[Senate Hearing 115-445]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 115-445

                   NOMINATION OF CHRISTOPHER C. KREBS
                    TO BE UNDER SECRETARY, NATIONAL
                  PROTECTION AND PROGRAMS DIRECTORATE,
                  U.S. DEPARTMENT OF HOMELAND SECURITY

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS


                             SECOND SESSION

                               __________

       NOMINATION OF CHRISTOPHER C. KREBS TO BE UNDER SECRETARY,
             NATIONAL PROTECTION AND PROGRAMS DIRECTORATE,
                  U.S. DEPARTMENT OF HOMELAND SECURITY

                               __________

                             APRIL 25, 2018

       Available via the World Wide Web: http://www.Govinfo.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs



                     U.S. GOVERNMENT PUBLISHING OFFICE 
32-455 PDF                WASHINGTON : 2019                 

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma             GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming             MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota            KAMALA D. HARRIS, California
STEVE DAINES, Montana                DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
              David N. Brewer, Chief Investigative Counsel
          Michelle D. Woods, Senior Professional Staff Member
               Margaret E. Daum, Minority Staff Director
               Donald K. Sherman, Minority Senior Counsel
           Julie G. Klein, Minority Professional Staff Member
           Joel F. Walsh, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Bonni E. Dinerstein, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator Heitkamp.............................................     2
    Senator McCaskill............................................     5
    Senator Harris...............................................     9
    Senator Peters...............................................    14
    Senator Hassan...............................................    17
    Senator Lankford.............................................    18
Prepared statements:
    Senator Johnson..............................................    27
    Senator McCaskill............................................    29

                               WITNESSES
                       Wednesday, April 25, 2018

Christopher C. Krebs, to be Under Secretary, National Protection 
  and Programs Directorate, U.S. Department of Homeland Security
    Testimony....................................................     3
    Prepared statement...........................................    32
    Biographical and financial information.......................    34
    Letter from the Office of Government Ethics..................    51
    Responses to pre-hearing questions...........................    54
    Responses to post-hearing questions..........................   104
    Letters of Support...........................................   123

 
                  NOMINATION OF CHRISTOPHER C. KREBS
                    TO BE UNDER SECRETARY, NATIONAL
                  PROTECTION AND PROGRAMS DIRECTORATE,
                  U.S. DEPARTMENT OF HOMELAND SECURITY

                              ----------                              


                       WEDNESDAY, APRIL 25, 2018

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 3:05 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, McCaskill, Carper, 
Heitkamp, Peters, Hassan, Harris, and Daines.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. This hearing will come to order.
    Today we are holding this hearing to consider the 
nomination of Christopher C. Krebs to be the Under Secretary 
for the National Protection and Programs Directorate (NPPD), 
Department of Homeland Security (DHS). I think we are all 
hoping that that will soon be named the ``Cybersecurity and 
Infrastructure Security Agency'' (CISA). Maybe this will be the 
last time we ever hold a confirmation hearing for that 
Directorate's confirmation.
    I do not have a whole lot to say in terms of an opening 
statement. We had a really good hearing yesterday. Jeanette 
Manfra from the Office of Cybersecurity and Communications 
testified yesterday, and I think we really laid out the issues 
and asked a lot of good questions.
    I would ask that my written statement be entered into the 
record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 27.
---------------------------------------------------------------------------
    I also want to enter into the record eight letters we have 
received in support\2\ of Mr. Krebs signed by 58 different 
individuals, and it is a broad range of people from former DHS 
officials, Central Intelligence Agency (CIA), Federal Emergency 
Management Agency (FEMA), U.S. Customs and Border Protection 
(CBP), Department of Treasury, National Institute of Standards 
and Technology (NIST), the Department of Defense (DOD), 
National Security Agency (NSA), National Security Council 
(NSC). I think you get the drift.
---------------------------------------------------------------------------
    \2\ The letters referenced by Senator Johnson appear in the 
Appendix on page 123.
---------------------------------------------------------------------------
    There seems to be a fair amount of support for this 
nomination. It is obviously an enormously important position. 
What was underscored in yesterday's hearing is that the threats 
we face are real; they are pervasive; they are growing. And as 
much as we have improved our defenses, folks on offense are not 
standing still either. So we still have that gap between 
offense and defense, and this is going to affect every part of 
our economy. It affects every nation in the world. In some 
respects, it can be an existential threat to this Nation.
    So the responsibilities of the Under Secretary are 
enormous, and we certainly want to thank you, Mr. Krebs, for 
your willingness to serve again. We want to thank your 
beautiful family, and we hope you introduce them in your 
opening comments. This is a full-time job, and you are going to 
be devoting a lot of time. You will be having a lot of time 
away from your beautiful family. So this is a whole family 
sacrifice, and we really do appreciate your willingness to 
allow Christopher to serve in this capacity.
    So, with that, it is the tradition of this Committee to 
swear in witnesses, so if you will please stand and raise your 
right hand. Do you swear that the testimony you will give 
before this Committee will be the truth, the whole truth, and 
nothing but the truth, so help you, God?
    Mr. Krebs. I do.
    Chairman Johnson. Please be seated.
    Senator Heitkamp, in the absence of Senator McCaskill, do 
you have a couple comments you would like to make?

             OPENING STATEMENT OF SENATOR HEITKAMP

    Senator Heitkamp. This is a division that I think has been 
misnamed, and I would not say mismanaged but lacking focus. And 
I can only say from the hearing we had yesterday and reading 
your resume and the support, thank you for applying. Thank you 
for being willing to serve. This is an area where clearly 
people from this sector could command a lot of money in the 
private sector, and the willingness that you have exhibited to 
come to Washington and to be part of doing this for the entire 
country, it is a patriotic act, and I want to thank you.
    We are really excited to hear your testimony, but I cannot 
speak for the rest of my colleagues on this Committee. I am 
excited to get you confirmed and get you to work so we can 
continue the discussion that we started yesterday.
    Thank you, Mr. Chairman, and good luck.
    Chairman Johnson. There is no doubt about it, we are very 
fortunate to have such a qualified candidate.
    So, with that, Mr. Krebs, why do you not start your 
testimony?

  TESTIMONY OF CHRISTOPHER C. KREBS TO BE UNDER SECRETARY,\1\ 
 NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT 
                      OF HOMELAND SECURITY

    Mr. Krebs. Chairman Johnson, Ranking Member McCaskill, and 
Members of the Committee, thank you for the opportunity to 
appear before you today as the President's nominee for Under 
Secretary of Homeland Security for the National Protection and 
Programs Directorate. I am honored to have been nominated for 
this position by President Trump, and I am grateful to have 
Secretary Nielsen's support.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Krebs appears in the Appendix on 
page 32.
---------------------------------------------------------------------------
    More than anything else, I am especially grateful for the 
strong support of my family, and I would like to recognize 
those who have joined us today.
    First, I would like to thank my parents, Van and Fran, for 
providing me the opportunities in life to succeed; my brothers 
who could not join us today, William and Davis, for keeping me 
honest, but also helping me develop my partnership-building 
skills; and my father-in-law, Dave, and mother-in-law, Patrice, 
for being there for me, my wife, and often as baby sitters for 
our children. Those kids are here today. We have Henry, Anna, 
Charlie--I think Jack had to step out.
    Chairman Johnson. He is under wraps.
    Mr. Krebs. Then the fifth is going to join us later this 
year. [Laughter.]
    Chairman Johnson. Was that a new announcement?
    Mr. Krebs. Yes.
    Chairman Johnson. Congratulations.
    Mr. Krebs. Thank you. They do keep me grounded----
    Senator Heitkamp. You missed your parents' response. 
[Laughter.]
    Chairman Johnson. This is a Committee first, at least under 
my chairmanship, so thanks.
    Mr. Krebs. Good start. They do keep me grounded, and I come 
to work every day to make the world a better, safer place for 
their future.
    Last, but certainly not least, I would like to recognize my 
wife, Emily. Without her support, her patience, her strength, 
and her love, I would not be here today.
    I would also like to give thanks to my friends, my 
coworkers old and new, and everyone else who has supported me 
on this journey. I am humbled to have their support. And those 
letters you mentioned, I am humbled to have the support of that 
community.
    I am fortunate to have served at DHS in several capacities. 
Currently I serve as both the Assistant Secretary for 
Infrastructure Protection as well as the Senior Official 
Performing the Duties of the Under Secretary (SOPDUS) at NPPD, 
two names I would like to retire. I have dedicated my career to 
risk management and critical infrastructure protection in both 
government and the private sector. I am passionate about this 
mission, and if confirmed, it will be my honor to lead the 
Department's cyber and infrastructure security mission.
    This context is important. In our nomination discussions, 
many of you asked what drew me to this job. The answer is 
simple: I view this position as the pinnacle of national risk 
management in cyber and physical infrastructure. We can do more 
to advance a national risk management agenda than any other 
single place in the U.S. Government. And since no single 
stakeholder has all the information necessary to detect or 
comprehensively manage systemic risk, NPPD's information-sharing 
and coordination role and ability to engage policy- and 
decisionmakers are essential to success in our shared homeland 
security mission.
    Success in this mission cannot be possible without the 
tireless work of NPPD's incredibly talented workforce. While 
serving as the senior official, I have sought to place the 
employees first by creating a team-oriented culture, ensuring a 
diverse and inclusive environment, and helping good ideas rise 
to the top. If confirmed, I will continue to tirelessly 
represent the men and women of NPPD; increase the visibility of 
our mission and organization; and assertively engage 
leadership, industry, Congress, and our other stakeholders on 
their behalf.
    NPPD's responsibilities have grown substantially since its 
inception, driven by a dramatic shift in the threat environment 
few could have anticipated 10 years ago. Today we face the 
challenge of managing risk in both the physical and digital 
worlds. This risk comes from Mother Nature; a diverse group of 
threat actors including nation-states like Russia, China, Iran, 
and North Korea; as well as cyber criminals, terrorist groups, 
and others. We must do everything we can to mitigate these 
threats and enhance the resilience of our infrastructure.
    I see three primary strategic goals for NPPD. First, we 
must defend civilian networks and secure Federal facilities. 
Second, we must help manage systemic risk to national critical 
functions. And, third, we must raise the security baseline by 
providing stakeholders with the tools and resources they need 
to secure infrastructure. We must foster voluntary, incentive-
driven partnerships with a wide range of stakeholders. If 
confirmed, I will draw on my private sector experience and 
understanding of government's unique value to ensure our 
approach is customer-centric and requirements-driven.
    Operationally, one of my top priorities at NPPD has been 
enhancing the resilience of our Nation's election systems. In 
the face of unprecedented Russian interference in our 2016 
election, NPPD has worked closely with State and local election 
officials across the country to ensure each American's vote 
counts and is counted correctly. If confirmed, I will continue 
to make this my top priority.
    I will also work closely with Congress to facilitate 
oversight of NPPD's activities and advance shared legislative 
priorities, including restructuring NPPD, enhancing election 
system security, reauthorizing the Chemical Facility Anti-
Terrorism Standards (CFATS) program, hardening infrastructure 
against threats like electromagnetic pulse (EMP) and others.
    I want to thank this Committee for including legislation 
transforming NPPD into the Cybersecurity and Infrastructure 
Security Agency in the recent DHS authorization bill. I look 
forward to working with this Committee to pass that critical 
legislation.
    Thank you again for the opportunity to appear before you 
today, and I look forward to answering your questions.
    Chairman Johnson. Thank you, Mr. Krebs.
    As we ad libbed the opening here, I forgot to introduce 
you, so I will do that now before I ask our three questions.
    Mr. Christopher Krebs is currently serving as the Assistant 
Secretary for the Office of Infrastructure Protection for the 
National Protection and Programs Directorate in the Department 
of Homeland Security and is concurrently filling the role as 
the Senior Official Performing the Duties of the Under 
Secretary of the NPPD. That is as long a title as I have ever 
read.
    Prior to joining DHS, Mr. Krebs was the director of 
cybersecurity policy for Microsoft, leading their work on 
cybersecurity and technology issues. Mr. Krebs previously 
served in DHS as a Senior Adviser to the Assistant Secretary 
for Infrastructure Protection, where he helped establish a 
number of national and international risk management programs.
    Again, I could not be more pleased we have a person of such 
caliber and experience willing to serve our Nation in this 
capacity.
    There are three questions the Committee asks of every 
nominee for the record.
    First, is there anything you are aware of in your 
background that might present a conflict of interest with the 
duties of the office to which you have been nominated?
    Mr. Krebs. No, Mr. Chairman.
    Chairman Johnson. Second, do you know of anything, personal 
or otherwise, that would in any way prevent you from fully and 
honorably discharging the responsibilities of the office to 
which you have been nominated?
    Mr. Krebs. No, sir.
    Chairman Johnson. And, finally, do you agree without 
reservation to comply with any request or summons to appear and 
testify before any duly constituted committee of Congress if 
you are confirmed?
    Mr. Krebs. I do. And if I may caveat the first answer on 
the conflicts of interest, I have consulted with Ethics 
Counsel, and I will recuse myself for the next 11 months from 
any particular matters involving Microsoft or the National 
Cybersecurity Alliance.
    Chairman Johnson. OK. That is noted for the record.
    I will defer my questions out of respect for other Members' 
time here, so, Senator McCaskill?

           OPENING STATEMENT OF SENATOR MCCASKILL\1\

    Senator McCaskill. Thank you. I want to apologize to you, 
Mr. Krebs, for not being here at the beginning. I was on the 
floor trying to get a UC for a Taxpayer's Right to Know data 
availability online bill with Senator Lankford. We were trying 
to get it passed, and so I was running a little late, so I 
missed the announcement about your family and that you have 
four children and one on the way?
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator McCaskill appears in the 
Appendix on page 29.
---------------------------------------------------------------------------
    Mr. Krebs. Yes, ma'am.
    Senator McCaskill. My husband and I have seven children, 
and we have 11 grandchildren, and I just want you to know the 
more babies, the better. [Laughter.]
    It is the motto around my house. We just had two new babies 
a month and a half ago, two new grandsons, and they are the 
light of my life.
    I want to ask you--first of all, I am thrilled that you 
have agreed to serve. I have reviewed your background, and I 
think you are--and I will tell you that staff that interviewed you came 
back and said, ``He is the real deal. He really knows what he 
is talking about.'' We need you in this job, I believe, and I 
think it is very important that you are given the resources and 
the authority you need to move the needle in this important 
area.
    The first question I ask every witness is very important 
because I am a big oversight freak and I love to do oversight, 
and I always want to make sure that oversight can continue, 
regardless of the parties that are in charge. So I want to ask 
you these three questions:
    Do you agree to provide information and documents when 
requested by Members of Congress, regardless of party?
    Mr. Krebs. Yes, ma'am, I do.
    Senator McCaskill. Do you believe that the NPPD management 
should comply with requests for documents and information from 
Members of Congress, regardless of party?
    Mr. Krebs. Yes, ma'am, I do.
    Senator McCaskill. And what role do you think Congress 
should play in assisting NPPD management in rooting out waste, 
fraud, and abuse?
    Mr. Krebs. In your oversight role, I believe you can assist 
us in understanding where we could be more efficient, give us 
the appropriate authorities to ensure that we are responsible 
stewards of the taxpayers' dollars.
    Senator McCaskill. Let me ask you about the 17 States that 
have requested risk assessments. I asked Assistant Secretary 
Manfra, and I think I got an answer that was a little 
confusing. I asked if any States were waiting right now for an 
assessment that they have not been able to get. She said nobody 
in the election community is waiting for an assessment.
    My question was not about a backlog, but I was instead 
trying to determine if all the States that have requested risk 
assessments have actually received the service and that the 
request has been completed. Do you have the data on that?
    Mr. Krebs. So, ma'am, we have 17 States and 8 local 
jurisdictions that have requested vulnerability assessments. 
There are a number that are in the scheduling phase, and the 
reason that they have not necessarily been completed to today 
is that there is a certain degree of preparation that is 
required for a risk and vulnerability assessment (RVA). That 
sometimes can include some preparation oftentimes, rather, 
preparation on the State or the local jurisdiction side. In 
some cases, what we have seen is that they do have some 
upgrades, patches, things like that that they need to get in 
order. There are also some basic legal agreements that we have 
to get in place that we understand, so they understand the 
scope of the risk and vulnerability assessment. And on that 
note, there is some scoping of the RVA that has to happen.
    I will say this, though: If any State or local jurisdiction 
asks for an RVA in advance of the 2018 midterm elections, they 
will get it when they need it or they want it. There is no 
backlog. The wait list is due to preparation. So you have my 
commitment on that and that we are prioritizing these RVAs, and 
they will get done at the request of the----
    Senator McCaskill. So you are telling me the wait is on 
their end and not on your end?
    Mr. Krebs. I would say that there is just a standard 
preparation that has to take place, and I would not say it is 
on anybody's end necessarily. It is just getting ready for a 
vulnerability assessment.
    Senator McCaskill. How many of those 17 have actually been 
completed?
    Mr. Krebs. My understanding, at this point we are up to 
about nine, I believe, and I would have to come back to you on 
that one. But as I understand it, the majority of them will be 
completed by if not the end of May, soon thereafter.
    Senator McCaskill. OK. Obviously, it is the end of April.
    Mr. Krebs. Yes, ma'am.
    Senator McCaskill. The election is quickly approaching, and 
I think it is really important if those States--and I really 
admire the States that have stepped forward and said 
voluntarily--and, by the way, whatever you find, what they do 
with it is voluntary. There is nothing here about the heavy 
hand of the Federal Government reaching into the States and 
telling them what to do. I am really proud of those States that 
have stepped forward and asked for the help, and I do not want 
in any way to ever indicate that that shows that they somehow 
are lacking. I think just the opposite. I think they are 
showing a high degree of professionalism and responsibility by 
asking for all the help they can get, especially when we are 
willing to provide it to them at no cost. So I want to 
compliment them.
    I asked also yesterday--or I guess it was the day before 
yesterday--Assistant Secretary Manfra how many people in DHS 
work full-time on election security. She was going to get back 
to me on that. Could you give me that answer?
    Mr. Krebs. So the high-side number of full-time--and it 
changes day to day based on when a special election is, when we 
have an RVA, things like that. It is the 10 to 15 range. Again, 
it flexes a little bit.
    We do have a number of part-time, meaning we have full-time 
equivalent Federal employees at DHS, that in some part of 
their day are focused on State and local election activities, 
including our risk and vulnerability assessment teams. They may 
be going from a State to do election assistance to a Federal 
high-value-asset assessment, depending on the week. So it is 
going to vary.
    The $26.2 million that Congress provided us in the fiscal 
year (FY) 2018 omnibus is going to allow us, rather, to build 
out our capacity in terms of what we can do not just for State 
election systems, but more broadly the State and local 
community as well. As we have seen I think with Mecklenburg 
County, with Colorado, with Atlanta, there is a real need for 
technical support and other assistance at the State and local 
level, and so as we are engaging on the election front, we are 
also expanding and looking a little bit more broadly at the 
information technology (IT) systems across States.
    Senator McCaskill. I do not think 10 to 15 full-time on 
election security is anywhere near adequate, and I want you to 
know that I personally will try to do everything I can to help 
get more there. I am sure you agree with me that 10 to 15 
people to cover election security in this entire country with 
all the various election systems that exist is woefully 
inadequate. But I do think we can also be looking at--I know 
that all of this is being provided free. It seems to me we 
ought to noodle on whether or not we could do some kind of 
agreement where we would help with some kind of matching funds 
from the State and local governments, because many of them are 
hiring from the private sector at a high cost, and we could 
partner with them and do more with maybe not quite as much 
Federal money being spent. And I would like to explore that 
also.
    Thank you, Mr. Chairman.
    Chairman Johnson. Just to augment that a little bit, they 
obviously have cybersecurity individuals in the States as well, 
so that is not just 10 or 15. You have a force multiplier in 
terms of the State election officials, correct?
    Mr. Krebs. Yes, sir, that is right. If I may, historically 
when we have talked about this over the last year, we have 
taken this bottom-up approach of here is how DHS can help do X, 
Y, or Z.
    I think what we need to do--and I believe the conversation 
is turning that way--is take a more top-down approach in terms 
of here is the shared responsibility of election security. DHS 
is in support of State and local officials. State and local 
officials have been managing risk to their enterprise and their 
environments for years. It goes back well before elections. 
They are the best there is at managing what happens on election 
day when there is a power outage or there is a tornado or there 
is a hurricane. They do this quite well. And IT security has 
increasingly been one of the things they have looked at.
    So when I talk about the 10 to 15-plus that we have from 
the Department of Homeland Security, that is obviously in 
support of thousands of security specialists across the 
country. And it is, as you point out, not just State and local 
officials. Some of those that are not taking our services, they 
do so because they have their own capabilities, whether it is 
in-house or contracted resources. But your point is taken about 
the matching funds.
    Senator McCaskill. Let me just make this point. I know what 
State employees are paid in the State of Missouri. I know what 
the market bears for good IT help right now. I do not mean to 
denigrate any of the State employees in my great State, but we 
have cut and cut and cut and cut local and State governments, 
and when you do that, you actually eat at the muscle of our 
ability to attract the best talent to do the kind of really high-
level work we are talking about here. So there may be people on 
the payroll in a lot of States. I am not sure that all of them 
have the expertise that we can help them with from your 
Department.
    Thank you, Mr. Chairman.
    Chairman Johnson. But as is true in the private sector, you 
do use private sector security analysts as well to aid. But, 
anyway, I know Senator Harris has a unique situation. I think 
this has been cleared that you are going to ask questions next. 
Is that----
    Senator Heitkamp. That is fine.
    Chairman Johnson. OK. Senator Harris.

              OPENING STATEMENT OF SENATOR HARRIS

    Senator Harris. Senator Heitkamp, I thank you for your 
gracious leadership and friendship.
    Senator McCaskill. You are saying you owe her one? I just 
want to make sure we got that.
    Senator Harris. I knew she was not going to let it go this 
easy. I am ranking in another hearing.
    Senator Heitkamp. I have a celestial log book I keep. 
[Laughter.]
    Senator Harris. I look forward to the day I can pay you 
back.
    Congratulations on all of the changes that are happening in 
your life in the midst of one of the great crises of our 
country, which is securing our elections. And I appreciate the 
last time you were before us and the answers to the questions I 
presented. And I also know that you followed up and actually 
did some reprioritization around the election cycle, so I 
appreciate that.
    I have a few questions for you about security clearances 
for State elections officials. My understanding is that 30 
State elections officials, which are representing 30 States, 
have received a security clearance or an interim security 
clearance as of today. Fifteen State officials have requested a 
clearance but have not yet received one, and five State 
officials have not yet applied.
    Do you have a proposed timeline when all of these 30 State 
officials will receive a permanent clearance?
    Mr. Krebs. So, ma'am, on those five that have not yet 
applied, in some situations they have actually declined to have 
a clearance. Instead, we are working with other officials in 
their States, for whatever reason.
    On the 15 that are going through the process right now of 
the adjudication of their SF-86, their clearance documents, 
they are rolling in on a day-to-day basis. That process is 
managed by the DHS Office of Intelligence Analysis (OIA).
    I will say this: I do not have specifics because every 
single case is different. Every single official has experienced 
some life event that requires a little bit extra investigation 
or adjudication. What came to my attention I was unaware of, 
Secretaries of States are sued a lot just as a matter of the 
course of business. Every single legal action has to be 
recorded. I think we talked about that before.
    So what we are doing is we are putting a lot of pressure on 
the Intelligence Analysis Office to move those along, but I 
will say this: I know, I have confidence that if right now I 
needed to get a piece of intelligence in front of a State 
election official, I could do that in a matter of hours. If I 
needed to pull together a meeting tomorrow to share classified 
information, we could do that. That is the progress we have 
made in the last year.
    I do not want to pin everything on issuing security 
clearances. It is the outcome we are trying to achieve, and 
that is, making sure that we can get classified information in 
their hands when it is needed.
    Senator Harris. I appreciate your point, but the concern I 
have is that, short of a permanent security clearance, then 
there is a process by which you would go day to day, right? 
They have to go day to day in terms of when they are going to 
receive or if they have the authority to receive classified 
information. There is nothing that would give them a certain 
permanence in terms of having it every day consistently without 
reapplying. Is that correct?
    Mr. Krebs. It is not a reapplying. If confirmed, I 
personally would have the authority to give 1-day read-ins.
    Senator Harris. Right.
    Mr. Krebs. And it is not, submit information, it has to be 
adjudicated there are known entities.
    Senator Harris. But do you have to authorize that each day 
to give a 1-day clearance?
    Mr. Krebs. Yes, ma'am, but to be frank, if they had their 
permanent clearances and I needed to get information to them, I 
would have to do a judgment on need to know, anyway. So it is a 
little bit of extra paperwork, but, again, I have confidence 
that if I need to get a piece of information, we could make 
that happen.
    Senator Harris. Can you follow up with this Committee and 
give us a timeline on when those 30 State officials will 
receive their permanent clearance, taking into account all the 
variables?
    Mr. Krebs. Yes, ma'am, the additional 15, we will 
absolutely follow up.
    Senator Harris. Yes, the 15.
    Mr. Krebs. Yes, ma'am.
    Senator Harris. And then I am sure you are aware, but I 
asked my team to give me a list of the upcoming elections, and 
so I am not going to ask you to tell me the status of each 
election official from these States. But I am sure you are 
aware May 8th is Ohio. I hope they have theirs. May 15th, 
Idaho, Nebraska, Oregon, and Pennsylvania; May 22nd, Arkansas 
and Georgia; June 5th, Alabama, California; Iowa, New Mexico, 
South Dakota, June 12th; another series of States, June 26th. 
So this is all imminent.
    Mr. Krebs. Yes, ma'am, and we are taking a risk-based 
approach, so we are looking at what is imminent and then 
working with the intelligence analysis folks to see what we can 
do to increase the sense of urgency around that.
    Senator Harris. Can you tell me which States are the five 
States who do not want security clearances?
    Mr. Krebs. So two things on that.
    First is that, generally speaking, we do not discuss 
security clearance matters in public as a matter of operational 
security. They can then become targets for collection from 
foreign intelligence agents. So that is the first piece.
    The second is from an individual State, who is doing what, 
who is taking what action, we are in a position where we are 
not disclosing the individual pieces of information. Our 
approach here is nonpartisan, apolitical.
    Senator Harris. I hope so.
    Mr. Krebs. We are absolutely----
    Senator Harris. Because this is absolutely a nonpartisan 
issue. So there is no rule that prohibits you from telling this 
Committee, even in a classified setting, which States----
    Mr. Krebs. So in a different setting, we can discuss more 
specifics, but from a----
    Senator Harris. Mr. Chairman, I would urge that we get that 
information and, in particular, inform our colleagues who 
represent those five States and make sure they are aware of the 
seriousness of this issue.
    Chairman Johnson. I have no problem with that.
    Senator Harris. OK. That would be great.
    And then on election data breach notification, another 
important service--we have discussed this before--that DHS 
provides is what I refer to as ``hazmat teams'' that will go 
out to the State and help an election agency, if it has been 
hacked, to get back up and running, to be resilient after an 
attack.
    In an interview, the Illinois State Board of Elections 
executive director said that--and this is, I think, the Ranking 
Member's point, too--``They have a good IT department,'' when 
they faced a threat from a sophisticated foreign actor. But 
they said their resources are like bows and arrows against the 
lightning. So we are talking about, obviously, an attack on a 
State election system. Would you agree that even though it 
attacks a State, it really is a threat to national security?
    Mr. Krebs. Yes, ma'am. I think Secretary Nielsen has been 
consistent about that as well. Election security is a national 
security issue.
    Senator Harris. And so do you believe that if a State 
election agency is hacked while administering a Federal 
election, the State election agency should be required to 
notify the Department of Homeland Security?
    Mr. Krebs. Ma'am, I think it depends on the definition of 
``hack.'' As I think Assistant Secretary Manfra discussed 
yesterday, there is a difference between scanning and 
targeting. Scanning happens in some cases thousands of times a 
day.
    Senator Harris. So, in your opinion, who should we leave 
the definition up to? Because it seems to me we should have 
some clear indication of what would require a State to report 
to DHS that they have been hacked. And I appreciate the point 
that has been discussed often, which is it is perhaps a vague 
term. But whose responsibility is it then to clarify what 
qualifies as a reportable hacking?
    Mr. Krebs. So I think that is a conversation that is 
happening right now in the Secure Elections Act. I think the 
recent conversations you had with the Secretaries of State, 
that is the exact sort of forum in which we can start hashing 
out what the threshold is for a notification. I do not believe 
a scan, frankly, would require notification, but a penetration 
of a date of registration, I think there is some incentive or 
some indication that----
    Senator Harris. So my time is up, but what I would like to 
do for follow-up is get from you your suggestions about what 
should be defined as a ``hack'' which would require a State to 
report that to DHS.
    Mr. Krebs. Yes, ma'am.
    Senator Harris. OK, thank you. And if you could do that 
within the next 3 weeks, that would be great.
    Thank you.
    Chairman Johnson. Thank you, Senator Harris.
    Just a quick comment. The complexity of data breach 
notification is something I have learned a fair amount over the 
last 5 or 6 years. Senator Heitkamp.
    Senator Heitkamp. Thank you, Mr. Chairman and Ranking 
Member, and thank you, Mr. Krebs, for agreeing to serve our 
country, as I said in my opening comments.
    I just want to throw out an idea that I think would be 
helpful, and it goes to the kind of general theme of what I 
want to talk about here, and that is, there needs to be a 
Center of Excellence for cybersecurity. You know where I am 
going, right? So we do financial audits in State government. We 
do performance audits. Claire was, I think, the State auditor, 
probably did a number of performance audits. I think it is only 
responsible, especially when we are talking about Federal 
elections, to do performance audits of the security of State 
systems.
    Now, we are in a crisis because we are up against a couple 
months where, as Senator Harris pointed out, these elections 
are coming now, and many of these elections will be decided in 
the primary. And that is true particularly in States like 
California where you have a jungle primary. And so it is on us, 
and we cannot look our constituents in the eye and say, ``Yes, 
everything is cool. We have it under control.'' We need to have 
a Center of Excellence for cybersecurity on all things that 
affect our national defense and our national security. And I 
really believe that your agency is the place where that should 
be. I think Senator Carper may agree with me on this. We fought 
pretty hard to try and claw back some jurisdiction on cyber. It 
has been centered in Intel, as it should. They should be 
concerned about it. But we need a broader governmentwide, 
nationwide plan for what we are going to do in cyber so we are 
not stepping on each other, we are not taking missteps that are 
incredibly costly. You know how costly all of this is. But we 
cannot ignore the small stuff, and this is what I am getting 
at. This is something we talked about yesterday, which is that 
resiliency of the foundation. Right now I would tell you it is 
fairly porous. I think that when people put their passwords as 
``password'' or ``11111'' or they do not do the kinds of things 
that are recommended in common-sense ways to try and protect 
the resiliency of either their devices or their programs or 
managing their data.
    And so there is a whole lot of force multipliers that we 
can rely on, whether it is nonprofit, consumer-oriented groups, 
whether it is the State groups that do consumer protection and 
consumer awareness and education, it is true probably in a lot 
of areas in life, but many people just want that magic bullet. 
You are going to create that impenetrable, hardened shield, and 
we have to tell them, look, we can have the best military, we 
can have the best law enforcement in the world, but if we do 
not lock our doors, we are less secure.
    So can you walk with me how you see your role in that piece 
of it, not the top-down but the bottom-up kind of resiliency of 
users? And that is pretty much all of us now in America.
    Mr. Krebs. Yes, ma'am, absolutely. Thank you for the 
question. I mentioned it in my opening statement, but when NPPD 
was originally organized as a successor to Preparedness back in 
the 2007 timeframe, it was a collection of programs, and the 
name, in fact, reflects that, National Protection and Programs 
Directorate. It was a hodgepodge. The threat, the cybersecurity 
threat at the time was obviously nowhere near what it is today. 
The budgets alone show that. The National Cybersecurity 
Division was a small collection of folks that had an issue they 
were trying to get their arms around.
    Where we are now with the threat environment, with the 
authorities that are provided by Congress, by the 
appropriations that we have been provided, I think it is clear 
that now--and this is the reason we need the Cybersecurity and 
Infrastructure Security Agency--DHS NPPD is the primary--it is 
the leader for national risk management for cyber and critical 
infrastructure protection. It has statutory authorities to be 
the lead critical infrastructure protection coordinator. There 
are sector-specific agencies that have the sector excellence, 
the expertise, whether it is Treasury, the Department of Energy 
(DOE), HHS, but it all comes together at the top. So when you 
talk about a top-down--and I understand where we are going with 
the bottom-up, but on the top-down, there needs to be one 
person, one organization, rather, that can stitch it all 
together.
    Senator Heitkamp. I just want you to know we expect you to 
throw some sharp elbows. There has been a lot of turf on this, 
and there cannot be. We need a Center of Excellence, and that 
is your job, in my opinion, is to create a Center of Excellence 
to be that entity that evaluates products out there, that can 
be, in fact, protective and shield, to develop products that 
can better educate the public on how to protect themselves, and 
then have the ability to integrate those not just with those 
cyber threats, but understand that that will put pressure on 
physical threats and be at the table when we are evaluating all 
threats and bring that expertise. That is why we are excited 
that you have applied for this job, but that is my expectation 
of what you are going to do with this job.
    Mr. Krebs. Yes, ma'am, we have a common adversary; we have 
a common enemy. I have no patience for infighting across the 
family. We should be working toward the same common purpose, 
but what we need is a centralization function, and that is us 
as the----
    Senator Heitkamp. Right, but the problem that you have is 
that now that everybody has gotten panicked about cyber, this 
is the new bright, shiny object over here. That is where there 
is going to be some money. We might get some personnel. You 
know how the bureaucracy reacts to that opportunity. And it 
will go places that will be dispersed in ways that we do not 
have the best and the brightest centralized in a Center of 
Excellence. And that is what I want. That is what I want you to 
be. That is what I want your agency to be. I have been nothing 
but impressed by you and the people who have come before this 
Committee, and I think we have a real opportunity here to work 
with universities, we have a real opportunity to work with 
other State agencies. You have 4½ or a quarter--I am not 
sure what it all is, where it is.
    Mr. Krebs. Four plus one.
    Senator Heitkamp. Showing the shock on your parents' faces, 
it might be just a quarter. Four and a quarter kids. This is 
going to be hard work, and I am so grateful. I want to say 
this--because I am running out of time--to your family because 
we are putting a lot on your husband, and we are putting a lot 
on your son and your son-in-law. But the work that he is going 
to do is just as important as anyone who puts on a uniform and 
carries a gun. He is on the front line of serious threats to 
this country, and you should be so extraordinarily proud of him 
and that you raised a fine human being, and for your kids, they 
will know that you are working to make the world a better place 
for them.
    Thank you, and I look forward to ongoing discussions.
    Mr. Krebs. Yes, ma'am. Thank you.
    Chairman Johnson. Senator Heitkamp, before you potentially 
leave here, I appreciate you bringing up the subject of turf 
wars. I raised that issue yesterday. There is a reason we did 
not get the name change in the omnibus. There was objection to 
that. So we need to be honest about this. The reality of the 
situation is that there is conflict here. I have been trying to 
facilitate and I will make the offer again today. By the way, I 
talked to Chairman Burr about this on the floor of the House 
waiting for President Macron to speak about getting the 
Secretary, yourself when confirmed, getting other Members of 
Congress together, Intelligence Committee and DHS, and let us 
work this out. That is what we need to do. This threat is too 
significant to allow turf wars to get in the way of as 
efficient an operation as possible in terms of dealing with a 
very complex and serious problem.
    Senator Heitkamp. I do not think there is any doubt about 
it, and I think that when we have dispersed jurisdictions, we 
have no accountability. So with this power, if we get this 
done, comes accountability, and I think accountability and 
understanding if something happens it is on you instead of 
pointing the finger over at DOD, instead of pointing the finger 
over at the intel community, I think that is critical for 
accountability and oversight.
    Chairman Johnson. So it is time to stop burying our heads 
in the sand in terms of the turf wars that are occurring right 
now. We have to get by those, and we have to come to an 
agreement on this. So from my standpoint, this is a top 
priority. We have to get this decided, agreed upon, and move 
past it. Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Thank you, Mr. Chairman. Mr. Krebs, again, 
thank you for your willingness to serve. Senator Heitkamp is 
right. This is an incredibly important position, and we are 
going to be looking for your leadership every day dealing with 
what is perhaps our No. 1 national security threat, which are 
these cyber attacks.
    I want to pick up on the theme that we have heard over and 
over again about turf wars and how we have these silos in the 
Federal Government. We often talk and this Committee talks 
about some of these big challenges and we have to have a whole-
of-government approach. Yet the ``whole of government'' is in 
all these discrete areas, do not talk to each other like they 
should, and are not efficient, and we are not really focused on 
the overall mission, which is to protect the American people.
    It is not obviously the first time we have had these 
issues, and the Department of Defense particularly has had 
these issues for many years, from the Navy, the Air Force, and 
the Army. They are very proud parts of the service, but for 
many years they never really talked to each other. It is pretty 
hard to conduct a war when the Navy is not talking to the Army 
and they are not working together. And in order to resolve 
that, jointness has been a big part of military doctrine for 
many years, where they work in a joint fashion. There are joint 
duty officers that actually will work in different branches to 
learn about other branches and can be able to help coordinate 
that.
    But, unfortunately, we do not have that in the civilian 
side so I am going to ask you about some legislation I am 
working on that will hopefully allow us to have that kind of 
joint duty officer, similar to what we would have in the 
Department of Defense. I am working with Senator Hoeven on a 
bill that we hope will be up at some point, Mr. Chairman. It is 
the Federal Cybersecurity Joint Duty Program Act, which would 
establish a civilian personnel rotation program designed 
specifically for cyber professionals that would enable them to 
gain experience across the Federal enterprise. So authorizing a 
joint duty program would provide both clarity and guidance for 
human capital officers across the government and help them 
develop, I believe, a stronger cyber workforce if they have had 
a chance to work in different departments. They are going to 
bring lessons learned in this department to another department. 
They are going to likely learn a whole lot in that department. 
And then when you are trying to coordinate all these, you are 
going to have a team of people who have actually worked across 
these different agencies.
    Yesterday in the previous hearing, Assistant Secretary 
Manfra thought it was a good idea that we should move forward, 
but I would like to have your thoughts. Would such a program 
that would provide these kinds of rotational opportunities be 
beneficial to employees? Is this something you think we need to 
be looking at?
    Mr. Krebs. Yes, sir, I think it bears a lot of merit. I 
think the ability to standardize and centralize cybersecurity 
across civilian agencies is something that will only help us. 
In fact, we are looking at ways to do that now with the 
Continuous Diagnostics and Mitigation (CDM) program. We are 
doing some training for existing IT security professionals so 
they know how to use the tools we are deploying through the CDM 
program.
    But this is a great example of if you put somebody in a 
different environment and allow them to understand what the 
operational environment looks like, they are going to come back 
more well rounded, better off, and able to contribute to the 
bigger mission.
    I would also offer that, in addition to internal government 
interagency rotations, we need to continue looking at 
government programs exchanges with the private sector, so DHS 
has the exemplar program that sends government officials out 
into the private sector, as well as the loan executive program 
that brings them in. So in some cases, we have them sitting in 
our National Cybersecurity and Communications Integration 
Center. That is another example of we can put our folks out 
into an environment. They understand what private sector 
requirements are, and they come back in and they help fine-tune 
the mission.
    So I am looking forward to having a continued conversation 
on your bill in particular, though.
    Senator Peters. Well, one thing that I see this doing, 
too--and I would like your thoughts on it--is that it makes an 
already interesting job even more interesting at a time when we 
want to retain these professionals in Federal service. To be 
able to have that wide range of experience I would think would 
aid with retention. Do you agree?
    Mr. Krebs. Yes, sir. I think if I can hang along with a 
name that tells folks what my organization is, the 
Cybersecurity Agency, if I can in a recruiting manner tell 
them, hey, you can go hunt for the Russians, you can go hunt 
for the Chinese across various departments and agencies, that 
is a pretty attractive recruiting pitch.
    Senator Peters. And how would the Federal cyber workforce 
be strengthened if employees at other agencies were afforded 
the chance to serve in a rotational capacity at NPPD?
    Mr. Krebs. Well, for one, they would understand how we 
approach incident response assessment, so when they do a 
rotation within NPPD, they go back to their agency, and, again, 
we have a standardized approach to cybersecurity and 
information security professionals across the Federal 
Government. To the extent that we can continue to standardize 
and streamline our approach across the Federal Government, that 
is going to make us better off.
    Senator Peters. Great. Well, I appreciate that. I look 
forward to working with you, if confirmed. And I think the 
other idea that you raise, which would have to be the next 
step, is people who can move out of the Federal Government into 
the private sector and back, as you know, with civil service 
rules that can be a lot more complicated, but one that I think 
is absolutely critical. We see folks who are outstanding 
individuals in the cyber space now who are willing to serve, 
for example, in the National Guard in our new cyber units that 
we are setting up there. They do not do it for the money. They 
do it because of the mission. They do it because they are 
patriotic Americans, but we have the opportunity to get highly 
skilled folks in the private sector working on national defense 
issues. I think there are opportunities to do that as well. Do 
you agree?
    Mr. Krebs. Yes, sir, and I think what you are highlighting 
is that there are a number of tools in the cybersecurity 
professional toolkit. DHS is not the only one that is having 
some workforce challenges. The NSA is having workforce 
challenges. We have already talked about the State and local 
government official workforce challenges. The private sector 
has workforce challenges.
    So what we need to be looking at is, in addition to filling 
the vacancies that we have, what are the other resources--I do 
not want to steal Senator Hassan's thunder, but the bug bounty 
program is another example of diversifying our capabilities. 
What is the security outcome we are trying to achieve? That is 
what we need to be focused on. And how are the ways we can plug 
the gaps, whether it is National Guard--again, as long as we 
are standardizing, taking a similar approach from a day-to-day 
information security approach for when that bad day happens, 
that when we show up, we all know how to respond, we all know 
how to act so we are not doing the business card game. I think 
that is only going to serve us that much better.
    Senator Peters. Great. Thank you so much.
    Mr. Krebs. Yes, sir.
    Chairman Johnson. Thank you, Senator Peters.
    By the way, I think it is an excellent idea, the rotation. 
I like it so much I wish I would have thought of it myself.
    What I would ask you to do is work with the different 
departments and make sure that they do not have a problem with 
it, because that is what we are going to do as Committee staff, 
go to DHS, do you have any issues with that? But try and do 
that work ahead of time. Again, I want to be completely 
supportive of it.
    Senator Peters. Thank you, Mr. Chairman.
    Chairman Johnson. Senator Hassan.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Well, thank you, Mr. Chair, and I want to 
thank you and Ranking Member McCaskill for this hearing. 
Welcome, Mr. Krebs. And to the entire Krebs family, thank you. 
I am seeing Henry and Anna. You are doing great. You are being 
very polite, and you are doing better than most adults do in 
these hearings. So I just want to thank you for sharing your 
Dad with the people of our country, because he wants to and is 
doing really important things to keep us all safe. So we are 
really grateful.
    Mr. Krebs, I wanted to follow up a little bit on what you 
just mentioned a moment ago about the bug bounty program. You 
and I have discussed the legislation that Senator Portman and I 
have, Senate bill 1281, the Hack DHS Act, which passed the 
Senate unanimously last week. Hack DHS requires the Department 
to establish a one-time bug bounty pilot program in order to 
assess the value of a bug bounty as a tool to secure DHS' 
systems from all types of cyber threats.
    Last week, you were quoted as having questions about how a 
DHS bug bounty program would be funded and whether DHS would be 
given the necessary flexibility to implement a bug bounty in a 
safe and effective manner. I appreciate those concerns. The 
good news is that our Hack DHS bill addresses all of those 
concerns, as I think you and I have discussed.
    Our bill gives DHS ample flexibility to implement the bug 
bounty pilot program as DHS sees fit. Under the bill the 
Secretary is empowered to exclude parts of DHS that it feels 
are too risky to open up to a bug bounty, and under our bill 
DHS is required to fully vet any hacker participating in the 
bug bounty program.
    Additionally, the bill authorizes $250,000 for DHS to run 
the bug bounty pilot program, which is double what it cost the 
Pentagon to run its pilot program.
    Finally, my staff, Senator Portman's staff, and the staffs 
of Chairman Johnson and Ranking Member McCaskill have all 
worked closely with DHS to incorporate any DHS changes so that 
this bug bounty program could serve as a key tool for the 
Department to counter cyber threats.
    So, Mr. Krebs, given that our bill addresses many of your 
concerns, can you share with us your opinion about the Hack DHS 
bill and whether you think it would provide DHS with a valuable 
tool to strengthen the Department's cyber defenses?
    Mr. Krebs. Yes, ma'am, as you and I discussed the other 
evening, I welcome any tool that is going to help us be better, 
and this is an example of a tool in the broader toolkit that 
will enable us to secure our networks. So, yes, ma'am.
    Senator Hassan. Thank you very much. I appreciate it.
    That is all I have, Mr. Chair.
    Chairman Johnson. Thank you, Senator Hassan.
    Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman.
    Good to see you again. Thanks for the work that you have 
already done. Thanks to your family. The folks at this dais 
understand extremely well the cost to families and what that 
really means to your family, and so we appreciate very much the 
sacrifice that you and your family are making to be able to 
serve the country. So thank you for that.
    Let me ask you a little bit about determining domestic 
threats, foreign threats, and a variation that is coming now 
where foreign actors are basically finding cyber criminals and 
using them as contractors. And so we have this strange hybrid 
of an area that is really a foreign cyber criminal that 
sometimes works for a foreign government and sometimes they are 
free-lancing and doing it on their own. As we are trying to be 
able to determine the threats as they are coming, how to 
respond to them and how to defend that, how are you filtering 
out and how should we as a Nation quantify this is domestic, in 
the United States, and this is foreign, this is a foreign 
actor, a foreign criminal actor as well? And what would the 
responses be different on that?
    Mr. Krebs. So I think what we need to do is have a couple 
different axes at which we look at the broader threat. So on 
one side, we have the indiscriminate criminal threats, the 
ransomware campaigns. There may be some scanning and hacking 
and things like that. But it is those that are out there to 
make a quick buck or whatever. And then we have the nation-
state level threat. And the gray space in between I think is----
    Senator Lankford. The hybrid, right.
    Mr. Krebs. You are hitting that. The issue here is that 
each of the adversary sets is going to have a different set of 
objectives and a corresponding set of pain points. So one 
nation-state, for instance, may be more financially motivated; 
another might be looking for geopolitical advancement. So 
whatever the response is, the deterrence package, the 
consequence package has to be tailored specifically to that 
adversary.
    In the general cyber criminal space, law enforcement, which 
remains a challenge and is another part of the Federal 
Government, whether it is within DHS or the Federal Bureau of 
Investigation (FBI), that is going to require significant 
coordination with the international law enforcement community 
to do some of the overseas takedowns and extraditions. From a 
nation-state approach, the deterrence package is going to be 
wide-ranging, but it can include anything, as we have 
discussed, from sanctions to other instruments of national 
power.
    Senator Lankford. So let me ask about the attribution of 
that, because initially when it hits, let us say, a pipeline 
company, it hits an electric grid, water, election system, 
whatever it may be, we know it exists. But trying to get 
attribution for it and then to be able to figure out what 
agency is then going to be able to follow up, either 
recommendations or how to respond, or who is going to handle 
that, is that domestic? It is hitting the United States, but 
was that someone local? So that is going to be who, is that 
going to be you, is that going to be FBI? Who has it? Or is it 
going to be international, is it going to be someone else? How 
is that working right now with the hand-offs, and what can be 
improved, the speed of both attribution and then the hand-off 
of who has it from there?
    Mr. Krebs. So Presidential Policy Directive (PPD-41) is 
fairly clear in terms of the lanes in the road and who is doing 
threat response and who is doing asset response. I am, frankly, 
less concerned about if it is this bad guy trying to achieve 
this objective. What I am concerned about is managing risk and 
buying down risk, whether it is a single asset, understanding 
what is going on within that network, helping them get it 
straightened out, but then taking the piece out, whether it is 
an indicator or other signature, and then moving it into other 
aspects of not just that sector but other sectors. Because one 
thing we are increasingly seeing is while the adversary, 
particularly the nation-state adversary, is sophisticated and 
capable, they are not all the time just focused purely on the 
electricity subsector or the banking and finance subsector. 
They are looking a little bit more broadly, so it is important 
that we not limit ourselves to a sector-by-sector approach, 
which we have already talked about today.
    Senator Lankford. Right, which would be helpful. So let me 
go to the risk side of it then. One of the lessons learned from 
Kaspersky and what happened here in the Federal Government with 
their distribution basically across multiple agencies and the 
speed of our response once we discovered more.
    Mr. Krebs. So given the ongoing litigation, I cannot get 
too much into the specifics of Kaspersky, but what I can talk 
about is broader supply chain risk management. We are taking a 
couple different approaches at DHS. One is within NPPD we have 
kicked off--I believe you have gotten the briefing on the cyber 
supply chain risk management approach. What we are trying to do 
is provide intelligence and other information and inject it 
into the procurement process as left of procurement as 
possible. So help contract officers and procurement officials 
write Requests for Information and Sources Sought that are 
risk-informed. And then when they do get Sources Sought, we can 
then craft Requests for Proposals--again, risk-informed. When 
they get their proposals--again, risk-informed--injecting the 
appropriate risk information so that they can identify whether 
it is a first-tier, second-tier, third-tier contractor, what 
may be a risky proposition. And what that is really going to 
require is transparency in the proposal. So it is going to 
require procurement officials to drive more transparency, to 
drive more information provided. And that is just at the 
Federal procurement level.
    Senator Lankford. So do you anticipate that your office 
will work with procurement officials governmentwide to be able 
to help develop some of those standards?
    Mr. Krebs. Yes, sir, we are right now.
    Senator Lankford. So is it, again, your assumption that 
when they then have a new item, a new piece of software, a new 
piece of hardware, a new refrigerator that goes in the lounge 
that has wireless fidelity (WiFi) capability on it, whatever it 
may be, is it your expectation that each product will then be 
signed off by your office, or whether there is a set of 
standards to say here is what to be able to watch for?
    Mr. Krebs. So my hope is to get to the latter point, to get 
to a more scalable approach. If we are looking at every single 
transaction, we talk about backlogs. That one is going to be 
years.
    Senator Lankford. That is what I would assume.
    Mr. Krebs. What we need to do is educate the procurement 
officials so they can write smarter, more risk-informed 
contracts, so you will attest that you have disabled this 
feature, or you will describe the third-party code that was 
written into your software or baked into your product.
    Senator Lankford. OK. When do you anticipate that would 
happen? I know that has already started. When do you think that 
would be complete?
    Mr. Krebs. To answer this the right way would be to say it 
is never going to be complete because we are going to 
continue----
    Senator Lankford. Because there is always new stuff, yes.
    Mr. Krebs. Yes, sir. I would have to get back to you on 
exactly what our----
    Senator Lankford. That is fair enough.
    One of the key things that we are trying to be able to push 
is to be able to make sure we are getting ahead of that. One of 
the lessons learned on Kaspersky is speed.
    Mr. Krebs. Yes, sir.
    Senator Lankford. Once we actually find out about the 
threat, how to be able to respond to that, what does that mean 
getting the information out to multiple entities that need to 
get it quickly, giving them options to be able to transition 
from this to this, and to know that they can make that 
transition quickly and safely, but also then studying the new 
standards, trying to determine what questions need to be asked 
before we begin the process.
    Mr. Krebs. And if I may add, one piece is that while we are 
focused on the tactical Federal procurement level, there is a 
broader national strategic conversation that needs to happen on 
supply chain risk management. We are seeing it in some of the 
5G spaces. But what we need--sorry, out of the corner of my 
eye.
    Senator Lankford. No, that is a good thing, actually. 
[Laughter.]
    Mr. Krebs. What we need to do is actually look at what a 
holistic national supply chain conversation looks like, what 
the national critical functions are that underpin our very 
economy that ensure that the Federal Government can perform its 
duties on a day-to-day basis. And so we have to identify those 
national critical functions. We have to identify those critical 
components within those functions and then identify what the 
transparency requirements are, what the certification or 
standardization requirements are. And then at a certain level, 
we may have to have conversations about reshoring and bringing 
manufacturing back to the United States, and that is going to 
require an entirely different strategy.
    Senator Lankford. Thank you. I appreciate that. And, by the 
way, ``Goodnight, Moon'' is one of the all-time classic pieces 
of literature. [Laughter.]
    Thank you.
    Chairman Johnson. I think the lesson learned in Kaspersky, 
certainly one of the lessons is that within the intelligence 
and national security community, they knew full well that here 
is a cybersecurity business founded and operated by a former 
KGB officer, and it is probably not a real good idea to let 
that business continue to grow and infiltrate into our economy 
without mentioning something until this very late date.
    I think our Committee Members have done a good job asking 
questions, so let me just kind of mop up on a few things or 
make some comments. Senator Harris was talking about data 
breach notification. Talk about the complexities of that issue, 
because it seems so simple. I mean, that is what I thought 6 
years ago, and the top two things on cybersecurity are always 
information sharing and a national preemption of data breach 
notification just made so much sense, but it is far more 
complex than that. So first speak to that a little bit.
    Mr. Krebs. The complexities happen at virtually every layer 
of government. So you have State data breach requirements. It 
is going to vary State to State. I think 47-plus States have 
actual data breach notifications. It is going to vary across 
sector, too. Banking and finance, payment cards, retailers, 
they are all going to have--whether it is personally 
identifiable information (PII) or Payment Card Industry (PCI), 
they are all going to have different thresholds for reporting 
given the impacted community. Then you throw in Health 
Insurance Portability and Accountability Act (HIPAA), you throw 
in other health information. It is challenging alone at the 
State level. And then once you bring it up to the Federal 
level, I believe the average number is about eight pieces of 
legislation per session.
    Chairman Johnson. Talk about the entity itself being 
breached, the complexity of knowing you have been breached----
    Mr. Krebs. Knowing the extent.
    Chairman Johnson [continuing]. Doing the forensics, 
understanding exactly what happened before you are required to 
do something.
    Mr. Krebs. Yes, I think one of the challenges that we are 
having is more, as you have mentioned, the complexity. It is 
the complexity of the systems we are talking about, the 
complexity of the information, the complexity of third-party 
risk. Who actually is owning or operating that system that may 
or may not have been impacted, what controls they had, what 
information was reviewed, scanned, exfiltrated. These are all 
questions that we are still trying to sort through as a 
community, and it is not always a baked answer.
    I will add in the other complexity is in certain cases 
there are active investigations going on from a law enforcement 
or intelligence perspective. We are trying to keep eyes on the 
bad guy as they are moving around because this may be a novel 
approach. And so there is some sort of preserving of the 
environment for that sort of monitoring.
    Chairman Johnson. As you heard from the Committee's 
questions, obviously election security is something we take 
very seriously, and we appreciate the fact that you realize 
that is a top priority.
    I do want to just kind of summarize the way I think of this 
and see if you basically agree or how you would modify my 
approach. But to me there are basically three threats from the 
standpoint of election security. First of all, can someone get 
into voting machines and actually affect the vote tally? Let me 
lay them all out. Then, second, can they get into the voter 
file? And then, third, the threat is literally public 
confidence.
    So when it comes to vote tallies, in our briefings it seems 
like, because these election machines are not tied to the 
Internet, some actually have WiFi capability, but they are 
supposed to be turned off. It seems like it is pretty difficult 
for somebody to actually affect the voting tally. Would you 
agree with that?
    Mr. Krebs. I think what we saw at least in 2016 was the 
sophistication of the adversary was not at least what was 
observed--I know Eric Rosenbach, ``Do not ever count the 
Russians out,'' I think was his message. But based on what we 
saw, the voter tally access was complicated. The thing that I 
reiterate is this is not about achieving 100 percent security 
or perfect security. It is about achieving a resilient 
ecosystem where you have confidence at the end of the voting 
cycle that what was put in on the left end came out on the 
right end consistently. So that is why we continue to encourage 
at least some sort of paper trail with a scientifically 
significant audit on the other side.
    So I think that if we can get into a situation where we are 
managing risk--and that is what we are doing. We are not trying 
to secure. We are managing----
    Chairman Johnson. Again, I am actually asking these 
questions to really confirm the final risk of public 
confidence. Again, I do not want to blow anything out of 
proportion. I want to take the risk seriously. And so changing 
the actual voter count is going to be a very difficult thing 
for somebody to do, certainly nationally. They might be able to 
do it locally, but even that is pretty tough. Getting the voter 
files to me is a more significant risk. But, again, there are 
many controls. There are a number of things that we can do 
post-audit, recounts, that give us some indication something 
actually happened.
    And so you take those first two risks--voter tally, voter 
file--it is pretty minimal. And if we have our eyes on this and 
you have election officials, you have a very dispersed--which I 
think enhances election security, we ought to be able to as 
much as possible increase public confidence in our elections. 
To me, that is the whole point of this thing. And I do not want 
a lot of the rhetoric out there decreasing public confidence.
    Mr. Krebs. It is a good scare story. I think there has been 
a lot of progress lately. Just yesterday or today, I believe 
Orange County, California, released their voter security 
playbook. The same has happened in Kentucky and Cook County. 
The public confidence messaging piece has to catch up to the 
fear factor.
    Chairman Johnson. I do not want to understate the threat.
    Mr. Krebs. There is no minimization.
    Chairman Johnson. I think there is a great danger in 
overstating it.
    Mr. Krebs. That is right.
    Chairman Johnson. Apparently, both of us met with the Chief 
Executive Officer (CEO) of Duke Energy.
    Mr. Krebs. Back to back, I think.
    Chairman Johnson. As you know, I am concerned about 
EMP/geomagnetic disturbances (GMD). But, again, Senator Harris 
talked about clearances, and that is certainly what the CEO of 
Duke Energy was talking about. This is a governmentwide 
problem. There is a huge backlog. Is there a certain level 
priority that we can slot some of these individuals in for 
security clearances?
    Mr. Krebs. Specific to the EMP/GMD threat or----
    Chairman Johnson. Well, I mean, again, based on the 
priority of the threats that we are recognizing.
    Mr. Krebs. So, yes, sir, I believe there is some 
prioritization of the process. I do believe that across the 
Federal Government, I think the backlog is somewhere on the 
order of 800,000 folks that are in processing. But from a 
private sector clearance perspective, we are streamlining our 
approach for how we work with the private sector and how they 
are sponsored and how they are put through. Paperwork is 
paperwork. We still want to make sure that the folks that are 
getting the clearances have been adequately vetted and 
validated and make sure that there is not something lurking 
around that they may be held at risk. But there are ways that 
we are looking at to help streamline the----
    Chairman Johnson. OK, because I think we do need to 
prioritize this based on the threat.
    The CEO is taking over their industry-wide group on some of 
this, and I am actually pleased to hear that she seems to be 
taking EMP/GMD seriously. I do not think from a government 
standpoint we have done enough, and I do not think we are 
taking it seriously enough. So I guess you are going to be in 
charge of the agency that will be tasked certainly from the 
standpoint of DHS, the EMP Commission tasked DHS and DOE with 
certain quick fixes, which, according to GAO, have not been 
undertaken. We do not have the strategy yet. So, again, I just 
want your assurance that this is something you will take 
seriously. Let us get to the bottom of this. How serious a 
threat is this? I am not an electrical engineer, but it has 
driven me nuts over the last number of years that we just 
cannot come to a conclusion of how serious a threat this is and 
what we should really do to protect our Nation against what 
could be a catastrophic occurrence.
    Mr. Krebs. Yes, sir, you have my assurance that we are 
taking this seriously.
    Chairman Johnson. OK. Senator McCaskill, do you have 
anything else?
    Senator McCaskill. Yes, just a couple.
    The binding operational directives (BOD), I know that you 
issued BOD to make it more difficult for bad actors to mimic 
legitimate email communications from Federal agencies. The 
binding operational directives gave a 90-day and a 120-day 
timeline for parts of the implementation, meaning some of those 
deadlines have already passed. Can you give us a report card of 
how many Federal agencies have complied with this?
    Mr. Krebs. Ma'am, if I may, I would like to circle back 
with specifics.
    Senator McCaskill. Sure.
    Mr. Krebs. The challenge with the Domain-based Message 
Authentication Reporting and Conformance (DMARC) implementation 
is that not every BOD is created the same. Not every network 
across the Federal agencies is created the same. In some cases 
there were email domains that, frankly, were either dormant or, 
frankly, forgotten about. So there is a lot of kind of 
collating of what is across the systems. That has led to some 
challenges in implementation, but I would like to come back and 
meet with your staff to----
    Senator McCaskill. That would be great.
    Mr. Krebs. Yes, ma'am.
    Senator McCaskill. Because I would like to follow up with 
that. I do think it is something that we have not--and I think 
you are going to have to figure out a way to navigate this very 
complex area so that we can take that basic first step in every 
Federal agency in terms of email communication.
    Mr. Krebs. Yes, ma'am.
    Senator McCaskill. It is obviously a vulnerability.
    You stated in your policy questionnaire--you all have some 
responsibilities, some specific responsibilities outlined in 
the National Response Framework in emergency management, 
critical information protection, and communication restoration. 
You stated in your policy questionnaire that you identified 50 
areas for improvement after the 2017 hurricane season. 
Obviously, you have no work to do in this new job. I can tell 
you really are going to be spending a lot of time figuring out 
how to stay busy. But I would be curious what you would 
consider are the top two or three items on that list in terms 
of what you learned in the aftermath of this brutal 2017 
season, especially in terms of restoration of communication, 
because when I have talked to people that were on the ground, 
that was the biggest challenge in terms of getting stuff where 
it needed to go, the inability of people to talk to one 
another.
    Mr. Krebs. So thank you for the question, and I came into 
this job as Assistant Secretary for Infrastructure Protection 
in August 2017. A week and a half later, Hurricane Harvey hit. 
From that time until today, I have still been focused on 
hurricane season 2017, getting ready for 2018. I made numerous 
visits to Puerto Rico, went down to Texas and Florida.
    The two primary takeaways that I have from hurricane 
season: First, I needed to do across NPPD a better job of 
integrating our cyber and communication shop and our physical 
infrastructure shop. And what we have done since hurricane 
season is a tighter linkage and, in fact, colocation of the 
National Infrastructure Coordinating Center (NICC), the 
physical side, into the National Cybersecurity and 
Communications Integration Center (NCCIC). The NCCIC has 
responsibility for Emergency Support Function (ESF) 2; the NICC 
supports ESF 3, 8, 9, 12, and, in part, 13. That is a Federal 
Protective Service (FPS) mission. But everything at some point has to come 
together from a visibility perspective. What we found in Puerto 
Rico with Hurricane Maria in particular, specific to ESF 2, was 
that we were able to work with the communications providers, a 
number of them, including AT&T. That was one of the areas that 
we were able to get infrastructure restoration frankly the 
quickest. So we were able to work with the Department of 
Defense through FEMA and the Joint Field Office (JFO) down in 
Puerto Rico to put Cell On Light Trucks onto C-5 Galaxies out 
of Dobbins Air Force Base north of Atlanta, Georgia. We put the 
trucks on the plane, flew them down, put them in location, 
popped them up, had others on barges coming down. We were able 
to get that core infrastructure, that lifeline infrastructure 
back up quicker than any lifeline infrastructure on the island. 
That to me is, frankly, a signal that I have a pretty important 
job here, not just on the cyber side but on the physical and 
the communication side as well. So there is the integration so 
that we can pass and flow information from the physical to the 
cyber comms shop.
    The second piece, I have already alluded to it, lifeline 
infrastructure. One of the things that we need to take away 
from hurricane season is getting meals ready to eat (MREs), 
getting water, getting bags of ice, getting all that other 
stuff into a disaster zone is important. But so is getting 
comms up, lights on, things of that nature. So we need to be 
figuring out what the right balance is between life-sustaining 
operations and life-sustaining functions, and that includes 
communications and power, because if you do not have power, you 
are not going to get a lot of other stuff done. If you do not 
have communications, it is going to be that much harder to 
coordinate.
    Senator McCaskill. You are going to need a lot more MREs if 
you cannot get those two things done.
    Mr. Krebs. Yes, ma'am, so, again, I think it is the 
integration across my shop, but also working with FEMA to 
prioritize the restoration of some infrastructure services, and 
we have taken that to heart. We have a number of strategic 
engagements and working groups with FEMA right now to improve 
that. So for hurricane season 2018 I think we will be in a 
better position from an infrastructure----
    Senator McCaskill. Well, if you would share the entire 50--
list with our staff, we would appreciate it, so we can get an 
idea----
    Mr. Krebs. Yes, ma'am, happy to give you a brief----
    Senator McCaskill. We are trying to follow up on some very 
bad contracting that occurred in this space, which we are 
trying to figure out how to make sure those mistakes are not 
made again. But we want to be prepared to do the best oversight 
we can moving forward, and that means knowing what you see are 
the problem areas going forward. Thank you to you and your 
family for your service.
    Chairman Johnson. Thank you, Senator McCaskill.
    Mr. Krebs, I think you have found, just by the questions 
here, the Committee has a fair amount of confidence in your 
ability, and I think we will in a bipartisan fashion do 
everything we can to move this nomination along as quickly as 
possible. So, again, I want to thank you for your testimony and 
your willingness to serve and again thank your family. You know 
already this is a 24/7 type of position, and they know that as 
well.
    The nominee has made financial disclosures and provided 
responses to biographical and prehearing questions submitted by 
the Committee. Without objection, this information will be made 
part of the hearing record,\1\ with the exception of financial 
data, which are on file and available for public inspection in 
the Committee's offices.
---------------------------------------------------------------------------
    \1\ The information submitted by Mr. Krebs appears in the Appendix 
on page 34.
---------------------------------------------------------------------------
    The hearing record will remain open until 5 p.m. tomorrow, 
April 26th, for the submission of statements and questions for 
the record.
    This hearing is adjourned.
    [Whereupon, at 4:17 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]