of our laser-focused attention to cyber and physical \nsecurity.\n    Our long-term vision is significant and will positively \nimpact our national security. The establishment of this office \nwill be the first step in the transformational change necessary \nto meet the ever-changing cyber landscape highlighted by our \nnational intelligence agencies.\n    Finally, I would like to highlight that the risk of \nphysical and cyber threats is continuingly exacerbated by a set \nof circumstances that are increasingly interdependent of the \nvarious energy systems throughout the nation. 
This \nsignificantly increases our overall risk due to the increased \nnumber of penetration points that can significantly impact \nnational security and economy.\n    As always, I appreciate the opportunity to appear before \nthis Committee to discuss cybersecurity in the energy sector \nand I applaud your leadership.\n    I look forward to working with you and your respective \nstaffs to continue to address cyber and physical security \nchallenges.\n    Thank you.\n    [The prepared statement of Mr. Walker follows:]\n    \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n        \n    The Chairman. Thank you, Secretary Walker.\n    Congressman Matheson, welcome.\n\n   STATEMENT OF HON. JIM MATHESON, CHIEF EXECUTIVE OFFICER, \n        NATIONAL RURAL ELECTRIC COOPERATIVE ASSOCIATION\n\n    Mr. Matheson. Good morning, Chairman Murkowski and Ranking \nMember Cantwell, members of the Committee. I appreciate the \ninvitation to testify before you on what is a very important \ntopic.\n    I'm testifying today on behalf of more than 900 electric \ncooperatives who are working together to protect our U.S. \nelectricity system from cyber threats. I just returned last \nnight from the NRECA annual meeting with our membership and we \nalso had a TechAdvantage conference, and I'm happy to share \nwith you that cybersecurity was a significant topic of \ndiscussion of both of those meetings.\n    We had several breakout sessions on cybersecurity to share \ninformation with our members about the latest in policy and \ntechnology, and our members shared with each other examples of \nwhat they are doing to keep their systems secure. That peer-to-\npeer learning is a hallmark of the electric cooperative \nprogram.\n    Protecting the nation's complex interconnected electric \npower system while ensuring reliable, secure and affordable \nelectricity has always been a top priority for electric co-ops \nand, quite frankly, for the entire electric power industry. 
\nMaintaining the resilience and security of the electric grid \nrequires a flexible approach that draws upon a variety of \ntools, resources and options.\n    As threats and threat actors continue to evolve, so must \nthe industry's capability to defend against them. The \npossibility of a cybersecurity attack affecting grid operations \nis something for which the electric sector has been preparing \nfor years.\n    These preparations are built on the need for a flexible \napproach and they include implementing security standards and \ntechnologies to protect systems, forging close partnerships to \nidentify threats and solutions and to respond to incidents, \nengaging in active information sharing about threats and \nvulnerabilities, participating in industry and cross sector \ndisaster planning exercises such as DOE's Clear Path and the \nNorth American Electric Reliability Corporation's GridEx \nbiannual exercise. We also partner with DOE, the National Labs \nand other federal agencies on cybersecurity research to improve \ntools and resources needed by the industry to address these \nthreats.\n    Protecting the electric grid from threats that could affect \nnational security and public safety is a responsibility shared \nby both the government and the electric power sector. As we \ncontinue working together to protect the electric system from \ncyber threats, there are a couple of areas that can benefit \nthese partnerships and the sector that I'd like to highlight in \nthese comments.\n    First, these efforts can be enhanced through continued \ncybersecurity research and development, including support for \ndeveloping resources for small and medium-sized utilities. The \nRural Electric Cooperative Association is active in \ncybersecurity research programs and initiatives supported by \nthe DOE's Office of Electricity Delivery and Energy \nReliability. 
Strong research and development programs are \nessential to developing new technologies to keep pace with the \nrapidly changing cybersecurity threats that our industry faces. \nThe DOE is our industry's primary source for federal funding to \ndevelop cybersecurity tools and resources.\n    Currently, one of the most valuable research programs for \nelectric cooperatives is the funding partnership between DOE \nand the Rural Electric Co-ops, called the Rural Cooperative \nCybersecurity Capabilities Program, or we call it RC3 for \nshort. This partnership is specifically focused on addressing \nthe unique cybersecurity needs of small and mid-sized \ndistribution utilities. And in addition to developing \ncybersecurity resources and tools appropriate for these \nutilities, we have provided cybersecurity training to more than \n150 of our members through the RC3 program.\n    The second area I'd mention in these comments is the need \nto continue improving information sharing between the \ngovernment and electric utilities. In some circumstances, there \nare situations where the government possesses information on \nintelligence on a particular threat or vulnerability that could \nbe timely and actionable for the industry. We support efforts \naimed at increasing electric cooperatives' access to this type \nof information thereby helping us to do an even better job of \nprotecting the grid. The FAST Act and Cyber Information Sharing \nAct from last Congress were excellent and appreciated steps in \nthis direction.\n    Information sharing, of course, is a bidirectional issue \nand assurances that sensitive information shared from industry \nto government will be properly protected and free of liability \nconcerns when shared in good faith is also necessary. In \naddition, the government also holds information on terrorist \nactivities. 
A voluntary process that allows utilities to have \nthe FBI perform enhanced background investigation screening for \ncritical employees in our industry could go a long way in \nhelping to address some of the potential insider threat \nconcerns.\n    So again, thank you for inviting me to testify today. We \nlook forward to working with Congress on these issues and \ncontinuing in our successful partnerships with the DOE and \nother federal agencies.\n    I'm happy to answer any questions.\n    [The prepared statement of Mr. Matheson follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n        \n    The Chairman. Thank you, Congressman Matheson.\n    Dr. Endicott-Popovsky, welcome.\n\nSTATEMENT OF DR. BARBARA ENDICOTT-POPOVSKY, EXECUTIVE DIRECTOR, \nCENTER FOR INFORMATION ASSURANCE AND CYBERSECURITY, UNIVERSITY \n                         OF WASHINGTON\n\n    Dr. Endicott-Popovsky. Thank you.\n    Good morning, Chairman Murkowski and Ranking Member Maria \nCantwell and distinguished members of the Committee. I want to \nthank you for the opportunity to speak with you today about \nexamining cybersecurity in our nation's critical energy \ninfrastructure.\n    My name is Dr. Barbara Endicott-Popovsky. I'm the Executive \nDirector of the Center for Information Assurance and \nCybersecurity at the University of Washington, and we are an \nNSA Center of Academic Excellence in cybersecurity as well as a \nregional resource center for dissemination of best practices. \nWe convene industry, government and military around shared \nproblems, but to provide context for my remarks, we're driven \nby four major ideas.\n    First of all, in cyberspace everyone is your neighbor. This \nis going to require new ways of thinking about partnerships \nwith military, industry and government.\n    Secondly, cybersecurity involves rules and tools. While it \ncame from technology, there are still humans in the system and \nthere's no firewall for stupid. 
So, it's going to require \npolicies, procedures, awareness training that's going to really \ndeal with that human element.\n    Thirdly, all of this is exacerbated by not enough talent. \nAnd I can't emphasize that enough. This is a systemic problem, \nand it is not going to be fixed with a Band-Aid. This is going \nto be equivalent to the moon shot project that we had back in \nthe Kennedy era. Now, we were able to do it back then. We \nshould be able to pull the resources together to do it now, but \nthis is a serious problem.\n    And besides that, cybersecurity is becoming a profession \nand I want to caution the Committee about balkanizing the field \nwith its own definitions and its own educational procedures. \nThere are differences, infrastructure to infrastructure, yes.\n    I would refer the Committee to work that was done by the \nFCC CSRIC that was designed to look at how they could leverage \nexisting NIST and NSA, DHS, work that's been done on \ncybersecurity educational standards and I think you'll find \nthat much is already there, but there will be a delta.\n    How did we get here? Certainly, cyberattacks are daunting. \nWe're living through digital transformation. That's what's \ngoing on. And we're still clinging to mental models from the \nphysical world and the information world that simply don't \nwork. Cross sector collaboration, for example, is something we \ntalk about, but it's not easily done because all sectors have \ntheir own missions. It's very difficult to get everyone on the \nsame page.\n    However, there's one thing we can all agree on. There is no \ncyber fire department. There is no cyber 911. In a cyber \ndisaster the DoD is prepared to protect its own networks and \nmaintain its mission, but who is there on the civilian side and \nthe private sector side? No one.\n    This vacuum is a national security threat. And toward this \nend H.R. 
3712 has been proposed by our delegation that deals \nwith proliferating the Cyber Civil Support teams across the \ncountry which is going to require extensive education of the \nNational Guard so that they're prepared to do what's necessary \nin the event of an attack.\n    The case of cyber war is a case of mutually assured \ndestruction. Make no mistake. At some point, we're going to \nneed the equivalent of the Kennedy and Khrushchev red phone and \nnuclear disarmament talks, but getting everybody to agree on \nenforcement is going to be a problem and I'm not sure that \nnation-states right now have an appetite for stepping up to the \ntable. But this will have to happen so we don't mistake each \nother. This is a tragedy of the commons where a shared resource \nis used individually by users to the detriment of the whole and \nto the ruination, perhaps, of the whole.\n    In addressing the talent deficit, this is a problem across \nall sectors and, in particular, with utilities. We need to be \nmindful that industry is competing for the same talent and \ntheir salaries are much higher. So I suggest that we consider \nways to incentivize students to go to work for utilities \nthrough, perhaps, funded scholarship programs. The bottom line, \nagain, is that this is no easy fix. This is no Band-Aid. We \nneed commitment over the long haul to really develop what's \nnecessary to transform our educational processes so that we \nprepare people adequately and quickly to do what's necessary to \nprotect our vital infrastructure.\n    Thank you.\n    [The prepared statement of Dr. Endicott-Popovsky follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n   \n   \n    \n    The Chairman. Thank you, Doctor.\n    Dr. Sanders, welcome.\n\n  STATEMENT OF DR. WILLIAM H. 
SANDERS, DONALD BIGGAR WILLETT \n PROFESSOR OF ENGINEERING, AND HEAD, DEPARTMENT OF ELECTRICAL \n  AND COMPUTER ENGINEERING, UNIVERSITY OF ILLINOIS AT URBANA-\n                           CHAMPAIGN\n\n    Dr. Sanders. Good morning, Chairwoman Murkowski, Ranking \nMember Cantwell and distinguished members of the Committee. \nThank you for inviting me to speak today.\n    My name is Bill Sanders, and I'm the Head of the Department \nof Electrical and Computer Engineering at the University of \nIllinois at Urbana-Champaign. As was also said earlier when I \nwas introduced, I've led or co-led major centers funded by the \nDepartment of Energy, the Department of Homeland Defense and \nthe National Science Foundation for the last 12 years working \nin this area.\n    I want to focus my comments today on cyber resiliency. \nResiliency is a fundamental concept that differs from \ntraditional metrics, such as reliability or cybersecurity. In \nthe context of electric power, resiliency is not just about \nbeing able to lessen the likelihood an outage will occur, but \nit's about managing and coping with outage events when they do \noccur.\n    With resiliency, we attempt, to the greatest extent \npossible, to avoid a blackout, but understand and accept it may \nnot be possible to totally avoid its occurrence. Thus, we work \nto respond as quickly as possible to the event when it occurs, \npreserving critical and individual societal services during the \nperiod of degraded operation and over time striving for full \nrecovery and enhanced robustness.\n    An important new concern for the resiliency of this is the \ncyber portion of the grid and how it affects overall grid \nresiliency. The electric power system has become increasingly \nreliant on its cyber infrastructure to deliver electricity to \nconsumers. 
A compromise of power grid control systems or other \nportions of the grid cyber infrastructure can have serious \nconsequences ranging from a simple disruption of service with \nno damage to the physical components to permanent damage to \nhardware that can have long lasting effects on the performance \nof the system. Any consideration of improved power grid \nresiliency requires consideration of ways to make the grid \ncyber infrastructure resilient.\n    Over the last decade, much attention has rightly been \nplaced on grid cybersecurity, but much less has been placed on \ngrid cyber resiliency. It's now, however, becoming very \napparent that protection alone by cybersecurity is not \nsufficient and it can never be made perfect.\n    Given the relentless attacks and the challenges of \nprevention, successful cyber penetrations are inevitable and \nthere's evidence in increases of the rates of penetration.\n    The resiliency goals for the cyber infrastructure thus \nrequire a clear understanding of the interaction between the \ncyber and conventional physical portions of the grid and how \nimpairments on either side, cyber or physical, could impact the \nother.\n    Specific guidance about cyber resiliency research that is \ncritically needed comes from a consensus study published in \nJuly 2017 by the National Academies of Sciences, Engineering \nand Medicine, entitled, Enhancing the Resilience of the \nNation's Electricity System.\n    As one of the co-authors on this report, I helped craft \nseven overarching recommendations. Overarching recommendation \nnumber five is particularly relevant to the concept of cyber \nresilience. I'll paraphrase. 
The Department of Energy, together \nwith the Department of Homeland Security, academic research \nteams, national labs and the private sector should carry out a \nprogram of research, development and demonstration activities \nto develop and deploy capabilities for the continuous \ncollection of diverse, both cyber and physical sensor data, \ndiffusion of sensor data with other intelligence information, \nvisualization techniques, analytics, restoration techniques and \nthe creation of post-event rules. In summary, the cyber threat \nto grid resiliency is real. The time to act is now.\n    It is critical that the Committee understand the following:\n    Number one, grid resiliency is different from cybersecurity \nand requires a fundamentally new approach.\n    Two, protection as a cybersecurity mechanism alone is not \nsufficient and can never be made perfect. The grid can only be \nresilient if its cyber infrastructure is also resilient. So, \nresearch and development are critically needed to provide \nassured mechanisms to ensure cyber resiliency.\n    Three, six capabilities--continuous data collection, the \nfusion of sensor data, visualization, analytics, restoration \nand post-event tools--are critical to creating an effective \nstrategy for cyber resiliency. Those capabilities can only be \nachieved if academia, industry and government work closely \ntogether in a focused research and development program.\n    And finally, Congress should continue to fund and increase \nfunding to the Department of Energy and other government \nagencies to advance this research and development.\n    Thank you very much. I would be happy to answer any \nquestions.\n    [The prepared statement of Dr. Sanders follows:]\n    \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n        \n    The Chairman. Thank you, Dr. Sanders.\n    Mr. Lee, welcome to the Committee.\n\n  STATEMENT OF ROBERT M. 
LEE, CHIEF EXECUTIVE OFFICER AND CO-\n                     FOUNDER, DRAGOS, INC.\n\n    Mr. Lee. Chairwoman Murkowski, Ranking Member Cantwell and \nmembers of the Committee, thank you for providing me the \nopportunity to present before you today.\n    I want to briefly explain my background which informs the \ntestimony I bring before you. I started my career at the United \nStates Air Force Academy, was commissioned and then took a \nposition as a cyber warfare operations officer tasked out to \nthe National Security Agency (NSA).\n    While at the NSA I was tasked with building a mission to \nidentify new nation-state threats breaking into environments. \nIt was there that I built and led a first-of-its-kind mission \nlooking at the nation-states breaking into industrial \nenvironments. I did so with the hypothesis that we would find \nthe new threats, and we did. It was there I came to understand \nthat there was a significant collection bias in the U.S. \nintelligence community and in the larger information security \ncommunity. That means, as we typically prioritize and report on \nthings where we collect and can see, but we're blind to the \nenvironments that we're not collecting like industrial control \nnetworks.\n    I left to build Dragos to gain insights and develop \ntechnology to help people.\n    Over the last three years, we've seen these types of attacks \ntake place: The Ukraine power grid attack of 2015, I was one of \nthe lead investigators there to solve the first-ever \ncyberattack that could halt grid operations; the Ukraine attack \nof 2016, where my firm and I helped identify and analyze \nCRASHOVERRIDE--the software that was purposely built to disrupt \nelectric grids; and, in 2017 in the Middle East a more \nconcerning thing to me is that a first piece of malware that \nwas developed to specifically target human life was deployed. 
\nSo with my experience in the military and intelligence \ncommunity, training the world's defenders and leading the \nworld's best against the world's worst, I want to highlight a \nfew points for you today.\n    First, as scary as all this sounds, our infrastructure is \nextremely resilient today. We have to do more, but I do want to \nnote that there's a lot of good work happening in the \ncommunity. My team often strives for nuance in our analysis and \nreporting on the threats, but we have observed a disservice to \nthe community over the last couple decades, even the most \ncasual phishing email deployed to a corporate network of a \nnuclear power plant gets headlines about cyberattacks taking \ndown infrastructure and killing people. This is not accurate. \nThese scenarios presented are often nonsense and full of hype \nand unintended misinformation, but the threats are real.\n    Today, my firm released three reports detailing the \nindustrial threats of vulnerabilities and our lessons learned \nand response. We detailed five such threat activity groups or \nteams specifically targeting industrial control networks. This \nis in addition to the much larger number of teams that are \ntargeting the corporate networks of infrastructure companies \nbut this specific trend is worrying.\n    Equally important though, we must be careful of \ntechnologies and approaches which sound like silver bullets and \nthey sound too good to be true. These approaches are often \nreferred to in the industry as buzzwords making immense \ntraction and buzz and attention when used in conversations and \nthey do have an application, but they're obviously and usually \nextended far past that application. 
And the context of \ncybersecurity, blockchain, machine speed, automated response \nand artificial intelligence are three such examples that are \nthrown around frequently as a panacea for our problems when \nthey are simply not.\n    On to my second point today which is the role of \nregulation. The NERC CIP standards are often highly discussed \ntopics, but it is undeniable that the efforts in the community \nto comply with these standards have made the North American \nbulk electric system the most resilient and well defended in \nthe world. However, regulations serve as a base level of \nsecurity. They're obviously on the trailing end of what is \ngoing on and they, in no way, can regulate the human adversary. \nMalware and vulnerabilities are not our threats, the human \nadversary is our threat.\n    For that, we must take an approach that also appreciates \nthe workforce development that's required. I recommend for a \nperiod of three to four years that no new regulations be \nimposed under NERC--it would allow companies to catch up with \ncurrent regulations as well as identify the threat landscape \nbefore them and come up with their own best practices for the \ntype of innovation that we need for industrial-specific \nnetworks.\n    On my third point my recommendations for DOE's CESER. \nFirst, provide multi-year funding and greater operational \nsupport to efforts that are prioritized to make foundational \nchanges to the fundamental risk. Consequence-driven, cyber-\ninformed engineering is one of those programs that's been \nhighlighted that I think very kindly of. It is in no way going \nto fix everything, but it is foundational and so, our grid \nsecurity.\n    Second, CESER should serve as the key team focused on \nde-duplicating efforts in the DOE and their labs by being keenly \naware of what is already taking place in the private sector. 
\nThere is never malice or intentional overlap, but at the speed \nand rate of innovation in the private sector as well as the \nsheer volume, overlap can take place that has unintentional \noverlaps and competitive issues will emerge.\n    Third, with a stated mission of focusing on addressing \nemerging threats, realize and appreciate the best insights and \nintelligence on threats or in the community and the companies \nthat are being targeted. The private sector companies, like \nDragos, as well as the community members like the electric \nISAC, the downstream natural ISAC and the others, have a keen \ninsight in that threat landscape today and partnering with \nteams like CESER will ensure that they do not recreate efforts, \nbut that we all achieve the same goal of providing security to \nour infrastructure.\n    I sincerely want to thank the Committee for providing me \nthe opportunity to testify today and will welcome any questions \nand additional information to help support the safety of our \nfamilies, communities and each other.\n    Thank you.\n    [The prepared statement of Mr. Lee follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n   \n     \n    The Chairman. Thank you, Mr. Lee.\n    Thank you all. We appreciate your testimony this morning. \nWe will begin with a round of questions.\n    Senator Cassidy has to go preside in another Committee, so \nI am going to defer my questions, and you may proceed.\n    Senator Cassidy. Thank you, Madam Chair.\n    Mr. Walker, there is a book, Black Swan, by Nicholas Taleb, \nand one of his premises is that the more complex organizations \nbecome, the more vulnerable they become to a black swan event, \nthat which is two standard deviations beyond the norm but just \ntotally brings things down--think the financial crisis of 2007.\n    Part of your testimony spoke of the interrelatedness of all \nof our systems. 
I never pronounce it correctly, MISO or meso, \nbut that network which takes electrons all throughout the \nmiddle part of our country. Do we have such increasingly \ncomplex energy systems that we are prone to that black swan \nevent, you see where I am going with this?\n    Mr. Walker. Yes sir, and thank you for the question, \nSenator.\n    I believe that, as I did mention in my testimony, the \ninterdependencies that are resulting through the retirement of \nmany fuel-shored coal and nuclear plants that are being \nreplaced with natural gas plants, has placed a significant \ninterdependency of the electric generation system upon the \ninfrastructure that supplies and supports the gas \ninfrastructure throughout the United States.\n    And to that end, I have been working with the labs to \nactually do a single point of failure analysis of the gas \ninfrastructure system in order to understand the overall impact \non the generation components that are impacted on the \nelectricity system.\n    Senator Cassidy. I hear what you are saying, but the basis \nof my question is should we fear this interdependency?\n    Mr. Walker. I believe we need to understand the \ninterdependency which is why the first goal of my department is \nthe building of a North American, fully integrated model that \nhighlights the interdependencies and is able to do an n-1-1-1 \nanalysis to demonstrate what the interdependencies are and \ntherefore define the complexities to determine what the \nmathematical, the two-standard deviation impact is away from a \nsecure network.\n    Senator Cassidy. I am not sure you are answering my \nquestion because it does seem as if within that you acknowledge \nthat we should fear, but you are just trying to prepare us as \nmuch as possible to insulate that highly complex system from \nthat two-standard deviation event.\n    Mr. Walker. I guess I don't fear it. I need to understand \nit.\n    Senator Cassidy. Got it.\n    Mr. Walker. 
And my----\n    Senator Cassidy. Okay.\n    If I don't get this quite right, ma'am, but Dr. Endicott-\nPopovsky, I occasionally stutter, so I apologize.\n    You said everybody is our neighbor, but Mr. Lee said that \nreally we are reasonably, I don't want to misquote or overstate \nbut, secure within the energy sector. But if everybody is our \nneighbor and we have an Internet of Things and somebody's \nlittle modulator on their thermostat back home, can that sneak \nall the way in and disrupt our grid? And what if that \nthermostat is in Spain or Mexico or China, can it similarly do \nit because from what you said they are our neighbor?\n    Dr. Endicott-Popovsky. When I spoke about everybody is your \nneighbor in the online world and in cyberspace, I'm speaking in \na high level, metaphorically. And theoretically what you're \ntalking about is possible.\n    Certainly what the gentleman from Dragos was talking about \nwith the adversaries that we face, there are individuals out \nthere that are spending overtime and double time to figure out \njust those kinds of scenarios. And we should make no mistake, \nwe have allowed, in my opinion, our valuables to sit on a table \nin the kitchen with our back door open without thinking about \nwhat that invites.\n    And so----\n    Senator Cassidy. Now, that is a little bit contra to what \nyou said, Mr. Lee, in which you said, don't sit on laurels, but \nwe are not as quite as incredibly, you know, our valuables are \nnot necessarily on the table, at least when it comes to the \nenergy grid.\n    Would you accept that or----\n    Mr. Lee. So, I would not disagree that we are \ninterconnected in a way that opens up new risk, but I think my, \nsort of, point was the fact that every single thing that occurs \ngets messed with headlines that everybody is going to die. And \nI think that does a disservice to the amount of work that the \nenergy community has put into our infrastructure----\n    Senator Cassidy. 
Then that brings me to Dr. Sanders' \ncomment in which you suggest that we are not having this. \nImplied in your conclusion was that we are not having this \nacademia, industry, government working group to find solutions, \nare we not?\n    Dr. Sanders. So, we are having that. There are, actually \nfunded by the Office of Electricity (OE), there are efforts \ngoing on that are combining together academics, industry people \nand government. Some of the nice programs that have been run by \nOE, so-called industry projects----\n    Senator Cassidy. I am almost out of time so I gather that \nwe are, you just, perhaps, have more of it.\n    Dr. Sanders. We are doing it. We need more of it----\n    Senator Cassidy. Last thing.\n    Ma'am, you have raised working group and I had, somehow, in \nthe back of my mind in Washington State that you all had a \nbill. I don't know if it was implemented, that you would allow \ncomputer programming to be used as a substitute for a foreign \nlanguage requirement in your primary and secondary school. Do I \nremember that? And if so, was it implemented? And if so, what \nare the results?\n    Dr. Endicott-Popovsky. I will get back to you with that \nanswer. I recall that that was proposed, but I will get back \nwith you, sir, with that answer.\n    [The answer to Senator Cassidy's question appears on page \n152 at the end of the hearing.]\n    Senator Cassidy. Sounds great. It just sounds great to me \nbecause no one who ever studied French in school ever learned \nFrench, on the other hand, in fact, I am not sure they know \nwhere France is.\n    [Laughter.]\n    But if they learned how to use even Excel or Python, \nwouldn't we be better off?\n    Dr. Endicott-Popovsky. I agree that we need to be looking \nfrom an educational perspective down into the K-12 arena, \nabsolutely.\n    Senator Cassidy. Okay.\n    Madam Chair, I thank you for deferring.\n    The Chairman. 
Thank you, Senator Cassidy.\n    Senator Manchin.\n    Senator Manchin. Thank you, Madam Chair.\n    I would just like to say also that Latin was not much \nexperienced later either.\n    [Laughter.]\n    I am thinking I had two years in high school and still \ncan't speak a word of it.\n    Thank you, Madam Chairman and Ranking Member Cantwell, for \nhaving this important hearing. I would also like to thank each \none of you, the witnesses, for appearing here today.\n    It is nice to see Congressman Matheson, and we appreciate \nyour appearance here. I believe it is your first in this \ncapacity. During your time in Congress you were known for your \nbipartisanship which we miss very much. That is one of the many \nreasons I have no doubt that the Rural Electric Cooperative \nAssociation is in very good hands, sir.\n    We have held several cyber hearings this year, including \nthe Subcommittee on Energy on which I serve as the Ranking \nMember, alongside Chairman Gardner, as we discussed previously, \nnew digital technologies have increased energy efficiency and \nallowed for enhanced customer experience. However, increasing \nour reliance on these platforms also leaves us more vulnerable \nto cyberattacks. It is not a question of if, but a question of \nwhen.\n    With that in mind, my home State of West Virginia, as all \nof you know, I think, continues to be a net exporter of energy. \nThat means that our neighbors really depend on us for reliable \nelectricity which coal and natural gas produces on a regular \nbasis. I cannot stress the importance of reliable transmission \nof energy is our way of life, and I am concerned about our \nsecurity every day.\n    I applaud the ongoing work by the Department of Energy and \nDepartment of Homeland Security, Mr. 
Walker, but I also want to \nmake sure we can eliminate our energy sector's vulnerabilities.\n    As a member of the Senate Intel Committee, I consider these \ncyber hearings vitally important and I am very, very \nappreciative that we are having this hearing.\n    Congressman Matheson, I would ask, what has been the single \nmost helpful strategy or approach for your members to prepare \nfor and mitigate the risk of cyberattack? What do you think \nthat you all have been able to do to assist the Department of \nEnergy and any of our other agencies?\n    Mr. Matheson. The answer starts with the word partnership \nand we've had excellent relationships in terms of working with \nthe Department of Energy and developing, as I mentioned in my \nopening comments, the program we call RC3, which is a program \nthat we put together to train our co-ops. It's really a toolbox \nof different options that they can use to do a self-assessment \nof their circumstance at their co-op, identify potential \nvulnerabilities and risks, share best practices with each \nother.\n    And it's, sort of, a self-improvement process as well, \ncontinuous improvement dynamic because this threat is evolving \nevery day, as we've all discussed, and it's something that we \nrecognize that wherever we are today, we've got to get better \nby tomorrow. And that's been a significant play for us through \nthese smaller utilities, you know?\n    Senator Manchin. Yes.\n    Mr. Matheson. We need a program that recognizes the small, \nmedium-sized utilities and the fact that the Department of \nEnergy recognized as well and help fund this effort.\n    And I might mention, this effort was not just done with the \nRural Electric Co-ops, it was also done with the municipal \nutilities as well. I think that's been an important program, \nand that's a specific answer I give to your question.\n    Senator Manchin. 
Let me say this, I have been told by my \nutility producers, whether they be electricity by coal-fired \nfor baseload or whether it be our natural gas in all the \npipelines, that we are building and pumping stations. I am \nconcerned about the vulnerability. I have been able to go up \nmyself, with maybe just a little gate or a little fence around \nit.\n    Mr. Matheson. Yeah.\n    Senator Manchin. The pumping or our transmission, I would \nguess. I would ask each one of you, and I will start with Mr. \nLee. What keeps you up at night and what are you worried about, \nbecause I see vulnerabilities it would not be hard to attack by \nany of us?\n    If our pumping stations go down most of the East Coast is \nin trouble. If our transmission lines go down and our big \ntransfer stations, which are not all that foolproof.\n    So, if you could tell me, Mr. Lee, what are you concerned \nabout and what do you think we need to do for the next step?\n    Mr. Lee. Thank you, Senator, for your question.\n    I'm extremely concerned about the disparity between our \nindustries. So I often like to applaud the electric industry, \nspecifically, but that does not equate to every other industry.\n    I think the threats are far more, sort of, aggressive than \npeople realize, but not as bad as they want to imagine. And in \nthere is that nuance we have to capture.\n    I've been in manufacturing facilities, small to medium-\nsized co-ops, gas locations that are vital to critical \ncommunities where not even the basics of security have been \ndone. So, there is this back and forth we have to address.\n    So I'm concerned about that, and I'm also concerned about \nsome of the smaller events and our ability to respond to them. \nI'm very confident the U.S. Government has a response if a \nmajor cyberattack were to occur.\n    Senator Manchin. Okay.\n    Mr. Lee. But what about a 30-minute power outage in DC?\n    Senator Manchin. Yes.\n    Mr. Lee. 
That's something that brings me, sort of keeps me \nup at night at how we respond.\n    Senator Manchin. Mr. Walker, if I could go to you real \nquickly on this. I know we are concerned about the cyberattack \nand what cyber can do and shut down with a person from far \naway. I am concerned also about the hardened attack that can \noccur.\n    Mr. Walker. Sure.\n    Senator Manchin. What you all have been doing there and \nmaking sure utilities are strengthening their position to \nprotect?\n    Mr. Walker. Thank you for the question, Senator.\n    Specifically, what keeps me up at night in relation to this \nis the actual physical security component and, to that end, our \nDepartment has worked with our security department that does \nthe evaluations of our NNSA sites. We are extrapolating upon \nthe work that has been done extensively by the national labs \nand our security sites to bring it into and we're using our \nPMAs which are federally-owned, as the test bed for the proving \nground to utilize the physical security strategies, if you \nwill, developed mostly by the Sandia labs to employ them on \nboth the gas, electric and oil infrastructure throughout the \nUnited States.\n    Senator Manchin. Thank you.\n    My time has expired. I wish I could hear from all of you, \nbut if you get a chance, just chime in when you can.\n    Thank you, Madam Chair.\n    The Chairman. Thank you, Senator Manchin.\n    Senator Gardner.\n    Senator Gardner. Thank you, Madam Chair, and thanks to the \nwitnesses for being here today.\n    It is a critical issue, obviously. As we speak, the \nColorado Department of Transportation is actually dealing with \na cyberattack now. It has gone through several days' worth of a \nSamSam ransomware attack that has shut down the Colorado \nDepartment of Transportation computers within the Colorado \nDepartment of Transportation for days.\n    So this isn't just something that we should worry about for \ntomorrow. 
This is something that we should have been worried \nabout a long time ago and were worried about a long time ago \nand need to worry even more about how we address this today so \nthat we can prevent these kinds of things from spreading even \nfurther into hospitals and to roads and to other places.\n    Thank you for being a part of that solution and bringing \nthese ideas forward, because you were worried about this a long \ntime ago. You are worried about it today and a part of the \nsolution going forward and I thank you for that.\n    Congressman Matheson, if you don't mind, I enjoyed serving \nwith you in the House. You and I are affectionately referred to \nas House broken, being in the House and having that experience.\n    [Laughter.]\n    But we have talked a lot with our folks back home in \nColorado, the co-ops and others, about the challenges they face \nin cyber.\n    Would an expedited security clearance process address your \nneed for enhanced background checks and would having more \ncleared personnel improve the flow of specific additional \ninformation? For example, we had a hearing, I believe it was \nlast Congress, where somebody said that they were told by a \nsecurity audit that they had a piece of equipment that would \nnot pass federal standards, but they were then told that they \ncould not tell them what that piece of equipment was because \nthey did not have the right clearance.\n    Mr. Matheson. Right.\n    No, you've raised a really important issue and that is the \ninternal threat, the human threat. And what we propose, and \nit's not just the co-ops of the electric industry in general \nthat feels this way, is we would like access where we could \nhave FBI background check clearance to really check on key \nemployees. 
Although, the industry is willing to pay for that \nand we don't even want the information, the personal \ninformation, the FBI can keep that, but we would like to have \nthat capacity to have key employees go through that security \ncheck process.\n    I think that would be important risk mitigation for the \nutility industry and to having better confidence in the people \nthat have access to sensitive information.\n    Senator Gardner. Thank you for that.\n    For those members that do have clearances, do they have \ndifficulty trying to find or accessing classified briefing \nspace? Is that a problem as well or----\n    Mr. Matheson. Yeah, there is a question about timing in \nparticular, more than ultimately gain access. And I think that \nwe're always looking to improve, but there's no question that \nif we could find efforts for timely information to get to us in \na way that we can act on it in a reasonable way when we have a \nthreat. That always should be the goal.\n    And yes, we need to improve----\n    Senator Gardner. You can't just pick up the phone, on a \nregular unsecured line, and talk to the general manager of \nHighline Electric or something like that.\n    Mr. Matheson. You got it.\n    And we're trying to figure out, you know, this is a two-way \nstreet to how this information goes.\n    Yes, we want access to information from government sources \nin a timely way where we get that confidential information. We \nalso need to get that information to the government. We want \nsome protections about how that sensitive information is going \nto be used when it goes in that direction as well.\n    Senator Gardner. Great.\n    Mr. Walker, I have a couple minutes here so I want to get \nto you as well.\n    In your testimony, you talk about defense critical energy \ninfrastructure which was defined in the FAST Act. Can you \nexplain what DOE is doing to address Defense Critical Energy \nInfrastructure (DCEI)?\n    Mr. Walker. 
Thank you for the question, Senator.\n    The--I want to note that I think it was an astute \nobservation by the Congress to include the DCEI in the FAST \nAct. Upon taking office in DOE, one of the first things I did \nwas focus in on that point that was raised by the FAST Act.\n    To that end, I did a significant amount of research--my \nteam and working with members from the Department of Defense, \nDHS, the Army Corps, RPMAs, particularly WAPA, as well as other \nmembers in the key stakeholder groups--we developed a strategy, \nan operational strategy, that will enhance our ability to \nensure that when those defense critical infrastructure are \nnecessary to be utilized, that they'll be available, \nnotwithstanding what the impact is to the rest of the grid \nthroughout the United States. And we continue to work on that \ndiligently with our federal partners and our industry partners \nto focus on that.\n    And if I may, I'd like to comment on the previous \nquestion----\n    Senator Gardner. Great.\n    Mr. Walker. ----to Congressman Matheson.\n    Earlier this week, DOE, I chair and DHS chairs the Energy \nGovernment Coordinating Council and with regard to clearances, \none of the things that was a key takeaway from that meeting is \nthe clearance process and getting an expedited process is \nimportant, but I think what's more notable and what I focus the \norganization on, in conjunction with DHS, was we need to \nprovide timely and actionable information to the energy \npartners that we have in both the ESCC and the ONG.\n    And it's really about that action, very black and white. \nYou either need to act on this or you don't need to act on that \nand we need to figure out how to declassify information enough \nto be able to provide that guidance so that we won't get caught \ninto this clearance issue.\n    So that's one of the key takeaways that we're working on \ndiligently as well, Senator.\n    Senator Gardner. Great. Thank you, Mr. 
Walker.\n    Thanks to all of you, and I yield my time.\n    The Chairman. Terrific timing, thank you, Senator.\n    Next, we will turn to Senator Hirono.\n    Senator Hirono. Mr. Lee, did I hear you correctly when you \nresponded to an earlier question that we are prepared to \nrespond adequately if there is a major cyberattack? And did you \nmean a major cyberattack on our energy infrastructure?\n    Mr. Lee. Yes, ma'am.\n    So with that discussion, I think that the U.S. Government \nis more well-positioned on a major cyberattack than it would be \non a smaller cyberattack was my----\n    Senator Hirono. No, but are you talking about with \nparticular reference to the energy infrastructure that we are \nprepared to respond so that we can keep our energy \ninfrastructure going?\n    Mr. Lee. No, Senator.\n    So, the response is on the private sector. I think the \nbelief structure that U.S. military or others are going to go \non civilian networks is misplaced. I'm referring to the \ngeopolitical and, sort of, diplomatic response that we would be \nable to have.\n    Senator Hirono. Well, it is just that I just came from an \nArmed Services Committee hearing with General Nakasone, who is \na nominee to lead NSA and Cyber Command, and he did--now there \nis general acknowledgement that we have not responded to \nvarious, particular state-sponsored cyberattacks on OPM, for \nexample, in other ways.\n    That is why I wanted to get clarification from you as to \nexactly what you meant when you said that you thought we were \nprepared to respond. According to General Nakasone, we are not \nquite there.\n    I wanted to further ask you, Mr. Lee. As our control \nsystems become more complex, and you were asked this, and \nperhaps we have become more vulnerable to attacks. 
So on the \nother hand, perhaps, technical advances could potentially make \nstate-of-the-art security technology, we can incorporate state-\nof-the-art security technology such as advanced encryption \nalgorithms and other measures to protect our systems.\n    So, in your opinion, is progress being made to ensure that \nindustrial control systems are more secure as the technology \nbecomes better or are we losing ground because these systems \nare becoming more complex and inherently more vulnerable to \nadvanced persistent cyber threats?\n    Mr. Lee. Thank you, Senator, for your question.\n    I think it's definitely a race that we're also introducing \nnew risk while they become more verbose in their capabilities. \nSome systems that were never designed to do certain things now \nhave those capabilities built into them and they shouldn't. At \nthe same time, though, we are making a lot of progress in the \nsector.\n    So, I think it is, sort of, in this position where we're \nincreasing risk. We're increasing security, but we have to do \nmore of the security to offset that risk.\n    Senator Hirono. I think you also testified that our \ninfrastructure, and I assume that's our energy infrastructure, \nis quite resilient at this point so that, particularly on the \nelectric side, they have done a lot to protect themselves----\n    Mr. Lee. Yes, and I think there is still balance there that \nwe didn't have a lot more we need to do, but I think that we \nshould not be so careful, or we should be careful and sort of, \njust say that they haven't done anything which is inaccurate.\n    Senator Hirono. Yes, I understand.\n    Mr. 
Walker, you describe the DOE's work with industry in \ndeveloping the voluntary Cyber Risk Information Sharing \nProgram, or CRISP, as a way of monitoring and managing the \nsecurity and resiliency of the electric grid.\n    I would imagine a utility may not be inclined to \nvoluntarily report a cyber incident that may have exposed a \nweakness in their cybersecurity posture. If they are not \nrequired to share that kind of information, how forthcoming do \nyou believe utilities have been in sharing sensitive \ninformation relating to cyber risks that they are confronting \non a daily basis? And in your view, is there a way to induce \nand encourage greater participation in programs such as CRISP?\n    Mr. Walker. Thank you for the question, Senator.\n    I believe that the partnership that we have between the \nelectricity sector, Coordinating Subsector Coordinating Council \nand the Oil and Natural Gas Subsector Coordinating Council is \nextremely strong and it continues to get stronger, particularly \nas we work through the Government Coordinating Council to \nintegrate that information with DHS.\n    So I believe the industry is completely forthcoming, just \nlike we are completely forthcoming with that bidirectional flow \nof information, both classified and unclassified.\n    You know, this is an ongoing evolution and a partnership \nthat we all understand that we need to work together. The \nintegration of both the oil and natural gas as well as the \nelectric industry into an overall system of energy that's \nhighly dependent upon each other has driven us to work together \nover the years and we continue to progress that.\n    In fact, today we're meeting at DHS for the C-PAC to \nfurther work between government and our energy partners.\n    Senator Hirono. So the voluntariness of this program is not \npreventing the utilities from fully participating and \ncooperating in----\n    Mr. Walker. 
Not at all.\n    The limiting factor has been the cost of the implementation \nwhich is why we've been working very hard. We're going to \ncontinue to work hard with NRECA and the APPA to further embed \nthis.\n    You'll note in my testimony, I said about 75 percent of the \nutility customers throughout the United States are covered by \nthat. Our goal is, obviously, 100 percent. And we need to work \nharder, and we are working, to develop cheaper solutions, more \ncost-effective innovation in our labs for the sensing \ntechnology that's necessary to effectuate the CRISP program.\n    Senator Hirono. Thank you.\n    So continuing research in this area is really important and \nto provide those resources.\n    Mr. Walker. Absolutely and we are doing that.\n    Senator Hirono. Thank you, Madam Chair.\n    The Chairman. Thank you, Senator Hirono.\n    Assistant Secretary Walker, let me ask you this.\n    With the restructuring and the division now between the \nOffice of Electricity Delivery and now this separate Office of \nCybersecurity with its own Assistant Secretary, there would be \nsome that would argue that so much of this is just intertwined, \nthe issues of electricity delivery and energy reliability are \nnot distinct, they are very much intertwined. Then you have the \nreality that we are talking here about how we can design \ncybersecurity into every aspect of system operations so that an \nentirely separate office might be actually counterproductive.\n    Now I am not saying that I am one of those skeptics, but I \ndo think it is important, as the Committee that is looking at \nthat, that you share with us the rationale for this separate \noffice and the response to those who might say it is a little \nbit counterproductive to have it separate.\n    Mr. Walker. 
Thank you, Senator Murkowski.\n    I think that's an excellent question and being part of the \ndecision-making for doing this, I'd like to answer this.\n    Number one, in taking this position and looking across all \nof the different departments that I'm responsible for and \nunderstanding what was set forth in the FAST Act and really the \nfocus of cybersecurity and given the fact that the FAST Act \ndesignated DOE as the sector-specific agency. That is a \nsignificant undertaking, and I've done the analysis myself as \nto what work is necessary.\n    As I mentioned with Senator Gardner, the DCI component, \njust that strategy alone and identifying and working through \nthe defense critical energy infrastructure, is a significant \nundertaking both in breadth and depth.\n    Now the way I would specifically delineate how the two are \nintertwined in one concept but very distinct in the others is \nthe whole idea of the CESER program is to be actionable, near-\nterm and highly responsive today. So things like DCI strategies \nare things that are actionable today and need to be done. 
\nHowever, I would note that the remaining portion of OE that I \nwill be leading focuses on the longer-term solutions so just \nbecause we solve and have an operational strategy to make the \nsystem work for DCI today, having a longer-term strategy that \nlooks at different R&D capabilities, different design \nstrategies, is really what the focus of the OE Department is \ngoing to be.\n    And I note, Senator Murkowski, I'm taking the opportunity \nto change the name of my department because both you and I \nstruggle with it every time we're here.\n    The other part of the OE component which is very, very \nsignificant and a massive undertaking is the development of the \nNorth American model, an energy sensitive model that is able to \ndo enhanced analysis, to do contingency analysis to understand \nwhat the next worst case is when a significant infrastructure, \nwhether it be gas or electric or petroleum, goes offline to be \nable to do real load following analyses with a high integration \nof interdependency analysis. That work will drive and \nfundamentally change the way that we make investments in our \ninfrastructure throughout the entire United States and it will \nchange the way markets are driven and it will change the way \nthat we look at reliability, make investments in operation and \nmaintenance. So that will be work that will be done in that OE \nDepartment and that's a significant undertaking that we've laid \nout the strategy for as well.\n    The Chairman. You have your work cut out for you.\n    I am going to defer my time and go to Senator King and then \nwe will go to Senator Daines.\n    Senator King. Thank you.\n    Mr. Walker, welcome back to the Committee. You were here \nnot long ago, and we are glad to have you back.\n    Mr. Walker. Thank you, sir.\n    Senator King. 
Napoleon said, ``War is history.'' Freud \nsaid, ``Anatomy is destiny.'' King says, ``Structure is \npolicy.''\n    I welcome the new office because I think you are creating a \nstructure that will facilitate good policy in this area because \nwithout some area of responsibility in the department that \nfocused, specifically, on the problem of cybersecurity and \nresiliency, I am afraid the response and the planning and the \nprograms will be diffused and unfocused. So I hope that you \nwill move quickly to facilitate the formation of this office \nand to get it, to stand it up so that it can meet its urgent \npurpose.\n    Mr. Walker. Yes, sir, that's the goal.\n    It's important for us which is why the Secretary announced \nit and, you know, one of the things I learned early in my \ncareer is you design organizations around process and how you \nwant to drive the policy. And that was part of the \ndistinguishing factor in establishing this Department, \nspecifically for cybersecurity. And you'll note the second \npart, which is energy security which incorporates that closely, \nyou know, type, physical component which is absolutely \nnecessary for us to focus on, particularly as the \ninterdependency exacerbates our risk.\n    Senator King. Now the problem here--and this is not your \nproblem, this is an all-of-government problem and I just came \nfrom a hearing in the Armed Services Committee with the nominee \nto head Cyber Command--is that this country lacks a coherent \nstrategy of deterrence in the cyber realm. You can argue, we \nare either at war now or a war is imminent in terms of \ncyberattacks on this country, small and large. And yet, we have \nno deterrent policy. Our adversaries feel there is no cost to \ntheir attacking us in a variety of ways, large and small.\n    So, again, this is not your responsibility, but I hope that \nin the councils of government as you are discussing these \nmatters, we cannot simply rely on defensive measures. 
We cannot \nkeep patching software.\n    Ultimately, people who are making a calculation as to \nwhether to attack us have to believe there will be a response, \nwhether in the cyber field or sanctions or some other area, but \nthis is something that I am urging everyone. I don't have the \nSecretary of Energy or the Secretary of Defense or the \nPresident sitting here, so you are it. I hope you will take \nthis message back, because without a deterrent strategy we are \nsimply sitting ducks and there will be, not maybe, there will \nbe an attack unless we can deter our adversaries. I hope you \nwill take that message back.\n    Mr. Walker. Yes, sir, I will.\n    Senator King. Thank you.\n    Mr. Lee, you did some analysis on the Ukraine attack, is \nthat correct?\n    Mr. Lee. Yes, Senator.\n    Senator King. Rolling out of the response to that, Senator \nRisch and I have introduced a bill that is here that \nessentially is a back to the future bill because one of the \nlearnings, I understand, from the Ukraine attack was that they \nhad some places where there were analog switches and there was \nhuman intervention that enabled them to recover more swiftly.\n    Our concern is that if we are totally digital that there, \nas you, I think, testified a few minutes ago, there may be \nunintentional provisions in there that allow us to not be \nresilient and we have asked the national labs to look at some \nof these ideas. Is that something that you think makes sense?\n    Mr. Lee. Thank you for your question, Senator.\n    And yes, I do. I was actually able to provide some comments \nto the House companion for that. I thought it was very well \npositioned. I thank you for your leadership on it. There are a \nlot of----\n    Senator King. I did not know you were going to say that, \nbut I am delighted.\n    Mr. Lee. Yes, sir. So, teed up.\n    [Laughter.]\n    But there is a lot of functionality we're putting in that \ndoesn't make sense. 
This is not to say we need to go back, sort \nof, to the Stone Age. We cannot stop innovation and we should \nnot. I mean, a lot of optimizations make sense for the \nbusinesses that run, but there are certain locations and \ncertain functions of protection equipment and safety equipment \nthat doesn't need to be able to run minesweeper and solitaire \non it. They can do a more basic function which, in a sense, \nmakes it a much more difficult information and tax base for the \nadversary.\n    So I do think it makes a lot of sense in the right \napplication.\n    Senator King. Well, I hope we can. I hope, Madam Chair, \nthat is a bill we can move.\n    Again, talk to the national labs, instruct the national \nlabs to work on this concept of where in the system, not the \nentire system and not taking it back, but where in the system \ncould we place some of these elements that would be more \nrudimentary, if you will, but would protect us from a \ncatastrophic cascading of software.\n    Mr. Walker, I hope that you can, and I am out of time, but \nI hope that you will get back to us with thoughts as you are \nstanding up this office.\n    And one of the critical points here is the relationship \nbetween the government and the private sector. We don't run the \nelectric grid. 
We can only help work with the utilities to do \nso.\n    And to the extent that there are impediments to full \ncoordination and cooperation, in other words, things like \nutilities concerns about liability or costs or how do we do \nthis in a way that is not the heavy hand of government, but is \na cooperative relationship.\n    What I am asking you is, if you observe and develop, and I \nwould ask this question also to the electric cooperative and to \nthe utility industry, generally, if there are impediments here, \nplease let us know what they are so that we can try to address \nthem, because this is a crucial issue and it has to be close \ncoordination without smothering is, I guess, the way I would \nput it.\n    Mr. Walker. Sure.\n    And thank you for the point and I surely, if I run into an \nimpediment, I have not seen one yet, we have a fantastic \nrelationship with EEI, APPA and NRECA and then working through \nthe ONG Coordinating Council and the Electricity Subsector \nCoordinating Council.\n    You know, we work through these issues. And the great part \nabout these forums is we've all got the same and similar \nmission. We approach it from different angles, perhaps, but \nwe've got, the mission is to make sure that the energy \ninfrastructure is available when needed. And fortunately, we \nhave great partnerships with those members.\n    Senator King. I am out of time, but with the Chair's \nindulgence, I hope one of your elements of your work will be \nred teaming so that you can demonstrate to utilities where they \nhave problems.\n    Mr. Walker. Yes, we are.\n    We're taking a very progressive, proactive approach on many \nof these issues.\n    Senator King. Thank you.\n    Thank you, Madam Chair.\n    The Chairman. Thank you, Senator King.\n    Senator Daines.\n    Senator Daines. Thank you, Chair Murkowski, for this \nhearing. 
I know that cybersecurity and the protection of the \nelectrical grid has been an important issue for this Committee, \nand I hope we continue to press on it and do find some good \nsolutions to secure our grid. As you all know there are many \nthreats to the grid.\n    I first want to thank all the witnesses today for working \nhard to continue to keep the lights on. Mr. Matheson, it's good \nto have you here today, back on the Hill.\n    Mr. Matheson. Thank you.\n    Senator Daines. We served together in the House and I have \nsaid the rural co-ops when they, the electric co-ops, when they \ncome to my office once a year, I am not sure there is a better \norganization that represents a true cross section of our state \nand is closest to I call it, kind of, the real Montana, as our \nrural electric co-ops. I mean that sincerely.\n    Mr. Matheson. And that sure sounds good to me.\n    Senator Daines. Yes, but it is true, you know, when in \ndoubt speak the truth, my mom and dad always told me.\n    Mr. Matheson. Thank you.\n    Senator Daines. I do believe our rural co-ops are on the \nfront line in the defense of our grid, especially in rural \nstates like Montana.\n    Mr. Matheson. Yeah.\n    Senator Daines. But for the most part the co-ops you \nrepresent do not have a lot of excess cash to spend on research \nor new expensive technologies. And further, there isn't one \nsingle solution as we know, in fact, I have quoted Senator King \nwhen you said, ``There's no such thing as a silver bullet, \nmaybe silver buckshot.'' I think that is one of the best \ntakeaways I have had in a long time.\n    Senator King. Thank you, sir.\n    [Laughter.]\n    Senator Daines. Thank you.\n    Because co-ops are as diverse as any other business and \nthey span great distances, particularly in rural states like \nMontana.\n    Mr. 
Matheson, do you have examples of some of the efforts \nthat co-ops are doing to address these challenges and how our \nco-ops in Montana are working to protect local grids?\n    Mr. Matheson. Well, thank you, Senator, and you are correct \nthat there is a diverse set of circumstances of the over 900 \nelectric co-ops in America. They're in very different \nsituations. Some are large. Some are small. Some have great \ndispersed geographic areas. Some are more confined. So it's \ndefinitely, there's not a one-size-fits-all. We preach that \noften within the co-op community.\n    When it comes to the cyber threat there is one way I would \ndelineate between two categories of co-ops. There are about 120 \nco-ops in this country that really are connected really in the \nbulk electric system and that is an area where the need to \ncomply with the NERC reliability standards and cybersecurity \nstandards comes into play. And it's where the real threat to \nthe grid exists, if you will. And those electric co-ops are \nsubject to the NERC audits. They are subject to that \nregulation. They perform well in that regard and that's where \nwe like to use operational threats, that's where the co-ops \nhave, that set of co-ops, that set of co-ops have dealt with \nthat type of circumstance.\n    The other co-ops are the smaller distribution co-ops. \nThey're not necessarily directly with the bulk electric system \nand a lot of the cyber threats that they see are more on the \ninformation side, you know, on the personal information, \nthey're trying to hack in to get a social security number \nwhatever that might be.\n    And so, in that situation, again, we have large, small but \nwhat we try to do is create a peer-to-peer relationship where \nco-ops can compare, they can consolidate and share assets in \nterms of taking on these threats because you said some of them \ndon't have a lot of extra money laying around.\n    And that's really what cooperatives are about. 
It's in \ntheir name. They cooperate with each other. That's how our \nsectors really try to take on this issue, even across the \ndiverse set of circumstances we have, we have a really \ncoordinated effort to make sure that we're sharing best \npractices with each other to take on the cyber threat.\n    Senator Daines. Regarding the cyber threat, I recently \nintroduced the Cyber SAFETY Act which would, I think, \nincentivize----\n    Mr. Matheson. Yeah.\n    Senator Daines. ----the private sector and generally we are \nbetter off served with carrots versus sticks----\n    Mr. Matheson. Yeah.\n    Senator Daines. ----to incentivize the private sector to \ninnovate and commercialize the next generation of cybersecurity \ntechnologies. Could you discuss how that bill might help rural \nco-ops?\n    Mr. Matheson. The rural co-ops and, I might add, the rest \nof the electric utility sector, support this bill. It's an \nimportant bill for a number of reasons.\n    One is it removes an impediment that was in the original \nSafety Act from sharing information where before we could \nshare, events had to be described as, declared as acts of \nterrorism by Homeland Security. And this legislation that you \nhave introduced removes that requirement and it will facilitate \ngreater information sharing between the utility sector and the \nrelevant federal agencies.\n    The effort to produce more innovation in this area is \nsomething we strongly support, and I think it's a step that \nwould go in the right direction.\n    Senator Daines. Thanks, Mr. Matheson.\n    The Chairman. Thank you, Senator Daines.\n    Senator Smith.\n    Senator Smith. Thank you very much, Madam Chair, for this \nhearing and thank you, Ranking Member Cantwell. I am just also \nvery much appreciating your testimony today.\n    Senator Daines, you and I share an interest in rural \nelectric cooperatives, so I appreciate your questions on that \nas well. 
Thank you, thanks very much.\n    I wanted to just touch quickly on a couple of things. By \nnow we have all seen the conclusion of the United States \nintelligence community that the Russian government has engaged \nin cyberattacks intended to sway the outcome of our election. \nWe also know that Russia has previously targeted energy \nsystems, twice taking down portions of the Ukrainian grid in \n'15 and '16. And this is in addition to cyber events taking \nplace in the American energy sector such as the Russian malware \nthat was found on the computer of the Vermont utility. Senator \nKaine touched on this with our need for a deterrent strategy \nfor cyberattacks.\n    But Mr. Lee, I was struck by a point in your testimony that \nI would like you to elaborate on a little bit where you said, \n``We do not understand the industrial threat landscape and we \ndo not have enough trained professionals focusing on industrial \ncontrol cybersecurity.'' Could you just touch on that briefly \nand also suggest what, if anything, the Federal Government can \ndo to address this shortage of cyber professionals in the \nenergy sector?\n    Mr. Lee. Thank you, Senator, for your question.\n    It comes down to an aspect of collection. So, going back to \nthe co-op discussion. I know of a number of co-ops that have \ntold me, well, we don't have cyber threats in our industrial \nnetworks. And I'll ask, well, have you ever collected or looked \ninside those networks? And the answer will be, well, no. Then \nhow would you know that they're not there because I've \nabsolutely seen nation-state level threats going into those \nenvironments. And oftentimes, utilities and others will say, \nwell, I'm not a good threat, but that's the one thing you don't \nget a vote on. 
I mean, I've seen adversaries training in those \nenvironments, if nothing else.\n    I think it's important to address that our lack of \nunderstanding of that threat landscape translates to also how \nwe are trying to defend against these attacks. A lot of our \nbest practices and standards and regulations are built off of \nwhat would be applied to enterprise security networks at JP \nMorgan and may not be appropriate for an electric utility. So I \nthink there is that balance and we have to understand that \ncollection gap.\n    One of the things that I think is most important is that \nworkforce development. And this is coming from a technology \nvendor, I will tell you, the most important aspect is the \nhuman. We use technology to, sort of, be a Band-Aid until we \nget that.\n    On the human aspect by having better trained professional \nindustrial security, they will be able to make the right \ndecisions for their infrastructure.\n    We talk about information sharing, but the problem with \ninformation sharing is always the ability to action it which is \nat the utility or infrastructure site.\n    These professionals that we're training are very critical, \nnot only in K through 12, but also in the professional training \nthat we have out in the industry.\n    Senator Smith. So the big issue is, we ought to be focusing \non workforce development and that capacity. Okay, thank you \nvery much.\n    I have just a little bit more time and I would like to \naddress a question to the panel more broadly which is, we are \nseeing this incredible transformation in the way energy is \ngenerated and distributed and delivered in the United States \nwith much more distributed energy resources and smart grid \ntechnologies coming online. I am really interested in how this \nis impacting grid security overall. Is it making it worse? Is \nit making it better? 
Could you just or could anybody on the \npanel feel free to chime in about what challenges or benefits \ndoes a more decentralized grid have when it comes to \ncybersecurity?\n    Mr. Walker. I'll weigh in first.\n    Senator Smith. Thank you.\n    Mr. Walker. I think there's two components to the question.\n    The first is, the diversity of the portfolio on the \ngeneration component, for instance, has and can have the \ntendency, if it's modeled properly, we understand where it's \nbeing placed and if it's strategically being placed, have the \nbenefit of adding security from the standpoint that there's \njust more diversity and therefore, more iterations to be able \nto go through.\n    However, I would offset that by the fact that by adding \ncertain levels of diversity, depending on what they are and the \ncase I'll point to is the heavy reliance due to economic \nfactors on natural gas has now placed natural gas in a place \nwhere it's providing a significant amount of generation.\n    As I noted in my testimony, what that does is it more than \ndoubles the amount of critical infrastructure that has to be \nprotected simply because there's an entire pipeline now that \nonce was, it was a contributing factor, but it wasn't a \nsignificantly contributing factor, to the generation of \nelectricity throughout the United States.\n    Senator Smith. Dr. Sanders, did you want to chime in here?\n    Dr. Sanders. I'll just add very quickly that I think that \nMr. Walker spoke well about the diversity in the energy and \ngeneration portfolio.\n    But you brought up, Senator Smith, a very, very important \npoint. Much of the growth of the smart grid is on the \ndistribution side and much of the cybersecurity protections and \nresiliency that's put in place is in the bulk electric power \ngrid. 
In fact, NERC and FERC rules only apply on the bulk \nelectric power grid side.\n    So as we see this very different kind of smart grid, it's \nthe architecture, it's the complexity of the architecture that \nwe need to understand and the kind of point solutions we've had \nin the past just aren't going to apply.\n    Thank you.\n    Senator Smith. Thank you very much.\n    And Madam Chair, oh----\n    Mr. Matheson. I know we're over time----\n    Senator Smith. Yes, please.\n    Mr. Matheson. ----but just what I said within some earlier \ncomments about we appreciate the fact that there has been an \neffort and we've received R&D efforts to look at small and \nmedium-sized utilities. We still think that that's an area that \nmerits continued emphasis and your questions have raised \nanother reason why that's the case.\n    Senator Smith. Thank you very much.\n    Madam Chair, I believe I am past my time. Thank you.\n    The Chairman. Thank you, Senator Smith.\n    Senator Cantwell.\n    Senator Cantwell. Thank you, Madam Chair.\n    As former Director of National Intelligence, General \nClapper said, ``Cybersecurity is now more significant to our \nnational security than terrorism.''\n    So, last year along with all those numerous cyberattacks \nand breaches, we see that more and more of our economy and \ncritical infrastructure is being attacked. I see everyone \nnodding here.\n    Do we have the right threat assessment yet on our grid? Do \nwe have an accurate threat assessment, Mr. Lee?\n    Mr. Lee. I do not believe so.\n    Dr. Sanders. I do not believe so as well. I think that's a \ncapability that's absolutely critical to develop and the \nmaturity models we have today just are not sufficient.\n    Senator Cantwell. Anybody else?\n    Okay, so what do we need to do to get that? Mr. Lee?\n    Mr. Lee. 
When it comes to the threat landscape and \nunderstanding the threats that pose, I do think private sector \nis best positioned.\n    I always hear discussions about security clearances which I \nthink are incredibly important, especially for the strategic \nlevel, but I think people are going to be dismayed when they \nget a security clearance to go in for this magical intel about \nthe industrial threats and be met with nothing or very little. \nA lot of the insights are in the private sector companies. My \ninsight at my firm today rivals what I have when I led the NSA \nmission for it. So, I think to do proper work we have to work \ntogether.\n    It's where I do think DOE's CESER will be important, work \nwith the ISAC is important, trying to understand what's going \non at the operational layer of the CRISP program as an example \nis great, but it's for the enterprise networks. It doesn't \ntouch the operations networks and our ability to do that \ntogether will give us that threat landscape.\n    Senator Cantwell. Dr. Endicott-Popovsky?\n    Dr. Endicott-Popovsky. Yes, I'd like to suggest that the \nwork that the National Guard is doing in Washington State has \nrelevance to your question.\n    I point to the recent work that they did with SnoPUD and \nlater with a utility in the middle of the state where the Guard \ncooperated with the utility itself, with the Governor's \npermission, to go in and do red teaming which is not easy \nconsidering that you're working military to the private sector. \nBut that kind of effort, I think, was beneficial to the utility \nitself where they understood where they were vulnerable when \nthey actually thought they were not.\n    It puts people in the mindset of the threat actor and one \nof the things that could help this Committee, going back to \nsome conversation earlier about the threat actors involved, is \nto understand the evolution and the motivation of the threat \nactors. 
Many people still remember War Games and we had this \nmental model that it's some kid at a computer that's hacking in \nrandomly and causing trouble. We very quickly saw organized \ncrime figuring out that it was easier to log into a bank than \nto walk through the front doors with a gun and risk life and \nlimb.\n    And so, monetary motivations are really easy to grasp, but \nfor nation-state actors, it's more complex to figure out what \nthey're after. And that, I think, has made it challenging for \nthe private sector to really think about what's going on \nbecause strategically they don't think militarily. They think \nmarkets, they think economies but they've never been a military \ntarget. And so, now they find themselves as a military target \nand your strategic thinking has got to be different and this is \nwhere those red teaming exercises with the Guard were so \nhelpful. Kilmer's bill is designed to replicate this in Major \nLowenberg's name across the country with all National Guards.\n    Senator Cantwell. We are finding our whole political system \nis a target.\n    Dr. Endicott-Popovsky. Correct.\n    Senator Cantwell. And so, I think people think that when we \nsent this letter a year ago that we were trying to echo, maybe, \nsome larger tone about the Russians. We are just dead serious \nthat this is a problem.\n    Dr. Endicott-Popovsky. And it's not just----\n    Senator Cantwell. And we are dead serious that we have to \ncome up with a threat assessment and work through it, as you \njust said. I like the way you described it because you are \nsaying you have to understand what the threat actors' \nmotivation is and then you will understand the potentials and \npossibilities for attack and what you want to do with it. I see \nyou all nodding there.\n    Dr. Endicott-Popovsky. And it's not just the Russians. It's \nthe North Koreans. It's the Chinese. 
The Russians, I think, are \nparticularly good at it, but we certainly have a variety of \nnation-states that raid against our own infrastructure.\n    And I go back to World War II movies. What did we, as the \nAllies, take out with the German attacks from our bombers? We \nwent for infrastructure. And now our infrastructure can be \nbreached at a distance. What would you do if you were a nation-\nstate actor? And so, getting your mind in the role of the \nadversary, I think, is very helpful.\n    Senator Cantwell. Yes, Dr. Sanders?\n    Dr. Sanders. I think you asked a really excellent question.\n    I agree with Mr. Lee that we need more data collection. I \nagree with my academic colleague on the right that red teams \ncan be useful. But I want to emphasize that red teams only can \nfind problems. They cannot give forward-looking assessments.\n    When we find a problem with a red team we, hopefully, fix \nthat problem. We do not know what our state is going forward.\n    So exactly what you're asking for is a credible way to \nassess the situation, to understand the bad guys, to understand \nthe threat actors, but also to understand the users of the \nsystem because the users of the system through incorrect use or \naccidental use will also open up vulnerabilities.\n    So it's really three things we need to understand: we need \nto understand the attackers, we need to understand the users of \nthe system and we critically need to understand the \narchitecture of the system because if the system is not \nperfectly secure then we need to understand how that \narchitecture can create cascading failures or prevent cascading \nfailures. So these three things.\n    Senator Cantwell. Mr. Walker, is this something that the \nOffice can achieve? A threat assessment?\n    Mr. Walker. 
Yes, ma'am.\n    We work with the intelligence communities which DOE is part \nof and the effort in understanding the different components \nwith regard to CRISP.\n    One of the things we've already done, and we're in the \nearly stage of development, is the development of a program, an \nR&D program, called CYOTE which is Cybersecurity for the \nOperational Technology Environment. So it goes to the OT \nenvironment that Mr. Lee was speaking about before.\n    Much of the work in the past has been spent on the IT side \nof this. We are now focused on the OT side of this and that \nwill provide us the situational awareness that we need to \nunderstand the threat assessment, particularly on the OT side \nwhich is where the vulnerability for the energy sector resides \nthe most.\n    Senator Cantwell. Do you think this squarely resides at \nDOE?\n    Mr. Walker. I think that it needs to be a partnership \nbetween private industry that owns the majority of \ninfrastructure throughout the United States as well as other \nagency partners that have, particularly on the intelligence \nside as well as DHS where they have much of the information \nnecessary for us to have a 360-degree view of the \nvulnerability.\n    But we could work, obviously, through our EGCC and the ONG \nSCC to get the oil, natural gas, private sector, as well as the \nelectricity subsector together and working with the energy \ngovernment side, the coordinating council which I co-chair with \nDHS, to take this initiative on, move forward and come back \nwith a complete understanding of what we've got, as well as a \nnumber of solutions.\n    Senator Cantwell. Well, I think, as the witnesses have all \nsaid, we need to be serious about this. We need to get the \nthreat assessment done.\n    Mr. Walker. Yes, ma'am.\n    Senator Cantwell. 
We need to get an understanding of what \nour workforce need is from that threat assessment.\n    What other additional focuses besides just hardening of our \ninfrastructure? What else do we need to be undertaking to make \nsure that we can continue to grow in the ways that we want to \ngrow in an information age so that we can give our constituents \ncertainty?\n    I so appreciate it, Madam Chair. Thank you for the extended \ntime.\n    The Chairman. Very important questions.\n    It really goes to the broader issue. If we don't know what \nour threat is, it is pretty tough to be able to address it and \nthe recognition that knowing what we know now is wonderful, but \nhow are we able to anticipate and project and basically stay \none step ahead of those that are looking to be destructive?\n    I just note that there is a report out this morning from \nthe House Science Committee that describes Russia's extensive \nefforts to influence U.S. energy markets through divisive and \ninflammatory posts on social media platforms, not unlike what \nwas going on at the time of the election. I, obviously, have \nnot read this. This just came out this morning but, again, it \njust speaks to what we are dealing with and the, kind of, the \nmultiheaded issue that it is. How you pin down or can target \nwhat that next threat is is anybody's guess here.\n    I wanted to ask just a few follow-on questions from some of \nthe things that have been raised by members this morning.\n    This is directed to you, Congressman Matheson. Last \nCongress when we moved the FAST Act through we gave the Energy \nSecretary these emergency authorities and we strengthened the \ninformation sharing----\n    Mr. Matheson. Right.\n    The Chairman. ----with FOIA exemptions for our critical \ninfrastructure information. Have these FOIA exemptions been \nhelpful?\n    And then to Senator King's question. 
He mentioned the issue \nof liability and the information sharing and how it can be \nfurther improved if you have some assurances----\n    Mr. Matheson. Sure.\n    The Chairman. ----that the sensitive information is going \nto be properly protected and free of liability concerns.\n    On the liability side of things, is this an area where we \nneed to legislate with that? Are you comfortable with what \nwe've put in place with the FAST Act and the provisions that we \nhave now with regards to the information sharing?\n    Mr. Matheson. First on the FAST Act and we were, we, of \ncourse, supported the FAST Act as it moved through Congress.\n    Your question of how it's played out now in terms of the \nFOIA exemptions, since this Act, since it's been implemented, \nhas been in its infancy. It's a little bit of an open question \nstill.\n    The Chairman. Because we don't really know.\n    Mr. Matheson. I have no concerns. I'm just saying I can't \ntell you this is how it's worked in a really substantive way \nbecause it's just too new to get that kind of answer.\n    The Chairman. Okay.\n    Mr. Matheson. But we did support the FAST Act as it was \nmoving through Congress, and we appreciate that it's a law. If \nwe have any issues with it, I'm sure we'll be communicating \nthat back.\n    On the liability, yeah, look, I think this is an issue \nwhere there's always going to be an interestedness looking for \nopportunities to make sure that information that we pass on to \nour government partners has some level of protection and the \nFAST Act clearly addressed some liability concerns that we had \nand we appreciate that. Am I going to tell you we've got \neverything off the table now? I'm sure this is going to be an \nongoing conversation as we look at going into practice, where \nwe have information transfer and making sure we have \nappropriate liability protections, that's going to be an \nongoing conversation which is going to have to happen.\n    The Chairman. 
Assistant Secretary Walker, on the government \ndisclosure of data, we have the Critical Energy Infrastructure \nInformation, CEII, and this dealing with, basically, the \npublic's right to know certain information and I think we all \nsupport levels of transparency. But when it comes to critical \ninfrastructure information, it seems reasonable that we want to \nbe somewhat circumspect here.\n    Is this an issue where we need to, again, look at FERC and \nhow it is able to release data in the format that it is right \nnow? Is this a policy, given what is going on out there in \nterms of balancing the need to know with the need to be as \nsecure as possible, is this something that we need to revisit \npossibly?\n    Mr. Walker. At this time, I don't think it is.\n    I recently had a meeting with our newly confirmed \nAdministrator for EIA with regard to much of the information \nthat is promulgated out through that department on a pretty \nregular basis. And the reason I had met with her was because of \nthe significant work we're doing with developing this North \nAmerican interdependency model for the entire energy system. \nClearly one of the things that's been raised as we start \ntalking across the bouncing authorities and the regional \ncoordinators is to protect the flow of information.\n    That legislation actually enabled DOE to even develop a \npolicy. So we're actually in the process of working through \nfinalization of our policy with regard to the CEII that you \nnoted that was defined in the FAST Act.\n    So, again, I think the FAST Act provided for a very \nsignificant insight into the needed collaboration between \nCongress and the Executive Branch and all of the partners that \nreally have the purpose of protecting national security.\n    The Chairman. Good. Good.\n    Back to you, Mr. Matheson, and this is as it relates to \ncompliance with mandatory standards. 
You have said in your \ntestimony that the electric sector today is the only one with \nmandatory and enforceable standards when it comes to \ncybersecurity. We have noted that and, in fact, these \nviolations come with some fines, some pretty hefty fines.\n    Mr. Matheson. That's correct.\n    The Chairman. A million dollars per day per violation is \npretty significant.\n    Mr. Matheson. Yeah.\n    The Chairman. But we also have those who would suggest that \nour utilities are overly focused on compliance. And so, you \nhave a situation that in an effort to meet the mandatory \nstandards that have been set out and avoid these financial \npenalties, nobody wants to be paying a million dollars a day \nper violation, that the electric sector is possibly losing \nground because they are focusing on the wrong thing here. They \nare focusing on checking the box on the compliance, and they \nmiss the goal of cybersecurity protections. Do you think that \nthat is a real concern?\n    Mr. Matheson. You know, I would resist that, actually.\n    The Chairman. Okay.\n    Mr. Matheson. I believe that, you know, this is an industry \ndriven process through NERC to develop these standards. FERC, \nof course, approves those standards.\n    Resilience, reliability have always been a concern for the \nelectric industry throughout its history. Cyber is the issue \nthat has evolved over the last several years as part of that \nnow, but no, I don't see any sense where the regulations or the \nrequirements that the NERC process has produced have diverted \nour attention as an industry from focusing on what's most \nimportant.\n    I'd like to think, instead, it's actually created the focus \non what we ought to be looking at. So, yeah, I would disagree \nwith that premise that it has caused some inappropriate \nattention on compliance at the expense of legitimate \ncybersecurity efforts.\n    The Chairman. Okay, fair enough.\n    Let me ask you one more question.\n    Mr. Matheson. 
Sure.\n    The Chairman. You were asked a question from Senator \nDaines, specific to Montana and Montana's co-ops, but obviously \nin my state, pretty small, pretty small entities.\n    Do you have confidence that our smaller co-ops, our smaller \nentities, are capable of meeting the cyber challenges? It \ndoesn't make any difference if you are in Seattle or if you are \nin Aniak, you still want to be able to rely on your energy \ngrid----\n    Mr. Matheson. Absolutely.\n    The Chairman. ----whether it is a little bit smaller or \nnot. Do you have a level of confidence that our smaller \nentities are holding up okay?\n    Mr. Matheson. Yeah, I do have that confidence. And I'm \ngoing to say what everyone else has said in this hearing that \nthis is an evolving threat so we never, even if we're confident \ntoday, we still have to work for tomorrow.\n    I would offer Alaska specific, you know, there are--a lot \nof our electric co-ops that are isolated. They're microgrids.\n    The Chairman. Yes.\n    Mr. Matheson. And we have one co-op in Alaska that's right \nnow working on implementing, sort of, a cybersecurity protocol \nspecifically for a microgrid distribution utility.\n    The Chairman. We think we are going to pioneer on this and \neveryone is going to want to come up and see what we are doing.\n    Mr. Matheson. I'm all for that.\n    The Chairman. Yes.\n    Mr. Matheson. Because as we said earlier, every co-op is \ndifferent and municipal utilities have the same. And so, yeah, \nI like to think that individually people are recognizing--these \nare my circumstances, what should I do to take on cybersecurity \nrisk and mitigate in an appropriate way? And I see even smaller \nco-ops doing just that.\n    The Chairman. Good. Good.\n    One last question and this relates to the workforce. I \nappreciate what Senator Cantwell raised in her opening \nstatement and the work that you have done, Dr. 
Endicott-\nPopovsky, in focusing just on this.\n    The training is absolutely key and critical. I think we \nrecognize that. I think we know that the training has to go all \nthe way down the chain, those who are making the decision at \nthe top, all the way down to the grid operators at the very, \nvery local level. I wrote down your comment here, Doctor, that \nyou said, ``there's no firewall for stupid here.'' I think we \nall want to make sure that at the end of the day we have that \nlevel of training and skill and expertise all the way down. Are \nyou convinced that we are getting the training all the way down \nto that local grid operator?\n    Dr. Endicott-Popovsky. I think it's mixed, but I think that \nis the trend. Every person that participates in some fashion is \na potential node in the network that can cause a problem.\n    I think Mr. Lee had mentioned something about a phishing \nattack, clicking on a link and causing problems. I mean, this \nis a very common issue and firewalls don't prevent that. You've \ngot people that need to know not to do that sort of thing. So, \nyou're absolutely right. There does have to be training down \nthrough every level.\n    There are some organizations that are modeling some very \neffective training. You have to avoid the yada, yada flavor of \nthe month. That happens in many organizations. I take asbestos \ntraining. I take this. I take that.\n    And so, there's some ways to make training vivid and NIST \nhas some guidelines that they've published that are very good \nat telling you how to be effective with your training. We use \nthem in our classes.\n    But somehow you have to get it visceral for people. We \ncould conduct a training here for the Committee, give you a \nsense of what it's like to be the bad guys. 
Once you start to \nthink like bad guys, you start to see more things.\n    I had a student, internationally, one time write me a \nlittle note--and I teach things that are safe to teach: \noperations, business operations--but he wrote me a very telling \nnote, ``Why do you people in the West keep emphasizing the \ntechnology when the bad guys''--and I'm thinking, how do you \nknow?--``when the bad guys are always looking for the person?''\n    So, if you put yourself in the role of the adversary, a \nnation-state, if you have a particularly plum target, something \nluscious that you can't resist. What lengths would you go to to \nviolate that system? How important is that to you? It's a \ncompletely different mindset. We have to be right every time. \nThey only have to be right once. So it's a daunting problem and \nwe have complex systems and lots of participants. I don't think \nwe can expect to get it right every time. I think we have to \nrecognize vulnerabilities and risk. But awareness is the \nbeginning.\n    The Chairman. Yes.\n    Dr. Endicott-Popovsky. I'd be happy to provide some \nmaterials, if you're interested.\n    The Chairman. I think it would be helpful for the \nCommittee.\n    Dr. Endicott-Popovsky. It's a passion of mine.\n    The Chairman. I can tell and that is appreciated.\n    Senator Cantwell, did you have any follow-on?\n    Senator Cantwell. I want to thank you.\n    The Chairman. I want to thank each of you. I think your \ntestimony has been very, very important. We have had a very \nimportant discussion today, and we will look forward to \nadditional input for the record as some have promised.\n    We will look forward to working with you, Mr. Walker, in \nthis capacity here with a very keen focus on cyber.\n    I will note the Committee's appreciation for your \nattendance here, Mr. Lee. 
Not only have you given us good \ninsight, but I'm told that your wife is expecting and has been \nexpecting to deliver for quite some time----\n    [Laughter.]\n    ----and that your appearance here today was made possible \nbecause hopefully, hopefully, she is going to have this labor--\n--\n    Mr. Lee. Today.\n    The Chairman. ----commence----\n    Mr. Lee. So, she's amazing.\n    The Chairman. ----soon----\n    [Laughter.]\n    ----after you are excused from this table. So hopefully if \nshe is watching now, she's got the go ahead----\n    [Laughter.]\n    ----and she can deliver a beautiful baby safely into the \nworld. We congratulate you on that.\n    Mr. Lee. Thank you.\n    The Chairman. You have always got to end the Committee on a \nhappy note, so thank you all.\n    Dr. Endicott-Popovsky. Madam Chairman, I have a question.\n    The Chairman. Doctor?\n    Dr. Endicott-Popovsky. I did get a real-time update on \nSenator Cassidy's question about the potential change in the \nlanguage requirements for K-12 in the State of Washington. They \nare still considering computer language as a substitute for \nforeign language. The original bill died, but there's still \nresidual interest in that concept, and it's being studied \nthroughout this year. And apparently, we're going to be meeting \nwith the Office of Superintendents here sometime in the near \nfuture to discuss this issue. So can you pass that on to him?\n    The Chairman. We will share it with him and others as well.\n    Dr. Endicott-Popovsky. Alright, thank you.\n    The Chairman. We appreciate that.\n    Thank you all.\n    The Committee stands adjourned.\n    [Whereupon, at 11:53 a.m. 
the hearing was adjourned.]\n\n                      APPENDIX MATERIAL SUBMITTED\n\n                              ----------\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n"