b"<html>\n<title> - EVOLVING THREATS TO THE HOMELAND</title>\n<body><pre>[Senate Hearing 115-588]\n[From the U.S. Government Publishing Office]\n\n\n\n                                                        S. Hrg. 115-588\n \n                    EVOLVING THREATS TO THE HOMELAND\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n\n                             SECOND SESSION\n\n                               __________\n\n                           SEPTEMBER 13, 2018\n\n                               __________\n\n        Available via the World Wide Web: http://www.govinfo.gov  \n        \n                        Printed for the use of the\n        Committee on Homeland Security and Governmental Affairs\n        \n        \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]        \n\n\n\n\n                U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n34-575 PDF             WASHINGTON : 2019      \n\n\n        \n        \n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n                    RON JOHNSON, Wisconsin, Chairman\nROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri\nRAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware\nJAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota\nMICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan\nJOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire\nSTEVE DAINES, Montana                KAMALA D. HARRIS, California\nJON KYL, Arizona                     DOUG JONES, Alabama\n\n                  Christopher R. Hixon, Staff Director\n                Gabrielle D'Adamo Singer, Chief Counsel\n          Michelle D. 
Woods, Senior Professional Staff Member\n              Colleen E. Berny, Professional Staff Member\n                     William G. Rhodes III, Fellow\n               Margaret E. Daum, Minority Staff Director\n               J. Jackson Eaton, Minority Senior Counsel\n                 Subhasri Ramanathan, Minority Counsel\n           Julie G. Klein, Minority Professional Staff Member\n                     Laura W. Kilbride, Chief Clerk\n                     Thomas J. Spino, Hearing Clerk\n                     \n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Johnson..............................................     1\n    Senator McCaskill............................................     2\n    Senator Hassan...............................................    15\n    Senator Jones................................................    18\n    Senator Peters...............................................    21\n    Senator Carper...............................................    24\nPrepared statements:\n    Senator Johnson..............................................    35\n    Senator McCaskill............................................    37\n\n                               WITNESSES\n                      Thursday, September 13, 2018\n\nKevin Mandia, Chief Executive Officer, FireEye, Inc..............     4\nCathy Lanier, Senior Vice President of Security, National \n  Football League................................................     6\nScott McBride, Manager, Infrastructure Security Department, Idaho \n  National Laboratory............................................     8\nJennifer Bisceglie, President and Chief Executive Officer, \n  Interos Solutions, Inc.........................................    
10\n\n                     Alphabetical List of Witnesses\n\nBisceglie, Jennifer:\n    Testimony....................................................    10\n    Prepared statement...........................................    57\nLanier, Cathy:\n    Testimony....................................................     6\n    Prepared statement...........................................    46\nMcBride, Scott:\n    Testimony....................................................     8\n    Prepared statement...........................................    51\nMandia, Kevin:\n    Testimony....................................................     4\n    Prepared statement...........................................    40\n\n                                APPENDIX\n\nResponses to post-hearing questions for the Record:\n    Mr. Mandia...................................................    66\n    Ms. Lanier...................................................    72\n\n\n                    EVOLVING THREATS TO THE HOMELAND\n\n                              ----------                              \n\n\n                      THURSDAY, SEPTEMBER 13, 2018\n\n                                     U.S. Senate,  \n                           Committee on Homeland Security  \n                                  and Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10:31 a.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, \nChairman of the Committee, presiding.\n    Present: Senators Johnson, Lankford, McCaskill, Carper, \nPeters, Hassan, Harris, and Jones.\n\n             OPENING STATEMENT OF CHAIRMAN JOHNSON\n\n    Chairman Johnson. Good morning. This hearing will come to \norder. 
I want to thank the witnesses for traveling here, for \ntaking time to write your testimony, and your willingness to \nappear and answer our questions and give us your oral \ntestimony.\n    I will ask that my written statement be entered in the \nrecord.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator Johnson appears in the \nAppendix on page 35.\n---------------------------------------------------------------------------\n    As I was explaining out back or in the ante room, this \nhearing really is borne out of my own personal frustration. I \nhave been here 7\\1/2\\ years, and I cannot remember where this \nphrase was coined, but it is over the last couple of months as \nI have been talking about a number of these issues. We have \nbeen sitting here admiring these problems and just not \neffectively addressing them.\n    So, today, we are not covering all the potential threats. \nWe are going to have our full-fledged threat hearing with the \nFederal Bureau of Investigation (FBI) Director and Secretary of \nthe Department of Homeland Security (DHS) and the head of the \ncounterterrorism group. That will be in a couple weeks.\n    But I wanted to assemble some experts on some of these \nspecific threats that literally could be existential. I do not \nwant to scare people. I am always, to a certain extent, \nreluctant to lay out these threats. I do not want to give \npeople any ideas, but some of these things are just so public \nnow and so obvious in terms of what these problems are.\n    I think it was in March 2015. We had Joe Lieberman and Tom \nRidge here. They developed this blue ribbon study panel on \nbiothreats, and back then, they had a pretty simple suggestion. \nNumber one recommendation was we need somebody in charge. There \nare more than 20-some different appropriations, different \nagencies, and a number of different agencies were doing things. 
\nBut there was nobody in charge of what happens if we actually \nhad a real biothreat and how we would react to that.\n    I would say kind of the same thing is true of cyber. We \nhave Kevin Mandia, a real expert with FireEye, talking about \nthe different types of cyber threats.\n    It is certainly true with drones. We have been trying to \npass a bill--I think we are getting a little bit closer--in \nterms of just giving DHS the same authority to start studying \nhow to counter and some authority to counter drones, like the \nDepartment of Defense (DOD) and the Department of Energy (DOE) \nhas over some of their facilities.\n    But I was shocked. I think most of my colleagues were \nshocked that we do not have the authority to even study, much \nless counter use of drones.\n    We have held multiple hearings on the threats of \nElectromagnetic Pulse (EMP) and Geomagnetic Disturbance (GMD), \nand we have Scott McBride here from the Idaho National \nLaboratory, a real expert on that subject, both EMP and GMD, \nbut also just electric grids in total as relates to potential \ncyberattacks or kinetic attacks as it relates to that.\n    And then we have Jennifer Biscelgie in terms of a strategic \nresource management, in terms of how do we strategically look \nat the threats of our supply chain, which has also come up with \nwhether it is Huawei and Zhongxing Telecommunication Equipment \n(ZTE) and just other threats from that standpoint.\n    So, again, I just want to thank all the witnesses. I am \nlooking for some practical solutions, things that we can \nactually do. We have admired this problem enough. We have \nstudied it enough. We have not produced the strategies, and \nthat is true, but I am actually looking for some concrete \nthings we can take away from this hearing. And maybe if there \nis a law that we have to pass, try and pass that law, but just \ntry and figure out something. 
Let us do something about some of \nthese problems.\n    With that, I will turn it over to our Ranking Member, \nSenator McCaskill.\n\n           OPENING STATEMENT OF SENATOR MCCASKILL\\1\\\n\n    Senator McCaskill. Thank you, Mr. Chairman.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator McCaskill appears in the \nAppendix on page 37.\n---------------------------------------------------------------------------\n    Two days ago marked the 17th anniversary of the September \n11, 2001 (9/11) attacks on this Nation. It is a somber reminder \nof the threats we face and that we must continue to vigilantly \nprotect the country from those who wish to do us harm.\n    In the 17 years since 9/11, Congress and the American \npeople have had spirited debates surrounding the nature of \nthreats to the United States and how best to protect ourselves \nfrom them.\n    A lot has changed over these nearly two decades, but until \nrecently, one component remained constant. Since joining the \nSenate over 30 years ago, my friend and colleague, Senator John \nMcCain, was an integral part of every national security \nconversation that took place in this body. His commitment to \npublic service, his dedication to the defense of our country, \nand his efforts to promote American values were unparalleled.\n    I had the privilege of serving with him on this Committee \nand on the Senate Armed Services Committee. His conviction, \ninsight, and sense of humor will be sorely missed, even his \nincredible temper. John McCain made an indelible mark on the \nsecurity of this Nation, and I will miss him as a colleague and \na partner in addressing these complicated issues.\n    I also welcome Senator Kyl back to the Senate and to this \nCommittee, and I look forward to working with him.\n    The United States has made enormous progress in preventing \nanother 9/11-style attack, but threats to the country remain. 
\nTerrorism continues to evolve as a threat and requires \ninnovative solutions to confront and prevent it.\n    As the United States and the world become more digitally \nconnected and as technology advances at a rapid pace, we have \nnew vulnerabilities. This hearing provides an opportunity for \nthe Committee to focus on some of those concerns and explore \nreal solutions.\n    In 2013, for the first time, then-Director of National \nIntelligence James Clapper prioritized cyber threats above \nterrorism when testifying before Congress. In the years since, \nthe problem has metastasized. The threat of cyberattacks and \ncyber espionage regularly dominate headlines, and with the \nmidterms approaching, election security is obviously of \nparamount concern.\n    This Congress, Senator McCain, as Chairman of the Armed \nServices Committee, created a Cybersecurity Subcommittee on \nwhich I serve, where our focus complements the work of this \nCommittee on identifying cyber threats and strengthening our \nforces and capabilities.\n    One area of focus that I am particularly concerned about is \nSupply Chain Risk Management (SCRM) and specifically the \ninformation technology (IT) and telecommunications supply \nchains within our government agencies and the U.S. \ninfrastructure.\n    This evolving threat can turn a mundane antivirus software \npurchase into an unacceptable risk to our national security. We \nneed to make sure our information technology products and \nservices are safe from infiltration, down to the smallest \ncomponent, and like most national security issues, that \nrequires a strategy and a whole-of-government approach.\n    Supply chain risk management cannot be achieved piecemeal. \nIn this regard, a threat to one agency is likely a threat to \nmany others.\n    In June, Senator Lankford and I introduced the Federal \nAcquisition Supply Chain Security Act to address this critical \nissue. 
Few understand this issue better than some of the \nexperts on this panel.\n    I hope this hearing will provide the Committee, Federal \nagencies, and the public with a better understanding of how to \nsolve this problem.\n    Similarly, this Committee has heard from numerous Cabinet \nofficials and experts in the public and private sectors about \nthreats posed by drones.\n    Chairman Johnson and I introduced legislation that would \nauthorize the Department of Homeland Security and the \nDepartment of Justice (DOJ) to conduct limited counter-drone \noperations for a narrow set of important and prioritized \nmissions. Our bill is just the simple first step in tackling \nthis mounting problem, and we welcome additional thoughts from \nthe witnesses on solutions that might mitigate the threat.\n    I thank the Chairman for holding this hearing and look \nforward to the discussion.\n    Chairman Johnson. Thank you, Senator McCaskill.\n    It is the tradition of this Committee to swear in \nwitnesses, so if you all would stand and raise your right hand. \nDo you swear the testimony you will give before this Committee \nwill be the truth, the whole truth, and nothing but the truth \nso help you, God?\n    Mr. Mandia. I do.\n    Ms. Lanier. I do.\n    Mr. McBride. I do.\n    Ms. Bisceglie. I do.\n    Chairman Johnson. Please be seated.\n    Our first witness is Kevin Mandia. Mr. Mandia is the chief \nexecutive officer (CEO) of FireEye, a leading global \ncybersecurity company. Prior to FireEye, he founded the \ncybersecurity firm Mandiant Corporation. Earlier in his career, \nMr. Mandia served in the United States Air Force as a \ncybercrime investigator. Mr. Mandia.\n\nTESTIMONY OF KEVIN MANDIA,\\1\\ CHIEF EXECUTIVE OFFICER, FIREEYE, \n                              INC.\n\n    Mr. Mandia. Thank you, Mr. Chairman, Ranking Member \nMcCaskill, and other Members of the Committee. 
I appreciate \nthis opportunity to speak to you today about the cyber threats \nfacing our Nation.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Mandia appears in the Appendix on \npage 40.\n---------------------------------------------------------------------------\n    Before I begin discussing these cyber threats, I would like \nto take a moment to extend our condolences to each of you for \nthe loss of your dear friend and colleague, Senator John \nMcCain.\n    In my testimony today, I intend to discuss the cyber \nthreats to our Nation, what they are, what their impact could \nbe, and what we can do about it.\n    I have been working in cybersecurity for over 25 years. As \nthe Senator said, I started my career in the Air Force as a \ncomputer security officer at the Pentagon. Following that, I \nwas a special agent in the Air Force Office of Special \nInvestigations, investigating computer intrusions into our \nmilitary networks, and I have the privilege today to serve as \nthe CEO of FireEye.\n    As I sit here right now, we are responding to dozens of \nbreaches around the world. We have over 300 investigators that \nconduct over 600 investigations every year into what happened \nduring the breach and what to do about it. We have over 100 \nthreat analysis that are in 18 different countries that speak \n32 different languages, actively tracking the threat actors on \na global basis to try to get attribution behind who is doing \nit. And we have over 15,000 sensors that every hour detect \nbetween 50 to 70,000 malicious events. We are the last line of \ndefense for computer security for our customers.\n    We have been seeing the attacks firsthand. We know how the \nattackers are evading our safeguards, and we have witnessed the \nimpact that these attacks have had firsthand as well.\n    Let me begin by sharing three general observations about \nthe cyber threats to the United States. 
First, I believe the \nUnited States is more vulnerable in cyberspace than other \nnations. First, we depend more on the Internet, the \nconnectivity, the technology, and the infrastructure than the \nnations that host the most prevalent cyber attackers, such as \nIran, Russia, China, and North Korea.\n    Second, our critical infrastructure is shared. For the most \npart, it is in the hands of the private sector, and during \ntimes of duress or outright war, if we need to do ``shields \nup'' in a joint defense, we are going to need to cooperate \nbetween the government and the private sector, whereas many \nother nations, some of their critical infrastructure is purely \ngovernment controlled.\n    Third--and it sounds odd, but it is true--that a weakness \nof the United States is in fact in cyberspace, freedom of the \npress, fundamental to our democracies, but it gives attackers \ntwo advantages that we simply do not have if we reciprocated \nthose types of attacks on closed societies.\n    First, influence operations can be conducted in the United \nStates with greater efficacy than in a closed society. Second, \nthe ability to attack an organization or an individual, steal \ntheir information, and threaten to publish it online in any \ncapacity; or to threaten or hold their information hostage is \nan invasion on our privacy. It allows folks to leverage our \ncitizens in ways that closed societies do not need to worry \nabout as much.\n    The second observation I would like to make is that a lot \nof people talk about Pearl Harbor scenarios against the Nation \nin cyberspace. I think what is going to be more likely is what \nwe refer to internally at FireEye as ``cyber trench warfare.'' \nI want to talk about some of the ingredients for cyber trench \nwarfare.\n    The first characteristic is that it is going to be \nconducted below the threshold that would elicit an aggressive \nresponse by the United States. It will be low and slow. 
It will \nendure, but it will slowly erode our willingness to combat it \nover time. Second, the campaigns will be long term. Third, \nthese campaigns are going to go after, in my opinion, the \nsofter targets. A lot of people think that critical \ninfrastructure in the military will be target number one if we \nhave a modern war. In fact, it may very well be the softer \ntargets, small municipalities, health care, small elementary \nschools, the small businesses that make the fabric of our daily \nbusinesses run. Those will be the soft targets that are in fact \nattacked, and in aggregate, if all the soft targets in this \ncountry succumb to a destructive attack, the impact and \nconsequence can be pretty grave.\n    The last general observation that would happen during any \ncyber conflict against the United States, is what I describe as \na butterfly effect, and it works two ways. Whenever there is a \ncyberattack, when somebody takes the gloves off and escalates \nin cyberspace, even the perpetrators are not fully aware of \nwhat the impact of these attacks will be. If somebody launches \nan indiscriminate, destructive attack on our Nation, they do \nnot know what unintended consequences can happen from that.\n    But I do know this. We have not been able to predict it \neither, and imagine if the U.S. Senate came offline for a day \nor two from the Internet, what would happen? Would you be able \nto get into the parking garage? Would you be able to even make \na phone call from your desk? Would you be able to buy lunch in \nthe cafeteria downstairs? It has a lot of unintended \nconsequences that people have not predicted in the past.\n    So what do we do about it? The threats to our Nation are \ngrowing. I gave you some high-level observations about this, \nbut by establishing a system where the private and public \nsectors work together, we practice together. That is key. We \npractice together doing dry runs, and we proactively use threat \nintelligence. 
We can create a learning system. We are getting \nbetter every day, but we can accelerate getting better at a \nfaster rate.\n    And, last, we need to explore international rules of \nengagement and hold threat actors accountable. Right now, the \nkey word is ``deterrence.'' Do we have a deterrence against \ncyber-threat actors against our Nation? What can we do about \nthat?\n    If we find a way to have some diplomatic treaties or \nagreements with other nations that are launching these attacks, \nthe United States and the daily lives of our citizens will be \nbetter safeguarded.\n    Thank you, Mr. Chairman.\n    Chairman Johnson. Thank you, Mr. Mandia.\n    Our next witness is Cathy Lanier. Ms. Lanier is the senior \nvice president of Security for the National Football League \n(NFL). She previously served as the Chief of the Metropolitan \nPolice Department of the District of Columbia. Ms. Lanier.\n\n    TESTIMONY OF CATHY LANIER,\\1\\ SENIOR VICE PRESIDENT OF \n               SECURITY, NATIONAL FOOTBALL LEAGUE\n\n    Ms. Lanier. Hi. Good morning, Chairman Johnson and Senator \nMcCaskill. How are you? Members of the Committee. Thank you \nagain for the opportunity to testify here today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Lanier appears in the Appendix on \npage 46.\n---------------------------------------------------------------------------\n    As requested, I will focus my testimony on the threat posed \nby malicious drones at major sporting events.\n    At the NFL, we have observed a dramatic increase in the \nnumber of threats, incidents, and incursions by drones. Fewer \nthan 10 miles from here, a drone flew over FedEx Field during \npregame activities for a Monday Night Football game, violating \nWashington's national security airspace and the airspace \nrestrictions of the NFL game.\n    The NFL is not alone. 
For example, in 2017, a drone crashed \ninto the stands of a Major League Baseball game between the \nPadres and the Diamondbacks.\n    A 2017 incident involving two NFL stadiums dramatically \ndemonstrates this threat. During a San Francisco 49ers game, \nthe stadium security director at Levi's Stadium called me and \nalerted me that a drone had just dropped leaflets over the \nseating bowl. I warned the other teams, so when the operator \nsought to fly a drone over nearby Oakland Coliseum, local law \nenforcement was ready for them. They were able to quickly \nidentify the operator and arrest him.\n    We are all very fortunate that the drone over Levi's \nStadium dropped just leaflets. Drones today are capable of \ninflicting much greater damage.\n    As the Committee knows, various threat assessments have \nrecognized that large gatherings of people are enticing targets \nfor malicious actors.\n    The Federal Aviation Administration (FAA) and Congress have \ntherefore imposed flight restrictions on the airspace above \nlarge sporting events. The FAA first established these \nrestrictions after 9/11, and Congress subsequently strengthened \nand codified those requirements.\n    The current temporary flight restrictions prohibits \naircraft over NFL games, Major League Baseball games, National \nCollegiate Athletic Association (NCAA) Division One football \ngames, and major motor speedway events such as National \nAssociation for Stock Car Auto Racing (NASCAR). These flight \nrestrictions have largely worked as intended, keeping \ncommercial and civil aircraft away from stadiums during games. \nDrones, however, present an entirely different challenge that \nneeds an appropriate legislative response.\n    Drones can be acquired easily and cheaply. 
They are often \nused by unlicensed individuals, with no awareness of airspace \nrules, flight restrictions, or many other regulatory \nrequirements related to aircraft.\n    Stopping drones is currently extremely challenging. Drones \nare small and portable. They can be launched quickly and very \nclose to a stadium from an adjacent parking lot. Several \nstadium security directors have told me that they are regularly \napproached by vendors selling counter-drone equipment. They \nknow that using such devices are illegal.\n    The current State of law, however, leaves security \nofficials with an unenviable choice: Procure the equipment \nwhose use would be illegal, or remain unequipped to respond to \na security threat that can endanger tens of thousands of \npeople.\n    The NFL, therefore, supports the development of new \napproaches to drones. We support the FAA's remote \nidentification effort. We support revising the hobbyist \nexemption, which currently permits far too many drones to be \nflown by far too many unlicensed and untrained pilots.\n    Further, we support the aim of your legislation to extend \ndrone interdicting authority to DOJ and DHS. Your bill is an \nimportant step forward.\n    In particular, the bill permits State officials to request \nFederal support for local law enforcement efforts. 
The bill \ncorrectly recognizes that local law enforcement officers are \nprimarily responsible for security at locations where drones \npresent risks such as NFL games.\n    Although this provision permits local officials to request \nFederal assistance, there is not enough Federal resources to \nprovide security at all the events that need protection, \nincluding the 256 NFL games in a season.\n    The NFL, therefore, strongly encourages Congress to \nconsider additional reforms that would provide authorities to \nlocal law enforcement officers to detect and intercept drones \nthat pose a threat to major sporting events like our NFL games.\n    The NFL looks forward to continuing to work with Congress, \nthe FAA, and others on our shared goal of ensuring the safety \nand security of our players, coaches, fans, and staff that \nattend our games.\n    Thank you so much for the opportunity to be here today. I \nappreciate your time.\n    Chairman Johnson. Thank you, Ms. Lanier.\n    Next witness is Scott McBride. Mr. McBride is the \nInfrastructure Security Department manager within the National \nand Homeland Security Infrastructure Protection Department at \nIdaho National Laboratory. Mr. McBride directs power systems \nengineering projects for the lab's clients, including the \nDepartment of Energy and Department of Defense. Mr. McBride.\n\nTESTIMONY OF SCOTT MCBRIDE,\\1\\ MANAGER, INFRASTRUCTURE SECURITY \n             DEPARTMENT, IDAHO NATIONAL LABORATORY\n\n    Mr. McBride. Thank you, Chairman Johnson, Ranking Member \nMcCaskill, and distinguished Members of the Committee for \nholding this hearing and inviting Idaho National Laboratory's \ntestimony on the potential threat of geomagnetic disturbance \nand electromagnetic pulse to the U.S. power grid.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. 
McBride appears in the Appendix \non page 51.\n---------------------------------------------------------------------------\n    At Idaho Nation Laboratory, I manage power system projects, \nindustrial control system security to secure critical \ninfrastructure throughout our Nation, with a primary focus on \nthe energy grid.\n    As the U.S. electric power grid incorporates new digital \ntechnology with decades-old infrastructure, the grid is \nbecoming vulnerable to GMD and EMP events, whether the EMP \nsource is from nuclear or non-nuclear sources. We have \ndeveloped a fairly robust understanding of the scientific \nprinciples of the damaging waveforms associated with GMD that \nenables us to predict effects and design protections to \nmitigate those effects.\n    Initial experiments have been completed, and models are \nbeginning to emerge that assist us in better understanding and \ncharacterizing effects and impacts from the individual waveform \nspecifically associated with an electromagnetic pulse.\n    Research and testing of the interdependent effects of the \ncombined three waveforms on our grid's individual components \nand interconnected infrastructure is an uncharacterized field \nof study that needs further exploration and discovery.\n    There are ways the United States may improve its \nunderstanding of the extent of the vulnerability and reduce or \neliminate consequences of GMD and EMP events.\n    In addressing this need, the Department of Energy recently \ntasked the National Laboratories to develop a report that \nupdates the extent of our current scientific understanding of \nthe effects of EMP on the electric power grid. 
Pending this \nreport's publication, significant progress for GMD and EMP grid \nprotection can be made by pursuing four concurrent paths.\n    The first adopts EMP hardened transformer neutral blocking \ndevices designed to provide automatic protection for \ntransformers against GMD events to prevent harmonic generation, \nreduce reactive power demand, and reduce voltage collapse.\n    The second defines the EMP threat environment, including \nresearch coupled currents and voltages for transmission and \ndistribution lines, in support of developing an informed all-\nhazards protective strategy.\n    The third conducts a series of scaled experiments on a \nvariety of grid components and restoration assets to \nunderstand, predict, and measure the impacts of EMP events on \nunprotected systems as well as the effectiveness of protective \noptions.\n    The fourth identifies the prioritized infrastructure that \ncan lead to a most effective and impactful set of actions that \nwill harden the grid and enable reliable black-start processes.\n    Following this research path with appropriate and \ncoordinated government and industry partnerships can lead to a \nset of effective hardness and protective measures for GMD and \nEMP events that add quantifiable, cost-effective resiliency to \nthe power grid.\n    Current gaps in knowledge suggest that the experiments of \nhighest priority would include assessing the damage from \nintegration of the propagating electromagnetic radiation \neffects to grid assets directly connected to long power lines, \nantennas, and communication and data lines; measuring \neffectiveness of shielding, including nonconductive critical \ncommunication fiber-optic cables, well-grounded equipment \nracks, and shielded buildings, such as power grid control \ncenters; determining the effectiveness of developmental \ntechnologies for transient voltage surge suppression; and \nfinally, exercising high-voltage system operations and \nprocesses for 
critical systems spares replacement, restoration \nprocedures, and recovery processes.\n    This research will have the most benefit if the results are \nconcurrently shared with stakeholders who are developing \npriorities for more research that can be utilized to enhance \npredictive models and provide stakeholders with the sound \ntechnical basis for standards and regulatory guidance. While it \nmay not be plausible to protect all assets, careful \nprioritization of the research and implementation of \nprotections can enable critical portions of the grid to survive \nor at least be rapidly restored following a GMD or EMP event.\n    Cooperation between government and industry can accelerate \nfull implementation of a protection strategy through a greater \ntechnical understanding of GMD and EMP threat characteristics \nand system effects.\n    Thank you.\n    Chairman Johnson. Thank you, Mr. McBride.\n    Our final witness is Jennifer Bisceglie. Close enough. You \ncan tell us what it is. [Laughter.]\n    Ms. Bisceglie is the president and CEO of Interos \nSolutions, Inc., which assists public and commercial sector \ncustomers with supply chain and vendor risk management. Ms. \nBisceglie was named the AT&T Innovator of the Year in 2015.\n\n    TESTIMONY OF JENNIFER BISCEGLIE,\\1\\ PRESIDENT AND CHIEF \n           EXECUTIVE OFFICER, INTEROS SOLUTIONS, INC.\n\n    Ms. Bisceglie. Chairman Johnson, Ranking Member McCaskill, \nand Members of the Committee, thank you for the invitation and \nthe opportunity to speak with you today on the underappreciated \nthreats to the homeland that, if not mitigated, could \nsignificantly damage the Nation's critical infrastructure and/\nor disrupt people's lives, especially as it relates to the \nglobal supply chain and the use of information and \ncommunications technology (ICT).\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. 
Bisceglie appears in the Appendix \non page 57\n---------------------------------------------------------------------------\n    By way of introduction, Interos is a company I founded over \n13 years ago to evaluate the risks in the global economy and \nour business partnerships, alliances, and distribution networks \nthat comprise our supply chains.\n    The company is built on my over 25 years in the global \nsupply chain industry, having helped multiple U.S.-based \ncompanies create maximum advantage from different skillsets, \nlabor pools, and competitive business arrangements with \npartners around the world.\n    During those years, I have watched risk concerns in the \nsupply chain move from quality to physical security to \nresiliency and now product integrity and the role of the \ndigital connection or cyber.\n    Published in April of this year, Interos' report for the \nU.S.-China Economic and Security Review Commission for supply \nchain vulnerabilities when sourcing technology specifically \nfrom China and using that technology in the U.S. Federal IT \nnetworks stressed several solutions, the most important being \nthat the United States establish a national strategy for supply \nchain risk management in U.S. ICT with supporting policies, so \nthat the Nation's security posture is forward-leaning versus \nreactive and based on incident response.\n    Our adversaries are very public about executing a strategy \nagainst us. The time has come for us to stand strong and \nvisibly protect ourselves.\n    In my submitted testimony, I spoke to six areas that are \ndirectly related to today's hearing. 
I will be summarizing them \nhere for this briefing, with focus on three, and I have been \nmassively updating the last one based on your pep talk--and \nthen open the remaining time for any questions you have.\n    Before addressing the specific areas of the report, I would \nlike to stress that whether it is 5G or blockchain, the \nInternet of Things (IOT), or any other emerging technology or \ntechnological threat, an underlying foundation for security, \nboth physical and digital, is an understanding of who the \nstakeholders are, where your vulnerabilities lie, and having a \nstrategy for managing those associated risks.\n    The solution cannot solely be focused on the latest tools \nand technologies. Cultures need to change. The money needs to \nbe spent to educate people on their role in traditional risk \nmanagement.\n    Given our position in the market, my company has had the \nopportunity to work with public and private sector \norganizations, spanning multiple industry verticals. In the \ngovernment, we have worked with Defense Intelligence Agency \n(DIA), National Security Agency (NSA), several Office of the \nSecretary of Defense (OSD) members, the General Services \nAdministration (GSA), Social Security Administration (SSA), \nFederal Deposit Insurance Corporation (FDIC), Department of \nEnergy, and the National Nuclear Security Administration \n(NNSA).\n    In the private sector, we have worked with manufacturers, \nthe financial institutions, utilities, and others, and the \nsituation is always the same. 
If the organization does not take \na focused and comprehensive approach to risk management \nprioritized by senior leadership, there will be unnecessary \nexposure and invariably negative impact.\n    We would also like to stress that the supply chain attacks \nwill continue to become easier, more prevalent and more \nthreatening as emerging technologies, such as the one I \nmentioned earlier with 5G, the Internet of Things, and others \nincrease the attack surface exponentially.\n    As a point of clarification, just briefly, you will hear \nthe term SCRM a lot.\n    Very quickly in the time that I have left, how reliant is \nthe U.S. Government and U.S. IT firms specifically on China \nfirms and Chinese-made IT products and services? The answers \nvary. Over 95 percent of our electronic components and IT \nsystems supporting the U.S. Federal IT networks and commercial \noff-the-shelf products come from China. They have done this on \npurpose. It is an economic movement, and that is just where all \nthe sourcing comes from.\n    Number two, to assess the government success in managing \nthese risks associated with the sensitive country firms and \nsensitive country-made products, in short, there is very little \nsystemic success, and that is part of the reason we are having \nthis conversation today.\n    And I think the last part is what steps should we take, and \nthis goes back to the conversation earlier. I have changed my \ncomments. They will align with what I submitted, but six very \nspecific things, if I were to leave this room today, the first \nis--and the act that we talked about earlier brought it up--a \nsingle whole-of-government approach that the Department of \nDefense and other agencies cannot self-elect out of. 
We are all \nusing the same suppliers, and there has to be some sort of \nexception management process because things do pop up, but \nthere really just needs to be a single risk-management approach \nfor the government.\n    There really needs to be somebody in charge, and the person \nneeds to report to the head of the agency. And it cannot be a \npolitical person. This is not a political problem. It is a \nbusiness problem. We cannot keep changing people as the \nAdministration changes. You are never going to get ahead of it.\n    The third, you need to have a line item resource for the \nagencies to use. Right now, the way that this is managed across \nthe intelligence community (IC), the DOD, and the civilian \nagencies, it is robbing Peter to pay Paul. There is no money \nassociated to supply chain risk management in the agencies.\n    The fourth--and the act does talk on this--is a real \npartnership with industry. We need to fix the Federal \nAcquisition Regulation (FAR). We need to fix the Defense \nFederal Acquisition Regulations (DFARs), the Defense Enrollment \nEligibility Reporting System (DEERS), and any other acquisition \nstrategy we have in the government. The National Institute of \nStandards and Technology (NIST) has a role, but it is as an \nevangelist and a supporter. They are not a leader in this \nconversation. They do not dictate how business operates. This \nis a business problem.\n    The second to last is metrics on the impact, not just \nactivity, not just how much money did we spend or what are we \ndoing, but specifically what mitigations, what problems with \nmitigations and how did we share that information to get better \nas the whole of government. And I think, again, the act can \nhelp with that.\n    And then the last part is not to overclassify this problem. 
\nThat is a problem I run into in every agency, and the thing \nthat we have to remember is that this is a global business and \neconomic issue, and every time we overclassify it, we reduce \nthe amount of people that can have an impact on solving the \nproblem.\n    So, with that, I will turn it back. Thank you.\n    Chairman Johnson. Thank you.\n    I am going to reserve my time out of respect for my \ncolleagues' time, but one of the big problems in just about \nevery one of these situations is the complexity of the problem. \nThe expert witnesses, you speak in language that laymen do not \nunderstand. Again, I really appreciate your expertise, and we \nneed it in your written testimony, to answer our questions, if \nyou could, as much as possible try and convey this in layman's \nterms. It would be very helpful.\n    One of the analogies I use is I am old enough to remember \n``Gilligan's Island,'' and on this island, most of us are \nGilligans. Not too many professors know how to turn a coconut \ninto a battery.\n    I do not care whether it is cyber, whether it is EMP, \nwhether it is encountering drones. This is incredibly complex \ntechnology and just science, and that is part of the problem \nthe government has in dealing with these problems, is nobody \nunderstands it in the agencies or in Congress. So that is a \nhurdle I am just really not quite sure how we are going to ever \novercome.\n    But, with that, I will turn it over to Senator McCaskill.\n    Senator McCaskill. I want to talk a minute about supply \nchain. I would like your take on this, Ms. Bisceglie and even \nMr. Mandia.\n    I read in the morning paper and what really concerned me is \nthe conflict we have going on now in Turkey. We reached out to \neight nations to help us build the F-35, including Turkey. 
\nTurkey is building--a cockpit display--is one of their \ncompanies, defense contractors, and a center fuselage.\n    Well, now we have Erdogan in disagreement with the United \nStates. So he has now decided he is going to go buy the Russian \nair defense system, S-400 from Russia, instead of working with \nus to acquire the Patriot.\n    So now we have this bizarre situation; Russia, who we know \nhas conducted cyber warfare against our country, is beginning \nto put an air defense system in the same country that is \nbuilding the cockpit displays and the center fuselage on our \nnext generation fighter pilot.\n    Should I be worried about this? Ms. Bisceglie.\n    [Speaking off microphone.]\n    Senator McCaskill. Absolutely.\n    Ms. Bisceglie. We are actually talking to the F-35 program \nas well.\n    And back to the Senator's comment, to me--and maybe I am \nvery simple about this, but this--again, it is a business \nproblem. And so we are actually working with a very large \ntechnology company right now around prototyping, and I will \nbring it back to exactly what you asked about, but the whole \nidea is getting out of the fact that we are in a world that \nthere is only a single source of supply. There is not.\n    There is either other companies that can be competitive \nthat are today competitive or other companies that if we put \nresearch and development (R&D) dollars into them could be \ncompetitive. 
So they do the 75 percent solution; they need the \n25 percent to develop.\n    And so with this technology company, that is literally what \nwe are doing around prototyping, is figuring out what are the \nproducts and the components and the software that they are \ngoing to need in the near and the long term, and how do we look \nglobally at where suppliers exist in the world in places that \nmaybe we do not want to deal with and we do have to deal with \nthem because of cost, because of time that I need that product \nor service, or other places in the world that are a bit more \nfriendly to how I do business? And then I can start developing \nit, so I have multiple sources of supply. So I do not have a \nsituation that you are talking about right now.\n    Senator McCaskill. Except the problem is with this, the \nreason they did this is they wanted to bring down the cost by \nhaving more orders.\n    Ms. Bisceglie. Right.\n    Senator McCaskill. So this was a quid pro quo. We are going \nto give you pieces of the production in return for an order for \n100 F-35s because the more we build, the cheaper they get.\n    So that to me is the challenge here, is that we are doing \nbusiness with a very sensitive part in an incredibly important \nweapon system with a country that is now playing footsie with \nour cyber enemy.\n    Ms. Bisceglie. Right. I think it goes back to my comments \nearlier, and again, ma'am, maybe I am doing this too simply, \nbut to me, this is very much a business situation and it is \nrisk management that says I am willing to deal with that \nsensitive country because of cost or I am going to pay a little \nbit over here, more over here, because I do not want to deal \nwith that country. And if we could get out of the politics, \nunderstanding that is part of risk management----\n    Senator McCaskill. Right.\n    Ms. Bisceglie [continuing]. And say, ``You know what? 
I am \nwilling to accept this risk over here, and I am going to \nmitigate more on my side,'' that is a risk management approach.\n    What you are talking about is exactly the conversations we \nare not having. We are just saying ``China bad'' or ``Turkey \nbad,'' and that is just not the world we live in.\n    The more that our leadership that is actually involved in \nthese programs is focused on this is what I can deal with from \na risk standpoint and this is what I cannot and focus on \nrequirements, I honestly think that--businesses have been doing \nthis forever. This is really how business is done. We cannot \nget excited over the political aspect. I actually think that is \nto our detriment.\n    Senator McCaskill. Well, business and the Pentagon are \nsometimes two mutually exclusive concepts----\n    Ms. Bisceglie. Yes, ma'am.\n    Senator McCaskill [continuing]. Let me just say, having \ndone a lot of work on contracting in the Pentagon.\n    Do you have anything you would like to add to that, Mr. \nMandia?\n    Mr. Mandia. Yes. I think at the highest level of \nabstraction, Senator, economics follows geopolitical \nconditions. Cyberattacks are directly linked to geopolitical \nconditions. Security is related to it.\n    When I listened to what you were saying, it dawned on me \nthat the exact same challenges we have with Turkey building \nvery important components and essential components to anything, \nwe have the same problem here in the United States. We have \nsmall companies that cannot protect themselves in cyberspace----\n    Senator McCaskill. Right.\n    Mr. Mandia [continuing]. But they are building mission-\ncritical systems.\n    Senator McCaskill. Exactly.\n    Mr. Mandia. So, obviously, as part of the process, we have \nto build security in it and checks and balances into the \nprocess, regardless of where construction and where the supply \nchain resides.\n    Senator McCaskill. 
Have either one of you had a chance to \nlook at the supply chain risk management bill that Senator \nLankford and I have introduced? It is very similar to a \nproposal the White House has made. Is there any input you would \nlike to have on that legislation?\n    Ms. Bisceglie. So I have, and actually, if I had kept to my \noriginal comments, I think it is a very good start.\n    I think when I first heard about it, it heartened me, \nhaving been in this industry for so long, that we have raised \nthe visibility up to this level.\n    I think that my comments--and I have been asked to submit \nas well--is that from an implementation standpoint--and I \nunderstand it is the first time we have gotten the conversation \nto this level--I still do not think we have enough industry and \nbusiness involvement because, at the end of the day, that is \nwho is actually going to execute against it.\n    So the players that are included in that bill are all the \nnormal players from a government standpoint, but I would like \nto see more direct industry involvement, which is not \nnecessarily just through trade associations, but specialties in \ndifferent industry sectors, which I think from an \nimplementation standpoint will make it more impactful from an \nimplementation as well as reduce the cost.\n    Senator McCaskill. I am going to turn to another subject \nnow. If you have anything else on this, Mr. Mandia, I would \nsure like you to submit it.\n    So what happens if the folks at Busch Stadium in St. Louis \nget information that there is going to be a drone incursion, \nand that their sources tell them--maybe it is the St. Louis \npolice department--that it is an armed drone.\n    So if that were to occur today, what would happen to the \nCardinal organization if they took it down? What penalties \nwould lie against the Cardinal security operation if they \nactually took down that drone?\n    Ms. Lanier. So it would depend. 
First of all, we typically \nwould not get intelligence or information that a drone is \nincoming, but if we did and if there was mitigation or \ninterception technology available and that was used as one of \nseveral different types of technologies, it would be illegal \nfor them to use that to take that drone down.\n    Senator McCaskill. What would happen to them? What are the \npenalties? Do you know?\n    Ms. Lanier. I cannot tell you the penalties. It just \ndepends on which type of----\n    Senator McCaskill. Well, can I just tell you that I will \nrepresent them for free if they take it down?\n    Ms. Lanier. I will pass that along.\n    Senator McCaskill. Ultimately at the end of our processes \nin law, there is a jury, and juries are very good about \nweighing the facts. If you let juries decide things, they \nvery--I mean, not that they do not make mistakes, but a jury in \nthat circumstance, I can assure you would apply common sense \nand say this was a matter of risk management, and what they did \nwas the right thing.\n    We are going to rush to get something done. We are trying \nto get something done that would give people the authority to \ntake action in those circumstances, but it scares the bejesus \nout of me that----\n    Ms. Lanier. Unfortunately, this is a discussion that is \ngoing on, and it should not have to go on. You have people that \nwant to make sure they are providing adequate security and \nsafety for 70 or 80,000 people, and they want to do the right \nthing. Nobody wants to be at odds with the law under any \ncircumstance.\n    Senator McCaskill. Right.\n    Ms. Lanier. So that is the discussion that goes on, quite \nhonestly.\n    Senator McCaskill. Well, I just think that, obviously, if \nyou are faced with a dilemma of the unknown being harm to \nthousands of people versus the unknown of what happens to us if \nwe do it, I just want to encourage them to use common sense.\n    Chairman Johnson. 
Of course, one of the problems right now \nis DHS does not even have the authority to study how to knock \nthat thing down. It is a problem.\n    Again, if they knock down malign drones, my guess, the jury \nwould rule correctly. The problem is, What if they knocked down \nthe wrong one in good faith? Then they would have greater \nliability, and that is what we are trying to give. We are \ntrying to give them the liability against that type of event. \nSenator Hassan.\n\n              OPENING STATEMENT OF SENATOR HASSAN\n\n    Senator Hassan. Thank you, Mr. Chair and Ranking Member \nMcCaskill, and add me to the group that would call for the \napplication of common sense here when it comes to protecting \npeople at large events.\n    I wanted to focus with you, Mr. Mandia, on some of the \nissues that come up with small vendors and cyber threats. In \nyour testimony, you spoke about the challenges that smaller \ncompanies and organizations face from cyber threats. In \nparticular, you pointed out that their vulnerabilities not only \nthreaten their operations but their partners, their customers, \ntheir suppliers, and ultimately our country's economy.\n    Your point underscores the importance of making sure that \nthe Federal Government does all it can to help protect these \nsmall companies and service providers.\n    Last spring, DHS revealed that Russia targeted several \nsmall vendors through a cyberattack to gain access to our \nelectric grid. DHS reported that many of these vendors lack the \nresources or dedicated cybersecurity professionals to detect \nand prevent these kinds of intrusions. 
It does not seem \nreasonable to me to expect companies with only a few staff and \nmaybe one full-time IT professional to be able to defend \nagainst the fully offensive cyber capabilities of State-level \ncyber actors like Russia.\n    What should be DHS's role in helping to secure these \ncompanies, and what sort of resources should we be considering \nin order to achieve some degree of defense against State-level \nhacking?\n    Mr. Mandia. You have to take this in a couple parts. Great \nquestion, one of great concern to many people.\n    First and foremost, if all we do is play defense, if we are \nup against Russia, we are up against Wayne Gretzky on a penalty \nshot, and we have a bunch of goalies out there, where if they \nget unlimited penalty shots, they are going to put the puck in \nthe net.\n    What I have observed in the private sector in practice is \nthe bigs are helping secure the ``smalls'' and taking on some \nof the burden of doing that, but we cannot win if all we do is \nfocus on defense, defense, defense. And that is why we need to \nhave imposed risks and consequences to those who do it, which \nmeans we have to get attribution rights support the technical \nassets, the human assets, the international cooperation so that \nwe know who is doing these attacks----\n    Senator Hassan. Right.\n    Mr. Mandia [continuing]. So we can at least weigh a \nproportional response to it.\n    But when we also look at it, we have to take it in bite \nsizes. We cannot secure every company overnight, all the \n``smalls''. You have to start with the ones in the critical \ninfrastructures, and I believe if you can secure the ``bigs'' \nfirst, the ``bigs'' will help you secure the ``smalls'', and \nyou start with the utilities. You start with health care. You \nstart with communications. And you work that way.\n    I think you have to take it industry by industry. 
If you \nprotect the company, then you can protect the industry, and if \nyou protect certain industries, you can protect the Nation.\n    There are three ways to slice it, but we are certainly \ngoing to need some deterrence to come to the table.\n    Senator Hassan. Well, I thank you for that response, and we \nwill likely follow up with you on it some more.\n    I wanted to move now to the issue of Federal network \nsecurity. According to your testimony, FireEye has worked \nclosely with DHS and dozens of civilian and Federal agencies to \nprovide these agencies with the capabilities needed to achieve \na baseline of security against cyber threats.\n    As we see increasingly more sophisticated and diverse \ncyberattacks, DHS's role in helping to protect Federal agencies \nand the dot-gov domain from cyber intrusion will become all the \nmore important.\n    To that end, DHS has endeavored to strengthen the tools and \ncapabilities it provides to Federal agencies to protect \nthemselves, including the maturation of its two signature \nprograms, the EINSTEIN Program and the Continuous Diagnosis and \nMitigation Program. Can you please talk to us about the value \nof these programs in enhancing Federal network security and how \nthey may need to evolve in order to keep pace with a really \ndiverse and ever changing threat, a cyber-threat environment?\n    Mr. Mandia. Yes, I can, and I will make it brief.\n    You have to start somewhere. I was a big proponent of the \nEINSTEIN stack because it sets the floor of how good you are, \nand you know what you are working with. If you can have a \nreferenced architecture, it is easier to manage.\n    We have a shortage of security professionals. You do not \nwant to learn 180 different products. You need to keep it down \nto the five to eight that are best of breed at that moment, but \nyou also have to create a learning system. 
And that is where \nthe intelligence comes in.\n    At the highest level of abstraction, I have been working \nwith the government since 1993 in cybersecurity. We are getting \nbetter every year, so that is the good news.\n    Senator Hassan. Yes. Well, thank you for that.\n    Let me follow up with one last topic on the issue of \ncybersecurity generally, which is something you have talked \nabout, cyber resiliency.\n    You mentioned it in your testimony that one of the best \nways to counter the threat of a crippling cyberattack is to \nmitigate the effects of such an attack through strengthening \nprivate and public sector cyber resilience.\n    You gave the example of how an Alaskan-based company worked \nto survive a ransomware attack by reverting to typewriters and \nhandwritten notes to maintain daily operations.\n    While I was Governor, we worked to develop continuity of \noperations plans for our State agencies and government, and \nthat included considering how to access data and how we would \noperate without technology.\n    Obviously, in an ideal world, we want to avoid bringing out \ncarbon paper again, right? But can you help us identify the \nbest ways to achieve effective cyber resiliency? What sort of \nmechanism and incentives would need to be put in place to \nencourage the private sector to develop this kind of \nresiliency, and what can the U.S. Government's role be in \nhelping to achieve baseline cyber resiliency?\n    Mr. Mandia. Yes. I think it is a great question.\n    Bottom line is live fire drills. The only way you are ever \ngoing to get better at something is if you force the issue, and \nyou keep it--maybe it is utilities and energy first, health \ncare, telecommunications. Financial services are pretty good on \ntheir own.\n    But if you think about it, if the gloves came off in a \nmodern warfare today, what are the two top targets? It is going \nto be energy; it is going to be telecommunications. 
And that is \nwhere they are mostly in the hands of the private sector. So \nyou have to do a joint drill, and they already are doing this, \nbut it is the only way to get the unvarnished truth that every \nCEO is operating on. We are as secure as we can get. Even CEOs \nwant the live fire drills, and the red teaming exercise to see \nwhat can happen. Then if you coordinate it, it would be a 1-day \nor 2-day event every year, where you had the private sector and \npublic sector do a joint drill, that simple, and that will give \nus both, A, how good are we to get the unvarnished truth, and \nB, so what do we do and how do we operate through it. We will \nlearn a lot just by practicing.\n    Senator Hassan. Well, I thank you for that answer, and I \nthink it also speaks to the need not only to prioritize it in \nconcept, but prioritize it in terms of resources because in my \nexperience, if you do not assign that kind of coordination and \npractice as a priority and devote resources to it, it always \ngets pushed aside with the urgency of everyday operations. And \nso we need to really focus on it.\n    I thank you for your expertise and your help.\n    Chairman Johnson. Senator Jones.\n\n               OPENING STATEMENT OF SENATOR JONES\n\n    Senator Jones. Thank you, Mr. Chairman, and thank you to \nall the witnesses for being here today. It is really \ninformative for us.\n    Ms. Bisceglie, I would like to ask you a little bit more \nabout the supply chain.\n    I had lunch with a friend of mine in Mobile the other day \nwhose company ships all over the world. They are in ports all \nover. We talk about the supply chain. We talk about infecting \nthe supplies and those kind of things, as Ranking Member \nMcCaskill said a minute ago. But to me, it is also a problem \nwith the shippers, that those could get hacked. 
And you divert \nor either destroy shipments going across, and I would like for \nyou to address that just a moment because the public-private \npartnerships seems to me very important with folks like that to \nbe able to work with the government to try to minimize those \npotential attacks. I would like you to address that.\n    Also, when you were giving us your list of things to be \ndone, you warned against overclassifying the problem, and I \nwould like for you to just dive into that just a little bit \nmore for the record to explain what you meant by \noverclassifying which I think government often tends to do.\n    Ms. Bisceglie. Thank you for both those questions.\n    So your point about the delivery mechanisms, to me, that is \npart of the supply chain. When we talk in the industry, we talk \nabout sub-tiers, and it is one thing I do not think, to the \npoint you are making--in the government, we are not thinking \nthat way yet, so again, back to the act that is being created--\nthe bill that is out there.\n    The more that we start talking about all of the levels of \nthe supply chain, which is not just the people producing widgets \nbut how those widgets move to the next step, I think it is \nincredibly important. And when you talk about widgets moving to \nthe next step--and I do not care if that is software or \nhardware--that is the physical delivery, so the boats and \ntrains and automobiles and all the people involved in that. It \nis the electronic. It is the blockchain updates. It is the \nElectronic Data Interchange (EDI). It is however you are \nsending that information, open source software, but it is all \nof those mechanisms.\n    So if I were to just take a quick example, if I was to make \nthis pen, so I am the holder of the pen, somebody behind me \ncobbled that together. I bought it at Staples. Somebody behind \nStaples cobbled it together. Then you explode the pieces, and \nin between all of those it was mailed, right? 
Was it put on a \ntruck? And who are all those people? Humans involved in all of \nthat. To me, that is the multi-tiered supply chain.\n    We do visualizations of those types of relationships at \nInteros in my company, and we just did this for one of the \ntop banks, the top 10 banks in the country. And when they saw \nhow interconnected they were with their suppliers--and not just \nwho they thought they were directly connected to, but how that \nsame company was actually a tier 2 and a tier 3 and, to your \npoint, delivery partners, they had no idea.\n    So, to me, the more that we as a government partner with \nindustry and think of all of the sub-tiers and all of the hands \nthat touch it, that is really the only way to solve this \nproblem. So it is expanding that definition.\n    The second thing on the overclassifying is that we do this \nbecause we do not understand, and part of what we do not \nunderstand is that this is a business problem that needs to be \nsolved. And the second piece is that most businesses do not \nhave the clearances because they do not need the clearances to \nactually get the job done.\n    Back to the Senator's point, the more that we can kind of \ndumb this down and talk about it just business to business, put \nit into requirements, and so the Senator's point, a lot of the \nsmall and medium size businesses, the more you put these things \ninto requirements and say as part of your contract, you have to \ndo X, Y, Z, the better off we are going to be. And \nclassification does not come into that.\n    Most of the people that actually have to take actions and \nprovide solutions do not have clearances.\n    Senator Jones. All right. Thank you.\n    Ms. Lanier, you said something in response to Senator \nMcCaskill's question that struck me a little bit because, \nobviously, the drone issue concerns everyone. Alabama, my \nState, has a lot of outdoor events, whether it is the music \nfestivals, whether it is the sporting events. 
We are in the
fall, and college football is a really big deal right now. In
fact, many people would think that Alabama should be in the NFL
rather than the NCAA, but we will not go there.
    But you mentioned that you might not have any notice about
an incoming drone, unlike our missile defense system or
something like that. Would you talk about that a little bit
more and what can we do now to maybe at least get that on the
radar, so to speak? A lot of people want to take a picture over
Bryant-Denny Stadium when it is full. I get that, but they
should not.
    What can we do right now to maybe help in that aspect to
just put people on notice? Is there something we have the tools
with now?
    Ms. Lanier. Well, there are efforts under way to try and
educate people. A lot of it is people that are just not
educated that there are flight restrictions that prohibit the
use of drones over most of these large events, like the NFL
stadiums on game days. So getting that message out has been a
huge effort to try and educate folks.
    And there are detection systems. So the technology that is
there now comes into two different sets. There is detection
capabilities, and then there is interdiction capabilities. Some
of the technology that is available--and, again, mostly illegal
to use--can detect that a drone is incoming.
    A lot of times, they are launched from a parking lot right
near or very close by.
    Senator Jones. Right.
    Ms. Lanier. So there is not a lot of lead time, not a lot
of advanced warning that they are coming. So the detection
systems would be one thing, but the interdiction systems is the
other part of that.
And that is kind of what we have been
talking about here today, is the ability for someone to have
the authority to use that, from a law enforcement perspective
to use that technology to intercept that incoming drone so that
it does not make its way into the stadium, into the seating
bowl where all of those thousands of people are gathering.
    Senator Jones. The restrictions that are currently in
effect, I think--and maybe I am wrong about this, but as I
understand it, there are restrictions about flying a drone
within 3 miles of any event that is holding 30,000 or more
people. Is that correct?
    Ms. Lanier. That is correct, and that is the one that is
more difficult to educate people on because it is a temporary
flight restriction.
    So there have been some measures put in place to geo-fence
areas around airports, so that drones cannot go into those
restricted areas, but the temporary flight restriction that
goes along with mass gatherings, with that threshold and
higher, is much more difficult to educate and is not as easily
programmable into drones.
    Senator Jones. OK. All right. That is all.
    I may have some questions for the record, Mr. Chairman.
Thank you very much for having this hearing.
    Senator Johnson. Thanks, Senator Jones.
    I do want to underscore the importance of public awareness.
It is one of the reasons we are holding this hearing to make
the public aware that we have these threats, whether it is the
flight restrictions, public exposure in terms of the hacking,
whether it is Kaspersky Labs. I think public exposure is
extremely important when it comes to cyber defenses. Just
people's awareness so they can start looking at their own
vulnerabilities is incredibly important. Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Thank you, Mr.
Chairman.
    Thank you to each of our witnesses for your testimony here
today.
    While we meet today to talk about the evolving threats to
the homeland and look at major threats like cyberattacks,
electromagnetic pulses, and drones, I would like to express my
concerns about the broader issue of crisis response under our
current Administration.
    I was disturbed this morning to see that the President took
to Twitter to make false claims about the death count in Puerto
Rico, which comes days after he claimed the government's
response to Maria deserved an A plus.
    Nearly 3,000 Americans died as a result of Hurricane Maria
and the inadequate response that followed, and yet the
President does not accept those results and denies any
responsibility for the failures in 2017.
    3,000 deaths is not a number invented to attack the
President, as he claims. It is the acknowledgement of real
human lives. Each number represents a person that trusted in
their government to help them in their time of need.
Hurricane
Maria was devastating, and our country will continue to face
evolving threats from a variety of hazards, manmade as well as
natural.
    Americans should not have to worry that in a time of
crisis, a true national emergency, that our commander in chief
would cast doubt on very real, very human impacts of the
crisis.
    And as Hurricane Florence now bears down on the Carolinas,
we have to make every effort to ensure that the Federal
Government is well-positioned to support everybody in its path,
but we cannot forget about the continuing crisis in Puerto Rico
and the systemic challenges that led to the horrifying death
count that the President today denied on Twitter.
    Our Committee or the Federal Spending Oversight and
Emergency Management (FSO) Subcommittee should make use of the
broad jurisdiction of the Department and governmentwide
emergency response to exert strong oversight and hold officials
accountable.
    Mr. Chairman, I think we should hold a hearing on the
failures and lessons learned from the responses to Hurricanes
Harvey, Irma, and Maria and hope that we can have a dedicated
hearing on that issue.
    Chairman Johnson. Right now, we have a different subject.
    Senator Peters. I know, but this is of critical importance.
And I would hope that we would do that. We were trying to do
this in the Subcommittee, and we were informed that the
Administrator does not go to a Subcommittee even charged with
oversight of Federal Emergency Management Agency (FEMA). We
would hope to have your help in getting the Administrator here
to answer questions.
    Chairman Johnson. OK. I would like FEMA right now to
concentrate on the hurricane season currently, but we will look
at that.
    Senator Peters. I appreciate that, Mr. Chairman.
    Certainly, cybersecurity, which is our issue that we are
here today to discuss, is a vital component of all of our
critical infrastructure. Mr.
Mandia, do you put in that
category chemical facilities or ones that are potentially
susceptible to significant cyberattack and could present a risk
to critical infrastructure?
    Mr. Mandia. Yes. I do not know if I can speak to the
specifics of all the chemical facilities out there and their
cybersecurity posture in defense, so no.
    In my prepared remarks, I did talk about indiscriminate
attacks, and certainly, every single individual and every
single organization, should the gloves come off in cyberspace
and there is an escalation, we are all going to get targeted.
That is the interesting thing about cyberspace. It is
infinitely scalable and can go broad.
    A lot of times, the individualized security of one
organization in that industry is only going to be as secure as
the weakest link in that industry.
    Senator Peters. Well, I raise the issue of chemical
facilities because I have heard that inspectors in the Chemical
Facility Anti-Terrorism Standards (CFATS) Program, who mostly
have physical security backgrounds, they are worried that they
do not have the appropriate knowledge and training to assess
whether or not the facility owners have appropriately addressed
the risk to cybersecurity.
    So my question to you is, How can we get these folks the
training that they need, and certainly fits into their very
busy schedule now in order to be able to supervise these
activities?
    Mr. Mandia. I can tell you, speaking generically, as a
public CEO, you never want to see more and more regulation. The
reality is regulated industries, generally, at least you can
set the benchmark or threshold for what security they will
have, and if it is important enough to the Nation to secure
those types of organizations that create certain chemicals, you
could regulate them. You could find a way to do a benchmark of
security that they have to have.
And once that is the case,
there are plenty of opportunities to hire cybersecurity
professionals. There is plenty of training that they can
obtain.
    And we saw work in the private sector with the payment card
industry. The private sector regulated itself and said, ``Here
is what we need to have to secure credit card data,'' and they
forced you to do vulnerability assessments and different types
of assessments. And anyone who processes credit card data
applies those standards to them.
    Senator Peters. Mr. McBride, I have been a proponent of
improving our understanding of geomagnetic disturbances from
space weather for some time now, and I teamed up with Senator
Gardner on the Space Weather Research and Forecasting Act back
in 2016.
    We had William Bryan, the nominee to the director of
Science and Technology (S&T) at DHS a couple of weeks ago. I
asked him what role his organization can play in preparing our
Nation for a potential space weather event. He responded that
he will work with the DHS and other customers to determine what
requirements needed to be worked toward in this area.
    So my question to you is, in your opinion, in what areas do
we know what these requirements are, and in what areas do we
need more research to better understand how our critical
infrastructure may be impacted by a space weather event?
    Mr. McBride. So the electromagnetic pulse threat is
multifaceted. We have high-altitude nuclear detonations that
create an E1, E2, E3 effect. So it is the full spectrum of the
EMP pulse.
    We have things like flux compression generators. We have
the sun. The sun particularly--the E3 portion of the EMP pulse
with geomagnetic disturbance can be minutes or even up to
hours.
That threat is ultimately going to potentially cause
damage to large substation power transformers.
    We have never combined in the models or otherwise the
entire waveform associated with the EMP threat, E1, E2, and E3.
I believe that is a huge knowledge gap that needs to be
experimented and understood.
    In addition, nobody is in charge. So DHS, we have been
doing some work for the Department of Energy Office of
Electricity, understanding what EMP and GMD risks to the power
grid are. DHS, their mode was they asked a particular person to
stay abreast of what others are doing relative to the
electromagnetic pulse threat.
    Department of Defense recently formed their electromagnetic
defense task force, which I participated in 3 weeks ago. Nobody
has really taken ahold of whose responsibility is it to
mitigate this threat to the power grid.
    I believe for EMP E3, with an investment of somewhat less
than $4 billion, we could mitigate that vulnerability to our
most key resources in our extra high-voltage power grid. That
technology exists. We have tested and validated it. We know how
to do it. Where we do it and who funds it is the big challenge
that we face.
    Senator Peters. Thank you.
    Chairman Johnson. As long as we just made that point, I
want to talk about how reasonable that cost is. Less than $4
billion, we had testimony here earlier with Dr. Richard Garwin
on the Carrington Effect that happened about 150-some years
ago.
    Mr. McBride. 1859.
    Chairman Johnson. 1859.
    We have generally--figure that one of those large-scale
solar storms once every 100 years. Richard Garwin said we have
a 10 percent chance every decade of having something like the
Carrington Effect.
    Again, we have been dodging that bullet now for over 150
years.
If we were to experience that with today's electronics
and technology, what would the cost of a massive solar storm--
what would the potential cost be that we are trying to mitigate
with about a $4 billion expenditure?
    Mr. McBride. I believe that cost would be in the trillions
of dollars, significantly less than the cost to replace the
infrastructure that would fail due to a Carrington-level event.
    Chairman Johnson. And hundreds, thousands, tens of
thousands of lives lost?
    Mr. McBride. Very likely. It would be the socioeconomic
disaster that this country has never seen.
    Chairman Johnson. So you take a look at Puerto Rico who
lost power, but we could try and surge resources and help that.
There would not be too many people coming to rescue on
something like that type of event, correct?
    Mr. McBride. That is correct.
    Chairman Johnson. Again, Senator Peters, I appreciate your
concern about this. We share that, and we will continue to try
and figure out and get somebody put in charge of that. Senator
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman.
    We also are on multiple committees, and we just finished
one of my hearings. So I am happy to be able to join you now at
this hearing. I missed your testimony and had a chance to look
at it, and I appreciate the chance to ask you some questions.
    I am told that some of you mentioned in your testimony the
Russian campaign to hack the U.S. Presidential election in
2016. Attempts by Russia and Russian government-backed actors
to interfere in sovereign elections are not new. In 2014, that
country orchestrated a campaign to interfere in the elections
in the Ukraine. My wife has been with some of her friends and
colleagues from DuPont from years ago, has been in Georgia this
week, and she is sharing with me some of what Russia tried to
do in Georgia that we are familiar with.
    U.S.
intelligence agency or the U.S. intelligence community
said in its 2016 report that a criminal will likely continue
using cyber campaigns to interfere in elections for two simple
reasons. They are cheap, and there seem to be no consequences.
    Mr. Mandia, your testimony said much the same thing.
    Yesterday, President Trump signed a general Executive Order
that would impose sanctions on countries found to be
interfering in our elections, but he has failed to impose
sanctions on Russia, despite explicit authorization from the
Congress.
    The Republicans in Congress recently defeated an amendment
from Senator Leahy that would have provided States with an
additional $250 million for election security.
    I would just ask. Again, I think, Mr. Mandia, from you and
Ms. Bisceglie?
    Here is the question: Do you believe the United States
could do more, should do more to deter and prevent cyberattacks
on our election infrastructure in order to protect our
democratic processes? That is the first part of the question.
    The second half of the question would be, What steps in
particular do you recommend that those of us here in Congress
focus on first?
    Kevin, do you want to go first? Thank you.
    Mr. Mandia. Well, for the next 30 minutes, I will be
outlining the steps we need to take. No, I am kidding.
    But the bottom line is right now it is an interesting time
to be impacting cybersecurity. Every modern nation does not
know where the border is for behavior. There are no
international rules of engagement, and I observed the Russian
behavior from 1995 to 2000 and whatever today is.
    For the most part, we have observed their offensive
capability on a daily basis. I have done thousands of hours of
forensics looking at some of the machines compromised from
threat actors in Russia, whether criminal or
government-sponsored.
Sometimes it is hard to tell the difference.
    The bottom line is if all we are ever doing is playing
defense, we are always going to be having a little mop-up on
Aisle 5 to do in cyberspace somewhere just because the
asymmetry between offense and defense, it is almost hard to
explain.
    We are trying to defend millions of machines, but as long
as there is a communication channel into your organization from
another human and there is anonymity on the Internet, you are
hackable. It is just that simple. Whether that communication
channel is email, Skype, instant messaging. Facebook wall is
just waiting for somebody and baiting them to it.
    So this is a complex channel where you have to have a
doctrine that imposes risk and repercussions. The problem is it
is also hard to write a red line in cyberspace. The demarcation
of what is acceptable and what is not acceptable is still
blurry.
    What I have seen in the last few years--and I am indirectly
answering your question--is we are seeing indictments. We are
getting attribution. We are making indictments. A lot of people
ask, ``Does that matter?'' The answer is yes. We have a
sovereign nation and a Department of Justice pointing the
finger at nation-states and individuals in those nations.
    Over time, even if the government cannot impose risks and
repercussions, the Internet experience from nations that harbor
cybercriminals and different--what I call trench warfare in
cyberspace by nation-state actors, their Internet experience is
actually going to be different.
    There are private sector organizations that block every
Internet Protocol (IP) address from Russia today.
That is going
to expand and expand and expand.
    The bottom line is the private sector is doing what is in
its realm to defend itself, and it is looking to the government
to do its best to get attribution right and to impose risks and
repercussions and to have some predictable doctrine so that we
can govern the behaviors.
    And it is going to happen. If we do not do anything soon,
Senator, what we are witnessing is escalation, and the reason I
told you the years I have been responding to Russia is for
whatever reason, in August 2015, we saw them change rules of
engagement that they followed with great discipline for the
prior 20 years. Suddenly, they started targeting wider, started
doing less counter-forensics, started attacking anti-Putin
professors, started posting things that they stole. Those
behavior changes, if unchecked, will keep escalating.
    So we are going to have to sort it out. The answer to that
is going to be a lot of folks sitting in the room trying to get
that doctrine piece together. We have been working on this for
20 years. It is not simple. We have been admiring the
complexity of it, but we have to start somewhere.
    And that is enough of my statement.
    Senator Carper. All right. Thanks so much.
    Jennifer, I will just use your first name, if you do not
mind.
    Ms. Bisceglie. No, that is fine.
    Senator Carper. Again, two-part question. Do you believe
the United States could do more to deter and prevent
cyberattacks on our election infrastructure in order to protect
our democratic process? And, second, what steps in particular
would you recommend that we take here in Congress? Where should
we focus first?
    Thanks.
    Ms. Bisceglie.
Thank you.
    And I absolutely agree with everything that Kevin outlined.
    Back to the Federal Information Technology Supply Chain
Risk Management Improvement Act, to me, this is a perfect
example of where they could have some impact. It is really the
players that are at that table looking at what the doctrine
should be and then really looking at all of the sub-tier
relationships because it is not happening at the voting machine
level. It is all the components in it that expose you to a lot
of the communication concerns that Kevin just outlined. To me,
that is a perfect opportunity for what you have put out there
to say let us really understand all the different levels, all
the different players, what is important, where the
opportunities are that we are exposed to, because I agree we
need to have an offensive, but we do need to have a defensive
at the same time because you have people involved.
    And so I think if you follow the steps that Kevin just
outlined, it is perfect. Take this act. Take this bill that is
out there and really start focusing on the sub-tier
relationships, and we are going to be better off.
    The last thing I would like to talk to you--and it comes
from all the questions that have been asked--you really cannot
separate these two conversations. The supply chain and the
cyber concern is a physical and a digital relationship, and you
cannot separate those things anymore. Whether you are talking
about the F-35 or logistical ports or voting machines, this is
the same conversation, and it has to be done hand-in-hand or we
are going to miss something.
    Senator Carper. Thanks to both of you. In fact, thanks to
all of you.
    Chairman Johnson. A quick little comment. This is really
more Senate Foreign Relations Committee, but we held a hearing
with North Atlantic Treaty Organization (NATO).
The question I
raised in that hearing last week and the one I will continue to
raise is we need an attitude change. When you look at NATO, the
combined economic firepower of NATO is well north of $30
trillion. Russia is less than two. How can NATO, how can the
EU, how can America allow that puny little economic power to
push us around this way? Because we just have to change that
attitude. We are the 800-pound gorilla, and it is really absurd
what we are allowing Russia to get away with.
    But, anyway, I have questions. I want to ask each of you--
and I will start with Mr. McBride. Who should be in charge of
this effort? Which Department, which agency is best positioned
to be in charge of GMD, EMP, and I would say even responsible
for reestablishing the grid, even with a cyberattack?
    Mr. McBride. I believe as the sector-specific agency for
the electric grid in the United States, the Department of
Energy should be in charge of mitigating this threat.
    Chairman Johnson. So, obviously, Department of Defense,
Department of Homeland Security would be involved in that, but
the lead agency should really be the Department of Energy?
    Mr. McBride. I believe that to be the truth. Yes.
    Chairman Johnson. OK. Ms. Lanier, when it comes to drones,
what do you think? You have been in law enforcement. Who should
be in charge of that effort?
    Ms. Lanier. Well, in charge of the effort, I would say
probably DHS.
    Chairman Johnson. Because right now, it is FAA.
    Ms. Lanier. Correct. I would say probably DHS.
    And I would also say that, as I mentioned in my testimony,
both my written and my oral testimony, I think it is really
important that we find some way to integrate State and local
law enforcement on the back side of that DOJ-DHS effort. I
think they are really important.
That is why they are the first
responders.
    And the threat that is posed by drones that detect and
interdict, it is going to be critical to have State and local
law enforcement tied in there.
    Chairman Johnson. Mr. Mandia and Jennifer, in terms of
cybersecurity, who should be taking charge?
    Mr. Mandia. It is going to depend on mission. It is that
simple.
    Right now, when it is law enforcement, you see the FBI
primarily present, but local law enforcement will be present as
well.
    In regards to other operations in cyber, you will have the
intelligence agencies. I just think it is more complex because
you also had the private sector, and there is usually an
alignment by industry where energy companies and utilities are
aligned to figure out what is best practice for us and what do
we do. The financial services and the Financial Services
Information Sharing and Analysis Center (FS-ISAC) are aligned.
So you see the private sector trying to regulate the private
sector in many ways as well. I gave you that example, the
payment card industry.
    I think it is hard to pick. Do you have one cyber czar in
charge of all this when you have so many missions and so many
industries impacted by it?
    Right now the system is working pretty well. I think
probably the biggest change we could make in the government is
because there is a shortage of cybersecurity professionals, you
may want to have the DOD doing what they do. The intelligence
agencies are doing what they do, and there may be other
agencies like FAA and a few others that need to do it alone,
but there is probably an opportunity to consolidate a single
computer emergency response team--that is the security
operations center for 100 government agencies. Why not? We do
not have the effort to do it.
    Chairman Johnson. Where should that be housed?
    Mr. Mandia. Sir, I would pose that question to you.
    Chairman Johnson. Well, Ms.
Bisceglie.
    Ms. Bisceglie. So it may be a little snarky, but my point
is whoever is going to actually do it is who should do it.
    Chairman Johnson. That would be good criteria, right.
    Ms. Bisceglie. So the latest one I have seen for supply
chain in cyber is Homeland Security. If we are going to do
this--and I do agree with what Kevin, again, just laid out.
    But my thought is I would have a dotted line. I would have
the alignment by industry because even when you look at an
industry, you have all the different pieces that go into it. So
I would have the dotted line to Department of Energy, to the
DOD, to whatever they are responsible for, get away from the
partnerships. The idea of a GSA and DHS partnership is really
very difficult. Somebody has to be responsible.
    And then, again, get away from the political agenda, which
to the point that you just said forces that cultural shift that
really needs to occur.
    Chairman Johnson. You have all mentioned that you really
need the information sharing with private sector and
government. That has always been the problem with DOD taking
charge, and that is one of the reasons people look at DHS as
kind of the default agency that can work with private sector.
    But, again, who has the greater capability?
    Ms. Bisceglie. So, in my opinion--and I do not want to put
myself out of business, but this is--to the point that you
said, this is a culture.
    There was actually a memo that you are probably aware of
that went around last year in the Department of Defense that
actually gave their people permission to talk to industry. That
is not a law. That is a culture. And so the more that we help
folks understand that businesses are the ones that are going to
solve this--this is not government to solve. Regulatory, I
agree with. It is businesses to solve and change the culture.
    Chairman Johnson.
I think there may be reluctance from the
private sector to be contacting DOD or NSA.
    Mr. McBride, I will just have you chime in on this one on
cyber. You have some knowledge of this.
    Mr. McBride. Yes. So, for several years, Idaho operated the
Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT). So we were in a reactive mode. Where there is an
attack in the Ukraine, we send fly away teams out, collect that
forensic data from their networks. We reverse-engineer that in
our malware lab, understand what the malware can do, and
develop mitigations for that.
    Department of Homeland Security has now closed the
ICS-CERT, and now it is all operated through the National Crime
Information Center (NCIC) here in--I believe DC.
    Sharing information with the asset owners that need to know
what the threat and intelligence is has been a difficult
problem. I think we can improve that. Some people are now
getting security clearances, where the threat intelligence can
be shared with them.
    There is a new program that has just been stood up that is
trying to change from a reactive mode into more proactive.
Countries like Chechnya, Estonia, the Ukraine, they have told
us that they feel like they are test beds for Russia. So Russia
develops a cyber capability. They exercise that on one of these
three countries.
    We have people all over the world collecting intelligence.
We want to be able to develop mitigations for threats,
vulnerabilities, and malwares that are discovered prior to
arriving on U.S. soil.
    The intent is to create a proactive mitigation strategy for
cyber threats.
    Chairman Johnson. OK. But do you all agree somebody has to
be in charge? I mean, this cannot be five, six, seven different
agencies, just line authority and nobody really with the
authority to make sure that there is commonality in our
approach and that type of thing.
Just yes, yes, yes, or what is
it?
    Mr. Mandia. It is tough because I still think it aligns by
industries. If there was an all-out cyber campaign against this
Nation, you are going to see the financial services circle the
wagons. You are going to see the utility circle the wagons.
Largely, a lot of the attacks against those two groups may be
wholly different.
    If you are attacking a utility to shut it down, the attack
looks one way. If you are attacking the financial services to
disrupt it, it may look a little bit different.
    What I have observed in threat actors is they actually do
align a little bit by industry. So you will circle the wagons
that way.
    Overall, coordinating that event and that response, it is
hard from where I sit to say it is not the DOD during times of
war.
    With that being said, during times of perceived peace,
right now, I have observed we have a shortage of folks to
protect our networks. It would make sense to centralize for
most government agencies that defense component and capability.
    Chairman Johnson. I am just going to continue down my list.
I have a lot of questions here.
    Mr. Mandia, you are talking about attribution----
    Senator Carper. Mr. Chairman?
    Chairman Johnson. Pardon?
    Senator Carper. Could I just follow up on your question?
    Chairman Johnson. Sure.
    Senator Carper.
It is just a follow-on, if I can.
    When we passed out of this Committee legislation
reauthorizing DHS, one of the provisions in that
reauthorization dealt with National Protection and Programs
Directorate (NPPD) and in which we sought to make it clear that
they had the skills, the responsibility and so forth to work in
this arena.
    I think a bunch of us believe that we all share the goal of
ensuring that NPPD functions as a full component of the
Department and it has resources that are necessary to carry out
what we all think is a critical cybersecurity mission.
    Would any of you care to comment on the importance of
authorizing a dedicated cybersecurity agency within DHS to work
with the private sector in order to address these kinds of
threats?
    Ms. Bisceglie. I think it is very important. I think it is
important to have somebody in charge with a charter, and if
NPPD is the place, they have to have a charter. They have to be
resourced appropriately from a skills set standpoint as well as
financially, and then they need to be held accountable and
again not just around activity but for the integration across
the players, as Kevin keeps outlining, and what are we actually
doing about it?
    Senator Carper. Thank you.
    Anyone else?
    Mr. Mandia. Centralized is going to be better than
decentralized.
    At the end of the day, you look at what Britain did and the
UK. They have one place where everybody reports every single
event to, not a multitude of them. Overall, you will have a
better learning system if you do centralize all the intel
coming in and have one coordinating point. Yes.
    Senator Carper. All right. Thank you, Mr. Chairman.
    Chairman Johnson. Israel has one directorate reporting
right to the prime minister. So we need to look at those
models.
    But, Mr. Mandia, you were talking about attribution
offense.
What came to my mind during that process was just \ndefinition of the problem too.\n    I have been doing this for 7 years, and I kind of define \nthe whole cyber issue in four buckets--crime, cybercrime; \nespionage, industrial espionage; then just malicious activists, \nOK; and then warfare, those four buckets.\n    I completely agree with you. As long as we are just on \ndefense, that is where we are going to be, and offense is going \nto get better and better capabilities.\n    You need to have some kind of deterrent, but the problem \nthere is attribution and if you go on offense, to do it right. \nCan you just speak to that concern?\n    Mr. Mandia. Well, I do know this. You can easily frame it \nexactly how you just did. You have criminals. You have \nespionage. You have just malicious intent, destroy whatever you \ncan, and you have warfare.\n    But what we observed was amazing for me. In September 2015, \nwe had some kind of agreement with China. I do not know if it \nwas written or not, but what we observed in cyberspace is prior \nto August 2015, we saw between 60 to 80 U.S. companies \ncompromised every month from cyber espionage campaigns out of \nChina. August, it goes down to four.\n    Chairman Johnson. And you wrote the book on that, right?\n    Mr. Mandia. Right. Well, we exposed it in New York Times in \n2013 just because it felt unfair having folks barge into a \nbuilding in a military unit and hack into a brick-and-mortar \nfirm in the United States, did not seem like a fair fight.\n    The bottom line is we saw, after some agreement was \nreached, those attacks go down to four and hold steady for a \nlong time. So there are certain nations we can, in fact, have \nagreements on rules of engagement, and I would argue, we have \nhad them for decades with Russia even until recently. 
It seems \nlike they have escalated.\n    So where you can get that kind of agreement, we should do \nit, and where you cannot, that is where the complexities arise.\n    Chairman Johnson. Well, to get back to your point about too \nmuch classification--again, I will go back to Kaspersky. When \nwe first found out about that, we knew about them for almost a \ndecade. We allowed that business to grow and be a security \nplatform for most computers here and exposed ourselves. To me, \nthat public exposure is incredibly important.\n    I mean, in your Mandiant report, I think it was 2014 on the \nPeople's Liberation Army (PLAs) little operation there.\n    China, I think is particularly sensitive to public exposure \nand disclosure on these things.\n    I think Russia certainly could possibly, as long as we are \nmaking them pay a price for these things.\n    I could not agree with you more that we way overclassify \nthese, and it is to our own detriment. And we are saying we do \nit for national security, and I think we are actually risking \nour national security by not making more of these things \npublic.\n    I want to talk a little bit about government control versus \nprivate sector. Private sector would be more nimble. When I sat \nin a hearing over there early on--this was in probably 2012--\ntalking about the Collins-Lieberman bill, a representative from \nDHS--I asked him point blank, ``How long will it take you to \nwrite the regulations, contemplating this piece of \nlegislation?'' With a straight face, he said about 7 years.\n    To me, an insurance model will really help discipline this \nprocess. I would like you to talk a little bit about that, Mr. \nMandia, because you sort of touched on this. Where are we in \nterms of ensuring cyber risks, and do you think that is an \neffective model?\n    Mr. Mandia. Well, I do think it has been in the discussion \nsince the late 90s. 
When you look at risk, most CEOs want to \ndeploy their own risk framework to their organization. If you \nare not a regulated entity, it is your risk profile that you \nneed to implement at your company.\n    I do believe insurance--I think it is inevitable, quite \nfrankly. We have talked about it for multiple decades, but \nthere is cyber insurance available, and the question becomes \nwho sets the floor for how good we are at cybersecurity?\n    It is real hard for the government to have sweeping \nlegislation that says here is how good you need to be whether \nyou make cupcakes, make hamburgers, or make missiles.\n    I do not think it works. I think you can self-regulate, and \nthe private sector can do this. And insurance is probably one \nway where that can come to fruition. That if you do want cyber \nassurance and maybe even you have to get it if your company is \nshaped a certain way, has a certain number of employees, or for \nmaybe certain industries. We have regulations for utilities. We \nhave them for financial services. Those are pretty much taken \ncare of, but for a lot of the mom-and-pop shops that are \ndriving business, maybe insurance is the right route in that \nthey get--basically it will be the insurance companies that say \nhere is how good your cybersecurity needs to be, here is the \nfloor, and at least we can start benchmarking the \ninfrastructure security.\n    Chairman Johnson. Well, then through the supply chain too, \nlike International Organization for Standardization (ISO) \ncertification, you can also certify sub-tier suppliers to do \nthose audits again. That can all occur in the private sector.\n    Senator McCaskill, do you have any further questions?\n    Senator McCaskill. No.\n    Chairman Johnson. Let me in this case--because, again, we \nhad some good questions. We have some real experts here. 
Is \nthere something that somebody touched on that we were not able \nto really kind of flesh out?\n    I will just kind of go down the list or down the witness \npanel here. Is there something you want to say just in a \nclosing comment? Mr. Mandia.\n    Mr. Mandia. No. I have said enough.\n    Chairman Johnson. OK. Ms. Lanier.\n    Ms. Lanier. Yes. I think I missed an opportunity to \nreemphasize the main points that we wanted to get across today.\n    Again, I mentioned in my written testimony, we support the \nFederal Aviation Administration's efforts to adopt and \nimplement the remote identification requirements for all or \nnearly all drones that are sold or operating in the United \nStates.\n    We also feel that Congress should revise the hobbyist \nexemption in Section 336 of the FAA Modernization and Reform \nAct of 2012. The current hobbyist exemption permits far too \nmany drones to be operated by unlicensed and untrained pilots.\n    And we support the aims of your bill. The Preventing \nEmerging Threats Act of 2018, which would extend drone \ninterdiction authority to Department of Homeland Security and \nDepartment of Justice. The bill represents an important step \nforward in helping to provide greater protections. We just want \nit to go a little further and include State and local law \nenforcement officers that are on the front lines every day at \nmass gatherings trying to protect thousands of people.\n    So thank you for letting us participate.\n    Chairman Johnson. That would be next step, no doubt about \nit. Mr. McBride.\n    Mr. McBride. So I would like to mention that in the United \nStates, we have public power utilities like Request for \nEquitable Adjustment (REAs), co-ops, and municipals. They are \nowned by their members, by their customers, and they are \nunregulated. And then we have the investor-owned utilities \nwhich are regulated. 
They are regulated by the State public \nutility commissions and by the Federal Energy Regulatory \nCommission (FERC). I think it is important that government-\nprivate partnership be developed because the utilities that are \nnot regulated, unless they are told they have to do something, \nthey are probably not likely to do it. So I believe the \nresponsibility to the asset owners would be to identify, do the \nmodeling and analysis, to identify those critical assets that \nneed the protection against the threat of EMP or GMD, and then \nthe government, I think has to help them implement the \nmitigations for those.\n    Chairman Johnson. Thank you.\n    Ms. Bisceglie, did I ever get that right?\n    Ms. Bisceglie. That was awesome. You did.\n    Chairman Johnson. Oh, OK. Great.\n    Ms. Bisceglie. I think our biggest thing was to really \ncentralize it and line item fund it, but on your last question, \nif I could, the difference to government and the private \nsector, I think the biggest thing--and again, I think that the \nbill for the Federal Information Technology Supply Team Risk \nManagement Improvement Act, the Government really needs to \nunderstand what they are inherently responsible for and what is \nimportant to them. So is it the voting machines that were \ninvolved in the Census 2020? What is important? Use this act to \nactually drive that home.\n    Focus on that risk tolerance. That is where the \nregulations, the policies, the auditing that was just mentioned \nby Mr. McBride--we do not get asked. Like Continuous \nDiagnostics and Mitigation (CDM), the latest version of CDM \nactually has a supply chain risk management as a requirement in \nprocurement, and nobody is being audited against what is being \ndone or not being done. I think it is a great question to ask.\n    And then I think the last thing is what I mentioned before. \nAgain, I did hear a lot here. 
In any of these things, we cannot \nseparate cyber and supply chain because they are one-in-one, \nhand-in-hand right now.\n    Thank you.\n    Chairman Johnson. Again, thank you.\n    I cannot help but notice and comment on the fact that prior \nto this hearing--this was always Senator McCain, who--again, we \nall respected--in his last couple of years as Chairman of Armed \nServices, he was not in this Committee as often, but we all \ntraveled with him. We saw his commitment to individual liberty, \nfreedom, the type of hero he was not only in America, but you \ngo over to Ukraine because he was fighting for, again, those \nkind of democratic values.\n    So we already do miss him. We sorely miss him. I am \nreminded just kind of looking at a different name in his spot.\n    And I also want to welcome Senator Jon Kyl, who I also have \na great deal of respect for. He has done a lot of work in terms \nof national security, maintenance of our nuclear stockpile to \nkeep this Nation safe.\n    So I wanted to make those comments as we close out this \nhearing.\n    But, again, thank you for your testimony. You put a lot of \nwork into it. You really did. I appreciate that. They will be \nin the record, and the hearing record will remain open for 15 \ndays until September 28, 5 p.m., for the submission of \nstatements and questions for the record.\n    This hearing is adjourned.\n    [Whereupon, at 12:04 p.m., the Committee was adjourned.]\n\n                            A P P E N D I X\n\n                              ----------   \n                              \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                              \n\n\n\n                     <all>\n</pre></body></html>\n"