<html>
<title> - MITIGATING AMERICA'S CYBERSECURITY RISK</title>
<body><pre>[Senate Hearing 115-475]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-475

                MITIGATING AMERICA'S CYBERSECURITY RISK

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS


                             SECOND SESSION

                               __________

                             APRIL 24, 2018

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs



                   U.S. GOVERNMENT PUBLISHING OFFICE
32-454 PDF                  WASHINGTON : 2019

-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office.
Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.



        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma             GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming             MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota            KAMALA D. HARRIS, California
STEVE DAINES, Montana                DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
                  Colleen E. Berny, Research Assistant
               Margaret E. Daum, Minority Staff Director
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Bonni E. Dinerstein, Hearing Clerk


                            C O N T E N T S

                                 ------
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator McCaskill............................................     3
    Senator Hassan...............................................    13
    Senator Peters...............................................    15
    Senator Lankford.............................................    17
    Senator Harris...............................................    20
    Senator Carper...............................................    24
    Senator Jones................................................    26
    Senator Heitkamp.............................................    28
    Senator Daines...............................................    31
    Senator Hoeven...............................................    33
Prepared statements:
    Senator Johnson..............................................    51
    Senator McCaskill............................................    52

                               WITNESSES
                        Tuesday, April 24, 2018

Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and
  Communications, National Protection and Programs Directorate,
  U.S. Department of Homeland Security...........................     4
Gregory C. Wilshusen, Director, Information Security Issues, U.S.
  Government Accountability Office...............................     7
Hon. Eric Rosenbach, Co-Director of the Belfer Center for Science
  and International Affairs at Harvard Kennedy School............     8

                     Alphabetical List of Witnesses

Manfra, Jeanette:
    Testimony....................................................     4
    Prepared statement...........................................    55
Rosenbach, Hon. Eric:
    Testimony....................................................     8
    Prepared statement...........................................    85
Wilshusen, Gregory C.:
    Testimony....................................................     7
    Prepared statement...........................................    64

                                APPENDIX

Electronic Privacy Information Center statement submitted for the
  Record.........................................................    90
Responses to post-hearing questions for the Record:
    Ms. Manfra...................................................    92
    Mr. Wilshusen................................................   148
    Mr. Rosenbach................................................   173


                MITIGATING AMERICA'S CYBERSECURITY RISK

                              ----------


                        TUESDAY, APRIL 24, 2018

                                     U.S. Senate,
                           Committee on Homeland Security
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room
SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, Hoeven, Daines,
McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will come to
order.
    I want to welcome our witnesses. Thank you for your time,
your thoughtful written testimony, and looking forward to you
answering our questions.
    The hearing is called ``Mitigating America's Cybersecurity
Risk.'' I will first ask that my written opening statement be
entered into the record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the
Appendix on page 51.
---------------------------------------------------------------------------
    I think the word ``mitigating'' is a good one. We are not
going to solve this problem. The people on offense are
continuing to increase their capabilities. I remember being
briefed a couple of years ago about North Korea's capability.
The consensus was they are far behind, for example, Russia and
China. Now it sounds like they have really upped their game.
They are always on the offense, they are always developing new
tools, and we are playing defense and we are behind.
I think we
have to look at mitigating.
    I am mindful of the fact that the Department of Homeland
Security (DHS) is very disappointed that we were not able to
include in the omnibus the renaming of the National Protection
and Programs Directorate (NPPD). I do not know who ever came up
with that name. But, obviously, Cybersecurity and
Infrastructure Security Agency (CISA) would be a better name
for it.
    From my standpoint, it is bizarre, it is ridiculous that it
requires an act of Congress for the Department of Homeland
Security to rename an agency and restructure it so it actually
does a better job. I do not get that, but that is the way it
is. I do not know what the objection was. I think that might
indicate further future problems in terms of lack of
cooperation and coordination within the agencies, within
committees, within Congress. But it is just unfortunate. We are
going to do everything we can. Maybe a really good solution
would be to pass the DHS authorization bill through the Senate
that we passed through our Committee that includes that as
well. But if that does not work, we will try and figure
something out.
    We have passed a number of laws. I got here in 2011, and
from day one everybody recognized cybersecurity is an issue,
and it always kind of scares me when I hear this: ``We have to
do something about it.'' Well, we have been doing things about
it. We have been passing laws. I think we have plenty of laws
on the books. I really do. The question is: Are we fully
implementing them? Are some of these laws in conflict? Where
are we at in terms of actually carrying out the laws, the
authorities that you actually have?
    One of the things I will ask the witnesses, as you are
talking about this--and, again, I read the testimony. This can
be very confusing. Way too many acronyms.
As you are evaluating
and you are answering questions in terms of different laws,
different initiatives, I would like to get some kind of sense
how far we are. Zero, we have not done anything with it; 10, we
have it nailed. I am not expecting any 10s, but I would just
like some sort of sense as we are going through this--and if
you do not provide it, I will chime in and kind of ask that
level of assessment.
    I do not think there is any doubt that we have made
progress in the last 7 years. In multiple hearings on
cybersecurity, this has been a real priority of this Committee.
I would always ask what is the number one thing we have to do
is information sharing and that we pass those laws, we have
given liability protection. How well are they being utilized I
think is the main question.
    I think the last statement I want to make, again, is just
the potential turf battles, which I think is indicative of not
being able to pass the renaming of NPPD in the last omnibus. I
think that is a serious consideration. We need to probe that
and find out where those stumbling blocks are. I realize there
is always a little bit of a turf battle between the
intelligence community (IC), the Department of Defense (DOD),
National Security Agency (NSA), and DHS. From my standpoint and
I think this Committee's standpoint, we just recognize DHS is
the agency that really has the best capability of dealing with
the private sector, and the threats that face our national
security, really a great deal of them deal with the private
sector, whether it is our financial system, whether it is our
electrical grid system, those types of things. I cannot think
of a better Department within government to be that focal point
and do all those things.
    Again, this is very serious.
I was telling the witnesses
before the hearing, when I talk to young people, either in
their last couple of years of high school or early in college,
and they are contemplating what they want to do with their
lives, what kind of degree program, I always say, ``Listen, if
you want to get a job and a well-paying job that is going to be
around for your working career, check out computer science with
a concentration in cybersecurity, and you are going to be
pretty well positioned.''
    I appreciate the witnesses being here. This is a priority
of this Committee. It is a pervasive problem. It is not going
away. We have got to make continuous improvement as best we
can.
    With that, I will turn it over to our Ranking Member,
Senator McCaskill.

           OPENING STATEMENT OF SENATOR MCCASKILL\1\

    Senator McCaskill. Thank you, Mr. Chairman. I appreciate you
holding this hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator McCaskill appears in the
Appendix on page 52.
---------------------------------------------------------------------------
    Hardly a week goes by without some type of cyber incident
dominating the headlines. In the United States and the world,
as we become more digitally connected, I suspect that trend
will only continue and heighten over time.
    Our government is a lot older than the Internet, so we have
had to retrofit technology into existing government structures.
But unlike a lot of issues that naturally fit into a single
department or agency, cybersecurity and data protection affect
all aspects of government.
In the last few years, however,
Congress, and in particular this Committee, as the Chairman has
just outlined, has made a great deal of progress enhancing the
Federal Government's ability to track and improve its
cybersecurity.
    We codified the Department of Homeland Security to
coordinate the operational security of Federal systems. That
included designating DHS as the hub for information sharing,
running the intrusion prevention and detection programs that
are now mandated throughout Federal departments, leading asset
response activities, and coordinating the protection of
critical infrastructure. When necessary, DHS also has the
unique authority to direct another agency to take certain steps
to protect its systems.
    While every department and agency is ultimately in charge
of protecting its own systems, Congress has done a lot to make
DHS the primary cyber coordinator for the civilian Federal
Government. This hearing is an opportunity to assess how DHS is
using those authorities and if these tools are measurably
improving the agencies' awareness and security.
    As I mentioned, part of DHS' responsibilities also include
coordinating critical infrastructure protection, but the
majority of critical infrastructure is not federally owned or
operated. This is certainly the case with election systems,
which are owned and operated by State and local governments.
    We all know that the intelligence community assessed with
high confidence that Russia launched a campaign to influence
the 2016 election, part of which aimed to undermine the public
faith in the U.S. democratic process. There is no question that
Russia has had a clear plan to break the backbone of
democracies wherever they exist. A component of that operation
included attempts to hack into voter registration systems.
    In the months before the election, DHS stepped up and
offered cyber assistance to States that wanted help.
In the
aftermath of the election, DHS designated election
infrastructure as critical infrastructure, which enabled
interested States and localities to jump toward the front of
the line to receive help.
    In the roughly 2 years since this issue appeared on the
radar of States and the Federal Government, DHS has made
progress building relationships with election officials and
associated organizations throughout the country and in helping
interested States and localities assess and improve the
security of their voting systems. There have certainly been
some bumps in the road, but I think DHS is on the right track.
That said, I have serious reservations about our level of
preparedness. Just last week, DHS Secretary Nielsen declined to
express confidence in the country's election security,
admitting only that there is increased awareness of the threat.
That is very troubling.
    Beyond that, I am concerned that this Administration has
only been treating the symptoms of Russia's interference. U.S.
policy toward Russia has been uneven at best, and at worst, I
worry that we have not done anything to actually change Russian
behavior and stop them from trying to undermine our
institutions, especially the institution of democracy.
    I look forward to hearing our distinguished witnesses'
assessments of our election security and our cybersecurity and
how we can continue to improve it in the future.
    Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Senator McCaskill.
    It is the tradition of this Committee to swear in
witnesses, so if you will all stand and raise your right hand.
Do you swear that the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you, God?
    Ms. Manfra. I do.
    Mr. Wilshusen. I do.
    Mr. Rosenbach. I do.
    Chairman Johnson. Please be seated.
    Our first witness is Jeanette Manfra. Ms. Manfra currently
serves at the Department of Homeland Security as the Assistant
Secretary of the National Protection and Programs Directorate,
Office of Cybersecurity and Communications. Ms. Manfra.

TESTIMONY OF JEANETTE MANFRA,\1\ ASSISTANT SECRETARY, OFFICE OF
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Thank you, sir. Chairman Johnson, Ranking
Member McCaskill, and Members of the Committee, thank you for
today's opportunity to discuss the Department of Homeland
Security's ongoing efforts to reduce and mitigate cybersecurity
risks. Safeguarding and securing cyberspace is a core homeland
security mission.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Manfra appears in the Appendix on
page 55.
---------------------------------------------------------------------------
    For the last decade, I have worked to advance the
Department's cybersecurity and critical infrastructure mission.
I have personally witnessed the commitment, dedication, and
tireless efforts of the men and women at DHS. As cyber threats
have evolved in times of calm and in times of crisis, these
employees have never wavered in their duty to protect our
homeland, and I am proud to serve alongside them as we work to
address these important and sometimes complicated national
security issues.
    On behalf of our workforce and our leadership, I want to
thank this Committee for advancing legislation over the last
few years that has strengthened our authorities and enabled us
to better protect Federal networks and critical infrastructure.
Now, as the Chairman mentioned, we must move to the next step:
to create the Cybersecurity and Infrastructure Security Agency
at DHS, which would see our organization, the National
Protection and Programs Directorate, become a new agency.
    This change reflects the important work we carry out every
day on behalf of the American people to safeguard and secure
our critical infrastructure. We strongly support this much
needed effort and urge quick action by Congress to pass this
law.
    Malicious cyber operations remain one of the most
significant strategic threats for the United States, holding
our national security, economic prosperity, and public health
and safety at risk. Over the past year, network defenders have
seen the threat landscape grow more crowded, active, and
dangerous. One single breach at Equifax and cyber criminals
resulted in the online exposure of sensitive personal
information belonging to nearly half of all Americans. North
Korea's WannaCry ransomware spread to more than 150 countries,
paralyzing industries from health care to hospitality. The
Russian military-sponsored NotPetya attack was the most
destructive and costly cyber attack in history causing billions
of dollars in damage across Europe, Asia, and the Americas.
    We have taken steps to empower public and private partners
to defend against many of these threats by publicly attributing
State-sponsored activity, issuing technical indicators, and
providing mitigation guidance. Since June 2017, DHS and the
Federal Bureau of Investigation (FBI) have published eight
technical alerts and malware reports to provide details on the
malicious cyber tools of the North Korean Government.
    We have also published technical details and alerts
regarding Russian-sponsored cyber activity, including
operations that targeted U.S. Government and business in the
energy, nuclear, water, aviation, and critical manufacturing
sectors.
These actors also collected information pertaining to
industrial control systems.
    Last week, DHS joined our colleagues at the FBI and the
United Kingdom's National Cybersecurity Center to publish the
first international joint alert, which included details and
mitigation guidance regarding worldwide cyber exploitation of
network infrastructure devices such as routers. With high
confidence, we assessed that Russian State-sponsored cyber
actors are using compromised routers to support espionage,
extract intellectual property, maintain persistent access to
victim networks, and potentially lay a foundation for future
offensive operations.
    DHS is also working to enhance cyber threat information
sharing across the globe to stop incidents before they start.
These actions help businesses and government agencies protect
their systems and quickly recover should such an attack occur.
While in many cases our defenses have been successful in
mitigating these threats, we must continue to work to ensure
our cyber defenses keep pace with technological change and
evolving risks.
    I want to assure this Committee that DHS is embracing our
statutory responsibility to administer the implementation of
Federal agency cybersecurity policies and practices. This
Committee played a key role in championing the passage of the
Federal Information Security Modernization Act (FISMA) 2014,
which provided the Secretary of Homeland Security the authority
to develop and oversee implementation of binding operational
directives (BOD) to agencies. We have issued a total of six
binding operational directives, all of which are now public.
    I will discuss one of them, which was the very first BOD
that we issued, and I am happy to answer any questions on
others. But as an example, the first BOD we issued was around
reducing the time to patch known critical vulnerabilities.
When
we issued this binding operational directive, we were not at an
industry standard of time to patch being less than 30 days.
After we issued this binding operational directive and provided
repeated reports to agencies, we are now consistently reducing
the time to patch to less than 30 days. In addition to our
efforts to protect government networks, we are focused on how
government and industry work together to protect the Nation's
critical infrastructure.
    Before closing, I want to address an issue that I know
concerns many in this Congress and among the American public.
As Secretary Nielsen said last week, 2 years ago the Russian
Government launched a brazen, multifaceted influence campaign
aimed at undermining public faith in our democratic process
generally and our election specifically. That campaign involved
cyber espionage, public disclosure of stolen data, cyber
intrusions into State and local voter registration systems,
online propaganda, and more. We cannot let it happen again, and
that is why DHS has adopted an aggressive posture for helping
to defend our election infrastructure.
    We are leading the interagency effort to provide voluntary
assistance to State and local officials but, more importantly,
to help them understand the risk and ensure that when the
government has information of value to them that we get it to
them.
    We will continue to coordinate and collaborate and support
State and local officials during the 2018 elections. But cyber
actors can come from anywhere, internationally or within the
borders, and we are committed to ensuring a coordinated
response from DHS to plan for, prepare, and mitigate risk to
election infrastructure.
    Thank you, and I look forward to your questions regarding
our efforts to enhance the Nation's cybersecurity.
    Chairman Johnson. Thank you, Ms. Manfra.
    Our next witness is Greg Wilshusen. Mr. Wilshusen currently
serves as Director of Information Security Issues at the U.S.
Government Accountability Office (GAO). Mr. Wilshusen.

  TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION
     SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Johnson, Ranking Member McCaskill,
and Members of the Committee, thank you for the opportunity to
testify at today's hearing. At your request I will discuss our
work related to Federal programs implemented by DHS that are
intended to improve the cybersecurity of networks and systems
supporting Federal operations and our Nation's critical
infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wilshusen appears in the Appendix
on page 64.
---------------------------------------------------------------------------
    Before I do, if I may, I would like to recognize several
members of my team who were instrumental in preparing my
statement and the work underpinning it. With me today are Tammi
Kalugdan and Di'Mond Spencer, who are seated right behind me.
In addition, Larry Crosland, David Plocher, Kush Malhotra, and
Priscilla Smith also made key contributions.
    Mr. Chairman, Ranking Member McCaskill, consistent with the
statutory authorities, DHS has made important progress
implementing programs and activities that are intended to
protect Federal and private sector networks and systems. For
example, the Department has provided limited intrusion
detection and prevention capabilities to entities across the
Federal Government.
It has also issued cybersecurity-related
binding operational directives to Federal agencies, has served
as the Federal-civilian interface for sharing cybersecurity-
related information with Federal and non-Federal entities, and
promoted the use of the National Institute of Standards and
Technology (NIST) Framework for Improving Critical
Infrastructure Cybersecurity, and partially assessed its
cybersecurity workforce. However, DHS needs to take additional
actions to assure that it successfully mitigates cybersecurity
risk.
    First, DHS needs to enhance the capabilities of the
National Cybersecurity Protection System (NCPS). In 2016, we
reported that NCPS had provided the Department with only a
limited ability to detect and prevent potentially malicious
activity entering and exiting computer networks of Federal
agencies. DHS also had not developed much of the planned
functionality of the system's information-sharing capability.
    Second, DHS needs to evaluate the activities of the
National Cybersecurity and Communications Integration Center
(NCCIC) more completely. In 2017, we reported that the extent
to which NCCIC had performed its required functions in
accordance with statutorily defined implementing procedures was
unclear because the center had not established metrics and
methods for which to evaluate its performance.
    We also identified several impediments to the center
performing its functions more efficiently, such as the lack of
a centralized system for tracking security incidents and not
maintaining current contact information for all owners and
operators of the most critical cyber-dependent infrastructure
assets.
    A third activity is that DHS needs to better measure the
effectiveness of its cyber risk mitigation activities with
private sector partners.
In fiscal years (FY) 2016 and 2018, we
reported that in its role as the lead or co-lead Federal agency
for collaborating with partners in 10 critical infrastructure
sectors, DHS had not developed metrics to measure and report on
the effectiveness of its cyber risk mitigation activities,
including activities promoting and assessing private sector
adoption of the NIST Cybersecurity Framework or on the
cybersecurity posture of those sectors.
    Fourth, DHS needs to identify all of its cybersecurity
workforce positions and critical skill requirements. In 2018,
we reported that the Department had taken steps to assess its
cybersecurity workforce; however, it had not identified all of
its positions or its critical skill requirements.
    Since fiscal year 2016, we have made 29 recommendations to
DHS to enhance the capabilities of NCPS, establish metrics and
methods for evaluating its performance, and fully assess its
cybersecurity workforce, among other things. The Department
generally concurred with these recommendations. As of this
month, most of the recommendations remain open, and we are
working with DHS to close the recommendations as they are
implemented.
    Chairman Johnson, Ranking Member McCaskill, this concludes
my opening statement. I would be happy to answer your
questions.
    Chairman Johnson. Thank you.
    Our final witness is Eric Rosenbach. Mr. Rosenbach is the
co-director at Harvard University's Belfer Center for Science
and International Affairs. Mr. Rosenbach also previously served
as the Deputy Assistant Secretary of Defense for Cyber Policy.
Mr. Rosenbach.

  TESTIMONY OF THE HONORABLE ERIC ROSENBACH,\1\ CO-DIRECTOR,
 BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, JOHN F.
        KENNEDY SCHOOL OF GOVERNMENT, HARVARD UNIVERSITY

    Mr. Rosenbach. Chairman Johnson, Ranking Member McCaskill,
other distinguished Members, thank you for calling today's
hearing on mitigating America's cyber risk and for the
invitation to testify. Thank you also to your hardworking staff
who do everything to put a hearing like this together.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Rosenbach appears in the Appendix
on page 85.
---------------------------------------------------------------------------
    Just for a moment, imagine you are watching a science
fiction thriller about war in the information age. During the
opening scenes of this movie, sophisticated ransomware shuts
down the government of a major city for more than a week. A
different type of weaponized ransomware, previously deployed by
North Korean cyber operators, hits the aircraft production
lines at a major aerospace company. Later, the Department of
Homeland Security reveals that Russian cyber operatives have
compromised important aspects of the Internet's routing
infrastructure, and as the plot thickens in this movie, the
intelligence community confirms that Russian military
intelligence operatives have placed the same malware they used
to take down the Ukrainian power grid twice throughout the
energy infrastructure in the United States. As the candidates
in this movie approach their midterm elections, all of the
actors playing experts agree that the risk of Russian cyber and
information attacks against election systems is imminent.
    Sitting in the movie theater watching all this unfold, you
would probably scream to yourself, ``Why are they just sitting
there watching all of this happen?'' But as you know, all those
events are real, and they happened within the last several
weeks.
    Against this stark reality, America must come together to
build real capability and take real actions to address these
threats.
This hearing and the Committee's framing of the
problem we face as one of managing cyber risk is important. We
will not eliminate cyber threats to America, but we can
mitigate them. To manage cyber risk, the government must lead a
whole-of-nation effort in three specific areas: first, to
bolster our domestic capabilities for defense; second, to
develop precise and legal offensive cyber capabilities to
disrupt cyber and information attacks at their source; and,
finally, adopt a clear, public deterrence posture.
    For the purposes of my oral statement, I will just hit on
some of the key aspects of that first area.
    Cyber risk affects all corners of our economy and society.
Congress can do more to incentivize the private sector to act.
In particular, Congress should: mandate that critical
infrastructure providers adopt the NIST Cybersecurity
Framework; establish baseline standards for the manufacturers
and distributors of the ``Internet of things (IOT),'' and these
devices include things such as home routers, security systems,
and thermostats, all of those IOT devices; and, very
importantly, ensure that online platforms--primarily Facebook
and Twitter--are not used as the tools for foreign adversary
information operations.
    Organizations outside government must also play a role in
protecting the Nation from cyber attack. The Defending Digital
Democracy Project that I co-lead up at Belfer Center at the
Harvard Kennedy School, along with Robby Mook and Matt Rhoades,
works very closely with States to improve their ability to
mitigate cyber risk to our election systems. It is clear from
our work with the States that they take this risk very
seriously.
But the States simply are not equipped to face the \npointy end of the spear of cyber attacks from nation-state \nadversaries who are spending billions of dollars and dedicating \nthousands of cyber operators to advance their national \ninterests.\n    Our research and work also found that under the leadership \nof Secretary Nielsen, Under Secretary Krebs, and Assistant \nSecretary Manfra, DHS has improved support to the States. We \nalso saw that the Department\'s efforts to provide real \ncapability are important. Cybersecurity scans and risk \nassessments to the States have been very productive to help \nmitigate risk, and Congress should continue to support these.\n    Furthermore, Congress should support the development of a \nDHS cybersecurity capability and provide robust resources and \nauthorities for an operationally focused cybersecurity agency. \nThis is more than bureaucratic box-shuffling. The Nation needs \nan expert-level organization that provides critical \ninfrastructure operators with the support that could make a \nreal difference in mitigating the risk of foreign cyber attack.\n    When it comes down to protecting elections and critical \ninfrastructure, State governments should also look very closely \nat strengthening the role that the National Guard and State-run \nfusion centers play in election-related threat information \nsharing. This potent combination will provide an important hub \nfor sharing threat intelligence and cybersecurity capability.\n    Thank you again for the opportunity to testify. I submit my \nformal testimony for the record and look forward to answering \nany questions you have.\n    Chairman Johnson. Thank you, Mr. Rosenbach. I will defer my \nquestioning until the very end to be respectful of Members\' \ntime. I will go to Senator McCaskill.\n    Senator McCaskill. Great. Let me start with the 21 States. 
\nAssistant Secretary Manfra, you testified before the Senate \nIntelligence Committee that 21 States were affected by Russia\'s \ncyber activity. But my understanding is that number only \nreflects the States where there were censors or tools in place \nto capture the Russian activity. Is that correct?\n    Ms. Manfra. Yes, the 21 States references the visibility \nthat we had, whether that was the intelligence community or the \ncensors of Russian targeting of State infrastructure related to \nelections.\n    Senator McCaskill. But have we checked with the remaining \nStates to determine whether they had tools in place that would \nhave captured that activity?\n    Ms. Manfra. Many of the States did have some capability \nthat could have captured it.\n    Senator McCaskill. How many?\n    Ms. Manfra. I do not know off the top of my head, ma\'am.\n    Senator McCaskill. That would be something we would want to \nknow, because I think the American people have been misled \nhere, because it is my understanding that a number of the \nStates do not have the tools to capture that activity, so we \nreally have no idea how many States Russia tried to hack.\n    Ms. Manfra. That is correct, ma\'am, and I think we can \nassume that the majority of States were probably a target. What \nwe have is the visibility that we had at the time. What I can \nalso say is that we have many more States now who are moving \ntheir systems behind those censors that we have deployed via \nthe Multi-State Information Sharing and Analysis Center (MS-\nISAC), so we are increasing our visibility.\n    Senator McCaskill. I think the thing that I did not realize \nuntil I began really understanding what happened is the \nimpression that was given at the time is that we had knowledge \nthat 21 States were hacked, and the assumption was that the \nremaining States were not hacked. But, in fact, that is an \nincorrect assumption.\n    Ms. Manfra. 
Twenty-one States were not hacked, ma\'am.\n    Senator McCaskill. There was an attempt to target 21 States \nthat we know of by Russia in terms of their voter registration \nsystems.\n    Ms. Manfra. There was targeting via scanning, which is a \ncommon activity on the Internet. The reason we are concerned is \nbecause of where it was coming from, and the actual attempts to \nget into systems which was a much smaller number. But, yes, \nma\'am, you are correct. We only had the visibility that we had, \nand I believe I have been clear about that as I have discussed \nit. But, yes, how the media reports it I cannot control.\n    Senator McCaskill. I sympathize with you there. We cannot \ncontrol how it gets reported. But I want to make clear today on \nthe record that it is likely that all 50 States were likely \naffected and that States that were not on that list were less \nvulnerable. But that is simply not true. States that were not \non that list, in fact, might be more vulnerable.\n    Ms. Manfra. I would not necessarily make a connection \nbetween vulnerability in the States as to whether they were \ntargeted. Every organization is scanned a lot, sometimes \nthousands of times a day. What we were trying to differentiate \nbetween is what we saw, very concerning activity from known \nsuspicious servers in this case that, as far as the visibility \nwe had, and they were targeting to look for vulnerabilities. \nMost of the States that we had visibility into did block it.\n    Your overall point is correct, ma\'am. I just do not want to \nmake this----\n    Senator McCaskill. Yes, I just think we all kind of go, OK, \n21 States, they were not successful, OK, good, not a problem, \nwhen in reality I think the more accurate pronouncement would \nhave been probably tried all the States, these were the States \nwe could see they were trying.\n    Ms. Manfra. That is correct. 
Fact-based, 21 States, but we \ncan absolutely make the assumption that more would have been \ntargeted.\n    Senator McCaskill. OK. How many people does DHS have \nworking full-time focused on election security and election \ninfrastructure?\n    Ms. Manfra. Ma\'am, I will have to come back to you with the \nexact number, but the Election Task Force comprises about 10 to \n15 people.\n    Senator McCaskill. They do this full-time, nothing else?\n    Ms. Manfra. The majority of them are doing this full-time, \nand then we have it prioritized for all the other teams \nthroughout my thousand-person organization.\n    Senator McCaskill. OK. I would like the number of how many \npeople are working full-time on election security and \ninfrastructure security. Is it someone\'s job to just focus on \nelection security?\n    Ms. Manfra. Yes, Senator. We have a senior person who has \nbeen working in my organization for a long time. His job 100 \npercent of the time is running the Election Task Force.\n    Senator McCaskill. OK. Seventeen States have requested risk \nassessment?\n    Ms. Manfra. Yes, ma\'am.\n    Senator McCaskill. Can you give us insight as to why States \nare declining the assistance?\n    Ms. Manfra. It varies. Many of the States we talk to \nalready have this type of service from the private sector, \nwhich we enthusiastically endorse. These are services that are \nprovided by the market.\n    Senator McCaskill. They are paying for that?\n    Ms. Manfra. Yes.\n    Senator McCaskill. Yours is free?\n    Ms. Manfra. Yes, ma\'am.\n    Senator McCaskill. You will not tell me whether my State is \none of those?\n    Ms. Manfra. Missouri is working with us. I would have to \ndirect you to Missouri for more details on what they are doing.\n    Senator McCaskill. At DHS\' request Congress included $26 \nmillion for the Department\'s election work in the omnibus. Mr. 
\nRosenbach, you are an outside observer of the work DHS has been \ndoing, and you have been visiting election officials throughout \nthe country. Every time I ask DHS if they need more resources, \nthey have to say they are doing their work with the resources \nthey have.\n    As an outside observer, do you think we need to scale up \nthe DHS efforts? Or is it right-sized?\n    Mr. Rosenbach. Yes, ma\'am, it is always easier when you are \non the outside to answer money questions, but I would say I am \nsure that Secretary Manfra would benefit from additional \nresources, both financial and personnel. Making sure that they \nare good and capable is always a challenge. But this is one of \nthe most important national security issues facing the country \nright now. Twenty-six million dollars is not very much money in \nthe----\n    Senator McCaskill. It is not very much money. How many \npeople are waiting right now for an assessment that have not \nbeen able to get it yet? How many States, I should say?\n    Ms. Manfra. Nobody in the election community is waiting for \nan assessment. Because we prioritized them, we now have a \nsignificant backlog in other critical infrastructure sectors in \nFederal agencies, but nobody in the election community is \nwaiting.\n    Senator McCaskill. If someone decided tomorrow that they \nwanted to get this done, you would be able to accommodate that \nprior to the elections beginning later this year?\n    Ms. Manfra. Yes, ma\'am.\n    Senator McCaskill. OK. Thank you, Mr. Chairman.\n    Chairman Johnson. Thank you, Senator McCaskill.\n    I am going to take just a couple of minutes to make a point \nand also ask a question. I was in the September 2016 briefing. \nSenator Carper was there. Ms. Manfra, you were there. 
We were \nbriefed about Russian attempts in the election, and it was \nSecretary Jeh Johnson, it was FBI Director James Comey, and \nLisa Monaco, a member of the Obama Administration.\n    The thrust of that briefing, without providing any \nclassified information, was Russia has attempted this, they \nhave attempted to hack into voter files, but the Administration \nhas this under control, they are in contact with the States, \nand the main message we want you as Members of Congress, \nbecause it is so important in terms of the stability of our \ndemocracy to let the public know that we have this covered, and \nthat the election in November will be legitimate.\n    First of all, is that pretty much an accurate description, \nMs. Manfra, of what we were being told as Members in that \nbriefing?\n    Ms. Manfra. Yes, sir, my recollection was that the \nleadership laid out the risk as they saw it, the intelligence \nas we saw it, but that is a fair conclusion.\n    Chairman Johnson. From my own standpoint, because I heard \nthat they were trying to access voter files, I was not willing \nto make that statement publicly, but I told the briefers that I \nam not going to dispute if you go out there and talk about \nthat, because I think there are plenty of controls, a number of \nthings that we can look to indicators in terms of whether \nvoting tallies or an election have actually been affected in \nsome way, shape, or form.\n    This is a serious issue, no doubt about it, but I think we \nalso have to be very careful not to blow it out of proportion. \nWhen I am looking at the problems with cybersecurity, I am far \nmore concerned about attacks into our electrical grid or into \nour financial system. They could be unbelievably disruptive, \nand there may not be controls.\n    We may be playing into Russia\'s hands, quite honestly. They \nare achieving exactly what they wanted to achieve, to all of a \nsudden call into question the legitimacy of the election. 
We \nhave no control over these things, and this is an enormous \nproblem that threatens our democracy. I just do not think that \nis the case. I think we need to take this issue seriously. We \nneed to push back. We have obviously imposed sanctions on \nRussia, but we need to keep all these things in perspective and \nreally focus on, in terms of DHS\' time, you always have to \nprioritize things, the things that could really bring down this \ncountry. That from my standpoint is the other aspect of our \ncritical infrastructure.\n    That is my statement and my questions. Senator Hassan.\n\n              OPENING STATEMENT OF SENATOR HASSAN\n\n    Senator Hassan. Thank you very much, and I thank Senator \nPeters for deferring to me. I have a vote at 10:45. We have \nworked it out with collaboration.\n    Chairman Johnson. You guys are moving all over on me.\n    Senator Hassan. First of all, welcome to the panel, and as \nalways, I am sorry that we are all in and out at multiple \ncommittee hearings.\n    I wanted to start with a question to you, Ms. Manfra, \nbecause I am very concerned about election security. I do think \nit is the bedrock of our democracy, and I think we have to take \nit incredibly seriously. As you know, the 2018 election cycle \nis well underway. Six States have held their primaries, and \ndozens more will do so in the next couple of weeks.\n    To this point, has DHS detected any cyber activity \ntargeting election infrastructure by Russia or any other actors \nduring this election season?\n    Ms. Manfra. We have not at this time, ma\'am.\n    Senator Hassan. Thank you. Last week, when Secretary \nNielsen was asked whether she had confidence in U.S. election \nsecurity, she did not provide the assurances that many of us \nwanted or, frankly, expected to hear from her. Do you have \nconfidence in the security of our Nation\'s election systems? If \nnot, then why?\n    Ms. Manfra. 
If I may, because I was there when Secretary \nNielsen was speaking, what she was trying to convey and what I \nbelieve she did convey, which is the same sentiment that I \nhave, is we do not have perfect visibility into every State and \nlocal system. What we have confidence in is that DHS is doing \neverything that we can, that the government is doing everything \nwe can, and that we have greater visibility than we did in \n2016. Not to parse words, ma\'am, but to be clear, in no sector \nwould I ever say I have complete confidence that nothing will \never happen, because that would be a foolhardy statement, I \nbelieve.\n    Senator Hassan. Thank you for that clarification. I would \nencourage DHS, as many of us have been, to continue to reach \nout to the States. The States obviously have their own \nobligations and constitutional responsibilities, and I think \nintense collaboration is called for every single day as \nvigilantly and constantly as possible. I thank you for your \nefforts, and I look forward to hearing and seeing more of the \nresults from those efforts.\n    I also had a question, Mr. Rosenbach, for you. It is nice \nto see you again. Last year, you testified before the Commerce \nCommittee on emerging cyber technologies. I serve on that \nCommittee, and we discussed the need to secure the Internet of \nthings at the hearing. You emphasized that the government needs \nto lead the effort to secure the Internet of things, and I see \nin your testimony today that you argue for the establishment of \nbaseline security standards for the manufacturers and \ndistributors of these Internet-connected devices.\n    Given these positions, I want to draw your attention to a \nbill which I was an early cosponsor of, the Internet of Things \nCybersecurity Improvement Act, which was introduced by Senate \nIntelligence Committee Ranking Member Mark Warner. 
This bill \nrequires that when the Federal Government purchases an \nInternet-connected device for government use, the devices must \nadhere to specific minimum cybersecurity standards as \nestablished by the National Institute of Standards and \nTechnology. According to one report, the Federal Government \npurchases more than $8 billion worth of Internet-connected \ndevices each year.\n    The idea behind this bill is that the Federal Government as \na major purchaser of Internet-connected devices will lead the \nway on Internet of things security and will push the consumer \nmarket to step up its security efforts as well.\n    Mr. Rosenbach, given your advocacy for minimum standards \nfor Internet of things security, what is your opinion of the \napproach in Senator Warner\'s bill as a first step toward \nachieving the goals you laid out?\n    Mr. Rosenbach. Thank you, Senator. I have looked at the \nbill, and I am a very strong believer in improving the security \nof the Internet of things. I think you always need to be \ncareful about a regulatory approach, but from my professional \nperspective, many of the things that you lay out in that bill I \nthink are very strong, and we need to do something in this \nspace given the tremendous growth of devices that are connected \nto the Internet. Having government use its contracting leverage \nI think is a good place to start.\n    Senator Hassan. Thank you very much. I appreciate that. I \nwill submit my other questions for the record.\n    Thank you again, Mr. Chair, and Senator Peters for your \ndeference.\n    Chairman Johnson. Senator Peters.\n\n              OPENING STATEMENT OF SENATOR PETERS\n\n    Senator Peters. Thank you, Mr. Chairman. And thank you to \nthe witnesses for your testimony here today.\n    Well, obviously, as we have been having this discussion \nabout elections and with local governments, I think it leads to \nthe question that I have for you. 
With the creation of and \nsupport of processes to ensure coordination between the Federal \nentities and State authorities during cyber events, it is \ncertainly essential that we have effective responses. So my \nquestion, Ms. Manfra, is: How exactly is the DHS promoting \nalignment of State cybersecurity plans with the National Cyber \nIncident Response Plan? And are there barriers to encouraging \nStates or incentivizing States to align these plans?\n    Ms. Manfra. Thank you, sir. Great question. We have been \nworking with States for some time, though I have been stepping \nup those efforts not just for elections but just in general, of \nhow States protect personally identifiable information (PII) \nthat they have access to, which is a tremendous amount of data \nthat is stored on their networks. We are leveraging a lot of \nthe work that we have done on public safety communications \naround trying to address interoperability challenges to how we \nmight address some of the cybersecurity and having the planning \nphase be very collaborative and tailored to the State. Every \nState is very different, whether they have a centralized \nnetwork approach or not. We are working with the National \nGovernors Association, policy academies, and we have technical \nassistance capabilities where we can help States organize \nthemselves and develop a plan.\n    Then there are a few kind of outstanding questions, I would \nsay. We are working with the Federal Emergency Management \nAgency (FEMA) and the States to think about, from a cyber \nperspective, what fits in existing emergency management \nframeworks where we already have a well-defined process for how \na Governor, National Guard, or other organizations that we \ntraditionally use as a physical incident, if you will, goes \nfrom local to more significant. 
I believe that we want to \nleverage that as much as possible, but there are certain \nscenarios where it is less clear about what is the Governor\'s \nrole in a certain situation. Is it because the company is \nheadquartered there, for example? But if it is a multinational \ncompany, what does that look like?\n    There are still some outstanding questions, and I believe \nthe States have rightly been pushing to have some of these \nquestions answered so it is clear on what the expectations are, \nif that answers your question.\n    Senator Peters. It does, and you bring up FEMA. That \nactually leads to my next question here. According to a 2017 \nNational Preparedness Report, while States and territories \ncontinue to indicate that cybersecurity is a high priority, \nmost actually rate themselves as lacking proficiency in it than \nany other core capability. In the past DHS and FEMA have used \npreparedness grants to drive action toward agreed-upon \ndeficiencies or priorities, as you know. Despite being an \nallowable expense under a number of preparedness grant \nprograms, spending on cybersecurity-related activity is just a \nfraction of that spent on other capabilities, even though they \nrank it so lowly.\n    My question is: Has there been any consideration with DHS \nto change grant guidance or selection criteria for any existing \nState and local preparedness grant programs to push State and \nlocal governments to spend money to address what is an admitted \nlack of proficiency in cybersecurity?\n    Ms. Manfra. First, I will speak to the grants question, and \nthen to some other areas where we are working to shore up some \nof their gaps. I have been working very closely with FEMA, \nthough they are not the only grants that can be leveraged for \ncybersecurity purposes. We are working broadly within the \nFederal grant community, but more specifically with FEMA, how \ncan we provide more specific guidance on what we would like to \nsee States buy. 
Cybersecurity is very broad, sometimes \noverwhelming, and for organizations to try to figure out how to \nprioritize their limited resources, they are trying to provide \nmore discrete guidance, working with State and local officials, \nworking with grants administrators to figure out first why are \nthey not using more grant money for this gap and what more \nspecific guidance.\n    The other area that is a challenge is personnel, and our \nScholarship for Service Program, which I think has not been as \nwidely known as it should be--it is called the ``CyberCorps: \nScholarship for Service,\'\' us, the NSA, work with the National \nScience Foundation to fund scholarships, 2-, 4-, and plus-year \nscholarships. The only requirement is that they serve in a \ngovernment agency, meaning State and local governments can \nbenefit from these students coming out of these programs. The \ngovernment has already paid for the scholarships, and the State \nand local agencies can benefit.\n    While I want these personnel as well, because I have just \nas many challenges, we are working with the States to make sure \nthey are aware of it and have access to these personnel coming \nout of these programs.\n    Senator Peters. You raise the issue of personnel, and that \nleads to my final question. I want to touch briefly on an \neffort that I am working on with my colleague Senator Hoeven, \nand I hope the Committee will take up a bill in our next \nmarkup, which is Senate bill 2620, the Federal Cybersecurity \nJoint Duty Program, which assists the Federal Government in \ndeveloping an integrated cybersecurity workforce and allows \nrotation, similarly in the intelligence community as well as in \nthe defense community. All of the witnesses could respond, if \nyou would. In your opinion, would a joint duty program that \nprovides rotational opportunities to cybersecurity employees be \nbeneficial to both cyber employees as well as the Federal \nGovernment as a whole? 
We can start at this end.\n    Mr. Rosenbach. Yes, sir, I think this is a great idea. \nHaving worked in the Department of Defense the last 8 years, it \nwould be really important for U.S. Cyber Command (CYBERCOM) \npeople to be able to go help out DHS, learn from DHS as well, \nalong with some of the other agencies. It sounds like a great \nidea.\n    Senator Peters. Great. Thank you.\n    Mr. Wilshusen. I would agree. Anytime you can bring in new, \nfresh ideas and gain greater perspective on how to secure \nsystems, it is going to be a benefit to all.\n    Senator Peters. Great. Thank you.\n    Ms. Manfra. Sir, I look forward to working on the specifics \nof the bill, but generally, we are trying to think differently \nabout the Federal cyber workforce. We cannot meet the demands \nin the current model, and I absolutely think being able to \nrotate personnel through agencies under sort of DHS\' oversight, \nif you will, is something that we would be very willing to \ncontinue talking to you about.\n    Senator Peters. In the remaining time, I have this \nquestion. This could also help with hiring and retention. We \nfind that job satisfaction goes up when folks are able to \nrotate, see other parts of the whole government. Would you \nagree, in the 5 seconds remaining, the three of you?\n    Ms. Manfra. I would agree, and I believe it would also \nbring more consistency to the level of training, which is \nsomething that we are also looking to improve.\n    Senator Peters. Great.\n    Mr. Wilshusen. I would also agree with that. We have a \nsimilar program, internal to GAO, in terms of rotating auditors \namong different audit groups, and it helps significantly.\n    Senator Peters. Great.\n    Mr. Rosenbach. Sir, anytime you can tell a cyber expert \nthat they can go to NSA or CYBERCOM and legally hack the \nIranian, North Koreans, or Russians for several years, they are \ngoing to stay in the government.\n    Senator Peters. Great. 
I am out of time, but I appreciate \nyour answers. Thank you.\n    Chairman Johnson. Let me just quickly follow up. Is a piece \nof legislation required, or would you have the authority right \nnow to do those rotations?\n    Ms. Manfra. I am not a lawyer, nor a personnel expert, so \nwe would have to check on that, sir. I know that we have the \nability to do interagency rotations, which we have been \nexploring, but we can get back to you on the specifics of \nwhether we----\n    Chairman Johnson. Maybe GAO would have some indication of \nthat.\n    Mr. Wilshusen. Actually, I do not sir, but I can get back \nto you on that.\n    Chairman Johnson. OK.\n    Mr. Rosenbach. Sir, all I know is during the 7-years I was \nin DOD, it was very rare to see something like that happen.\n    Chairman Johnson. Never happened?\n    Mr. Rosenbach. Maybe authorities, maybe strong leadership, \nbut something to facilitate it would be helpful.\n    Senator Peters. My understanding is that it does require \nlegislation to be able to move between these agencies, and so \nthat is why----\n    Chairman Johnson. OK. We will work with you on that.\n    Senator Peters. Great.\n    Chairman Johnson. Thanks. Senator Lankford.\n\n             OPENING STATEMENT OF SENATOR LANKFORD\n\n    Senator Lankford. Thank you, Mr. Chairman. Thank you all \nfor being here as well. Let me talk through a couple of things.\n    Ms. Manfra, tell me about lessons learned on Kaspersky. We \nhad a long conversation about supply chain. DHS has this \nresponsibility to be able to help work with GSA and whoever it \nmight be to be able to help get products out there and to be \nable to manage them. Then once we find out we have a product \nthat has a problem, trying to be able to get it back out. Let \nus talk big picture. What are the lessons learned so far on \nthat, including the status? Is every agency clean of Kaspersky \nLab\'s products at this point? What have we learned from it?\n    Ms. Manfra. 
I will answer the second first. Yes, 100 \npercent of agencies are in compliance with the BOD.\n    Lessons learned? I guess I will come from me personally in \nour organization. Maybe others in the government already knew \nsome of these, but lessons learned I would say is that we need \nto modernize how the government thinks about third-party risk, \nand procurement officials having access to information that is \nnecessary for them to make appropriate risk decisions; mission \nowners, network owners, and system owners thinking about supply \nchain risk and having guidance and better connecting our \nintelligence community with the acquisition community. Those \nare some of the high-level lessons, and we are implementing \nbased on that.\n    Senator Lankford. Who provides that guidance to them? Is \nthat something each agency is responsible for or DHS is \nresponsible for getting that to the agencies, then they get it \ndown? How does that work?\n    Ms. Manfra. The Office of Management and Budget (OMB) is \nresponsible for overall acquisition guidance and the \nregulations around it, and then there are statutes, of course, \nthat govern it. I believe DHS has a responsibility to provide \nthat risk picture for government, either agencies individually \nor as an enterprise. We have been working very closely with OMB \nand other organizations on how do we improve that guidance and \nhow do we ensure that DHS has a strong role in that process.\n    Senator Lankford. How does this become an issue where DHS \nis going to help us with supply chain without everyone having \nto play ``Mother, May I?\'\' with your office every time they \nwant to get a new printer to say, hey, this printer has this \nnew Internet of things connection to it, and it has something \nelse additional, we want to be able to get this, and suddenly \nyou have to do a check. How are we developing standards and \ncommunicating that down rather than having to check each item?\n    Ms. Manfra. 
At a highest level, the government needs to \nhave a framework for how we think about supply chain risk, not \njust for the government but also so the private sector can \nunderstand how we think about supply chain risk, and we are \nworking on that. Then it is about if there are hurdles that are \npreventing us from achieving some of these, whether that is \nthrough policy or regulation or statute, then we need to figure \nout what those are and remove those obstacles, which are also \nworking through that process. It is quite complicated, as you \nmay know, the acquisition process.\n    The last piece is providing more guidance. These are the \ntypes of things that you should ask. This is how you should run \nyour contracting process. These are the types of terms that you \nshould put in your contracts if you are procuring a product or \na service. Our plan is only for a very limited set, what we \nwould call the ``high-value assets,\'\' who will actually go \nthrough a more thorough process where we would actually review \na more thorough supply chain due diligence, if you will, not \nevery single system in the government.\n    Senator Lankford. But many of the systems are connected to \nus.\n    Ms. Manfra. Yes.\n    Senator Lankford. They become vulnerability points, whether \nthat be a new thermostat that they install that is connected, \nor whether that be a new refrigerator they put in that has \nsomething to be able to connect to the WiFi on it, or the Coke \nmachine that is down the hall.\n    Ms. Manfra. Right.\n    Senator Lankford. All these things have vulnerabilities. \nWhat is the process of helping agencies understand when you add \nsomething that has Internet of things on it, you are adding a \nvulnerability to your system once you connect it to your main \ncommunication?\n    Ms. Manfra. Getting in the Internet of things, I think that \nis--and Eric Rosenbach mentioned this as well. 
I believe that \nwe need more industry-driven standards for Internet of things \ndiversity. If you look back at, say, Energy Star, which we have \ndone some research on that, first, you had to have this kind of \nindustry-driven standard, and then the government using its \nprocurement authority to mandate, OK, we are only going to buy \nEnergy Star products. Right now that does not really exist in \nthe Internet of things, so it would have to be guidance of--\nagain, it would go back to a higher-level framework. Where is \nthis produced? Do you have insight into the code where it came \nfrom? Do you understand where it was manufactured? Which right \nnow is hard.\n    Senator Lankford. Can the password be changed?\n    Ms. Manfra. Can the password be changed? Right now that is \nquite cumbersome for agencies, but at the moment that is all we \nhave, so that is the type of guidance we will be putting out.\n    Senator Lankford. OK. That is one we will look forward to \njust following up on to be able to see where that goes, because \nthis is going to quickly accelerate in a hurry. The more \nproducts we have out there that the password cannot be changed \nand updated, we have a default access point into our systems.\n    Tell me about this wonderful new Cybersecurity and \nInfrastructure Security Agency. Why do we need to stand up a \nnew agency? What is it that you are seeing that would say we \ncannot do it under existing structures, we are going to need a \nwhole new structure to be able to accomplish that?\n    Ms. Manfra. 
What we are looking at doing is transitioning \nthe National Protection and Programs Directorate, which is \ncurrently a headquarters agency, and we do not have to go into \nthe details, but there is actually administrative reasons why \nit would benefit the Department to stand us up as an \noperational agency.\n    There is some minor restructuring that we would like to do, \nbut the biggest thing that we are asking for is the change in \nthe name, which does require an act of Congress to do that. I \nknow it is hard sometimes maybe for people to understand why \nthis is so important, but it is very hard to go out and try to \nmarket our organization, which is purely dependent upon \nvoluntary partnerships and critical infrastructure with a name \nlike the ``National Protection and Programs Directorate.\'\' It \nis also a morale issue for our workforce. They do not have a \nname that sort of reflects what they do.\n    Senator Lankford. Is this an increase in staffing? Is this \ncombining other offices? Or is it just switching that one \noffice and switching the name and some of the placement of it? \nWhat else will you need?\n    Ms. Manfra. What we are asking for does not increase staff \nor resources in this legislation. We are asking for just the \nname change and the authority to make some restructuring, just \nto make us more efficient internally.\n    Senator Lankford. OK. Thank you.\n    Mr. Wilshusen. Senator Lankford, if I could also just add a \ncomment. GAO went through a similar name change back in the \nyear 2000. Our previous name was ``General Accounting Office,\'\' \nand I can personally speak to the fact that when I went out on \nrecruiting efforts and trips, people would see ``General \nAccounting Office\'\' and just keep walking by. I would have to \ngo out from behind my booth and tell them, ``No. 
We do much \nmore than that.\'\' It really does have an impact if your name \nreflects your mission, and it creates esprit de corps as well \nas helping to generate interest in your work.\n    Senator Lankford. That is great. Thank you.\n    Chairman Johnson. I cannot imagine anybody walking by \nsomething dealing with accounting, but---- [Laughter.] Senator \nHarris.\n\n              OPENING STATEMENT OF SENATOR HARRIS\n\n    Senator Harris. Thank you.\n    Mr. Rosenbach, as you know, Congress recently added $380 \nmillion to the omnibus to upgrade States\' election technology. \nAs I think you know, the omnibus allocates and prioritizes the \nmoney going to States based on the population of the State \nversus the need the State has to actually upgrade its \ntechnology. As you know, we have the Secure Elections Act. \nSenator Lankford and I and some of our colleagues are working \non that to provide some standards for States on how they are \ngoing to actually be equipped to meet the challenges that we \nnow know we face.\n    What are your thoughts about whether or not we should be \nprioritizing the funding to States and how those priorities \nshould be outlined in a way that actually will achieve the \ngoal, which is that all States will have secure elections?\n    Mr. Rosenbach. Thank you, ma\'am. An interesting story for \nyou is we were holding a national-level tabletop exercise with \n39 States up at Harvard the day the States were getting the \nnews about how much money they would receive, and so they found \nout, they were happy. But they were unsure even with those \nState election officials how to best spend the money.\n    Senator Harris. Right.\n    Mr. Rosenbach. I think it establishes what your main point \nis. 
I would say that I think the Secure Elections Act is \nexcellent, it is bipartisan, it gives guidance on information \nsharing, a little bit of litigation protection, which is good, \nand a process for grant provisions, which goes on.\n    I think for the States, though, first of all, you would \nwant to be very careful about any strict Federal guidance about \nhow to spend it because it may be counterproductive in the \nrelationship that DHS in particular right now is building. They \nhave done a good job over the last year rebuilding trust with \nthe States, and their autonomy is important.\n    But I think there should be some general guidelines or a \nframework, maybe a NIST-like framework in which trusted parties \nwork with States to help them decide the best way to allocate \nthat money so that it has maximum effectiveness.\n    Senator Harris. As you can probably tell from my question, \nI am speaking against perhaps what would seem to be the better \ninterests of a large State, but I do know that being large \nshould not necessarily because the priority. The priority \nshould, I believe, be based on need as well.\n    Mr. Rosenbach. Yes, ma\'am.\n    Senator Harris. Looking at the priorities from that \nperspective. You do support that?\n    Mr. Rosenbach. Yes, ma\'am. I totally agree, and here is \nwhy: Some States are much better off when it comes to \nprotecting their election systems, and, remember, the Russians \nin particular do not have to attack every State. They will go \nto the weakest link. It does not have to be a prominent State \nor a battleground State. All they have to do is undermine trust \nin the system and confidence in the outcome, and that could be \nsomeplace that is very weak. We should try to address it from \nthat perspective rather than a thin smear everywhere.\n    Senator Harris. Well said. 
As we know, that was their goal, \nto undermine Americans\' confidence in their democracy.\n    Secretary Manfra, I saw you nodding your head. If you would \nlike to add anything to the comments?\n    Ms. Manfra. Yes, ma\'am. I would say--first of all, I just \nwant to thank you and Senator Lankford for your leadership on \nthe legislation, and I think that we like to take a risk-based \napproach to everything that we do. I do think population can be \na part of that risk-based approach, and we are working with the \nGovernment Coordinating Council (GCC), which is a name for the \ngroup of bipartisan representatives, Secretaries of State, as \nwell as local election officials and other election experts. We \nare working on some guidance that can assist in how they spend \nthat money. But I agree that a risk-based approach is usually a \ngood way to go for spending grant dollars.\n    Senator Harris. Thank you.\n    Mr. Rosenbach, what are your thoughts about what we need, \nif we need any more funding beyond that $380 million? Do you \nhave some thoughts about that?\n    Mr. Rosenbach. if you look back in history and the reason \nwhy there are vulnerabilities, the Help Americans Vote Act \nallocated money that brought about some of this technology, but \nthen the funding tail after that was dry. Remember, in \ncybersecurity, in all operations----\n    Senator Harris. Or just nonexistent.\n    Mr. Rosenbach. Right, it was dry. There was no follow. What \nwe do not want is one big bump of money now and then nothing in \nthe 5 years after that. Cybersecurity is about continually \nmitigating risk and patching, so you need some reliable funding \nstream so the States know that they can patch these systems, \nthat they have a pool of money to go to to keep it secure over \nthe long run.\n    Senator Harris. That is a great point because by the very \nnature of technology, we know that it is constantly evolving. 
\nThere is something that is very static about technology, which \nis that it is dynamic. It is constantly changing.\n    I want to talk with you about the Election Assistance \nCommission (EAC). Do you know if they have anyone working in-\nhouse who can provide technical expertise to inform their best \npractices, like a chief technologist? Do you know if they have \none? Because I am not clear about that.\n    Mr. Rosenbach. In our project at the Kennedy School, we \nhave been working really closely with EAC. Matt Masterson, when \nhe was there, was amazing to work with, and he is now at DHS, \nwhich I think is good for the country. They have some technical \nexpertise, but, that is not their strong suit. There would be \nadditional help needed there.\n    Senator Harris. In your opinion, would it be beneficial to \nnational security, to elections, and protecting that critical \ninfrastructure, that they would have a chief technologist \nposition there?\n    Mr. Rosenbach. A lot of elections nowadays revolve around \ntechnology in one way or another, so almost all organization \nnowadays have some type of chief technology officer. That makes \ngood sense to me.\n    Senator Harris. Do any of the other panelists have a \nthought about this?\n    Ms. Manfra. I would say I agree with Eric. Most \norganizations that deal with technology benefit from having a \nqualified chief technologist. The National Institute for \nStandards and Technology has long supported EAC in the \ndevelopment of the voluntary voting systems guidelines to \ninclude some of the technical--we have been assisting, but, \nyes, I would say it would benefit from that.\n    Senator Harris. Thank you.\n    Do you have any thoughts?\n    Mr. Wilshusen. I was just going to say that the EAC is \npresently updating the standards now. I think the guidelines, I \nshould say, are probably 10 or 15 years old. The EAC is \nreaching out to a number of different groups and experts as \nthey go through that. 
My understanding is that the EAC expects \nto issue those updated guidelines later this year.\n    Senator Harris. Hopefully, they also commit themselves to \nappointing and having a chief technologist.\n    I have just one final question, Mr. Chairman. When I was \nAttorney General (AG) of California, we had a law that now I \nbelieve all 50 States have which is basically a data breach \nnotification law, requiring, for example, corporations that \nexperience a data breach that affects more than 500 \nCalifornians, the case in California, that they had a \nresponsibility to report that data breach to the State \nDepartment of Justice, the Attorney General.\n    Do any of you know, because it is my understanding that \nthere is no such requirement for Federal agencies, that if they \nexperience a data breach they have a responsibility to report \nthat to another body so that the consumer--and that would be \nthe taxpayer--is aware that there has been such a data breach. \nFor the sake of brevity, do you think it would be a good idea \nto have such a law? You can just give me a yes or no answer. \nMr. Rosenbach.\n    Mr. Rosenbach. Yes, ma\'am. If you talk to private sector \npeople, they spend an immense amount of time of legal hours and \ncost trying to figure out the patchwork quilt of data breach \nnotification laws in the United States.\n    Senator Harris. OK. What is your thought?\n    Mr. Wilshusen. You mean for the Federal Government; to have \nFederal agencies report breaches?\n    Senator Harris. Correct.\n    Mr. Wilshusen. Agencies are supposed to be reporting to the \nU.S. Computer Emergency Readiness Team (US-CERT) when they have \nsecurity incidents, and if they have a major security breach, \nthey are also supposed to report to Congress under the Federal \nInformation Security Modernization Act of 2014.\n    Senator Harris. Do you believe that is happening?\n    Mr. Wilshusen. I think they are reporting incidents to \nUS-CERT. 
I do not know if they are reporting all of them, \nthough.\n    Senator Harris. Or if they are reporting to Congress.\n    Mr. Wilshusen. I think they reported like five or so. I \nthink the bar for reporting what is a significant or major \ninformation security incident can be pretty high, or at least \ninterpreted to be high.\n    Ms. Manfra. Yes, ma\'am, they are required to report to us \nas well as their oversight committees. I can say that the \nreporting has increased. We are also deploying more capability \nso we can independently see whether we have something. But the \nreporting has increased to the Department, and in many cases we \nhave worked with agencies on assisting with communications to \nCongress. I know that, at least in my perception, that is \nincreasing as a result of that. But, of course, there is \nalways--and the private sector has the same challenge. What is \na significant incident? Particularly if it is not clear, if it \nis not a data breach, for example, where you can count the \nnumber of PII that has been lost.\n    Senator Harris. Mr. Chairman, thank you. I appreciate the \ntime.\n    Chairman Johnson. While we are on the topic, in these \nprevious hearings I talked about the priority, what we had to \ndo, we had to do something. First was information sharing. Then \nit was data breach notification. I thought, well, that ought to \nbe a no-brainer. But, over the years, I have come to understand \nhow unbelievably complex that is.\n    While we are on the subject, Ms. Manfra, you can just talk \nabout it is difficult to define, you are not exactly sure if \nyou have been breached. Just talk about the complexity and why \nwe have not been able to come up with a national standard on \nthat to preempt all these State laws, which makes it very \ndifficult for anybody to comply.\n    Ms. Manfra. Absolutely. The patchwork of data breach \nnotification requirements by the States can be challenging. 
My \nexperience has been that it is more about the time, because you \ndo not always know right away how serious it is, and you do not \nalways know who is doing it to you, which has a big impact, and \nwhether you call this serious or not. It takes longer than most \npeople actually appreciate to understand the scope of the \nincident. It is the threshold we have worked with in the \ngovernment, we have created an incident severity scheme now \nthat has been used for a couple of years. I think people \ngenerally understand this is why something should rise to the \nlevel, and we do our best to brief Congress. But it really \ncomes down to that timing, as I understand it. What is the \nright amount of time to give a company or an agency to figure \nout what is really going on before they have to notify the \npublic, the victims, or Congress.\n    Chairman Johnson. Part of the problem, when you have been \nbreached, sometimes those malign actors are on your system for \nhundreds of days before you even notice, and then you have to \nstart doing the attribution. You have to do the forensics to \nfind out is there really a breach or is this just a computer \nbug or something else. Correct?\n    Ms. Manfra. Right.\n    Chairman Johnson. Senator Carper.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Let us talk some more about data breach. \nAbout 10 years ago, Roy Blunt and I introduced legislation on \ndata breach. I used the acronym PIN, spoke to how we needed to \ndo a better job protecting our sensitive information; second, \ninvestigate laying out expectations for an investigation to \nproceed; and, finally, notification. The idea of having 50 \nStates going their own way just made no sense to Senator Blunt \nor me. As it turns out, it made no sense to Senator Nelson, it \nmade no sense to Senator Feinstein, it made no sense to Senator \nThune and others as well. 
We ended up with four committees of \njurisdiction on data breach legislation, including this \nCommittee, Judiciary, Commerce, and Intelligence. We all have \nour different stakeholders and folks that are interested in \nwhat we are doing and considering. It has just been----\n    Chairman Johnson. Not a recipe for success, you are saying.\n    Senator Carper. If you want to have a good picture of what \nis not working around here, it is getting data breach \nlegislation enacted. But I am pleased that we are talking about \nit again today. Senator Blunt and I talked about not long ago.\n    The idea of inviting a couple of you just to meet with the \nlegislative leaders, Democrat and Republican leaders of these \nfour committees of jurisdiction, and sharing with you what we \nhave offered, and the staff will continue to have discussions \nat the staff level, but that might be helpful for us actually \ngetting the show on the road. Would you be willing maybe to do \nthat?\n    Ms. Manfra. I would be happy to do that, Senator.\n    Senator Carper. Oh, good. Thank you. Greg, we might even \ntry to drag you with us as well.\n    Mr. Wilshusen. Absolutely. We have done a couple reviews \nlooking at data breach response as well as cybersecurity \nincident response. We would be happy to talk about that, too.\n    Senator Carper. Great. All right. Thanks so much.\n    I want to come back to a name change and just to say the \nname remains the same, and I agree with you, it is time to \nactually say what you do, and I do not think we are looking to \ndo a whole lot more beyond that, but that would be a big deal. \nWe are all interested in our business in branding, and I think \nit is understandable why that is important to you.\n    Jeh Johnson was in town not long ago, and we had a chance \nto visit, and Ali Mayorkas on a separate visit. 
We talked about \nmorale within the Department of Homeland Security, and I think \nif you look at the Federal agencies where we evaluate morale on \nan annual basis, the agency or the department that had the \nbiggest uptick in morale was the Department of Homeland \nSecurity. That is something that the Chairman, the Ranking \nMember, and myself and others have focused on, and we are very \npleased to see that. I believe your point, Madam Secretary, \nabout having an agency that actually says what you do--and Mr. \nWilshusen alluded to this as well--makes a whole lot of sense.\n    One of the things that I like to do as a Senator--and I \nused to do it as Governor--I like to do customer calls. I call \non businesses large and small, schools, hospitals in Delaware, \nand even outside of Delaware, to see what we can learn from \nthem. We always ask three questions: How are you doing? How are \nwe doing? ``We\'\' being Delaware, the State of Delaware, or \nCongress, our congressional delegation, or the Federal \nGovernment. What can we do to help? We asked these questions a \nlot about 3 or 4 years ago, and folks here to my left were a \npart of those conversations. Tom Coburn was a part of those \nconversations. I was a part of those conversations. We said, \n``What can we do to help?\'\' One of the things you said we could \ndo to help was on the workforce side. We did, I think, a fair \namount. Has it helped? What have we done that is helpful? What \nhave you not taken full advantage of what we provided for you \nlegislatively? If you all could take a minute on that \nworkforce, how are we doing? I do not care who answers it. \nMaybe both of you can.\n    Mr. Wilshusen. 
We recently issued a report last month on \nDHS\' efforts implementing that Homeland Security Cybersecurity \nWorkforce Assessment Act of 2014 in which it was responsible \nfor identifying all of its cybersecurity positions, assigning \ncodes to those positions based upon the work roles and the work \ncategories, the specialty areas of those positions, and then to \nidentify its critical needs and gaps. We found to a large \nextent that the Department had not implemented those actions in \naccordance with the deadlines established in law, but they are \nworking toward it and have taken actions on it.\n    We also found, even though it was not part of our report, \none of the authorities granted to the Department under the \nBorder Patrol Agent Pay Reform Act of 2014----\n    Senator Carper. That was the one.\n    Mr. Wilshusen. Right. Even though we were not examining \nthat, we had heard that despite having these authorities to \nhire new cybersecurity-related personnel, the Department as of \nat least earlier this year had not really taken advantage of it \nfor 3 or 4 years. But, again, that was really something we \nheard in passing. It was not a focus of our review. We were \njust examining the Department\'s implementation of the Homeland \nSecurity Cybersecurity Workforce Assessment Act.\n    Senator Carper. Madam Secretary, just briefly, any \ncomments?\n    Ms. Manfra. As Greg mentioned, the responsibility for \nimplementing that authority is with the Chief Human Capital \nOfficer of the Department, which is not my organization, but we \nare working very closely with them. I think she has been up to \ntestify a couple of times on this issue.\n    Senator Carper. Who is that person?\n    Ms. Manfra. I am sorry. Angie Bailey. We have a great \nrelationship with her. She has only been on board for maybe 2 \nyears or so. But I am very excited about the program. 
While it \nhas taken longer than we would have liked, they are completely \nrethinking the way we think about civilian service and really \napplying best-in-class concepts of how technology companies \nhire workforce. The way they are implementing the authority is \ngoing to allow us to have a very different approach to our \nworkforce.\n    We are also trying to improve the stuff we can control, \nthink differently. Does everybody need the highest level of \nsecurity clearance? The answer is no, because that is often the \nthing that can take the longest in the hiring process. Are we \nbeing better recruiters? We cannot just rely on a website and \npeople to apply via a website. We have to be out there \ntargeting our employees.\n    As Greg mentioned as well, we have to understand what \nworkforce we want and make sure that we are targeting the skill \nsets for the workforce that we want and that we need instead of \nhiring basically the people that are often given to us through \nthe old government approach to hiring. So we are trying to do \nas much as we can.\n    Senator Carper. Thank you. My time has expired.\n    Mr. Chairman, two things. One, thank you so much for \nscheduling this hearing and to all of you for coming and \ntestifying. My colleagues may recall that this Committee also \nrequired NPPD to improve EINSTEIN, provide us with updates on \nimprovements and features. It is my understanding that we have \nnot received any updates. I might be mistaken, but that is what \nI am told. I would like for us to have a conversation after \ntoday is over, and I will be interested and will ask questions \nfor the record with respect to EINSTEIN 3A. Has it been \nupdated? Does NPPD intend to develop new functions? Those are \nthe kind of questions we would like to pursue.\n    Again, thank you. This is timely and maybe overdue, but I \nam just delighted that we are doing it. Thank you.\n    Chairman Johnson. 
Senator Jones.\n\n               OPENING STATEMENT OF SENATOR JONES\n\n    Senator Jones. Thank you, Mr. Chairman. I apologize for \nbeing late. We were marking up the opioid bill, which is also a \nvery important piece of legislation that is about to move.\n    I know you have had a lot of testimony and questions and \nanswers, so I am going to kind of limit this to one question \nthat I would like each of you to address, and it is just a \npretty general question.\n    There have been some 50 bills governing cybersecurity that \nhave passed over the last few years, which sounds like an awful \nlot of action on behalf of the Congress. I have seen some parts \nof your GAO report suggesting areas of improvement in the \nimplementation of some of those bills. But I would just like \neach of you to address, as you can, what else is there? Do you \nhave, for instance, all the tools that are necessary, whether \nor not you have the ability to implement them right now, are \nthere other things, 50 bills sounds like a lot, but there is a \nlot going on in this world, and are there other things that \nCongress and this Committee should be looking at that would \nhelp you in this world, whether it is the Department of \nDefense, whether it is Homeland Security? If each of you take \njust a moment with that, I would appreciate it.\n    Ms. Manfra. I can start.\n    Senator Jones. OK, sure.\n    Ms. Manfra. I would say that Congress has, like you said, \ndone a lot of very effective legislation in cybersecurity and \nreally positioned DHS as that agency that is central to \nmanaging the defense of Federal networks and civilian networks \nand critical infrastructure. We are very satisfied with the \nauthority that we have been given. 
For us, it is really about \nhow do we ensure we have the capacity and the capability to \nfully implement those authorities.\n    But as we continue to work and expand the work that we are \ndoing and learn more about different areas, if we come up with \nadditional legislative remedies that are needed, we would \nabsolutely come and work with this Committee.\n    Senator Jones. All right. Thank you.\n    Mr. Wilshusen. I think it is more a matter of execution \nrather than additional legislation for the time being. As you \nmentioned, there are a number of laws for which agencies are \nresponsible in implementing relative to cybersecurity. But the \nkey thing is taking those authorities and actually effectively \nand efficiently executing them in order to secure the systems \nthat the Federal Government operates. I would say it is more a \nmatter of execution rather than the need for additional \nlegislation at this time.\n    Senator Jones. All right. Thank you.\n    Mr. Rosenbach. Sir, it is always easier when you are on the \noutside, but I think that you all could start by clarifying the \ncommittee oversight structure for the Department of Homeland \nSecurity. This would not be passing a bill back on the \nExecutive Branch, but it would be dealing maybe in the co-equal \nbranch of Congress and cleaning things up here. I was speaking \nwith Secretary Manfra beforehand, and she said she has already \ntestified I think 15 times this year. Having been an Assistant \nSecretary of Defense, you spend a crazy amount of time \npreparing to come and work with you all, which is really \nimplement, but it is time taken away from doing operational \nreal things. I know that is a hard thing, but it is worth \nmentioning.\n    I think that capability and talent are the two most \nimportant things in government, and bureaucracy is deadly to \ncapability and talent, even in the Department of Defense where \nwe have a huge budget and a lot of really motivated people. 
DHS \nhas that as well. In some ways maybe there is a bill that could \ndo away with a lot of the reporting requirements that GAO then \ngrades Secretary Manfra on. That probably also would be \nhelpful.\n    I love government. I am at the School of Government. I am a \nbig fan of that. But sometimes too much government keeps you \nfrom getting the real stuff done.\n    Senator Jones. All right. Thank you all, and I appreciate \nit. I can tell you a couple of things from the report. As a \nformer U.S. Attorney back before this really became such an \nissue, just the reporting and being able to share information \nacross agency lines, and the collection of that data is so \nimportant. In Alabama, in particular, we have such critical \ninfrastructure sectors with ship building and manufacturing, \nthe aerospace industry, manufacturing, so I want to take you up \non looking at that, because I think we need to be efficient and \nI want to make sure we can collect the data and be able to move \nas quickly as they can.\n    That is all I have, Mr. Chairman. Thank you so much for \nletting me sneak in at the last minute and throw a couple \nquestions out.\n    Chairman Johnson. Not a problem. First of all, it was a \ngreat question. It was the first one on my list. Do we have \nenough laws? Mr. Rosenbach, we are going to clip that \ntestimony. You are singing right out of our hymnal. I am sure \nSenator Heitkamp will make the same point. Senator Heitkamp.\n\n             OPENING STATEMENT OF SENATOR HEITKAMP\n\n    Senator Heitkamp. Thank you, Mr. Chairman.\n    This is probably the most serious issue that we are \nconfronting, probably behind the pandemic, in this country with \nthe most disruptive oversight process in government. Think \nabout that. When something really bad happens, I can only \nimagine the scramble to assume who is responsible for not \nmaking sure that we have the resources and making sure that we \nwere not on the ball. 
We have to fix this, and I think the \nChairman has held a meeting. It is really hard to wrestle \njurisdiction away from other committees, but we have to stand \nfirm to centralize our discussion of this, because if we do \nnot, we are going to miss opportunities.\n    One of the things that I have been talking about has been \nthe impact of all this on small business, and I want to just \nmake another brief statement. I think sometimes cybersecurity \ngets overlaid or kind of misstated as a privacy issue. It can \nbecome a privacy issue, but it is different from and different \nthan privacy. We need to make sure that when we are talking \nabout this, we do not confuse the two concepts.\n    The first thing I am going to say is the first line of \ndefense, if you are a beat walker, doing community policing, is \npeople lock their door. They lock their car. They carry a \nflashlight. They carry some kind of method of defending \nthemselves. They practice some kind of self-defense.\n    We are missing a national dialogue on what we need to do \nfor self-defense. What can we do within the government to set \nout some principles? I think the public wants to know. They do \nnot want to have 20-character passwords, because everything \nrequires a password now. They want to have easy access to their \ndata and their information. But they need to understand that \nthey have within their power the chance that could be a back \ndoor to something really bad happening.\n    What are we doing to help cyber hygiene, to really promote \ncyber hygiene, to get it out not just to small businesses and \nbig businesses, but to get it out to the mom-and-pop users of \nthis technology? We will start with you.\n    Ms. Manfra. Thank you, ma\'am. Very well said. 
A lot of talk \nin cybersecurity and technology is very fancy and all sorts of \ninteresting technologies, but when it comes down to it, my team \nof assessors continue to find the same basic problems, poor \npatch management, misconfigured systems, things that are known \nbad things. Within the Federal Government, we have tried to \nfocus on changing those behaviors.\n    More publicly, which I think is what your question is \nreally getting at ma\'am, we do need to do more. Our \norganization has been working with an organization called the \n``National Cybersecurity Alliance\'\' for some time--the campaign \nhas been called the ``Stop, Think, Connect Campaign\'\'--for some \nyears, and we have been talking a lot about how do we expand \nour reach? How do we make the message more----\n    Senator Heitkamp. Can I make a recommendation? I just \nvisited with my insurance agents. Great people. They are now \nselling a product that includes cyber insurance. I am not sure \nhow it is going to work. But there is a great place--when we \ntalk about fire protection--I used to run the Fire Marshal\'s \nOffice in North Dakota. We partnered with the insurance \nagencies because they knew they had risk, and they could do a \nlot.\n    What are we doing to plus-up our effort looking at private \norganizations that have some skin in this game?\n    Ms. Manfra. Another great point. We have been working with \nthe insurance community for a few years now, both to educate \nthem as they think about developing insurance policies and the \nchallenges they have around that, but as a stakeholder, as a \nrisk manager in helping to raise the level of cyber hygiene \nthrough requirements in their policies.\n    We have been working with them. I think that environment \nhas changed significantly. We are seeing a lot more insurers in \nthis space. We see them as a great partner. Like you said, just \ngetting to the average consumer, getting to--how can people be \nsafe online? 
How can people be secure online? But also working \nwith the technology community to think differently about things \nlike identity.\n    Senator Heitkamp. I do not have a whole lot of time left, \nbut it seems to me that as you experience or see--just like we \nwould do a GAO report with a list of recommendations, if you \nsaid, look, Corporation X, you are putting your users at risk, \nonly you know that, and they continue to--if they do not modify \nor change or make the investment that they need to protect \ntheir data, should we not know that as consumers? Should we not \nknow that? Should we not know what you know so that we can then \ncreate that push to encourage more rapid change within those \norganizations that are not doing what you think is appropriate \nto protect data?\n    Ms. Manfra. In the case where I would know that \ninformation, which is not usually the case, but in the case \nwhere I would, I do believe that, yes, consumers should have a \nright to know. But that is definitely something that working \nwith the U.S. Securities and Exchange Commission (SEC), working \nwith others, thinking about disclosure requirements, \ntransparency around----\n    Senator Heitkamp. The concern that I have is frequently \nwhen we talk about disclosure, it is after the breach. It is, \nOK, now, who are you going to tell, when are you going to tell, \nand Equifax is an excellent example of where that got totally \nmessed up, in my opinion, people who knew, who were trading \nbefore the public knew. That is some of the richest data you \ncan possibly imagine, and we do not know--that is like a \nticking time bomb waiting somewhere offshore, in my opinion, \nuntil they can absolutely do havoc, so we cannot say, well, \nnothing happened so far, because, why rush it?\n    What I am saying is that there has to be a level of \naccountability with standards that when we look back on it, we \ncould say, look, you should have known. 
A great example of that \nis when I met with my folks in Grand Forks, North Dakota. We \nare trying to really build out some cyber capability. They said \na lot of the ATMs were running on Windows 98. Yes, look at your \nface. I mean, can you imagine? These are the kinds of things--\nyes, I know it is expensive, but Windows 98 is no longer being \nmodified for security protections. That is the kind of thing \nthe public would be absolutely furious about if they knew that \nwe knew that and somehow now their identity is being stolen, \nincluding Social Security numbers and bank account numbers and \nnow they are in the hassle of that.\n    I just think it is really important we talk about cyber \nhygiene, that we talk about creating greater incentives for the \neasy things to get done--not the tough things, not autoimmune \nsystems, all the things we want to talk about up here, but all \nthe things we need to do here to lock the door, right? That is \nthe example I always give. Let us lock the door. Maybe they \nwill still break a window, but it is going to be harder to get \nin.\n    Ms. Manfra. I could not agree with you more, ma\'am.\n    Chairman Johnson. Although it is kind of hard to hack into \na floppy disk. [Laughter.]\n    I do want to reinforce your point on the insurance. I have \nbeen making that point for quite some time. That is a private \nsector model, just like in manufacturing, because you have to \nrespond to insurance premiums. Your premiums are lower if you \nhave your sprinkler heads closer together. I think the \ninsurance industry off of NIST, something like an ISO type of \ncertification process, will be much more flexible than \ngovernment ever will, as we are talking about needing \ncongressional action just to change the name of your agency. I \nthink that private insurance model is probably one of the best \nways of enforcing those standards.\n    Senator Heitkamp. 
It is definitely a force multiplier, and \nmore and more small businesses are coming wanting protection, \nunderstanding the risk and the liability. This is an absolute \npivotal point. If I can just for a minute brag about my \ninsurance agents, they literally go through a checklist on \ncybersecurity.\n    Chairman Johnson. Very thorough.\n    Senator Heitkamp. What are you doing? What are you doing \nhere? Maybe you should think about that. That is just \ninvaluable. That is the kind of army you need to prevent people \nsneaking in through the back door.\n    Chairman Johnson. That is because they want the premium. \nThey never want to have to pay out the claim, which is exactly \nwhat you want with insurance.\n    Senator Heitkamp. That is why you put sprinkler heads close \ntogether, too.\n    Chairman Johnson. Right. Senator Daines.\n\n              OPENING STATEMENT OF SENATOR DAINES\n\n    Senator Daines. Thank you, Chairman Johnson, Ranking Member \nMcCaskill, for holding this important hearing. Cybersecurity \nissues have been at the forefront of many minds lately. I spent \n12 years in the cloud computing business, and you always, when \nyou woke up in the morning, ask yourself, ``What could happen \nin our business to put you on the front page of the Wall Street \nJournal?\'\' It is a cyber breach that is exactly one of those.\n    In light of attacks such as the hacking of Montana\'s \nschools recently up in Flathead County, up near Glacier Park, \nas well as broader government breaches like the one we saw at \nOPM, in fact, 28 years in the private sector I never got a \nletter from my human resources (HR) department saying my PII \nhad been compromised until I became an employee of the Federal \nGovernment as a U.S. Senator when I finally got a letter. 
It is \nvitally important that we address these issues promptly.\n    In the Energy and Natural Resources Committee, we have been \ntackling the issue of protecting our electric grid from cyber \nattacks. It is a delicate balance we must strike as the vast \nmajority of our infrastructure is privately owned, but many \ncompanies do not have the capital, sometimes the expertise, to \ndefend against attacks from bad actors or nation-states. That \nis why it is important we work with the private sector to \nbolster cybersecurity.\n    To that end, I have introduced the Cyber Safety Act, which \nsimply clarifies that cyber technologies can apply for Safety \nAct protections. This bill would help incentivize the next \ngeneration of cyber defenses for critical infrastructure and \nhelp protect the grid from cyber attacks.\n    Mr. Rosenbach, you mentioned in your testimony that, \n``Bolstering private sector cyber defenses without regulation \nshould be a priority.\'\' I agree with that. How important is it \nto enable the private sector to innovate and commercialize the \nnext generation of cybersecurity technologies without a \ntechnology mandate?\n    Mr. Rosenbach. Senator, I think it is really important, and \nduring the time I was in the Department of Defense, in the \nbeginning I think NSA CYBERCOM had better capabilities than the \nprivate sector. If I look now, 8 years later, it is not even \nclose. The private sector moves more quickly, advances more \nquickly. We need to be able to rely on them in a way that helps \nthe country in a broader national security sense as well.\n    Senator Daines. 
That is a strong statement you made, and as \nsomebody who has been on the Commerce Committee, I see that as \nwell in terms of the innovation cycles, the innovation \necosystems built in the private sector, and oftentimes how this \nlarge bureaucracy that we have, smart people, well-meaning \npeople, sometimes having difficulty to attract and retain the \nbest people when the money is a lot better sometimes on the \nother side.\n    Mr. Wilshusen, I believe it is hard for the government to \nmandate cyber practices on the private sector when it does not \neven have its own house in order. There have been multiple \ncyber breaches in the Federal Government that are very \nconcerning. Last year, I helped push the Modernizing Government \nTechnology Act, and just last month, this Committee passed a \nbill that I introduced called the ``Support for Rapid \nInnovation Act\'\' as part of the DHS reauthorization. Both are \nimportant steps to mitigating risks within the Federal \nGovernment.\n    What else do we need to do to ensure that the Federal \nGovernment is secure against cyber attacks?\n    Mr. Wilshusen. I do not know if one will ever be able to \nsay that we are secure against cyber attacks, but we can \ncertainly do more to try to reduce the risk and likelihood of \nhaving significant breaches at Federal agencies. Much of that, \nas we discussed, is to effectively implement the security \ncontrols and requirements that have already been established. 
\nAs Secretary Manfra mentioned, many of the key findings that we \nidentify during our audits are the same things that we have \nbeen identifying for years: unpatched systems, use of \nunsupported systems, and not having effective security testing \nand evaluation processes at agencies.\n    We often find that agencies will go and conduct a test or \nreview their systems merely by either conducting interviews or \nreviewing certain policy documents as opposed to actually \nexamining the security and the configuration of their systems.\n    Much of what we need to do in the Federal Government is \nassuring that agencies have sufficient information on what the \nkey cyber threats are at the moment, establishing processes to \nassure that they securely configure their systems, and being \nable to assure that those configurations and controls are being \nreviewed on a regular and ongoing basis.\n    One of the programs that DHS is spearheading, the \nContinuous Diagnostics and Mitigation Program, is intended to \nhelp along those lines. But it is still in the relatively early \nstages of implementation. It is going to Phase 3 this year. \nThere is still much that needs to be done at the Federal agency \nlevel.\n    Senator Daines. Thank you. One of my observations, too, in \nterms of the procurement of best practices, best technologies \nout there, we see some of the same challenges in the Federal \nGovernment that are reflected oftentimes in Fortune 100s where \nChief Information Officers (CIOs) and Chief Technology Officers \n(CTOs)--there is the old saying, ``You never get fired for \nbuying\'\'--and I will not create any problems here, but you can \nkind of list some of the large enterprise companies that \ntypically they have Italian suits, expensive shoes, and high \nbilling rates, and technologies that sometimes are burdensome \nand it costs more money to upgrade them and implement them than \nthe solution itself. 
I will just leave it at that before I get \nin trouble.\n    But my point is to be looking for these smaller, nimble \nplayers out there that are oftentimes on the forefront of \ninnovation. I speak as one who used to be there. We finally got \nacquired by a large corporation, but some of the best ideas, \nfrankly, are out there with little guys at the moment, and I \nhope we can incentivize appropriate procurement that would \nallow us to look at some of these smaller, more nimble players \nthat usually are less money, better solution, faster \nimplementation.\n    Mr. Wilshusen. You mentioned procurement, and that is \nanother key area to helping secure Federal systems. One aspect \nof that is buying operating systems that the vendor has \nalready preconfigured securely. By acquiring software that is \nsecure out of the box, it will also help with securing systems.\n    Senator Daines. Some of these large technology dinosaurs \nare extinct. They just do not know it yet. They need to be \nlooking at the next generation.\n    I better be quiet here, Mr. Chairman, before I get in \ntrouble.\n    Chairman Johnson. You were close. Senator Hoeven.\n\n              OPENING STATEMENT OF SENATOR HOEVEN\n\n    Senator Hoeven. Thank you, Mr. Chairman.\n    Ms. Manfra, Senator Peters and I have introduced \nlegislation, the Federal Cyber Joint Duty Program Act, S. 2620, \nwhich would enable the Federal Government to establish a \ncivilian personnel rotation program for employees with cyber \ndesignation. It is similar to the joint duty programs that \nexist in the military and the intelligence community.\n    My first question is: In your experience have you noticed a \ngovernmentwide cyber workforce shortage and/or retention \nchallenge in the cyber field? What are the impacts that that \nhas on your office, agency, and government as a whole?\n    Ms. Manfra. Yes, sir, we absolutely have a shortage. 
We \nalso have an equal challenge of inconsistently trained and \nqualified professionals across the government. We are working \nto address both of those challenges.\n    Senator Hoeven. Do you think a rotational program for \ncivilian employees in cyber work roles such as the bill that \nSenator Peters and I have introduced can be used as a tool to \nfurther develop and retain talent and create some of that \nconsistency in the cybersecurity career field?\n    Ms. Manfra. Sir, we would look forward to working with you \non the specifics, but, yes, the concept makes a lot of sense to \nme.\n    Senator Hoeven. That is a good answer.\n    Mr. Wilshusen, I guess you published two reports recently \nwhich outline the persistent and longstanding challenge the \nFederal Government is experiencing in this area. I would ask \nyou the same questions.\n    Mr. Wilshusen. Certainly, as you point out, that has been a \nlongstanding challenge within the Federal Government. Some of \nour reports and surveys that we have conducted with agency \nCISOs have consistently identified obtaining and retaining \nstaff with technical skills has been particularly challenging \nfor them. One of the steps, as you mentioned, with the rotation \naspects, could potentially help in terms of giving those \nindividuals greater insights as to how different agencies are \nimplementing security for their systems and may be beneficial \nnot only to the individual agencies but to those individuals as \nwell.\n    Senator Hoeven. I would ask the two of you, and then Mr. 
\nRosenbach, relative to the private sector, in the public \nsector, how should we be communicating to the public in terms \nof cybersecurity, the steps we are taking, and what assurances \ncan we give them that we are addressing cybersecurity \nsufficiently, first in the public sector, then in the private \nsector, both in regard to State actors, be that Russia, China, \nIran, North Korea, and non-state actors, terrorist groups, for \nexample? How should we be talking about what we are doing and \nits adequacy and whether or not they can be reassured and where \nthey should have concerns?\n    Ms. Manfra. From my perspective, sir, the way that I talk \nabout it is that we are taking a risk-based approach to \ncybersecurity, and I cannot assure that there will never be \nanother data breach or that we will never have a significant \ncyber incident. What I can assure is that we are taking a very \nfocused look at what we are calling ``national critical \nfunctions.\'\' What are those functions that our citizens and \nresidents and companies depend upon? How can an adversary \ndisrupt those functions, whether that is through some sort of \ncyber means or otherwise? How do we work to reduce that risk, \nwhether that is in the Federal Government or within critical \ninfrastructure?\n    We have a lot of authorities, not just DHS but the \ngovernmentwide has a lot of capabilities. We have a thriving \ncybersecurity market. We have increasing awareness among \ncommunities and companies of things like the NIST Cyber \nFramework where we need to continue to raise that baseline \nlevel of cybersecurity.\n    For me, the approach is a combination of improving our \nunderstanding of threat, vulnerability, and consequence, but I \ncome at it from the vulnerability and consequence side. What \nare those really high-impact--where do we have public health or \nsafety risk? What are we doing to reduce that? 
For me, it is \nmostly focused on nation-state actors because those are \ngenerally the ones that both have the capability and the intent \nto accomplish something like that. But we are also looking at \nother non-state actors who would seek to disrupt those services \nor functions.\n    Does that answer your question?\n    Senator Hoeven. Kind of, but, again, for the public that \ngets to be a little confusing, and it comes across you are \nworking on it, but in terms of should they be reassured that \nyou have this, that kind of answer, it is hard to say you get \nthem there with it.\n    Ms. Manfra. I know that people want assurances. But in \nsecurity----\n    Senator Hoeven. They want honest assurances.\n    Ms. Manfra. Sure.\n    Senator Hoeven. They want an accurate response.\n    Ms. Manfra. What I can assure the public is that the \nDepartment is doing everything that we can to coordinate within \nthe government to make sure that the intelligence community is \ncollecting information that would help reduce the risk, that we \nare passing that information to those who would own it, and \nthat we are gaining visibility into what these potential \nconsequences would look like. Companies are stepping up--the \nfinancial sector, the electric sector, water utilities across \nthe country.\n    Is there a lot more that we should be doing? Absolutely. \nBut people are stepping up to own the risk and to work with us \non it.\n    Senator Hoeven. Mr. Wilshusen, how would you put it?\n    Mr. Wilshusen. I would probably say that we are never going \nto be completely safe, and I think as you say, you have to be \nhonest, particularly--and it is not just the Federal \nGovernment, but it is also individuals and their behavior out \non the Internet. 
There is a great propensity for people to \nshare a lot of information out on the Internet, on various \ndifferent applications, and that information is being collected \nand used, often unbeknownst to the individuals who provide that \ninformation, generally willingly, to many of the different \napplications and systems that they may frequent out on the \nInternet.\n    I think in terms of just being able to provide assurance to \nsay that we are doing everything we can is one aspect of it as \na Federal Government, but, we also have to be able to \ndemonstrate that we are doing everything we can do to protect \nthe systems that the Federal Government operates.\n    But it is also up to individuals, who need to recognize \nthey, too, have a responsibility. As the old adage says: \nsecurity is everybody\'s business. Individuals, citizens, also \nhave to take ownership of it as well in terms of how they act \nand behave in cyberspace.\n    Mr. Rosenbach. I will be very quick because I know you are \nover. I will say that the most important thing to me is that \nyou cannot expect the Department of Homeland Security or the \nprivate sector to be defending against advanced nation-state \nthreats. You need the Department of Defense and the intel \ncommunity to be operating outside U.S. borders to take on \nadversaries before they hit us. The idea that we would let \nsomeone attack our democracy and our election system and there \nbe almost no price to pay for that still is crazy to me. I was \nin a job where I probably should have done more. We as an \nAdministration should have done more. But the country needs to \ndo more.\n    The private sector, there is a great and thriving market in \nthe cybersecurity market, and they can make money and make a \nbig difference. However, there are parts of the tech sector \nthat need to internalize that they have a responsibility to the \npublic to do more. That is primarily social media platforms \nright now. 
There is, I think, a little momentum in a positive \nway, but we need to see more there. Information operations by \nnation-states will continue to get worse unless they and the \ngovernment both do something that is a little more assertive.\n    Senator Hoeven. Thank you. I appreciate it.\n    Thank you, Mr. Chairman.\n    Chairman Johnson. Thank you, Senator Hoeven.\n    I have a number of questions, but Senator McCaskill is on a \ntight schedule, so I will let her ask hers first, and then I \nwill close out the hearing.\n    Senator McCaskill. Thank you. I just want to echo your \ncomments, Mr. Rosenbach, about our lack of response offensively \nto the Russian active war against our country. I had the \nopportunity in the Armed Services Committee to pointedly ask \nAdmiral Rogers, conveying to him what a woman said to me in the \ngrocery store. Can we stop them? Do we have the capability of \nstopping them? He said to me in that hearing, ``Yes, you gave \nher the right answer. We can.\'\' But have we? He had to admit, \nno, we have not, and that he had not been given the command to \ndo what we need to do to offensively go after this act of war \nagainst our democracy. It is a real head-scratcher for me and \nvery frustrating that we are dancing around the obvious here. I \njust wanted to echo your comments that we are not utilizing the \nassets of the Department of Defense in an effective way against \nRussia and what they did to our country.\n    Director Wilshusen, I wanted to ask you--I know it was the \nElection Division that gave--this is the last question I have--\nthat did the report looking at the voting equipment and the \nvoluntary voter system guidelines. The Election Assistance \nCommission has guidelines they use to certify systems, which is \npretty important right now. Those guidelines were first \nreleased in 2005, very outdated. 
I think anybody would \nacknowledge in this area that using guidelines that were \ndeveloped in 2005 is not appropriate.\n    They were updated in 2015, and the GAO\'s report that was \nissued last month noted that in January 2016, EAC adopted a \nplan that all new voting systems would be tested and certified \nagainst the 2015 guidelines beginning July 6, 2017. They also \nnoted that as of November 2017 no voting systems had been \ncertified using the 2015 guidelines. Looking on their websites, \nsome systems were certified in March, like a month ago, but to \nthe 2005 guidelines.\n    What is going on? Why are they not utilizing the new \nguidelines that we have worked hard to update to make sure that \nthe certification has the kind of validity we need at this \npoint?\n    Mr. Wilshusen. I will probably have to get back with you on \nthe answer to that question with the audit team that actually \nperformed the work. But I will say that my understanding is \nthat the Election Assistance Commission is actually still in \nthe process of updating those regulations or those voluntary \nguidelines, and they expect to issue them later this year. But \nat the same time, it would seem that if there are more current \nstandards, that they would be using those standards to measure \nagainst new systems that are coming online.\n    Senator McCaskill. Can you add anything to this, Secretary \nManfra? What is the holdup here? This seems really like a waste \nof time to be certifying to 2005 guidelines?\n    Ms. Manfra. Yes, ma\'am, those guidelines are not final yet, \nso even though they did update and draft them, they are still \nin the process of finalizing. My understanding is that they \nwill be finalized and issued very soon, and I agree with you, \nit is too long. I know the EAC has been working very hard, and \nwe should get some updated guidelines out in the next few \nweeks, is my understanding.\n    Senator McCaskill. I will continue to follow up on this. 
I \nwill follow up directly with the EAC. But is this some \nrequirement they have to make it take this long? Or are they \njust not moving quickly enough?\n    Ms. Manfra. I would definitely check with the EAC on this. \nMy understanding is it is somewhat of a cumbersome process that \nthey go through. But I would definitely confirm with them.\n    Senator McCaskill. Yes, because they should probably quit \ncertifying until they get the new guidelines out. I think it is \ngoing to give a false sense of security to a lot of States.\n    Chairman Johnson. Thank you, Senator McCaskill.\n    I really do have a pretty long list of questions here. I \nthink the questions asked by my colleagues have been excellent, \nbut this is a big topic.\n    Let me start by saying, when I got here in 2011, it was \njust generally recognized that cybersecurity is a real issue \nand we have to do something about it. There was one proposal \nmade, I do not know, 400 pages. I was asking the folks that \nwould be tasked with implementing it how long would it take to \njust write the regulations, and I am quite sure that they said \nsomething like 7 years. I never really thought a government \nsolution here was going to be the be-all, end-all. You really \nhad to look to the private sector.\n    But in those hearings--and I thought this was pretty good, \nand I want to see if this is still a pretty good outline of \nwhat we really face in terms of threats. Four points.\n    Cyber crime, cyber theft, the ransomware, copyright \ninfringement, cyber intrusions all for the purpose of cyber \nthefts gaining people\'s personal accounts and personal \ninformation so they can hack into your accounts. We have seen \nthem obviously violate the Internal Revenue Service (IRS) \nfiles.\n    Then the next level would be industrial espionage. Of \ncourse, we have seen from the Mandiant report China has been \nexcellent about that, and they have a lot of U.S. technology \nbecause of that. 
But it would not necessarily be only isolated \nto nation-states.\n    The next one would be national security espionage. It is \npretty amazing how close the J-20 Chinese fighter is to our F-22. Amazing.\n    The final level is really cyber warfare. Now, you could \nargue that could be destructive warfare. It could be \ndisinformation.\n    First of all, are there other categories that we need to be \nworrying about? Is that a pretty good outline to describe what \nthreats we face? Secretary Manfra.\n    Ms. Manfra. I can start, and my colleagues can add. First \nof all, I think, yes, it is a pretty good construct. The first \ngroup I might recharacterize as say ``monetization,\'\' so \norganizations, they do not have to be criminal, but they are \nseeking to monetize what they steal. I think you are right \naround it is differentiating between industrial espionage and \nnational security. We further differentiate between a State--\nusing State assets to conduct industrial espionage for the \nbenefit of their companies.\n    The last one, cyber warfare, I guess the distinction that I \nwould make is because cyber warfare means a lot of things to a \nlot of people, but it is the position of holding our critical \ninfrastructure at risk and getting into that geopolitical \nnature of because I believe we have supremacy in most other \nareas of security through our Department of Defense, nuclear, \netc., we have a lot of countries that are seeking to exploit an \nasymmetric advantage.\n    Now, whether that leads to actual warfare or if it just \nputs us in a position where conflict and escalating tensions \nmeans something different because of the risk we have in the \nhomeland, but----\n    Chairman Johnson. Part of the problem is we really have no \ndefinition for it, correct? If you destroy computers through \nelectronic beams, we call that a cyber attack. If you destroyed \nthose computers with a bomb, that would for sure be an act of \nwar. 
Do we need a definition? Could we even come up with one?\n    Ms. Manfra. I think we need a doctrine for cyber war, and \nwe are working on that. It is complicated. There are a lot of \npeople who have done a lot of work on this. But I do believe \nthat is something that is important, and I think it is \nimportant to be transparent about what that doctrine looks like \nto a certain extent.\n    Chairman Johnson. Mr. Rosenbach.\n    Mr. Rosenbach. Sir, this may sound overly simplistic, but \nfor about the past 10 years, I have always heard people debate \nwhether we need cyber doctrine or what cyber war is. In my \nmind, in all of the White House Situation Room meetings I sat \nthrough, people knew----\n    Chairman Johnson. You know it when you see it.\n    Mr. Rosenbach [continuing]. What a real attack was. The \nproblem is: Are you going to do something about it? It is not \nin the definition. You know it. It is are you willing then to \ntake the action to go back and do something about it.\n    Chairman Johnson. I realize there is a spectrum here, but \nwhat about just the challenge of attribution? You retaliate, \nyou respond. If you do not have the attribution correct, that \nis a real problem. We just saw that with the use of chemical \nweapons.\n    Mr. Rosenbach. Yes, sir.\n    Chairman Johnson. When we finally could attribute it and we \nhad a high level of confidence, we responded. But it is more \ndifficult in cyber, isn\'t it?\n    Mr. Rosenbach. Yes, sir. It is difficult. I would say this \nis something that has really changed over the past several \nyears, too. Attribution is not as difficult as people think. \nThe private sector is very good at it, if you look at Mandiant-CrowdStrike, firms like that. NSA is very good at it, even some \nof the experts at DHS. You will never have 100 percent \nconfidence. 
Just like in the terrorism strike, you may not know \ndefinitively, but most times now you can have pretty good \nattribution, and you can have it pretty quickly.\n    Chairman Johnson. Let me ask you what kind of cyber attacks \nactually keep you awake at night. This is where I am going to \nget into the prioritization, the things that we really need to \nbe concerned about, which means that is what we need to \nprioritize our assets and our attention toward as well. I will \nstay with you, Mr. Rosenbach.\n    Mr. Rosenbach. Yes, sir, in your opening statement you \ntalked about maybe the election threat is a little \noveremphasized, and in some ways that may be right. But what I \nworry the most about is a combination of info attacks and cyber \nattacks done by any of those nation-states. The Russians were \nsuccessful in some ways, but that will not be lost on Kim Jong-un or the Iranians, and they will want to go after our and \nother democracies. They can do things that undermine trust in \ndemocratic systems. They are not just about elections. The \nfinancial sector----\n    Chairman Johnson. Don\'t we play into their hands in terms \nof undermining by literally blowing it out of proportion? I am \nnot in any way, shape, or form minimizing the seriousness of \nit. We have seen what they did in Crimea, Ukraine.\n    Mr. Rosenbach. Yes, Senator.\n    Chairman Johnson. Basically an act of war against \nMontenegro if it would have succeeded.\n    Mr. Rosenbach. I totally agree, and I did not mean to \nmischaracterize your statement.\n    Chairman Johnson. No, we are having a discussion here.\n    Mr. Rosenbach. I totally agree with you. Other things I \nworry about that are very important to the way the economy and \nthe country runs, our GPS vulnerable to attack, other systems \nlike that that these advanced bad guys know we depend very \nheavily on. 
In the Department of Defense, we always worried \nthat someone would take out some of our network that would \nprevent us from responding in an operational way. Just an \nattack on our weapons systems, which are very network-dependent, always kept me up at night.\n    Chairman Johnson. What about attacks on the Financial \nSystem?\n    Mr. Rosenbach. Yes, sir, right.\n    Chairman Johnson. We have seen them shut down the \nelectrical grid in Ukraine.\n    Mr. Rosenbach. Twice, right, for sure.\n    Chairman Johnson. These are existential just about, \ncorrect?\n    Mr. Rosenbach. Yes, sir. Those are all real things. With \nthe financial sector, they realize that a loss would hurt them. \nThey tend to spend way more money than any other sector, so \nthat is positive. They tend to be very good. There are a lot of \nthings that worry me on the spectrum. But, again, your point \nabout the fact that we are watching all of these things happen, \nthe Russians take down the power grid in Ukraine twice, and \nthen our response--and this was during the time I was in \nthere--was weak to none. That is not a good way to improve our \noverall security at a national level.\n    Chairman Johnson. Secretary Manfra, in your testimony you \ntalked about, somewhat vaguely--and, again, I do not want to \nget into classified information here, but we are aware that \nRussia has done far more than meddle in our election. But you \ntalked about attacks on staging versus intended targets. First \nof all, can you define that for me? Can you in a public setting \nlay out as best you can what Russia has done in other critical \ninfrastructure outside of the elections?\n    Ms. Manfra. Yes, sir. 
The difference between a staging or \nintended would be if somebody was trying to get a database that \nholds critical data that they want in a company, that company \nmaybe has really good cyber defenses, but they are going to \nlook for other targets that the company may have a business \nrelationship, for example, and they are going to infiltrate \nthat company and then try to jump to their ultimate target. We \nsee that a lot. We see a lot of what we would call \'staging \ntargets\' where they are looking particularly for companies, \nwhat are the business relationships, what are their supply \nchain vulnerabilities. Even though a company itself may be \ndoing everything it can, they are vulnerable because they have \nthose other connections.\n    We have talked publicly a lot about what Russia is doing. \nWe have issued an unprecedented number of alerts attributing to \nRussian activity. We issued the alert around the targeting of \ncritical infrastructure. It was not that they got into the \ncontrol systems. We were able to disrupt that before they--if \nthat was even their intent, but before they got there. But we \nare concerned about what they were stealing, the schematics of \nthe control system, for example. We wanted to ensure that \neverybody had access to this information and could defend \nthemselves.\n    We have also issued this alert around network \ninfrastructure devices, around routers, and these are really \ncore to how networks and the Internet actually run. If an \nadversary can have access to that router, for example, they \nessentially can do pretty much whatever they want with that \ntraffic.\n    Chairman Johnson. Let me quickly interject. How did we let \nKaspersky Labs grow the way we did, knowing what was the \npotential there, let them become one of the largest security \nsystems in devices throughout America? Why did the intelligence \ncommunity, why did we allow that to happen? 
Why did we not blow \nthe whistle on Kaspersky years ago? Can anybody answer that \none?\n    Ms. Manfra. I believe in a free and open market where those \nwho have the best product can sell that product. That being \nsaid, the FBI and others and ourselves have been providing \nclassified briefs to various different organizations in \nindustry.\n    What I felt was that we needed to do more. We needed to get \nthe word out.\n    Chairman Johnson. Were we unaware of the fact that the \nowner, the head of the company, was KGB-trained? Were we \nunaware of that for years? Did that just kind of slip by \nunnoticed?\n    Mr. Rosenbach. No, sir. That is something that has been \nwidely known. Having very granular intel on things like that is \nhard. In the Department of Defense, we were always much more \nskeptical about Kaspersky, and so I think very rarely used it.\n    The point about Kaspersky that is worth maybe internalizing \nis probably the best marketing person for Kaspersky was Edward \nSnowden because all around the world people then doubted \nwhether you could trust American cybersecurity firms, and a \nlarge part of the world decided they would trust Kaspersky \nmore.\n    Chairman Johnson. Russia.\n    Mr. Rosenbach. Right. That is a very unfortunate thing, but \nat least the rest of the world now is under surveillance by \nKaspersky but not as much of the United States.\n    Chairman Johnson. OK. I interrupted your response to my \nquestion, though. Did you have anything else you wanted to say?\n    Ms. Manfra. On Kaspersky, sir?\n    Chairman Johnson. Yes.\n    Ms. Manfra. No.\n    Chairman Johnson. I appreciated Senator Jones\' questions in \nterms of number of laws, and I had the exact same question, so \nlet me pose it somewhat differently. I think the response from \nboth of you is that we do have the authorities, we have the \nlaws. I will ask: Do we have too many? Are there overlapping \nlaws? 
Are there conflicts in those laws that create problems \nfor you? Or just the sheer volume--again, some of these, we are \nnot complying. It does not sound like we are complying at all. \nOn the 0 to 10 scale, it is probably 0. Is that because we have \njust passed too many that it has taken the Department\'s eye off \nthe ball?\n    Mr. Wilshusen. I do not know if we have too many. \nSpecifically, there is some overlap in terms of what agencies \nare required to do, either per law or by government policy. \nOften, some of the laws that are passed codify practices that \nagencies and DHS are already doing. While there is usefulness \nin that, it helps to memorialize and make that a continuing \nrequirement, such as with NCCIC, for example. There is \nusefulness in codifying practices so they endure past different \nadministrations. But I do not know if I would say that there \nare too many laws related to cybersecurity.\n    I will go back to what I said earlier, that it really gets \nback to execution, and there is not sufficient execution of \nthose laws that are there or the implementing regulations and \nguidelines that have been identified by either OMB, DHS, or \nNIST.\n    Chairman Johnson. Any of you want to comment on that \nquestion?\n    Mr. Rosenbach. Sir, I know when you are in government, it \nis often hard to say something officially on the record about \nthere being too many laws, so this is what I would say: When I \nwas Chief of Staff at the Department of Defense, the last year \nthe National Defense Authorization Act had 1,500 pages of new \nlaws. The year before that, it had 1,400 pages of new laws. 
If \nyou go through and you put all those together, it really binds \nthe hands of executives in government no matter what the \ndepartment.\n    In the case of DHS, when they have all these overlapping \njurisdictions, it makes it even more complicated because then \nthey will be testifying on maybe the same law or theme for \nseveral different committees.\n    I think there is something here that is not right about the \nway government is working. My humble perspective.\n    Chairman Johnson. I do not know too many organizations that \nwould recommend having a 535-member board of directors.\n    Mr. Rosenbach. No, sir.\n    Chairman Johnson. We have kind of seen the results.\n    Secretary Manfra, do you have a comment?\n    Ms. Manfra. We have not done the analysis to answer your \nquestion specifically, though we would be happy to work with \nyou on that. I think from my perspective I feel that we have \nthe laws that we need to execute our job, and as Greg said, it \nis a lot about capacity to actually execute. I think what we \nare doing is looking across, whether it is laws, reporting \nrequirements, or regulations, where there are unnecessary \nburdens that are either put on the private sector or Federal \nagencies or whether maybe it is something useful but needs to \nbe implemented better. I know that is a fairly broad answer. It \nis only just because I do not have specific analysis.\n    Chairman Johnson. I will tell you, my attitude toward this, \nbeing Chairman of the Committee with jurisdiction over DHS, is \nwe will get referred to us all kinds of different bills that \nhave either passed the House or that are proposed by Senators, \nand we take all those very seriously. But we also take our \nresponsibility to make sure that the Department is in--and I do \nnot want to say ``total agreement\'\' because sometimes you have \nto potentially, with oversight do corrective action. 
But you \nsure would like to be cooperatively working with the Department \nto make sure that what is being passed out of here is \ncomplementary and helps you succeed in your mission, which is \none of the reasons that our DHS authorization--and Senator \nHeitkamp was helpful on this as well, recognizing just this \noversight and the number of committees of jurisdiction here, \nevery time I ask I get a different number. It keeps getting \nhigher.\n    In that DHS authorization, which is why I am really hoping \nthat we get that on the floor and pass it in its entirety, \nwould be at least a commission, because there are not many \ncommittees or subcommittees that are just willingly going to \ngive up their jurisdiction. But they need to understand--and, \nthat is why, Mr. Rosenbach, I really do appreciate your \ntestimony there. It is madness, and from my standpoint I think \nit puts at risk our national security and our homeland \nsecurity. I think that is just true.\n    Secretary Manfra, you talked about having the authorities, \nand I know in our briefing on election security, it is the \npoint you made as well. Now, maybe you have changed because you \nseem certainly open or appreciative, and I think we all \nappreciate the efforts here. Do you still believe when it comes \nto your role making sure that we have free and fair elections \nand they cannot be tampered with, does the Department have \nenough legal authority to do what you think needs to be done?\n    Ms. Manfra. Recognizing that this is a voluntary \npartnership, and I believe that is the right partnership model, \nI do believe that we have the authorities and the legal \nmandates to accomplish that mission. As we mentioned, we \nappreciate the $26 million. We have a fairly broad mission. We \nhave a lot of critical infrastructure, to include election \nsecurity, to include defending 101 Federal agency networks. 
I \nkeep going back to authorities, very important, and we are \ngrateful that we have them. But we also need to ensure that we \nhave the capacity to execute them.\n    Chairman Johnson. One aspect of security is just creating \nmodules that are completely separate. I do want to step through \na set of questions. Again, let me emphasize, I believe this is \na very serious issue. As Chairman of the European Subcommittee \non Foreign Relations, I have seen Russian interference for \nyears. We have held hearings on it, OK? The political \nassassinations, what they have done. I do not underestimate \nthis. But at the same time, I do not want to be playing into \nPutin\'s hands in terms of creating this great doubt in our \nelection system. I do want to hopefully provide some \nreassurance.\n    Let me start off, we spend billions of dollars--I am not a \nreal fan of the professional political campaign class for a \nnumber of reasons. A lot of that money is wasted. What did \nRussia apparently spend on Facebook? Was it even $1 million? \nHow effective is any political advertising? That would be my \nfirst point.\n    But in terms of voting machines, lest anybody think that \nthey can be manipulated through the Internet, Secretary Manfra, \nare any of them connected to WiFi or to the Internet?\n    Ms. Manfra. The best practice is to not connect them, and \nall the State and local officials that we talk to, they assure \nus that they do not.\n    Chairman Johnson. They do not. Now, some of them have no \ncapability--correct?--although some do have WiFi, they are \nWiFi-capable, and maybe that is something we should do, is make \nsure that those are disabled.\n    Ms. Manfra. That is correct. Not all of them have that \nWiFi, and they should absolutely be disabled.\n    Chairman Johnson. Now, the concern in terms of Russian \nmeddling, to me it would be three-fold. First of all, could \nthey get in and get into the voting machines and actually \naffect the tallies? 
Next is: Can they get in the voter file? By \nthe way, I am concerned about voter files that are not updated \nby election officials on the State and local level. That is a \nconcern. Then I think finally it really is the sowing of \nconfusion, the disinformation, doing exactly what the Obama \nAdministration was trying to prevent in its briefing in \nSeptember 2016, is get the American public questioning the \nlegitimacy of an election.\n    Let us go through affecting the vote tallies. How probable \nis that?\n    Ms. Manfra. Our assessment is that it would be nearly \nimpossible to achieve that undetected.\n    Chairman Johnson. Anybody want to dispute that?\n    Mr. Rosenbach. I do not know. I do not know anything from \nintelligence. What I do know is how good the Russian \nintelligence services are, and all the things they did to the \nDepartment of Defense even in classified networks. I personally \nfind it hard to believe that we would always be able to detect \nwhether the Russian intelligence services were penetrating into \nthat.\n    Here is a scenario. Sir, you know how dependent a lot of \nthe States are on vendors. There is no way those vendors\' \nnetworks are so secure that the Russians hypothetically could \nnot get in supply chains. There is not a great risk. That I \ncompletely agree with. But there will always be some.\n    Chairman Johnson. Which is one of the reasons in my voting, \nwe do it on a paper ballot, and we put it in an optical \nscanner, and you have the paper trail right there.\n    Mr. Rosenbach. Yes, sir. That is right.\n    Chairman Johnson. One of my favorite sayings is, ``All \nchange is not progress. All movement is not forward.\'\' As we \nhave upgraded to more electronic voting machines, I am glad \nthat in my voting precinct we do not do that.\n    Mr. Rosenbach. 
If I could say something, I do not want to \ninterrupt the flow of your questions, but the folks from \nWisconsin and the election team there came to the Kennedy \nSchool and literally have been probably near perfect partners \nin terms of all of the States who we have worked for. We had a \nteam that went to Wisconsin, looked at what they were doing, \nand learned from them. They came and helped us design a \ntabletop exercise for the other States. They participated in \nour tabletop exercise. It is those people who are very good \nabout thinking about resilience, and they get the problem. That \nis what gives me the most confidence, because they are there, \nthey are working on it. It is not in the abstract that their \nsystems----\n    Chairman Johnson. The reason I am taking the time and going \nthrough these details, I want to restore some confidence, \nbecause I think a lot of confidence, because I believe we need \nto take it seriously, but let us not blow it out of proportion. \nLet us in public display, talk about what the true risks are. \nIn terms of actually changing the voting tallies, very \ndifficult to do electronically--not impossible because they \nshare vendors, but those machines are offline. What are the \ncontrols in place? You have election observers, Republican and \nDemocrat, maybe Independent, at most voter precincts. Now, \ndepending on how Republican or Democratic a precinct is, the \neffectiveness of that might be an issue. But we have exit \npolls, we have pre-polls. Describe the controls that are in \nplace at a local election site to hopefully give the public \nconfidence that the vote tallies are going to be very difficult \nto change enough for them to have an effect, to really affect \nthe outcome of an election.\n    Ms. Manfra. Yes, sir, and I think you phrased it perfectly \nactually in the beginning of the hearing, it is about \nmitigation, and it is about risk mitigation. 
What we learned--\nand we spent a lot of time with election experts in 2016, \nbecause, again, we try to take a risk-based approach. We cannot \nfix everything. We cannot perfectly secure everything. We \ncannot defend everything. But what we can do is learn enough \nabout the risk and help people prioritize. A lot of cyber \npeople like to think about cyber solutions to their problems, \nbut the reality is that we have a very decentralized, for \nbetter or worse, election system. We have a lot of observers in \nthe process, and we have a way of tallying votes from that \nlocal polling station all the way up to the State that led us \nto that conclusion that there were so many observers in the \nprocess that somebody would note, there would be an indicator \nif something was wrong. That was where we got to this judgment.\n    Yes, there are security researchers and hackers out there \nthat can get into a voting machine, absolutely. But that is not \nthe way it works on an actual election day. These machines are \nprotected in warehouses, physically locked up. They are then \ntransported in a physically secure way to these polling \nstations.\n    Now, again, is this 100 percent trying to remove all risk? \nWe are not.\n    Chairman Johnson. No, listen, there is voter fraud. How \nextensive in my own mind probably not all that extensive except \nin a very close election maybe to affect the outcome.\n    Mr. Rosenbach, either agree or disagree or dispute it? What \nare your thoughts on that?\n    Mr. Rosenbach. No, sir, I agree, and, our project is just \none small thing. It is not the Department of Homeland Security. \nBut we have been trying to do the same thing. We have these \nplaybooks where State and local election officials see all \nthese best practices. They have been super-receptive to that. \nThey understand that this is a system of systems. 
It is \nactually least often the case that we worry about the election, \nthe electronic voting machine itself, as opposed to everything \nelse that could be in there, and the way that you respond to \nthat, just as you mentioned, is really important, incident \nresponse. Even if there were hypothetically something, if the \nSecretary of State with the local election officials came out \nand explained what may have happened, how you mitigated for \nthat, then the public is much more likely to say, ``OK, this \nlooks like something I can trust. The bad guys tried to get in. \nMaybe they did a little bit. Here is all the evidence.\'\'\n    We have found that that public communications aspect is \nmore challenging than any of the technical part, because \nprobably for very good reason, most State election officials \nare not really eager to get out in front of a camera and talk \nto the press about something that is as complex as a possible \ncyber info attack.\n    Chairman Johnson. But, again, that is what we are trying to \ndo right now, is reestablish some confidence that there are \naudit trails, there are recounts, there are things that would \nshow up that you would really start scratching your head and \ngo, ``There is a problem here.\'\' Let us say the vote totals \nexceed the number of people registered in a particular \nprecinct, we should actually have some examples of that as \nwell. But, that maybe is not malicious outside actors. That \ncould be just an example of voter fraud.\n    Ms. Manfra. Yes, sir, and if I could just add one thing, \nsince you mentioned auditing, we do encourage all States to \nhave an auditable trail. Not all of them have it. I was \nreferring to kind of the checks and the balance and the \nobservation of the vote count. Having an ability to go back \nforensically review and audit what happened I think is \nimportant. I want people to understand that there are some \nStates that still do not have it.\n    Chairman Johnson. 
Let us talk about the next area that \nthere could be some mischief in terms of voter files. That \ncould be malicious actors outside through--this I think would \nbe more concerning, which is one of the reasons I was not \nwilling to leave that briefing in September and say I have \ncomplete confidence, because I learned in that briefing that \nRussia had attempted to access voter files. That could be a \nproblem. But, how would that manifest? How would that show up? \nYou potentially go to your polling place and your name is not \non it, or a bunch of people\'s names are on there that should \nnot be on there. Also something that could come to light in the \nelection, but that is exactly what, for example, a country like \nRussia would be trying to do, is try and disrupt the election, \ndelegitimize it, produce a lack of confidence, correct?\n    Mr. Rosenbach. Yes, sir, that is right. In our research we \nfound that, again, election officials are used to doing \nbusiness continuity planning. They are used to being resilient, \nbecause something bad always happens in an election--the \nweather, electricity. The backup of the voter files in most \ncases was something they were doing on a regular basis anyway. \nEven if, depending on the State, on election day a certain name \nwas not on there, they have established standard operating \nprocedures (SOPs) for how to deal with those things. That is \nanother risk-limiting type function in the overall risk \nmitigation strategy that you would use.\n    Chairman Johnson. They can do, what do they call it? Not a \nprobationary ballot, but a----\n    Ms. Manfra. Provisional ballot.\n    Chairman Johnson. Provisional ballot, right.\n    Anybody else want to comment just in terms of the voter \nfiles? If you have a backup and then somebody hacks into it, \nyou are comparing those two, you can do a blend and go, ``Oh, \nthere is a problem here,\'\' right?\n    Ms. Manfra. 
Our assessment of the risk related to voter \nregistration files and why we are concerned about it, not just \nbecause we had instances of it happening and being targeted, \nagain, it is not so much about the privacy of the information \nbecause many of those registration files are not necessarily \nprivate. What it was about is to your third point, an ability \nto potentially sow confusion on voting day. Even though a \nprovisional ballot is available, if you are concerned, was and \nremains, if people think that they are in the wrong place, they \nmay decide, OK, well, I do not have time, or the lines get \nlong, it is those sort of more--I guess it would generally fall \nin the information operations side. But that sort of is why we \nwere concerned about voter registration databases.\n    Chairman Johnson. OK. My point in spending a fair amount of \ntime on this is to lay out the facts, lay out the reality, and \nprovide some level of comfort that there are a lot of checks \nand balances in this process. I think the decentralized nature \nof our elections provides even greater security. Is this a \nserious issue? Sure, and we need to take it seriously, and we \nneed to strengthen those controls. But I do not think we should \nblow this out of proportion and call into question the \nlegitimacy of either past or future elections. That is kind of \nmy main point. If you want to make a final comment on that \nbefore I move to my next points, Mr. Rosenbach?\n    Mr. Rosenbach. Sir, the only thing I would say is I \ncompletely agree that this is not about the previous election. \nIt did not impact the outcome. The point for me is the idea \nthat any other nation could or is designing to impact the \noutcome of our elections and influence our democracy is \nsomething that I think upsets every American and is exactly \nwhat you are saying----\n    Chairman Johnson. I agree. 
But, my point is what keeps me \nawake at night is shutting down the electrical grid, hacking \ninto our financial system. You want to talk about chaos, that \nwould be it right there. Yes, take this seriously looking \nforward, strengthen our controls, but there are an awful lot of \ncontrols in place that give me a fair amount of confidence, \nwhich puts this in terms of my things I worry about lower on \nthe priority list. We have to be cautious not to blow it out of \nproportion.\n    Let us just use an example. The fact that we were not able \nto attach to the omnibus the renaming of NPPD, somebody had an \nobjection. What type of turf wars are existing within this \nrealm? We have DHS, we have DOD, we have NSA, and we have the \nintelligence community. Do we have stovepipes? That is one of \nthe lessons we learned from 9/11. We had stovepipes; those \nneeded to be broken down. We need to work cooperatively.\n    Mr. Rosenbach, you were talking about kind of a national \ncenter for this, which from my standpoint, when you have to \nhave the private sector liaison plugging into some form of \ngovernment, you want a civilian agency like DHS. Yet we have \nresistance to that. Let us lay out the reality of what we are \ndealing with here.\n    Mr. Rosenbach. I really have no idea why someone would \nobject to NPPD changing their name. That seems to me one of \nthese extremely crazy cases of government where an organization \ncannot even rename themselves. We should probably do a case \nstudy at the Kennedy School about how inane this can be \nsometimes.\n    Chairman Johnson. It requires an act of Congress. It is \nbizarre to me.\n    Mr. Rosenbach. Yes, sir. It is not you, but people can pass \nall these laws about DHS, and they cannot even name themselves? \nHumble outsider, but it seems crazy.\n    Chairman Johnson. We will clip that testimony, too. \n[Laughter.]\n    Mr. Rosenbach. It is interesting. 
If I think back to when I \nwas first Deputy Assistant Secretary, which was almost 8 or 9 \nyears ago now, we did not get along with DHS, and no offense to \nJeanette, but DHS was kind of a mess. There were a lot of people \nsaying put DOD in charge of domestic cybersecurity, which would \nhave been a horrible idea. We worked it out. There was one very \nmemorable time when we were here in the Senate, and we did a \ntabletop exercise for the entire full Senate. Senator Mikulski, \nafter the tabletop exercise, pointed to the Cabinet, and the \nObama Administration said, ``Who is in charge when there is a \nhuge cyber catastrophe?\'\' No one there could actually \nunderstand, and so we worked through that. Things are much \nbetter now. We are making a lot of progress.\n    Chairman Johnson. Could they answer that question now?\n    Mr. Rosenbach. It is very clear. It is actually DHS. In \nterms of incident response, they know that they are in charge. \nNow, in terms of the hit back, that was DOD. But even those \nthings were not clear at the time, so there has been a lot of \nprogress, which I think is good.\n    That said, it now comes to the capability point. When I \ntalk about an idea I have about DHS having more capability to \ndo domestic cybersecurity things that could help critical \ninfrastructure, that is what gives them cachet with the private \nsector and with others, is if they bring something to the \ntable.\n    Chairman Johnson. Secretary Manfra.\n    Ms. Manfra. I do not think we were a mess. [Laughter.]\n    Chairman Johnson. You can always improve.\n    Ms. Manfra. 
It is good to testify next to former government \nofficials.\n    I think that Eric raises a really important point, though, \nthat the government as a whole has matured a lot in thinking \nabout cybersecurity and just generally how cyber is something \nthat is a part of nearly every mission that we do, whether you \nare a trade agency, FEMA, or the Department of Defense, the \nnotion that we operate on these systems and they are critical \nto our mission; but also that we have a lot of capability in \nthe government to deter and to disrupt the threat.\n    My Department has, I think, matured a lot, as we have \ntalked about quite a bit. We have had a great deal of \nauthorities in the past few years that we did not have \npreviously. That I think helps. We have had significant growth \nin my organization. When I first started there, 11 years ago-\nish, we had maybe 100 or 150 people, and now we are authorized \nup to 1,000. But we have a really big mission.\n    I have never received anything but full support from, \nwhether it is the intelligence community, CYBERCOM, or DOD. \nWhat I do think is that we have to continue to ensure that \neverybody is positioned to think about how do we best defend \nour networks. How do we use the information and the tools that \nthe government has available to it that is unique and ensure \nthat we defend that? I believe it is DHS\' role to drive that \nconversation, and I think as we have matured and we have \nlearned from industry, we are better at doing that within the \ninteragency.\n    Chairman Johnson. You have been at NPPD how long?\n    Ms. Manfra. Ten and a half years.\n    Chairman Johnson. OK, so you have spanned administrations, \nwhich is good. That provides a little bit of comfort.\n    Mr. Wilshusen, can you comment on this? Obviously, GAO has \ntaken a look at all the government. Have you witnessed any \nstovepipes, any turf wars?\n    Mr. Wilshusen. 
I will say that there could be at certain
times among the agencies, particularly early on. But I think
DHS has done a pretty good job as well, once it was given the
statutory authority to issue binding operational directives. In
the past, if DHS said something, there could have been some
conflicts with other sister agencies. But I think the way it
has shaken out with the authorities given to DHS and the way
DHS has exercised those authorities that some of the turf wars
have been alleviated.
    Chairman Johnson. One of the big issues with cyber, it is
just complex. I use the analogy of ``Gilligan's Island.'' On
this island most of us are Gilligans. Not too many professors
know how to make a battery out of a coconut. It is just the
vast majority of people do not understand this. We use the
device. We just had the hearing with Facebook. The vast
majority of people claimed, clicking on ``I accept the
policies,'' had no idea. I think there is great awareness of
how much of their private information is now available and is
being used, being monetized. That is a problem.
    I am going to ask my final question in two parts, and it is
unfair, but I am going to ask you to give me a number anyway,
because I did not do it on individual, but just overall I think
we have made a great deal of progress in this incredibly
complex environment. I think from this testimony I have been
given a little more comfort. We are getting our act together,
but it is difficult, it is complex, and the folks on offense
are always going to be--I do not know how far ahead. My sense
is over the last 7 years we are closing the gap.
    One of the beauties of cyber defense is you do not have to
build an expensive wall. It is code, and it can be really
implemented at the speed of light. But, people are always on
offense.
    My final question is, 0 to 10, how far have we come in
terms of implementing of what we need to implement, first of
all, in government but also then in the private sector?
Actually, let us start with the private sector. Madam
Secretary, why don't you start? Zero to 10, how far has the
private sector come in terms of cybersecurity and cyber
defense?
    Ms. Manfra. Well, it is----
    Chairman Johnson. By the way, what I should do is have you
rate--like ``Jeopardy?!'' write down your answer. [Laughter.]
    No, I mean it. Write down your answer first.
    Mr. Wilshusen. Over what period of time----
    Chairman Johnson. First on the private sector. OK, how far
have we come, 0 to 10 in terms of enacting cybersecurity?
    Mr. Wilshusen. Over what period of time?
    Chairman Johnson. The last 7 years. Where do we need to go?
It does not make any difference. Where do we need to go, if 10
is we have this nailed and we have the defense to really defend
against any offense? First of all, in the private sector and
then where are we in government? Do not be looking at each
other's work. [Laughter.]
    We really ought to have that theme song.
    Secretary Manfra, so what is your answer? I will trust you
to tell me.
    Ms. Manfra. I think if I could preface, it is hard to treat
the private sector as a monolithic entity.
    Chairman Johnson. Oh, even government. I know.
    Ms. Manfra. Just prefacing----
    Chairman Johnson. It is a very unfair question. I got it.
It gives me some indication though.
    Ms. Manfra. In talking about it in terms of how far we have
come, I would probably give us, both the private sector and the
government, in the 5 to 6 range. That is simply just because I
believe that we have come a really long way. However, to
truly--and I hope you will appreciate this. I talk a lot about
getting the advantage back to the defenders, and being from
Wisconsin, I believe defense wins championships, except for
maybe last year. But other than that----
    Chairman Johnson. You need a little offense every now and
then.
    Ms. Manfra. You need a little bit of offense. But I really
do believe that we can use the asymmetric advantage that the
United States does have, which is a strong industry in, whether
it is the financial sector or the Internet, we have a powerful
industry, we have a powerful government. What remains is
putting it all together. I think this is DHS' thing to own. We
do not own it completely. We have a lot of other partners in
this. But that is sort of why I would put us in that 5 to 6
range.
    Chairman Johnson. OK. But actually pretty equal between
government and private sector, not one ahead of the other?
    Ms. Manfra. It is different challenges, but I do think
equal.
    Chairman Johnson. Mr. Wilshusen.
    Mr. Wilshusen. Senator Carper once referred to me as a
``glass-half-empty'' type of guy, so I am going to go with a
little bit lower than Jeanette and probably go 3 and 4, and I
actually think----
    Chairman Johnson. Is that 3 government, 4 private sector?
    Mr. Wilshusen. Actually, no. The other.
    Chairman Johnson. OK.
    Mr. Wilshusen. Flipping. I actually think government may be
further along than----
    Chairman Johnson. Greater awareness, you think?
    Mr. Wilshusen. I think it is greater awareness, and it is
greater guidance from up at the top and having the standards
and the framework in place; whereas, it is more monolithic than
you say with the private sector, which is very heterogeneous
and has many different areas. I know that there are always--
when we go out to look at the security, which is not often, but
we do examine the security controls at certain private
companies, either providing services to the Federal Government
or others, we typically find just as many if not worse security
at those companies than we do find at the agencies. We find
pretty significant vulnerabilities at the agencies.
    I would say generally I think government has probably a
greater framework for its overall information security policies
and standards than do the private sector.
    Chairman Johnson. Mr. Rosenbach, are you a glass-half-full
or glass-half-empty?
    Mr. Rosenbach. I pride myself on being an optimist. Maybe
that is because I lived through like the last 8 years, seeing
all this bad stuff happen. I actually think the private sector
is closer to 7, maybe 7.5. That is primarily because the
cybersecurity industry and the tech sector are moving very
quickly, and there are a lot of options out there that
mitigate----
    Chairman Johnson. But not everyone in the private sector. I
mean, there are a lot of people down near 0.
    Mr. Rosenbach. Yes, of course. I think the government is 5.
If you said Department of Defense, I would say, OK, well, of
course, we are better than everyone else. [Laughter.]
    But that is easy to do when you can tell people what to do
and you have a $700 billion budget. But, overall, I think the
government is probably 5, and that includes government policy
about national security decisions, when we will respond to
stuff, when we will attribute things.
    Chairman Johnson. I know that is a very unfair question and
it is a very subjective answer, but it does give you some sort
of feel. We have come a long way. I think it is just obvious.
But we have quite a ways to go, and we cannot take our eye off
the ball here. These are very serious problems we face, an
enormous challenge.
    Again, I want to thank all of you for your testimony, for
indulging my lengthy questions here. I think this was an
excellent hearing, and I just want to thank you.
    With that, the hearing record will remain open for 15 days
until May 9 at 5 p.m. for the submission of statements and
questions for the record.
    This hearing is adjourned.
    [Whereupon, at 12:34 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]
</pre></body></html>