[Senate Hearing 115-445]
[From the U.S. Government Publishing Office]
S. Hrg. 115-445
NOMINATION OF CHRISTOPHER C. KREBS
TO BE UNDER SECRETARY, NATIONAL
PROTECTION AND PROGRAMS DIRECTORATE,
U.S. DEPARTMENT OF HOMELAND SECURITY
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
NOMINATION OF CHRISTOPHER C. KREBS TO BE UNDER SECRETARY,
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE,
U.S. DEPARTMENT OF HOMELAND SECURITY
__________
APRIL 25, 2018
Available via the World Wide Web: http://www.Govinfo.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
32-455 PDF WASHINGTON : 2019
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota KAMALA D. HARRIS, California
STEVE DAINES, Montana DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
David N. Brewer, Chief Investigative Counsel
Michelle D. Woods, Senior Professional Staff Member
Margaret E. Daum, Minority Staff Director
Donald K. Sherman, Minority Senior Counsel
Julie G. Klein, Minority Professional Staff Member
Joel F. Walsh, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Bonni E. Dinerstein, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Johnson.............................................. 1
Senator Heitkamp............................................. 2
Senator McCaskill............................................ 5
Senator Harris............................................... 9
Senator Peters............................................... 14
Senator Hassan............................................... 17
Senator Lankford............................................. 18
Prepared statements:
Senator Johnson.............................................. 27
Senator McCaskill............................................ 29
WITNESSES
Wednesday, April 25, 2018
Christopher C. Krebs, to be Under Secretary, National Protection
and Programs Directorate, U.S. Department of Homeland Security
Testimony.................................................... 3
Prepared statement........................................... 32
Biographical and financial information....................... 34
Letter from the Office of Government Ethics.................. 51
Responses to pre-hearing questions........................... 54
Responses to post-hearing questions.......................... 104
Letters of Support........................................... 123
NOMINATION OF CHRISTOPHER C. KREBS
TO BE UNDER SECRETARY, NATIONAL
PROTECTION AND PROGRAMS DIRECTORATE,
U.S. DEPARTMENT OF HOMELAND SECURITY
----------
WEDNESDAY, APRIL 25, 2018
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 3:05 p.m., in
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
Present: Senators Johnson, Lankford, McCaskill, Carper,
Heitkamp, Peters, Hassan, Harris, and Daines.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. This hearing will come to order.
Today we are holding this hearing to consider the
nomination of Christopher C. Krebs to be the Under Secretary
for the National Protection and Programs Directorate (NPPD),
Department of Homeland Security (DHS). I think we are all
hoping that that will soon be named the ``Cybersecurity and
Infrastructure Security Agency'' (CISA). Maybe this will be the
last time we ever hold a confirmation hearing for that
Directorate's confirmation.
I do not have a whole lot to say in terms of an opening
statement. We had a really good hearing yesterday. Jeanette
Manfra from the Office of Cybersecurity and Communications
testified yesterday, and I think we really laid out the issues
and asked a lot of good questions.
I would ask that my written statement be entered into the
record.\1\
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Johnson appears in the
Appendix on page 27.
---------------------------------------------------------------------------
I also want to enter into the record eight letters we have
received in support\2\ of Mr. Krebs signed by 58 different
individuals, and it is a broad range of people from former DHS
officials, Central Intelligence Agency (CIA), Federal Emergency
Management Agency (FEMA), U.S. Customs and Border Protection
(CBP), Department of Treasury, National Institute of Standards
and Technology (NIST), the Department of Defense (DOD),
National Security Agency (NSA), National Security Council
(NSC). I think you get the drift.
---------------------------------------------------------------------------
\2\ The letters referenced by Senator Johnson appear in the
Appendix on page 123.
---------------------------------------------------------------------------
There seems to be a fair amount of support for this
nomination. It is obviously an enormously important position.
What was underscored in yesterday's hearing are the threats we
face are real; they are pervasive; they are growing. And as
much as we have improved our defenses, folks on offense are not
standing still either. So we still have that gap between
offense and defense, and this is going to affect every part of
our economy. It affects every nation in the world. In some
respects, it can be an existential threat to this Nation.
So the responsibilities of the Under Secretary are
enormous, and we certainly want to thank you, Mr. Krebs, for
your willingness to serve again. We want to thank your
beautiful family, and we hope you introduce them in your
opening comments. This is a full-time job, and you are going to
be devoting a lot of time. You will be having a lot of time
away from your beautiful family. So this is a whole family
sacrifice, and we really do appreciate your willingness to
allow Christopher to serve in this capacity.
So, with that, it is the tradition of this Committee to
swear in witnesses, so if you will please stand and raise your
right hand. Do you swear that the testimony you will give
before this Committee will be the truth, the whole truth, and
nothing but the truth, so help you, God?
Mr. Krebs. I do.
Chairman Johnson. Please be seated.
Senator Heitkamp, in the absence of Senator McCaskill, do
you have a couple comments you would like to make?
OPENING STATEMENT OF SENATOR HEITKAMP
Senator Heitkamp. This is a division that I think has been
misnamed, and I would not say mismanaged but lacking focus. And
I can only say from the hearing we had yesterday and reading
your resume and the support, thank you for applying. Thank you
for being willing to serve. This is an area where clearly
people from this sector could command a lot of money in the
private sector, and the willingness that you have exhibited to
come to Washington and to be part of doing this for the entire
country, it is a patriotic act, and I want to thank you.
We are really excited to hear your testimony, but I cannot
speak for the rest of my colleagues on this Committee. I am
excited to get you confirmed and get you to work so we can
continue the discussion that we started yesterday.
Thank you, Mr. Chairman, and good luck.
Chairman Johnson. There is no doubt about it, we are very
fortunate to have such a qualified candidate.
So, with that, Mr. Krebs, why do you not start your
testimony?
TESTIMONY OF CHRISTOPHER C. KREBS TO BE UNDER SECRETARY,\1\
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT
OF HOMELAND SECURITY
Mr. Krebs. Chairman Johnson, Ranking Member McCaskill, and
Members of the Committee, thank you for the opportunity to
appear before you today as the President's nominee for Under
Secretary of Homeland Security for the National Protection and
Programs Directorate. I am honored to have been nominated for
this position by President Trump, and I am grateful to have
Secretary Nielsen's support.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Krebs appears in the Appendix on
page 32.
---------------------------------------------------------------------------
More than anything else, I am especially grateful for the
strong support of my family, and I would like to recognize
those who have joined us today.
First, I would like to thank my parents, Van and Fran, for
providing me the opportunities in life to succeed; my brothers
who could not join us today, William and Davis, for keeping me
honest, but also helping me develop my partnership-building
skills; and my father-in-law, Dave, and mother-in-law, Patrice,
for being there for me, my wife, and often as baby sitters for
our children. Those kids are here today. We have Henry, Anna,
Charlie--I think Jack had to step out.
Chairman Johnson. He is under wraps.
Mr. Krebs. Then the fifth is going to join us later this
year. [Laughter.]
Chairman Johnson. Was that a new announcement?
Mr. Krebs. Yes.
Chairman Johnson. Congratulations.
Mr. Krebs. Thank you. They do keep me grounded----
Senator Heitkamp. You missed your parents' response.
[Laughter.]
Chairman Johnson. This is a Committee first, at least under
my chairmanship, so thanks.
Mr. Krebs. Good start. They do keep me grounded, and I come
to work every day to make the world a better, safer place for
their future.
Last, but certainly not least, I would like to recognize my
wife, Emily. Without her support, her patience, her strength,
and her love, I would not be here today.
I would also like to give thanks to my friends, my
coworkers old and new, and everyone else who has supported me
on this journey. I am humbled to have their support. And those
letters you mentioned, I am humbled to have the support of that
community.
I am fortunate to have served at DHS in several capacities.
Currently I serve as both the Assistant Secretary for
Infrastructure Protection as well as the Senior Official
Performing the Duties of the Under Secretary (SOPDUS) at NPPD,
two names I would like to retire. I have dedicated my career to
risk management and critical infrastructure protection in both
government and the private sector. I am passionate about this
mission, and if confirmed, it will be my honor to lead the
Department's cyber and infrastructure security mission.
This context is important. In our nomination discussions,
many of you asked what drew me to this job. The answer is
simple: I view this position as the pinnacle of national risk
management in cyber and physical infrastructure. We can do more
to advance a national risk management agenda than any other
single place in the U.S. Government. And since no single
stakeholder has all the information necessary to detect or
comprehensively manage systemic risk, NPPD's information-
sharing and coordination role and ability to engage policy- and
decisionmakers are essential to success in our shared homeland
security mission.
Success in this mission cannot be possible without the
tireless work of NPPD's incredibly talented workforce. While
serving as the senior official, I have sought to place the
employees first by creating a team-oriented culture, ensuring a
diverse and inclusive environment, and helping good ideas rise
to the top. If confirmed, I will continue to tirelessly
represent the men and women of NPPD; increase the visibility of
our mission and organization; and assertively engage
leadership, industry, Congress, and our other stakeholders on
their behalf.
NPPD's responsibilities have grown substantially since its
inception, driven by a dramatic shift in the threat environment
few could have anticipated 10 years ago. Today we face the
challenge of managing risk in both the physical and digital
worlds. This risk comes from Mother Nature; a diverse group of
threat actors including nation-states like Russia, China, Iran,
and North Korea; as well as cyber criminals, terrorist groups,
and others. We must do everything we can to mitigate these
threats and enhance the resilience of our infrastructure.
I see three primary strategic goals for NPPD. First, we
must defend civilian networks and secure Federal facilities.
Second, we must help manage systemic risk to national critical
functions. And, third, we must raise the security baseline by
providing stakeholders with the tools and resources they need
to secure infrastructure. We must foster voluntary, incentive-
driven partnerships with a wide range of stakeholders. If
confirmed, I will draw on my private sector experience and
understanding of government's unique value to ensure our
approach is customer-centric and requirements-driven.
Operationally, one of my top priorities at NPPD has been
enhancing the resilience of our Nation's election systems. In
the face of unprecedented Russian interference in our 2016
election, NPPD has worked closely with State and local election
officials across the country to ensure each American's vote
counts and is counted correctly. If confirmed, I will continue
to make this my top priority.
I will also work closely with Congress to facilitate
oversight of NPPD's activities and advance shared legislative
priorities, including restructuring NPPD, enhancing election
system security, reauthorizing the Chemical Facility Anti-
Terrorism Standards (CFATS) program, hardening infrastructure
against threats like electromagnetic pulse (EMP) and others.
I want to thank this Committee for including legislation
transforming NPPD into the Cybersecurity and Infrastructure
Security Agency in the recent DHS authorization bill. I look
forward to working with this Committee to pass that critical
legislation.
Thank you again for the opportunity to appear before you
today, and I look forward to answering your questions.
Chairman Johnson. Thank you, Mr. Krebs.
As we ad libbed the opening here, I forgot to introduce
you, so I will do that now before I ask our three questions.
Mr. Christopher Krebs is currently serving as the Assistant
Secretary for the Office of Infrastructure Protection for the
National Protection and Programs Directorate in the Department
of Homeland Security and is concurrently filling the role as
the Senior Official Performing the Duties of the Under
Secretary of the NPPD. That is as long a title as I have ever
read.
Prior to joining DHS, Mr. Krebs was the director of
cybersecurity policy for Microsoft, leading their work on
cybersecurity and technology issues. Mr. Krebs previously
served in DHS as a Senior Adviser to the Assistant Secretary
for Infrastructure Protection, where he helped establish a
number of national and international risk management programs.
Again, I could not be more pleased we have a person of such
caliber and experience willing to serve our Nation in this
capacity.
There are three questions the Committee asks of every
nominee for the record.
First, is there anything you are aware of in your
background that might present a conflict of interest with the
duties of the office to which you have been nominated?
Mr. Krebs. No, Mr. Chairman.
Chairman Johnson. Second, do you know of anything, personal
or otherwise, that would in any way prevent you from fully and
honorably discharging the responsibilities of the office to
which you have been nominated?
Mr. Krebs. No, sir.
Chairman Johnson. And, finally, do you agree without
reservation to comply with any request or summons to appear and
testify before any duly constituted committee of Congress if
you are confirmed?
Mr. Krebs. I do. And if I may caveat the first answer on
the conflicts of interest, I have consulted with Ethics
Counsel, and I will recuse myself for the next 11 months from
any particular matters involving Microsoft or the National
Cybersecurity Alliance.
Chairman Johnson. OK. That is noted for the record.
I will defer my questions out of respect for other Members'
time here, so, Senator McCaskill?
OPENING STATEMENT OF SENATOR MCCASKILL\1\
Senator McCaskill. Thank you. I want to apologize to you,
Mr. Krebs, for not being here at the beginning. I was on the
floor trying to get a UC for a Taxpayer's Right to Know data
availability online bill with Senator Lankford. We were trying
to get it passed, and so I was running a little late, so I
missed the announcement about your family and that you have
four children and one on the way?
---------------------------------------------------------------------------
\1\ The prepared statement of Senator McCaskill appears in the
Appendix on page 29.
---------------------------------------------------------------------------
Mr. Krebs. Yes, ma'am.
Senator McCaskill. My husband and I have seven children,
and we have 11 grandchildren, and I just want you to know the
more babies, the better. [Laughter.]
It is the motto around my house. We just had two new babies
a month and a half ago, two new grandsons, and they are the
light of my life.
I want to ask you--first of all, I am thrilled that you
have agreed to serve. I have reviewed your background, and I
think you are--and I will tell you that staff that interviewed you came
back and said, ``He is the real deal. He really knows what he
is talking about.'' We need you in this job, I believe, and I
think it is very important that you are given the resources and
the authority you need to move the needle in this important
area.
The first question I ask every witness is very important
because I am a big oversight freak and I love to do oversight,
and I always want to make sure that oversight can continue,
regardless of the parties that are in charge. So I want to ask
you these three questions:
Do you agree to provide information and documents when
requested by Members of Congress, regardless of party?
Mr. Krebs. Yes, ma'am, I do.
Senator McCaskill. Do you believe that the NPPD management
should comply with requests for documents and information from
Members of Congress, regardless of party?
Mr. Krebs. Yes, ma'am, I do.
Senator McCaskill. And what role do you think Congress
should play in assisting NPPD management in rooting out waste,
fraud, and abuse?
Mr. Krebs. In your oversight role, I believe you can assist
us in understanding where we could be more efficient, give us
the appropriate authorities to ensure that we are responsible
stewards of the taxpayers' dollars.
Senator McCaskill. Let me ask you about the 17 States that
have requested risk assessments. I asked Assistant Secretary
Manfra, and I think I got an answer that was a little
confusing. I asked if any States were waiting right now for an
assessment that they have not been able to get. She said nobody
in the election community is waiting for an assessment.
My question was not about a backlog, but I was instead
trying to determine if all the States that have requested risk
assessments have actually received the service and that the
request has been completed. Do you have the data on that?
Mr. Krebs. So, ma'am, we have 17 States and 8 local
jurisdictions that have requested vulnerability assessments.
There are a number that are in the scheduling phase, and the
reason that they have not necessarily been completed to today
is that there is a certain degree of preparation that is
required for a risk and vulnerability assessment (RVA). That
sometimes can include some preparation oftentimes, rather,
preparation on the State or the local jurisdiction side. In
some cases, what we have seen is that they do have some
upgrades, patches, things like that that they need to get in
order. There are also some basic legal agreements that we have
to get in place that we understand, so they understand the
scope of the risk and vulnerability assessment. And on that
note, there is some scoping of the RVA that has to happen.
I will say this, though: If any State or local jurisdiction
asks for an RVA in advance of the 2018 midterm elections, they
will get it when they need it or they want it. There is no
backlog. The wait list is due to preparation. So you have my
commitment on that and that we are prioritizing these RVAs, and
they will get done at the request of the----
Senator McCaskill. So you are telling me the wait is on
their end and not on your end?
Mr. Krebs. I would say that there is just a standard
preparation that has to take place, and I would not say it is
on anybody's end necessarily. It is just getting ready for a
vulnerability assessment.
Senator McCaskill. How many of those 17 have actually been
completed?
Mr. Krebs. My understanding, at this point we are up to
about nine, I believe, and I would have to come back to you on
that one. But as I understand it, the majority of them will be
completed by if not the end of May, soon thereafter.
Senator McCaskill. OK. Obviously, it is the end of April.
Mr. Krebs. Yes, ma'am.
Senator McCaskill. The election is quickly approaching, and
I think it is really important if those States--and I really
admire the States that have stepped forward and said
voluntarily--and, by the way, whatever you find, what they do
with it is voluntary. There is nothing here about the heavy
hand of the Federal Government reaching into the States and
telling them what to do. I am really proud of those States that
have stepped forward and asked for the help, and I do not want
in any way to ever indicate that that shows that they somehow
are lacking. I think just the opposite. I think they are
showing a high degree of professionalism and responsibility by
asking for all the help they can get, especially when we are
willing to provide it to them at no cost. So I want to
compliment them.
I asked also yesterday--or I guess it was the day before
yesterday--Assistant Secretary Manfra how many people in DHS
work full-time on election security. She was going to get back
to me on that. Could you give me that answer?
Mr. Krebs. So the high-side number of full-time--and it
changes day to day based on when a special election is, when we
have an RVA, things like that. It is the 10 to 15 range. Again,
it flexes a little bit.
We do have a number of part-time, meaning we have full-time
equivalent Federal employees at DHS, that in some part of
their day are focused on State and local election activities,
including our risk and vulnerability assessment teams. They may
be going from a State to do election assistance to a Federal
high-value-asset assessment, depending on the week. So it is
going to vary.
The $26.2 million that Congress provided us in the fiscal
year (FY) 2018 omnibus is going to allow us, rather, to build
out our capacity in terms of what we can do not just for State
election systems, but more broadly the State and local
community as well. As we have seen I think with Mecklenburg
County, with Colorado, with Atlanta, there is a real need for
technical support and other assistance at the State and local
level, and so as we are engaging on the election front, we are
also expanding and looking a little bit more broadly at the
information technology (IT) systems across States.
Senator McCaskill. I do not think 10 to 15 full-time on
election security is anywhere near adequate, and I want you to
know that I personally will try to do everything I can to help
get more there. I am sure you agree with me that 10 to 15
people to cover election security in this entire country with
all the various election systems that exist is woefully
inadequate. But I do think we can also be looking at--I know
that all of this is being provided free. It seems to me we
ought to noodle on whether or not we could do some kind of
agreement where we would help with some kind of matching funds
from the State and local governments, because many of them are
hiring from the private sector at a high cost, and we could
partner with them and do more with maybe not quite as much
Federal money being spent. And I would like to explore that
also.
Thank you, Mr. Chairman.
Chairman Johnson. Just to augment that a little bit, they
obviously have cybersecurity individuals in the States as well,
so that is not just 10 or 15. You have a force multiplier in
terms of the State election officials, correct?
Mr. Krebs. Yes, sir, that is right. If I may, historically
when we have talked about this over the last year, we have
taken this bottom-up approach of here is how DHS can help do X,
Y, or Z.
I think what we need to do--and I believe the conversation
is turning that way--is take a more top-down approach in terms
of here is the shared responsibility of election security. DHS
is in support of State and local officials. State and local
officials have been managing risk to their enterprise and their
environments for years. It goes back well before elections.
They are the best there is at managing what happens on election
day when there is a power outage or there is a tornado or there
is a hurricane. They do this quite well. And IT security has
increasingly been one of the things they have looked at.
So when I talk about the 10 to 15-plus that we have from
the Department of Homeland Security, that is obviously in
support of thousands of security specialists across the
country. And it is, as you point out, not just State and local
officials. Some of those that are not taking our services, they
do so because they have their own capabilities, whether it is
in-house or contracted resources. But your point is taken about
the matching funds.
Senator McCaskill. Let me just make this point. I know what
State employees are paid in the State of Missouri. I know what
the market bears for good IT help right now. I do not mean to
denigrate any of the State employees in my great State, but we
have cut and cut and cut and cut local and State governments,
and when you do that, you actually eat at the muscle of our
ability to track the best talent to do the kind of really high-
level work we are talking about here. So there may be people on
the payroll in a lot of States. I am not sure that all of them
have the expertise that we can help them with from your
Department.
Thank you, Mr. Chairman.
Chairman Johnson. But as is true in the private sector, you
do use private sector security analysts as well to aid. But,
anyway, I know Senator Harris has a unique situation. I think
this has been cleared that you are going to ask questions next.
Is that----
Senator Heitkamp. That is fine.
Chairman Johnson. OK. Senator Harris.
OPENING STATEMENT OF SENATOR HARRIS
Senator Harris. Senator Heitkamp, I thank you for your
gracious leadership and friendship.
Senator McCaskill. You are saying you owe her one? I just
want to make sure we got that.
Senator Harris. I knew she was not going to let it go this
easy. I am ranking in another hearing.
Senator Heitkamp. I have a celestial log book I keep.
[Laughter.]
Senator Harris. I look forward to the day I can pay you
back.
Congratulations on all of the changes that are happening in
your life in the midst of one of the great crises of our
country, which is securing our elections. And I appreciate the
last time you were before us and the answers to the questions I
presented. And I also know that you followed up and actually
did some reprioritization around the election cycle, so I
appreciate that.
I have a few questions for you about security clearances
for State elections officials. My understanding is that 30
State elections officials, which are representing 30 States,
have received a security clearance or an interim security
clearance as of today. Fifteen State officials have requested a
clearance but have not yet received one, and five State
officials have not yet applied.
Do you have a proposed timeline when all of these 30 State
officials will receive a permanent clearance?
Mr. Krebs. So, ma'am, on those five that have not yet
applied, in some situations they have actually declined to have
a clearance. Instead, we are working with other officials in
their States, for whatever reason.
On the 15 that are going through the process right now of
the adjudication of their SF-86, their clearance documents,
they are rolling in on a day-to-day basis. That process is
managed by the DHS Office of Intelligence Analysis (OIA).
I will say this: I do not have specifics because every
single case is different. Every single official has experienced
some life event that requires a little bit extra investigation
or adjudication. What came to my attention I was unaware of,
Secretaries of States are sued a lot just as a matter of the
course of business. Every single legal action has to be
recorded. I think we talked about that before.
So what we are doing is we are putting a lot of pressure on
the Intelligence Analysis Office to move those along, but I
will say this: I know, I have confidence that if right now I
needed to get a piece of intelligence in front of a State
election official, I could do that in a matter of hours. If I
needed to pull together a meeting tomorrow to share classified
information, we could do that. That is the progress we have
made in the last year.
I do not want to pin everything on issuing security
clearances. It is the outcome we are trying to achieve, and
that is, making sure that we can get classified information in
their hands when it is needed.
Senator Harris. I appreciate your point, but the concern I
have is that, short of a permanent security clearance, then
there is a process by which you would go day to day, right?
They have to go day to day in terms of when they are going to
receive or if they have the authority to receive classified
information. There is nothing that would give them a certain
permanence in terms of having it every day consistently without
reapplying. Is that correct?
Mr. Krebs. It is not a reapplying. If confirmed, I
personally would have the authority to give 1-day read-ins.
Senator Harris. Right.
Mr. Krebs. And it is not, submit information, it has to be
adjudicated there are known entities.
Senator Harris. But do you have to authorize that each day
to give a 1-day clearance?
Mr. Krebs. Yes, ma'am, but to be frank, if they had their
permanent clearances and I needed to get information to them, I
would have to do a judgment on need to know, anyway. So it is a
little bit of extra paperwork, but, again, I have confidence
that if I need to get a piece of information, we could make
that happen.
Senator Harris. Can you followup with this Committee and
give us a timeline on when those 30 State officials will
receive their permanent clearance, taking into account all the
variables?
Mr. Krebs. Yes, ma'am, the additional 15, we will
absolutely follow up.
Senator Harris. Yes, the 15.
Mr. Krebs. Yes, ma'am.
Senator Harris. And then I am sure you are aware, but I
asked my team to give me a list of the upcoming elections, and
so I am not going to ask you to tell me the status of each
election official from these States. But I am sure you are
aware May 8th is Ohio. I hope they have theirs. May 15th,
Idaho, Nebraska, Oregon, and Pennsylvania; May 22nd, Arkansas
and Georgia; June 5th, Alabama, California; Iowa, New Mexico,
South Dakota, June 12th; another series of States, June 26th.
So this is all imminent.
Mr. Krebs. Yes, ma'am, and we are taking a risk-based
approach, so we are looking at what is imminent and then
working with the intelligence analysis folks to see what we can
do to increase the sense of urgency around that.
Senator Harris. Can you tell me which States are the five
States who do not want security clearances?
Mr. Krebs. So two things on that.
First is that, generally speaking, we do not discuss
security clearance matters in public as a matter of operational
security. They can then become targets for collection from
foreign intelligence agents. So that is the first piece.
The second is from an individual State, who is doing what,
who is taking what action, we are in a position where we are
not disclosing the individual pieces of information. Our
approach here is nonpartisan, apolitical.
Senator Harris. I hope so.
Mr. Krebs. We are absolutely----
Senator Harris. Because this is absolutely a nonpartisan
issue. So there is no rule that prohibits you from telling this
Committee, even in a classified setting, which States----
Mr. Krebs. So in a different setting, we can discuss more
specifics, but from a----
Senator Harris. Mr. Chairman, I would urge that we get that
information and, in particular, inform our colleagues who
represent those five States and make sure they are aware of the
seriousness of this issue.
Chairman Johnson. I have no problem with that.
Senator Harris. OK. That would be great.
And then on election data breach notification, another
important service--we have discussed this before--that DHS
provides is what I refer to as ``hazmat teams'' that will go
out to the State and help an election agency, if it has been
hacked, to get back up and running, to be resilient after an
attack.
In an interview, the Illinois State Board of Elections
executive director said that--and this is, I think, the Ranking
Member's point, too--``They have a good IT department,'' when
they faced a threat from a sophisticated foreign actor. But
they said their resources are like bows and arrows against the
lightning. So we are talking about, obviously, an attack on a
State election system. Would you agree that even though it
attacks a State, it really is a threat to national security?
Mr. Krebs. Yes, ma'am. I think Secretary Nielsen has been
consistent about that as well. Election security is a national
security issue.
Senator Harris. And so do you believe that if a State
election agency is hacked while administering a Federal
election, the State election agency should be required to
notify the Department of Homeland Security?
Mr. Krebs. Ma'am, I think it depends on the definition of
``hack.'' As I think Assistant Secretary Manfra discussed
yesterday, there is a difference between scanning and
targeting. Scanning happens in some cases thousands of times a
day.
Senator Harris. So, in your opinion, who should we leave
the definition up to? Because it seems to me we should have
some clear indication of what would require a State to report
to DHS that they have been hacked. And I appreciate the point
that has been discussed often, which is it is perhaps a vague
term. But whose responsibility is it then to clarify what
qualifies as a reportable hacking?
Mr. Krebs. So I think that is a conversation that is
happening right now in the Secure Elections Act. I think the
recent conversations you had with the Secretaries of State,
that is the exact sort of forum in which we can start hashing
out what the threshold is for a notification. I do not believe
a scan, frankly, would require notification, but a penetration
of a date of registration, I think there is some incentive or
some indication that----
Senator Harris. So my time is up, but what I would like to
do for follow-up is get from you your suggestions about what
should be defined as a ``hack'' which would require a State to
report that to DHS.
Mr. Krebs. Yes, ma'am.
Senator Harris. OK, thank you. And if you could do that
within the next 3 weeks, that would be great.
Thank you.
Chairman Johnson. Thank you, Senator Harris.
Just a quick comment. The complexity of data breach
notification is something I have learned a fair amount over the
last 5 or 6 years. Senator Heitkamp.
Senator Heitkamp. Thank you, Mr. Chairman and Ranking
Member, and thank you, Mr. Krebs, for agreeing to serve our
country, as I said in my opening comments.
I just want to throw out an idea that I think would be
helpful, and it goes to the kind of general theme of what I
want to talk about here, and that is, there needs to be a
Center of Excellence for cybersecurity. You know where I am
going, right? So we do financial audits in State government. We
do performance audits. Claire was, I think, the State auditor,
probably did a number of performance audits. I think it is only
responsible, especially when we are talking about Federal
elections, to do performance audits of the security of State
systems.
Now, we are in a crisis because we are up against a couple
months where, as Senator Harris pointed out, these elections
are coming now, and many of these elections will be decided in
the primary. And that is true particularly in States like
California where you have a jungle primary. And so it is on us,
and we cannot look our constituents in the eye and say, ``Yes,
everything is cool. We have it under control.'' We need to have
a Center of Excellence for cybersecurity on all things that
affect our national defense and our national security. And I
really believe that your agency is the place where that should
be. I think Senator Carper may agree with me on this. We fought
pretty hard to try and claw back some jurisdiction on cyber. It
has been centered in Intel, as it should. They should be
concerned about it. But we need a broader governmentwide,
nationwide plan for what we are going to do in cyber so we are
not stepping on each other, we are not taking missteps that are
incredibly costly. You know how costly all of this is. But we
cannot ignore the small stuff, and this is what I am getting
at. This is something we talked about yesterday, which is that
resiliency of the foundation. Right now I would tell you it is
fairly porous. I think that when people put their passwords as
``password'' or ``11111'' or they do not do the kinds of things
that are recommended in common-sense ways to try and protect
the resiliency of either their devices or their programs or
managing their data.
And so there is a whole lot of force multipliers that we
can rely on, whether it is nonprofit, consumer-oriented groups,
whether it is the State groups that do consumer protection and
consumer awareness and education, it is true probably in a lot
of areas in life, but many people just want that magic bullet.
You are going to create that impenetrable, hardened shield, and
we have to tell them, look, we can have the best military, we
can have the best law enforcement in the world, but if we do
not lock our doors, we are less secure.
So can you walk with me how you see your role in that piece
of it, not the top-down but the bottom-up kind of resiliency of
users? And that is pretty much all of us now in America.
Mr. Krebs. Yes, ma'am, absolutely. Thank you for the
question. I mentioned it in my opening statement, but when NPPD
was originally organized as a successor to Preparedness back in
the 2007 timeframe. It was a collection of programs, and the
name, in fact, reflects that, National Protection and Programs
Directorate. It was a hodgepodge. The threat, the cybersecurity
threat at the time was obviously nowhere near what it is today.
The budgets alone show that. The National Cybersecurity
Division was a small collection of folks that had an issue they
were trying to get their arms around.
Where we are now with the threat environment, with the
authorities that are provided by Congress, by the
appropriations that we have been provided, I think it is clear
that now--and this is the reason we need the Cybersecurity and
Infrastructure Security Agency--DHS NPPD is the primary--it is
the leader for national risk management for cyber and critical
infrastructure protection. It has statutory authorities to be
the lead critical infrastructure protection coordinator. There
are sector-specific agencies that have the sector excellence,
the expertise, whether it is Treasury, the Department of Energy
(DOE), HHS, but it all comes together at the top. So when you
talk about a top-down--and I understand where we are going with
the bottom-up, but on the top-down, there needs to be one
person, one organization, rather, that can stitch it all
together.
Senator Heitkamp. I just want you to know we expect you to
throw some sharp elbows. There has been a lot of turf on this,
and there cannot be. We need a Center of Excellence, and that
is your job, in my opinion, is to create a Center of Excellence
to be that entity that evaluates products out there, that can
be, in fact, protective and shield, to develop products that
can better educate the public on how to protect themselves, and
then have the ability to integrate those not just with those
cyber threats, but understand that that will put pressure on
physical threats and be at the table when we are evaluating all
threats and bring that expertise. That is why we are excited
that you have applied for this job, but that is my expectation
of what you are going to do with this job.
Mr. Krebs. Yes, ma'am, we have a common adversary; we have
a common enemy. I have no patience for infighting across the
family. We should be working toward the same common purpose,
but what we need is a centralization function, and that is us
as the----
Senator Heitkamp. Right, but the problem that you have is
that now that everybody has gotten panicked about cyber, this
is the new bright, shiny object over here. That is where there
is going to be some money. We might get some personnel. You
know how the bureaucracy reacts to that opportunity. And it
will go places that will be dispersed in ways that we do not
have the best and the brightest centralized in a Center of
Excellence. And that is what I want. That is what I want you to
be. That is what I want your agency to be. I have been nothing
but impressed by you and the people who have come before this
Committee, and I think we have a real opportunity here to work
with universities, we have a real opportunity to work with
other State agencies. You have 4-1/2 or a quarter--I am not
sure what it all is, where it is.
Mr. Krebs. Four plus one.
Senator Heitkamp. Showing the shock on your parents' faces,
it might be just a quarter. Four and a quarter kids. This is
going to be hard work, and I am so grateful. I want to say
this--because I am running out of time--to your family because
we are putting a lot on your husband, and we are putting a lot
on your son and your son-in-law. But the work that he is going
to do is just as important as anyone who puts on a uniform and
carries a gun. He is on the front line of serious threats to
this country, and you should be so extraordinarily proud of him
and that you raised a fine human being, and for your kids, they
will know that you are working to make the world a better place
for them.
Thank you, and I look forward to ongoing discussions.
Mr. Krebs. Yes, ma'am. Thank you.
Chairman Johnson. Senator Heitkamp, before you potentially
leave here, I appreciate you bringing up the subject of turf
wars. I raised that issue yesterday. There is a reason we did
not get the name change in the omnibus. There was objection to
that. So we need to be honest about this. The reality of the
situation is that there is conflict here. I have been trying to
facilitate and I will make the offer again today. By the way, I
talked to Chairman Burr about this on the floor of the House
waiting for President Macron to speak about getting the
Secretary, yourself when confirmed, getting other Members of
Congress together, Intelligence Committee and DHS, and let us
work this out. That is what we need to do. This threat is too
significant to allow turf wars to get in the way of as
efficient an operation as possible in terms of dealing with a
very complex and serious problem.
Senator Heitkamp. I do not think there is any doubt about
it, and I think that when we have dispersed jurisdictions, we
have no accountability. So with this power, if we get this
done, comes accountability, and I think accountability and
understanding if something happens it is on you instead of
pointing the finger over at DOD, instead of pointing the finger
over at the intel community, I think that is critical for
accountability and oversight.
Chairman Johnson. So it is time to stop burying our heads
in the sand in terms of the turf wars that are occurring right
now. We have to get by those, and we have to come to an
agreement on this. So from my standpoint, this is a top
priority. We have to get this decided, agreed upon, and move
past it. Senator Peters.
OPENING STATEMENT OF SENATOR PETERS
Senator Peters. Thank you, Mr. Chairman. Mr. Krebs, again,
thank you for your willingness to serve. Senator Heitkamp is
right. This is an incredibly important position, and we are
going to be looking for your leadership every day dealing with
what is perhaps our No. 1 national security threat, which are
these cyber attacks.
I want to pick up on the theme that we have heard over and
over again about turf wars and how we have these silos in the
Federal Government. We often talk and this Committee talks
about some of these big challenges and we have to have a whole-
of-government approach. Yet the ``whole of government'' is in
all these discrete areas, do not talk to each other like they
should, and are not efficient, and we are not really focused on
the overall mission, which is to protect the American people.
It is not obviously the first time we have had these
issues, and the Department of Defense particularly has had
these issues for many years, from the Navy, the Air Force, and
the Army. They are very proud parts of the service, but for
many years they never really talked to each other. It is pretty
hard to conduct a war when the Navy is not talking to the Army
and they are not working together. And in order to resolve
that, jointness has been a big part of military doctrine for
many years, where they work in a joint fashion. There are joint
duty officers that actually will work in different branches to
learn about other branches and can be able to help coordinate
that.
But, unfortunately, we do not have that in the civilian
side so I am going to ask you about some legislation I am
working on that will hopefully allow us to have that kind of
joint duty officer, similar to what we would have in the
Department of Defense. I am working with Senator Hoeven on a
bill that we hope will be up at some point, Mr. Chairman. It is
the Federal Cybersecurity Joint Duty Program Act, which would
establish a civilian personnel rotation program designed
specifically for cyber professionals that would enable them to
gain experience across the Federal enterprise. So authorizing a
joint duty program would provide both clarity and guidance for
human capital officers across the government and help them
develop, I believe, a stronger cyber workforce if they have had
a chance to work in different departments. They are going to
bring lessons learned in this department to another department.
They are going to likely learn a whole lot in that department.
And then when you are trying to coordinate all these, you are
going to have a team of people who have actually worked across
these different agencies.
Yesterday in the previous hearing, Assistant Secretary
Manfra thought it was a good idea that we should move forward,
but I would like to have your thoughts. Would such a program
that would provide these kinds of rotational opportunities be
beneficial to employees? Is this something you think we need to
be looking at?
Mr. Krebs. Yes, sir, I think it bears a lot of merit. I
think the ability to standardize and centralize cybersecurity
across civilian agencies is something that will only help us.
In fact, we are looking at ways to do that now with the
Continuous Diagnostics and Mitigation (CDM) program. We are
doing some training for existing IT security professionals so
they know how to use the tools we are deploying through the CDM
program.
But this is a great example of if you put somebody in a
different environment and allow them to understand what the
operational environment looks like, they are going to come back
more well rounded, better off, and able to contribute to the
bigger mission.
I would also offer that, in addition to internal government
interagency rotations, we need to continue looking at
government programs exchanges with the private sector, so DHS
has the exemplar program that sends government officials out
into the private sector, as well as the loan executive program
that brings them in. So in some cases, we have them sitting in
our National Cybersecurity and Communications Integration
Center. That is another example of we can put our folks out
into an environment. They understand what private sector
requirements are, and they come back in and they help fine-tune
the mission.
So I am looking forward to having a continued conversation
on your bill in particular, though.
Senator Peters. Well, one thing that I see this doing,
too--and I would like your thoughts on it--is that it makes an
already interesting job even more interesting at a time when we
want to retain these professionals in Federal service. To be
able to have that wide range of experience I would think would
aid with retention. Do you agree?
Mr. Krebs. Yes, sir. I think if I can hang along with a
name that tells folks what my organization is, the
Cybersecurity Agency, if I can in a recruiting manner tell
them, hey, you can go hunt for the Russians, you can go hunt
for the Chinese across various departments and agencies, that
is a pretty attractive recruiting pitch.
Senator Peters. And how would the Federal cyber workforce
be strengthened if employees at other agencies were afforded
the chance to serve in a rotational capacity at NPPD?
Mr. Krebs. Well, for one, they would understand how we
approach incident response assessment, so when they do a
rotation within NPPD, they go back to their agency, and, again,
we have a standardized approach to cybersecurity and
information security professionals across the Federal
Government. To the extent that we can continue to standardize
and streamline our approach across the Federal Government, that
is going to make us better off.
Senator Peters. Great. Well, I appreciate that. I look
forward to working with you, if confirmed. And I think the
other idea that you raise, which would have to be the next
step, is people who can move out of the Federal Government into
the private sector and back, as you know, with civil service
rules that can be a lot more complicated, but one that I think
is absolutely critical. We see folks who are outstanding
individuals in the cyber space now who are willing to serve,
for example, in the National Guard in our new cyber units that
we are setting up there. They do not do it for the money. They
do it because of the mission. They do it because they are
patriotic Americans, but we have the opportunity to get highly
skilled folks in the private sector working on national defense
issues. I think there are opportunities to do that as well. Do
you agree?
Mr. Krebs. Yes, sir, and I think what you are highlighting
is that there are a number of tools in the cybersecurity
professional toolkit. DHS is not the only one that is having
some workforce challenges. The NSA is having workforce
challenges. We have already talked about the State and local
government official workforce challenges. The private sector
has workforce challenges.
So what we need to be looking at is, in addition to filling
the vacancies that we have, what are the other resources--I do
not want to steal Senator Hassan's thunder, but the bug bounty
program is another example of diversifying our capabilities.
What is the security outcome we are trying to achieve? That is
what we need to be focused on. And how are the ways we can plug
the gaps, whether it is National Guard--again, as long as we
are standardizing, taking a similar approach from a day-to-day
information security approach for when that bad day happens,
that when we show up, we all know how to respond, we all know
how to act so we are not doing the business card game. I think
that is only going to serve us that much better.
Senator Peters. Great. Thank you so much.
Mr. Krebs. Yes, sir.
Chairman Johnson. Thank you, Senator Peters.
By the way, I think it is an excellent idea, the rotation.
I like it so much I wish I would have thought of it myself.
What I would ask you to do is work with the different
departments and make sure that they do not have a problem with
it, because that is what we are going to do as Committee staff,
go to DHS, do you have any issues with that? But try and do
that work ahead of time. Again, I want to be completely
supportive of it.
Senator Peters. Thank you, Mr. Chairman.
Chairman Johnson. Senator Hassan.
OPENING STATEMENT OF SENATOR HASSAN
Senator Hassan. Well, thank you, Mr. Chair, and I want to
thank you and Ranking Member McCaskill for this hearing.
Welcome, Mr. Krebs. And to the entire Krebs family, thank you.
I am seeing Henry and Anna. You are doing great. You are being
very polite, and you are doing better than most adults do in
these hearings. So I just want to thank you for sharing your
Dad with the people of our country, because he wants to and is
doing really important things to keep us all safe. So we are
really grateful.
Mr. Krebs, I wanted to follow up a little bit on what you
just mentioned a moment ago about the bug bounty program. You
and I have discussed the legislation that Senator Portman and I
have, Senate bill 1281, the Hack DHS Act, which passed the
Senate unanimously last week. Hack DHS requires the Department
to establish a one-time bug bounty pilot program in order to
assess the value of a bug bounty as a tool to secure DHS'
systems from all types of cyber threats.
Last week, you were quoted as having questions about how a
DHS bug bounty program would be funded and whether DHS would be
given the necessary flexibility to implement a bug bounty in a
safe and effective manner. I appreciate those concerns. The
good news is that our Hack DHS bill addresses all of those
concerns, as I think you and I have discussed.
Our bill gives DHS ample flexibility to implement the bug
bounty pilot program as DHS sees fit. Under the bill the
Secretary is empowered to exclude parts of DHS that it feels
are too risky to open up to a bug bounty, and under our bill
DHS is required to fully vet any hacker participating in the
bug bounty program.
Additionally, the bill authorizes $250,000 for DHS to run
the bug bounty pilot program, which is double what it cost the
Pentagon to run its pilot program.
Finally, my staff, Senator Portman's staff, and the staffs
of Chairman Johnson and Ranking Member McCaskill have all
worked closely with DHS to incorporate any DHS changes so that
this bug bounty program could serve as a key tool for the
Department to counter cyber threats.
So, Mr. Krebs, given that our bill addresses many of your
concerns, can you share with us your opinion about the Hack DHS
bill and whether you think it would provide DHS with a valuable
tool to strengthen the Department's cyber defenses?
Mr. Krebs. Yes, ma'am, as you and I discussed the other
evening, I welcome any tool that is going to help us be better,
and this is an example of a tool in the broader toolkit that
will enable us to secure our networks. So, yes, ma'am.
Senator Hassan. Thank you very much. I appreciate it.
That is all I have, Mr. Chair.
Chairman Johnson. Thank you, Senator Hassan.
Senator Lankford.
OPENING STATEMENT OF SENATOR LANKFORD
Senator Lankford. Thank you, Mr. Chairman.
Good to see you again. Thanks for the work that you have
already done. Thanks to your family. The folks at this dais
understand extremely well the cost to families and what that
really means to your family, and so we appreciate very much the
sacrifice that you and your family are making to be able to
serve the country. So thank you for that.
Let me ask you a little bit about determining domestic
threats, foreign threats, and a variation that is coming now
where foreign actors are basically finding cyber criminals and
using them as contractors. And so we have this strange hybrid
of an area that is really a foreign cyber criminal that
sometimes works for a foreign government and sometimes they are
free-lancing and doing it on their own. As we are trying to be
able to determine the threats as they are coming, how to
respond to them and how to defend that, how are you filtering
out and how should we as a Nation quantify this is domestic, in
the United States, and this is foreign, this is a foreign
actor, a foreign criminal actor as well? And what would the
responses be different on that?
Mr. Krebs. So I think what we need to do is have a couple
different axes at which we look at the broader threat. So on
one side, we have the indiscriminate criminal threats, the
ransomware campaigns. There may be some scanning and hacking
and things like that. But it is those that are out there to
make a quick buck or whatever. And then we have the nation-
state level threat. And the gray space in between I think is----
Senator Lankford. The hybrid, right.
Mr. Krebs. You are hitting that. The issue here is that
each of the adversary sets is going to have a different set of
objectives and a corresponding set of pain points. So one
nation-state, for instance, may be more financially motivated;
another might be looking for geopolitical advancement. So
whatever the response is, the deterrence package, the
consequence package has to be tailored specifically to that
adversary.
In the general cyber criminal space, law enforcement, which
remains a challenge and is another part of the Federal
Government, whether it is within DHS or the Federal Bureau of
Investigation (FBI), that is going to require significant
coordination with the international law enforcement community
to do some of the overseas takedowns and extraditions. From a
nation-state approach, the deterrence package is going to be
wide-ranging, but it can include anything, as we have
discussed, from sanctions to other instruments of national
power.
Senator Lankford. So let me ask about the attribution of
that, because initially when it hits, let us say, a pipeline
company, it hits an electric grid, water, election system,
whatever it may be, we know it exists. But trying to get
attribution for it and then to be able to figure out what
agency is then going to be able to follow up, either
recommendations or how to respond, or who is going to handle
that, is that domestic? It is hitting the United States, but
was that someone local? So that is going to be who, is that
going to be you, is that going to be FBI? Who has it? Or is it
going to be international, is it going to be someone else? How
is that working right now with the hand-offs, and what can be
improved, the speed of both attribution and then the hand-off
of who has it from there?
Mr. Krebs. So Presidential Policy Directive (PPD-41) is
fairly clear in terms of the lanes in the road and who is doing
threat response and who is doing asset response. I am, frankly,
less concerned about if it is this bad guy trying to achieve
this objective. What I am concerned about is managing risk and
buying down risk, whether it is a single asset, understanding
what is going on within that network, helping them get it
straightened out, but then taking the piece out, whether it is
an indicator or other signature, and then moving it into other
aspects of not just that sector but other sectors. Because one
thing we are increasingly seeing is while the adversary,
particularly the nation-state adversary, is sophisticated and
capable, they are not all the time just focused purely on the
electricity subsector or the banking and finance subsector.
They are looking a little bit more broadly, so it is important
that we not limit ourselves to a sector-by-sector approach,
which we have already talked about today.
Senator Lankford. Right, which would be helpful. So let me
go to the risk side of it then. One of the lessons learned from
Kaspersky and what happened here in the Federal Government with
their distribution basically across multiple agencies and the
speed of our response once we discovered more.
Mr. Krebs. So given the ongoing litigation, I cannot get
too much into the specifics of Kaspersky, but what I can talk
about is broader supply chain risk management. We are taking a
couple different approaches at DHS. One is within NPPD we have
kicked off--I believe you have gotten the briefing on the cyber
supply chain risk management approach. What we are trying to do
is provide intelligence and other information and inject it
into the procurement process as left of procurement as
possible. So help contract officers and procurement officials
write Requests for Information and Sources Sought that are
risk-informed. And then when they do get Sources Sought, we can
then craft Requests for Proposals--again, risk-informed. When
they get their proposals--again, risk-informed--injecting the
appropriate risk information so that they can identify whether
it is a first-tier, second-tier, third-tier contractor, what
may be a risky proposition. And what that is really going to
require is transparency in the proposal. So it is going to
require procurement officials to drive more transparency, to
drive more information provided. And that is just at the
Federal procurement level.
Senator Lankford. So do you anticipate that your office
will work with procurement officials governmentwide to be able
to help develop some of those standards?
Mr. Krebs. Yes, sir, we are right now.
Senator Lankford. So is it, again, your assumption that
they will then have a new item, a new piece of software, a new
piece of hardware, a new refrigerator that goes in the lounge
that has wireless fidelity (WiFi) capability on it, whatever it
may be, is it your expectation that each product will then be
signed off by your office, or there is a set of standards to
say here is what to be able to watch for?
Mr. Krebs. So my hope is to get to the latter point, to get
to a more scalable approach. If we are looking at every single
transaction, we talk about backlogs. That one is going to be
years.
Senator Lankford. That is what I would assume.
Mr. Krebs. What we need to do is educate the procurement
officials so they can write smarter, more risk-informed
contracts, so you will attest that you have disabled this
feature, or you will describe the third-party code that was
written into your software or baked into your product.
Senator Lankford. OK. When do you anticipate that would
happen? I know that has already started. When do you think that
would be complete?
Mr. Krebs. To answer this the right way would be to say it
is never going to be complete because we are going to
continue----
Senator Lankford. Because there is always new stuff, yes.
Mr. Krebs. Yes, sir. I would have to get back to you on
exactly what our----
Senator Lankford. That is fair enough.
One of the key things that we are trying to be able to push
is to be able to make sure we are getting ahead of that. One of
the lessons learned on Kaspersky is speed.
Mr. Krebs. Yes, sir.
Senator Lankford. Once we actually find out about the
threat, how to be able to respond to that, what does that mean
getting the information out to multiple entities that need to
get it quickly, giving them options to be able to transition
from this to this, and to know that they can make that
transition quickly and safely, but also then studying the new
standards, trying to determine what questions need to be asked
before we begin the process.
Mr. Krebs. And if I may add, one piece is that while we are
focused on the tactical Federal procurement level, there is a
broader national strategic conversation that needs to happen on
supply chain risk management. We are seeing it in some of the
5G spaces. But what we need--sorry, out of the corner of my
eye.
Senator Lankford. No, that is a good thing, actually.
[Laughter.]
Mr. Krebs. What we need to do is actually look at what a
holistic national supply chain conversation looks like, what
the national critical functions are that underpin our very
economy that ensure that the Federal Government can perform its
duties on a day-to-day basis. And so we have to identify those
national critical functions. We have to identify those critical
components within those functions and then identify what the
transparency requirements are, what the certification or
standardization requirements are. And then at a certain level,
we may have to have conversations about reshoring and bringing
manufacturing back to the United States, and that is going to
require an entirely different strategy.
Senator Lankford. Thank you. I appreciate that. And, by the
way, ``Goodnight, Moon'' is one of the all-time classic pieces
of literature. [Laughter.]
Thank you.
Chairman Johnson. I think the lesson learned in Kaspersky,
certainly one of the lessons is that within the intelligence
and national security community, they knew full well that here
is a cybersecurity business founded and operated by a former
KGB officer, and it is probably not a real good idea to let
that business continue to grow and infiltrate into our economy
without mentioning something until this very late date.
I think our Committee Members have done a good job asking
questions, so let me just kind of mop up on a few things or
make some comments. Senator Harris was talking about data
breach notification. Talk about the complexities of that issue,
because it seems so simple. I mean, that is what I thought 6
years ago, and the top two things on cybersecurity are always
information sharing and a national preemption of data breach
notification just made so much sense, but it is far more
complex than that. So first speak to that a little bit.
Mr. Krebs. The complexities happen at virtually every layer
of government. So you have State data breach requirements. It
is going to vary State to State. I think 47-plus States have
actual data breach notifications. It is going to vary across
sector, too. Banking and finance, payment cards, retailers,
they are all going to have--whether it is personally
identifiable information (PII) or Payment Card Industry (PCI),
they are all going to have different thresholds for reporting
given the impacted community. Then you throw in Health
Insurance Portability and Accountability Act (HIPAA), you throw
in other health information. It is challenging alone at the
State level. And then once you bring it up to the Federal
level, I believe the average number is about eight pieces of
legislation per session.
Chairman Johnson. Talk about the entity itself being
breached, the complexity of knowing you have been breached----
Mr. Krebs. Knowing the extent.
Chairman Johnson [continuing]. Doing the forensics,
understanding exactly what happened before you are required to
do something.
Mr. Krebs. Yes, I think one of the challenges that we are
having is more, as you have mentioned, the complexity. It is
the complexity of the systems we are talking about, the
complexity of the information, the complexity of third-party
risk. Who actually is owning or operating that system that may
or may not have been impacted, what controls they had, what
information was reviewed, scanned, exfiltrated. These are all
questions that we are still trying to sort through as a
community, and it is not always a baked answer.
I will add in the other complexity is in certain cases
there are active investigations going on from a law enforcement
or intelligence perspective. We are trying to keep eyes on the
bad guy as they are moving around because this may be a novel
approach. And so there is some sort of preserving of the
environment for that sort of monitoring.
Chairman Johnson. As you heard from the Committee's
questions, obviously election security is something we take
very seriously, and we appreciate the fact that you realize
that is a top priority.
I do want to just kind of summarize the way I think of this
and see if you basically agree or how you would modify my
approach. But to me there are basically three threats from the
standpoint of election security. First of all, can someone get
into voting machines and actually affect the vote tally? Let me
lay them all out. Then, second, can they get into the voter
file? And then, third, the threat is literally public
confidence.
So when it comes to vote tallies, in our briefings it seems
like, because these election machines are not tied to the
Internet, some actually have WiFi capability, but they are
supposed to be turned off. It seems like it is pretty difficult
for somebody to actually affect the voting tally. Would you
agree with that?
Mr. Krebs. I think what we saw at least in 2016 was the
sophistication of the adversary was not at least what was
observed--I know Eric Rosenbach, ``Do not ever count the
Russians out,'' I think was his message. But based on what we
saw, the voter tally access was complicated. The thing that I
reiterate is this is not about achieving 100 percent security
or perfect security. It is about achieving a resilient
ecosystem where you have confidence at the end of the voting
cycle that what was put in on the left end came out on the
right end consistently. So that is why we continue to encourage
at least some sort of paper trail with a scientifically
significant on the other side audit.
So I think that if we can get into a situation where we are
managing risk--and that is what we are doing. We are not trying
to secure. We are managing----
Chairman Johnson. Again, I am actually asking these
questions to really confirm the final risk of public
confidence. Again, I do not want to blow anything out of
proportion. I want to take the risk seriously. And so changing
the actual voter count is going to be a very difficult thing
for somebody to do, certainly nationally. They might be able to
do it locally, but even that is pretty tough. Getting the voter
files to me is a more significant risk. But, again, there are
many controls. There are a number of things that we can do
post-audit, recounts, that give us some indication something
actually happened.
And so you take those first two risks--voter tally, voter
file--it is pretty minimal. And if we have our eyes on this and
you have election officials, you have a very dispersed--which I
think enhances election security, we ought to be able to as
much as possible increase public confidence in our elections.
To me, that is the whole point of this thing. And I do not want
a lot of the rhetoric out there decreasing public confidence.
Mr. Krebs. It is a good scare story. I think there has been
a lot of progress lately. Just yesterday or today, I believe
Orange County, California, released their voter security
playbook. The same has happened in Kentucky and Cook County.
The public confidence messaging piece has to catch up to the
fear factor.
Chairman Johnson. I do not want to understate the threat.
Mr. Krebs. There is no minimization.
Chairman Johnson. I think there is a great danger in
overstating it.
Mr. Krebs. That is right.
Chairman Johnson. Apparently, both of us met with the Chief
Executive Officer (CEO) of Duke Energy.
Mr. Krebs. Back to back, I think.
Chairman Johnson. As you know, I am concerned about
EMP/geomagnetic disturbances (GMD). But, again, Senator Harris
talked about clearances, and that is certainly what the CEO of
Duke Energy was talking about. This is a governmentwide
problem. There is a huge backlog. Is there a certain level
priority that we can slot some of these individuals in for
security clearances?
Mr. Krebs. Specific to the EMP/GMD threat or----
Chairman Johnson. Well, I mean, again, based on the
priority of the threats that we are recognizing.
Mr. Krebs. So, yes, sir, I believe there is some
prioritization of the process. I do believe that across the
Federal Government, I think the backlog is somewhere on the
order of 800,000 folks that are in processing. But from a
private sector clearance perspective, we are streamlining our
approach for how we work with the private sector and how they
are sponsored and how they are put through. Paperwork is
paperwork. We still want to make sure that the folks that are
getting the clearances have been adequately vetted and
validated and make sure that there is not something lurking
around that they may be held at risk. But there are ways that
we are looking at to help streamline the----
Chairman Johnson. OK, because I think we do need to
prioritize this based on the threat.
The CEO is taking over their industry-wide group on some of
this, and I am actually pleased to hear that she seems to be
taking EMP/GMD seriously. I do not think from a government
standpoint we have done enough, and I do not think we are
taking it seriously enough. So I guess you are going to be in
charge of the agency that will be tasked certainly from the
standpoint of DHS, the EMP Commission tasked DHS and DOE with
certain quick fixes, which, according to GAO, have not been
undertaken. We do not have the strategy yet. So, again, I just
want your assurance that this is something you will take
seriously. Let us get to the bottom of this. How serious a
threat is this? I am not an electrical engineer, but it has
driven me nuts over the last number of years that we just
cannot come to a conclusion of how serious a threat this is and
what we should really do to protect our Nation against what
could be a catastrophic occurrence.
Mr. Krebs. Yes, sir, you have my assurance that we are
taking this seriously.
Chairman Johnson. OK. Senator McCaskill, do you have
anything else?
Senator McCaskill. Yes, just a couple.
The binding operational directives (BOD), I know that you
issued BOD to make it more difficult for bad actors to mimic
legitimate email communications from Federal agencies. The
binding operational directives gave a 90-day and a 120-day
timeline for parts of the implementation, meaning some of those
deadlines have already passed. Can you give us a report card of
how many Federal agencies have complied with this?
Mr. Krebs. Ma'am, if I may, I would like to circle back
with specifics.
Senator McCaskill. Sure.
Mr. Krebs. The challenge with the Domain-based Message
Authentication Reporting and Conformance (DMARC) implementation
is that not every BOD is created the same. Not every network
across the Federal agencies is created the same. In some cases
there were email domains that, frankly, were either dormant or,
frankly, forgotten about. So there is a lot of kind of
collating of what is across the systems. That has led to some
challenges in implementation, but I would like to come back and
meet with your staff to----
Senator McCaskill. That would be great.
Mr. Krebs. Yes, ma'am.
Senator McCaskill. Because I would like to follow up with
that. I do think it is something that we have not--and I think
you are going to have to figure out a way to navigate this very
complex area so that we can take that basic first step in every
Federal agency in terms of email communication.
Mr. Krebs. Yes, ma'am.
Senator McCaskill. It is obviously a vulnerability.
You stated in your policy questionnaire--you all have some
responsibilities, some specific responsibilities outlined in
the National Response Framework in emergency management,
critical information protection, and communication restoration.
You stated in your policy questionnaire that you identified 50
areas for improvement after the 2017 hurricane season.
Obviously, you have no work to do in this new job. I can tell
you really are going to be spending a lot of time figuring out
how to stay busy. But I would be curious what you would
consider are the top two or three items on that list in terms
of what you learned in the aftermath of this brutal 2017
season, especially in terms of restoration of communication,
because when I have talked to people that were on the ground,
that was the biggest challenge in terms of getting stuff where
it needed to go, the inability of people to talk to one
another.
Mr. Krebs. So thank you for the question, and I came into
this job as Assistant Secretary for Infrastructure Protection
in August 2017. A week and a half later, Hurricane Harvey hit.
From that time until today, I have still been focused on
hurricane season 2017, getting ready for 2018. I made numerous
visits to Puerto Rico, went down to Texas and Florida.
The two primary takeaways that I have from hurricane
season: First, I needed to do across NPPD a better job of
integrating our cyber and communication shop and our physical
infrastructure shop. And what we have done since hurricane
season is a tighter linkage and, in fact, collocation of the
National Infrastructure Coordinating Center (NICC), the
physical side, into the National Cybersecurity and
Communications Integration Center (NCCIC). The NCCIC has
responsibility for Emergency Support Function (ESF) 2; the NICC supports ESF
3, 8, 9, 12, and, in part, 13. That is a Federal Protective
Service (FPS) mission. But everything at some point has to come
together from a visibility perspective. What we found in Puerto
Rico with Hurricane Maria in particular, specific to ESF 2, was
that we were able to work with the communications providers, a
number of them, including AT&T. That was one of the areas that
we were able to get infrastructure restoration frankly the
quickest. So we were able to work with the Department of
Defense through FEMA and the Joint Field Office (JFO) down in
Puerto Rico to put Cell On Light Trucks onto C-5 Galaxies out
of Dobbins Air Force Base north of Atlanta, Georgia. We put the
trucks on the plane, flew them down, put them in location,
popped them up, had others on barges coming down. We were able
to get that core infrastructure, that lifeline infrastructure
back up quicker than any lifeline infrastructure on the island.
That to me is, frankly, a signal that I have a pretty important
job here, not just on the cyber side but on the physical and
the communication side as well. So there is the integration so
that we can pass and flow information from the physical to the
cyber comms shop.
The second piece, I have already alluded to it, lifeline
infrastructure. One of the things that we need to take away
from hurricane season is getting meals ready to eat (MREs),
getting water, getting bags of ice, getting all that other
stuff into a disaster zone is important. But so is getting
comms up, lights on, things of that nature. So we need to be
figuring out what the right balance is between life-sustaining
operations and life-sustaining functions, and that includes
communications and power, because if you do not have power, you
are not going to get a lot of other stuff done. If you do not
have communications, it is going to be that much harder to
coordinate.
Senator McCaskill. You are going to need a lot more MREs if
you cannot get those two things done.
Mr. Krebs. Yes, ma'am, so, again, I think it is the
integration across my shop, but also working with FEMA to
prioritize the restoration of some infrastructure services, and
we have taken that to heart. We have a number of strategic
engagements and working groups with FEMA right now to improve
that. So for hurricane season 2018 I think we will be in a
better position from an infrastructure----
Senator McCaskill. Well, if you would share the entire 50--
list with our staff, we would appreciate it, so we can get an
idea----
Mr. Krebs. Yes, ma'am, happy to give you a brief----
Senator McCaskill. We are trying to follow up on some very
bad contracting that occurred in this space, which we are
trying to figure out how to make sure those mistakes are not
made again. But we want to be prepared to do the best oversight
we can moving forward, and that means knowing what you see are
the problem areas going forward. Thank you to you and your
family for your service.
Chairman Johnson. Thank you, Senator McCaskill.
Mr. Krebs, I think you have found, just by the questions
here, the Committee has a fair amount of confidence in your
ability, and I think we will in a bipartisan fashion do
everything we can to move this nomination along as quickly as
possible. So, again, I want to thank you for your testimony and
your willingness to serve and again thank your family. You know
already this is a 24/7 type of position, and they know that as
well.
The nominee has made financial disclosures and provided
responses to biographical and prehearing questions submitted by
the Committee. Without objection, this information will be made
part of the hearing record,\1\ with the exception of financial
data, which are on file and available for public inspection in
the Committee's offices.
---------------------------------------------------------------------------
\1\ The information submitted by Mr. Krebs appears in the Appendix
on page 34.
---------------------------------------------------------------------------
The hearing record will remain open until 5 p.m. tomorrow,
April 26th, for the submission of statements and questions for
the record.
This hearing is adjourned.
[Whereupon, at 4:17 p.m., the Committee was adjourned.]
A P P E N D I X
----------