[Senate Hearing 115-475]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-475

                MITIGATING AMERICA'S CYBERSECURITY RISK

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS


                             SECOND SESSION

                               __________

                             APRIL 24, 2018

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        



                   U.S. GOVERNMENT PUBLISHING OFFICE                    
32-454 PDF                  WASHINGTON : 2019                     
          

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma             GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming             MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota            KAMALA D. HARRIS, California
STEVE DAINES, Montana                DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
                  Colleen E. Berny, Research Assistant
               Margaret E. Daum, Minority Staff Director
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Bonni E. Dinerstein, Hearing Clerk

                            
                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator McCaskill............................................     3
    Senator Hassan...............................................    13
    Senator Peters...............................................    15
    Senator Lankford.............................................    17
    Senator Harris...............................................    20
    Senator Carper...............................................    24
    Senator Jones................................................    26
    Senator Heitkamp.............................................    28
    Senator Daines...............................................    31
    Senator Hoeven...............................................    33
Prepared statements:
    Senator Johnson..............................................    51
    Senator McCaskill............................................    52

                               WITNESSES
                        Tuesday, April 24, 2018

Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and 
  Communications, National Protection and Program Directorate, 
  U.S. Department of Homeland Security...........................     4
Gregory C. Wilshusen, Director, Information Security Issues, U.S. 
  Government Accountability Office...............................     7
Hon. Eric Rosenbach, Co-Director of the Belfer Center for Science 
  and International Affairs at Harvard Kennedy School............     8

                     Alphabetical List of Witnesses

Manfra, Jeanette:
    Testimony....................................................     4
    Prepared statement...........................................    55
Rosenbach, Hon. Eric:
    Testimony....................................................     8
    Prepared statement...........................................    85
Wilshusen, Gregory C.:
    Testimony....................................................     7
    Prepared statement...........................................    64

                                APPENDIX

Electronic Privacy Information Center statement submitted for the 
  Record.........................................................    90
Responses to post-hearing questions for the Record:
    Ms. Manfra...................................................    92
    Mr. Wilshusen................................................   148
    Mr. Rosenbach................................................   173

 
                MITIGATING AMERICA'S CYBERSECURITY RISK

                              ----------                              


                        TUESDAY, APRIL 24, 2018

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, Hoeven, Daines, 
McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will come to 
order.
    I want to welcome our witnesses. Thank you for your time, 
your thoughtful written testimony, and I am looking forward to 
you answering our questions.
    The hearing is called ``Mitigating America's Cybersecurity 
Risk.'' I will first ask that my written opening statement be 
entered into the record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 51.
---------------------------------------------------------------------------
    I think the word ``mitigating'' is a good one. We are not 
going to solve this problem. The people on offense are 
continuing to increase their capabilities. I remember being 
briefed a couple of years ago about North Korea's capability. 
The consensus was they are far behind, for example, Russia and 
China. Now it sounds like they have really upped their game. 
They are always on the offense, they are always developing new 
tools, and we are playing defense and we are behind. I think we 
have to look at mitigating.
    I am mindful of the fact that the Department of Homeland 
Security (DHS) is very disappointed that we were not able to 
include in the omnibus the renaming of the National Protection 
and Programs Directorate (NPPD). I do not know who ever came up 
with that name. But, obviously, Cybersecurity and 
Infrastructure Security Agency (CISA) would be a better name 
for it.
    From my standpoint, it is bizarre, it is ridiculous that it 
requires an act of Congress for the Department of Homeland 
Security to rename an agency and restructure it so it actually 
does a better job. I do not get that, but that is the way it 
is. I do not know what the objection was. I think that might 
indicate further future problems in terms of lack of 
cooperation and coordination within the agencies, within 
committees, within Congress. But it is just unfortunate. We are 
going to do everything we can. Maybe a really good solution 
would be to pass the DHS authorization bill through the Senate 
that we passed through our Committee that includes that as 
well. But if that does not work, we will try and figure 
something out.
    We have passed a number of laws. I got here in 2011, and 
from day one everybody recognized cybersecurity is an issue, 
and it always kind of scares me when I hear this: ``We have to 
do something about it.'' Well, we have been doing things about 
it. We have been passing laws. I think we have plenty of laws 
on the books. I really do. The question is: Are we fully 
implementing them? Are some of these laws in conflict? Where 
are we at in terms of actually carrying out the laws, the 
authorities that you actually have?
    One of the things I will ask the witnesses, as you are 
talking about this--and, again, I read the testimony. This can 
be very confusing. Way too many acronyms. As you are evaluating 
and you are answering questions in terms of different laws, 
different initiatives, I would like to get some kind of sense 
how far we are. Zero, we have not done anything with it; 10, we 
have it nailed. I am not expecting any 10s, but I would just 
like some sort of sense as we are going through this--and if 
you do not provide it, I will chime in and kind of ask that 
level of assessment.
    I do not think there is any doubt that we have made 
progress in the last 7 years. In multiple hearings on 
cybersecurity, this has been a real priority of this Committee. 
I would always ask what the number one thing we have to do 
is: information sharing, and that we pass those laws. We have 
given liability protection. How well are they being utilized I 
think is the main question.
    I think the last statement I want to make, again, is just 
the potential turf battles, which I think is indicative of not 
being able to pass the renaming of NPPD in the last omnibus. I 
think that is a serious consideration. We need to probe that 
and find out where those stumbling blocks are. I realize there 
is always a little bit of a turf battle between the 
intelligence community (IC), the Department of Defense (DOD), 
National Security Agency (NSA), and DHS. From my standpoint and 
I think this Committee's standpoint, we just recognize DHS is 
the agency that really has the best capability of dealing with 
the private sector, and the threats that face our national 
security, really a great deal of them deal with the private 
sector, whether it is our financial system, whether it is our 
electrical grid system, those types of things. I cannot think 
of a better Department within government to be that focal point 
and do all those things.
    Again, this is very serious. I was telling the witnesses 
before the hearing, when I talk to young people, either in 
their last couple of years of high school or early in college, 
and they are contemplating what they want to do with their 
lives, what kind of degree program, I always say, ``Listen, if 
you want to get a job and a well-paying job that is going to be 
around for your working career, check out computer science with 
a concentration in cybersecurity, and you are going to be 
pretty well positioned.''
    I appreciate the witnesses being here. This is a priority 
of this Committee. It is a pervasive problem. It is not going 
away. We have got to make continuous improvement as best we 
can.
    With that, I will turn it over to our Ranking Member, 
Senator McCaskill.

           OPENING STATEMENT OF SENATOR MCCASKILL\1\

    Senator McCaskill. Thank you, Mr. Chairman. I appreciate you 
holding this hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator McCaskill appears in the 
Appendix on page 52.
---------------------------------------------------------------------------
    Hardly a week goes by without some type of cyber incident 
dominating the headlines. In the United States and the world, 
as we become more digitally connected, I suspect that trend 
will only continue and heighten over time.
    Our government is a lot older than the Internet, so we have 
had to retrofit technology into existing government structures. 
But unlike a lot of issues that naturally fit into a single 
department or agency, cybersecurity and data protection affect 
all aspects of government. In the last few years, however, 
Congress, and in particular this Committee, as the Chairman has 
just outlined, has made a great deal of progress enhancing the 
Federal Government's ability to track and improve its 
cybersecurity.
    We codified the Department of Homeland Security to 
coordinate the operational security of Federal systems. That 
included designating DHS as the hub for information sharing, 
running the intrusion prevention and detection programs that 
are now mandated throughout Federal departments, leading asset 
response activities, and coordinating the protection of 
critical infrastructure. When necessary, DHS also has the 
unique authority to direct another agency to take certain steps 
to protect its systems.
    While every department and agency is ultimately in charge 
of protecting its own systems, Congress has done a lot to make 
DHS the primary cyber coordinator for the civilian Federal 
Government. This hearing is an opportunity to assess how DHS is 
using those authorities and if these tools are measurably 
improving the agencies' awareness and security.
    As I mentioned, part of DHS' responsibilities also include 
coordinating critical infrastructure protection, but the 
majority of critical infrastructure is not federally owned or 
operated. This is certainly the case with election systems, 
which are owned and operated by State and local governments.
    We all know that the intelligence community assessed with 
high confidence that Russia launched a campaign to influence 
the 2016 election, part of which aimed to undermine the public 
faith in the U.S. democratic process. There is no question that 
Russia has had a clear plan to break the backbone of 
democracies wherever they exist. A component of that operation 
included attempts to hack into voter registration systems.
    In the months before the election, DHS stepped up and 
offered cyber assistance to States that wanted help. In the 
aftermath of the election, DHS designated election 
infrastructure as critical infrastructure, which enabled 
interested States and localities to jump toward the front of 
the line to receive help.
    In the roughly 2 years since this issue appeared on the 
radar of States and the Federal Government, DHS has made 
progress building relationships with election officials and 
associated organizations throughout the country and in helping 
interested States and localities assess and improve the 
security of their voting systems. There have certainly been 
some bumps in the road, but I think DHS is on the right track. 
That said, I have serious reservations about our level of 
preparedness. Just last week, DHS Secretary Nielsen declined to 
express confidence in the country's election security, 
admitting only that there is increased awareness of the threat. 
That is very troubling.
    Beyond that, I am concerned that this Administration has 
only been treating the symptoms of Russia's interference. U.S. 
policy toward Russia has been uneven at best, and at worst, I 
worry that we have not done anything to actually change Russian 
behavior and stop them from trying to undermine our 
institutions, especially the institution of democracy.
    I look forward to hearing our distinguished witnesses' 
assessments of our election security and our cybersecurity and 
how we can continue to improve it in the future.
    Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Senator McCaskill.
    It is the tradition of this Committee to swear in 
witnesses, so if you will all stand and raise your right hand. 
Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Ms. Manfra. I do.
    Mr. Wilshusen. I do.
    Mr. Rosenbach. I do.
    Chairman Johnson. Please be seated.
    Our first witness is Jeanette Manfra. Ms. Manfra currently 
serves at the Department of Homeland Security as the Assistant 
Secretary of the National Protection and Programs Directorate, 
Office of Cybersecurity and Communications. Ms. Manfra.

TESTIMONY OF JEANETTE MANFRA,\1\ ASSISTANT SECRETARY, OFFICE OF 
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND 
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Manfra. Thank you, sir. Chairman Johnson, Ranking 
Member McCaskill, and Members of the Committee, thank you for 
today's opportunity to discuss the Department of Homeland 
Security's ongoing efforts to reduce and mitigate cybersecurity 
risks. Safeguarding and securing cyberspace is a core homeland 
security mission.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Manfra appears in the Appendix on 
page 55.
---------------------------------------------------------------------------
    For the last decade, I have worked to advance the 
Department's cybersecurity and critical infrastructure mission. 
I have personally witnessed the commitment, dedication, and 
tireless efforts of the men and women at DHS. As cyber threats 
have evolved in times of calm and in times of crisis, these 
employees have never wavered in their duty to protect our 
homeland, and I am proud to serve alongside them as we work to 
address these important and sometimes complicated national 
security issues.
    On behalf of our workforce and our leadership, I want to 
thank this Committee for advancing legislation over the last 
few years that has strengthened our authorities and enabled us 
to better protect Federal networks and critical infrastructure. 
Now, as the Chairman mentioned, we must move to the next step: 
to create the Cybersecurity and Infrastructure Security Agency 
at DHS, which would see our organization, the National 
Protection and Programs Directorate, become a new agency.
    This change reflects the important work we carry out every 
day on behalf of the American people to safeguard and secure 
our critical infrastructure. We strongly support this much 
needed effort and urge quick action by Congress to pass this 
law.
    Malicious cyber operations remain one of the most 
significant strategic threats for the United States, holding 
our national security, economic prosperity, and public health 
and safety at risk. Over the past year, network defenders have 
seen the threat landscape grow more crowded, active, and 
dangerous. One single breach at Equifax by cyber criminals 
resulted in the online exposure of sensitive personal 
information belonging to nearly half of all Americans. North 
Korea's WannaCry ransomware spread to more than 150 countries, 
paralyzing industries from health care to hospitality. The 
Russian military-sponsored NotPetya attack was the most 
destructive and costly cyber attack in history causing billions 
of dollars in damage across Europe, Asia, and the Americas.
    We have taken steps to empower public and private partners 
to defend against many of these threats by publicly attributing 
State-sponsored activity, issuing technical indicators, and 
providing mitigation guidance. Since June 2017, DHS and the 
Federal Bureau of Investigation (FBI) have published eight 
technical alerts and malware reports to provide details on the 
malicious cyber tools of the North Korean Government.
    We have also published technical details and alerts 
regarding Russian-sponsored cyber activity, including 
operations that targeted U.S. Government and business in the 
energy, nuclear, water, aviation, and critical manufacturing 
sectors. These actors also collected information pertaining to 
industrial control systems.
    Last week, DHS joined our colleagues at the FBI and the 
United Kingdom's National Cybersecurity Center to publish the 
first international joint alert, which included details and 
mitigation guidance regarding worldwide cyber exploitation of 
network infrastructure devices such as routers. With high 
confidence, we assessed that Russian State-sponsored cyber 
actors are using compromised routers to support espionage, 
extract intellectual property, maintain persistent access to 
victim networks, and potentially lay a foundation for future 
offensive operations.
    DHS is also working to enhance cyber threat information 
sharing across the globe to stop incidents before they start. 
These actions help businesses and government agencies protect 
their systems and quickly recover should such an attack occur. 
While in many cases our defenses have been successful in 
mitigating these threats, we must continue to work to ensure 
our cyber defenses keep pace with technological change and 
evolving risks.
    I want to assure this Committee that DHS is embracing our 
statutory responsibility to administer the implementation of 
Federal agency cybersecurity policies and practices. This 
Committee played a key role in championing the passage of the 
Federal Information Security Modernization Act (FISMA) 2014, 
which provided the Secretary of Homeland Security the authority 
to develop and oversee implementation of binding operational 
directives (BOD) to agencies. We have issued a total of six 
binding operational directives, all of which are now public.
    I will discuss one of them, which was the very first BOD 
that we issued, and I am happy to answer any questions on 
others. But as an example, the first BOD we issued was around 
reducing the time to patch known critical vulnerabilities. When 
we issued this binding operational directive, we were not at the 
industry standard of time to patch being less than 30 days. 
After we issued this binding operational directive and provided 
repeated reports to agencies, we are now consistently reducing 
the time to patch to less than 30 days. In addition to our 
efforts to protect government networks, we are focused on how 
government and industry work together to protect the Nation's 
critical infrastructure.
    Before closing, I want to address an issue that I know 
concerns many in this Congress and among the American public. 
As Secretary Nielsen said last week, 2 years ago the Russian 
Government launched a brazen, multifaceted influence campaign 
aimed at undermining public faith in our democratic process 
generally and our election specifically. That campaign involved 
cyber espionage, public disclosure of stolen data, cyber 
intrusions into State and local voter registration systems, 
online propaganda, and more. We cannot let it happen again, and 
that is why DHS has adopted an aggressive posture for helping 
to defend our election infrastructure.
    We are leading the interagency effort to provide voluntary 
assistance to State and local officials but, more importantly, 
to help them understand the risk and ensure that when the 
government has information of value to them that we get it to 
them.
    We will continue to coordinate and collaborate and support 
State and local officials during the 2018 elections. But cyber 
actors can come from anywhere, internationally or within the 
borders, and we are committed to ensuring a coordinated 
response from DHS to plan for, prepare, and mitigate risk to 
election infrastructure.
    Thank you, and I look forward to your questions regarding 
our efforts to enhance the Nation's cybersecurity.
    Chairman Johnson. Thank you, Ms. Manfra.
    Our next witness is Greg Wilshusen. Mr. Wilshusen currently 
serves as Director of Information Security Issues at the U.S. 
Government Accountability Office (GAO). Mr. Wilshusen.

  TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION 
     SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Johnson, Ranking Member McCaskill, 
and Members of the Committee, thank you for the opportunity to 
testify at today's hearing. At your request I will discuss our 
work related to Federal programs implemented by DHS that are 
intended to improve the cybersecurity of networks and systems 
supporting Federal operations and our Nation's critical 
infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wilshusen appears in the Appendix 
on page 64.
---------------------------------------------------------------------------
    Before I do, if I may, I would like to recognize several 
members of my team who were instrumental in preparing my 
statement and the work underpinning it. With me today are Tammi 
Kalugdan and Di'Mond Spencer, who are seated right behind me. 
In addition, Larry Crosland, David Plocher, Kush Malhotra, and 
Priscilla Smith also made key contributions.
    Mr. Chairman, Ranking Member McCaskill, consistent with the 
statutory authorities, DHS has made important progress 
implementing programs and activities that are intended to 
protect Federal and private sector networks and systems. For 
example, the Department has provided limited intrusion 
detection and prevention capabilities to entities across the 
Federal Government. It has also issued cybersecurity-related 
binding operational directives to Federal agencies, has served 
as the Federal-civilian interface for sharing cybersecurity-
related information with Federal and non-Federal entities, and 
promoted the use of the National Institute of Standards and 
Technology (NIST) Framework for Improving Critical 
Infrastructure Cybersecurity, and partially assessed its 
cybersecurity workforce. However, DHS needs to take additional 
actions to assure that it successfully mitigates cybersecurity 
risk.
    First, DHS needs to enhance the capabilities of the 
National Cybersecurity Protection System (NCPS). In 2016, we 
reported that NCPS had provided the Department with only a 
limited ability to detect and prevent potentially malicious 
activity entering and exiting computer networks of Federal 
agencies. DHS also had not developed much of the planned 
functionality of the system's information-sharing capability.
    Second, DHS needs to evaluate the activities of the 
National Cybersecurity and Communications Integration Center 
(NCCIC) more completely. In 2017, we reported that the extent 
to which NCCIC had performed its required functions in 
accordance with statutorily defined implementing procedures was 
unclear because the center had not established metrics and 
methods by which to evaluate its performance.
    We also identified several impediments to the center 
performing its functions more efficiently, such as the lack of 
a centralized system for tracking security incidents and not 
maintaining current contact information for all owners and 
operators of the most critical cyber-dependent infrastructure 
assets.
    A third activity is that DHS needs to better measure the 
effectiveness of its cyber risk mitigation activities with 
private sector partners. In fiscal years (FY) 2016 and 2018, we 
reported that in its role as the lead or co-lead Federal agency 
for collaborating with partners in 10 critical infrastructure 
sectors, DHS had not developed metrics to measure and report on 
the effectiveness of its cyber risk mitigation activities, 
including activities promoting and assessing private sector 
adoption of the NIST Cybersecurity Framework or on the 
cybersecurity posture of those sectors.
    Fourth, DHS needs to identify all of its cybersecurity 
workforce positions and critical skill requirements. In 2018, 
we reported that the Department had taken steps to assess its 
cybersecurity workforce; however, it had not identified all of 
its positions or its critical skill requirements.
    Since fiscal year 2016, we have made 29 recommendations to 
DHS to enhance the capabilities of NCPS, establish metrics and 
methods for evaluating its performance, and fully assess its 
cybersecurity workforce, among other things. The Department 
generally concurred with these recommendations. As of this 
month, most of the recommendations remain open, and we are 
working with DHS to close the recommendations as they are 
implemented.
    Chairman Johnson, Ranking Member McCaskill, this concludes 
my opening statement. I would be happy to answer your 
questions.
    Chairman Johnson. Thank you.
    Our final witness is Eric Rosenbach. Mr. Rosenbach is the 
co-director at Harvard University's Belfer Center for Science 
and International Affairs. Mr. Rosenbach also previously served 
as the Deputy Assistant Secretary of Defense for Cyber Policy. 
Mr. Rosenbach.

  TESTIMONY OF THE HONORABLE ERIC ROSENBACH,\1\ CO-DIRECTOR, 
 BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, JOHN F. 
        KENNEDY SCHOOL OF GOVERNMENT, HARVARD UNIVERSITY

    Mr. Rosenbach. Chairman Johnson, Ranking Member McCaskill, 
other distinguished Members, thank you for calling today's 
hearing on mitigating America's cyber risk and for the 
invitation to testify. Thank you also to your hardworking staff 
who do everything to put a hearing like this together.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Rosenbach appears in the Appendix 
on page 85.
---------------------------------------------------------------------------
    Just for a moment, imagine you are watching a science 
fiction thriller about war in the information age. During the 
opening scenes of this movie, sophisticated ransomware shuts 
down the government of a major city for more than a week. A 
different type of weaponized ransomware, previously deployed by 
North Korean cyber operators, hits the aircraft production 
lines at a major aerospace company. Later, the Department of 
Homeland Security reveals that Russian cyber operatives have 
compromised important aspects of the Internet's routing 
infrastructure, and as the plot thickens in this movie, the 
intelligence community confirms that Russian military 
intelligence operatives have placed the same malware they used 
to take down the Ukrainian power grid twice throughout the 
energy infrastructure in the United States. As the candidates 
in this movie approach their midterm elections, all of the 
actors playing experts agree that the risk of Russian cyber and 
information attacks against election systems is imminent.
    Sitting in the movie theater watching all this unfold, you 
would probably scream to yourself, ``Why are they just sitting 
there watching all of this happen?'' But as you know, all those 
events are real, and they happened within the last several 
weeks.
    Against this stark reality, America must come together to 
build real capability and take real actions to address these 
threats. This hearing and the Committee's framing of the 
problem we face as one of managing cyber risk is important. We 
will not eliminate cyber threats to America, but we can 
mitigate them. To manage cyber risk, the government must lead a 
whole-of-nation effort in three specific areas: first, to 
bolster our domestic capabilities for defense; second, to 
develop precise and legal offensive cyber capabilities to 
disrupt cyber and information attacks at their source; and, 
finally, adopt a clear, public deterrence posture.
    For the purposes of my oral statement, I will just hit on 
some of the key aspects of that first area.
    Cyber risk affects all corners of our economy and society. 
Congress can do more to incentivize the private sector to act. 
In particular, Congress should: mandate that critical 
infrastructure providers adopt the NIST Cybersecurity 
Framework; establish baseline standards for the manufacturers 
and distributors of the ``Internet of things (IOT),'' and these 
devices include things such as home routers, security systems, 
and thermostats, all of those IOT devices; and, very 
importantly, ensure that online platforms--primarily Facebook 
and Twitter--are not used as the tools for foreign adversary 
information operations.
    Organizations outside government must also play a role in 
protecting the Nation from cyber attack. The Defending Digital 
Democracy Project that I co-lead up at Belfer Center at the 
Harvard Kennedy School, along with Robby Mook and Matt Rhoades, 
works very closely with States to improve their ability to 
mitigate cyber risk to our election systems. It is clear from 
our work with the States that they take this risk very 
seriously. But the States simply are not equipped to face the 
pointy end of the spear of cyber attacks from nation-state 
adversaries who are spending billions of dollars and dedicating 
thousands of cyber operators to advance their national 
interests.
    Our research and work also found that under the leadership 
of Secretary Nielsen, Under Secretary Krebs, and Assistant 
Secretary Manfra, DHS has improved support to the States. We 
also saw that the Department's efforts to provide real 
capability are important. Cybersecurity scans and risk 
assessments to the States have been very productive to help 
mitigate risk, and Congress should continue to support these.
    Furthermore, Congress should support the development of a 
DHS cybersecurity capability and provide robust resources and 
authorities for an operationally focused cybersecurity agency. 
This is more than bureaucratic box-shuffling. The Nation needs 
an expert-level organization that provides critical 
infrastructure operators with the support that could make a 
real difference in mitigating the risk of foreign cyber attack.
    When it comes down to protecting elections and critical 
infrastructure, State governments should also look very closely 
at strengthening the role that the National Guard and State-run 
fusion centers play in election-related threat information 
sharing. This potent combination will provide an important hub 
for sharing threat intelligence and cybersecurity capability.
    Thank you again for the opportunity to testify. I submit my 
formal testimony for the record and look forward to answering 
any questions you have.
    Chairman Johnson. Thank you, Mr. Rosenbach. I will defer my 
questioning until the very end to be respectful of Members' 
time. I will go to Senator McCaskill.
    Senator McCaskill. Great. Let me start with the 21 States. 
Assistant Secretary Manfra, you testified before the Senate 
Intelligence Committee that 21 States were affected by Russia's 
cyber activity. But my understanding is that number only 
reflects the States where there were sensors or tools in place 
to capture the Russian activity. Is that correct?
    Ms. Manfra. Yes, the 21 States references the visibility 
that we had, whether that was the intelligence community or the 
sensors of Russian targeting of State infrastructure related to 
elections.
    Senator McCaskill. But have we checked with the remaining 
States to determine whether they had tools in place that would 
have captured that activity?
    Ms. Manfra. Many of the States did have some capability 
that could have captured it.
    Senator McCaskill. How many?
    Ms. Manfra. I do not know off the top of my head, ma'am.
    Senator McCaskill. That would be something we would want to 
know, because I think the American people have been misled 
here, because it is my understanding that a number of the 
States do not have the tools to capture that activity, so we 
really have no idea how many States Russia tried to hack.
    Ms. Manfra. That is correct, ma'am, and I think we can 
assume that the majority of States were probably a target. What 
we have is the visibility that we had at the time. What I can 
also say is that we have many more States now who are moving 
their systems behind those sensors that we have deployed via 
the Multi-State Information Sharing and Analysis Center (MS-
ISAC), so we are increasing our visibility.
    Senator McCaskill. I think the thing that I did not realize 
until I began really understanding what happened is the 
impression that was given at the time is that we had knowledge 
that 21 States were hacked, and the assumption was that the 
remaining States were not hacked. But, in fact, that is an 
incorrect assumption.
    Ms. Manfra. Twenty-one States were not hacked, ma'am.
    Senator McCaskill. There was an attempt to target 21 States 
that we know of by Russia in terms of their voter registration 
systems.
    Ms. Manfra. There was targeting via scanning, which is a 
common activity on the Internet. The reason we are concerned is 
because of where it was coming from, and the actual attempts to 
get into systems which was a much smaller number. But, yes, 
ma'am, you are correct. We only had the visibility that we had, 
and I believe I have been clear about that as I have discussed 
it. But, yes, how the media reports it I cannot control.
    Senator McCaskill. I sympathize with you there. We cannot 
control how it gets reported. But I want to make clear today on 
the record that it is likely that all 50 States were likely 
affected and that States that were not on that list were less 
vulnerable. But that is simply not true. States that were not 
on that list, in fact, might be more vulnerable.
    Ms. Manfra. I would not necessarily make a connection 
between vulnerability in the States as to whether they were 
targeted. Every organization is scanned a lot, sometimes 
thousands of times a day. What we were trying to differentiate 
between is what we saw, very concerning activity from known 
suspicious servers in this case that, as far as the visibility 
we had, and they were targeting to look for vulnerabilities. 
Most of the States that we had visibility into did block it.
    Your overall point is correct, ma'am. I just do not want to 
make this----
    Senator McCaskill. Yes, I just think we all kind of go, OK, 
21 States, they were not successful, OK, good, not a problem, 
when in reality I think the more accurate pronouncement would 
have been probably tried all the States, these were the States 
we could see they were trying.
    Ms. Manfra. That is correct. Fact-based, 21 States, but we 
can absolutely make the assumption that more would have been 
targeted.
    Senator McCaskill. OK. How many people does DHS have 
working full-time focused on election security and election 
infrastructure?
    Ms. Manfra. Ma'am, I will have to come back to you with the 
exact number, but the Election Task Force comprises about 10 to 
15 people.
    Senator McCaskill. They do this full-time, nothing else?
    Ms. Manfra. The majority of them are doing this full-time, 
and then we have it prioritized for all the other teams 
throughout my thousand-person organization.
    Senator McCaskill. OK. I would like the number of how many 
people are working full-time on election security and 
infrastructure security. Is it someone's job to just focus on 
election security?
    Ms. Manfra. Yes, Senator. We have a senior person who has 
been working in my organization for a long time. His job 100 
percent of the time is running the Election Task Force.
    Senator McCaskill. OK. Seventeen States have requested risk 
assessment?
    Ms. Manfra. Yes, ma'am.
    Senator McCaskill. Can you give us insight as to why States 
are declining the assistance?
    Ms. Manfra. It varies. Many of the States we talk to 
already have this type of service from the private sector, 
which we enthusiastically endorse. These are services that are 
provided by the market.
    Senator McCaskill. They are paying for that?
    Ms. Manfra. Yes.
    Senator McCaskill. Yours is free?
    Ms. Manfra. Yes, ma'am.
    Senator McCaskill. You will not tell me whether my State is 
one of those?
    Ms. Manfra. Missouri is working with us. I would have to 
direct you to Missouri for more details on what they are doing.
    Senator McCaskill. At DHS' request Congress included $26 
million for the Department's election work in the omnibus. Mr. 
Rosenbach, you are an outside observer of the work DHS has been 
doing, and you have been visiting election officials throughout 
the country. Every time I ask DHS if they need more resources, 
they have to say they are doing their work with the resources 
they have.
    As an outside observer, do you think we need to scale up 
the DHS efforts? Or is it right-sized?
    Mr. Rosenbach. Yes, ma'am, it is always easier when you are 
on the outside to answer money questions, but I would say I am 
sure that Secretary Manfra would benefit from additional 
resources, both financial and personnel. Making sure that they 
are good and capable is always a challenge. But this is one of 
the most important national security issues facing the country 
right now. Twenty-six million dollars is not very much money in 
the----
    Senator McCaskill. It is not very much money. How many 
people are waiting right now for an assessment that have not 
been able to get it yet? How many States, I should say?
    Ms. Manfra. Nobody in the election community is waiting for 
an assessment. Because we prioritized them, we now have a 
significant backlog in other critical infrastructure sectors in 
Federal agencies, but nobody in the election community is 
waiting.
    Senator McCaskill. If someone decided tomorrow that they 
wanted to get this done, you would be able to accommodate that 
prior to the elections beginning later this year?
    Ms. Manfra. Yes, ma'am.
    Senator McCaskill. OK. Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Senator McCaskill.
    I am going to take just a couple of minutes to make a point 
and also ask a question. I was in the September 2016 briefing. 
Senator Carper was there. Ms. Manfra, you were there. We were 
briefed about Russian attempts in the election, and it was 
Secretary Jeh Johnson, it was FBI Director James Comey, and 
Lisa Monaco, a member of the Obama Administration.
    The thrust of that briefing, without providing any 
classified information, was Russia has attempted this, they 
have attempted to hack into voter files, but the Administration 
has this under control, they are in contact with the States, 
and the main message we want you as Members of Congress, 
because it is so important in terms of the stability of our 
democracy to let the public know that we have this covered, and 
that the election in November will be legitimate.
    First of all, is that pretty much an accurate description, 
Ms. Manfra, of what we were being told as Members in that 
briefing?
    Ms. Manfra. Yes, sir, my recollection was that the 
leadership laid out the risk as they saw it, the intelligence 
as we saw it, but that is a fair conclusion.
    Chairman Johnson. From my own standpoint, because I heard 
that they were trying to access voter files, I was not willing 
to make that statement publicly, but I told the briefers that I 
am not going to dispute if you go out there and talk about 
that, because I think there are plenty of controls, a number of 
things that we can look to indicators in terms of whether 
voting tallies or an election have actually been affected in 
some way, shape, or form.
    This is a serious issue, no doubt about it, but I think we 
also have to be very careful not to blow it out of proportion. 
When I am looking at the problems with cybersecurity, I am far 
more concerned about attacks into our electrical grid or into 
our financial system. They could be unbelievably disruptive, 
and there may not be controls.
    We may be playing into Russia's hands, quite honestly. They 
are achieving exactly what they wanted to achieve, to all of a 
sudden call into question the legitimacy of the election. We 
have no control over these things, and this is an enormous 
problem that threatens our democracy. I just do not think that 
is the case. I think we need to take this issue seriously. We 
need to push back. We have obviously imposed sanctions on 
Russia, but we need to keep all these things in perspective and 
really focus on, in terms of DHS' time, you always have to 
prioritize things, the things that could really bring down this 
country. That from my standpoint is the other aspect of our 
critical infrastructure.
    That is my statement and my questions. Senator Hassan.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you very much, and I thank Senator 
Peters for deferring to me. I have a vote at 10:45. We have 
worked it out with collaboration.
    Chairman Johnson. You guys are moving all over on me.
    Senator Hassan. First of all, welcome to the panel, and as 
always, I am sorry that we are all in and out at multiple 
committee hearings.
    I wanted to start with a question to you, Ms. Manfra, 
because I am very concerned about election security. I do think 
it is the bedrock of our democracy, and I think we have to take 
it incredibly seriously. As you know, the 2018 election cycle 
is well underway. Six States have held their primaries, and 
dozens more will do so in the next couple of weeks.
    To this point, has DHS detected any cyber activity 
targeting election infrastructure by Russia or any other actors 
during this election season?
    Ms. Manfra. We have not at this time, ma'am.
    Senator Hassan. Thank you. Last week, when Secretary 
Nielsen was asked whether she had confidence in U.S. election 
security, she did not provide the assurances that many of us 
wanted or, frankly, expected to hear from her. Do you have 
confidence in the security of our Nation's election systems? If 
not, then why?
    Ms. Manfra. If I may, because I was there when Secretary 
Nielsen was speaking, what she was trying to convey and what I 
believe she did convey, which is the same sentiment that I 
have, is we do not have perfect visibility into every State and 
local system. What we have confidence in is that DHS is doing 
everything that we can, that the government is doing everything 
we can, and that we have greater visibility than we did in 
2016. Not to parse words, ma'am, but to be clear, in no sector 
would I ever say I have complete confidence that nothing will 
ever happen, because that would be a foolhardy statement, I 
believe.
    Senator Hassan. Thank you for that clarification. I would 
encourage DHS, as many of us have been, to continue to reach 
out to the States. The States obviously have their own 
obligations and constitutional responsibilities, and I think 
intense collaboration is called for every single day as 
vigilantly and constantly as possible. I thank you for your 
efforts, and I look forward to hearing and seeing more of the 
results from those efforts.
    I also had a question, Mr. Rosenbach, for you. It is nice 
to see you again. Last year, you testified before the Commerce 
Committee on emerging cyber technologies. I serve on that 
Committee, and we discussed the need to secure the Internet of 
things at the hearing. You emphasized that the government needs 
to lead the effort to secure the Internet of things, and I see 
in your testimony today that you argue for the establishment of 
baseline security standards for the manufacturers and 
distributors of these Internet-connected devices.
    Given these positions, I want to draw your attention to a 
bill which I was an early cosponsor of, the Internet of Things 
Cybersecurity Improvement Act, which was introduced by Senate 
Intelligence Committee Ranking Member Mark Warner. This bill 
requires that when the Federal Government purchases an 
Internet-connected device for government use, the devices must 
adhere to specific minimum cybersecurity standards as 
established by the National Institute of Standards and 
Technology. According to one report, the Federal Government 
purchases more than $8 billion worth of Internet-connected 
devices each year.
    The idea behind this bill is that the Federal Government as 
a major purchaser of Internet-connected devices will lead the 
way on Internet of things security and will push the consumer 
market to step up its security efforts as well.
    Mr. Rosenbach, given your advocacy for minimum standards 
for Internet of things security, what is your opinion of the 
approach in Senator Warner's bill as a first step toward 
achieving the goals you laid out?
    Mr. Rosenbach. Thank you, Senator. I have looked at the 
bill, and I am a very strong believer in improving the security 
of the Internet of things. I think you always need to be 
careful about a regulatory approach, but from my professional 
perspective, many of the things that you lay out in that bill I 
think are very strong, and we need to do something in this 
space given the tremendous growth of devices that are connected 
to the Internet. Having government use its contracting leverage 
I think is a good place to start.
    Senator Hassan. Thank you very much. I appreciate that. I 
will submit my other questions for the record.
    Thank you again, Mr. Chair, and Senator Peters for your 
deference.
    Chairman Johnson. Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Thank you, Mr. Chairman. And thank you to 
the witnesses for your testimony here today.
    Well, obviously, as we have been having this discussion 
about elections and with local governments, I think it leads to 
the question that I have for you. With the creation of and 
support of processes to ensure coordination between the Federal 
entities and State authorities during cyber events, it is 
certainly essential that we have effective responses. So my 
question, Ms. Manfra, is: How exactly is the DHS promoting 
alignment of State cybersecurity plans with the National Cyber 
Incident Response Plan? And are there barriers to encouraging 
States or incentivizing States to align these plans?
    Ms. Manfra. Thank you, sir. Great question. We have been 
working with States for some time, though I have been stepping 
up those efforts not just for elections but just in general, of 
how States protect personally identifiable information (PII) 
that they have access to, which is a tremendous amount of data 
that is stored on their networks. We are leveraging a lot of 
the work that we have done on public safety communications 
around trying to address interoperability challenges to how we 
might address some of the cybersecurity and having the planning 
phase be very collaborative and tailored to the State. Every 
State is very different, whether they have a centralized 
network approach or not. We are working with the National 
Governors Association, policy academies, and we have technical 
assistance capabilities where we can help States organize 
themselves and develop a plan.
    Then there are a few kind of outstanding questions, I would 
say. We are working with the Federal Emergency Management 
Agency (FEMA) and the States to think about, from a cyber 
perspective, what fits in existing emergency management 
frameworks where we already have a well-defined process for how 
a Governor, National Guard, or other organizations that we 
traditionally use as a physical incident, if you will, goes 
from local to more significant. I believe that we want to 
leverage that as much as possible, but there are certain 
scenarios where it is less clear about what is the Governor's 
role in a certain situation. Is it because the company is 
headquartered there, for example? But if it is a multinational 
company, what does that look like?
    There are still some outstanding questions, and I believe 
the States have rightly been pushing to have some of these 
questions answered so it is clear on what the expectations are, 
if that answers your question.
    Senator Peters. It does, and you bring up FEMA. That 
actually leads to my next question here. According to a 2017 
National Preparedness Report, while States and territories 
continue to indicate that cybersecurity is a high priority, 
most actually rate themselves as lacking proficiency in it more 
than in any other core capability. In the past DHS and FEMA have used 
preparedness grants to drive action toward agreed-upon 
deficiencies or priorities, as you know. Despite being an 
allowable expense under a number of preparedness grant 
programs, spending on cybersecurity-related activity is just a 
fraction of that spent on other capabilities, even though they 
rank it so lowly.
    My question is: Has there been any consideration with DHS 
to change grant guidance or selection criteria for any existing 
State and local preparedness grant programs to push State and 
local governments to spend money to address what is an admitted 
lack of proficiency in cybersecurity?
    Ms. Manfra. First, I will speak to the grants question, and 
then to some other areas where we are working to shore up some 
of their gaps. I have been working very closely with FEMA, 
though they are not the only grants that can be leveraged for 
cybersecurity purposes. We are working broadly within the 
Federal grant community, but more specifically with FEMA, how 
can we provide more specific guidance on what we would like to 
see States buy. Cybersecurity is very broad, sometimes 
overwhelming, and for organizations to try to figure out how to 
prioritize their limited resources, they are trying to provide 
more discrete guidance, working with State and local officials, 
working with grants administrators to figure out first why are 
they not using more grant money for this gap and what more 
specific guidance.
    The other area that is a challenge is personnel, and our 
Scholarship for Service Program, which I think has not been as 
widely known as it should be--it is called the ``CyberCorps: 
Scholarship for Service,'' us, the NSA, work with the National 
Science Foundation to fund scholarships, 2-, 4-, and plus-year 
scholarships. The only requirement is that they serve in a 
government agency, meaning State and local governments can 
benefit from these students coming out of these programs. The 
government has already paid for the scholarships, and the State 
and local agencies can benefit.
    While I want these personnel as well, because I have just 
as many challenges, we are working with the States to make sure 
they are aware of it and have access to these personnel coming 
out of these programs.
    Senator Peters. You raise the issue of personnel, and that 
leads to my final question. I want to touch briefly on an 
effort that I am working on with my colleague Senator Hoeven, 
and I hope the Committee will take up a bill in our next 
markup, which is Senate bill 2620, the Federal Cybersecurity 
Joint Duty Program, which assists the Federal Government in 
developing an integrated cybersecurity workforce and allows 
rotation, similarly in the intelligence community as well as in 
the defense community. All of the witnesses could respond, if 
you would. In your opinion, would a joint duty program that 
provides rotational opportunities to cybersecurity employees be 
beneficial to both cyber employees as well as the Federal 
Government as a whole? We can start at this end.
    Mr. Rosenbach. Yes, sir, I think this is a great idea. 
Having worked in the Department of Defense the last 8 years, it 
would be really important for U.S. Cyber Command (CYBERCOM) 
people to be able to go help out DHS, learn from DHS as well, 
along with some of the other agencies. It sounds like a great 
idea.
    Senator Peters. Great. Thank you.
    Mr. Wilshusen. I would agree. Anytime you can bring in new, 
fresh ideas and gain greater perspective on how to secure 
systems, it is going to be a benefit to all.
    Senator Peters. Great. Thank you.
    Ms. Manfra. Sir, I look forward to working on the specifics 
of the bill, but generally, we are trying to think differently 
about the Federal cyber workforce. We cannot meet the demands 
in the current model, and I absolutely think being able to 
rotate personnel through agencies under sort of DHS' oversight, 
if you will, is something that we would be very willing to 
continue talking to you about.
    Senator Peters. In the remaining time, I have this 
question. This could also help with hiring and retention. We 
find that job satisfaction goes up when folks are able to 
rotate, see other parts of the whole government. Would you 
agree, in the 5 seconds remaining, the three of you?
    Ms. Manfra. I would agree, and I believe it would also 
bring more consistency to the level of training, which is 
something that we are also looking to improve.
    Senator Peters. Great.
    Mr. Wilshusen. I would also agree with that. We have a 
similar program, internal to GAO, in terms of rotating auditors 
among different audit groups, and it helps significantly.
    Senator Peters. Great.
    Mr. Rosenbach. Sir, anytime you can tell a cyber expert 
that they can go to NSA or CYBERCOM and legally hack the 
Iranians, North Koreans, or Russians for several years, they are 
going to stay in the government.
    Senator Peters. Great. I am out of time, but I appreciate 
your answers. Thank you.
    Chairman Johnson. Let me just quickly follow up. Is a piece 
of legislation required, or would you have the authority right 
now to do those rotations?
    Ms. Manfra. I am not a lawyer, nor a personnel expert, so 
we would have to check on that, sir. I know that we have the 
ability to do interagency rotations, which we have been 
exploring, but we can get back to you on the specifics of 
whether we----
    Chairman Johnson. Maybe GAO would have some indication of 
that.
    Mr. Wilshusen. Actually, I do not sir, but I can get back 
to you on that.
    Chairman Johnson. OK.
    Mr. Rosenbach. Sir, all I know is during the 7 years I was 
in DOD, it was very rare to see something like that happen.
    Chairman Johnson. Never happened?
    Mr. Rosenbach. Maybe authorities, maybe strong leadership, 
but something to facilitate it would be helpful.
    Senator Peters. My understanding is that it does require 
legislation to be able to move between these agencies, and so 
that is why----
    Chairman Johnson. OK. We will work with you on that.
    Senator Peters. Great.
    Chairman Johnson. Thanks. Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman. Thank you all 
for being here as well. Let me talk through a couple of things.
    Ms. Manfra, tell me about lessons learned on Kaspersky. We 
had a long conversation about supply chain. DHS has this 
responsibility to be able to help work with GSA and whoever it 
might be to be able to help get products out there and to be 
able to manage them. Then once we find out we have a product 
that has a problem, trying to be able to get it back out. Let 
us talk big picture. What are the lessons learned so far on 
that, including the status? Is every agency clean of Kaspersky 
Lab's products at this point? What have we learned from it?
    Ms. Manfra. I will answer the second first. Yes, 100 
percent of agencies are in compliance with the BOD.
    Lessons learned? I guess I will come from me personally in 
our organization. Maybe others in the government already knew 
some of these, but lessons learned I would say is that we need 
to modernize how the government thinks about third-party risk, 
and procurement officials having access to information that is 
necessary for them to make appropriate risk decisions; mission 
owners, network owners, and system owners thinking about supply 
chain risk and having guidance and better connecting our 
intelligence community with the acquisition community. Those 
are some of the high-level lessons, and we are implementing 
based on that.
    Senator Lankford. Who provides that guidance to them? Is 
that something each agency is responsible for or DHS is 
responsible for getting that to the agencies, then they get it 
down? How does that work?
    Ms. Manfra. The Office of Management and Budget (OMB) is 
responsible for overall acquisition guidance and the 
regulations around it, and then there are statutes, of course, 
that govern it. I believe DHS has a responsibility to provide 
that risk picture for government, either agencies individually 
or as an enterprise. We have been working very closely with OMB 
and other organizations on how do we improve that guidance and 
how do we ensure that DHS has a strong role in that process.
    Senator Lankford. How does this become an issue where DHS 
is going to help us with supply chain without everyone having 
to play ``Mother, May I?'' with your office every time they 
want to get a new printer to say, hey, this printer has this 
new Internet of things connection to it, and it has something 
else additional, we want to be able to get this, and suddenly 
you have to do a check. How are we developing standards and 
communicating that down rather than having to check each item?
    Ms. Manfra. At a highest level, the government needs to 
have a framework for how we think about supply chain risk, not 
just for the government but also so the private sector can 
understand how we think about supply chain risk, and we are 
working on that. Then it is about if there are hurdles that are 
preventing us from achieving some of these, whether that is 
through policy or regulation or statute, then we need to figure 
out what those are and remove those obstacles, which we are also 
working through that process. It is quite complicated, as you 
may know, the acquisition process.
    The last piece is providing more guidance. These are the 
types of things that you should ask. This is how you should run 
your contracting process. These are the types of terms that you 
should put in your contracts if you are procuring a product or 
a service. Our plan is only for a very limited set, what we 
would call the ``high-value assets,'' who will actually go 
through a more thorough process where we would actually review 
a more thorough supply chain due diligence, if you will, not 
every single system in the government.
    Senator Lankford. But many of the systems are connected to 
us.
    Ms. Manfra. Yes.
    Senator Lankford. They become vulnerability points, whether 
that be a new thermostat that they install that is connected, 
or whether that be a new refrigerator they put in that has 
something to be able to connect to the WiFi on it, or the Coke 
machine that is down the hall.
    Ms. Manfra. Right.
    Senator Lankford. All these things have vulnerabilities. 
What is the process of helping agencies understand when you add 
something that has Internet of things on it, you are adding a 
vulnerability to your system once you connect it to your main 
communication?
    Ms. Manfra. Getting in the Internet of things, I think that 
is--and Eric Rosenbach mentioned this as well. I believe that 
we need more industry-driven standards for Internet of things 
diversity. If you look back at, say, Energy Star, which we have 
done some research on that, first, you had to have this kind of 
industry-driven standard, and then the government using its 
procurement authority to mandate, OK, we are only going to buy 
Energy Star products. Right now that does not really exist in 
the Internet of things, so it would have to be guidance of--
again, it would go back to a higher-level framework. Where is 
this produced? Do you have insight into the code where it came 
from? Do you understand where it was manufactured? Which right 
now is hard.
    Senator Lankford. Can the password be changed?
    Ms. Manfra. Can the password be changed? Right now that is 
quite cumbersome for agencies, but at the moment that is all we 
have, so that is the type of guidance we will be putting out.
    Senator Lankford. OK. That is one we will look forward to 
just following up on to be able to see where that goes, because 
this is going to quickly accelerate in a hurry. The more 
products we have out there that the password cannot be changed 
and updated, we have a default access point into our systems.
    Tell me about this wonderful new Cybersecurity and 
Infrastructure Security Agency. Why do we need to stand up a 
new agency? What is it that you are seeing that would say we 
cannot do it under existing structures, we are going to need a 
whole new structure to be able to accomplish that?
    Ms. Manfra. What we are looking at doing is transitioning 
the National Protection and Programs Directorate, which is 
currently a headquarters agency, and we do not have to go into 
the details, but there is actually administrative reasons why 
it would benefit the Department to stand us up as an 
operational agency.
    There is some minor restructuring that we would like to do, 
but the biggest thing that we are asking for is the change in 
the name, which does require an act of Congress to do that. I 
know it is hard sometimes maybe for people to understand why 
this is so important, but it is very hard to go out and try to 
market our organization, which is purely dependent upon 
voluntary partnerships and critical infrastructure with a name 
like the ``National Protection and Programs Directorate.'' It 
is also a morale issue for our workforce. They do not have a 
name that sort of reflects what they do.
    Senator Lankford. Is this an increase in staffing? Is this 
combining other offices? Or is it just switching that one 
office and switching the name and some of the placement of it? 
What else will you need?
    Ms. Manfra. What we are asking for does not increase staff 
or resources in this legislation. We are asking for just the 
name change and the authority to make some restructuring, just 
to make us more efficient internally.
    Senator Lankford. OK. Thank you.
    Mr. Wilshusen. Senator Lankford, if I could also just add a 
comment. GAO went through a similar name change back in the 
year 2000. Our previous name was ``General Accounting Office,'' 
and I can personally speak to the fact that when I went out on 
recruiting efforts and trips, people would see ``General 
Accounting Office'' and just keep walking by. I would have to 
go out from behind my booth and tell them, ``No. We do much 
more than that.'' It really does have an impact if your name 
reflects your mission, and it creates esprit de corps as well 
as helping to generate interest in your work.
    Senator Lankford. That is great. Thank you.
    Chairman Johnson. I cannot imagine anybody walking by 
something dealing with accounting, but---- [Laughter.] Senator 
Harris.

              OPENING STATEMENT OF SENATOR HARRIS

    Senator Harris. Thank you.
    Mr. Rosenbach, as you know, Congress recently added $380 
million to the omnibus to upgrade States' election technology. 
As I think you know, the omnibus allocates and prioritizes the 
money going to States based on the population of the State 
versus the need the State has to actually upgrade its 
technology. As you know, we have the Secure Elections Act. 
Senator Lankford and I and some of our colleagues are working 
on that to provide some standards for States on how they are 
going to actually be equipped to meet the challenges that we 
now know we face.
    What are your thoughts about whether or not we should be 
prioritizing the funding to States and how those priorities 
should be outlined in a way that actually will achieve the 
goal, which is that all States will have secure elections?
    Mr. Rosenbach. Thank you, ma'am. An interesting story for 
you is we were holding a national-level tabletop exercise with 
39 States up at Harvard the day the States were getting the 
news about how much money they would receive, and so they found 
out, they were happy. But they were unsure even with those 
State election officials how to best spend the money.
    Senator Harris. Right.
    Mr. Rosenbach. I think it establishes what your main point 
is. I would say that I think the Secure Elections Act is 
excellent, it is bipartisan, it gives guidance on information 
sharing, a little bit of litigation protection, which is good, 
and a process for grant provisions, which goes on.
    I think for the States, though, first of all, you would 
want to be very careful about any strict Federal guidance about 
how to spend it because it may be counterproductive in the 
relationship that DHS in particular right now is building. They 
have done a good job over the last year rebuilding trust with 
the States, and their autonomy is important.
    But I think there should be some general guidelines or a 
framework, maybe a NIST-like framework in which trusted parties 
work with States to help them decide the best way to allocate 
that money so that it has maximum effectiveness.
    Senator Harris. As you can probably tell from my question, 
I am speaking against perhaps what would seem to be the better 
interests of a large State, but I do know that being large 
should not necessarily be the priority. The priority 
should, I believe, be based on need as well.
    Mr. Rosenbach. Yes, ma'am.
    Senator Harris. Looking at the priorities from that 
perspective. You do support that?
    Mr. Rosenbach. Yes, ma'am. I totally agree, and here is 
why: Some States are much better off when it comes to 
protecting their election systems, and, remember, the Russians 
in particular do not have to attack every State. They will go 
to the weakest link. It does not have to be a prominent State 
or a battleground State. All they have to do is undermine trust 
in the system and confidence in the outcome, and that could be 
someplace that is very weak. We should try to address it from 
that perspective rather than a thin smear everywhere.
    Senator Harris. Well said. As we know, that was their goal, 
to undermine Americans' confidence in their democracy.
    Secretary Manfra, I saw you nodding your head. If you would 
like to add anything to the comments?
    Ms. Manfra. Yes, ma'am. I would say--first of all, I just 
want to thank you and Senator Lankford for your leadership on 
the legislation, and I think that we like to take a risk-based 
approach to everything that we do. I do think population can be 
a part of that risk-based approach, and we are working with the 
Government Coordinating Council (GCC), which is a name for the 
group of bipartisan representatives, Secretaries of State, as 
well as local election officials and other election experts. We 
are working on some guidance that can assist in how they spend 
that money. But I agree that a risk-based approach is usually a 
good way to go for spending grant dollars.
    Senator Harris. Thank you.
    Mr. Rosenbach, what are your thoughts about what we need, 
if we need any more funding beyond that $380 million? Do you 
have some thoughts about that?
    Mr. Rosenbach. If you look back in history and the reason 
why there are vulnerabilities, the Help Americans Vote Act 
allocated money that brought about some of this technology, but 
then the funding tail after that was dry. Remember, in 
cybersecurity, in all operations----
    Senator Harris. Or just nonexistent.
    Mr. Rosenbach. Right, it was dry. There was no follow. What 
we do not want is one big bump of money now and then nothing in 
the 5 years after that. Cybersecurity is about continually 
mitigating risk and patching, so you need some reliable funding 
stream so the States know that they can patch these systems, 
that they have a pool of money to go to to keep it secure over 
the long run.
    Senator Harris. That is a great point because by the very 
nature of technology, we know that it is constantly evolving. 
There is something that is very static about technology, which 
is that it is dynamic. It is constantly changing.
    I want to talk with you about the Election Assistance 
Commission (EAC). Do you know if they have anyone working in-
house who can provide technical expertise to inform their best 
practices, like a chief technologist? Do you know if they have 
one? Because I am not clear about that.
    Mr. Rosenbach. In our project at the Kennedy School, we 
have been working really closely with EAC. Matt Masterson, when 
he was there, was amazing to work with, and he is now at DHS, 
which I think is good for the country. They have some technical 
expertise, but, that is not their strong suit. There would be 
additional help needed there.
    Senator Harris. In your opinion, would it be beneficial to 
national security, to elections, and protecting that critical 
infrastructure, that they would have a chief technologist 
position there?
    Mr. Rosenbach. A lot of elections nowadays revolve around 
technology in one way or another, so almost all organizations 
nowadays have some type of chief technology officer. That makes 
good sense to me.
    Senator Harris. Do any of the other panelists have a 
thought about this?
    Ms. Manfra. I would say I agree with Eric. Most 
organizations that deal with technology benefit from having a 
qualified chief technologist. The National Institute for 
Standards and Technology has long supported EAC in the 
development of the voluntary voting systems guidelines to 
include some of the technical--we have been assisting, but, 
yes, I would say it would benefit from that.
    Senator Harris. Thank you.
    Do you have any thoughts?
    Mr. Wilshusen. I was just going to say that the EAC is 
presently updating the standards now. I think the guidelines, I 
should say, are probably 10 or 15 years old. The EAC is 
reaching out to a number of different groups and experts as 
they go through that. My understanding is that the EAC expects 
to issue those updated guidelines later this year.
    Senator Harris. Hopefully, they also commit themselves to 
appointing and having a chief technologist.
    I have just one final question, Mr. Chairman. When I was 
Attorney General (AG) of California, we had a law that now I 
believe all 50 States have which is basically a data breach 
notification law, requiring, for example, corporations that 
experience a data breach that affects more than 500 
Californians, the case in California, that they had a 
responsibility to report that data breach to the State 
Department of Justice, the Attorney General.
    Do any of you know, because it is my understanding that 
there is no such requirement for Federal agencies, that if they 
experience a data breach they have a responsibility to report 
that to another body so that the consumer--and that would be 
the taxpayer--is aware that there has been such a data breach. 
For the sake of brevity, do you think it would be a good idea 
to have such a law? You can just give me a yes or no answer. 
Mr. Rosenbach.
    Mr. Rosenbach. Yes, ma'am. If you talk to private sector 
people, they spend an immense amount of time of legal hours and 
cost trying to figure out the patchwork quilt of data breach 
notification laws in the United States.
    Senator Harris. OK. What is your thought?
    Mr. Wilshusen. You mean for the Federal Government; to have 
Federal agencies report breaches?
    Senator Harris. Correct.
    Mr. Wilshusen. Agencies are supposed to be reporting to the 
U.S. Computer Emergency Readiness Team (US-CERT) when they have 
security incidents, and if they have a major security breach, 
they are also supposed to report to Congress under the Federal 
Information Security Modernization Act of 2014.
    Senator Harris. Do you believe that is happening?
    Mr. Wilshusen. I think they are reporting incidents to 
US-CERT. I do not know if they are reporting all of them, 
though.
    Senator Harris. Or if they are reporting to Congress.
    Mr. Wilshusen. I think they reported like five or so. I 
think the bar for reporting what is a significant or major 
information security incident can be pretty high, or at least 
interpreted to be high.
    Ms. Manfra. Yes, ma'am, they are required to report to us 
as well as their oversight committees. I can say that the 
reporting has increased. We are also deploying more capability 
so we can independently see whether we have something. But the 
reporting has increased to the Department, and in many cases we 
have worked with agencies on assisting with communications to 
Congress. I know that, at least in my perception, that is 
increasing as a result of that. But, of course, there is 
always--and the private sector has the same challenge. What is 
a significant incident? Particularly if it is not clear, if it 
is not a data breach, for example, where you can count the 
number of PII that has been lost.
    Senator Harris. Mr. Chairman, thank you. I appreciate the 
time.
    Chairman Johnson. While we are on the topic, in these 
previous hearings I talked about the priority, what we had to 
do, we had to do something. First was information sharing. Then 
it was data breach notification. I thought, well, that ought to 
be a no-brainer. But, over the years, I have come to understand 
how unbelievably complex that is.
    While we are on the subject, Ms. Manfra, you can just talk 
about it is difficult to define, you are not exactly sure if 
you have been breached. Just talk about the complexity and why 
we have not been able to come up with a national standard on 
that to preempt all these State laws, which makes it very 
difficult for anybody to comply.
    Ms. Manfra. Absolutely. The patchwork of data breach 
notification requirements by the States can be challenging. My 
experience has been that it is more about the time, because you 
do not always know right away how serious it is, and you do not 
always know who is doing it to you, which has a big impact, and 
whether you call this serious or not. It takes longer than most 
people actually appreciate to understand the scope of the 
incident. It is the threshold we have worked with in the 
government, we have created an incident severity scheme now 
that has been used for a couple of years. I think people 
generally understand this is why something should rise to the 
level, and we do our best to brief Congress. But it really 
comes down to that timing, as I understand it. What is the 
right amount of time to give a company or an agency to figure 
out what is really going on before they have to notify the 
public, the victims, or Congress.
    Chairman Johnson. Part of the problem, when you have been 
breached, sometimes those malign actors are on your system for 
hundreds of days before you even notice, and then you have to 
start doing the attribution. You have to do the forensics to 
find out is there really a breach or is this just a computer 
bug or something else. Correct?
    Ms. Manfra. Right.
    Chairman Johnson. Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Let us talk some more about data breach. 
About 10 years ago, Roy Blunt and I introduced legislation on 
data breach. I used the acronym PIN, spoke to how we needed to 
do a better job protecting our sensitive information; second, 
investigate laying out expectations for an investigation to 
proceed; and, finally, notification. The idea of having 50 
States going their own way just made no sense to Senator Blunt 
or me. As it turns out, it made no sense to Senator Nelson, it 
made no sense to Senator Feinstein, it made no sense to Senator 
Thune and others as well. We ended up with four committees of 
jurisdiction on data breach legislation, including this 
Committee, Judiciary, Commerce, and Intelligence. We all have 
our different stakeholders and folks that are interested in 
what we are doing and considering. It has just been----
    Chairman Johnson. Not a recipe for success, you are saying.
    Senator Carper. If you want to have a good picture of what 
is not working around here, it is getting data breach 
legislation enacted. But I am pleased that we are talking about 
it again today. Senator Blunt and I talked about not long ago.
    The idea of inviting a couple of you just to meet with the 
legislative leaders, Democrat and Republican leaders of these 
four committees of jurisdiction, and sharing with you what we 
have offered, and the staff will continue to have discussions 
at the staff level, but that might be helpful for us actually 
getting the show on the road. Would you be willing maybe to do 
that?
    Ms. Manfra. I would be happy to do that, Senator.
    Senator Carper. Oh, good. Thank you. Greg, we might even 
try to drag you with us as well.
    Mr. Wilshusen. Absolutely. We have done a couple reviews 
looking at data breach response as well as cybersecurity 
incident response. We would be happy to talk about that, too.
    Senator Carper. Great. All right. Thanks so much.
    I want to come back to a name change and just to say the 
name remains the same, and I agree with you, it is time to 
actually say what you do, and I do not think we are looking to 
do a whole lot more beyond that, but that would be a big deal. 
We are all interested in our business in branding, and I think 
it is understandable why that is important to you.
    Jeh Johnson was in town not long ago, and we had a chance 
to visit, and Ali Mayorkas on a separate visit. We talked about 
morale within the Department of Homeland Security, and I think 
if you look at the Federal agencies where we evaluate morale on 
an annual basis, the agency or the department that had the 
biggest uptick in morale was the Department of Homeland 
Security. That is something that the Chairman, the Ranking 
Member, and myself and others have focused on, and we are very 
pleased to see that. I believe your point, Madam Secretary, 
about having an agency that actually says what you do--and Mr. 
Wilshusen alluded to this as well--makes a whole lot of sense.
    One of the things that I like to do as a Senator--and I 
used to do it as Governor--I like to do customer calls. I call 
on businesses large and small, schools, hospitals in Delaware, 
and even outside of Delaware, to see what we can learn from 
them. We always ask three questions: How are you doing? How are 
we doing? ``We'' being Delaware, the State of Delaware, or 
Congress, our congressional delegation, or the Federal 
Government. What can we do to help? We asked these questions a 
lot about 3 or 4 years ago, and folks here to my left were a 
part of those conversations. Tom Coburn was a part of those 
conversations. I was a part of those conversations. We said, 
``What can we do to help?'' One of the things you said we could 
do to help was on the workforce side. We did, I think, a fair 
amount. Has it helped? What have we done that is helpful? What 
have you not taken full advantage of what we provided for you 
legislatively? If you all could take a minute on that 
workforce, how are we doing? I do not care who answers it. 
Maybe both of you can.
    Mr. Wilshusen. We recently issued a report last month on 
DHS' efforts implementing that Homeland Security Cybersecurity 
Workforce Assessment Act of 2014 in which it was responsible 
for identifying all of its cybersecurity positions, assigning 
codes to those positions based upon the work roles and the work 
categories, the specialty areas of those positions, and then to 
identify its critical needs and gaps. We found to a large 
extent that the Department had not implemented those actions in 
accordance with the deadlines established in law, but they are 
working toward it and have taken actions on it.
    We also found, even though it was not part of our report, 
one of the authorities granted to the Department under the 
Border Patrol Agent Pay Reform Act of 2014----
    Senator Carper. That was the one.
    Mr. Wilshusen. Right. Even though we were not examining 
that, we had heard that despite having these authorities to 
hire new cybersecurity-related personnel, the Department as of 
at least earlier this year had not really taken advantage of it 
for 3 or 4 years. But, again, that was really something we 
heard in passing. It was not a focus of our review. We were 
just examining the Department's implementation of the Homeland 
Security Cybersecurity Workforce Assessment Act.
    Senator Carper. Madam Secretary, just briefly, any 
comments?
    Ms. Manfra. As Greg mentioned, the responsibility for 
implementing that authority is with the Chief Human Capital 
Officer of the Department, which is not my organization, but we 
are working very closely with them. I think she has been up to 
testify a couple of times on this issue.
    Senator Carper. Who is that person?
    Ms. Manfra. I am sorry. Angie Bailey. We have a great 
relationship with her. She has only been on board for maybe 2 
years or so. But I am very excited about the program. While it 
has taken longer than we would have liked, they are completely 
rethinking the way we think about civilian service and really 
applying best-in-class concepts of how technology companies 
hire workforce. The way they are implementing the authority is 
going to allow us to have a very different approach to our 
workforce.
    We are also trying to improve the stuff we can control, 
think differently. Does everybody need the highest level of 
security clearance? The answer is no, because that is often the 
thing that can take the longest in the hiring process. Are we 
being better recruiters? We cannot just rely on a website and 
people to apply via a website. We have to be out there 
targeting our employees.
    As Greg mentioned as well, we have to understand what 
workforce we want and make sure that we are targeting the skill 
sets for the workforce that we want and that we need instead of 
hiring basically the people that are often given to us through 
the old government approach to hiring. So we are trying to do 
as much as we can.
    Senator Carper. Thank you. My time has expired.
    Mr. Chairman, two things. One, thank you so much for 
scheduling this hearing and to all of you for coming and 
testifying. My colleagues may recall that this Committee also 
required NPPD to improve EINSTEIN, provide us with updates on 
improvements and features. It is my understanding that we have 
not received any updates. I might be mistaken, but that is what 
I am told. I would like for us to have a conversation after 
today is over, and I will be interested and will ask questions 
for the record with respect to EINSTEIN 3A. Has it been 
updated? Does NPPD intend to develop new functions? Those are 
the kind of questions we would like to pursue.
    Again, thank you. This is timely and maybe overdue, but I 
am just delighted that we are doing it. Thank you.
    Chairman Johnson. Senator Jones.

               OPENING STATEMENT OF SENATOR JONES

    Senator Jones. Thank you, Mr. Chairman. I apologize for 
being late. We were marking up the opioid bill, which is also a 
very important piece of legislation that is about to move.
    I know you have had a lot of testimony and questions and 
answers, so I am going to kind of limit this to one question 
that I would like each of you to address, and it is just a 
pretty general question.
    There have been some 50 bills governing cybersecurity that 
have passed over the last few years, which sounds like an awful 
lot of action on behalf of the Congress. I have seen some parts 
of your GAO report suggesting areas of improvement in the 
implementation of some of those bills. But I would just like 
each of you to address, as you can, what else is there? Do you 
have, for instance, all the tools that are necessary, whether 
or not you have the ability to implement them right now, are 
there other things, 50 bills sounds like a lot, but there is a 
lot going on in this world, and are there other things that 
Congress and this Committee should be looking at that would 
help you in this world, whether it is the Department of 
Defense, whether it is Homeland Security? If each of you take 
just a moment with that, I would appreciate it.
    Ms. Manfra. I can start.
    Senator Jones. OK, sure.
    Ms. Manfra. I would say that Congress has, like you said, 
done a lot of very effective legislation in cybersecurity and 
really positioned DHS as that agency that is central to 
managing the defense of Federal networks and civilian networks 
and critical infrastructure. We are very satisfied with the 
authority that we have been given. For us, it is really about 
how do we ensure we have the capacity and the capability to 
fully implement those authorities.
    But as we continue to work and expand the work that we are 
doing and learn more about different areas, if we come up with 
additional legislative remedies that are needed, we would 
absolutely come and work with this Committee.
    Senator Jones. All right. Thank you.
    Mr. Wilshusen. I think it is more a matter of execution 
rather than additional legislation for the time being. As you 
mentioned, there are a number of laws for which agencies are 
responsible in implementing relative to cybersecurity. But the 
key thing is taking those authorities and actually effectively 
and efficiently executing them in order to secure the systems 
that the Federal Government operates. I would say it is more a 
matter of execution rather than the need for additional 
legislation at this time.
    Senator Jones. All right. Thank you.
    Mr. Rosenbach. Sir, it is always easier when you are on the 
outside, but I think that you all could start by clarifying the 
committee oversight structure for the Department of Homeland 
Security. This would not be passing a bill back on the 
Executive Branch, but it would be dealing maybe in the co-equal 
branch of Congress and cleaning things up here. I was speaking 
with Secretary Manfra beforehand, and she said she has already 
testified I think 15 times this year. Having been an Assistant 
Secretary of Defense, you spend a crazy amount of time 
preparing to come and work with you all, which is really 
implement, but it is time taken away from doing operational 
real things. I know that is a hard thing, but it is worth 
mentioning.
    I think that capability and talent are the two most 
important things in government, and bureaucracy is deadly to 
capability and talent, even in the Department of Defense where 
we have a huge budget and a lot of really motivated people. DHS 
has that as well. In some ways maybe there is a bill that could 
do away with a lot of the reporting requirements that GAO then 
grades Secretary Manfra on. That probably also would be 
helpful.
    I love government. I am at the School of Government. I am a 
big fan of that. But sometimes too much government keeps you 
from getting the real stuff done.
    Senator Jones. All right. Thank you all, and I appreciate 
it. I can tell you a couple of things from the report. As a 
former U.S. Attorney back before this really became such an 
issue, just the reporting and being able to share information 
across agency lines, and the collection of that data is so 
important. In Alabama, in particular, we have such critical 
infrastructure sectors with ship building and manufacturing, 
the aerospace industry, manufacturing, so I want to take you up 
on looking at that, because I think we need to be efficient and 
I want to make sure we can collect the data and be able to move 
as quickly as they can.
    That is all I have, Mr. Chairman. Thank you so much for 
letting me sneak in at the last minute and throw a couple 
questions out.
    Chairman Johnson. Not a problem. First of all, it was a 
great question. It was the first one on my list. Do we have 
enough laws? Mr. Rosenbach, we are going to clip that 
testimony. You are singing right out of our hymnal. I am sure 
Senator Heitkamp will make the same point. Senator Heitkamp.

             OPENING STATEMENT OF SENATOR HEITKAMP

    Senator Heitkamp. Thank you, Mr. Chairman.
    This is probably the most serious issue that we are 
confronting, probably behind the pandemic, in this country with 
the most disruptive oversight process in government. Think 
about that. When something really bad happens, I can only 
imagine the scramble to assume who is responsible for not 
making sure that we have the resources and making sure that we 
were not on the ball. We have to fix this, and I think the 
Chairman has held a meeting. It is really hard to wrestle 
jurisdiction away from other committees, but we have to stand 
firm to centralize our discussion of this, because if we do 
not, we are going to miss opportunities.
    One of the things that I have been talking about has been 
the impact of all this on small business, and I want to just 
make another brief statement. I think sometimes cybersecurity 
gets overlaid or kind of misstated as a privacy issue. It can 
become a privacy issue, but it is different from and different 
than privacy. We need to make sure that when we are talking 
about this, we do not confuse the two concepts.
    The first thing I am going to say is the first line of 
defense, if you are a beat walker, doing community policing, is 
people lock their door. They lock their car. They carry a 
flashlight. They carry some kind of method of defending 
themselves. They practice some kind of self-defense.
    We are missing a national dialogue on what we need to do 
for self-defense. What can we do within the government to set 
out some principles? I think the public wants to know. They do 
not want to have 20-character passwords, because everything 
requires a password now. They want to have easy access to their 
data and their information. But they need to understand that 
they have within their power the chance that could be a back 
door to something really bad happening.
    What are we doing to help cyber hygiene, to really promote 
cyber hygiene, to get it out not just to small businesses and 
big businesses, but to get it out to the mom-and-pop users of 
this technology? We will start with you.
    Ms. Manfra. Thank you, ma'am. Very well said. A lot of talk 
in cybersecurity and technology is very fancy and all sorts of 
interesting technologies, but when it comes down to it, my team 
of assessors continue to find the same basic problems, poor 
patch management, misconfigured systems, things that are known 
bad things. Within the Federal Government, we have tried to 
focus on changing those behaviors.
    More publicly, which I think is what your question is 
really getting at, ma'am, we do need to do more. Our 
organization has been working with an organization called the 
``National Cybersecurity Alliance'' for some time--the campaign 
has been called the ``Stop, Think, Connect Campaign''--for some 
years, and we have been talking a lot about how do we expand 
our reach? How do we make the message more----
    Senator Heitkamp. Can I make a recommendation? I just 
visited with my insurance agents. Great people. They are now 
selling a product that includes cyber insurance. I am not sure 
how it is going to work. But there is a great place--when we 
talk about fire protection--I used to run the Fire Marshal's 
Office in North Dakota. We partnered with the insurance 
agencies because they knew they had risk, and they could do a 
lot.
    What are we doing to plus-up our effort looking at private 
organizations that have some skin in this game?
    Ms. Manfra. Another great point. We have been working with 
the insurance community for a few years now, both to educate 
them as they think about developing insurance policies and the 
challenges they have around that, but as a stakeholder, as a 
risk manager in helping to raise the level of cyber hygiene 
through requirements in their policies.
    We have been working with them. I think that environment 
has changed significantly. We are seeing a lot more insurers in 
this space. We see them as a great partner. Like you said, just 
getting to the average consumer, getting to--how can people be 
safe online? How can people be secure online? But also working 
with the technology community to think differently about things 
like identity.
    Senator Heitkamp. I do not have a whole lot of time left, 
but it seems to me that as you experience or see--just like we 
would do a GAO report with a list of recommendations, if you 
said, look, Corporation X, you are putting your users at risk, 
only you know that, and they continue to--if they do not modify 
or change or make the investment that they need to protect 
their data, should we not know that as consumers? Should we not 
know that? Should we not know what you know so that we can then 
create that push to encourage more rapid change within those 
organizations that are not doing what you think is appropriate 
to protect data?
    Ms. Manfra. In the case where I would know that 
information, which is not usually the case, but in the case 
where I would, I do believe that, yes, consumers should have a 
right to know. But that is definitely something that working 
with the U.S. Securities and Exchange Commission (SEC), working 
with others, thinking about disclosure requirements, 
transparency around----
    Senator Heitkamp. The concern that I have is frequently 
when we talk about disclosure, it is after the breach. It is, 
OK, now, who are you going to tell, when are you going to tell, 
and Equifax is an excellent example of where that got totally 
messed up, in my opinion, people who knew, who were trading 
before the public knew. That is some of the richest data you 
can possibly imagine, and we do not know--that is like a 
ticking time bomb waiting somewhere offshore, in my opinion, 
until they can absolutely do havoc, so we cannot say, well, 
nothing happened so far, because, why rush it?
    What I am saying is that there has to be a level of 
accountability with standards that when we look back on it, we 
could say, look, you should have known. A great example of that 
is when I met with my folks in Grand Forks, North Dakota. We 
are trying to really build out some cyber capability. They said 
a lot of the ATMs were running on Windows 98. Yes, look at your 
face. I mean, can you imagine? These are the kinds of things--
yes, I know it is expensive, but Windows 98 is no longer being 
modified for security protections. That is the kind of thing 
the public would be absolutely furious about if they knew that 
we knew that and somehow now their identity is being stolen, 
including, Social Security numbers and bank account numbers and 
now they are in the hassle of that.
    I just think it is really important we talk about cyber 
hygiene, that we talk about creating greater incentives for the 
easy things to get done--not the tough things, not autoimmune 
systems, all the things we want to talk about up here, but all 
the things we need to do here to lock the door, right? That is 
the example I always give. Let us lock the door. Maybe they 
will still break a window, but it is going to be harder to get 
in.
    Ms. Manfra. I could not agree with you more, ma'am.
    Chairman Johnson. Although it is kind of hard to hack into 
a floppy disk. [Laughter.]
    I do want to reinforce your point on the insurance. I have 
been making that point for quite some time. That is a private 
sector model, just like in manufacturing, because you have to 
respond to insurance premiums. Your premiums are lower if you 
have your sprinkler heads closer together. I think the 
insurance industry off of NIST, something like an ISO type of 
certification process, will be much more flexible than 
government ever will, as we are talking about needing 
congressional action just to change the name of your agency. I 
think that private insurance model is probably one of the best 
ways of enforcing those standards.
    Senator Heitkamp. It is definitely a force multiplier, and 
more and more small businesses are coming wanting protection, 
understanding the risk and the liability. This is an absolute 
pivotal point. If I can just for a minute brag about my 
insurance agents, they literally go through a checklist on 
cybersecurity.
    Chairman Johnson. Very thorough.
    Senator Heitkamp. What are you doing? What are you doing 
here? Maybe you should think about that. That is just 
invaluable. That is the kind of army you need to prevent people 
sneaking in through the back door.
    Chairman Johnson. That is because they want the premium. 
They never want to have to pay out the claim, which is exactly 
what you want with insurance.
    Senator Heitkamp. That is why you put sprinkler heads close 
together, too.
    Chairman Johnson. Right. Senator Daines.

              OPENING STATEMENT OF SENATOR DAINES

    Senator Daines. Thank you, Chairman Johnson, Ranking Member 
McCaskill, for holding this important hearing. Cybersecurity 
issues have been at the forefront of many minds lately. I spent 
12 years in the cloud computing business, and you always, when 
you woke up in the morning, ask yourself, ``What could happen 
in our business to put you on the front page of the Wall Street 
Journal?'' It is a cyber breach that is exactly one of those.
    In light of attacks such as the hacking of Montana's 
schools recently up in Flathead County, up near Glacier Park, 
as well as broader government breaches like the one we saw at 
OPM, in fact, 28 years in the private sector I never got a 
letter from my human resources (HR) department saying my PII 
had been compromised until I became an employee of the Federal 
Government as a U.S. Senator when I finally got a letter. It is 
vitally important that we address these issues promptly.
    In the Energy and Natural Resources Committee, we have been 
tackling the issue of protecting our electric grid from cyber 
attacks. It is a delicate balance we must strike as the vast 
majority of our infrastructure is privately owned, but many 
companies do not have the capital, sometimes the expertise, to 
defend against attacks from bad actors or nation-states. That 
is why it is important we work with the private sector to 
bolster cybersecurity.
    To that end, I have introduced the Cyber Safety Act, which 
simply clarifies that cyber technologies can apply for Safety 
Act protections. This bill would help incentivize the next 
generation of cyber defenses for critical infrastructure and 
help protect the grid from cyber attacks.
    Mr. Rosenbach, you mentioned in your testimony that, 
``Bolstering private sector cyber defenses without regulation 
should be a priority.'' I agree with that. How important is it 
to enable the private sector to innovate and commercialize the 
next generation of cybersecurity technologies without a 
technology mandate?
    Mr. Rosenbach. Senator, I think it is really important, and 
during the time I was in the Department of Defense, in the 
beginning I think NSA CYBERCOM had better capabilities than the 
private sector. If I look now, 8 years later, it is not even 
close. The private sector moves more quickly, advances more 
quickly. We need to be able to rely on them in a way that helps 
the country in a broader national security sense as well.
    Senator Daines. That is a strong statement you made, and as 
somebody who has been on the Commerce Committee, I see that as 
well in terms of the innovation cycles, the innovation 
ecosystems built in the private sector, and oftentimes how this 
large bureaucracy that we have, smart people, well-meaning 
people, sometimes having difficulty to attract and retain the 
best people when the money is a lot better sometimes on the 
other side.
    Mr. Wilshusen, I believe it is hard for the government to 
mandate cyber practices on the private sector when it does not 
even have its own house in order. There have been multiple 
cyber breaches in the Federal Government that are very 
concerning. Last year, I helped push the Modernizing Government 
Technology Act, and just last month, this Committee passed a 
bill that I introduced called the ``Support for Rapid 
Innovation Act'' as part of the DHS reauthorization. Both are 
important steps to mitigating risks within the Federal 
Government.
    What else do we need to do to ensure that the Federal 
Government is secure against cyber attacks?
    Mr. Wilshusen. I do not know if one will ever be able to 
say that we are secure against cyber attacks, but we can 
certainly do more to try to reduce the risk and likelihood of 
having significant breaches at Federal agencies. Much of that, 
as we discussed, is to effectively implement the security 
controls and requirements that have already been established. 
As Secretary Manfra mentioned, many of the key findings that we 
identify during our audits are the same things that we have 
been identifying for years: unpatched systems, use of 
unsupported systems, and not having effective security testing 
and evaluation processes at agencies.
    We often find that agencies will go and conduct a test or 
review their systems merely by either conducting interviews or 
reviewing certain policy documents as opposed to actually 
examining the security and the configuration of its systems.
    Much of what we need to do in the Federal Government is 
assuring that agencies have sufficient information on what the 
key cyber threats are at the moment, establishing processes to 
assure that they securely configure their systems, and being 
able to assure that those configurations and controls are being 
reviewed on a regular and ongoing basis.
    One of the programs that DHS is spearheading, the 
Continuous Diagnostics and Mitigation Program, is intended to 
help along those lines. But it is still in the relatively early 
stages of implementation. It is going to Phase 3 this year. 
There is still much that needs to be done at the Federal agency 
level.
    Senator Daines. Thank you. One of my observations, too, in 
terms of the procurement of best practices, best technologies 
out there, we see some of the same challenges in the Federal 
Government that are reflected oftentimes in Fortune 100s where 
Chief Information Officers (CIOs) and Chief Technology Officers 
(CTOs)--there is the old saying, ``You never get fired for 
buying''--and I will not create any problems here, but you can 
kind of list some of the large enterprise companies that 
typically they have Italian suits, expensive shoes, and high 
billing rates, and technologies that sometimes are burdensome 
and it costs more money to upgrade them and implement them than 
the solution itself. I will just leave it at that before I get 
in trouble.
    But my point is to be looking for these smaller, nimble 
players out there that are oftentimes on the forefront of 
innovation. I speak as one who used to be there. We finally got 
acquired by a large corporation, but some of the best ideas, 
frankly, are out there with little guys at the moment, and I 
hope we can incentivize appropriate procurement that would 
allow us to look at some of these smaller, more nimble players 
that usually are less money, better solution, faster 
implementation.
    Mr. Wilshusen. You mentioned procurement, and that is 
another key area to helping secure Federal systems. One aspect 
of that is buying operating systems, that the vendor has 
already preconfigured securely. By acquiring software that is 
secure out of the box, it will also help with securing systems.
    Senator Daines. Some of these large technology dinosaurs 
are extinct. They just do not know it yet. They need to be 
looking at the next generation.
    I better be quiet here, Mr. Chairman, before I get in 
trouble.
    Chairman Johnson. You were close. Senator Hoeven.

              OPENING STATEMENT OF SENATOR HOEVEN

    Senator Hoeven. Thank you, Mr. Chairman.
    Ms. Manfra, Senator Peters and I have introduced 
legislation, the Federal Cyber Joint Duty Program Act, S. 2620, 
which would enable the Federal Government to establish a 
civilian personnel rotation program for employees with cyber 
designation. It is similar to the joint duty programs that 
exist in the military and the intelligence community.
    My first question is: In your experience have you noticed a 
governmentwide cyber workforce shortage and/or retention 
challenge in the cyber field? What are the impacts that that 
has on your office, agency, and government as a whole?
    Ms. Manfra. Yes, sir, we absolutely have a shortage. We 
also have an equal challenge of inconsistently trained and 
qualified professionals across the government. We are working 
to address both of those challenges.
    Senator Hoeven. Do you think a rotational program for 
civilian employees in cyber work roles such as the bill that 
Senator Peters and I have introduced can be used as a tool to 
further develop and retain talent and create some of that 
consistency in the cybersecurity career field?
    Ms. Manfra. Sir, we would look forward to working with you 
on the specifics, but, yes, the concept makes a lot of sense to 
me.
    Senator Hoeven. That is a good answer.
    Mr. Wilshusen, I guess you published two reports recently 
which outline the persistent and longstanding challenge the 
Federal Government is experiencing in this area. I would ask 
you the same questions.
    Mr. Wilshusen. Certainly, as you point out, that has been a 
longstanding challenge within the Federal Government. Some of 
our reports and surveys that we have conducted with agency 
CISOs have consistently identified obtaining and retaining 
staff with technical skills has been particularly challenging 
for them. One of the steps, as you mentioned, with the rotation 
aspects, could potentially help in terms of giving those 
individuals greater insights as to how different agencies are 
implementing security for their systems and may be beneficial 
not only to the individual agencies but to those individuals as 
well.
    Senator Hoeven. I would ask the two of you, and then Mr. 
Rosenbach, relative to the private sector, in the public 
sector, how should we be communicating to the public in terms 
of cybersecurity, the steps we are taking, and what assurances 
can we give them that we are addressing cybersecurity 
sufficiently, first in the public sector, then in the private 
sector, both in regard to State actors, be that Russia, China, 
Iran, North Korea, and non-state actors, terrorist groups, for 
example? How should we be talking about what we are doing and 
its adequacy and whether or not they can be reassured and where 
they should have concerns?
    Ms. Manfra. From my perspective, sir, the way that I talk 
about it is that we are taking a risk-based approach to 
cybersecurity, and I cannot assure that there will never be 
another data breach or that we will never have a significant 
cyber incident. What I can assure is that we are taking a very 
focused look at what we are calling ``national critical 
functions.'' What are those functions that our citizens and 
residents and companies depend upon? How can an adversary 
disrupt those functions, whether that is through some sort of 
cyber means or otherwise? How do we work to reduce that risk, 
whether that is in the Federal Government or within critical 
infrastructure?
    We have a lot of authorities, not just DHS but the 
governmentwide has a lot of capabilities. We have a thriving 
cybersecurity market. We have increasing awareness among 
communities and companies of things like the NIST Cyber 
Framework where we need to continue to raise that baseline 
level of cybersecurity.
    For me, the approach is a combination of improving our 
understanding of threat, vulnerability, and consequence, but I 
come at it from the vulnerability and consequence side. What 
are those really high-impact--where do we have public health or 
safety risk? What are we doing to reduce that? For me, it is 
mostly focused on nation-state actors because those are 
generally the ones that both have the capability and the intent 
to accomplish something like that. But we are also looking at 
other non-state actors who would seek to disrupt those services 
or functions.
    Does that answer your question?
    Senator Hoeven. Kind of, but, again, for the public that 
gets to be a little confusing, and it comes across you are 
working on it, but in terms of should they be reassured that 
you have this, that kind of answer, it is hard to say you get 
them there with it.
    Ms. Manfra. I know that people want assurances. But in 
security----
    Senator Hoeven. They want honest assurances.
    Ms. Manfra. Sure.
    Senator Hoeven. They want an accurate response.
    Ms. Manfra. What I can assure the public is that the 
Department is doing everything that we can to coordinate within 
the government to make sure that the intelligence community is 
collecting information that would help reduce the risk, that we 
are passing that information to those who would own it, and 
that we are gaining visibility into what these potential 
consequences would look like. Companies are stepping up--the 
financial sector, the electric sector, water utilities across 
the country.
    Is there a lot more that we should be doing? Absolutely. 
But people are stepping up to own the risk and to work with us 
on it.
    Senator Hoeven. Mr. Wilshusen, how would you put it?
    Mr. Wilshusen. I would probably say that we are never going 
to be completely safe, and I think as you say, you have to be 
honest, particularly--and it is not just the Federal 
Government, but it is also individuals and their behavior out 
on the Internet. There is a great propensity for people to 
share a lot of information out on the Internet, on various 
different applications, and that information is being collected 
and used, often unbeknownst to the individuals who provide that 
information, generally willingly, to many of the different 
applications and systems that they may frequent out on the 
Internet.
    I think in terms of just being able to provide assurance to 
say that we are doing everything we can is one aspect of it as 
a Federal Government, but, we also have to be able to 
demonstrate that we are doing everything we can do to protect 
the systems that the Federal Government operates.
    But it is also up to individuals, who need to recognize 
they, too, have a responsibility. As the old adage says: 
security is everybody's business. Individuals, citizens, also 
have to take ownership of it as well in terms of how they act 
and behave in cyberspace.
    Mr. Rosenbach. I will be very quick because I know you are 
over. I will say that the most important thing to me is that 
you cannot expect the Department of Homeland Security or the 
private sector to be defending against advanced nation-state 
threats. You need the Department of Defense and the intel 
community to be operating outside U.S. borders to take on 
adversaries before they hit us. The idea that we would let 
someone attack our democracy and our election system and there 
be almost no price to pay for that still is crazy to me. I was 
in a job where I probably should have done more. We as an 
Administration should have done more. But the country needs to 
do more.
    The private sector, there is a great and thriving market in 
the cybersecurity market, and they can make money and make a 
big difference. However, there are parts of the tech sector 
that need to internalize that they have a responsibility to the 
public to do more. That is primarily social media platforms 
right now. There is, I think, a little momentum in a positive 
way, but we need to see more there. Information operations by 
nation-states will continue to get worse unless they and the 
government both do something that is a little more assertive.
    Senator Hoeven. Thank you. I appreciate it.
    Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Senator Hoeven.
    I have a number of questions, but Senator McCaskill is on a 
tight schedule, so I will let her ask hers first, and then I 
will close out the hearing.
    Senator McCaskill. Thank you. I just want to echo your 
comments, Mr. Rosenbach, about our lack of response offensively 
to the Russian active war against our country. I had the 
opportunity in the Armed Services Committee to pointedly ask 
Admiral Rogers, conveying to him what a woman said to me in the 
grocery store. Can we stop them? Do we have the capability of 
stopping them? He said to me in that hearing, ``Yes, you gave 
her the right answer. We can.'' But have we? He had to admit, 
no, we have not, and that he had not been given the command to 
do what we need to do to offensively go after this act of war 
against our democracy. It is a real head-scratcher for me and 
very frustrating that we are dancing around the obvious here. I 
just wanted to echo your comments that we are not utilizing the 
assets of the Department of Defense in an effective way against 
Russia and what they did to our country.
    Director Wilshusen, I wanted to ask you--I know it was the 
Election Division that gave--this is the last question I have--
that did the report looking at the voting equipment and the 
voluntary voter system guidelines. The Election Assistance 
Commission has guidelines they use to certify systems, which is 
pretty important right now. Those guidelines were first 
released in 2005, very outdated. I think anybody would 
acknowledge in this area that using guidelines that were 
developed in 2005 is not appropriate.
    They were updated in 2015, and the GAO's report that was 
issued last month noted that in January 2016, EAC adopted a 
plan that all new voting systems would be tested and certified 
against the 2015 guidelines beginning July 6, 2017. They also 
noted that as of November 2017 no voting systems had been 
certified using the 2015 guidelines. Looking on their websites, 
some systems were certified in March, like a month ago, but to 
the 2005 guidelines.
    What is going on? Why are they not utilizing the new 
guidelines that we have worked hard to update to make sure that 
the certification has the kind of validity we need at this 
point?
    Mr. Wilshusen. I will probably have to get back with you on 
the answer to that question with the audit team that actually 
performed the work. But I will say that my understanding is 
that the Election Assistance Commission is actually still in 
the process of updating those regulations or those voluntary 
guidelines, and they expect to issue them later this year. But 
at the same time, it would seem that if there are more current 
standards, that they would be using those standards to measure 
against new systems that are coming online.
    Senator McCaskill. Can you add anything to this, Secretary 
Manfra? What is the holdup here? This seems really like a waste 
of time to be certifying to 2005 guidelines?
    Ms. Manfra. Yes, ma'am, those guidelines are not final yet, 
so even though they did update and draft them, they are still 
in the process of finalizing. My understanding is that they 
will be finalized and issued very soon, and I agree with you, 
it is too long. I know the EAC has been working very hard, and 
we should get some updated guidelines out in the next few 
weeks, is my understanding.
    Senator McCaskill. I will continue to follow up on this. I 
will follow up directly with the EAC. But is this some 
requirement they have to make it take this long? Or are they 
just not moving quickly enough?
    Ms. Manfra. I would definitely check with the EAC on this. 
My understanding is it is somewhat of a cumbersome process that 
they go through. But I would definitely confirm with them.
    Senator McCaskill. Yes, because they should probably quit 
certifying until they get the new guidelines out. I think it is 
going to give a false sense of security to a lot of States.
    Chairman Johnson. Thank you, Senator McCaskill.
    I really do have a pretty long list of questions here. I 
think the questions asked by my colleagues have been excellent, 
but this is a big topic.
    Let me start by saying, when I got here in 2011, it was 
just generally recognized that cybersecurity is a real issue 
and we have to do something about it. There was one proposal 
made, I do not know, 400 pages. I was asking the folks that 
would be tasked with implementing it how long would it take to 
just write the regulations, and I am quite sure that they said 
something like 7 years. I never really thought a government 
solution here was going to be the be-all, end-all. You really 
had to look to the private sector.
    But in those hearings--and I thought this was pretty good, 
and I want to see if this is still a pretty good outline of 
what we really face in terms of threats. Four points.
    Cyber crime, cyber theft, the ransomware, copyright 
infringement, cyber intrusions all for the purpose of cyber 
thefts gaining people's personal accounts and personal 
information so they can hack into your accounts. We have seen 
them obviously violate the Internal Revenue Service (IRS) 
files.
    Then the next level would be industrial espionage. Of 
course, we have seen from the Mandiant report China has been 
excellent about that, and they have a lot of U.S. technology 
because of that. But it would not necessarily be only isolated 
to nation-states.
    The next one would be national security espionage. It is 
pretty amazing how close the J-20 Chinese fighter is to our F-
22. Amazing.
    The final level is really cyber warfare. Now, you could 
argue that could be destructive warfare. It could be 
disinformation.
    First of all, are there other categories that we need to be 
worrying about? Is that a pretty good outline to describe what 
threats we face? Secretary Manfra.
    Ms. Manfra. I can start, and my colleagues can add. First 
of all, I think, yes, it is a pretty good construct. The first 
group I might recharacterize as say ``monetization,'' so 
organizations, they do not have to be criminal, but they are 
seeking to monetize what they steal. I think you are right 
around it is differentiating between industrial espionage and 
national security. We further differentiate between a State--
using State assets to conduct industrial espionage for the 
benefit of their companies.
    The last one, cyber warfare, I guess the distinction that I 
would make is because cyber warfare means a lot of things to a 
lot of people, but it is the position of holding our critical 
infrastructure at risk and getting into that geopolitical 
nature of because I believe we have supremacy in most other 
areas of security through our Department of Defense, nuclear, 
etc., we have a lot of countries that are seeking to exploit an 
asymmetric advantage.
    Now, whether that leads to actual warfare or if it just 
puts us in a position where conflict and escalating tensions 
means something different because of the risk we have in the 
homeland, but----
    Chairman Johnson. Part of the problem is we really have no 
definition for it, correct? If you destroy computers through 
electronic beams, we call that a cyber attack. If you destroyed 
those computers with a bomb, that would for sure be an act of 
war. Do we need a definition? Could we even come up with one?
    Ms. Manfra. I think we need a doctrine for cyber war, and 
we are working on that. It is complicated. There are a lot of 
people who have done a lot of work on this. But I do believe 
that is something that is important, and I think it is 
important to be transparent about what that doctrine looks like 
to a certain extent.
    Chairman Johnson. Mr. Rosenbach.
    Mr. Rosenbach. Sir, this may sound overly simplistic, but 
for about the past 10 years, I have always heard people debate 
whether we need cyber doctrine or what cyber war is. In my 
mind, in all of the White House Situation Room meetings I sat 
through, people knew----
    Chairman Johnson. You know it when you see it.
    Mr. Rosenbach [continuing]. What a real attack was. The 
problem is: Are you going to do something about it? It is not 
in the definition. You know it. It is are you willing then to 
take the action to go back and do something about it.
    Chairman Johnson. I realize there is a spectrum here, but 
what about just the challenge of attribution? You retaliate, 
you respond. If you do not have the attribution correct, that 
is a real problem. We just saw that with the use of chemical 
weapons.
    Mr. Rosenbach. Yes, sir.
    Chairman Johnson. When we finally could attribute it and we 
had a high level of confidence, we responded. But it is more 
difficult in cyber, isn't it?
    Mr. Rosenbach. Yes, sir. It is difficult. I would say this 
is something that has really changed over the past several 
years, too. Attribution is not as difficult as people think. 
The private sector is very good at it, if you look at Mandiant-
CrowdStrike, firms like that. NSA is very good at it, even some 
of the experts at DHS. You will never have 100 percent 
confidence. Just like in the terrorism strike, you may not know 
definitively, but most times now you can have pretty good 
attribution, and you can have it pretty quickly.
    Chairman Johnson. Let me ask you what kind of cyber attacks 
actually keep you awake at night. This is where I am going to 
get into the prioritization, the things that we really need to 
be concerned about, which means that is what we need to 
prioritize our assets and our attention toward as well. I will 
stay with you, Mr. Rosenbach.
    Mr. Rosenbach. Yes, sir, in your opening statement you 
talked about maybe the election threat is a little 
overemphasized, and in some ways that may be right. But what I 
worry the most about is a combination of info attacks and cyber 
attacks done by any of those nation-states. The Russians were 
successful in some ways, but that will not be lost on Kim Jong-
un or the Iranians, and they will want to go after our and 
other democracies. They can do things that undermine trust in 
democratic systems. They are not just about elections. The 
financial sector----
    Chairman Johnson. Don't we play into their hands in terms 
of undermining by literally blowing it out of proportion? I am 
not in any way, shape, or form minimizing the seriousness of 
it. We have seen what they did in Crimea, Ukraine.
    Mr. Rosenbach. Yes, Senator.
    Chairman Johnson. Basically an act of war against 
Montenegro if it would have succeeded.
    Mr. Rosenbach. I totally agree, and I did not mean to 
mischaracterize your statement.
    Chairman Johnson. No, we are having a discussion here.
    Mr. Rosenbach. I totally agree with you. Other things I 
worry about that are very important to the way the economy and 
the country runs, our GPS vulnerable to attack, other systems 
like that that these advanced bad guys know we depend very 
heavily on. In the Department of Defense, we always worried 
that someone would take out some of our network that would 
prevent us from responding in an operational way. Just an 
attack on our weapons systems, which are very network-
dependent, always kept me up at night.
    Chairman Johnson. What about attacks on the Financial 
System?
    Mr. Rosenbach. Yes, sir, right.
    Chairman Johnson. We have seen them shut down the 
electrical grid in Ukraine.
    Mr. Rosenbach. Twice, right, for sure.
    Chairman Johnson. These are existential just about, 
correct?
    Mr. Rosenbach. Yes, sir. Those are all real things. With 
the financial sector, they realize that a loss would hurt them. 
They tend to spend way more money than any other sector, so 
that is positive. They tend to be very good. There are a lot of 
things that worry me on the spectrum. But, again, your point 
about the fact that we are watching all of these things happen, 
the Russians take down the power grid in Ukraine twice, and 
then our response--and this was during the time I was in 
there--was weak to none. That is not a good way to improve our 
overall security at a national level.
    Chairman Johnson. Secretary Manfra, in your testimony you 
talked about, somewhat vaguely--and, again, I do not want to 
get into classified information here, but we are aware that 
Russia has done far more than meddle in our election. But you 
talked about attacks on staging versus intended targets. First 
of all, can you define that for me? Can you in a public setting 
lay out as best you can what Russia has done in other critical 
infrastructure outside of the elections?
    Ms. Manfra. Yes, sir. The difference between a staging or 
intended would be if somebody was trying to get a database that 
holds critical data that they want in a company, that company 
maybe has really good cyber defenses, but they are going to 
look for other targets that the company may have a business 
relationship, for example, and they are going to infiltrate 
that company and then try to jump to their ultimate target. We 
see that a lot. We see a lot of what we would call 'staging 
targets' where they are looking particularly for companies, 
what are the business relationships, what are their supply 
chain vulnerabilities. Even though a company itself may be 
doing everything it can, they are vulnerable because they have 
those other connections.
    We have talked publicly a lot about what Russia is doing. 
We have issued an unprecedented number of alerts attributing to 
Russian activity. We issued the alert around the targeting of 
critical infrastructure. It was not that they got into the 
control systems. We were able to disrupt that before they--if 
that was even their intent, but before they got there. But we 
are concerned about what they were stealing, the schematics of 
the control system, for example. We wanted to ensure that 
everybody had access to this information and could defend 
themselves.
    We have also issued this alert around network 
infrastructure devices, around routers, and these are really 
core to how networks and the Internet actually run. If an 
adversary can have access to that router, for example, they 
essentially can do pretty much whatever they want with that 
traffic.
    Chairman Johnson. Let me quickly interject. How did we let 
Kaspersky Labs grow the way we did, knowing what was the 
potential there, let them become one of the largest security 
systems in devices throughout America? Why did the intelligence 
community, why did we allow that to happen? Why did we not blow 
the whistle on Kaspersky years ago? Can anybody answer that 
one?
    Ms. Manfra. I believe in a free and open market where those 
who have the best product can sell that product. That being 
said, the FBI and others and ourselves have been providing 
classified briefs to various different organizations in 
industry.
    What I felt was that we needed to do more. We needed to get 
the word out.
    Chairman Johnson. Were we unaware of the fact that the 
owner, the head of the company, was KGB-trained? Were we 
unaware of that for years? Did that just kind of slip by 
unnoticed?
    Mr. Rosenbach. No, sir. That is something that has been 
widely known. Having very granular intel on things like that is 
hard. In the Department of Defense, we were always much more 
skeptical about Kaspersky, and so I think very rarely used it.
    The point about Kaspersky that is worth maybe internalizing 
is probably the best marketing person for Kaspersky was Edward 
Snowden because all around the world people then doubted 
whether you could trust American cybersecurity firms, and a 
large part of the world decided they would trust Kaspersky 
more.
    Chairman Johnson. Russia.
    Mr. Rosenbach. Right. That is a very unfortunate thing, but 
at least the rest of the world now is under surveillance by 
Kaspersky but not as much of the United States.
    Chairman Johnson. OK. I interrupted your response to my 
question, though. Did you have anything else you wanted to say?
    Ms. Manfra. On Kaspersky, sir?
    Chairman Johnson. Yes.
    Ms. Manfra. No.
    Chairman Johnson. I appreciated Senator Jones' questions in 
terms of number of laws, and I had the exact same question, so 
let me pose it somewhat differently. I think the response from 
both of you is that we do have the authorities, we have the 
laws. I will ask: Do we have too many? Are there overlapping 
laws? Are there conflicts in those laws that create problems 
for you? Or just the sheer volume--again, some of these, we are 
not complying. It does not sound like we are complying at all. 
On the 0 to 10 scale, it is probably 0. Is that because we have 
just passed too many that it has taken the Department's eye off 
the ball?
    Mr. Wilshusen. I do not know if we have too many. 
Specifically, there is some overlap in terms of what agencies 
are required to do, either per law or by government policy. 
Often, some of the laws that are passed codify practices that 
agencies and DHS are already doing. While there is usefulness 
in that, it helps to memorialize and make that a continuing 
requirement, such as with NCCIC, for example. There is 
usefulness in codifying practices so they endure past different 
administrations. But I do not know if I would say that there 
are too many laws related to cybersecurity.
    I will go back to what I said earlier, that it really gets 
back to execution, and there is not sufficient execution of 
those laws that are there or the implementing regulations and 
guidelines that have been identified by either OMB, DHS, or 
NIST.
    Chairman Johnson. Any of you want to comment on that 
question?
    Mr. Rosenbach. Sir, I know when you are in government, it 
is often hard to say something officially on the record about 
there being too many laws, so this is what I would say: When I 
was Chief of Staff at the Department of Defense, the last year 
the National Defense Authorization Act had 1,500 pages of new 
laws. The year before that, it had 1,400 pages of new laws. If 
you go through and you put all those together, it really binds 
the hands of executives in government no matter what the 
department.
    In the case of DHS, when they have all these overlapping 
jurisdictions, it makes it even more complicated because then 
they will be testifying on maybe the same law or theme for 
several different committees.
    I think there is something here that is not right about the 
way government is working. My humble perspective.
    Chairman Johnson. I do not know too many organizations that 
would recommend having a 535-member board of directors.
    Mr. Rosenbach. No, sir.
    Chairman Johnson. We have kind of seen the results.
    Secretary Manfra, do you have a comment?
    Ms. Manfra. We have not done the analysis to answer your 
question specifically, though we would be happy to work with 
you on that. I think from my perspective I feel that we have 
the laws that we need to execute our job, and as Greg said, it 
is a lot about capacity to actually execute. I think what we 
are doing is looking across, whether it is laws, reporting 
requirements, or regulations, where there are unnecessary 
burdens that are either put on the private sector or Federal 
agencies or whether maybe it is something useful but needs to 
be implemented better. I know that is a fairly broad answer. It 
is only just because I do not have specific analysis.
    Chairman Johnson. I will tell you, my attitude toward this, 
being Chairman of the Committee with jurisdiction over DHS, is 
we will get referred to us all kinds of different bills that 
have either passed the House or that are proposed by Senators, 
and we take all those very seriously. But we also take our 
responsibility to make sure that the Department is in--and I do 
not want to say ``total agreement'' because sometimes you have 
to potentially, with oversight do corrective action. But you 
sure would like to be cooperatively working with the Department 
to make sure that what is being passed out of here is 
complementary and helps you succeed in your mission, which is 
one of the reasons that our DHS authorization--and Senator 
Heitkamp was helpful on this as well, recognizing just this 
oversight and the number of committees of jurisdiction here, 
every time I ask I get a different number. It keeps getting 
higher.
    In that DHS authorization, which is why I am really hoping 
that we get that on the floor and pass it in its entirety, 
would be at least a commission, because there are not many 
committees or subcommittees that are just willingly going to 
give up their jurisdiction. But they need to understand--and, 
that is why, Mr. Rosenbach, I really do appreciate your 
testimony there. It is madness, and from my standpoint I think 
it puts at risk our national security and our homeland 
security. I think that is just true.
    Secretary Manfra, you talked about having the authorities, 
and I know in our briefing on election security, it is the 
point you made as well. Now, maybe you have changed because you 
seem certainly open or appreciative, and I think we all 
appreciate the efforts here. Do you still believe when it comes 
to your role making sure that we have free and fair elections 
and they cannot be tampered with, does the Department have 
enough legal authority to do what you think needs to be done?
    Ms. Manfra. Recognizing that this is a voluntary 
partnership, and I believe that is the right partnership model, 
I do believe that we have the authorities and the legal 
mandates to accomplish that mission. As we mentioned, we 
appreciate the $26 million. We have a fairly broad mission. We 
have a lot of critical infrastructure, to include election 
security, to include defending 101 Federal agency networks. I 
keep going back to authorities, very important, and we are 
grateful that we have them. But we also need to ensure that we 
have the capacity to execute them.
    Chairman Johnson. One aspect of security is just creating 
modules that are completely separate. I do want to step through 
a set of questions. Again, let me emphasize, I believe this is 
a very serious issue. As Chairman of the European Subcommittee 
on Foreign Relations, I have seen Russian interference for 
years. We have held hearings on it, OK? The political 
assassinations, what they have done. I do not underestimate 
this. But at the same time, I do not want to be playing into 
Putin's hands in terms of creating this great doubt in our 
election system. I do want to hopefully provide some 
reassurance.
    Let me start off, we spend billions of dollars--I am not a 
real fan of the professional political campaign class for a 
number of reasons. A lot of that money is wasted. What did 
Russia apparently spend on Facebook? Was it even $1 million? 
How effective is any political advertising? That would be my 
first point.
    But in terms of voting machines, lest anybody think that 
they can be manipulated through the Internet, Secretary Manfra, 
are any of them connected to WiFi or to the Internet?
    Ms. Manfra. The best practice is to not connect them, and 
all the State and local officials that we talk to, they assure 
us that they do not.
    Chairman Johnson. They do not. Now, some of them have no 
capability--correct?--although some do have WiFi, they are 
WiFi-capable, and maybe that is something we should do, is make 
sure that those are disabled.
    Ms. Manfra. That is correct. Not all of them have that 
WiFi, and they should absolutely be disabled.
    Chairman Johnson. Now, the concern in terms of Russian 
meddling, to me it would be three-fold. First of all, could 
they get in and get into the voting machines and actually 
affect the tallies? Next is: Can they get in the voter file? By 
the way, I am concerned about voter files that are not updated 
by election officials on the State and local level. That is a 
concern. Then I think finally it really is the sowing of 
confusion, the disinformation, doing exactly what the Obama 
Administration was trying to prevent in its briefing in 
September 2016, is get the American public questioning the 
legitimacy of an election.
    Let us go through affecting the vote tallies. How probable 
is that?
    Ms. Manfra. Our assessment is that it would be nearly 
impossible to achieve that undetected.
    Chairman Johnson. Anybody want to dispute that?
    Mr. Rosenbach. I do not know. I do not know anything from 
intelligence. What I do know is how good the Russian 
intelligence services are, and all the things they did to the 
Department of Defense even in classified networks. I personally 
find it hard to believe that we would always be able to detect 
whether the Russian intelligence services were penetrating into 
that.
    Here is a scenario. Sir, you know how dependent a lot of 
the States are on vendors. There is no way those vendors' 
networks are so secure that the Russians hypothetically could 
not get in supply chains. There is not a great risk. That I 
completely agree with. But there will always be some.
    Chairman Johnson. Which is one of the reasons in my voting, 
we do it on a paper ballot, and we put it in an optical 
scanner, and you have the paper trail right there.
    Mr. Rosenbach. Yes, sir. That is right.
    Chairman Johnson. One of my favorite sayings is, ``All 
change is not progress. All movement is not forward.'' As we 
have upgraded to more electronic voting machines, I am glad 
that in my voting precinct we do not do that.
    Mr. Rosenbach. If I could say something, I do not want to 
interrupt the flow of your questions, but the folks from 
Wisconsin and the election team there came to the Kennedy 
School and literally have been probably near perfect partners 
in terms of all of the States who we have worked for. We had a 
team that went to Wisconsin, looked at what they were doing, 
and learned from them. They came and helped us design a 
tabletop exercise for the other States. They participated in 
our tabletop exercise. It is those people who are very good 
about thinking about resilience, and they get the problem. That 
is what gives me the most confidence, because they are there, 
they are working on it. It is not in the abstract that their 
systems----
    Chairman Johnson. The reason I am taking the time and going 
through these details, I want to restore some confidence, 
because I think a lot of confidence, because I believe we need 
to take it seriously, but let us not blow it out of proportion. 
Let us in public display, talk about what the true risks are. 
In terms of actually changing the voting tallies, very 
difficult to do electronically--not impossible because they 
share vendors, but those machines are offline. What are the 
controls in place? You have election observers, Republican and 
Democrat, maybe Independent, at most voter precincts. Now, 
depending on how Republican or Democratic a precinct is, the 
effectiveness of that might be an issue. But we have exit 
polls, we have pre-polls. Describe the controls that are in 
place at a local election site to hopefully give the public 
confidence that the vote tallies are going to be very difficult 
to change enough for them to have an effect, to really affect 
the outcome of an election.
    Ms. Manfra. Yes, sir, and I think you phrased it perfectly 
actually in the beginning of the hearing, it is about 
mitigation, and it is about risk mitigation. What we learned--
and we spent a lot of time with election experts in 2016, 
because, again, we try to take a risk-based approach. We cannot 
fix everything. We cannot perfectly secure everything. We 
cannot defend everything. But what we can do is learn enough 
about the risk and help people prioritize. A lot of cyber 
people like to think about cyber solutions to their problems, 
but the reality is that we have a very decentralized, for 
better or worse, election system. We have a lot of observers in 
the process, and we have a way of tallying votes from that 
local polling station all the way up to the State that led us 
to that conclusion that there were so many observers in the 
process that somebody would note, there would be an indicator 
if something was wrong. That was where we got to this judgment.
    Yes, there are security researchers and hackers out there 
that can get into a voting machine, absolutely. But that is not 
the way it works on an actual election day. These machines are 
protected in warehouses, physically locked up. They are then 
transported in a physically secure way to these polling 
stations.
    Now, again, is this 100 percent trying to remove all risk? 
We are not.
    Chairman Johnson. No, listen, there is voter fraud. How 
extensive in my own mind probably not all that extensive except 
in a very close election maybe to affect the outcome.
    Mr. Rosenbach, either agree or disagree or dispute it? What 
are your thoughts on that?
    Mr. Rosenbach. No, sir, I agree, and, our project is just 
one small thing. It is not the Department of Homeland Security. 
But we have been trying to do the same thing. We have these 
playbooks where State and local election officials see all 
these best practices. They have been super-receptive to that. 
They understand that this is a system of systems. It is 
actually least often the case that we worry about the election, 
the electronic voting machine itself, as opposed to everything 
else that could be in there, and the way that you respond to 
that, just as you mentioned, is really important, incident 
response. Even if there were hypothetically something, if the 
Secretary of State with the local election officials came out 
and explained what may have happened, how you mitigated for 
that, then the public is much more likely to say, ``OK, this 
looks like something I can trust. The bad guys tried to get in. 
Maybe they did a little bit. Here is all the evidence.''
    We have found that that public communications aspect is 
more challenging than any of the technical part, because 
probably for very good reason, most State election officials 
are not really eager to get out in front of a camera and talk 
to the press about something that is as complex as a possible 
cyber info attack.
    Chairman Johnson. But, again, that is what we are trying to 
do right now, is reestablish some confidence that there are 
audit trails, there are recounts, there are things that would 
show up that you would really start scratching your head and 
go, ``There is a problem here.'' Let us say the vote totals 
exceed the number of people registered in a particular 
precinct, we should actually have some examples of that as 
well. But, that maybe is not malicious outside actors. That 
could be just an example of voter fraud.
    Ms. Manfra. Yes, sir, and if I could just add one thing, 
since you mentioned auditing, we do encourage all States to 
have an auditable trail. Not all of them have it. I was 
referring to kind of the checks and the balance and the 
observation of the vote count. Having an ability to go back 
forensically review and audit what happened I think is 
important. I want people to understand that there are some 
States that still do not have it.
    Chairman Johnson. Let us talk about the next area that 
there could be some mischief in terms of voter files. That 
could be malicious actors outside through--this I think would 
be more concerning, which is one of the reasons I was not 
willing to leave that briefing in September and say I have 
complete confidence, because I learned in that briefing that 
Russia had attempted to access voter files. That could be a 
problem. But, how would that manifest? How would that show up? 
You potentially go to your polling place and your name is not 
on it, or a bunch of people's names are on there that should 
not be on there. Also something that could come to light in the 
election, but that is exactly what, for example, a country like 
Russia would be trying to do, is try and disrupt the election, 
delegitimize it, produce a lack of confidence, correct?
    Mr. Rosenbach. Yes, sir, that is right. In our research we 
found that, again, election officials are used to doing 
business continuity planning. They are used to being resilient, 
because something bad always happens in an election--the 
weather, electricity. The backup of the voter files in most 
cases was something they were doing on a regular basis anyway. 
Even if, depending on the State, on election day a certain name 
was not on there, they have established standard operating 
procedures (SOPs) for how to deal with those things. That is 
another risk-limiting type function in the overall risk 
mitigation strategy that you would use.
    Chairman Johnson. They can do, what do they call it? Not a 
probationary ballot, but a----
    Ms. Manfra. Provisional ballot.
    Chairman Johnson. Provisional ballot, right.
    Anybody else want to comment just in terms of the voter 
files? If you have a backup and then somebody hacks into it, 
you are comparing those two, you can do a blend and go, ``Oh, 
there is a problem here,'' right?
    Ms. Manfra. Our assessment of the risk related to voter 
registration files and why we are concerned about it, not just 
because we had instances of it happening and being targeted, 
again, it is not so much about the privacy of the information 
because many of those registration files are not necessarily 
private. What it was about is to your third point, an ability 
to potentially sow confusion on voting day. Even though a 
provisional ballot is available, if you are concerned, was and 
remains, if people think that they are in the wrong place, they 
may decide, OK, well, I do not have time, or the lines get 
long, it is those sort of more--I guess it would generally fall 
in the information operations side. But that sort of is why we 
were concerned about voter registration databases.
    Chairman Johnson. OK. My point in spending a fair amount of 
time on this is to lay out the facts, lay out the reality, and 
provide some level of comfort that there are a lot of checks 
and balances in this process. I think the decentralized nature 
of our elections provides even greater security. Is this a 
serious issue? Sure, and we need to take it seriously, and we 
need to strengthen those controls. But I do not think we should 
blow this out of proportion and call into question the 
legitimacy of either past or future elections. That is kind of 
my main point. If you want to make a final comment on that 
before I move to my next points, Mr. Rosenbach?
    Mr. Rosenbach. Sir, the only thing I would say is I 
completely agree that this is not about the previous election. 
It did not impact the outcome. The point for me is the idea 
that any other nation could or is designing to impact the 
outcome of our elections and influence our democracy is 
something that I think upsets every American and is exactly 
what you are saying----
    Chairman Johnson. I agree. But, my point is what keeps me 
awake at night is shutting down the electrical grid, hacking 
into our financial system. You want to talk about chaos, that 
would be it right there. Yes, take this seriously looking 
forward, strengthen our controls, but there are an awful lot of 
controls in place that give me a fair amount of confidence, 
which puts this in terms of my things I worry about lower on 
the priority list. We have to be cautious not to blow it out of 
proportion.
    Let us just use an example. The fact that we were not able 
to attach to the omnibus the renaming of NPPD, somebody had an 
objection. What type of turf wars are existing within this 
realm? We have DHS, we have DOD, we have NSA, and we have the 
intelligence community. Do we have stovepipes? That is one of 
the lessons we learned from 9/11. We had stovepipes; those 
needed to be broken down. We need to work cooperatively.
    Mr. Rosenbach, you were talking about kind of a national 
center for this, which from my standpoint, when you have to 
have the private sector liaison plugging into some form of 
government, you want a civilian agency like DHS. Yet we have 
resistance to that. Let us lay out the reality of what we are 
dealing with here.
    Mr. Rosenbach. I really have no idea why someone would 
object to NPPD changing their name. That seems to me one of 
these extremely crazy cases of government where an organization 
cannot even rename themselves. We should probably do a case 
study at the Kennedy School about how inane this can be 
sometimes.
    Chairman Johnson. It requires an act of Congress. It is 
bizarre to me.
    Mr. Rosenbach. Yes, sir. It is not you, but people can pass 
all these laws about DHS, and they cannot even name themselves? 
Humble outsider, but it seems crazy.
    Chairman Johnson. We will clip that testimony, too. 
[Laughter.]
    Mr. Rosenbach. It is interesting. If I think back to when I 
was first Deputy Assistant Secretary, which was almost 8 or 9 
years ago now, we did not get along with DHS, and no offense to 
Jeanette, but DHS was kind of a mess. There were a lot of people 
saying put DOD in charge of domestic cybersecurity, which would 
have been a horrible idea. We worked it out. There was one very 
memorable time when we were here in the Senate, and we did a 
tabletop exercise for the entire full Senate. Senator Mikulski, 
after the tabletop exercise, pointed to the Cabinet, and the 
Obama Administration said, ``Who is in charge when there is a 
huge cyber catastrophe?'' No one there could actually 
understand, and so we worked through that. Things are much 
better now. We are making a lot of progress.
    Chairman Johnson. Could they answer that question now?
    Mr. Rosenbach. It is very clear. It is actually DHS. In 
terms of incident response, they know that they are in charge. 
Now, in terms of the hit back, that was DOD. But even those 
things were not clear at the time, so there has been a lot of 
progress, which I think is good.
    That said, it now comes to the capability point. When I 
talk about an idea I have about DHS having more capability to 
do domestic cybersecurity things that could help critical 
infrastructure, that is what gives them cachet with the private 
sector and with others, is if they bring something to the 
table.
    Chairman Johnson. Secretary Manfra.
    Ms. Manfra. I do not think we were a mess. [Laughter.]
    Chairman Johnson. You can always improve.
    Ms. Manfra. It is good to testify next to former government 
officials.
    I think that Eric raises a really important point, though, 
that the government as a whole has matured a lot in thinking 
about cybersecurity and just generally how cyber is something 
that is a part of nearly every mission that we do, whether you 
are a trade agency, FEMA, or the Department of Defense, the 
notion that we operate on these systems and they are critical 
to our mission; but also that we have a lot of capability in 
the government to deter and to disrupt the threat.
    My Department has, I think, matured a lot, as we have 
talked about quite a bit. We have had a great deal of 
authorities in the past few years that we did not have 
previously. That I think helps. We have had significant growth 
in my organization. When I first started there, 11 years ago-ish, 
we had maybe 100 or 150 people, and now we are authorized 
up to 1,000. But we have a really big mission.
    I have never received anything but full support from, 
whether it is the intelligence community, CYBERCOM, or DOD. 
What I do think is that we have to continue to ensure that 
everybody is positioned to think about how do we best defend 
our networks. How do we use the information and the tools that 
the government has available to it that is unique and ensure 
that we defend that? I believe it is DHS' role to drive that 
conversation, and I think as we have matured and we have 
learned from industry, we are better at doing that within the 
interagency.
    Chairman Johnson. You have been at NPPD how long?
    Ms. Manfra. Ten and a half years.
    Chairman Johnson. OK, so you have spanned administrations, 
which is good. That provides a little bit of comfort.
    Mr. Wilshusen, can you comment on this? Obviously, GAO has 
taken a look at all the government. Have you witnessed any 
stovepipes, any turf wars?
    Mr. Wilshusen. I will say that there could be at certain 
times among the agencies, particularly early on. But I think 
DHS has done a pretty good job as well, once it was given the 
statutory authority to issue binding operational directives. In 
the past, if DHS said something, there could have been some 
conflicts with other sister agencies. But I think the way it 
has shaken out with the authorities given to DHS and the way 
DHS has exercised those authorities that some of the turf wars 
have been alleviated.
    Chairman Johnson. One of the big issues with cyber, it is 
just complex. I use the analogy of ``Gilligan's Island.'' On 
this island most of us are Gilligans. Not too many professors 
know how to make a battery out of a coconut. It is just the 
vast majority of people do not understand this. We use the 
device. We just had the hearing with Facebook. The vast 
majority of people claimed, clicking on ``I accept the 
policies,'' had no idea. I think there is great awareness of 
how much of their private information is now available and is 
being used, being monetized. That is a problem.
    I am going to ask my final question in two parts, and it is 
unfair, but I am going to ask you to give me a number anyway, 
because I did not do it on individual, but just overall I think 
we have made a great deal of progress in this incredibly 
complex environment. I think from this testimony I have been 
given a little more comfort. We are getting our act together, 
but it is difficult, it is complex, and the folks on offense 
are always going to be--I do not know how far ahead. My sense 
is over the last 7 years we are closing the gap.
    One of the beauties of cyber defense is you do not have to 
build an expensive wall. It is code, and it can be really 
implemented at the speed of light. But, people are always on 
offense.
    My final question is, 0 to 10, how far have we come in 
terms of implementing of what we need to implement, first of 
all, in government but also then in the private sector? 
Actually, let us start with the private sector. Madam 
Secretary, why don't you start? Zero to 10, how far has the 
private sector come in terms of cybersecurity and cyber 
defense?
    Ms. Manfra. Well, it is----
    Chairman Johnson. By the way, what I should do is have you 
rate--like ``Jeopardy?!'' write down your answer. [Laughter.]
    No, I mean it. Write down your answer first.
    Mr. Wilshusen. Over what period of time----
    Chairman Johnson. First on the private sector. OK, how far 
have we come, 0 to 10 in terms of enacting cybersecurity?
    Mr. Wilshusen. Over what period of time?
    Chairman Johnson. The last 7 years. Where do we need to go? 
It does not make any difference. Where do we need to go, if 10 
is we have this nailed and we have the defense to really defend 
against any offense? First of all, in the private sector and 
then where are we in government? Do not be looking at each 
other's work. [Laughter.]
    We really ought to have that theme song.
    Secretary Manfra, so what is your answer? I will trust you 
to tell me.
    Ms. Manfra. I think if I could preface, it is hard to treat 
the private sector as a monolithic entity.
    Chairman Johnson. Oh, even government. I know.
    Ms. Manfra. Just prefacing----
    Chairman Johnson. It is a very unfair question. I got it. 
It gives me some indication though.
    Ms. Manfra. In talking about it in terms of how far we have 
come, I would probably give us, both the private sector and the 
government, in the 5 to 6 range. That is simply just because I 
believe that we have come a really long way. However, to 
truly--and I hope you will appreciate this. I talk a lot about 
getting the advantage back to the defenders, and being from 
Wisconsin, I believe defense wins championships, except for 
maybe last year. But other than that----
    Chairman Johnson. You need a little offense every now and 
then.
    Ms. Manfra. You need a little bit of offense. But I really 
do believe that we can use the asymmetric advantage that the 
United States does have, which is a strong industry in, whether 
it is the financial sector or the Internet, we have a powerful 
industry, we have a powerful government. What remains is 
putting it all together. I think this is DHS' thing to own. We 
do not own it completely. We have a lot of other partners in 
this. But that is sort of why I would put us in that 5 to 6 
range.
    Chairman Johnson. OK. But actually pretty equal between 
government and private sector, not one ahead of the other?
    Ms. Manfra. It is different challenges, but I do think 
equal.
    Chairman Johnson. Mr. Wilshusen.
    Mr. Wilshusen. Senator Carper once referred to me as a 
``glass-half-empty'' type of guy, so I am going to go with a 
little bit lower than Jeanette and probably go 3 and 4, and I 
actually think----
    Chairman Johnson. Is that 3 government, 4 private sector?
    Mr. Wilshusen. Actually, no. The other.
    Chairman Johnson. OK.
    Mr. Wilshusen. Flipping. I actually think government may be 
further along than----
    Chairman Johnson. Greater awareness, you think?
    Mr. Wilshusen. I think it is greater awareness, and it is 
greater guidance from up at the top and having the standards 
and the framework in place; whereas, it is more monolithic than 
you say with the private sector, which is very heterogeneous 
and has many different areas. I know that there are always--
when we go out to look at the security, which is not often, but 
we do examine the security controls at certain private 
companies, either providing services to the Federal Government 
or others, we typically find just as many if not worse security 
at those companies than we do find at the agencies. We find 
pretty significant vulnerabilities at the agencies.
    I would say generally I think government has probably a 
greater framework for its overall information security policies 
and standards than do the private sector.
    Chairman Johnson. Mr. Rosenbach, are you a glass-half-full 
or glass-half-empty?
    Mr. Rosenbach. I pride myself on being an optimist. Maybe 
that is because I lived through like the last 8 years, seeing 
all this bad stuff happen. I actually think the private sector 
is closer to 7, maybe 7.5. That is primarily because the 
cybersecurity industry and the tech sector are moving very 
quickly, and there are a lot of options out there that 
mitigate----
    Chairman Johnson. But not everyone in the private sector. I 
mean, there are a lot of people down near 0.
    Mr. Rosenbach. Yes, of course. I think the government is 5. 
If you said Department of Defense, I would say, OK, well, of 
course, we are better than everyone else. [Laughter.]
    But that is easy to do when you can tell people what to do 
and you have a $700 billion budget. But, overall, I think the 
government is probably 5, and that includes government policy 
about national security decisions, when we will respond to 
stuff, when we will attribute things.
    Chairman Johnson. I know that is a very unfair question and 
it is a very subjective answer, but it does give you some sort 
of feel. We have come a long way. I think it is just obvious. 
But we have quite a ways to go, and we cannot take our eye off 
the ball here. These are very serious problems we face, an 
enormous challenge.
    Again, I want to thank all of you for your testimony, for 
indulging my lengthy questions here. I think this was an 
excellent hearing, and I just want to thank you.
    With that, the hearing record will remain open for 15 days 
until May 9 at 5 p.m. for the submission of statements and 
questions for the record.
    This hearing is adjourned.
    [Whereupon, at 12:34 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

