[Senate Hearing 115-588]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 115-588
 
                    EVOLVING THREATS TO THE HOMELAND

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS


                             SECOND SESSION

                               __________

                           SEPTEMBER 13, 2018

                               __________

        Available via the World Wide Web: http://www.govinfo.gov  
        
                        Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        




                U.S. GOVERNMENT PUBLISHING OFFICE
                   
34-575 PDF             WASHINGTON : 2019      


        
        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana                KAMALA D. HARRIS, California
JON KYL, Arizona                     DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
          Michelle D. Woods, Senior Professional Staff Member
              Colleen E. Berny, Professional Staff Member
                     William G. Rhodes III, Fellow
               Margaret E. Daum, Minority Staff Director
               J. Jackson Eaton, Minority Senior Counsel
                 Subhasri Ramanathan, Minority Counsel
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk
                     

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator McCaskill............................................     2
    Senator Hassan...............................................    15
    Senator Jones................................................    18
    Senator Peters...............................................    21
    Senator Carper...............................................    24
Prepared statements:
    Senator Johnson..............................................    35
    Senator McCaskill............................................    37

                               WITNESSES
                      Thursday, September 13, 2018

Kevin Mandia, Chief Executive Officer, FireEye, Inc..............     4
Cathy Lanier, Senior Vice President of Security, National 
  Football League................................................     6
Scott McBride, Manager, Infrastructure Security Department, Idaho 
  National Laboratory............................................     8
Jennifer Bisceglie, President and Chief Executive Officer, 
  Interos Solutions, Inc.........................................    10

                     Alphabetical List of Witnesses

Bisceglie, Jennifer:
    Testimony....................................................    10
    Prepared statement...........................................    57
Lanier, Cathy:
    Testimony....................................................     6
    Prepared statement...........................................    46
McBride, Scott:
    Testimony....................................................     8
    Prepared statement...........................................    51
Mandia, Kevin:
    Testimony....................................................     4
    Prepared statement...........................................    40

                                APPENDIX

Responses to post-hearing questions for the Record:
    Mr. Mandia...................................................    66
    Ms. Lanier...................................................    72


                    EVOLVING THREATS TO THE HOMELAND

                              ----------                              


                      THURSDAY, SEPTEMBER 13, 2018

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:31 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, McCaskill, Carper, 
Peters, Hassan, Harris, and Jones.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will come to 
order. I want to thank the witnesses for traveling here, for 
taking time to write your testimony, and your willingness to 
appear and answer our questions and give us your oral 
testimony.
    I will ask that my written statement be entered in the 
record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 35.
---------------------------------------------------------------------------
    As I was explaining out back or in the ante room, this 
hearing really is borne out of my own personal frustration. I 
have been here 7 1/2 years, and I cannot remember where this 
phrase was coined, but it is over the last couple of months as 
I have been talking about a number of these issues. We have 
been sitting here admiring these problems and just not 
effectively addressing them.
    So, today, we are not covering all the potential threats. 
We are going to have our full-fledged threat hearing with the 
Federal Bureau of Investigation (FBI) Director and Secretary of 
the Department of Homeland Security (DHS) and the head of the 
counterterrorism group. That will be in a couple weeks.
    But I wanted to assemble some experts on some of these 
specific threats that literally could be existential. I do not 
want to scare people. I am always, to a certain extent, 
reluctant to lay out these threats. I do not want to give 
people any ideas, but some of these things are just so public 
now and so obvious in terms of what these problems are.
    I think it was in March 2015. We had Joe Lieberman and Tom 
Ridge here. They developed this blue ribbon study panel on 
biothreats, and back then, they had a pretty simple suggestion. 
Number one recommendation was we need somebody in charge. There 
are more than 20-some different appropriations, different 
agencies, and a number of different agencies were doing things. 
But there was nobody in charge of what happens if we actually 
had a real biothreat and how we would react to that.
    I would say kind of the same thing is true of cyber. We 
have Kevin Mandia, a real expert with FireEye, talking about 
the different types of cyber threats.
    It is certainly true with drones. We have been trying to 
pass a bill--I think we are getting a little bit closer--in 
terms of just giving DHS the same authority to start studying 
how to counter and some authority to counter drones, like the 
Department of Defense (DOD) and the Department of Energy (DOE) 
has over some of their facilities.
    But I was shocked. I think most of my colleagues were 
shocked that we do not have the authority to even study, much 
less counter use of drones.
    We have held multiple hearings on the threats of 
Electromagnetic Pulse (EMP) and Geomagnetic Disturbance (GMD), 
and we have Scott McBride here from the Idaho National 
Laboratory, a real expert on that subject, both EMP and GMD, 
but also just electric grids in total as relates to potential 
cyberattacks or kinetic attacks as it relates to that.
    And then we have Jennifer Bisceglie in terms of a strategic 
resource management, in terms of how do we strategically look 
at the threats of our supply chain, which has also come up with 
whether it is Huawei and Zhongxing Telecommunication Equipment 
(ZTE) and just other threats from that standpoint.
    So, again, I just want to thank all the witnesses. I am 
looking for some practical solutions, things that we can 
actually do. We have admired this problem enough. We have 
studied it enough. We have not produced the strategies, and 
that is true, but I am actually looking for some concrete 
things we can take away from this hearing. And maybe if there 
is a law that we have to pass, try and pass that law, but just 
try and figure out something. Let us do something about some of 
these problems.
    With that, I will turn it over to our Ranking Member, 
Senator McCaskill.

           OPENING STATEMENT OF SENATOR MCCASKILL\1\

    Senator McCaskill. Thank you, Mr. Chairman.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator McCaskill appears in the 
Appendix on page 37.
---------------------------------------------------------------------------
    Two days ago marked the 17th anniversary of the September 
11, 2001 (9/11) attacks on this Nation. It is a somber reminder 
of the threats we face and that we must continue to vigilantly 
protect the country from those who wish to do us harm.
    In the 17 years since 9/11, Congress and the American 
people have had spirited debates surrounding the nature of 
threats to the United States and how best to protect ourselves 
from them.
    A lot has changed over these nearly two decades, but until 
recently, one component remained constant. Since joining the 
Senate over 30 years ago, my friend and colleague, Senator John 
McCain, was an integral part of every national security 
conversation that took place in this body. His commitment to 
public service, his dedication to the defense of our country, 
and his efforts to promote American values were unparalleled.
    I had the privilege of serving with him on this Committee 
and on the Senate Armed Services Committee. His conviction, 
insight, and sense of humor will be sorely missed, even his 
incredible temper. John McCain made an indelible mark on the 
security of this Nation, and I will miss him as a colleague and 
a partner in addressing these complicated issues.
    I also welcome Senator Kyl back to the Senate and to this 
Committee, and I look forward to working with him.
    The United States has made enormous progress in preventing 
another 9/11-style attack, but threats to the country remain. 
Terrorism continues to evolve as a threat and requires 
innovative solutions to confront and prevent it.
    As the United States and the world become more digitally 
connected and as technology advances at a rapid pace, we have 
new vulnerabilities. This hearing provides an opportunity for 
the Committee to focus on some of those concerns and explore 
real solutions.
    In 2013, for the first time, then-Director of National 
Intelligence James Clapper prioritized cyber threats above 
terrorism when testifying before Congress. In the years since, 
the problem has metastasized. The threat of cyberattacks and 
cyber espionage regularly dominate headlines, and with the 
midterms approaching, election security is obviously of 
paramount concern.
    This Congress, Senator McCain, as Chairman of the Armed 
Services Committee, created a Cybersecurity Subcommittee on 
which I serve, where our focus complements the work of this 
Committee on identifying cyber threats and strengthening our 
forces and capabilities.
    One area of focus that I am particularly concerned about is 
Supply Chain Risk Management (SCRM) and specifically the 
information technology (IT) and telecommunications supply 
chains within our government agencies and the U.S. 
infrastructure.
    This evolving threat can turn a mundane antivirus software 
purchase into an unacceptable risk to our national security. We 
need to make sure our information technology products and 
services are safe from infiltration, down to the smallest 
component, and like most national security issues, that 
requires a strategy and a whole-of-government approach.
    Supply chain risk management cannot be achieved piecemeal. 
In this regard, a threat to one agency is likely a threat to 
many others.
    In June, Senator Lankford and I introduced the Federal 
Acquisition Supply Chain Security Act to address this critical 
issue. Few understand this issue better than some of the 
experts on this panel.
    I hope this hearing will provide the Committee, Federal 
agencies, and the public with a better understanding of how to 
solve this problem.
    Similarly, this Committee has heard from numerous Cabinet 
officials and experts in the public and private sectors about 
threats posed by drones.
    Chairman Johnson and I introduced legislation that would 
authorize the Department of Homeland Security and the 
Department of Justice (DOJ) to conduct limited counter-drone 
operations for a narrow set of important and prioritized 
missions. Our bill is just the simple first step in tackling 
this mounting problem, and we welcome additional thoughts from 
the witnesses on solutions that might mitigate the threat.
    I thank the Chairman for holding this hearing and look 
forward to the discussion.
    Chairman Johnson. Thank you, Senator McCaskill.
    It is the tradition of this Committee to swear in 
witnesses, so if you all would stand and raise your right hand. 
Do you swear the testimony you will give before this Committee 
will be the truth, the whole truth, and nothing but the truth 
so help you, God?
    Mr. Mandia. I do.
    Ms. Lanier. I do.
    Mr. McBride. I do.
    Ms. Bisceglie. I do.
    Chairman Johnson. Please be seated.
    Our first witness is Kevin Mandia. Mr. Mandia is the chief 
executive officer (CEO) of FireEye, a leading global 
cybersecurity company. Prior to FireEye, he founded the 
cybersecurity firm Mandiant Corporation. Earlier in his career, 
Mr. Mandia served in the United States Air Force as a 
cybercrime investigator. Mr. Mandia.

TESTIMONY OF KEVIN MANDIA,\1\ CHIEF EXECUTIVE OFFICER, FIREEYE, 
                              INC.

    Mr. Mandia. Thank you, Mr. Chairman, Ranking Member 
McCaskill, and other Members of the Committee. I appreciate 
this opportunity to speak to you today about the cyber threats 
facing our Nation.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Mandia appears in the Appendix on 
page 40.
---------------------------------------------------------------------------
    Before I begin discussing these cyber threats, I would like 
to take a moment to extend our condolences to each of you for 
the loss of your dear friend and colleague, Senator John 
McCain.
    In my testimony today, I intend to discuss the cyber 
threats to our Nation, what they are, what their impact could 
be, and what we can do about it.
    I have been working in cybersecurity for over 25 years. As 
the Senator said, I started my career in the Air Force as a 
computer security officer at the Pentagon. Following that, I 
was a special agent in the Air Force Office of Special 
Investigations, investigating computer intrusions into our 
military networks, and I have the privilege today to serve as 
the CEO of FireEye.
    As I sit here right now, we are responding to dozens of 
breaches around the world. We have over 300 investigators that 
conduct over 600 investigations every year into what happened 
during the breach and what to do about it. We have over 100 
threat analysts that are in 18 different countries that speak 
32 different languages, actively tracking the threat actors on 
a global basis to try to get attribution behind who is doing 
it. And we have over 15,000 sensors that every hour detect 
between 50,000 and 70,000 malicious events. We are the last line of 
defense for computer security for our customers.
    We have been seeing the attacks firsthand. We know how the 
attackers are evading our safeguards, and we have witnessed the 
impact that these attacks have had firsthand as well.
    Let me begin by sharing three general observations about 
the cyber threats to the United States. First, I believe the 
United States is more vulnerable in cyberspace than other 
nations. First, we depend more on the Internet, the 
connectivity, the technology, and the infrastructure than the 
nations that host the most prevalent cyber attackers, such as 
Iran, Russia, China, and North Korea.
    Second, our critical infrastructure is shared. For the most 
part, it is in the hands of the private sector, and during 
times of duress or outright war, if we need to do ``shields 
up'' in a joint defense, we are going to need to cooperate 
between the government and the private sector, whereas many 
other nations, some of their critical infrastructure is purely 
government controlled.
    Third--and it sounds odd, but it is true--that a weakness 
of the United States is in fact in cyberspace, freedom of the 
press, fundamental to our democracies, but it gives attackers 
two advantages that we simply do not have if we reciprocated 
those types of attacks on closed societies.
    First, influence operations can be conducted in the United 
States with greater efficacy than in a closed society. Second, 
the ability to attack an organization or an individual, steal 
their information, and threaten to publish it online in any 
capacity; or to threaten or hold their information hostage is 
an invasion on our privacy. It allows folks to leverage our 
citizens in ways that closed societies do not need to worry 
about as much.
    The second observation I would like to make is that a lot 
of people talk about Pearl Harbor scenarios against the Nation 
in cyberspace. I think what is going to be more likely is what 
we refer to internally at FireEye as ``cyber trench warfare.'' 
I want to talk about some of the ingredients for cyber trench 
warfare.
    The first characteristic is that it is going to be 
conducted below the threshold that would elicit an aggressive 
response by the United States. It will be low and slow. It will 
endure, but it will slowly erode our willingness to combat it 
over time. Second, the campaigns will be long term. Third, 
these campaigns are going to go after, in my opinion, the 
softer targets. A lot of people think that critical 
infrastructure in the military will be target number one if we 
have a modern war. In fact, it may very well be the softer 
targets, small municipalities, health care, small elementary 
schools, the small businesses that make the fabric of our daily 
businesses run. Those will be the soft targets that are in fact 
attacked, and in aggregate, if all the soft targets in this 
country succumb to a destructive attack, the impact and 
consequence can be pretty grave.
    The last general observation that would happen during any 
cyber conflict against the United States, is what I describe as 
a butterfly effect, and it works two ways. Whenever there is a 
cyberattack, when somebody takes the gloves off and escalates 
in cyberspace, even the perpetrators are not fully aware of 
what the impact of these attacks will be. If somebody launches 
an indiscriminate, destructive attack on our Nation, they do 
not know what unintended consequences can happen from that.
    But I do know this. We have not been able to predict it 
either, and imagine if the U.S. Senate came offline for a day 
or two from the Internet, what would happen? Would you be able 
to get into the parking garage? Would you be able to even make 
a phone call from your desk? Would you be able to buy lunch in 
the cafeteria downstairs? It has a lot of unintended 
consequences that people have not predicted in the past.
    So what do we do about it? The threats to our Nation are 
growing. I gave you some high-level observations about this, 
but by establishing a system where the private and public 
sectors work together, we practice together. That is key. We 
practice together doing dry runs, and we proactively use threat 
intelligence. We can create a learning system. We are getting 
better every day, but we can accelerate getting better at a 
faster rate.
    And, last, we need to explore international rules of 
engagement and hold threat actors accountable. Right now, the 
key word is ``deterrence.'' Do we have a deterrence against 
cyber-threat actors against our Nation? What can we do about 
that?
    If we find a way to have some diplomatic treaties or 
agreements with other nations that are launching these attacks, 
the United States and the daily lives of our citizens will be 
better safeguarded.
    Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Mr. Mandia.
    Our next witness is Cathy Lanier. Ms. Lanier is the senior 
vice president of Security for the National Football League 
(NFL). She previously served as the Chief of the Metropolitan 
Police Department of the District of Columbia. Ms. Lanier.

    TESTIMONY OF CATHY LANIER,\1\ SENIOR VICE PRESIDENT OF 
               SECURITY, NATIONAL FOOTBALL LEAGUE

    Ms. Lanier. Hi. Good morning, Chairman Johnson and Senator 
McCaskill. How are you? Members of the Committee. Thank you 
again for the opportunity to testify here today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Lanier appears in the Appendix on 
page 46.
---------------------------------------------------------------------------
    As requested, I will focus my testimony on the threat posed 
by malicious drones at major sporting events.
    At the NFL, we have observed a dramatic increase in the 
number of threats, incidents, and incursions by drones. Fewer 
than 10 miles from here, a drone flew over FedEx Field during 
pregame activities for a Monday Night Football game, violating 
Washington's national security airspace and the airspace 
restrictions of the NFL game.
    The NFL is not alone. For example, in 2017, a drone crashed 
into the stands of a Major League Baseball game between the 
Padres and the Diamondbacks.
    A 2017 incident involving two NFL stadiums dramatically 
demonstrates this threat. During a San Francisco 49ers game, 
the stadium security director at Levi's Stadium called me and 
alerted me that a drone had just dropped leaflets over the 
seating bowl. I warned the other teams, so when the operator 
sought to fly a drone over nearby Oakland Coliseum, local law 
enforcement was ready for them. They were able to quickly 
identify the operator and arrest him.
    We are all very fortunate that the drone over Levi's 
Stadium dropped just leaflets. Drones today are capable of 
inflicting much greater damage.
    As the Committee knows, various threat assessments have 
recognized that large gatherings of people are enticing targets 
for malicious actors.
    The Federal Aviation Administration (FAA) and Congress have 
therefore imposed flight restrictions on the airspace above 
large sporting events. The FAA first established these 
restrictions after 9/11, and Congress subsequently strengthened 
and codified those requirements.
    The current temporary flight restrictions prohibit 
aircraft over NFL games, Major League Baseball games, National 
Collegiate Athletic Association (NCAA) Division One football 
games, and major motor speedway events such as National 
Association for Stock Car Auto Racing (NASCAR). These flight 
restrictions have largely worked as intended, keeping 
commercial and civil aircraft away from stadiums during games. 
Drones, however, present an entirely different challenge that 
needs an appropriate legislative response.
    Drones can be acquired easily and cheaply. They are often 
used by unlicensed individuals, with no awareness of airspace 
rules, flight restrictions, or many other regulatory 
requirements related to aircraft.
    Stopping drones is currently extremely challenging. Drones 
are small and portable. They can be launched quickly and very 
close to a stadium from an adjacent parking lot. Several 
stadium security directors have told me that they are regularly 
approached by vendors selling counter-drone equipment. They 
know that using such devices is illegal.
    The current state of law, however, leaves security 
officials with an unenviable choice: Procure the equipment 
whose use would be illegal, or remain unequipped to respond to 
a security threat that can endanger tens of thousands of 
people.
    The NFL, therefore, supports the development of new 
approaches to drones. We support the FAA's remote 
identification effort. We support revising the hobbyist 
exemption, which currently permits far too many drones to be 
flown by far too many unlicensed and untrained pilots.
    Further, we support the aim of your legislation to extend 
drone interdicting authority to DOJ and DHS. Your bill is an 
important step forward.
    In particular, the bill permits State officials to request 
Federal support for local law enforcement efforts. The bill 
correctly recognizes that local law enforcement officers are 
primarily responsible for security at locations where drones 
present risks such as NFL games.
    Although this provision permits local officials to request 
Federal assistance, there are not enough Federal resources to 
provide security at all the events that need protection, 
including the 256 NFL games in a season.
    The NFL, therefore, strongly encourages Congress to 
consider additional reforms that would provide authorities to 
local law enforcement officers to detect and intercept drones 
that pose a threat to major sporting events like our NFL games.
    The NFL looks forward to continuing to work with Congress, 
the FAA, and others on our shared goal of ensuring the safety 
and security of our players, coaches, fans, and staff that 
attend our games.
    Thank you so much for the opportunity to be here today. I 
appreciate your time.
    Chairman Johnson. Thank you, Ms. Lanier.
    Next witness is Scott McBride. Mr. McBride is the 
Infrastructure Security Department manager within the National 
and Homeland Security Infrastructure Protection Department at 
Idaho National Laboratory. Mr. McBride directs power systems 
engineering projects for the lab's clients, including the 
Department of Energy and Department of Defense. Mr. McBride.

TESTIMONY OF SCOTT MCBRIDE,\1\ MANAGER, INFRASTRUCTURE SECURITY 
             DEPARTMENT, IDAHO NATIONAL LABORATORY

    Mr. McBride. Thank you, Chairman Johnson, Ranking Member 
McCaskill, and distinguished Members of the Committee for 
holding this hearing and inviting Idaho National Laboratory's 
testimony on the potential threat of geomagnetic disturbance 
and electromagnetic pulse to the U.S. power grid.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. McBride appears in the Appendix 
on page 51.
---------------------------------------------------------------------------
    At Idaho National Laboratory, I manage power system projects, 
industrial control system security to secure critical 
infrastructure throughout our Nation, with a primary focus on 
the energy grid.
    As the U.S. electric power grid incorporates new digital 
technology with decades-old infrastructure, the grid is 
becoming vulnerable to GMD and EMP events, whether the EMP 
source is from nuclear or non-nuclear sources. We have 
developed a fairly robust understanding of the scientific 
principles of the damaging waveforms associated with GMD that 
enables us to predict effects and design protections to 
mitigate those effects.
    Initial experiments have been completed, and models are 
beginning to emerge that assist us in better understanding and 
characterizing effects and impacts from the individual waveform 
specifically associated with an electromagnetic pulse.
    Research and testing of the interdependent effects of the 
combined three waveforms on our grid's individual components 
and interconnected infrastructure is an uncharacterized field 
of study that needs further exploration and discovery.
    There are ways the United States may improve its 
understanding of the extent of the vulnerability and reduce or 
eliminate consequences of GMD and EMP events.
    In addressing this need, the Department of Energy recently 
tasked the National Laboratories to develop a report that 
updates the extent of our current scientific understanding of 
the effects of EMP on the electric power grid. Pending this 
report's publication, significant progress for GMD and EMP grid 
protection can be made by pursuing four concurrent paths.
    The first adopts EMP hardened transformer neutral blocking 
devices designed to provide automatic protection for 
transformers against GMD events to prevent harmonic generation, 
reduce reactive power demand, and reduce voltage collapse.
    The second defines the EMP threat environment, including 
research coupled currents and voltages for transmission and 
distribution lines, in support of developing an informed all-
hazards protective strategy.
    The third conducts a series of scaled experiments on a 
variety of grid components and restoration assets to 
understand, predict, and measure the impacts of EMP events on 
unprotected systems as well as the effectiveness of protective 
options.
    The fourth identifies the prioritized infrastructure that 
can lead to a most effective and impactful set of actions that 
will harden the grid and enable reliable black-start processes.
    Following this research path with appropriate and 
coordinated government and industry partnerships can lead to a 
set of effective hardness and protective measures for GMD and 
EMP events that add quantifiable, cost-effective resiliency to 
the power grid.
    Current gaps in knowledge suggest that the experiments of 
highest priority would include assessing the damage from 
integration of the propagating electromagnetic radiation 
effects to grid assets directly connected to long power lines, 
antennas, and communication and data lines; measuring 
effectiveness of shielding, including nonconductive critical 
communication fiber-optic cables, well-grounded equipment 
racks, and shielded buildings, such as power grid control 
centers; determining the effectiveness of developmental 
technologies for transient voltage surge suppression; and 
finally, exercising high-voltage system operations and 
processes for critical systems spares replacement, restoration 
procedures, and recovery processes.
    This research will have the most benefit if the results are 
concurrently shared with stakeholders who are developing 
priorities for more research that can be utilized to enhance 
predictive models and provide stakeholders with the sound 
technical basis for standards and regulatory guidance. While it 
may not be plausible to protect all assets, careful 
prioritization of the research and implementation of 
protections can enable critical portions of the grid to survive 
or at least be rapidly restored following a GMD or EMP event.
    Cooperation between government and industry can accelerate 
full implementation of a protection strategy through a greater 
technical understanding of GMD and EMP threat characteristics 
and system effects.
    Thank you.
    Chairman Johnson. Thank you, Mr. McBride.
    Our final witness is Jennifer Bisceglie. Close enough. You 
can tell us what it is. [Laughter.]
    Ms. Bisceglie is the president and CEO of Interos 
Solutions, Inc., which assists public and commercial sector 
customers with supply chain and vendor risk management. Ms. 
Bisceglie was named the AT&T Innovator of the Year in 2015.

    TESTIMONY OF JENNIFER BISCEGLIE,\1\ PRESIDENT AND CHIEF 
           EXECUTIVE OFFICER, INTEROS SOLUTIONS, INC.

    Ms. Bisceglie. Chairman Johnson, Ranking Member McCaskill, 
and Members of the Committee, thank you for the invitation and 
the opportunity to speak with you today on the underappreciated 
threats to the homeland that, if not mitigated, could 
significantly damage the Nation's critical infrastructure and/
or disrupt people's lives, especially as it relates to the 
global supply chain and the use of information and 
communications technology (ICT).
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Bisceglie appears in the Appendix 
on page 57
---------------------------------------------------------------------------
    By way of introduction, Interos is a company I founded over 
13 years ago to evaluate the risks in the global economy and 
our business partnerships, alliances, and distribution networks 
that comprise our supply chains.
    The company is built on my over 25 years in the global 
supply chain industry, having helped multiple U.S.-based 
companies create maximum advantage from different skillsets, 
labor pools, and competitive business arrangements with 
partners around the world.
    During those years, I have watched risk concerns in the 
supply chain move from quality to physical security to 
resiliency and now product integrity and the role of the 
digital connection or cyber.
    Published in April of this year, Interos' report for the 
U.S.-China Economic and Security Review Commission for supply 
chain vulnerabilities when sourcing technology specifically 
from China and using that technology in the U.S. Federal IT 
networks stressed several solutions, the most important being 
that the United States establish a national strategy for supply 
chain risk management in U.S. ICT with supporting policies, so 
that the Nation's security posture is forward-leaning versus 
reactive and based on incident response.
    Our adversaries are very public about executing a strategy 
against us. The time has come for us to stand strong and 
visibly protect ourselves.
    In my submitted testimony, I spoke to six areas that are 
directly related to today's hearing. I will be summarizing them 
here for this briefing, with focus on three, and I have been 
massively updating the last one based on your pep talk--and 
then open the remaining time for any questions you have.
    Before addressing the specific areas of the report, I would 
like to stress that whether it is 5G or blockchain, the 
Internet of Things (IOT), or any other emerging technology or 
technological threat, an underlying foundation for security, 
both physical and digital, is an understanding of who the 
stakeholders are, where your vulnerabilities lie, and having a 
strategy for managing those associated risks.
    The solution cannot solely be focused on the latest tools 
and technologies. Cultures need to change. The money needs to 
be spent to educate people on their role in traditional risk 
management.
    Given our position in the market, my company has had the 
opportunity to work with public and private sector 
organizations, spanning multiple industry verticals. In the 
government, we have worked with Defense Intelligence Agency 
(DIA), National Security Agency (NSA), several Office of the 
Secretary of Defense (OSD) members, the General Services 
Administration (GSA), Social Security Administration (SSA), 
Federal Deposit Insurance Corporation (FDIC), Department of 
Energy, and the National Nuclear Security Administration 
(NNSA).
    In the private sector, we have worked with manufacturers, 
the financial institutions, utilities, and others, and the 
situation is always the same. If the organization does not take 
a focused and comprehensive approach to risk management 
prioritized by senior leadership, there will be unnecessary 
exposure and invariably negative impact.
    We would also like to stress that the supply chain attacks 
will continue to become easier, more prevalent and more 
threatening as emerging technologies, such as the one I 
mentioned earlier with 5G, the Internet of Things, and others 
increase the attack surface exponentially.
    As a point of clarification, just briefly, you will hear 
the term SCRM a lot.
    Very quickly in the time that I have left, how reliant is 
the U.S. Government and U.S. IT firms specifically on China 
firms and Chinese-made IT products and services? The answers 
vary. Over 95 percent of our electronic components and IT 
systems supporting the U.S. Federal IT networks and commercial 
off-the-shelf products come from China. They have done this on 
purpose. It is an economic movement, and that is just where all 
the sourcing comes from.
    Number two, to assess the government success in managing 
these risks associated with the sensitive country firms and 
sensitive country-made products, in short, there is very little 
systemic success, and that is part of the reason we are having 
this conversation today.
    And I think the last part is what steps should we take, and 
this goes back to the conversation earlier. I have changed my 
comments. They will align with what I submitted, but six very 
specific things, if I were to leave this room today, the first 
is--and the act that we talked about earlier brought it up--a 
single whole-of-government approach that the Department of 
Defense and other agencies cannot self-elect out of. We are all 
using the same suppliers, and there has to be some sort of 
exception management process because things do pop up, but 
there really just needs to be a single risk-management approach 
for the government.
    There really needs to be somebody in charge, and the person 
needs to report to the head of the agency. And it cannot be a 
political person. This is not a political problem. It is a 
business problem. We cannot keep changing people as the 
Administration changes. You are never going to get ahead of it.
    The third, you need to have a line item resource for the 
agencies to use. Right now, the way that this is managed across 
the intelligence community (IC), the DOD, and the civilian 
agencies, it is robbing Peter to pay Paul. There is no money 
associated to supply chain risk management in the agencies.
    The fourth--and the act does talk on this--is a real 
partnership with industry. We need to fix the Federal 
Acquisition Regulation (FAR). We need to fix the Defense 
Federal Acquisition Regulations (DFARs), the Defense Enrollment 
Eligibility Reporting System (DEERS), and any other acquisition 
strategy we have in the government. The National Institute of 
Standards and Technology (NIST) has a role, but it is as an 
evangelist and a supporter. They are not a leader in this 
conversation. They do not dictate how business operates. This 
is a business problem.
    The second to last is metrics on the impact, not just 
activity, not just how much money did we spend or what are we 
doing, but specifically what mitigations, what problems with 
mitigations and how did we share that information to get better 
as the whole of government. And I think, again, the act can 
help with that.
    And then the last part is not to overclassify this problem. 
That is a problem I run into in every agency, and the thing 
that we have to remember is that this is a global business and 
economic issue, and every time we overclassify it, we reduce 
the amount of people that can have an impact on solving the 
problem.
    So, with that, I will turn it back. Thank you.
    Chairman Johnson. Thank you.
    I am going to reserve my time out of respect for my 
colleagues' time, but one of the big problems in just about 
every one of these situations is the complexity of the problem. 
The expert witnesses, you speak in language that laymen do not 
understand. Again, I really appreciate your expertise, and we 
need it in your written testimony, to answer our questions, if 
you could, as much as possible try and convey this in layman's 
terms. It would be very helpful.
    One of the analogies I use is I am old enough to remember 
``Gilligan's Island,'' and on this island, most of us are 
Gilligans. Not too many professors know how to turn a coconut 
into a battery.
    I do not care whether it is cyber, whether it is EMP, 
whether it is encountering drones. This is incredibly complex 
technology and just science, and that is part of the problem 
the government has in dealing with these problems, is nobody 
understands it in the agencies or in Congress. So that is a 
hurdle I am just really not quite sure how we are going to ever 
overcome.
    But, with that, I will turn it over to Senator McCaskill.
    Senator McCaskill. I want to talk a minute about supply 
chain. I would like your take on this, Ms. Bisceglie and even 
Mr. Mandia.
    I read in the morning paper and what really concerned me is 
the conflict we have going on now in Turkey. We reached out to 
eight nations to help us build the F-35, including Turkey. 
Turkey is building--a cockpit display--is one of their 
companies, defense contractors, and a center fuselage.
    Well, now we have Erdogan in disagreement with the United 
States. So he has now decided he is going to go buy the Russian 
air defense system, S-400 from Russia, instead of working with 
us to acquire the Patriot.
    So now we have this bizarre situation; Russia, who we know 
has conducted cyber warfare against our country, is beginning 
to put an air defense system in the same country that is 
building the cockpit displays and the center fuselage on our 
next generation fighter pilot.
    Should I be worried about this? Ms. Bisceglie.
    [Speaking off microphone.]
    Senator McCaskill. Absolutely.
    Ms. Bisceglie. We are actually talking to the F-35 program 
as well.
    And back to the Senator's comment, to me--and maybe I am 
very simple about this, but this--again, it is a business 
problem. And so we are actually working with a very large 
technology company right now around prototyping, and I will 
bring it back to exactly what you asked about, but the whole 
idea is getting out of the fact that we are in a world that 
there is only a single source of supply. There is not.
    There are either other companies that can be competitive 
that are today competitive or other companies that if we put 
research and development (R&D) dollars into them could be 
competitive. So they do the 75 percent solution; they need the 
25 percent to develop.
    And so with this technology company, that is literally what 
we are doing around prototyping, is figuring out what are the 
products and the components and the software that they are 
going to need in the near and the long term, and how do we look 
globally at where suppliers exist in the world in places that 
maybe we do not want to deal with and we do have to deal with 
them because of cost, because of time that I need that product 
or service, or other places in the world that are a bit more 
friendly to how I do business? And then I can start developing 
it, so I have multiple sources of supply. So I do not have a 
situation that you are talking about right now.
    Senator McCaskill. Except the problem is with this, the 
reason they did this is they wanted to bring down the cost by 
having more orders.
    Ms. Bisceglie. Right.
    Senator McCaskill. So this was a quid pro quo. We are going 
to give you pieces of the production in return for an order for 
100 F-35s because the more we build, the cheaper they get.
    So that to me is the challenge here, is that we are doing 
business with a very sensitive part in an incredibly important 
weapon system with a country that is now playing footsie with 
our cyber enemy.
    Ms. Bisceglie. Right. I think it goes back to my comments 
earlier, and again, ma'am, maybe I am doing this too simply, 
but to me, this is very much a business situation and it is 
risk management that says I am willing to deal with that 
sensitive country because of cost or I am going to pay a little 
bit over here, more over here, because I do not want to deal 
with that country. And if we could get out of the politics, 
understanding that is part of risk management----
    Senator McCaskill. Right.
    Ms. Bisceglie [continuing]. And say, ``You know what? I am 
willing to accept this risk over here, and I am going to 
mitigate more on my side,'' that is a risk management approach.
    What you are talking about is exactly the conversations we 
are not having. We are just saying ``China bad'' or ``Turkey 
bad,'' and that is just not the world we live in.
    The more that our leadership that is actually involved in 
these programs is focused on this is what I can deal with from 
a risk standpoint and this is what I cannot and focus on 
requirements, I honestly think that--businesses have been doing 
this forever. This is really how business is done. We cannot 
get excited over the political aspect. I actually think that is 
to our detriment.
    Senator McCaskill. Well, business and the Pentagon are 
sometimes two mutually exclusive concepts----
    Ms. Bisceglie. Yes, ma'am.
    Senator McCaskill [continuing]. Let me just say, having 
done a lot of work on contracting in the Pentagon.
    Do you have anything you would like to add to that, Mr. 
Mandia?
    Mr. Mandia. Yes. I think at the highest level of 
abstraction, Senator, economics follows geopolitical 
conditions. Cyberattacks are directly linked to geopolitical 
conditions. Security is related to it.
    When I listened to what you were saying, it dawned on me 
that the exact same challenges we have with Turkey building 
very important components and essential components to anything, 
we have the same problem here in the United States. We have 
small companies that cannot protect themselves in cyberspace----
    Senator McCaskill. Right.
    Mr. Mandia [continuing]. But they are building mission-
critical systems.
    Senator McCaskill. Exactly.
    Mr. Mandia. So, obviously, as part of the process, we have 
to build security in it and checks and balances into the 
process, regardless of where construction and where the supply 
chain resides.
    Senator McCaskill. Have either one of you had a chance to 
look at the supply chain risk management bill that Senator 
Lankford and I have introduced? It is very similar to a 
proposal the White House has made. Is there any input you would 
like to have on that legislation?
    Ms. Bisceglie. So I have, and actually, if I had kept to my 
original comments, I think it is a very good start.
    I think when I first heard about it, it heartened me, 
having been in this industry for so long, that we have raised 
the visibility up to this level.
    I think that my comments--and I have been asked to submit 
as well--is that from an implementation standpoint--and I 
understand it is the first time we have gotten the conversation 
to this level--I still do not think we have enough industry and 
business involvement because, at the end of the day, that is 
who is actually going to execute against it.
    So the players that are included in that bill are all the 
normal players from a government standpoint, but I would like 
to see more direct industry involvement, which is not 
necessarily just through trade associations, but specialties in 
different industry sectors, which I think from an 
implementation standpoint will make it more impactful from an 
implementation as well as reduce the cost.
    Senator McCaskill. I am going to turn to another subject 
now. If you have anything else on this, Mr. Mandia, I would 
sure like you to submit it.
    So what happens if the folks at Busch Stadium in St. Louis 
get information that there is going to be a drone incursion, 
and that their sources tell them--maybe it is the St. Louis 
police department--that it is an armed drone.
    So if that were to occur today, what would happen to the 
Cardinal organization if they took it down? What penalties 
would lie against the Cardinal security operation if they 
actually took down that drone?
    Ms. Lanier. So it would depend. First of all, we typically 
would not get intelligence or information that a drone is 
incoming, but if we did and if there was mitigation or 
interception technology available and that was used as one of 
several different types of technologies, it would be illegal 
for them to use that to take that drone down.
    Senator McCaskill. What would happen to them? What are the 
penalties? Do you know?
    Ms. Lanier. I cannot tell you the penalties. It just 
depends on which type of----
    Senator McCaskill. Well, can I just tell you that I will 
represent them for free if they take it down?
    Ms. Lanier. I will pass that along.
    Senator McCaskill. Ultimately at the end of our processes 
in law, there is a jury, and juries are very good about 
weighing the facts. If you let juries decide things, they 
very--I mean, not that they do not make mistakes, but a jury in 
that circumstance, I can assure you would apply common sense 
and say this was a matter of risk management, and what they did 
was the right thing.
    We are going to rush to get something done. We are trying 
to get something done that would give people the authority to 
take action in those circumstances, but it scares the bejesus 
out of me that----
    Ms. Lanier. Unfortunately, this is a discussion that is 
going on, and it should not have to go on. You have people that 
want to make sure they are providing adequate security and 
safety for 70 or 80,000 people, and they want to do the right 
thing. Nobody wants to be at odds with the law under any 
circumstance.
    Senator McCaskill. Right.
    Ms. Lanier. So that is the discussion that goes on, quite 
honestly.
    Senator McCaskill. Well, I just think that, obviously, if 
you are faced with a dilemma of the unknown being harm to 
thousands of people versus the unknown of what happens to us if 
we do it, I just want to encourage them to use common sense.
    Chairman Johnson. Of course, one of the problems right now 
is DHS does not even have the authority to study how to knock 
that thing down. It is a problem.
    Again, if they knock down malign drones, my guess, the jury 
would rule correctly. The problem is, What if they knocked down 
the wrong one in good faith? Then they would have greater 
liability, and that is what we are trying to give. We are 
trying to give them the liability against that type of event. 
Senator Hassan.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you, Mr. Chair and Ranking Member 
McCaskill, and add me to the group that would call for the 
application of common sense here when it comes to protecting 
people at large events.
    I wanted to focus with you, Mr. Mandia, on some of the 
issues that come up with small vendors and cyber threats. In 
your testimony, you spoke about the challenges that smaller 
companies and organizations face from cyber threats. In 
particular, you pointed out that their vulnerabilities not only 
threaten their operations but their partners, their customers, 
their suppliers, and ultimately our country's economy.
    Your point underscores the importance of making sure that 
the Federal Government does all it can to help protect these 
small companies and service providers.
    Last spring, DHS revealed that Russia targeted several 
small vendors through a cyberattack to gain access to our 
electric grid. DHS reported that many of these vendors lack the 
resources or dedicated cybersecurity professionals to detect 
and prevent these kinds of intrusions. It does not seem 
reasonable to me to expect companies with only a few staff and 
maybe one full-time IT professional to be able to defend 
against the fully offensive cyber capabilities of State-level 
cyber actors like Russia.
    What should be DHS's role in helping to secure these 
companies, and what sort of resources should we be considering 
in order to achieve some degree of defense against State-level 
hacking?
    Mr. Mandia. You have to take this in a couple parts. Great 
question, one of great concern to many people.
    First and foremost, if all we do is play defense, if we are 
up against Russia, we are up against Wayne Gretzky on a penalty 
shot, and we have a bunch of goalies out there, where if they 
get unlimited penalty shots, they are going to put the puck in 
the net.
    What I have observed in the private sector in practice is 
the bigs are helping secure the ``smalls'' and taking on some 
of the burden of doing that, but we cannot win if all we do is 
focus on defense, defense, defense. And that is why we need to 
have imposed risks and consequences to those who do it, which 
means we have to get attribution right, support the technical 
assets, the human assets, the international cooperation so that 
we know who is doing these attacks----
    Senator Hassan. Right.
    Mr. Mandia [continuing]. So we can at least weigh a 
proportional response to it.
    But when we also look at it, we have to take it in bite 
sizes. We cannot secure every company overnight, all the 
``smalls''. You have to start with the ones in the critical 
infrastructures, and I believe if you can secure the ``bigs'' 
first, the ``bigs'' will help you secure the ``smalls'', and 
you start with the utilities. You start with health care. You 
start with communications. And you work that way.
    I think you have to take it industry by industry. If you 
protect the company, then you can protect the industry, and if 
you protect certain industries, you can protect the Nation.
    There are three ways to slice it, but we are certainly 
going to need some deterrence to come to the table.
    Senator Hassan. Well, I thank you for that response, and we 
will likely follow up with you on it some more.
    I wanted to move now to the issue of Federal network 
security. According to your testimony, FireEye has worked 
closely with DHS and dozens of civilian and Federal agencies to 
provide these agencies with the capabilities needed to achieve 
a baseline of security against cyber threats.
    As we see increasingly more sophisticated and diverse 
cyberattacks, DHS's role in helping to protect Federal agencies 
and the dot-gov domain from cyber intrusion will become all the 
more important.
    To that end, DHS has endeavored to strengthen the tools and 
capabilities it provides to Federal agencies to protect 
themselves, including the maturation of its two signature 
programs, the EINSTEIN Program and the Continuous Diagnosis and 
Mitigation Program. Can you please talk to us about the value 
of these programs in enhancing Federal network security and how 
they may need to evolve in order to keep pace with a really 
diverse and ever changing threat, a cyber-threat environment?
    Mr. Mandia. Yes, I can, and I will make it brief.
    You have to start somewhere. I was a big proponent of the 
EINSTEIN stack because it sets the floor of how good you are, 
and you know what you are working with. If you can have a 
referenced architecture, it is easier to manage.
    We have a shortage of security professionals. You do not 
want to learn 180 different products. You need to keep it down 
to the five to eight that are best of breed at that moment, but 
you also have to create a learning system. And that is where 
the intelligence comes in.
    At the highest level of abstraction, I have been working 
with the government since 1993 in cybersecurity. We are getting 
better every year, so that is the good news.
    Senator Hassan. Yes. Well, thank you for that.
    Let me follow up with one last topic on the issue of 
cybersecurity generally, which is something you have talked 
about, cyber resiliency.
    You mentioned it in your testimony that one of the best 
ways to counter the threat of a crippling cyberattack is to 
mitigate the effects of such an attack through strengthening 
private and public sector cyber resilience.
    You gave the example of how an Alaskan-based company worked 
to survive a ransomware attack by reverting to typewriters and 
handwritten notes to maintain daily operations.
    While I was Governor, we worked to develop continuity of 
operations plans for our State agencies and government, and 
that included considering how to access data and how we would 
operate without technology.
    Obviously, in an ideal world, we want to avoid bringing out 
carbon paper again, right? But can you help us identify the 
best ways to achieve effective cyber resiliency? What sort of 
mechanism and incentives would need to be put in place to 
encourage the private sector to develop this kind of 
resiliency, and what can the U.S. Government's role be in 
helping to achieve baseline cyber resiliency?
    Mr. Mandia. Yes. I think it is a great question.
    Bottom line is live fire drills. The only way you are ever 
going to get better at something is if you force the issue, and 
you keep it--maybe it is utilities and energy first, health 
care, telecommunications. Financial services are pretty good on 
their own.
    But if you think about it, if the gloves came off in a 
modern warfare today, what are the two top targets? It is going 
to be energy; it is going to be telecommunications. And that is 
where they are mostly in the hands of the private sector. So 
you have to do a joint drill, and they already are doing this, 
but it is the only way to get the unvarnished truth that every 
CEO is operating on: we are as secure as we can get. Even CEOs 
want the live fire drills, and the red teaming exercise to see 
what can happen. Then if you coordinate it, it would be a 1-day 
or 2-day event every year, where you had the private sector and 
public sector do a joint drill, that simple, and that will give 
us both, A, how good are we to get the unvarnished truth, and 
B, so what do we do and how do we operate through it. We will 
learn a lot just by practicing.
    Senator Hassan. Well, I thank you for that answer, and I 
think it also speaks to the need not only to prioritize it in 
concept, but prioritize it in terms of resources because in my 
experience, if you do not assign that kind of coordination and 
practice as a priority and devote resources to it, it always 
gets pushed aside with the urgency of everyday operations. And 
so we need to really focus on it.
    I thank you for your expertise and your help.
    Chairman Johnson. Senator Jones.

               OPENING STATEMENT OF SENATOR JONES

    Senator Jones. Thank you, Mr. Chairman, and thank you to 
all the witnesses for being here today. It is really 
informative for us.
    Ms. Bisceglie, I would like to ask you a little bit more 
about the supply chain.
    I had lunch with a friend of mine in Mobile the other day 
whose company ships all over the world. They are in ports all 
over. We talk about the supply chain. We talk about infecting 
the supplies and those kind of things, as Ranking Member 
McCaskill said a minute ago. But to me, it is also a problem 
with the shippers, that those could get hacked. And you divert 
or either destroy shipments going across, and I would like for 
you to address that just a moment because the public-private 
partnership seems to me very important with folks like that to 
be able to work with the government to try to minimize those 
potential attacks. I would like you to address that.
    Also, when you were giving us your list of things to be 
done, you warned against overclassifying the problem, and I 
would like for you to just dive into that just a little bit 
more for the record to explain what you meant by 
overclassifying which I think government often tends to do.
    Ms. Bisceglie. Thank you for both those questions.
    So your point about the delivery mechanisms, to me, that is 
part of the supply chain. When we talk in the industry, we talk 
about sub-tiers, and it is one thing I do not think, to the 
point you are making--in the government, we are not thinking 
that way yet, so again, back to the act that is being created--
the bill that is out there.
    The more that we start talking about all of the levels of 
the supply chain, which is not just the people producing widgets 
but how those widgets move to the next step, I think it is 
incredibly important. And when you talk about widgets moving to 
the next step--and I do not care if that is software or 
hardware--that is the physical delivery, so the boats and 
trains and automobiles and all the people involved in that. It 
is the electronic. It is the blockchain updates. It is the 
Electronic Data Interchange (EDI). It is however you are 
sending that information, open source software, but it is all 
of those mechanisms.
    So if I were to just take a quick example, if I was to make 
this pen, so I am the holder of the pen, somebody behind me 
cobbled that together. I bought it at Staples. Somebody behind 
Staples cobbled it together. Then you explode the pieces, and 
in between all of those it was mailed, right? Was it put on a 
truck? And who are all those people? Humans involved in all of 
that. To me, that is the multi-tiered supply chain.
    We do visualizations of those types of relationships at 
Interos in my company, and we just did this for one of the 
top 10 banks, the top 10 banks in the country. And when they saw 
how interconnected they were with their suppliers--and not just 
who they thought they were directly connected to, but how that 
same company was actually a tier 2 and a tier 3 and, to your 
point, delivery partners, they had no idea.
    So, to me, the more that we as a government partner with 
industry and think of all of the sub-tiers and all of the hands 
that touch it, that is really the only way to solve this 
problem. So it is expanding that definition.
    The second thing on the overclassifying is that we do this 
because we do not understand, and part of what we do not 
understand is that this is a business problem that needs to be 
solved. And the second piece is that most businesses do not 
have the clearances because they do not need the clearances to 
actually get the job done.
    Back to the Senator's point, the more that we can kind of 
dumb this down and talk about it just business to business, put 
it into requirements, and so the Senator's point, a lot of the 
small and medium size businesses, the more you put these things 
into requirements and say as part of your contract, you have to 
do X, Y, Z, the better off we are going to be. And 
classification does not come into that.
    Most of the people that actually have to take actions and 
provide solutions do not have clearances.
    Senator Jones. All right. Thank you.
    Ms. Lanier, you said something in response to Senator 
McCaskill's question that struck me a little bit because, 
obviously, the drone issue concerns everyone. Alabama, my 
State, has a lot of outdoor events, whether it is the music 
festivals, whether it is the sporting events. We are in the 
fall, and college football is a really big deal right now. In 
fact, many people would think that Alabama should be in the NFL 
rather than the NCAA, but we will not go there.
    But you mentioned that you might not have any notice about 
an incoming drone, unlike our missile defense system or 
something like that. Would you talk about that a little bit 
more and what can we do now to maybe at least get that on the 
radar, so to speak, a lot of people want to take a picture over 
Bryant-Denny Stadium when it is full. I get that, but they 
should not.
    What can we do right now to maybe help in that aspect to 
just put people on notice? Is there something we have the tools 
with now?
    Ms. Lanier. Well, there are efforts under way to try and 
educate people. A lot of it is people that are just not 
educated that there are flight restrictions that prohibit the 
use of drones over most of these large events, like the NFL 
stadiums on game days. So getting that message out has been a 
huge effort to try and educate folks.
    And there are detection systems. So the technology that is 
there now comes in two different sets. There are detection 
capabilities, and then there are interdiction capabilities. Some 
of the technology that is available--and, again, mostly illegal 
to use--can detect that a drone is incoming.
    A lot of times, they are launched from a parking lot right 
near or very close by.
    Senator Jones. Right.
    Ms. Lanier. So there is not a lot of lead time, not a lot 
of advance warning that they are coming. So the detection 
systems would be one thing, but the interdiction systems are the 
other part of that. And that is kind of what we have been 
talking about here today, is the ability for someone to have 
the authority to use that, from a law enforcement perspective 
to use that technology to intercept that incoming drone so that 
it does not make its way into the stadium, into the seating 
bowl where all of those thousands of people are gathering.
    Senator Jones. The restrictions that are currently in 
effect, I think--and maybe I am wrong about this, but as I 
understand it, there are restrictions about flying a drone 
within 3 miles of any event that is holding 30,000 or more 
people. Is that correct?
    Ms. Lanier. That is correct, and that is the one that is 
more difficult to educate people on because it is a temporary 
flight restriction.
    So there have been some measures put in place to geo-fence 
areas around airports, so that drones cannot go into those 
restricted areas, but the temporary flight restriction that 
goes along with mass gatherings, with that threshold and 
higher, is much more difficult to educate and is not as easily 
programmable into drones.
    Senator Jones. OK. All right. That is all.
    I may have some questions for the record, Mr. Chairman. 
Thank you very much for having this hearing.
    Senator Johnson. Thanks, Senator Jones.
    I do want to underscore the importance of public awareness. 
It is one of the reasons we are holding this hearing to make 
the public aware that we have these threats, whether it is the 
flight restrictions, public exposure in terms of the hacking, 
whether it is Kaspersky Labs. I think public exposure is 
extremely important when it comes to cyber defenses. Just 
people's awareness so they can start looking at their own 
vulnerabilities is incredibly important. Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Thank you, Mr. Chairman.
    Thank you to each of our witnesses for your testimony here 
today.
    While we meet today to talk about the evolving threats to 
the homeland and look at major threats like cyberattacks, 
electromagnetic pulses, and drones, I would like to express my 
concerns about the broader issue of crisis response under our 
current Administration.
    I was disturbed this morning to see that the President took 
to Twitter to make false claims about the death count in Puerto 
Rico, which comes days after he claimed the government's 
response to Maria deserved an A plus.
    Nearly 3,000 Americans died as a result of Hurricane Maria 
and the inadequate response that followed, and yet the 
President does not accept those results and denies any 
responsibility for the failures in 2017.
    3,000 deaths is not a number invented to attack the 
President, as he claims. It is the acknowledgement of real 
human lives. Each number represents a person that trusted in 
their government to help them in their time of need. Hurricane 
Maria was devastating, and our country will continue to face 
evolving threats from a variety of hazards, manmade as well as 
natural.
    Americans should not have to worry that in a time of 
crisis, a true national emergency, our commander in chief 
would cast doubt on very real, very human impacts of the 
crisis.
    And as Hurricane Florence now bears down on the Carolinas, 
we have to make every effort to ensure that the Federal 
Government is well-positioned to support everybody in its path, 
but we cannot forget about the continuing crisis in Puerto Rico 
and the systemic challenges that led to the horrifying death 
count that the President today denied on Twitter.
    Our Committee or the Federal Spending Oversight and 
Emergency Management (FSO) Subcommittee should make use of the 
broad jurisdiction of the Department and governmentwide 
emergency response to exert strong oversight and hold officials 
accountable.
    Mr. Chairman, I think we should hold a hearing on the 
failures and lessons learned from the responses to Hurricanes 
Harvey, Irma, and Maria and hope that we can have a dedicated 
hearing on that issue.
    Chairman Johnson. Right now, we have a different subject.
    Senator Peters. I know, but this is of critical importance. 
And I would hope that we would do that. We were trying to do 
this in the Subcommittee, and we were informed that the 
Administrator does not go to a Subcommittee even charged with 
oversight of the Federal Emergency Management Agency (FEMA). We 
would hope to have your help in getting the Administrator here 
to answer questions.
    Chairman Johnson. OK. I would like FEMA right now to 
concentrate on the hurricane season currently, but we will look 
at that.
    Senator Peters. I appreciate that, Mr. Chairman.
    Certainly, cybersecurity, which is our issue that we are 
here today to discuss, is a vital component of all of our 
critical infrastructure. Mr. Mandia, do you put in that 
category chemical facilities or ones that are potentially 
susceptible to significant cyberattack and could present a risk 
to critical infrastructure?
    Mr. Mandia. Yes. I do not know if I can speak to the 
specifics of all the chemical facilities out there and their 
cybersecurity posture in defense, so no.
    In my prepared remarks, I did talk about indiscriminate 
attacks, and certainly, every single individual and every 
single organization, should the gloves come off in cyberspace 
and there is an escalation, we are all going to get targeted. 
That is the interesting thing about cyberspace. It is 
infinitely scalable and can go broad.
    A lot of times, the individualized security of one 
organization in that industry is only going to be as secure as 
the weakest link in that industry.
    Senator Peters. Well, I raise the issue of chemical 
facilities because I have heard that inspectors in the Chemical 
Facility Anti-Terrorism Standards (CFATS) Program, who mostly 
have physical security backgrounds, are worried that they 
do not have the appropriate knowledge and training to assess 
whether or not the facility owners have appropriately addressed 
the risk to cybersecurity.
    So my question to you is, How can we get these folks the 
training that they need, and certainly fits into their very 
busy schedule now in order to be able to supervise these 
activities?
    Mr. Mandia. I can tell you, speaking generically, as a 
public CEO, you never want to see more and more regulation. The 
reality is regulated industries, generally, at least you can 
set the benchmark or threshold for what security they will 
have, and if it is important enough to the Nation to secure 
those types of organizations that create certain chemicals, you 
could regulate them. You could find a way to do a benchmark of 
security that they have to have. And once that is the case, 
there are plenty of opportunities to hire cybersecurity 
professionals. There is plenty of training that they can 
obtain.
    And we saw work in the private sector with the payment card 
industry. The private sector regulated itself and said, ``Here 
is what we need to have to secure credit card data,'' and they 
forced you to do vulnerability assessments and different types 
of assessments. And anyone who processes credit card data 
applies those standards to them.
    Senator Peters. Mr. McBride, I have been a proponent of 
improving our understanding of geomagnetic disturbances from 
space weather for some time now, and I teamed up with Senator 
Gardner on the Space Weather Research and Forecasting Act back 
in 2016.
    We had William Bryan, the nominee to the director of 
Science and Technology (S&T) at DHS a couple of weeks ago. I 
asked him what role his organization can play in preparing our 
Nation for a potential space weather event. He responded that 
he will work with the DHS and other customers to determine what 
requirements needed to be worked toward in this area.
    So my question to you is, in your opinion, in what areas do 
we know what these requirements are, and in what areas do we 
need more research to better understand how our critical 
infrastructure may be impacted by a space weather event?
    Mr. McBride. So the electromagnetic pulse threat is 
multifaceted. We have high-altitude nuclear detonations that 
create an E1, E2, E3 effect. So it is the full spectrum of the 
EMP pulse.
    We have things like flux compression generators. We have 
the sun. The sun particularly--the E3 portion of the EMP pulse 
with geomagnetic disturbance can be minutes or even up to 
hours. That threat is ultimately going to potentially cause 
damage to large substation power transformers.
    We have never combined in the models or otherwise the 
entire waveform associated with the EMP threat, E1, E2, and E3. 
I believe that is a huge knowledge gap that needs to be 
experimented and understood.
    In addition, nobody is in charge. So DHS, we have been 
doing some work for the Department of Energy Office of 
Electricity, understanding what EMP and GMD risks to the power 
grid are. DHS, their mode was they asked a particular person to 
stay abreast of what others are doing relative to the 
electromagnetic pulse threat.
    Department of Defense recently formed their electromagnetic 
defense task force, which I participated in 3 weeks ago. Nobody 
has really taken ahold of whose responsibility is it to 
mitigate this threat to the power grid.
    I believe for EMP E3, with an investment of somewhat less 
than $4 billion, we could mitigate that vulnerability to our 
most key resources in our extra high-voltage power grid. That 
technology exists. We have tested and validated it. We know how 
to do it. Where we do it and who funds it is the big challenge 
that we face.
    Senator Peters. Thank you.
    Chairman Johnson. As long as we just made that point, I 
want to talk about how reasonable that cost is. Less than $4 
billion, we had testimony here earlier with Dr. Richard Garwin 
on the Carrington Effect that happened about 150-some years 
ago.
    Mr. McBride. 1859.
    Chairman Johnson. 1859.
    We have generally--figure that one of those large-scale 
solar storms once every 100 years. Richard Garwin said we have 
a 10 percent chance every decade of having something like the 
Carrington Effect.
    Again, we have been dodging that bullet now for over 150 
years. If we were to experience that with today's electronics 
and technology, what would the cost of a massive solar storm--
what would the potential cost be that we are trying to mitigate 
with about a $4 billion expenditure?
    Mr. McBride. I believe that cost would be in the trillions 
of dollars, significantly less than the cost to replace the 
infrastructure that would fail due to a Carrington-level event.
    Chairman Johnson. And hundreds, thousands, tens of 
thousands of lives lost?
    Mr. McBride. Very likely. It would be the socioeconomic 
disaster that this country has never seen.
    Chairman Johnson. So you take a look at Puerto Rico who 
lost power, but we could try and surge resources and help that. 
There would not be too many people coming to rescue on 
something like that type of event, correct?
    Mr. McBride. That is correct.
    Chairman Johnson. Again, Senator Peters, I appreciate your 
concern about this. We share that, and we will continue to try 
and figure out and get somebody put in charge of that. Senator 
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman.
    We also are on multiple committees, and we just finished 
one of my hearings. So I am happy to be able to join you now at 
this hearing. I missed your testimony and had a chance to look 
at it, and I appreciate the chance to ask you some questions.
    I am told that some of you mentioned in your testimony the 
Russian campaign to hack the U.S. Presidential election in 
2016. Attempts by Russia and Russian government-backed actors 
to interfere in sovereign elections are not new. In 2014, that 
country orchestrated a campaign to interfere in the elections 
in the Ukraine. My wife, who has been with some of her friends 
and colleagues from DuPont from years ago, has been in Georgia 
this week, and she is sharing with me some of what Russia tried 
to do in Georgia that we are familiar with.
    U.S. intelligence agency or the U.S. intelligence community 
said in its 2016 report that a criminal will likely continue 
using cyber campaigns to interfere in elections for two simple 
reasons. They are cheap, and there seems to be no consequences.
    Mr. Mandia, your testimony said much the same thing.
    Yesterday, President Trump signed a general Executive Order 
that would impose sanctions on countries found to be 
interfering in our elections, but he has failed to impose 
sanctions on Russia, despite explicit authorization from the 
Congress.
    The Republicans in Congress recently defeated an amendment 
from Senator Leahy that would have provided States with an 
additional $250 million for election security.
    I would just ask. Again, I think, Mr. Mandia, from you and 
Ms. Bisceglie?
    Here is the question: Do you believe the United States 
could do more, should do more to deter and prevent cyberattacks 
on our election infrastructure in order to protect our 
democratic processes? That is the first part of the question.
    The second half of the question would be, What steps in 
particular do you recommend that those of us here in Congress 
focus on first?
    Kevin, do you want to go first? Thank you.
    Mr. Mandia. Well, for the next 30 minutes, I will be 
outlining the steps we need to take. No, I am kidding.
    But the bottom line is right now it is an interesting time 
to be impacting cybersecurity. Every modern nation does not 
know where the border is for behavior. There are no 
international rules of engagement, and I observed the Russian 
behavior from 1995 to 2000 and whatever today is.
    For the most part, we have observed their offensive 
capability on a daily basis. I have done thousands of hours of 
forensics looking at some of the machines compromised from 
threat actors in Russia, whether criminal or government-
sponsored. Sometimes it is hard to tell the difference.
    The bottom line is if all we are ever doing is playing 
defense, we are always going to be having a little mop-up on 
Aisle 5 to do in cyberspace somewhere just because the 
asymmetry between offense and defense, it is almost hard to 
explain.
    We are trying to defend millions of machines, but as long 
as there is a communication channel into your organization from 
another human and there is anonymity on the Internet, you are 
hackable. It is just that simple. Whether that communication 
channel is email, Skype, instant messaging. Facebook wall is 
just waiting for somebody and baiting them to it.
    So this is a complex channel where you have to have a 
doctrine that imposes risk and repercussions. The problem is it 
is also hard to write a red line in cyberspace. The demarcation 
of what is acceptable and what is not acceptable is still 
blurry.
    What I have seen in the last few years--and I am indirectly 
answering your question--is we are seeing indictments. We are 
getting attribution. We are making indictments. A lot of people 
ask, ``Does that matter?'' The answer is yes. We have a 
sovereign nation and a Department of Justice pointing the 
finger at nation-states and individuals in those nations.
    Over time, even if the government cannot impose risks and 
repercussions, the Internet experience from nations that harbor 
cybercriminals and different--what I call trench warfare in 
cyberspace by nation-state actors, their Internet experience is 
actually going to be different.
    There are private sector organizations that block every 
Internet Protocol (IP) address from Russia today. That is going 
to expand and expand and expand.
    The bottom line is the private sector is doing what is in 
its realm to defend itself, and it is looking to the government 
to do its best to get attribution right and to impose risks and 
repercussions and to have some predictable doctrine so that we 
can govern the behaviors.
    And it is going to happen. If we do not do anything soon, 
Senator, what we are witnessing is escalation, and the reason I 
told you the years I have been responding to Russia is for 
whatever reason, in August 2015, we saw them change rules of 
engagement that they followed with great discipline for the 
prior 20 years. Suddenly, they started targeting wider, started 
doing less counter-forensics, started attacking anti-Putin 
professors, started posting things that they stole. Those 
behavior changes, if unchecked, will keep escalating.
    So we are going to have to sort it out. The answer to that 
is going to be a lot of folks sitting in the room trying to get 
that doctrine piece together. We have been working on this for 
20 years. It is not simple. We have been admiring the 
complexity of it, but we have to start somewhere.
    And that is enough of my statement.
    Senator Carper. All right. Thanks so much.
    Jennifer, I will just use your first name, if you do not 
mind.
    Ms. Bisceglie. No, that is fine.
    Senator Carper. Again, two-part question. Do you believe 
the United States could do more to deter and prevent 
cyberattacks on our election infrastructure in order to protect 
our democratic process? And, second, what steps in particular 
would you recommend that we take here in Congress? Where should 
we focus first?
    Thanks.
    Ms. Bisceglie. Thank you.
    And I absolutely agree with everything that Kevin outlined.
    Back to the Federal Information Technology Supply Chain Risk 
Management Improvement Act, to me, this is a perfect example of 
where they could have some impact. It is really the players 
that are at that table looking at what the doctrine should be 
and then really looking at all of the sub-tier relationships 
because it is not happening at the voting machine level. It is 
all the components in it that expose you to a lot of the 
communication concerns that Kevin just outlined. To me, that is 
a perfect opportunity for what you have put out there to say 
let us really understand all the different levels, all the 
different players, what is important, where the opportunities 
are that we are exposed to, because I agree we need to have an 
offensive, but we do need to have a defensive at the same time 
because you have people involved.
    And so I think if you follow the steps that Kevin just 
outlined, it is perfect. Take this act. Take this bill that is 
out there and really start focusing on the sub-tier 
relationships, and we are going to be better off.
    The last thing I would like to talk to you--and it comes 
from all the questions that have been asked--you really cannot 
separate these two conversations. The supply chain and the 
cyber concern is a physical and a digital relationship, and you 
cannot separate those things anymore. Whether you are talking 
about the F-35 or logistical ports or voting machines, this is 
the same conversation, and it has to be done hand-in-hand or we 
are going to miss something.
    Senator Carper. Thanks to both of you. In fact, thanks to 
all of you.
    Chairman Johnson. A quick little comment. This is really 
more Senate Foreign Relations Committee, but we held a hearing 
with the North Atlantic Treaty Organization (NATO). The question 
I raised in that hearing last week and the one I will continue 
to raise is we need an attitude change. When you look at NATO, 
the combined economic firepower of NATO is well north of $30 
trillion. Russia is less than two. How can NATO, how can the 
EU, how can America allow that puny little economic power to 
push us around this way? Because we just have to change that 
attitude. We are the 800-pound gorilla, and it is really absurd 
what we are allowing Russia to get away with.
    But, anyway, I have questions. I want to ask each of you--
and I will start with Mr. McBride. Who should be in charge of 
this effort? Which Department, which agency is best positioned 
to be in charge of GMD, EMP, and I would say even responsible 
for reestablishing the grid, even with a cyberattack?
    Mr. McBride. I believe as the sector-specific agency for 
the electric grid in the United States, the Department of 
Energy should be in charge of mitigating this threat.
    Chairman Johnson. So, obviously, Department of Defense, 
Department of Homeland Security would be involved in that, but 
the lead agency should really be the Department of Energy?
    Mr. McBride. I believe that to be the truth. Yes.
    Chairman Johnson. OK. Ms. Lanier, when it comes to drones, 
what do you think? You have been in law enforcement. Who should 
be in charge of that effort?
    Ms. Lanier. Well, in charge of the effort, I would say 
probably DHS.
    Chairman Johnson. Because right now, it is FAA.
    Ms. Lanier. Correct. I would say probably DHS.
    And I would also say that, as I mentioned in my testimony, 
both my written and my oral testimony, I think it is really 
important that we find some way to integrate State and local 
law enforcement on the back side of that DOJ-DHS effort. I 
think they are really important. That is why they are the first 
responders.
    And the threat that is posed by drones, to detect and 
interdict it, it is going to be critical to have State and local 
law enforcement tied in there.
    Chairman Johnson. Mr. Mandia and Jennifer, in terms of 
cybersecurity, who should be taking charge?
    Mr. Mandia. It is going to depend on mission. It is that 
simple.
    Right now, when it is law enforcement, you see the FBI 
primarily present, but local law enforcement will be present as 
well.
    In regards to other operations in cyber, you will have the 
intelligence agencies. I just think it is more complex because 
you also had the private sector, and there is usually an 
alignment by industry where energy companies and utilities are 
aligned to figure out what is best practice for us and what do 
we do. The financial services and the Financial Services 
Information Sharing and Analysis Center (FS-ISAC) are aligned. 
So you see the private sector trying to regulate the private 
sector in many ways as well. I gave you that example, the 
payment card industry.
    I think it is hard to pick. Do you have one cyber czar in 
charge of all this when you have so many missions and so many 
industries impacted by it?
    Right now the system is working pretty well. I think 
probably the biggest change we could make in the government is 
because there is a shortage of cybersecurity professionals, you 
may want to have the DOD doing what they do. The intelligence 
agencies are doing what they do, and there may be other 
agencies like FAA and a few others that need to do it alone, 
but there is probably an opportunity to consolidate a single 
computer emergency response team--that is the security 
operations center for 100 government agencies. Why not? We do 
not have the effort to do it.
    Chairman Johnson. Where should that be housed?
    Mr. Mandia. Sir, I would pose that question to you.
    Chairman Johnson. Well, Ms. Bisceglie.
    Ms. Bisceglie. So it may be a little snarky, but my point 
is whoever is going to actually do it is who should do it.
    Chairman Johnson. That would be good criteria, right.
    Ms. Bisceglie. So the latest one I have seen for supply 
chain in cyber is Homeland Security. If we are going to do 
this--and I do agree with what Kevin, again, just laid out.
    But my thought is I would have a dotted line. I would have 
the alignment by industry because even when you look at an 
industry, you have all the different pieces that go into it. So 
I would have the dotted line to Department of Energy, to the 
DOD, to whatever they are responsible for, get away from the 
partnerships. The idea of a GSA and DHS partnership is really 
very difficult. Somebody has to be responsible.
    And then, again, get away from the political agenda, which 
to the point that you just said forces that cultural shift that 
really needs to occur.
    Chairman Johnson. You have all mentioned that you really 
need the information sharing with private sector and 
government. That has always been the problem with DOD taking 
charge, and that is one of the reasons people look at DHS as 
kind of the default agency that can work with private sector.
    But, again, who has the greater capability?
    Ms. Bisceglie. So, in my opinion--and I do not want to put 
myself out of business, but this is--to the point that you 
said, this is a culture.
    There was actually a memo that you are probably aware of 
that went around last year in the Department of Defense that 
actually gave their people permission to talk to industry. That 
is not a law. That is a culture. And so the more that we help 
folks understand that businesses are the ones that are going to 
solve this--this is not government to solve. Regulatory, I 
agree with. It is businesses to solve and change the culture.
    Chairman Johnson. I think there may be reluctance from the 
private sector to be contacting DOD or NSA.
    Mr. McBride, I will just have you chime in on this one on 
cyber. You have some knowledge of this.
    Mr. McBride. Yes. So, for several years, Idaho operated the 
Industrial Control Systems Cyber Emergency Response Team 
(ICS-CERT). So we were in a reactive mode. Where there is an 
attack in the Ukraine, we send fly-away teams out, collect that 
forensic data from their networks. We reverse-engineer that in 
our malware lab, understand what the malware can do, and 
develop mitigations for that.
    Department of Homeland Security has now closed the ICS-
CERT, and now it is all operated through the National Crime 
Information Center (NCIC) here in--I believe DC.
    Sharing information with the asset owners that need to know 
what the threat and intelligence is has been a difficult 
problem. I think we can improve that. Some people are now 
getting security clearances, where the threat intelligence can 
be shared with them.
    There is a new program that has just been stood up that is 
trying to change from a reactive mode into more proactive. 
Countries like Chechnya, Estonia, the Ukraine, they have told 
us that they feel like they are test beds for Russia. So Russia 
develops a cyber capability. They exercise that on one of these 
three countries.
    We have people all over the world collecting intelligence. 
We want to be able to develop mitigations for threats, 
vulnerabilities, and malwares that are discovered prior to 
arriving on U.S. soil.
    The intent is to create a proactive mitigation strategy for 
cyber threats.
    Chairman Johnson. OK. But do you all agree somebody has to 
be in charge? I mean, this cannot be five, six, seven different 
agencies, just line authority and nobody really with the 
authority to make sure that there is commonality in our 
approach and that type of thing. Just yes, yes, yes, or what is 
it?
    Mr. Mandia. It is tough because I still think it aligns by 
industries. If there was an all-out cyber campaign against this 
Nation, you are going to see the financial services circle the 
wagons. You are going to see the utility circle the wagons. 
Largely, a lot of the attacks against those two groups may be 
wholly different.
    If you are attacking a utility to shut it down, the attack 
looks one way. If you are attacking the financial services to 
disrupt it, it may look a little bit different.
    What I have observed in threat actors is they actually do 
align a little bit by industry. So you will circle the wagons 
that way.
    Overall, coordinating that event and that response, it is 
hard from where I sit to say it is not the DOD during times of 
war.
    With that being said, during times of perceived peace, 
right now, I have observed we have a shortage of folks to 
protect our networks. It would make sense to centralize for 
most government agencies that defense component and capability.
    Chairman Johnson. I am just going to continue down my list. 
I have a lot of questions here.
    Mr. Mandia, you are talking about attribution----
    Senator Carper. Mr. Chairman?
    Chairman Johnson. Pardon?
    Senator Carper. Could I just follow up on your question?
    Chairman Johnson. Sure.
    Senator Carper. It is just a follow-on, if I can.
    When we passed out of this Committee legislation 
reauthorizing DHS, one of the provisions in that 
reauthorization dealt with National Protection Program 
Directorate (NPPD) and in which we sought to make it clear that 
they had the skills, the responsibility and so forth to work in 
this arena.
    I think a bunch of us believe that we all share the goal of 
ensuring that NPPD functions as a full component of the 
Department and it has resources that are necessary to carry out 
what we all think is a critical cybersecurity mission.
    Would any of you care to comment on the importance of 
authorizing a dedicated cybersecurity agency within DHS to work 
with the private sector in order to address these kinds of 
threats?
    Ms. Bisceglie. I think it is very important. I think it is 
important to have somebody in charge with a charter, and if 
NPPD is the place, they have to have a charter. They have to be 
resourced appropriately from a skills set standpoint as well as 
financially, and then they need to be held accountable and 
again not just around activity but for the integration across 
the players, as Kevin keeps outlining, and what are we actually 
doing about it?
    Senator Carper. Thank you.
    Anyone else?
    Mr. Mandia. Centralized is going to be better than 
decentralized.
    At the end of the day, you look at what Britain did and the 
UK. They have one place where everybody reports every single 
event to, not a multitude of them. Overall, you will have a 
better learning system if you do centralize all the intel 
coming in and have one coordinating point. Yes.
    Senator Carper. All right. Thank you, Mr. Chairman.
    Chairman Johnson. Israel has one directorate reporting 
right to the prime minister. So we need to look at those 
models.
    But, Mr. Mandia, you were talking about attribution 
offense. What came to my mind during that process was just 
definition of the problem too.
    I have been doing this for 7 years, and I kind of define 
the whole cyber issue in four buckets--crime, cybercrime; 
espionage, industrial espionage; then just malicious activists, 
OK; and then warfare, those four buckets.
    I completely agree with you. As long as we are just on 
defense, that is where we are going to be, and offense is going 
to get better and better capabilities.
    You need to have some kind of deterrent, but the problem 
there is attribution and if you go on offense, to do it right. 
Can you just speak to that concern?
    Mr. Mandia. Well, I do know this. You can easily frame it 
exactly how you just did. You have criminals. You have 
espionage. You have just malicious intent, destroy whatever you 
can, and you have warfare.
    But what we observed was amazing for me. In September 2015, 
we had some kind of agreement with China. I do not know if it 
was written or not, but what we observed in cyberspace is prior 
to August 2015, we saw between 60 to 80 U.S. companies 
compromised every month from cyber espionage campaigns out of 
China. August, it goes down to four.
    Chairman Johnson. And you wrote the book on that, right?
    Mr. Mandia. Right. Well, we exposed it in the New York Times 
in 2013 just because it felt unfair having folks barge into a 
building in a military unit and hack into a brick-and-mortar 
firm in the United States; it did not seem like a fair fight.
    The bottom line is we saw, after some agreement was 
reached, those attacks go down to four and hold steady for a 
long time. So there are certain nations we can, in fact, have 
agreements on rules of engagement, and I would argue, we have 
had them for decades with Russia even until recently. It seems 
like they have escalated.
    So where you can get that kind of agreement, we should do 
it, and where you cannot, that is where the complexities arise.
    Chairman Johnson. Well, to get back to your point about too 
much classification--again, I will go back to Kaspersky. When 
we first found out about that, we knew about them for almost a 
decade. We allowed that business to grow and be a security 
platform for most computers here and exposed ourselves. To me, 
that public exposure is incredibly important.
    I mean, in your Mandiant report, I think it was 2014, on the 
People's Liberation Army's (PLA's) little operation there.
    China, I think is particularly sensitive to public exposure 
and disclosure on these things.
    I think Russia certainly could possibly, as long as we are 
making them pay a price for these things.
    I could not agree with you more that we way overclassify 
these, and it is to our own detriment. And we are saying we do 
it for national security, and I think we are actually risking 
our national security by not making more of these things 
public.
    I want to talk a little bit about government control versus 
private sector. Private sector would be more nimble. When I sat 
in a hearing over there early on--this was in probably 2012--
talking about the Collins-Lieberman bill, a representative from 
DHS--I asked him point blank, ``How long will it take you to 
write the regulations, contemplating this piece of 
legislation?'' With a straight face, he said about 7 years.
    To me, an insurance model will really help discipline this 
process. I would like you to talk a little bit about that, Mr. 
Mandia, because you sort of touched on this. Where are we in 
terms of ensuring cyber risks, and do you think that is an 
effective model?
    Mr. Mandia. Well, I do think it has been in the discussion 
since the late 90s. When you look at risk, most CEOs want to 
deploy their own risk framework to their organization. If you 
are not a regulated entity, it is your risk profile that you 
need to implement at your company.
    I do believe insurance--I think it is inevitable, quite 
frankly. We have talked about it for multiple decades, but 
there is cyber insurance available, and the question becomes 
who sets the floor for how good we are at cybersecurity?
    It is real hard for the government to have sweeping 
legislation that says here is how good you need to be whether 
you make cupcakes, make hamburgers, or make missiles.
    I do not think it works. I think you can self-regulate, and 
the private sector can do this. And insurance is probably one 
way where that can come to fruition. That if you do want cyber 
assurance and maybe even you have to get it if your company is 
shaped a certain way, has a certain number of employees, or for 
maybe certain industries. We have regulations for utilities. We 
have them for financial services. Those are pretty much taken 
care of, but for a lot of the mom-and-pop shops that are 
driving business, maybe insurance is the right route in that 
they get--basically it will be the insurance companies that say 
here is how good your cybersecurity needs to be, here is the 
floor, and at least we can start benchmarking the 
infrastructure security.
    Chairman Johnson. Well, then through the supply chain too, 
like International Organization for Standardization (ISO) 
certification, you can also certify sub-tier suppliers to do 
those audits again. That can all occur in the private sector.
    Senator McCaskill, do you have any further questions?
    Senator McCaskill. No.
    Chairman Johnson. Let me in this case--because, again, we 
had some good questions. We have some real experts here. Is 
there something that somebody touched on that we were not able 
to really kind of flesh out?
    I will just kind of go down the list or down the witness 
panel here. Is there something you want to say just in a 
closing comment? Mr. Mandia.
    Mr. Mandia. No. I have said enough.
    Chairman Johnson. OK. Ms. Lanier.
    Ms. Lanier. Yes. I think I missed an opportunity to 
reemphasize the main points that we wanted to get across today.
    Again, I mentioned in my written testimony, we support the 
Federal Aviation Administration's efforts to adopt and 
implement the remote identification requirements for all or 
nearly all drones that are sold or operating in the United 
States.
    We also feel that Congress should revise the hobbyist 
exemption in Section 336 of the FAA Modernization and Reform 
Act of 2012. The current hobbyist exemption permits far too 
many drones to be operated by unlicensed and untrained pilots.
    And we support the aims of your bill. The Preventing 
Emerging Threats Act of 2018, which would extend drone 
interdiction authority to Department of Homeland Security and 
Department of Justice. The bill represents an important step 
forward in helping to provide greater protections. We just want 
it to go a little further and include State and local law 
enforcement officers that are on the front lines every day at 
mass gatherings trying to protect thousands of people.
    So thank you for letting us participate.
    Chairman Johnson. That would be the next step, no doubt 
about it. Mr. McBride.
    Mr. McBride. So I would like to mention that in the United 
States, we have public power utilities like Request for 
Equitable Adjustment (REAs), co-ops, and municipals. They are 
owned by their members, by their customers, and they are 
unregulated. And then we have the investor-owned utilities 
which are regulated. They are regulated by the State public 
utility commissions and by the Federal Energy Regulatory 
Commission (FERC). I think it is important that government-
private partnership be developed because the utilities that are 
not regulated, unless they are told they have to do something, 
they are probably not likely to do it. So I believe the 
responsibility to the asset owners would be to identify, do the 
modeling and analysis, to identify those critical assets that 
need the protection against the threat of EMP or GMD, and then 
the government, I think has to help them implement the 
mitigations for those.
    Chairman Johnson. Thank you.
    Ms. Bisceglie, did I ever get that right?
    Ms. Bisceglie. That was awesome. You did.
    Chairman Johnson. Oh, OK. Great.
    Ms. Bisceglie. I think our biggest thing was to really 
centralize it and line item fund it, but on your last question, 
if I could, the difference to government and the private 
sector, I think the biggest thing--and again, I think that the 
bill for the Federal Information Technology Supply Team Risk 
Management Improvement Act, the Government really needs to 
understand what they are inherently responsible for and what is 
important to them. So is it the voting machines that were 
involved in the Census 2020? What is important? Use this act to 
actually drive that home.
    Focus on that risk tolerance. That is where the 
regulations, the policies, the auditing that was just mentioned 
by Mr. McBride--we do not get asked. Like Continuous 
Diagnostics and Mitigation (CDM), the latest version of CDM 
actually has a supply chain risk management as a requirement in 
procurement, and nobody is being audited against what is being 
done or not being done. I think it is a great question to ask.
    And then I think the last thing is what I mentioned before. 
Again, I did hear a lot here. In any of these things, we cannot 
separate cyber and supply chain because they are one-in-one, 
hand-in-hand right now.
    Thank you.
    Chairman Johnson. Again, thank you.
    I cannot help but notice and comment on the fact that prior 
to this hearing--this was always Senator McCain, who--again, we 
all respected--in his last couple of years as Chairman of Armed 
Services, he was not in this Committee as often, but we all 
traveled with him. We saw his commitment to individual liberty, 
freedom, the type of hero he was not only in America, but you 
go over to Ukraine because he was fighting for, again, those 
kind of democratic values.
    So we already do miss him. We sorely miss him. I am 
reminded just kind of looking at a different name in his spot.
    And I also want to welcome Senator Jon Kyl, who I also have 
a great deal of respect for. He has done a lot of work in terms 
of national security, maintenance of our nuclear stockpile to 
keep this Nation safe.
    So I wanted to make those comments as we close out this 
hearing.
    But, again, thank you for your testimony. You put a lot of 
work into it. You really did. I appreciate that. They will be 
in the record, and the hearing record will remain open for 15 
days until September 28, 5 p.m., for the submission of 
statements and questions for the record.
    This hearing is adjourned.
    [Whereupon, at 12:04 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------   