[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]

SECURING U.S. SURFACE TRANSPORTATION FROM CYBER ATTACKS

=======================================================================

JOINT HEARING

before the

SUBCOMMITTEE ON TRANSPORTATION AND MARITIME SECURITY

and the

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION

HOUSE OF REPRESENTATIVES

ONE HUNDRED SIXTEENTH CONGRESS

FIRST SESSION

FEBRUARY 26, 2019

Serial No. 116-2

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.govinfo.gov/

U.S. GOVERNMENT PUBLISHING OFFICE
35-378 PDF    WASHINGTON : 2019

COMMITTEE ON HOMELAND SECURITY

Bennie G. Thompson, Mississippi, Chairman

Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Cedric L. Richmond, Louisiana
Donald M. Payne, Jr., New Jersey
Kathleen M. Rice, New York
J. Luis Correa, California
Xochitl Torres Small, New Mexico
Max Rose, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Emanuel Cleaver, Missouri
Al Green, Texas
Yvette D. Clarke, New York
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida

Mike Rogers, Alabama
Peter T. King, New York
Michael T. McCaul, Texas
John Katko, New York
John Ratcliffe, Texas
Mark Walker, North Carolina
Clay Higgins, Louisiana
Debbie Lesko, Arizona
Mark Green, Tennessee
Van Taylor, Texas
John Joyce, Pennsylvania
Dan Crenshaw, Texas
Michael Guest, Mississippi

Hope Goins, Staff Director
Chris Vieson, Minority Staff Director

------

SUBCOMMITTEE ON TRANSPORTATION AND MARITIME SECURITY

J. Luis Correa, California, Chairman

Emanuel Cleaver, Missouri
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
Bennie G. Thompson, Mississippi (ex officio)

Debbie Lesko, Arizona, Ranking Member
John Katko, New York
John Ratcliffe, Texas
Mark Green, Tennessee
Mike Rogers, Alabama (ex officio)

Alex Marston, Subcommittee Staff Director
Kyle Klein, Minority Subcommittee Staff Director

------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION

Cedric L. Richmond, Louisiana, Chairman

Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Kathleen M. Rice, New York
Lauren Underwood, Illinois
Elissa Slotkin, Michigan
Bennie G. Thompson, Mississippi (ex officio)

John Katko, New York, Ranking Member
John Ratcliffe, Texas
Mark Walker, North Carolina
Van Taylor, Texas
Mike Rogers, Alabama (ex officio)

Moira Bergin, Subcommittee Staff Director
Sarah Moxley, Minority Subcommittee Staff Director

C O N T E N T S

----------

STATEMENTS

The Honorable J. Luis Correa, a Representative in Congress From the State of California, and Chairman, Subcommittee on Transportation and Maritime Security:
  Oral Statement
  Prepared Statement
The Honorable Debbie Lesko, a Representative in Congress From the State of Arizona, and Ranking Member, Subcommittee on Transportation and Maritime Security:
  Oral Statement
  Prepared Statement
The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement
  Prepared Statement
The Honorable John Katko, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation:
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security:
  Oral Statement
  Prepared Statement
The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas:
  Prepared Statement

WITNESSES

Panel I

Mr. Robert Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement
Ms. Sonya T. Proctor, Director, Surface Division, Office of the Security Policy and Industry Engagement, Transportation Security Administration:
  Oral Statement
  Prepared Statement

Panel II

Mr. James A. Lewis, Senior Vice President, Center for Strategic and International Studies:
  Oral Statement
  Prepared Statement
Ms. Rebecca Gagliostro, Director, Security, Reliability, and Resilience, Interstate Natural Gas Association of America:
  Oral Statement
  Prepared Statement
Mr. Erik Robert Olson, Vice President, Rail Security Alliance:
  Oral Statement
  Prepared Statement
Mr. John Hultquist, Director of Intelligence Analysis, FireEye:
  Oral Statement
  Prepared Statement


SECURING U.S. SURFACE TRANSPORTATION FROM CYBER ATTACKS

----------

Tuesday, February 26, 2019

U.S. House of Representatives,
Subcommittee on Transportation and Maritime Security, and the
Subcommittee on Cybersecurity, Infrastructure Protection and Innovation,
Committee on Homeland Security,
Washington, DC.

    The subcommittees met, pursuant to notice, at 10:03 a.m., in room 310, Cannon House Office Building, Hon. J. Luis Correa [Chairman of the Subcommittee on Transportation and Maritime Security] presiding.
    Present: Representatives Correa, Richmond, Cleaver, Jackson Lee, Langevin, Watson Coleman, Rice, Barragan, Underwood, Slotkin, Lesko, Walker, and Taylor.
    Also present: Representative Thompson.
    [Editor's Note.--Due to technical difficulties, audible portions of this transcript were not recorded and those instances have been marked accordingly.]
    Mr. Correa. Good morning everyone. Seeing the time of 10:05 having arrived, I would like to gavel down and chair--and call the Subcommittees on Transportation and Maritime Security, and Cybersecurity, Infrastructure Protection, and Innovation, to order.
    Today's hearing marks the first hearing of this Congress for the Subcommittee on Transportation and Maritime Security. I am excited to be chairing this subcommittee in this Congress and to be joined by our Ranking Member, Congresswoman Lesko from Arizona; I understand she is getting snow in Arizona, that is----
    Mrs. Lesko. Right, that is--we were. It was crazy----
    Mr. Correa. You were?
    Mrs. Lesko. In Phoenix.
    Mr. Correa. Save the water.
    We have a great panel of distinguished Members on both sides of the aisle and I look forward to working with all of you to tackle the security challenges facing the transportation and maritime sectors.
    I am glad to hold our first hearing, jointly with the Cybersecurity Subcommittee, and its leaders, Chairman Richmond, and Ranking Member Katko, who, Mr. Katko, unfortunately is not able to join us today.
    I am also happy to welcome our two panels today of witnesses and I look forward to your testimony.
    We are here today to discuss a very important topic: Cybersecurity in our Nation's mass transit, rail, pipeline, and other surface transportation systems. Cyber threats are a growing concern for security experts across many sectors and the surface transportation sector is no different. Millions of Americans rely on surface transportation every day and an attack against a large subway system or pipeline could have hugely negative effects on all of us.
    Government and industry have both struggled to address cyber threats which have evolved quickly and have become more and more complex and I believe DHS is well-positioned to lead cybersecurity in the efforts across critical infrastructure sectors including the surface transportation sector.
    Last year, Congress established a Cybersecurity Infrastructure and Security Agency, or CISA, making clear its status as the preeminent Cybersecurity Agency within the Federal Government. CISA works closely with TSA which is responsible for securing all modes of transportation. In December 2018 working with CISA, TSA released a Cybersecurity Roadmap that sets priorities for securing transportation from cyber threats.
    The Roadmap is an important first step in the right direction, but it has to be followed by concrete action. In coordination with CISA, TSA must ensure owners and operators have access to the resources, intelligence, guidelines, and assessments needed to ensure the cybersecurity of their systems is as good as it can get.
    Government and industry stakeholders together must also address supply chain security concerns. We must make sure that surface transportation systems are not made vulnerable to cyber espionage due to unchecked foreign manufacturing of subways [inaudible] some have questioned whether DHS has paid enough attention to pipeline security and have raised the idea of moving the responsibility for securing pipelines to another department and Ms. Proctor I do hope you address that issue during your comments [inaudible] because it would go against the reasons Congress established DHS, TSA, and CISA.
    Only DHS has the scope of authorities and access to intelligence needed to address cyber threats across critical infrastructure sectors. DHS has made significant progress in securing pipelines, including recent updates of TSA's Pipeline Security Guidelines and it should be allowed to build upon these on-going efforts.
    This hearing provides a great opportunity to discuss the work of both Government and the private sector to ensure all modes of transportation are secure from cyber threats and I look forward to a very productive conversation.
    [The statement of Chairman Correa follows:]

Statement of Chairman J. Luis Correa
February 26, 2019

    We have a great panel of distinguished Members on both sides of the aisle, and I look forward to working with you all to tackle the security challenges facing the transportation and maritime sectors. I am glad to hold our first hearing jointly with the Cybersecurity Subcommittee and its leaders, Chairman Richmond and Ranking Member Katko. I am also happy to welcome our two panels of witnesses today. We look forward to your testimony.
    We are here today to discuss an important topic: The cybersecurity of our Nation's mass transit, rail, pipeline, and other surface transportation systems. Cyber threats are a growing concern for security experts across many sectors--and the surface transportation sector is no different. Millions of Americans rely on surface transportation every day for critical services, and an attack against a large subway system or pipeline could have a hugely negative impact.
    Government and industry have both struggled to address cyber threats, which are evolving quickly and becoming more complex. However, I believe DHS is well-positioned to lead cybersecurity efforts across critical infrastructure sectors, including the surface transportation sector.
    Last year, Congress established the Cybersecurity and Infrastructure Security Agency, or CISA, making clear its status as the preeminent cybersecurity agency within the Federal Government. To secure surface transportation from cyber attacks, CISA works closely with TSA, which is responsible for securing all modes of transportation.
    In December 2018, working with CISA, TSA released a Cybersecurity Roadmap, which sets priorities for securing transportation from cyber threats. The publication of this roadmap is an important step in addressing the cybersecurity of transportation, but it must be followed by concrete action.
    In the surface mode, TSA works collaboratively with the system owners and operators who provide front-line security at the local level. In coordination with CISA, TSA must ensure owners and operators have access to the resources, intelligence, guidelines, and assessments needed to ensure the cybersecurity of their systems.
    Government and industry stakeholders together must also address supply chain security concerns. We must make sure that surface transportation systems are not made vulnerable to cyber espionage due to unchecked foreign manufacturing of subway cars or other infrastructure.
    Finally, some have questioned whether DHS has paid enough attention to pipeline security and have raised the idea of moving responsibility for securing pipelines to another department. Doing so would be foolhardy and go against the reasons Congress established DHS, TSA, and CISA. Only DHS has the scope of authorities and access to intelligence needed to address cyber threats across critical infrastructure sectors.
    For example, only TSA has authority to issue Security Directives to require immediate implementation of security measures across or within modes of transportation in the face of an imminent threat or on-going attack.
    DHS has made significant progress in securing pipelines, including recent updates to TSA's Pipeline Security Guidelines, and it should be allowed to build upon its on-going efforts.
    This hearing provides a great opportunity to discuss the work of both Government and private industry to secure all modes of transportation from cyber threats, and I look forward to a productive conversation.

    Mr. Correa. Now I would like to recognize the Ranking Member of the subcommittee, the gentlewoman from Arizona, Mrs. Lesko, for an opening statement.
    Mrs. Lesko. Thank you, Mr. Chairman.
    Thank you to all of you that are here today including the people coming as our testifiers.
    First, I would like to ask people to keep Representative Katko in your prayers because his father passed away and that is why he is not here today, and so Mr. Chairman, I do ask for unanimous consent for Representative Katko's statement to be added to the record.
    Mr. Correa. Without objection.
    [The statement of Ranking Member Katko follows:]

Statement of Ranking Member John Katko

    Thank you, Mr. Chairman, and thank you for holding a hearing on this important issue.
    I am pleased that my first subcommittee hearing as Ranking Member of the Cybersecurity, Infrastructure Protection, and Innovation subcommittee is a joint hearing with the subcommittee I was honored to chair for 4 years.
    Our world is increasingly connected. Our phones, computers, cars, and televisions are only some of the things we use every day that are vulnerable to a cyber attack that causes disruptions.
    But what about those objects that affect our everyday life, that we either don't see or don't consider to be vulnerable to cyber attacks, like pipelines that undergird this country's energy sector or the metro cars we rely on to get us around?
    A cyber attack on the industrial control systems for our operational technology could wreak havoc across our Nation. It is an attack vector that we must take seriously and work to secure these technologies from motivated attackers.
    Fortunately, we have two partners who are well-equipped to address these vulnerabilities. TSA brings the expertise about our pipelines and mass transit systems while CISA is the cyber expert. I want to reiterate what my colleague, Ranking Member Lesko, said in her opening statement--TSA and CISA are stronger because of their ability to work together. Their value is made greater by the wealth of resources within DHS to help surface transportation operators be prepared for the cyber threats.
    As a committee, we must be vigilant in making sure the various sectors of our economy are protecting their assets from physical and cyber harm. We cannot allow those technologies that are foundational to our livelihood to be a tool for a bad actor to launch a cyber attack.
    Thank you to our witnesses for taking the time this morning to speak on this topic. I look forward to hearing from you.

    Mrs. Lesko. Thank you, Mr. Chairman, and thank you for holding a hearing today on this very important topic.
    TSA has security authorities over America's surface transportation modes including 6,700 mass transit systems, passenger and freight rail as well as motor coach in both rural and urban communities. In addition, pipelines are considered a mode of surface transportation for natural gas and hazardous materials. Across the United States, including in my home State of Arizona, TSA is responsible for securing more than 2½ million miles of pipelines carrying natural gas and other materials that quite literally fuel our economy.
    While much progress has been made to provide better physical security for surface transportation, there remain growing concerns surrounding the cybersecurity of our Nation's surface transportation assets. As cyber actors become more sophisticated and surface transportation systems become increasingly reliant on computer systems, the vulnerability of this critical sector grows along with the risks posed by nefarious actors who may seek to exploit cybersecurity vulnerabilities to cause service disruptions or conduct economic espionage.
    In general, surface transportation systems utilize a number of interconnected information systems that, when exposed, present cybersecurity vulnerabilities. According to the American Public Transit Association, cyber attacks against surface transportation operators can destroy an agency's physical systems, render them inoperable, hand over control of systems to an outside entity, or threaten the privacy of individuals or customers.
    In the 115th Congress, the Republican Majority worked in a bipartisan manner to enact the TSA Modernization Act, the first-ever authorization of TSA since the agency was created in 2001. We also enacted the Cybersecurity and Infrastructure Security Agency Act of 2018 which created CISA in order to reform critical security programs within the Department and better equip DHS to support the cybersecurity of transportation systems.
    Additionally, TSA Administrator Pekoske has worked to restructure the agency to reflect evolving mission needs. It is important to note that while threats against our transportation sector may be evolving, they are not diminishing. Legitimate concerns have been raised as to the ability of TSA to provide necessary security for surface transportation assets and particularly pipelines.
    While I believe TSA is best positioned as the Government's authority on transportation security, it is incumbent upon the agency to demonstrate its commitment to securing all modes of transportation. The Department of Homeland Security and its components must work to mitigate growing cybersecurity threats and work hand-in-hand with industry partners to promote a culture of security and keep America's economy fueled and moving with the public's confidence.
    I do look forward to hearing the testimony before us today and thank you for being here.
    I yield back, Mr. Chairman.
    [The statement of Ranking Member Lesko follows:]

Statement of Ranking Member Debbie Lesko
February 26, 2019

    TSA has security authorities over America's surface transportation modes, including 6,700 mass transit systems, passenger and freight rail, as well as motorcoach, in both rural and urban communities. In addition, pipelines are considered a mode of surface transportation for natural gas and hazardous materials. Across the United States, including in my home State of Arizona, TSA is responsible for securing more than 2.5 million miles of pipelines carrying natural gas and other materials that quite literally fuel our economy.
    While much progress has been made to provide better physical security for surface transportation, there remains growing concern surrounding the cybersecurity of our Nation's surface transportation assets.
    As cyber actors become more sophisticated and surface transportation systems become increasingly reliant on computer systems, the vulnerability of this critical sector grows, along with the risk posed by nefarious actors who may seek to exploit cybersecurity vulnerabilities to cause service disruptions or conduct economic espionage.
    In general, surface transportation systems utilize a number of interconnected information systems that, when exposed, present cybersecurity vulnerabilities. According to the American Public Transit Association, cyber attacks against surface transportation operators can destroy an agency's physical systems, render them inoperable, hand over control of systems to an outside entity or threaten the privacy of individuals or customers.
    In the 115th Congress, the Republican Majority worked in a bipartisan manner to enact the TSA Modernization Act, the first-ever authorization of TSA since the agency was created in 2001. We also enacted the Cybersecurity and Infrastructure Security Agency Act of 2018, which created CISA in order to reform critical security programs within the Department and better equip DHS to support the cybersecurity of transportation systems. Additionally, TSA Administrator Pekoske has worked to restructure the agency to reflect evolving mission needs.
    It is important to note that while threats against our transportation sector may be evolving, they are not diminishing. Legitimate concerns have been raised as to the ability of TSA to provide necessary security for surface transportation assets, in particular pipelines. While I believe TSA is best positioned as the Government's authority on transportation security, it is incumbent upon the agency to demonstrate its commitment to securing all modes of transportation. The Department of Homeland Security and its components must work to mitigate growing cybersecurity threats and work hand-in-hand with industry partners to promote a culture of security and keep America's economy fueled and moving with the public's confidence.

    Mr. Correa. Thank you very much.
    I will--I would like to recognize the Chair of the Committee on Homeland Security, Mr. Bennie Thompson, for some opening remarks, sir.
    Mr. Thompson. Thank you very much, Chairman Correa; Ranking Member Lesko, on your maiden voyage as Ranking Member, welcome.
    I would also like to express my sympathies to Ranking Member Katko on the loss of his father.
    But also, this hearing today is very important, the cyber threats facing the U.S. surface transportation sector. Since the 9/11 attacks, the U.S. Government has focused on closing gaps in physical aviation security by Federalizing passenger and baggage screening, hardening cockpit doors, and deploying improved screening technologies and training.
    In September 2018 the subcommittees held a joint hearing highlighting the potential harm from important undisclosed vector cyber threats in aviation. Today we will provide the same attention to cybersecurity threats to the surface transportation sector.
    With TSA dedicating most of its resources to protecting aviation, the surface transportation sector including freight and passenger trains, commuter rails, mass transit, buses, and pipelines presents a relatively soft target for mass casualty attacks. We rely on these diverse assets not only for our shipping and other transports of natural gas, and a host of other activities essential to the health of our economy and National security.
    In recent years, surface transportation systems overseas have been hit by terrorist attacks. On our own shores, New York City's subway was a target of a failed terrorist plot in December 2017. Given the level of risk to surface transportation, I am concerned that we have not sufficiently protected this sector against cyber threats.
    To date no cyber attacks have disrupted the actual operations of surface transportation systems but attacks have resulted in financial disruption and affected public confidence in various modes of surface transportation. These small-scale attacks have shown that a relatively simple intrusion could upend surface transportation services causing significant harm and disruption.
    Last year Congress established Cybersecurity and Infrastructure Security Agency or CISA as the operational agency within the Federal Government [inaudible] on cybersecurity information sharing. CISA will continue to play a critical role in providing cybersecurity resources within DHS including to TSA and to industries, to combat cyber threats to critical infrastructure. TSA for its part maintains responsibility for the security of all modes of transportation. Working together within DHS, CISA and TSA are uniquely positioned to address cyber threats in transportation.
    I would note that DHS's authorities and capabilities across critical infrastructure sectors in all modes of transportation make it better positioned to secure pipelines than the Department of Energy, despite some suggestions to the contrary.
    In December 2018, in coordination with CISA, TSA released its first-ever Cybersecurity Roadmap, providing a vision for the future of cybersecurity across all modes of transportation. While DHS is headed in the right direction, much work remains. In many cases surface transportation sector owners and operators struggle with the same cyber challenges that plague other industries: A National shortage of skilled cybersecurity personnel; a work force with minimal cybersecurity training and awareness; and resource constraints across the board.
    Finally, at a hearing on surface transportation security, I would be remiss if I did not point out that TSA remains non-compliant with requirements to publish surface transportation security regulations which were enacted over a decade ago in the Implementing Recommendations of the 9/11 Commission Act of 2007.
    I would like to at some point, Mr. Chairman, hope to get a response to why we have not had that take place.
    With that I yield back.
    [The statement of Chairman Thompson follows:]

Statement of Chairman Bennie G. Thompson
February 26, 2019

    Since the 9/11 attacks, the U.S. Government has focused on closing gaps in physical aviation security by Federalizing passenger and baggage screening, hardening cockpit doors, and deploying improved screening technologies and training.
    In September 2018, the subcommittees held a joint hearing highlighting the potential harm from an important, underdiscussed vector: Cyber threats to aviation. Today, we will provide the same attention to cybersecurity threats to the surface transportation sector.
    With TSA dedicating most of its resources to protecting aviation, the surface transportation sector--including freight and passenger trains, commuter rail, mass transit, buses, and pipelines--presents a relatively soft target for mass-casualty attacks. We rely on these diverse assets not only to support our personal and business travel, but also commercial shipping, the transport of natural gas, and a host of other activities essential to the health of our economy and National security.
    In recent years, surface transportation systems overseas have been hit by terrorist attacks. On our own shores, New York City's subway was the target of a failed terrorist plot in December 2017. Given the level of risk to surface transportation, I am concerned that we have not sufficiently protected this sector against cyber threats.
    To date, no cyber attacks have disrupted the actual operations of surface transportation systems, but attacks have resulted in financial disruption and affected public confidence in various modes of surface transportation. These small-scale attacks have shown that a relatively simple intrusion could upend surface transportation services, causing significant harm and disruption.
    Last year, Congress established the Cybersecurity and Infrastructure Security Agency, or CISA, as the operational agency within the Federal Government charged with serving as the primary civilian interface for cybersecurity information sharing. CISA will continue to play a critical role in providing cybersecurity resources within DHS, including to TSA, and to industry to combat cyber threats to critical infrastructure.
    TSA, for its part, maintains responsibility for the security of all modes of transportation.
    Working together within DHS, CISA and TSA are uniquely positioned to address cyber threats to transportation.
    I would note that DHS's authorities and capabilities across all critical infrastructure sectors and all modes of transportation make it better positioned to secure pipelines than the Department of Energy, despite some suggestions to the contrary.
    In December 2018, in coordination with CISA, TSA released its first-ever Cybersecurity Roadmap, providing a vision for the future of cybersecurity across all modes of transportation.
    While DHS is headed in the right direction, much work remains. In many cases, surface transportation sector owners and operators struggle with the same cyber challenges that plague other industries: A National shortage of skilled cybersecurity personnel, a workforce with minimal cybersecurity training and awareness, and resource constraints across the board.
    Owners and operators must also address supply chain concerns, including those posed by the emergence of a Chinese state-owned enterprise manufacturing subway cars for U.S. mass transit systems. Government and industry must work together to ensure that cyber threats and vulnerabilities are fully understood and appropriately addressed.
    Finally, at a hearing on surface transportation security, I would be remiss if I did not point out that TSA remains non-compliant with requirements to publish surface transportation security regulations, which were enacted over a decade ago in the Implementing Recommendations of the 9/11 Commission Act of 2007.
    The rules required under the law would help TSA to better assess and address vulnerabilities within the surface transportation sector, including cybersecurity vulnerabilities.
    I look forward to hearing from this panel of witnesses today, and I hope they will give us a candid assessment of the cybersecurity posture of our surface transportation sector.

    Mr. Correa. Thank you, Chairman Thompson, for those opening statements.
    Now I would like to recognize the co-Chair of this hearing today, Mr. Richmond, Chairman of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, for an opening statement. Welcome, sir.
    Mr. Richmond. Thank you, Mr. Chairman.
    I will recognize the Chairman of the whole--full committee, Mr. Bennie Thompson, from Mississippi.
    I will also join my colleagues in extending my condolences to Congressman Katko. As a person who has lost two fathers, I understand what he is going through and we wish him the best.
    I want to start by congratulating Congressman Correa on becoming Chairman of the Transportation and Maritime Security Subcommittee. I look forward to working with you to improve the cybersecurity posture of our transportation infrastructure.
    Last fall our subcommittees held a joint hearing to assess cybersecurity risks to aviation.
We learned that cyber threats \nto aviation are persistent, that cyber tools can be used to \nengage in cyber espionage or undermine confidence in the \naviation industry and that the safety of air travelers requires \nus to stay a step ahead of bad actors.\n    In short, we learned that cybersecurity posture of the \naviation sector is a National security, economic security, and \npublic safety imperative. The same can be said for the \ncybersecurity posture of our surface transportation systems. \nSurface transportation includes roads, rail, maritime \nfacilities, and pipelines and my district is rich in all of \nthem so I am glad that we are beginning the 116th Congress with \nthis hearing.\n    Compared to the aviation sector, surface transportation \nreceives relatively little in Federal funding to support \nsecurity. Outside of the Transit Security Grant Program which \nis awarded to public transportation entities and primarily used \nto secure against physical threats, surface transportation \nowners and operators foot the bill for security themselves.\n    But the Federal Government is not off the hook, it plays a \ncritical role in providing the situational awareness, security \nassessments, and guidance to stakeholders that inform surface \ntransportation security investments.\n    In a decade-and-a-half since it was established, the \nDepartment of Homeland Security has matured its ability to \nconvene stakeholders, leverage its cross-component expertise, \nand share actionable intelligence analysis and guidance to help \naddress pressing National security challenges.\n    Whether or not the Federal Government can effectively \npartner with stakeholders to secure surface transportation \nmodes from cyber attacks, rests on DHS's ability to continue to \nperform and build on these capabilities. Approximately 125,000 \nmiles of pipelines valued at 1.9 billion move oil and gas \nthrough Louisiana every day. 
The industry employs over 2,500 \npeople in the State; toward that end I was pleased that the \nPipeline Cybersecurity Initiative was one of the first \npriorities announced by the new National Risk Management Center \nlast year and updated Pipeline Security Guidelines were finally \nreleased last March.\n    I am encouraged that the Department is redoubling its \nefforts to improve the cybersecurity of pipelines by enhancing \nthe in-house collaboration between CISA and TSA, and engaging \nwith the private sector.\n    I believe the Pipeline Security Initiative has the \npotential to provide a more comprehensive understanding of the \nunique cybersecurity risks to pipelines, particularly as the \nsector relies more on the industrial internet of things; that \nknowledge will empower stakeholders to address cybersecurity \nrisks more strategically. Although the Initiative was first \nannounced as one of the NRMC's initial sprint, I hope that it \nwill evolve into a more permanent collaboration.\n    I am concerned however that the updated Pipeline Security \nGuidelines do not address supply chain risk management; \nmoreover I would be interested to know how TSA is implementing \nthe 10 recommendations the Government Accountability Office \nmade in December related to its management of Pipeline Security \nProgram. The safety of my community and the economy of my \ndistrict depends on DHS getting this mission right.\n    I would be remiss if I did not also raise my concerns about \nthe cybersecurity posture of both passenger and freight rail, \nparticularly as passenger rail cars incorporate automatic train \ncontrol, network and train-line control and monitoring and \ndiagnostics, among other technologies.\n    Last month I read a troubling report of a Chinese rail \ncompany significantly under-bidding competitors to win transit \nrail contracts in four major markets. I am aware of China's \npolitical and economic ambitions. 
The intelligence community \nand Congress have been clear in cautioning against the use of \nChinese telecommunications products.\n    But it is unclear to me whether the Federal Government has \nassessed what, if any additional cybersecurity threat is posed \nby contracting with a Chinese company to purchase railcars with \nadvanced technologies. It is also unclear whether the Federal \nGovernment is providing any guidance to local transit \nauthorities to ensure cybersecurity is incorporated into their \nprocurement process.\n    I look forward to discussing these issues with the \nwitnesses today and I yield back the balance of my time.\n    [The prepared statement of Chairman Richmond follows:]\n                 Statement of Chairman Cedric Richmond\n                           February 26, 2019\n    Last fall, our subcommittees held a joint hearing to assess \ncybersecurity risks to aviation. We learned that cyber threats to \naviation are persistent, that cyber tools can be used to engage in \ncyber espionage or undermine confidence in the aviation industry, and \nthat the safety of air travelers requires us to stay a step ahead of \nbad actors.\n    In short, we learned that the cybersecurity posture of the aviation \nsector is a National security, economic security, and public safety \nimperative. The same can be said for the cybersecurity posture of our \nsurface transportation systems.\n    Surface transportation includes roads, rail, maritime facilities, \nand pipelines, and my district is rich in all of them, so I'm glad we \nare beginning the 116th Congress with this hearing. 
Compared to the \naviation sector, surface transportation receives relatively little in \nFederal funding to support security.\n    Outside of the Transit Security Grant Program--which is awarded to \npublic transportation entities and primarily used to secure against \nphysical threats--surface transportation owners and operators foot the \nbill for security themselves.\n    But the Federal Government is not off the hook. It plays a critical \nrole in providing the situational awareness, security assessments, and \nguidance to stakeholders that inform surface transportation security \ninvestments.\n    In the decade-and-a-half since it was established, the Department \nof Homeland Security has matured its ability to convene stakeholders, \nleverage its cross-component expertise, and share actionable \nintelligence analysis and guidance to help address pressing National \nsecurity challenges.\n    Whether or not the Federal Government can effectively partner with \nstakeholders to secure surface transportation modes from cyber attacks \nrests on DHS's ability to continue to perform and build on these \ncapabilities.\n    Approximately 125,000 miles of pipelines--valued at $1.9 billion--\nmove oil and gas through Louisiana every day. The industry employs over \n2,500 people in the State. Toward that end, I was pleased that the \nPipeline Cybersecurity Initiative was one of the first priorities \nannounced by the new National Risk Management Center last year and the \nupdated Pipeline Security Guidelines were finally released last March. 
\nI am encouraged that the Department is redoubling its efforts to \nimprove the cybersecurity of pipelines by enhancing the in-house \ncollaboration between CISA and TSA and engaging with the private \nsector.\n    I believe the Pipeline Cybersecurity Initiative has the potential \nto provide a more comprehensive understanding of the unique \ncybersecurity risks to pipelines, particularly as the sector relies \nmore on the industrial internet of things. That knowledge will empower \nstakeholders to address cybersecurity risks more strategically. \nAlthough the Initiative was first announced as one of the NRMC's \ninitial ``sprint,'' I hope that it will evolve into a more permanent \ncollaboration. I am concerned, however, that the updated Pipeline \nSecurity Guidelines do not address supply chain risk management.\n    Moreover, I will be interested to know how TSA is implementing the \n10 recommendations the Government Accountability Office made in \nDecember related to its management of the Pipeline Security Program. \nThe safety of my community and the economy of my district depend on DHS \ngetting this mission right.\n    I would be remiss if I did not also raise my concerns about the \ncybersecurity posture of both passenger and freight rail, particularly \nas passenger rail cars incorporate automatic train control, network and \ntrainline control, and monitoring and diagnostics, among other \ntechnologies. Last month, I read troubling reports of a Chinese rail \ncompany significantly underbidding competitors to win transit rail \ncontracts in four major markets.\n    I am aware of China's political and economic ambitions. 
The \nintelligence community and Congress have been clear in cautioning \nagainst the use of Chinese telecommunications products.\n    But it is unclear to me whether the Federal Government has assessed \nwhat, if any, additional cybersecurity threat is posed by contracting \nwith a Chinese company to purchase rail cars with advanced \ntechnologies.\n    It is also unclear whether the Federal Government is providing any \nguidance to local transit authorities to ensure cybersecurity is \nincorporated into their procurement processes.\n    I look forward to discussing these issues with the witnesses and I \nyield back the balance of my time.\n\n    Mr. Correa. Thank you, Chairman Richmond. I also would like \nto congratulate you on your Chairmanship; I look forward to \nworking with you as well.\n    Other Members of the subcommittee are reminded that under \nthe committee rules, opening statements may be submitted for \nthe record.\n    [The statement of Honorable Jackson Lee follows:]\n               Statement of Honorable Sheila Jackson Lee\n    Good morning Chairman Correa and Chairman Richmond, Ranking Member \nLesko and Ranking Member Katko, for convening today's joint hearing on \n``Securing U.S. Surface Transportation From Cyber Attacks.''\n    At the outset, let me congratulate Chairman Correa and Chairman \nRichmond on your elections to lead the Homeland Security Subcommittees \non Transportation and Maritime Security and Cybersecurity, \nInfrastructure Protection and Innovation Committee, respectively.\n    I look forward to continuing to work with each of you along with \nreturning Members of the committee and welcome an outstanding group of \nnew Members on both sides of the aisle, whom I trust will find the \nimportant work advanced by this committee as fulfilling and rewarding \nas I have since joining it as its inception.\n    Today's witnesses:\nPanel I\n  <bullet> Mr. 
Bob Kolasky, director, National Risk Management Center, \n        Cybersecurity and Infrastructure Security Agency, U.S. \n        Department of Homeland Security;\n  <bullet> Sonya T. Proctor, director, Surface Division, Office of \n        Security Policy and Industry Engagement, Transportation \n        Security Administration.\nPanel II\n  <bullet> Ms. Rebecca Gagliostro, director, security, reliability, and \n        resilience, Interstate Natural Gas Association of America;\n  <bullet> James A. Lewis, senior vice president, Center for Strategic \n        and International Studies;\n  <bullet> Erik Robert Olson, vice president, Rail Security Alliance;\n  <bullet> Mr. John Hultquist, director of intelligence analysis, \n        FireEye (Minority witness).\n    I thank each of today's witnesses for bringing their expert view on \nthe state of cybersecurity and surface transportation in the United \nStates.\n    I note that several of today's witnesses warn about China and the \nsecurity of transportation systems in the United States.\n    Their concern is shared by the Department of Defense in its annual \nreport to Congress: Military and Security Developments Involving the \nPeople's Republic of China 2018.\n    The report states that China obtains foreign technology through \nimports, foreign direct investment, industrial and cyber espionage, and \nestablishment of foreign research and development (R&D) centers.\n    In addition, an assessment of Cyber Operations by DoD said that \nPeople's Liberation Army researchers believe that building strong cyber \ncapabilities is necessary to protect Chinese networks and advocate \nseizing ``cyber space superiority'' by using offensive cyber operations \nto deter or degrade an adversary's ability to conduct military \noperations against China.\n    These findings by the DoD give our committee ample reason to \nconsider the cybersecurity implications of China's activity in the \ntransportation sector.\n    The 
Transportation Security Administration (TSA) is responsible for \nboth the physical security and cybersecurity of all modes of \ntransportation, including pipelines.\n    In November 2018, TSA released the ``TSA Cybersecurity Roadmap for \n2018,'' its first-ever cybersecurity roadmap.\n    The Roadmap will guide TSA's oversight of the cybersecurity of the \ntransportation systems sector over the next 5 years by focusing on four \npriority areas, which include risk identification, vulnerability \nreduction, consequence mitigation, and enabling cybersecurity outcomes.\n    In addition, the Roadmap emphasizes TSA's commitment to recruiting, \nretaining, and training technical and cyber talent to improve its \nability to engage with stakeholders on cybersecurity and information \ntechnology issues.\n    Finally, the Roadmap highlights TSA's collaboration with the \nCybersecurity and Infrastructure Security Agency (CISA), which is the \noperational component within DHS charged with serving as the primary \nFederal civilian interface for cybersecurity information sharing.\n    We know the threats that computing devices and systems face, which \nare almost too numerous to count:\n  <bullet> Bot-nets;\n  <bullet> Ransomware;\n  <bullet> Zero Day Events;\n  <bullet> Malware;\n  <bullet> Denial-of-Service Attacks;\n  <bullet> Distributed Denial-of-Service Attacks;\n  <bullet> Pharming;\n  <bullet> Phishing;\n  <bullet> Data Theft;\n  <bullet> Data Breaches;\n  <bullet> SQL Injection;\n  <bullet> Man-in-the-Middle Attack.\n    The list goes on, but suffice to say that as hard as any one person \nin our Government is working to stop cyber attacks there are likely \nanother thousand attempting to breach a system or device or technology \nused by a United States citizen.\n    Vulnerabilities of computing systems are not limited to intentional \nattacks, but can include acts of nature, human error, or technology \nfailing to perform as intended.\n    I am particularly concerned 
about cybersecurity of transportation \nfor pipelines, bridges, tolls, air traffic control systems, commercial \naircraft, ports, and automobiles.\n    Government agencies and political institutions around the world \nhave acknowledged that air traffic management and control (ATM/ATC) \nvulnerabilities could be used to undermine National security.\n    Any breach of the U.S. air traffic control system can lead to \nflight interruptions that may result in cancellations.\n    The number, type, and severity of cyber threats experienced by \nports, service providers, or port customers are unknown because victims \ngenerally prefer not to report incidents and to pay or absorb costs \nresulting from breaches or thefts.\n    Another reason for underreporting is that companies and ports often \nare unaware that their cybersecurity has been breached.\n    In January 2019, the American Association of Port Authorities \n(AAPA) identified nearly $4 billion in crucial port and supply chain \nsecurity needs over the next 10 years.\n    The AAPA says that funding is needed to ensure America's port \nfacilities are properly equipped to address new and evolving security \nchallenges.\n    The report recommends refocusing the Federal Emergency Management \nAgency's Port Security Grant Program to better meet the security \ninfrastructure needs of publicly-owned commercial seaports and related \nmaritime operations.\n    AAPA recommends funding an estimated $2.62 billion in maintenance \nand upgrades to port security equipment and systems, and another $1.27 \nbillion for investments to tackle cybersecurity, active shooter, drone \nmitigation, resiliency, and other evolving security threats.\n    It is reported that the U.S. Government invests $100 million \nannually in the Port Security Grant Program.\n    This grant program began after 9/11, and it is estimated that by \nthe end of 2017, container volumes through U.S. 
ports have increased 71 \npercent and total foreign trade tonnage had increased 37 percent, while \ncruise passenger traffic nearly doubled by the end of 2018.\n    During this time, 85 percent of AAPA U.S. member ports report that \nthey anticipate direct cyber or physical threats to their ports to \nincrease over the next 10 years.\n    The 2017 APM Maersk cyber attack illustrates how an incident can \nstart outside the United States and have a cascading impact on ports \nand terminal operations across the globe.\n    Further evidence on the cyber vulnerability of ports, comes from \nOctober 15, 2014, in a report by CyberKeel entitled, ``Maritime Cyber-\nRisks,'' which focused on financial thefts; alteration of carrier \ninformation regarding cargo location; barcode scanners used as hacking \ndevices (a variation of the light bulb vulnerability described above); \ntargeting of shipbuilding and maritime operations; cyber-enabled large \ndrug smuggling operations; compromising of Australian customs and \nborder protection; spoofing a vessel Automated Identification System \n(AIS); drilling rig cyber attack; vessel navigation control hack; GPS \njamming; vulnerabilities in the Electronic Chart Display and \nInformation System; and a Danish Maritime Authority breach.\n    In 2015, I hosted a briefing on ``Cyber Security Threat Posed by \nthe Ability to Hack Automobiles,'' which provided information on the \ngrowing threat of remote attacks against moving vehicles and the \nprivacy of consumer data captured by automotive systems.\n    Finally, the use of untrustworthiness of transportation \ninfrastructure can have significant impacts on our Nation's economy.\n    An important part of cybersecurity is establishing and maintaining \na cybersecurity culture both within the Federal Government and \nthroughout the private sector.\n    We must change the way we perceive and respond to cybersecurity \nvulnerabilities and threats.\n    We must be steadfast in our resolve to 
protect the Nation's \ntransportation system from cyber threats.\n    I look forward to the testimony of today's witnesses.\n    Thank you.\n\n    Mr. Correa. With that being said I welcome the first panel \nof witnesses.\n    Our first witness is Mr. Bob Kolasky, who serves as \ndirector of the National Risk Management Center at the \nCybersecurity and Infrastructure Security Agency at the \nDepartment of Homeland Security. As director he oversees the \nCenter's efforts to facilitate strategic cross-sector risk \nmanagement approach to cyber and physical threats to our \ncritical infrastructure.\n    Next we will have Ms. Sonya Proctor, who serves as director \nof the Surface Division within the Office of Security Policy or \nOSP, at the Transportation Security Agency. Ms. Proctor's \nresponsibilities include developing risk-based and effective \nsecurity policy in collaboration with stakeholders in surface \ntransportation modes.\n    Without objection, the witnesses' full statements will be \ninserted into the record and I will ask each witness to \nsummarize his or her statements in 5 minutes, beginning with \nMr. Kolasky.\n    Welcome, sir.\n\nSTATEMENT OF ROBERT KOLASKY, DIRECTOR, NATIONAL RISK MANAGEMENT \nCENTER, CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Kolasky. Thank you, Chairman.\n    Chairman Correa, Chairman Thompson, Chairman Richmond, \nRanking Member Lesko, and Members of the subcommittee, good \nmorning and thank you for the opportunity to testify regarding \nthe Department's on-going and collaborative efforts to \nstrengthen the cybersecurity of our Nation.\n    Today, as the subject of the hearing, I will focus my \nremarks on surface transportation including pipelines, mass \ntransit, freight, rail, and our highways.\n    First however I do want to thank the committee for its \nleadership in establishing the Cybersecurity and Infrastructure \nSecurity Agency, CISA. 
By creating our new agency in law, \nCongress formally recognized DHS's role as the leader of the \nNational effort to safeguard Federal networks and critical \ninfrastructure from cyber and physical threats.\n    CISA delivers organization-specific and cross-sector risk \nmanagement support to enhance the resiliency of our Nation's \ncritical infrastructure. We are the main Federal interface for \nsharing cyber-threat indicators. We provide a broad range of \ncybersecurity threat detection, response, and coordination \ncapabilities to assist industry across all sectors, including \nsurface transportation, for securing their operations. Our \ncapabilities bring together the intelligence community, law \nenforcement, international partners, and the private sector.\n    As part of CISA, I serve as the director of the National \nRisk Management Center. The Center brings together industry and \nGovernment for collaborative planning, analysis, and \nprioritization in order to reduce risk to critical \ninfrastructure. These efforts complement and support the day-\nto-day operations across our agency and are intended to focus \non the most significant risks facing the Nation's critical \ninfrastructure. To that end cyber threats remain one of the \nmost significant strategic risks for the United States.\n    Critical infrastructure cyber incidents however are rarely \nsector-specific which means we can't afford to take a sector-\nspecific approach to risk management. Our adversaries target \ncommon vulnerabilities in systems across sectors. They target \ncompanies in one sector to launch attacks on a [inaudible] the \ngrowing interdependencies across sectors demand an integrated \napproach.\n    An attack on the transportation sector has operational \nimpact and transcends the operations across the transportation \nsector. That is one reason why we did establish the National \nRisk Management Center. 
Planning, operations, and information \nsharing to secure critical infrastructure must not be \nstovepiped; this is because of the global, borderless, \ninterconnected nature of cyber space where strategic threats \ncan manifest in the homeland without advance warning and speed \nof collaboration is essential.\n    In the coming months the National Risk Management Center \nwill finalize the identification of a set of National Critical \nFunctions. National Critical Functions are defined as the \nfunctions of Government and the private sector, so vital to the \nUnited States that their disruption, corruption, or dysfunction \ncould have a debilitating impact on National security, economic \nsecurity, National public health, or safety, and we identified \nthese in partnership with industry and our colleagues across \nthe Government.\n    Through this process we have already identified functions \nassociated with surface transportation such as the movement of \ncommodities through pipelines and the generation of electricity \nthat need to be prioritized. Because of that last year as you \nall mentioned, we launched the Pipeline Security Initiative to \nbuild upon past work in the sector.\n    This effort is a partnership between CISA, TSA, the \nDepartment of Energy, as well as industry. CISA is coordinating \nrisk management planning and tasking its cybersecurity \noperations, provide technical capabilities in support of my \ncolleague Sonya and her team as the sector-specific agency. \nTSA's relationship with the sector and understanding of \npipeline operations is critical to the success of this \ninitiative.\n    The Pipeline Security Initiative is conducting \ncybersecurity assessments on pipelines to identify and mitigate \nvulnerabilities. The first comprehensive assessment was \ncompleted in December 2018 and we expect to do 9 more this \nyear. These are some of the most comprehensive, in-depth, cyber \nassessments the U.S. 
Government has done on pipelines to date. \nBased on these assessments the NRMC will be conducting initial \nanalysis of how best to reduce risk to the Nation's pipeline \ninfrastructure, working with industry to prioritize mitigation \nactivities.\n    Another example of our work to support the transportation \nsector is industrial control security. Much of our Nation's \nsurface transportation is dependent on industrial control \nsystems to monitor, control, and safeguard operation. We at \nCISA have a long history of working to provide technical \nexpertise and to share information with ICS vendors and we will \ncontinue to do that with a focus on surface transportation.\n    The final area I want to talk about, the National Risk \nManagement Center's efforts are our efforts around supply chain \nsecurity. To address supply chain risks CISA has established an \nInformation and Communications Technology Supply Chain Risk \nManagement Task Force. This is a public-private partnership to \nfacilitate mitigation of emerging supply chain threats.\n    Work is on-going on 4 separate work streams intended to \nimprove threat information, better understand priority Supply \nChain risks, and incentivize and enhance Supply Chain Risk \nManagement. This work will help transportation sectors as well \nas critical infrastructure and Federal networks.\n    In closing, CISA will continue to be a partner to our \nGovernment and industry colleagues with the twin imperative of \naddressing the cyber threats we see today and shaping the risk \nenvironment of tomorrow. I am convinced that such an approach \nwill leave us better prepared to address any challenges we face \nfrom our adversaries now and in the future.\n    Once again thank you for the opportunity to appear before \nthe subcommittee today. I look forward to your questions.\n    [The prepared statement of Mr. 
Kolasky follows:]\n                  Prepared Statement of Robert Kolasky\n                           February 26, 2019\n    Chairman Richmond, Chairman Correa, Ranking Member Katko, Ranking \nMember Lesko, and Members of the subcommittees, thank you for the \nopportunity to testify regarding the U.S. Department of Homeland \nSecurity's (DHS) on-going efforts to reduce and mitigate risks to our \nNation's critical infrastructure. I have the privilege of serving as \nthe director of the National Risk Management Center (NRMC) at the \nCybersecurity and Infrastructure Security Agency (CISA). The NRMC \noperates as a planning, analysis, and collaboration center bringing \ntogether industry and multiple parts of Government to identify, \nanalyze, prioritize, and reduce risks to critical infrastructure. The \nNRMC's efforts are centered on the ``secure tomorrow'' mantle of CISA's \nmission--complementing and drawing from the day-to-day information \nsharing, technical analysis, and operational assistance missions from \nelsewhere in the agency.\n    My testimony today will focus on the cybersecurity of surface \ntransportation systems, including pipelines, mass transit systems, \nfreight rail systems, and highways. Both CISA and the Transportation \nSecurity Administration (TSA) play a critical role in accomplishing \nthis mission. CISA is leading National efforts to defend the Nation's \ncritical infrastructure today and secure tomorrow by partnering with \nindustry and Government to reduce risk from cyber, physical, and hybrid \nthreats. Thanks to Congress's leadership and passage of the \nCybersecurity and Infrastructure Security Agency Act of 2018 (Pub. L. \n115-278), we are now even better poised to further the maturation of \nthe organization to best reflect our essential mission and role in \nsecuring cyber space. 
CISA's efforts to secure surface transportation \nare carried out in close coordination with the TSA and Department of \nTransportation, the Sector-Specific Agencies (SSA) for the surface \ntransportation portion of the Transportation Systems Sector.\n                             cyber threats\n    Cyber threats remain one of the most significant strategic risks \nfor the United States, threatening our National security, economic \nprosperity, and public health and safety. The past several years have \nmarked a growing awareness of the cyber domain in the public \nconsciousness. We have seen advanced persistent threat actors, \nincluding hackers, cyber criminals, and nation-states, increase the \nfrequency and sophistication of their attacks. Our adversaries have \nbeen developing and using advanced cyber capabilities in attempts to \nundermine critical infrastructure, target our livelihoods and \ninnovation, steal our National security secrets, and threaten our \ndemocratic institutions.\n    Cybersecurity threats affecting surface transportation have the \npotential to impact the industrial control systems that operate \npipelines, mass transit, freight rail systems, and our highway \ninfrastructure. For example, America depends heavily on the 2.7 million \nmiles of pipeline crisscrossing our country. Increasingly, the business \noperations and control systems that are vital to the continuity of this \npart of our energy posture are threatened by cyber attacks from nation-\nstates and other malicious actors. Many pipelines are now supplied with \nindustrial control systems, automated pressure regulators, and control \nvalves. If this pipeline infrastructure is intentionally attacked, \ncontrol valves and pressure regulators could be affected. Failure of \nthese technologies could lead to pressure surges causing emergency \nshutdowns, unexpected explosions and fires, and other serious \nconsequences. 
The recently-published Worldwide Threat Assessment of the \nintelligence community states, ``China has the ability to launch cyber \nattacks that cause localized, temporary disruptive effects on critical \ninfrastructure--such as disruption of a natural gas pipeline for days \nto weeks--in the United States.''\n    Similarly, trains are now supplied with on-board information \ntechnology (IT) systems that provide and receive real-time updates on \ntrack conditions, train position, train separation, car status, and \nother operational data. While such technologies are designed to provide \nfaster and more reliable communications, these wireless communication \nadvances result in trains no longer functioning as closed systems, thus \nincreasing the cyber risks.\n    Today's industrial control systems within highway infrastructure \nare often not only automated but highly integrated. Interconnected road \nnetworks are controlled by numerous systems and devices such as traffic \nsignal systems, ramp metering systems, road weather information \nsystems, and field devices that feed into a traffic management center. \nIf an individual system or device was deliberately attacked, the \npotential to affect multiple control systems would be a distinct \nreality.\n                        cybersecurity priorities\n    CISA, our Government partners, and the private sector are all \nengaging in a more strategic and unified approach toward improving our \nNation's overall defensive posture against malicious cyber activity. In \nMay of last year, DHS published the Department-wide DHS Cybersecurity \nStrategy, outlining a strategic framework to execute our cybersecurity \nresponsibilities during the next 5 years. 
Both the Strategy and \nPresidential Policy Directive 21--Critical Infrastructure Security and \nResilience, emphasize that we must maintain an integrated approach to \nmanaging risk.\n    The National Cyber Strategy, released in September 2018, reiterates \nthe criticality of collaboration and strengthens the Government's \ncommitment to work in partnership with industry to combat cyber threats \nand secure our critical infrastructure. Together, the National Cyber \nStrategy and DHS Cybersecurity Strategy guide CISA's efforts to secure \nFederal networks and strengthen critical infrastructure. DHS works \nacross Government and critical infrastructure industry partnerships to \nshare timely and actionable information as well as to provide training \nand technical assistance. Our work enhances cyber threat information \nsharing between and among governments and businesses across the globe \nto stop cyber incidents before they occur and quickly recover when they \ndo. By bringing together all levels of government, the private sector, \ninternational partners, and the public, we are enabling a collective \ndefense against cybersecurity risks, while improving our whole-of-\nGovernment incident response capabilities, enhancing information \nsharing of best practices and cyber threats, strengthening our \nresilience, and facilitating safety.\n    CISA's National Cybersecurity and Communications Integration Center \n(NCCIC) provides entities with information, technical assistance, and \nguidance they can use to secure their networks, systems, assets, \ninformation, and data by reducing vulnerabilities, ensuring resilience \nto cyber incidents, and supporting their holistic risk management \npriorities. The NCCIC operates at the intersection of the Federal \nGovernment, State and local governments, the private sector, \ninternational partners, law enforcement, intelligence, and defense \ncommunities. The Cybersecurity Information Sharing Act of 2015 (Pub. L. 
\n114-113) established DHS as the Federal Government's central hub for \nthe sharing of cyber threat indicators and defensive measures. CISA's \nautomated indicator sharing capability allows the Federal Government \nand private-sector network defenders to share technical information at \nmachine speed.\n    Much of our Nation's surface transportation infrastructure is \ndependent on industrial control systems to monitor, control, and \nsafeguard operational processes. Many of the industrial control systems \ncurrently in use were built for operability, efficiency, and \nreliability during an era when security was a lower priority than it is \ntoday. CISA has a well-established history of working to secure \nindustrial control systems across critical infrastructure. In 2004, DHS \nestablished the Control Systems Security Program to address growing \nconcerns over the security of industrial control systems. Since 2009, \nDHS has maintained the Industrial Control Systems Joint Working Group \nas the primary body for communicating and partnering across all \ncritical infrastructure sectors and the government at all levels to \naccelerate the design, development, and deployment of secure industrial \ncontrol systems. CISA's industrial control systems cybersecurity \ncapabilities include malware and vulnerability analysis; an operational \nwatch floor to monitor, track, and investigate cyber incidents; \nincident response; international stakeholder coordination; and the \ncreation and dissemination of threat briefings, security bulletins, and \nnotices related to emerging threats and vulnerabilities impacting these \ntechnologies.\n                        national risk management\n    Our adversaries' capabilities on-line are outpacing our stove-piped \ndefenses. Specifically, there has been a critical gap in cross-sector, \ncross-government coordination on critical infrastructure security and \nresilience. 
Working together with the private sector and other \nGovernment partners, we are taking collective action to strengthen \ncross-sector, cross-government coordination against malicious cyber \nactors.\n    Through the NRMC within CISA, we have stepped up our efforts to \nprovide a comprehensive risk management approach to cyber and physical \nsecurity. The NRMC is a core component of DHS's efforts to take a \nholistic cross-sector approach to managing risks to the critical \nfunctions that drive our economy and are necessary to our National \nsecurity. Through the NRMC, Government and industry are coming together \nto create a more complete understanding of the complex perils that \nthreaten the Nation's critical infrastructure.\n    Risk is increasingly cross-sector in nature. A siloed approach to \nrisk identification and management simply will not work. By the nature \nof the threat, and infrastructure design, risk transcends \ninfrastructure sectors, is shared across State and National lines, and \nis held by both Government and industry. As an example, we recently \nbriefed industry on cyber activities that have been attributed to \nChina. Attempts to steal intellectual property do not discriminate \nbetween sectors of our economy. From biotechnology, to aircraft \ncomponents, to advanced rail equipment, and electrical generation \nequipment--information is at risk, and it can be weaponized. Similarly, \nthe cascading nature of cyber incidents across sectors is very real. We \nneed to look no further than NotPetya, the most costly cyber attack in \nhistory--which we have attributed to Russia--to see how risk easily \njumps across sectors and continents and how it can hit private sector \norganizations particularly hard.\n                      national critical functions\n    Historically, the U.S. Government has focused on prioritizing \ncritical infrastructure from the perspective of assets and \norganizations. 
A different approach for prioritization is needed to \nbetter address system-wide and cross-sector risks and dependencies. \nCISA, through the NRMC, is leading an effort to develop a set of \nNational Critical Functions to guide critical infrastructure risk \nmanagement.\n    National Critical Functions are defined as ``the functions of \nGovernment and the private sector so vital to the United States that \ntheir disruption, corruption, or dysfunction would have a debilitating \nimpact on National security, economic security, National public health \nor safety.'' This construct forces a risk management conversation that \nis less about whether an entity is a business or Government, and more \nabout what an entity does to manage risk and what risk it enables. This \nframework allows us to look at issue sets in the risk management space \nnot in isolation, but with a more holistic context.\n    We are partnering with SSAs and all 16 critical infrastructure \nsectors, including the Transportation Systems, Communications, \nFinancial Services, and Energy sectors to identify and validate \nNational Critical Functions. This list will be finalized in the coming \nmonths and will form the basis for subsequent analysis--including \nconsequence modeling and dependency analysis--in order to develop a \nRisk Register of the most pressing threats facing the critical \ninfrastructure community. Such a Risk Register will guide collective \naction between Government and industry on how to best address risk \nmanagement.\n    In doing the critical functions work, we have already identified \naspects associated with surface transportation, such as pipeline \noperations, that need to be prioritized in terms of security. 
Although \nwe are in our early stages of that work, we agree with the committee on \nthe pressing need to address risks associated with nation-state \nexploitation of vulnerabilities that link information to infrastructure \noperations and which could have significant consequences on community \nand economic security.\n                  surface transportation cybersecurity\n    The Pipeline Security Initiative is a partnership between CISA, \nTSA, the Department of Energy, and industry. Bad actors have shown \ninterest in infiltrating systems in sectors with less mature cyber \nhygiene, and using that access to better understand ways to manipulate \nequipment in sectors with more advanced security protocols. This can \nlead to critical pipeline systems, including water, natural gas, and \nliquid fuels, being at risk.\n    By leveraging the TSA's SSA expertise and CISA's technical \ncybersecurity capabilities, the Pipeline Security Initiative is working \nto improve our ability to identify and mitigate vulnerabilities to the \npipeline ecosystem. This initiative uses different voluntary \nassessments--ranging from single and multi-day inspections to self-\nassessments--to help our industry partners identify and mitigate \npotential vulnerabilities and provide the Government with a broader \nview of pipeline security risk.\n    In December 2018, we completed our first comprehensive assessment \nunder this new initiative. This initial assessment served as a \nsuccessful test-bed to ensure that tools and other techniques offer the \ndetail and data necessary to conduct the comprehensive analysis needed \nto ensure critical services and product flow through the pipeline \nsystems. We anticipate 9 more assessments in 2019.\n                           supply chain risks\n    Information and communications technology (ICT) is critical to \nevery business and Government agency's ability to carry out its mission \nefficiently and effectively. 
Vulnerabilities in ICT can be exploited \nintentionally or unintentionally through a variety of means, including \ndeliberate mislabeling and counterfeits, unauthorized production, \ntampering, theft, and insertion of malicious software or hardware. If \nthese risks are not detected and mitigated, the impact to the ICT could \nbe a fundamental degradation of its confidentiality, integrity, or \navailability and potentially create adverse impacts to essential \nGovernment or critical infrastructure systems.\n    Increasingly sophisticated adversaries seek to steal, compromise, \nalter, or destroy sensitive information on systems and networks, and \nrisks associated with ICT may be used to facilitate these activities. \nThe Office of the Director of National Intelligence (ODNI) acknowledges \nthat ``the U.S. is under systemic assault by foreign intelligence \nentities who target the equipment, systems, and information used every \nday by Government, business, and individual citizens.'' The \nglobalization of our supply chain can result in component parts, \nservices, and manufacturing from sources distributed around the world. \nODNI further states, ``Our most capable adversaries can access this \nsupply chain at multiple points, establishing advanced, persistent, and \nmultifaceted subversion. Our adversaries are also able to use this \ncomplexity to obfuscate their efforts to penetrate sensitive research \nand development programs, steal intellectual property and personally \nidentifiable information, insert malware into critical components, and \nmask foreign ownership, control, and/or influence of key providers of \ncomponents and services.''\n    CISA has launched the ICT Supply Chain Risk Management (SCRM) Task \nForce as a public-private partnership to mitigate emerging supply chain \nthreats. 
The Task Force is the main private-sector point of entry for \nour SCRM efforts and is jointly chaired by DHS and the chairs of IT and \nCommunications Sector Coordinating Councils. The Task Force is focused \non supply chain threat information sharing, supply chain threat mapping \nand assessment, establishing criteria for qualified bidder and \nmanufacturer lists, and incentivizing the purchase of ICT from original \nmanufacturers and authorized resellers.\n                               conclusion\n    In the face of increasingly sophisticated threats, DHS employees \nstand on the front lines of the Federal Government's efforts to defend \nour Nation's critical infrastructure from natural disasters, terrorism \nand adversarial threats, and technological risks such as those caused by \ncyber threats. The coming revolution of autonomous operations of \ninfrastructure and other core functions, which combines data, machine \nlearning, algorithms, and computing power and which is associated with \nmassive new markets in artificial intelligence, smart cities, and \nquantum computing is going to radically change the nature of National \nsecurity. The underpinning systems enabling functioning infrastructure \nhave become more complex, and design considerations have created new \nvulnerabilities. Combine the reality of adversaries who are seeking to \nachieve strategic gain in the global marketplace and there is an \nessential imperative to have security remain a first-order \nconsideration for key infrastructure deployments and in the \nestablishment of supply chains.\n    CISA is working with partners to meet this century's risks. Doing \nso requires being vigilant about security risk today and playing the \nlong game--which will require continued collaboration between the \nExecutive and Legislative branches. 
As the committee considers these \nissues, we are committed to working with Congress to ensure that this \neffort is done in a way that cultivates a safer, more secure, and \nresilient homeland.\n    Thank you for the opportunity to appear before the committee today, \nand I look forward to your questions.\n\n    Mr. Correa. Thank you, Mr. Kolasky.\n    I will now recognize Ms. Proctor, for your testimony; if \nyou can summarize your statements in 5 minutes. Thank you.\n\n  STATEMENT OF SONYA T. PROCTOR, DIRECTOR, SURFACE DIVISION, \n    OFFICE OF THE SECURITY POLICY AND INDUSTRY ENGAGEMENT, \n             TRANSPORTATION SECURITY ADMINISTRATION\n\n    Ms. Proctor. Thank you.\n    Good morning, Chairman Thompson, Chairman Correa, and \nRichmond, and Ranking Member Lesko, and distinguished Members \nof the subcommittee. Thank you for the opportunity to appear \nbefore you this morning to discuss the Transportation Security \nAdministration's efforts to secure surface transportation \nsystems including oil and natural gas pipelines from \ncybersecurity risks. I also want to thank you for the TSA \nModernization Act and the support of that.\n    TSA is committed to securing the transportation sector, \nwhich includes pipelines, against evolving and emerging risks \nsuch as cyber attacks; partnering with our private-sector \npartners to secure surface transportation from cyber attacks is \na critically important and complex undertaking.\n    The U.S. surface transportation system is a complex \ninterconnected and largely open network comprised of mass \ntransit systems, passenger and freight railroads, over-the-road \nbus operators, motor carrier operators, pipelines, and maritime \nfacilities. The various modes that make up the system operate \ndaily in close coordination with and proximity [inaudible] \ntransportation system, operating securely and safely.\n    Every year more than 10 billion trips are taken on 6,800 \nU.S. 
mass transit systems which range from small bus-only \nsystems in rural areas to large multi-modal systems in urban \nareas. Over-the-road bus operators carry approximately 604 \nmillion inter-city bus passengers each year; over 3,300 \ncommercial bus companies travel on the 4 million miles of \nroadway in the United States and on more than 600,000 highway \nbridges and through over 470 tunnels. Those same roads, \nbridges, and tunnels support the movement of goods throughout \nthe country by 8 million large-capacity commercial trucks.\n    As for our railroads and pipelines, more than 570 \nindividual freight railroads carrying essential goods operate \non nearly 140,000 miles of track and 2.75 million miles of \npipelines owned and operated by approximately 3,000 private \ncompanies, transporting natural gas, refined petroleum \nproducts, and other commercial products.\n    TSA's functions and authorities as a security agency are \nuniquely structured to tackle the challenges at the \nintersections of surface transportation and cyber risks. To \nsecure these networks, TSA leverages its mature intelligence \nand analysis capability along with its vetting and \ncredentialing programs to ensure it can quickly develop and \npromulgate risk mitigation guidelines and measures to \neffectively [inaudible] efforts are bolstered by strong \npartnerships, trust, and collaboration with our Federal \nand industry partners.\n    In this regard, industry works with TSA to share their own \nunique vulnerabilities and security needs. Through this open \ncommunication we collaboratively develop programs and \nguidelines for industry to voluntarily adopt to increase their \noverall security posture--an approach that has yielded \nsignificant security investments and improvements beyond what \nthe agency would have achieved from a regulatory approach \nalone. 
We believe that this voluntary and collaborative \napproach to developing and implementing security measures has \nbeen successful.\n    However, we also recognize that should the need arise, based on an \nimminent threat or real-world event, the TSA administrator has \nunique authority to require immediate implementation of certain \nsecurity measures through the issuance of security directives.\n    In December 2018, the TSA administrator issued the agency's \nCybersecurity Roadmap which will guide efforts to prioritize \ncybersecurity measures within TSA and across the transportation \nsystem over the next 5 years. TSA approaches both cybersecurity \nand physical security by identifying, assessing, and mitigating \nthe risk. TSA helps surface owners and operators identify \nvulnerabilities and risks in their operations and works with \nthem to develop and implement risk mitigating solutions.\n    In closing, TSA has been able to support the improvement of \nboth physical and cybersecurity across all surface modes of \ntransportation, including pipelines, thanks to the trust and \nrelationships we have cultivated with our Federal partners and \nindustry, as evidenced by the programs and resources TSA has \ncollaboratively developed and implemented for our surface \ntransportation stakeholders. TSA is committed to securing the \nNation's surface transportation system from terrorist \nactivities and cyber attacks.\n    TSA looks forward to working with Congress on these efforts \nand thank you for the opportunity to discuss these issues here \nwith you today. I look forward to the subcommittee's questions.\n    [The prepared statement of Ms. Proctor follows:]\n                 Prepared Statement of Sonya T. Proctor\n                           February 26, 2019\n    Good morning Chairmen Correa and Richmond, Ranking Members Lesko \nand Katko, and distinguished Members of the subcommittees. 
Thank you \nfor the opportunity to appear before you to discuss the Transportation \nSecurity Administration's (TSA) efforts to secure surface \ntransportation systems including oil and natural gas pipelines from \ncybersecurity risks.\n    TSA is committed to securing the transportation sector, which \nincludes pipelines, against evolving and emerging risks, such as cyber \nattacks. Partnering with our private-sector partners to secure surface \ntransportation from cyber attacks is a critically important and complex \nundertaking. As the director of national intelligence recently stated, \nour adversaries and strategic competitors have cyber attack \ncapabilities they could use against U.S. critical infrastructure, \nincluding U.S. surface transportation. As a disruption to any of these \nsystems would negatively impact our economy, commerce, and well-being, \nthe cyber attack threat is driving the Department of Homeland \nSecurity's efforts to increase the cyber resilience of surface \ntransportation.\n                         surface transportation\n    The U.S. surface transportation system is a complex, \ninterconnected, and largely open network comprised of mass transit \nsystems, passenger and freight railroads, over-the-road bus operators, \nmotor carrier operators, pipelines, and maritime facilities. The \nvarious modes that make up this system operate daily in close \ncoordination with and proximity to one another. Americans and our \neconomy depend on the surface transportation system operating securely \nand safely.\n    Every year more than 10 billion trips are taken on 6,800 U.S. mass \ntransit systems, which range from small bus-only systems in rural areas \nto large multi-modal systems in urban areas. Over-the-road bus \noperators carry approximately 604 million intercity bus passengers each \nyear. 
Over 3,300 commercial bus companies travel on the 4 million miles \nof roadway in the United States and on more than 600,000 highway \nbridges greater than 20 feet in length and through over 470 tunnels. \nThose same roads, bridges, and tunnels support the movement of goods \nthroughout the country by 8 million large capacity commercial trucks.\n    As for our railroads and pipelines, more than 570 individual \nfreight railroads carrying essential goods operate on nearly 140,000 \nmiles of track, and 2.75 million miles of pipelines, owned and operated \nby approximately 3,000 private companies, transport natural gas, \nrefined petroleum products, and other commercial products.\n    TSA's functions and authorities as a security agency are uniquely \nstructured to tackle the challenges at the intersections of surface \ntransportation and cyber risks. To secure these networks, TSA leverages \nits mature intelligence and analysis capability, along with its vetting \nand credentialing programs to ensure it can quickly develop and \npromulgate risk mitigation guidelines and measures to effectively \ncoordinate and address evolving risk.\n    TSA's security efforts are bolstered by strong partnerships, trust, \nand collaboration with our Federal and industry partners. In this \nregard, industry works with TSA to share their own unique \nvulnerabilities and security needs. Through this open communication, we \ncollaboratively develop programs and guidelines for industry to \nvoluntarily adopt to increase their overall security posture--an \napproach that has yielded significant security investments and \nimprovements beyond what the agency would have achieved from a \nregulatory approach alone.\n    We believe that this voluntary and collaborative approach to \ndeveloping and implementing security measures has been successful. 
\nHowever, we also recognize that should the need arise, based on an \nimminent threat or real-world event, the TSA administrator has unique \nauthority to require immediate implementation of certain security \nmeasures through the issuance of Security Directives (SDs).\n    TSA also actively collaborates with law enforcement entities, such \nas the Federal Bureau of Investigation (FBI), the Department of \nJustice, and the Joint Terrorism Task Force, to address attacks on \ncritical infrastructure and supporting networks. For example, TSA works \nwith the FBI to share intelligence information and host joint working \ngroups on investigation and enforcement for attacks on surface \ntransportation infrastructure. TSA also serves on the Energy Sector \nGovernment Coordinating Council, co-chaired by the Department of Energy \nand the DHS Cybersecurity and Infrastructure Security Agency (CISA), to \ndiscuss energy and pipeline security issues, provide insight on \nrelevant intelligence, and coordinate at the Federal level on pipeline-\nrelated security recommendations and programs. Additionally, TSA works \nclosely with the Pipeline and Hazardous Materials Safety Administration \nwithin the Department of Transportation for incident response and \nmonitoring of pipeline systems.\n                       tsa cybersecurity roadmap\n    In December 2018, the TSA administrator issued the agency's \nCybersecurity Roadmap, which will guide efforts to prioritize \ncybersecurity measures within TSA and across the transportation system \nsector over the next 5 years. 
The Cybersecurity Roadmap identifies 4 \npriorities which will help the agency achieve its cybersecurity goals:\n  <bullet> Identify cybersecurity risks;\n  <bullet> Reduce vulnerabilities to our systems and critical \n        infrastructure across the transportation systems sector;\n  <bullet> Mitigate consequences if and when incidents do occur; and,\n  <bullet> Strengthen security and ensure the resilience of the system.\n    The TSA Cybersecurity Roadmap has been supplemented with the \ndevelopment of an implementation plan which will assist in resource \nallocation to this critical area. In coordination with CISA, the \nFederal Government's lead cybersecurity agency, the TSA Cybersecurity \nRoadmap brings TSA's cybersecurity efforts into alignment with both the \nNational Cyber Strategy and the DHS Cybersecurity Strategy.\n         tsa's cybersecurity efforts for surface transportation\n    TSA approaches both cybersecurity and physical security by \nidentifying, assessing, and mitigating any risks. TSA helps surface \nowners and operators identify vulnerabilities and risks in their \noperations, and works with them to develop and implement risk-\nmitigating solutions.\n    TSA's cybersecurity approach to its critical infrastructure mission \nis based on the National Institute of Standards and Technology (NIST) \ncybersecurity framework, which is designed to provide a foundation that \nindustry can implement to sustain robust cybersecurity measures. 
TSA \nshares information and resources with industry to support adoption of \nthe framework.\n    TSA cybersecurity resources and efforts for all modes of surface \ntransportation include:\n  <bullet> Cybersecurity Toolkit.--Provides information on an array of \n        resources, recommendations, and practices available at no cost \n        to surface transportation entities.\n  <bullet> Cybersecurity Counterterrorism Guides.--``Pocket'' resource \n        guides to help educate all levels of surface transportation \n        professionals on potential cyber threats, actions they can \n        take, and best practices. Over 59,000 cybersecurity guides have \n        been distributed across all modes of surface transportation.\n  <bullet> Cybersecurity ``5N5'' Workshops.--Provides owners and \n        operators of critical infrastructure with an awareness of \n        existing cybersecurity support programs, resources, familiarity \n        with the NIST Framework, and an opportunity to discuss \n        cybersecurity challenges and share best practices. 
Workshop \n        participants leave with immediate benefit by receiving 5 non-\n        technical cybersecurity actions to implement over 5 days (5N5).\n  <bullet> Cybersecurity Awareness Messages (CAMs).--Disseminates \n        information to stakeholders either in response to real-world \n        events or in anticipation of significant anniversaries or \n        holidays to support the transportation security community's \n        efforts to increase their cybersecurity posture, and recommends \n        voluntary cybersecurity protective measures.\n  <bullet> Daily Cybersecurity Reports.--The Public Transit and Over-\n        the-Road Bus Information Sharing and Analysis Centers \n        distribute daily cybersecurity awareness reports to their \n        members.\n    Pipeline-specific cybersecurity efforts include:\n  <bullet> TSA Pipeline Security Guidelines.--Initially developed in \n        2010 and revised in 2011, the Guidelines were revised again in \n        2018 to align with the NIST Cybersecurity Framework. TSA added \n        a new cybersecurity section to more accurately reflect the \n        current threat environment to help inform industry on how best \n        to allocate their security resources based on their operations.\n  <bullet> TSA-Federal Energy Regulatory Commission (FERC) Joint \n        Voluntary Cyber Architecture Reviews.--Assesses the pipeline \n        system's cybersecurity environment of operational and business \n        critical network controls. 
These controls include the networked \n        and segregated environments of Industrial Control System \n        components, such as Supervisory Control and Data Acquisition, \n        Distributed Control Systems, Remote Terminal Units, Human \n        Machine Interfaces, and Process Logic Controllers.\n  <bullet> Pipeline Cybersecurity Assessments.--DHS has established an \n        initiative to evaluate the cybersecurity posture of critical \n        oil and natural gas pipeline systems to determine their \n        cybersecurity practices and promote resilience. TSA has \n        partnered with CISA to develop on-site cyber assessments of key \n        pipeline systems as part of the Pipeline Security Initiative. \n        The assessments will provide pipeline owners with a \n        comprehensive evaluation and discovery process, focusing on \n        defense strategies associated with asset owners' specific \n        control systems network and segregated control assets. We plan \n        to evaluate as many critical pipeline systems as possible on \n        their cybersecurity posture by the end of this fiscal year, as \n        time and funding allows.\n  <bullet> Corporate Security Review (CSR) Program and Critical \n        Facility Security Review (CFSR) Programs.--CSRs are conducted \n        to evaluate existing corporate security policies, procedures, \n        and practices, and make recommendations for improving existing \n        corporate security posture. The TSA CSRs have been updated to \n        include a more comprehensive and robust review of the \n        cybersecurity policies, plans, and practices that the pipeline \n        industry is employing. The CFSR program evaluates the top 100 \n        most critical pipeline systems in the United States, collecting \n        site-specific information from the facility operator on \n        security policy, procedures, and physical security measures. 
\n        The CFSR program assessment questions have also been updated to \n        include cyber-specific measures.\n  <bullet> Classified Briefings.--TSA sponsors Classified briefings for \n        pipeline owners and operators. These briefings provide owners \n        and operators with a need to know on updated pipeline cyber \n        threat information.\n          pipeline security success through voluntary actions\n    TSA had great success in working with the pipeline community to \ndevelop and implement voluntary guidance and programs to enhance their \noverall security programs and raise their baseline levels of security. \nSpecifically, the pipeline community has been very supportive and \nreceptive to our Pipeline Security Guidelines, including the addition \nof a comprehensive cybersecurity section. The guidelines serve as the \nde facto standard for pipeline security programs, and were developed in \nclose coordination with the pipeline industry. Major pipeline industry \nassociations continue to show support of and collaboration with the \nmeasures set forth in the guidelines. Associations such as the American \nGas Association, the Interstate Natural Gas Association of America, and \nthe American Petroleum Institute, have written ``membership \nstatements'' committing to voluntary adherence to the Pipeline Security \nGuidelines.\n    Pipeline operators have shown a willingness and ability to \nvoluntarily implement the mitigation measures set forth in the \nguidelines. We have strong evidence that an industry-backed voluntary \nprogram to reduce risk by increasing compliance with the guidelines is \nworking. 
TSA conducted 23 CSRs in fiscal year 2018, and those pipeline \noperators assessed had a 90 percent compliance rate regarding Corporate \nSecurity Program Management; an 85 percent compliance rate regarding \nSecurity Incident Management; and an 80 percent compliance rate \nregarding the TSA recommended cybersecurity practices detailed in the \n2011 Guidelines. In addition, we have seen a strong increase in \ncorporate compliance when comparing results from a second review to a \ncompany's first review. For 10 companies where we have conducted a \nsecond CSR, we have seen the number of recommendations made decrease \nfrom a total of 446 recommendations (first review) to 146 (second \nreview). In addition, companies have implemented corrective actions on \nover 81 percent of the recommendations made during our CFSRs. This very \nhigh rate regarding corrective actions is indicative of industry \nacceptance and adherence to TSA Guidelines. In fiscal year 2019, we \nwill compile similar CSR data based on the updated 2018 Guidelines, \nwhich will help determine how and where we apply additional resources \nto the pipeline industry.\n                               conclusion\n    In closing, TSA has been able to support the improvement of both \nphysical and cybersecurity across all surface modes of transportation, \nincluding pipelines, thanks to the trust and relationships we have \ncultivated with our Federal partners and industry. As evidenced by the \nprograms and resources TSA has collaboratively developed and \nimplemented for our surface transportation stakeholders, TSA is \ncommitted to securing the Nation's surface transportation system from \nterrorist and cybersecurity attacks. TSA looks forward to working with \nCongress on these efforts. Thank you for the opportunity to discuss \nthese important issues. I look forward to the subcommittees' questions.\n\n    Mr. Correa. Thank you, Ms. 
Proctor.\n    I thank both of our witnesses for their comments.\n    Remind the Members that each one of us will have 5 minutes \nfor questions.\n    I will now recognize myself for some questions. Ms. \nProctor, I would like to start out with you. TSA currently \nrelies on voluntary standards for pipeline [inaudible] tell me, \nis this good or bad?\n    Ms. Proctor. The approach that we use for working with the \npipeline industry has been very successful. Yes, we indeed do \nuse a voluntary approach, our Pipeline Security Guidelines were \ndeveloped with the industry and they were developed to allow a \nvoluntary involvement with the pipeline industry. What we know \nis that with these guidelines we have flexibility to adjust the \nguidelines to the threat environment and certainly if the \nthreat dictates, if there is a significant threat, the \nadministrator of TSA has the authority to issue a security \ndirective to focus on that threat and to require security \nmeasures to address that specific threat.\n    Mr. Correa. So, Ms. Proctor, you are saying because of the \ncharacteristics of cyber attacks that specific regulations \nwould be counterproductive in this area?\n    Ms. Proctor. Yes, Mr. Chairman. The nature of cyber threats \nis that they are constantly emerging. They are emerging--much \nfaster than the Government's ability to write regulations to \naddress them and in this fashion if there is a significant \ncyber threat the administrator may address that through a \nsecurity directive.\n    Mr. Correa. Any thoughts about how you would keep us as \npolicy makers apprised of your progress or lack thereof since \nyou are looking at really voluntary standards, self-reporting?\n    Ms. Proctor. Mr. 
Chairman, we would be happy to report to \nthis committee on our progress with industry on the progress of \nthe assessments that we conduct with industry; we actually go \nout and conduct corporate security reviews, looking at the \nheadquarters, planning, the planning for cybersecurity plans, \nphysical plans, and we go out into the field and conduct \nassessments at critical facilities. We conduct critical \nfacility, security reviews in the field and we are comparing \nwhat we see in the field to the agreed-upon Pipeline Security \nGuidelines.\n    Mr. Correa. Complying with the cybersecurity challenge can \nbe very expensive, for the private sector or Government. So my \nquestion to you is, the private sector, do you see them \ncomplying voluntarily with what they have got to do? Which is \nto come up with the best practices, minimum standards or do you \nhave to push folks to go in the right direction; do you have to \npush folks to do the right thing?\n    Ms. Proctor. Sir, what we have witnessed is that the \nvoluntary approach has been very successful. We have found that \nthe companies are making those investments in their own \ncybersecurity, as well physical security, and they are doing \nthat to protect their ability to carry on their business as \nwell so we do believe that it has been effective in this \nvoluntary environment.\n    Mr. Correa. Quickly, another area, the realignment, TSA is \nrealigning some of its functions. Can you explain to us how \nthis realignment will affect surface transportation security?\n    Ms. Proctor. 
As a result of the realignment that \nAdministrator Pekoske has directed, the Surface Division assets \nare going to shift over into the security operations area where \nthey will join with our Transportation Security Inspectors who \nare already in the field, that Field Force is 200-plus strong \nso we will be combining our surface division--our current \nsurface division assets with the 200-plus Transportation \nSecurity Inspectors in the field, they will be working with us \nin conjunction with our transportation security partners in the \nfield.\n    Mr. Correa. Thank you very much.\n    I am going to yield the remainder of my time.\n    I will now recognize our Ranking Member for the \nTransportation Subcommittee, the gentlewoman from Arizona, Mrs. \nLesko, for some questions.\n    Ma'am.\n    Mrs. Lesko. Thank you, Mr. Chairman.\n    My first question is for either Ms. Proctor or Mr. Kolasky, \nor both. Some have suggested that other Federal agencies take \nover the role of physical and cybersecurity for pipelines, such \nas the Department of Energy and I was wondering if one of you \nor both of you can comment on why you think that it is \nimportant that it remains under the purview of TSA and \nDepartment of Homeland Security?\n    Ms. Proctor. Thank you, Ranking Member. 
We do believe that \nthe security of pipelines is best placed under the Department \nof Homeland Security and the assets that the Department of \nHomeland Security can bring to bear for the security of the \npipelines.\n    As has been mentioned here today, we are working very \nclosely with CISA to conduct comprehensive cybersecurity \nassessments on pipelines and the authority that I mentioned \nthat the administrator, the TSA administrator has, gives him \nthe authority to require whatever measures are necessary to \nsecure the pipelines to be implemented almost immediately at \nhis direction, to secure the pipelines from any type of threat, \nwhether that threat is a cyber threat or whether it is a \nphysical threat.\n    Mr. Kolasky. If I could just add to that, Ranking Member \nLesko, you know, one of the things we recognize, Sonja, and I, \nand our offices recognized is that we have some unique \ncapability across DHS that we can apply to the pipeline threat \nand within the agency, the partnership we have established has \nreally served as a force multiplier to TSA cybersecurity \nefforts.\n    The other thing I would augment that with, why I think this \nis a good place for it to be, is the fact that a lot of the \nnature of these risks, the control systems, the fact that \npipelines contribute to other critical infrastructures are \ncross-sector and we really are a place and we serve as the hub \nto bring information across sectors when we learn about risks \nto some operational technologies, we can quickly get it in the \nhands of TSA, to get out to the pipeline owners and operators, \nwe work together on that.\n    There's just a lot of shared risk in this space and \nseparating critical infrastructure, too much across agencies \nyou know, really runs the risk of creating stovepipes. 
I mean, \nright now we have got a nice blended mix of working with \nagencies, we work closely with the Department of Energy but I \ndon't think you want to take cybersecurity responsibilities out \nof DHS and put them further afield because of that they are \nmore just challenge----\n    Mrs. Lesko. I have one more question for, Ms. Proctor. Let \nme just read this from my notes. Recently the GAO determined \nthat, in a recent audit, determined that [inaudible] risk had \nfailed to identify critical facilities due to a lack of clarity \nfrom TSA on defining of facilities' criticality. To remedy \nthese challenges GAO recommended that the TSA administrator \ntake 10 actions with which TSA concurred [inaudible] what \nactions have been taken so that these high risks are \nidentified?\n    Ms. Proctor. Yes ma'am. Certainly, we have reviewed the GAO \nreport. We concur with the recommendations that GAO offered and \nwe are in the process now of addressing those recommendations \nthat were made by GAO. As you noted there were 10 \nrecommendations that were made by GAO and four of those \nrecommendations deal with the pipeline risk ranking tool that \nwe used to help establish risk in the pipeline industry so we \nare diligently working on all of the recommendations but we do \nexpect to have at least the first recommendation concluded \nwithin about 60 days.\n    Mrs. Lesko. Thank you, ma'am.\n    I yield back my time.\n    Mr. Correa. Thank you, Mrs. Lesko.\n    I now recognize the Chairman of the Cybersecurity \nSubcommittee, the gentleman from Louisiana, Mr. Richmond.\n    Mr. Richmond. I will pick up where the Ranking Member left \noff and, Ms. Proctor, your answer indicates that you will \naccomplish number 1 out of 10 in 60 days, what about the other \n9?\n    Ms. Proctor. Mr. Chairman, we are working on all of those \n10 recommendations at the same time. 
We have limited resources \nto work on all of them at the same time so we are working to \naddress the ones that we know that we can satisfy and those \ninvolve, again there were 4 that were associated with the risk \nranking tool, so we are working directly on those, as well as \nthe one that addresses the policy that we need to put in place \nfor the review of the actual guidelines.\n    Mr. Richmond. Let me just give you kind of an overview of \nmy district, largest petrochemical footprint in the country. We \nare neighbors to chemical facilities. We have all of the major \nrail lines running through our communities and for the most \npart they are good corporate neighbors, good employers, and \nthey pay well.\n    However, when we look at the risk associated with that, we \nhave to make sure we mitigate it because on those rail cars \nthat come through our communities are dangerous chemicals and \nevery other thing that you can think of. So when we are looking \nat this, are we communicating the best, do we have strategic \npartnerships set up? It is important to us and so as we talk \nabout the cyber risk for, let us say rail, and our pipelines \nand our oil rigs and all of those, that now a lot of that is \ncontrolled electronically.\n    If you think about the BP disaster which was an accident, \nthink of a BP disaster that was an attack, so how are we \ncommunicating with those companies? But have we done anything \nto make sure that those companies are holding their \nsubcontractors in their supply chain to the same high standards \nthat we want to hold them to?\n    Mr. Kolasky. So I can talk a little bit about the nature \nof your question. As you know, you mentioned chemical, you \nknow, through the CFATS regulation we put additional \nrequirements on chemical security, some of the facilities that \ndealt with that. 
You know, you referenced the oil and natural \ngas industry which operates pipelines that produces a lot of \nwhat you are talking about; we work closely with the oil and \nnatural gas industry, with the Department of Energy.\n    You know, specifically in terms of supply chain risk, we \nagree that this is an area that we have got to get deeper into, \npeople understanding the supply chain, I think there's an \nunderstanding of that.\n    I referenced in my opening remarks a task force that we \nhave established with critical infrastructure owners and \noperators which are focused particularly on threat information \nsharing, setting up processes through threat-based decision \nmaking, where should threat-based decision-making criteria be \nestablished, that will be an interagency process where we are \nable to get threat information out to help owners and operators \nmake a decision about companies or products they might not want \ninserted in the supply chain; we are advocating, more deeply \nunderstanding what is in a supply chain, that is an important \nelement.\n    But then there's also, it has to be mitigation steps, you \nknow, are people [inaudible] again is that written in the \nexpectation to do so in the contracts, that is the kind of \nstuff we are studying the Task Force to make recommendations to \nthe Federal Government, how to do that for our own Federal \nnetworks but also for critical infrastructure owners and \noperators and what incentives will get people deeper in.\n    So you know, I would summarize a problem that we probably \ndon't have enough information out there to help everyone be \nsmarter buyers that could [inaudible] in talking industry we \nwill understand why the information might not lead to the right \ndecisions being made or us taking too much risk on, we don't \nwant to deal with this by just cutting off things but we want a \nbetter understanding of risks that is being put into supply \nchains and when there are [inaudible] 
that could be put out \nthere.\n    Mr. Richmond. Well, and I guess I will just say before Ms. \nProctor takes a shot of it but think of passenger rail which is \nalmost completely electronic, what are we doing to ensure the \ntraveling public's safety and do we have a sense of urgency \nunderstanding the risk that is out there?\n    With that, Mr. Chairman, I will yield back the balance of \nmy time.\n    Mr. Correa. Thank you, Chairman Richmond.\n    The Chair will now recognize other Members for questions \nthat they may want to ask.\n    In accordance with our committee rules, I will recognize \nMembers who were present at the start of the hearing, based on \nseniority in the committee, alternating between Majority and \nMinority. Those Members coming in later will be recognized in \nthe order of their arrival.\n    The Chair recognizes for 5 minutes, the gentlelady Ms. \nBarragan, from California.\n    Ms. Barragan. Thank you.\n    I am going to actually, going to follow up on a question \nthat Congressman Richmond just asked. In December 2016 L.A. \nMetro received a terror threat from abroad. It led to \nheightened security and this terror threat was on a commuter \nrail station, one that went into downtown Los Angeles, impacted \nabout 150,000 riders a day on this line. So my question, it \nwas very similar to what Mr. Richmond just asked, but didn't \nget an answer from. So I am going to follow up there.\n    When we talk about cybersecurity risk, to what degree are \nwe considering the safety of the traveling public as well, and \npassenger rail and mass transit rely on computerized systems; a \ncybersecurity attack on the system could also mean risking the \nsafety of the traveling public. What is being done to mitigate \nthese risks to the public and both of you can answer.\n    Ms. Proctor. 
We provide both information and intelligence \nand that intelligence is delivered sometimes in an unclassified \nsetting but it is also delivered in a Classified setting, that \nis one of the most important things that we do, is keeping the \nsystems informed about the level of threat, the type of threat, \nwhich gives them the information that they need to apply \nmitigating measures to that particular threat.\n    In conjunction with the supply chain issues that my \ncolleague mentioned, those issues put them in the best position \nto ensure the safety of the traveling public. Most of our \ntransit systems have either their own law enforcement component \nor they have an agreement with their local law enforcement \nagency to provide security for the system. We have found them \nto be very engaged.\n    We have found them to be involved in receiving \ninformation not only from TSA but from our colleagues at the \nFBI, with the Joint Terrorism Task Force and with their \n[inaudible] to be effective. When we receive information that \nsuggests that some threat is present in mass transit you will \noften see an increased visibility; uniformed law enforcement \nofficers including the VIPR teams from TSA, the ground-based \nFederal Air Marshals who support our surface transportation.\n    We take that information very seriously and as soon as we \nreceive information that suggests that there might be some \nthreat to the system and whether that threat is physical or \ncyber, we reach out to those systems to make sure that they are \naware so they can start to apply mitigating measures.\n    Ms. Barragan. Right.\n    Mr. Kolasky, do you want to add anything to that?\n    Mr. Kolasky. Yes. Let me talk to, specifically about the \nrail. 
So Sonja mentioned information sharing, we know a lot \nabout cyber information, cyber things that might be happening \nbut one thing we did, a couple years ago is work with the rail \nindustry to attach cyber indicators, things that could be \nhappening in terms of tactics, techniques of a cyber attack, to \ncontrols that would be most useful in a rail transit context. \nSo you know, we took general information and we organized it by \nusing the NIST Cybersecurity Framework, working with industry \nwhere we could take specific indicators and say, if you see \nthis sort of stuff, here's what you might want to do in a rail \nsystem, it is--it is that customization that helps.\n    Then I would just add on the physical security which you \nreferenced in 2016 and another thing we do at DHS is you know, try \nto enhance soft-target security and technology development that \ncan be deployed in transit settings you know, through our \nScience and Technology Directorate partnership with TSA and \n[inaudible] and do stuff through funding in transit systems so \nyou know, we are getting better every [inaudible].\n    Ms. Barragan. Recruiting and retaining a skilled cyber work \nforce is something the DHS and this committee has had a top \npriority to do. Historically CISA has struggled to fill \nimportant cybersecurity positions and I understand that TSA is \nalso looking to grow its cybersecurity work force. Mr. Kolasky, \ndoes the new National Risk Management Center have enough of the \nright people to carry out the ambitious goals you described \nwithout depleting personnel from other parts of CISA?\n    Mr. Kolasky. 
We have all pledged not to cannibalize each \nother so I think that is a good strategy here.\n    You know, we started with a good basis of analysts who have \nexperience, thinking about strategic risk, analyzing strategic \nrisks, doing planning, but we will be continuing hiring as we \ngo forward to establishing the National Risk Management Center, \nwe have about 20 positions that we are in the process of \nfilling so you know, as a director of an organization I always \nwant more talent; we are going to be pushing for it. I think we \nhave the ability to recruit people, becoming the Cybersecurity, \nInfrastructure Security Agency is motivating us to get better \ncandidates; we are using tools, incentives to hire people and \nthings like that, but we want to keep pushing.\n    Ms. Barragan. Yield back.\n    Mr. Correa. Thank you, Mrs. Barragan.\n    I will now call on the gentlelady from New York, Miss Rice, \nfor 5 minutes for questions.\n    Miss Rice. I am familiar with one of the largest subway \nsystems that we have in this country, New York City Subway \nSystem. It is a system that services 5.7 million people every \nsingle day, traveling through 472 subway stations and across \n662 miles of track--that is 1.8 billion people per year so I \nwonder if there is a strategy specifically. I need to look into \nthis with the NYPD which I think is probably one of the premier \nlaw enforcement agencies that you work hand-in-hand with.\n    Is there a strategy, and more importantly in New York City \nwhere everyone is very impatient, and likes to get from Point A \nto Point B as quickly as possible? 
You know, after 9/11 \neverything changed about how you travel, when you go into the \nairport.\n    Is there a public appetite for that kind of security system \nbefore you enter any system and I guess this is really a \nrhetorical question so that is just to throw that out there and \nI mentioned the impatience of New Yorkers because anything that \nslows down their travel is something that they will probably \nsquawk about but you know, I would hate to have that be \ninstituted after a terrible tragedy happens where the appetite \nmight be more [inaudible] another thing, I'd like to ask you \nabout is China's growing footprint in the United States. \nIndustrial supply chain and infrastructure. They are rooted in \npart by the emergence of the state-owned China Railway Rolling \nStock Corporation, CRRC for short, which I am sure you are all \nwell aware but they have won 4 out of 5 large U.S. \ntransportation [inaudible] has won contracts with the \nMetropolitan transportation authorities in Philadelphia, \nBoston, Chicago, and Los Angeles.\n    Another source I believe of the anxiety around these \nacquisitions concerns is the development that CRRC won these \ncontracts by placing low bids. Many critics point to the fact \nthat the company receives support from Chinese government \nthrough state subsidies which other contractors do not.\n    But also you know, you have Members of Congress, the \nPentagon, and industry experts that have stated concerns about \nChina's capabilities in deploying Chinese manufactured subway \nrailcars to engage in cyber espionage and surveillance, similar \nto the Government's concern when it comes to Huawei in the \ntelecommunications field. What is the level of concern that \neither one of you have? 
You know, and I guess this is a supply \nchain question as well, but it seems to me that this is like a \nbig red flag; I know that New York does not contract with CRRC \nbut just your thoughts on that, it seems like just such a huge \nred flag.\n    Mr. Kolasky. So two versions of thoughts. One thing that we \nhave to do, what we can to protect our information to not allow \nChina to use business information. [inaudible] There is an \nincreased threat and risk out there.\n    If you ask our specific concerns about any one of these, it \nis less about whether it is CRRC or anything, it is about \npractices that have been put in place to make sure that risk \nisn't being introduced into the system.\n    So you know, this really comes into procurement questions, \ndo we have tight procurement, let us please not go with the \nlowest bidder price-wise if you are a Metro Transit Authority, \nlet us make sure that they hit pretty tough security \nrequirements and then you can make a price-based decision but \nthe security requirements have to be built into the contracts, \npart of those security requirements is looking at the \nmanufacturing, where the manufacturer's going, getting eyes on \nas a procurer with technical expertise to make sure risk isn't \nbeing introduced at the point of manufacturing [inaudible] how \nyou set up the maintenance so I don't want----\n    Miss Rice. Do you set up those requirements or at least the \nlaundry list of things that States and municipalities should \nlook at. How many States adhere to them?\n    Mr. Kolasky. So, I mean, we are still in the process of \nworking with the Transit Authorities. We had a conversation on \nFriday where we shared some intelligence information around \nthat to help make decisions. Right now, I think there's an \nopportunity for companies to put greater requirements into \nprocurement language, that is something that the TSA and us \nwill be working with the industry on.\n    Miss Rice. 
So what would be the pushback against adhering \nto your guidelines?\n    Mr. Kolasky. I think when you talk to chief operating \nofficers, security officers, they want to do that, it is \npressures that they get from other pressures in----\n    Miss Rice. With costs?\n    Mr. Kolasky. Yes. So you know, we understand that these \ndecisions are trade-offs. We want to be in the side of pushing \nhard for security, recognizing that there are other pressures, \nthe business in the Transit Authority space.\n    Miss Rice. Whether it is interference in our election \nprocess which is well-documented. I mean, we have so many \nvulnerabilities across so many fundamental infrastructures in \nthis country that we have to have a serious conversation about \nthis and I just think that if you are going to set up \nguidelines, we have to try to understand why States are not \ngoing to adopt them and abide by them, if you are the agency \nfrom whom they are supposed to be getting this?\n    Mr. Kolasky. Sure there is good procurement in there.\n    We agree you know, we will set the guidelines, we will help \nthem do that. When security-based procurement decisions or \ninformed procurement decisions are not happening, that is where \nthe Executive branch and Legislative branch should have a \nconversation about what are the limitations for that happening.\n    I don't know, I don't want vulnerabilities to turn into \nrisk, they are vulnerabilities as you said but let us really \ntake a risk-based approach to where the priority should before \nactivity.\n    Miss Rice. When you come up with those guidelines, what \ndata are you using to kind-of push that information out, what \nare you basing your concerns on in terms of the supply chain, \nthe procurement process?\n    Mr. Kolasky. 
Based on, first of all, seeing systems, so
where we see vulnerabilities let us stick with elections
perception, we have gone out and we have worked with States and
counties to look at their election systems, see some common
vulnerabilities, we do that.
    Also working with the vendors in areas to understand you
know, areas where additional guidelines would help their own
security side and taking advice through these protected
conversations, through the Critical Infrastructure Partnership
Advisory Council structure, we are hearing me, as somebody who
wants to make a security decision, do not feel like I have all
the information I need to make a security decision. So it is
these conversations that help us.
    Miss Rice. Do you have anything that you want to add?
    OK.
    Thank you. I yield back.
    Mr. Correa. Thank you, Miss Rice.
    I will call in the gentleman from Rhode Island, Mr.
Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    I want to welcome our witnesses here today and thank you
for your testimony.
    Before I begin, I just want to mention I concur with
Chairman Thompson [inaudible] keep the pipeline, cybersecurity
in the realm of TSA and not see it shipped over to DOE so I
think that is an important point to make and I am glad that it
has been raised here today.
    Obviously with all this and I think this hearing is
essential to focus on transportation security especially to
cybersecurity, these are the things that keep me up late at
night you know, as you know, where is the most damage that can
be done is in the area of critical infrastructure, in a number
of fields and so one of the aspects I want to focus on today is
on pipeline security and obviously you need the right policies
and procedures and plans put in place, you need the right
people with the right expertise.
    So, Ms.
Proctor, let me start with you, December 2018 GAO
report indicated that staffing in the Pipeline Security
Division was a major challenge with a number of empties ranging
from 14 all the way down to 1, across several fiscal years.
What is the current staffing level of the Pipeline Security
Division?
    Ms. Proctor. Today the current staffing level is 5 but I
think it is important to say that with the realignment that has
been directed by the administrator, we will be shifting into
the Security Operations organization where we will have the
benefit of the additional Transportation Security Inspectors in
the field. You know, there are 200-plus of them that will serve
all of surface transportation so our Pipeline Section will be
much larger, we will draw from that pool of Transportation
Security Inspectors to provide the training and the experience
to put them in the Pipeline Section.
    Mr. Langevin. How many do you estimate will be in and
specifically dedicated to pipeline security, or are you talking
about, they are going to be leveraged across all those fields
and from time to time they will rotate into the pipeline
security, I am not clear on your answer?
    Ms. Proctor. Well, we think the Pipeline Section is going
to require specialized training so we are going to put those
people in there, provide the training and make sure that they
are qualified to go out and do those assessments.
    We have not arrived at a final number yet, we are still
working on some of the staffing issues or the shifting of
personnel because it will serve all of our surface
transportation partners in a way that is going to allow us to
put more people in the field working directly with our surface
transportation partners.
    Mr. Langevin. So of the 5 that you mentioned, those staff,
how many have expertise in cybersecurity specific?
    Ms. Proctor. I am sorry we have none that have specific
cybersecurity expertise.
They do have pipeline expertise but
not cyber expertise.
    Mr. Langevin. I find that a troubling answer but let me ask
you, across all TSA services, service transportation of course,
how many specialize in cybersecurity?
    Ms. Proctor. TSA does not have cybersecurity specialists.
We rely on our colleagues at CISA for cyber expertise. I mean,
that is a specialized field so we do rely on the DHS experts to
provide that input and they have, we work directly with them
when we were developing the Pipeline Security Guidelines, and
got input from them to develop the current Pipeline Security
Guidelines that have a cybersecurity section in them.
    Mr. Langevin. OK. So we will stay on the topic of pipeline
security, approximately how many Critical Pipeline Systems are
there again in the United States? You maybe talked about this
earlier on, but----
    Ms. Proctor. That number varies depending on mergers and
acquisitions, the number we work with is somewhere around
120.
    Mr. Langevin. OK so I [inaudible] at end of the year, I
mean, in your view given the number of pipelines that we are
talking about, is that adequate? Because it does not seem so to
me.
    Ms. Proctor. I don't want to suggest that those are all of
the pipeline assessments that we do so we still do critical
facilities, security reviews and those are separate from the 10
comprehensive cyber assessments that we are doing with CISA so
we will continue to do those critical facilities security
reviews. We completed 62 of those last year, even given the
resources that we are working with now, but the 10 that we are
referring to are going to participate in the Comprehensive
Cyber Security Assessments that we are doing with CISA.
    Mr. Langevin. OK, before my time runs out, I want to ask
you, Ms.
Proctor, again the TSA Cybersecurity Roadmap provides
for the development of an implementation plan to see it put
into practice so has the actual implementation plan been
developed?
    Ms. Proctor. We are in the process of developing that plan
now. You know, we recognize the priorities in the cybersecurity
plan and the value that it is going to bring to us in surface
transportation. That plan is relatively new but we are
reviewing that plan now to determine how we can implement that
in surface transportation.
    Mr. Langevin. When do you think the plan will actually be
finalized and is Congress going to be provided a copy of that?
Because we would like a copy.
    Ms. Proctor. We would be happy to provide a copy of that
finalized plan and I can certainly provide you an update on
when--when we believe that is going to be finalized. As
indicated, we are working through a number of requirements
right now including the GAO requirements so we are working on
all of those concurrently.
    Mr. Langevin. All right. Before my time runs out, I just
want to ask this though, how do you expect the [inaudible] with
the roll-out of the Roadmap and what additional resources, if
any, are required to carry out the new plan once it is
finalized?
    Ms. Proctor. The Cybersecurity Roadmap is going to require
more coordination with CISA and we will have to determine the
resources based on how we see that plan rolling out and how we
see it being implemented across all of the surface
transportation modes, but we have been working very closely
together, so those are some things that we are going to have to
continue to work and to ensure that we can carry out the
administrator's intent on that plan.
    Mr. Langevin. But the resources are going to be factored
in, and actually as the plan is finalized you are working
through those additional resource requests now as well?
    Ms. Proctor. I am sorry, I didn't----
    Mr.
Langevin. You are planning for additional resource
requests once the plan is finalized, is what I am hearing you
saying, correct?
    Ms. Proctor. Yes sir.
    Mr. Langevin. OK.
    Thank you very much.
    I will yield back.
    Mr. Correa. Thank you, Mr. Langevin.
    Now I would like to call the gentlewoman from New Jersey,
Mrs. Watson Coleman, for 5 minutes of discussion.
    Mrs. Watson Coleman. Thank you, Mr. Chairman.
    Thank you very much for your testimony. What is the
greatest threat from a cybersecurity attack on the pipeline? Is
it that it would cut the flow of the natural gas or is it that
it would blow up, what is it?
    Ms. Proctor. So we recognize that the threats to pipeline
from a cyber perspective do exist. Most of our significant
pipelines are controlled to some extent by computer systems
that manipulate valves and switches and controls----
    Mrs. Watson Coleman. Right.
    Ms. Proctor. So that impact would more likely affect the
operation of the system. We would assume that it would affect
more the operation of the system, the flow perhaps of the
commodity.
    Mrs. Watson Coleman. Is there any other kind of threat that
could result in either a leakage or an explosion that could be
triggered by some nefarious actors?
    Mr. Kolasky. So I think we would like to have a follow-up
conversation with you about threats where we can be more
specific in a different setting. I don't mean to put you off--
--
    Mrs. Watson Coleman. OK.
    Mr. Kolasky. But I think that is more appropriate.
    Mrs. Watson Coleman. Thank you, because I am concerned. Do
you work with FERC at all?
    Ms. Proctor. Yes ma'am, we do.
    Mrs. Watson Coleman.
Because in New Jersey, in my district,
there's a PennEast pipeline and I visited a home and the
pipeline is going through that person's yard and as close as
you are to me, is as close to the pipeline is to the woman's
bedroom and so things like that concern me about the siting of
these pipelines but in addition FERC hasn't had the
responsibility, the requirement of saying whether the pipelines
are in the vicinity and that could be somehow accessed so that
we don't have so many pipelines, we just have the efficiency
that we need and you don't deal with that issue with FERC at
all in terms of siting, right?
    Ms. Proctor. No ma'am. We don't deal with the issue of
siting at all. We do work closely with FERC and we have
conducted Cyber Architecture Assessments with FERC so----
    Mrs. Watson Coleman. But that is not proximity. That is not
location, that is infrastructure, right?
    Ms. Proctor. Correct.
    Mrs. Watson Coleman. If we have to have this conversation
in another setting but we keep talking about the
vulnerabilities that exist either in supply chain or in
cybersecurity or in any way impacting the safety and security
of any rail transportation, any pipelines and we say that we
are doing things to advise our clients, whomever of these
vulnerabilities.
    Can you tell me in this setting: (A) How we identify these
vulnerabilities, and (B) how does the procurer ensure that
there's language or whatever that protects that item that they
are purchasing that is being built by China or anybody else? Is
that something that we can discuss here?
    Mr. Kolasky. Yes. To some extent.
I mean, first of all, I
want to reinforce that most of these worst-case scenarios,
there is a lot of fail-safes, there's layered defenses broken,
built in here and you know, one of our overall strategies is to
get better, better, better to make this stuff, the worst case
that you are imagining, incredibly complex and only
accomplishable by having physical access or doing things that
are likely to be picked up by a Layered Defense System.
    So first and foremost strategy, it is better understanding
what is already put in place and putting in places to share
information as quickly as possible. When you make something
really complex just like with a terrorist attack, you are more
likely to see the plotting that is going on there----
    Mrs. Watson Coleman. Yes.
    Mr. Kolasky. We have come a long way in that direction. Our
adversaries might continue to get better but you know----
    Mrs. Watson Coleman. Yes.
    Mr. Kolasky. By making things complex is a good risk
management strategy.
    Mrs. Watson Coleman. But I also want to know that when you
are purchasing rail cars, what is it that you tell the agency
that is advertising, these specific things are how you mitigate
the possible compromising of the safety and security of your
car or whatever?
    Mr. Kolasky. Sure. So----
    Mrs. Watson Coleman. And----
    Mr. Kolasky. At the basic level we give them an overview of
business practices of companies and links to Chinese
intelligence doctrine, things that are available to understand
that there may be----
    Mrs. Watson Coleman. I am going to assume----
    Mr. Kolasky. Risks introduced into the system and then we
talk through what good procurement strategies are.
    Mrs. Watson Coleman. I want to assume, worst-case scenario,
that we are purchasing cars from a company that means us no
good.
I want to know specifically how do we protect against
that--what do we look for specifically to make sure that
whatever thing is that might compromise the safety of that car
and its passengers. How do we see it, how do we know it, how do
we look for it? [inaudible]
    Mr. Kolasky. It leads to a follow-on discussion.
    The last thing I would say is that one of the things we are
bringing in from a procurement perspective is the Federal
Government as a whole has experience in procuring things that
are really, really important to us and need to be secure and so
part of what we can do with DHS working with some of our folks
who do even bigger procurement is bring some of those
practices, share that with industry around so the relationship
with us and DOD and that sort of--in the testing that goes on
in National Labs, that stuff's really important to get to----
    Mrs. Watson Coleman. OK.
    Mr. Kolasky. The level of fidelity you want.
    Mrs. Watson Coleman. So I thank you.
    My time is up and I just want to say, Mr. Chairman, I
somehow would like to have a discussion in another environment
as to exactly what these things are.
    Mr. Correa. I would love to do that, if we can I will.
    Mrs. Watson Coleman. Thank you very much.
    Mr. Correa. I will talk to the staff and, Mrs. Watson
Coleman, let us see if we can do that.
    Thank you very much and recognize Ms. Slotkin for 5 minutes
of questions. Thank you.
    Ms. Slotkin. Yes. Hi, sorry to be late. I apologize. I am
happy to be the only one at this giant table down here.
    I apologize if this is slightly repetitive.
I like the--
some of my other fellow Congress men and women, have pipelines
going through my district, some of them extremely close to the
homes, many of them the route had been changed without the
citizens' awareness and there's a lot of citizens who are
concerned about their safety, as we all would be.
    So can you just walk me through in sort-of clear terms No.
1, what you have done to prevent cyber attack and then No. 2,
if there's a specific threat or a risk; I am from the
intelligence community, former CIA officer and was definitely
aware that there was plenty of time, there were Classified
information, threats, concerns, new techniques, that were
Classified so we couldn't actually communicate with local
businesses, with local communities, local law enforcement, even
on the real nature of the threat so what have--what are we
sort-of doing to protect ourselves and then tell me about your
modus operandi on presenting information down to unclassified
users?
    Ms. Proctor. So with regard to the threat and this goes
back to our information sharing. Two weeks ago, I believe we
had a Classified briefing with members of the industry. It was
a Top-Secret Classified briefing to talk about the threat. As a
matter of fact, tomorrow we have another meeting with another
Classified briefing with industry so we have found ways with
our intelligence colleagues of providing the necessary
information that our industry partners need in order to protect
their industry from cyber threats so from the intelligence
perspective we have been able to manage that with our
intelligence partners.
    I don't believe that there has been an unresolved issue
with the intelligence that we are providing. We are providing
everything that we can provide in the appropriate atmosphere,
with people who have the appropriate clearances so in terms of
the information I believe that we are getting that out to the
right people.
    Mr.
Kolasky. And----
    Ms. Proctor. On the--cyber side, I am going to let----
    Mr. Kolasky. You referenced community-level law
enforcement, and this is where the fusion centers, the DHS,
sponsors, come in very handy, there are somewhere around 85
around the country and both with industry but more particularly
with law enforcement and people who have been close to
community-level decisions [inaudible] teleconferences and
things like that.
    Then implied in your question, obviously is not everyone is
going to have a clearance no matter how good we get at doing
that so you know, we want to push, giving more out, the
unclassified assessment, as you probably can guess what was in
the Worldwide Threat Assessment that Director Coats talked
about, that takes a while to get that statement to be made but
that statement becomes important because it lights a fire on
the importance of this issue and we have been following up with
industry both in the Classified and unclassified community
space with that.
    Ms. Slotkin. So related to that, if there was an incident
and because of declassification or problems with sharing, that
information did not get to the company, who is the senior
accountable official, who would be responsible for that mishap,
would it happen?
    Mr. Kolasky. We within CISA have the ability to give
private-sector clearances out so we will facilitate private-
sector members getting access to information, depending on the
nature of the information you are talking about it is on us as
a Government, who have that information to give as quickly as
possible to the cleared community.
I am not going to speculate
on the exact hypothetical--it is our job to make sure we have
opened up the channels to give Classified information.
    We in other parts of the Government also have 1-day reading
authorities where if you don't have a clearance but you need to
have this information and so you know, I think we all feel
obligated to make sure that information gets in the hands of
somebody who could do something as soon as possible once we
know that is credible information.
    Ms. Slotkin. OK. I would just say, again CIA and FBI
weren't communicating particularly well during 9/11. There has
to be accountability if there's mistakes; I am not saying
anyone's you know, God forbid, planning for mistake but it is
nice to know that you know, who is responsible for making sure
we pushed down this information to industry.
    But I will yield back the rest of my time.
    Mr. Correa. Thank our witnesses for your comments.
    Now if I may, I would like to take a 5-minute recess and
then come back and start with our second panel.
    Members please try to be back in 5 minutes. Thank you very
much.
    [Recess.]
    Mr. Correa. The committee will now come to order.
    We will start with our second panel.
    Our first witness is Mr. James Lewis, serves as senior vice
president and the director of the Technology and Public Policy
Program at the Center of Strategic International Studies.
    Next we will have Ms. Rebecca Gagliostro, my apologies, who
is the director of security, reliability, and resilience at the
Interstate Natural Gas Association of America which is
comprised of 27 members representing a vast majority of
interstate natural gas transmission pipeline companies.
    Next, we will have Mr. Erik Olson, who is a vice president
of the Rail Security Alliance, which is a coalition of North
American freight, rail car manufacturers, suppliers, unions,
and steel interest.
    Finally, we will have Mr.
John Hultquist, who serves as
director of intelligence and analysis at FireEye. He has over
10 years of experience, covering cyber espionage, hacktivism,
and has worked in senior intelligence analyst positions in the
Department of State.
    Without objection the witnesses' full statements will be
inserted into the record.
    I will ask now each witness to summarize their statements
for 5 minutes, beginning with Mr. Lewis.
    Thank you, welcome sir.

STATEMENT OF JAMES A. LEWIS, SENIOR VICE PRESIDENT, CENTER FOR
              STRATEGIC AND INTERNATIONAL STUDIES

    Mr. Lewis. Thank you. I thank the committee for the
opportunity to testify.
    We have entered an era of connected devices sometimes
called the internet of things that offers real economic benefit
but comes with increased risk to homeland security and much of
this risk comes from the global supply chain. Most
infrastructure and transportation systems as you have heard are
connected to the internet in some way and depend on computers
for their operation. This includes electrical power systems,
pipelines, telecommunications and increasingly vehicles which
continuously connect back to their manufacturer wherever that
manufacturer is located and these connections provide
opportunities for espionage and service disruption.
    As the committees have heard for many years, the state of
cybersecurity remains poor. Most networks can be hacked, cyber
crime continues to grow, and cyber attack is an essential part
of state conflict.
    Our task is to mitigate risk.
One way to do this is to ask
how a device connects to the internet, what information it
transmits, and how much transparency and control an operator
has over this data and connection.
    Another way is to use three metrics: The value of data
collected; the critical [inaudible] variable data; perform
critical functions or whose disruptions could produce mass
effect, need to be held to higher standards.
    Currently the internet of things is probably more
vulnerable to disruption than the regular good old internet.
For critical infrastructure we can ask how we would continue to
operate in the event of a malicious incident and to what degree
our control over these infrastructures are shared with a
foreign manufacturer.
    Products from China require special attention. The
combination of increased Chinese espionage, new national
intelligence law on China, pervasive surveillance, and
heightened military tensions have led to a dangerous situation
but the United States and China share a deeply integrated
industrial base, disentangling this would be costly, although
some now talk of a divorce. China is not the only country that
could exploit cyber vulnerabilities and critical
infrastructure. Iran and Russia have probed pipelines and other
infrastructures, including electrical power.
    There are several steps we can take to reduce risk. The
most obvious is to improve network and device security. DHS's
Cyber and Infrastructure Security Agency, CISA, should be the
center of this effort.
    The development of security standards is essential. The
NIST Cybersecurity Framework is a strong start but it needs to
be amplified and expanded for specific technologies. Any
defensive measure must accept that we cannot keep a determined
opponent out of our networks.
This means that we must also
consider measures to increase resiliency and allow for
continued operation, integrated environments; this is the goal
that DOD has. Better security requires oversight. This is
clearly a task for the committee but also for CISA.
    Finally, a defensive approach by itself is inadequate. The
United States needs to develop credible threats to deter
foreign attackers and persuade them that interference in
critical infrastructure comes with the unacceptable risk of
retaliation. We do not have this now. That would be a useful
thing to do.
    We haven't talked about the security premium which is what
many of us call it, it has come up several times [inaudible] in
part because it is subsidized by the government. There might be
a Chinese intent, it is worth looking at, this subsidy but it
means for companies--and we see this particularly with Huawei--
they must choose between buying cheap good equipment or more
expensive equipment that is secure, and that is a difficult
choice. I am not sure everyone will always come out in the same
place.
    Thank you for the opportunity to testify. I look forward to
your questions.
    [The prepared statement of Mr. Lewis follows:]
                  Prepared Statement of James A. Lewis
                           February 26, 2019
    I would like to thank the committee for the opportunity to testify.
My testimony will discuss the risks to homeland security from the use
of Chinese technology and equipment.
    Chinese companies face a serious branding problem in many
countries. There is a level of distrust that has been created in good
measure by Chinese government policies.
The most prominent of these
policies are China's aggressive mercantilism, its disregard for
international law, its massive espionage campaign, and, for the United
States, its announced intention to displace America and become the most
powerful country in the world, reshaping international rules and
practices to better fit the interest of China's rulers.
    Espionage has been a part of the Sino-American relationship
since China's opening to the West in 1979. It is worth remembering that
at this time, the United States and China shared a common enemy--the
Soviet Union. This created incentives for cooperation that have long
vanished. Chinese espionage initially focused on repairing the
disastrous effects of Maoist policies on China's economic and political
development. This meant the illicit or coercive acquisition of Western
technology. As China's cyber capabilities improved, beginning in the
late 1990's, some PLA units turned to hacking as a way to supplement
their incomes, moonlighting by stealing Western intellectual property
and then selling it to Chinese companies.
    The illicit acquisition of technology is still a hallmark of
Chinese espionage activity, but there have been significant changes
since President Xi Jinping came to power in 2013. One of the first
things Xi did, reportedly, is order an inventory of Chinese cyber
espionage activities. He found that many of these had not been ordered
by Beijing, that Beijing did not have full control over tasking and
assets, and some operations were for private interest and did not meet
China's strategic requirements.
    Xi changed this. The Chinese military has been reorganized as part
of a larger effort to modernize the PLA.
Xi's anti-corruption campaign
greatly reduced the ability of PLA units to ``moonlight.'' Chinese
intelligence collection is better organized, more focused on strategic
priorities, and, some would say, better in performing its missions.
This comes at a time when, according to the U.S. intelligence
community, Chinese espionage has reached unprecedented levels. Today,
these efforts focus on the acquisition of advanced military and
commercial technologies, since China still lags the United States in
technology, as well as military and government targets.
    The United States and China reached an agreement in 2015 to end
commercial cyber espionage, but it is generally believed that this
agreement has broken down in the last year. At the risk of sounding
overly dramatic, some would describe this situation as an undeclared
espionage war between China and the United States. In fact, this is not
a war, but a very intense contest where the United States is largely on
the defensive. Our allies also face a similar problem with Chinese
efforts in Australia, Japan, Germany, the United Kingdom, Canada, and
other advanced economies.
    These activities create distrust, and a more specific ground for
distrust is China's 2017 National Intelligence Law. For some years, the
United States had advised China to move away from an informal, ad hoc
system of rules and put in place a formal legal structure based on
laws. The Chinese took our advice and one result is that long-standing
Chinese policies and practices have been codified into the 2017
Intelligence Law. The most important part of that law for today's
hearing is that it creates a legal obligation for Chinese companies to
cooperate fully with intelligence agencies upon request.
There are no
grounds for appeal or an ability to refuse such requests.
    This means that a Chinese company could be completely innocent of
any wrongdoing, its products harmless, but a decision by the Chinese
government could change that in an instant. In the context of an
increasingly aggressive global espionage campaign, often conducted
using cyber techniques, there are reasonable grounds for the distrust
of Chinese products. The first question to ask is not whether you trust
a Chinese company, but whether you trust the Chinese government.
    Concerns over the Intelligence Law have become so significant, in
part because of the implications of using Huawei telecommunications
equipment, that China's official news agency felt obliged last week to
put out a press release calling for a comprehensive and accurate
translation. China's Foreign Ministry pointed out that while Article 7
of the law stipulates the obligation for Chinese companies and
individuals to ``support, assist, and cooperate'' with the country's
intelligence service, Article 8 stipulates that China's intelligence
service should carry out its work according to law, protect human
rights, and safeguard the legal rights and interests of individuals and
organizations. Unfortunately, this promise is undercut by China's
recent behavior in regard to human rights and in the protection (better
expressed as the absence of protections) for the intellectual property
of foreign companies.
    We should note that China's government expresses similar concerns
over their reliance on Western technology, in part because they assume
the relationship between Western companies and government is the same
as the relationship between Chinese companies and the government. This
official distrust of Western products is one reason why Beijing is
spending billions of dollars to develop national sources of supply for
many technologies.
These subsidies also provide commercial benefit, in \nbuilding national champions in Chinese industry and in eroding Western \ncompanies' market position.\n    China also leads the world in building a national system of \npervasive domestic surveillance. Communications and social media are \nmonitored, and an array of sensors monitor and record activities in \nurban areas. This sensor data is correlated with information held by \nthe government on Chinese residents' behavior and communications. This \npervasive surveillance is not popular among many Chinese, but it is \nincreasingly difficult to escape. One concern is that China will to \nsome degree extend this pervasive surveillance to countries and persons \nof interest outside of China or extend its extensive cyber espionage \ncampaign to include coercive actions, like disrupting critical \nservices. This is not something China would do lightly, but the risk \ncannot be dismissed.\n    The combination of increased espionage, new legal obligations, \npervasive surveillance, and heightened military tensions make for an \nuncomfortable and potentially dangerous situation, with implications \nfor U.S. security. The United States and China share a deeply \nintegrated industrial base, constructed during the time when we assumed \nthat China was moving in the direction of becoming a market economy and \na security partner. Disentangling this deeply integrated supply chain \nwould be costly and damaging to both countries, but some in America now \ntalk about a ``divorce'' while China is spending heavily to reduce its \nreliance on the United States.\n    Beyond the espionage risk, there is potential risk for critical \ninfrastructure that is growing. As more devices become connected to the \ninternet and reliant on software, the opportunities for disruption will \ngrow. 
This is not specifically a China problem, but a change in the \ntechnological environment as millions of devices connect to the \ninternet in ways that China (or other malicious actors) could exploit \nfor coercive purposes.\n    As the committee has heard for many years, the state of \ncybersecurity remains poor and almost any network or device can be \nhacked with enough persistence. Cyber crime continues to grow, and \ncyber tools have become an essential part of state conflict. If it is \nany consolation, China's cybersecurity is worse than ours, if only \nbecause of their frequent use of pirated software. Improving \ncybersecurity should be a potential area for cooperation between the \ntwo countries, but the current state of relations does not permit that.\n    An environment of connected devices, often called the internet of \nthings, is formed by devices that connect to the global internet, \nusually without human intervention. We all have heard of smart cars but \nmany large systems in infrastructure and transportation also rely on \ncomputers and connectivity. This environment will provide real economic \nopportunities and benefits, but it also comes with an increase in risk. \nOur task should be to estimate this risk and then develop strategies to \nmitigate it. Different technologies and different companies create \ndifferent levels of risk, and there are several ways to assess this.\n    One way to scope risk is to ask how a device connects to the \ninternet, what on-board sensors it has, what information it collects \nand transmits, and how much transparency, insight, and control an \noperator has over this data and connection. Many large capital goods, \nsuch as power technologies, pipelines, telecommunications and ships, \nare continuously connected over the internet to their manufacturer, to \nallow for status reports, maintenance scheduling, and for the updating \nof software. 
This continuous connection provides an opportunity to \ncollect information and to disrupt services. Instead of an update, a \ncommand could be sent to turn off or to reduce speed.\n    We have seen several examples of Chinese devices that report home, \nfrom drones to surveillance cameras, with the concern that under the \nnew intelligence law, the Chinese government could compel the provision \nof the data collected by these technologies. This kind of monitoring \nand collection has been a standard practice for intelligence agencies \nthat will certainly extend to the internet of things, and the risks of \nconnected devices is compounded when their home is in a hostile foreign \npower.\n    We could scope risk by measuring the cybersecurity status of \nconnected devices. The National Institute of Standards and Technology \n(NIST) is developing, in partnership with industry, standards for the \nsecurity of IOT devices. But this is still at a relatively early stage. \nIn general, the internet of things will be no more secure than the \nexisting internet and may be more vulnerable, since many IOT devices \nwill use simple computers with limited functionality.\n    We can also assess risk by using three metrics--the value of the \ndata accessible through or collected by the IOT device, the criticality \nof a function the connected device provides, and scalability of \nfailure. 
Devices that create or collect valuable data, perform crucial \nfunctions, or that can produce mass effect, need to be held to higher \nstandards and face greater scrutiny.\n    For critical infrastructure, we need to ask the same questions \nabout using Chinese products that we would ask for any critical \ninfrastructure protection policy: How sensitive are the operations and \nthe data associated with or accessible through the infrastructure, what \nwould happen if the infrastructure was disrupted by an opponent, how \nwould we continue to operate and then recover in the event of a \nmalicious incident, and, for foreign products, to what degree is \ncontrol or access shared with the foreign manufacturer?\n    The type of data collected and transmitted is a crucial element of \na risk assessment. Intelligence analysis data is driven by access to \nlarge amounts of data and the ability to correlate it with other data. \nData analytics provides new intelligence insights. A well-known example \nis the hack attributed to China of the Office of Personnel Management \n(OPM) and the theft of personal information. It is likely that OPM was \none of a series of related hacks, of insurance companies, airlines, and \ntravel agencies, that provided additional data that could be used to \ngain insight into America, personnel and practices. This means that \neven seemingly insignificant data, if correlated with other \ninformation, may provide influence value. The more ``granular'' the \ndata, and whether it refers to specific individuals, the greater its \nvalue. Less granular data, such as how many people are sitting on a \ntrain or at which stop they exit, may not pose much risk.\n    Managing our new competition with China will be difficult given the \nclose interconnection between the U.S. and Chinese economies. This is a \n30-year commercial and technological partnership not easily dismantled \nby either side. 
Given the deep interconnections that have grown between \nthe Chinese economy and the rest of the world, a bifurcation similar to \nthat seen during the Cold War is not possible, and it is not now in our \ninterest. A greater degree of separation between the two economies is \nnecessary but must be carefully developed for specific technologies and \nbased on a judgment on the risk that their use could provide China with \nan intelligence, military, or unfair commercial advantage.\n    These risks are manageable, and we have to contrast them to the \nrisk to the American economy from a violent disruption of trade with \nChina. Generally speaking, a complete divorce is not in our interest; \nand it is certainly not in China's interest. There are specific \ntechnologies and circumstances that require greater scrutiny and \ncountermeasures, but this does not apply across the board (at least at \nthis time). Working with our allies, we can modify China's behavior to \nmake this relationship more stable and less risky. We have done so in \nthe past, but this will be a process that will take years to complete, \nand in the interim, there are steps we must take to reduce the risk of \nChinese interference and espionage.\n    The most obvious is continued work to improve network and device \nsecurity. This will require some measure of regulatory action and close \npartnership with the affected industries and operators. One size does \nnot fit all when it comes to regulation, so the potential risk of IOT \nand Chinese technology must be managed using the sector-specific model \ndeveloped in the previous administration, and partnerships between \ncompanies, agencies with oversight, and DHS's new Cybersecurity and \nInfrastructure Security Agency (CISA) should be the core of this \neffort.\n    The development of security standards is a necessary complement to \nany regulation or voluntary action. 
The NIST Cybersecurity Framework is \na good starting point for this but must be extended and modified for \ndifferent kinds of transportation systems. CISA's Transportation \nSystems Sector Cybersecurity Framework Implementation Guide, published \nin June 2015, provides guidance to owners and operators on how to \nassess and implement cybersecurity standards.\n    All of these measures--voluntary action, regulation, and \nstandards--must be predicated on the knowledge that we cannot keep \nopponents out of our networks and devices. We can make it harder for \nthem but not impossible. This means that measures to increase \nresiliency, to allow for some level of continued operation in degraded \nconditions, are essential. This adds expense to critical infrastructure, \nof course, and one part of any plan is to ask how this additional \nburden will be funded and whether the increase in risk is outweighed by \nthe potential savings--we should not automatically assume that the mere \nexistence of risk cancels out financial benefits.\n    All of these steps require oversight to assess risk and \nimprovement. This is clearly a task for Congress and this committee, \nbut also for the responsible agencies, industry bodies, and, in \nparticular, for CISA. The key question for assessment is whether the \nuse of the Chinese technology increases the risk of disruption or \nespionage, and the answer to this will depend in good measure on how \nthe Chinese products connect to the internet.\n    Finally, a purely defensive approach will be inadequate. The United \nStates needs to develop and articulate credible counterthreats to \ndissuade and deter foreign attackers. This may require more than \nsanctions and indictments. Although they are useful and have effect \nover the long term, they may need to be reinforced by other punitive \nmeasures, part of a larger strategy on how to impose consequences and \nchange opponent thinking. 
Given the level of vulnerability and the \npotential increase in risk from both the acquisition of foreign \ntechnology and the digitizing of critical services, we must persuade \nopponents that any interference will come with unacceptable risk or \nretaliation by the United States.\n    There are trade issues that I have not touched upon, such as the \nChinese practice of building national champions through government \nsubsidies and, in some cases, industrial espionage. China also uses \nnon-tariff barriers and other protectionist mechanisms to hobble or \nblock competition from foreign firms in China. These Chinese practices \nharm our National interests and should be opposed as part of a larger \neffort to change China's behavior and move it in the direction of \nreciprocity.\n    I thank the committee for the opportunity to testify and look \nforward to any questions.\n\n    Mr. Correa. Thank you, Mr. Lewis.\n    Now I would like to recognize Ms. Gagliostro to summarize \nher statements in 5 minutes.\n\n     STATEMENT OF REBECCA GAGLIOSTRO, DIRECTOR, SECURITY, \nRELIABILITY, AND RESILIENCE, INTERSTATE NATURAL GAS ASSOCIATION \n                           OF AMERICA\n\n    Ms. Gagliostro. Thank you.\n    I am delighted to be here today to share our thoughts on \ncybersecurity in the pipeline industry. My name is Rebecca \nGagliostro, director of security, reliability, and resilience \nat the Interstate Natural Gas Association of America.\n    INGAA is a trade association that advocates regulatory and \nlegislative positions of importance to the Interstate Natural \nGas Pipeline Industry. Our 28-member companies operate \napproximately 200,000 miles of interstate natural gas pipelines \nthat are analogous to the interstate highway system. Like the \nhighways that are the arteries for so much of our Nation's \ncommerce, interstate natural gas pipelines are the \nindispensable link between U.S. 
natural gas producers and \nconsumers.\n    In my role at INGAA, I work directly with our members to \nensure that our pipeline infrastructure remains resilient, \nsafe, and secure. Cybersecurity is a priority for the Natural \nGas Pipeline Industry. INGAA member companies work \ndiligently to secure our Nation's critical gas transmission \ninfrastructure from both cyber and physical security threats. \nCybersecurity has been identified as the top operational risk \nby the executive leadership of our member companies and we take \nthe management of this risk very seriously.\n    Last year in recognition of this priority, INGAA's board of \ndirectors set forward with its commitment the Pipeline Security \nStatement. This Statement enumerates specific actions that all \nof our member companies are taking as part of their security \nprogram. The Statement emphasizes, among other things, our \ncommitments to following the Transportation Security \nAdministration's Pipeline Security Guidelines.\n    Industry security efforts seek to reduce the risk posed by \nsuccessful attack targeting our infrastructure. A foundational \nelement of a well-informed risk management program is \ncomprehensive information sharing. This is the key point that I \nwould like to emphasize. Real-time actionable information is \nvital to ensuring our pipeline operators are equipped with the \nlatest intelligence on threats.\n    Information sharing is occurring today between INGAA member \ncompanies and other industry stakeholders through the work of \nour Information Sharing and Analysis Centers, also known as \nISACs; however, this is not industry's responsibility alone. 
It \nis imperative that we also have a cooperative working \nrelationship with our Government partners to help facilitate \ninformation sharing.\n    We would like to note that there is strong information \nsharing occurring today with our partners at TSA and the \nDepartment of Homeland Security and we would like to see this \nrelationship continue.\n    INGAA believes that TSA's Pipeline Security Program is \nmaking a difference as it continues to improve. We understand \nthat TSA has accepted the Government Accountability Office's \nrecommendations for improving the management of its Pipeline \nSecurity Program and it is now in the process of implementing \nchanges in response to those recommendations. INGAA strongly \nbelieves that if followed, these recommendations will help to \nmake a stronger and more robust program.\n    The increasing threat of nation-state cybersecurity \nattacks and interdependencies across our critical \ninfrastructures means that we must work together across \nindustry and Government to protect ourselves against threats. \nThe work that TSA and the Department of Homeland Security are \ndoing with the National Risk Management Center is a very \npositive step toward the end goal of protecting the Nation from \ncybersecurity threats.\n    Threats to critical infrastructure cannot be evaluated in \nisolation; all critical infrastructures are being targeted, \ntherefore we must identify the best ways to work together to \nprotect our National security.\n    In October, TSA and DHS announced their joint partnership \nin the Pipeline Cybersecurity Assessment Initiative which is \nworking to conduct Comprehensive Cybersecurity Assessments to \npipeline infrastructure. Assessments play a critical role in \nproviding the assurance that these programs are working. 
TSA \nhas already piloted one INGAA member assessment in 2018 and our \nmembers continue [inaudible] we believe that progress has been \nmade in securing our pipeline infrastructure and we should \ncontinue to focus on improving TSA's Pipeline Security Program.\n    The growing threat of nation-state cyber attacks requires a \ncoordinated and comprehensive approach backed by strong \ninformation sharing across all critical infrastructure sectors \nand across all Federal agencies supporting National Security. \nTSA's on-going work with the National Risk Management Center is \nhelping to bridge that gap.\n    We urge Congress to support TSA's efforts to improve its \nprogram and provide the necessary guidance and funding for \nadditional program-management staffing and cybersecurity \nexpertise that can work alongside the National Risk Management \nCenter and support the Pipeline Cybersecurity Assessment \nInitiative. We believe that this, in addition to the efforts \nthat are already under way, will help to make TSA successful in \nits mission to protect the Nation's pipeline infrastructure. \nThank you.\n    [The prepared statement of Ms. Gagliostro follows:]\n                Prepared Statement of Rebecca Gagliostro\n                           February 26, 2019\n    Good morning Chairmen Correa and Richmond, Ranking Members Lesko \nand Katko, and Members of the subcommittees. I am delighted to be here \ntoday to share our thoughts on cybersecurity in the pipeline industry. \nI am Rebecca Gagliostro, the director of security, reliability, and \nresilience at the Interstate Natural Gas Association of America \n(INGAA). INGAA is a trade association that advocates regulatory and \nlegislative positions of importance to the interstate natural gas \npipeline industry in the United States. INGAA's 28 members operate \napproximately 200,000 miles of interstate natural gas pipelines that \nare analogous to the interstate highway system. 
Like the highways that \nare the arteries for so much of our Nation's commerce, interstate \nnatural gas pipelines are the indispensable link between U.S. natural \ngas producers and consumers. In my role at INGAA, I work directly with \nour members to ensure that our pipeline infrastructure remains \nresilient, safe, and secure.\nCybersecurity is a priority for the natural gas pipeline industry\n    INGAA member companies work diligently to secure our Nation's \ncritical gas transmission infrastructure from cyber and physical \nsecurity threats. The boards of directors and executive leadership of \nour member companies have identified cybersecurity as a top operational \nrisk and take the management of this risk very seriously. Last year, in \nrecognition of this priority, INGAA's board of directors stepped \nforward with its Commitments to Pipeline Security\\1\\ statement, which \nenumerates specific actions that all of our member companies are taking \nto identify, protect, detect, respond to, and recover from security \nthreats targeting our systems. In addition, the statement emphasizes \nour members' commitments to following the Transportation Security \nAdministration's (TSA's) Pipeline Security Guidelines and the National \nInstitute of Standards and Technology's (NIST's) Cybersecurity \nFramework, and to engaging in comprehensive information sharing across \nthe industry and with our Federal partners. These are the foundations \nto building and maintaining strong pipeline security programs.\n---------------------------------------------------------------------------\n    \\1\\ INGAA Commitments to Pipeline Security, https://www.ingaa.org/\nFile.aspx?- id=34310&v=db10d1d2.\n---------------------------------------------------------------------------\n    INGAA's commitments provide a high-level roadmap of what our member \ncompanies are doing to secure our infrastructure, as appropriate for \npublic dissemination. 
In practice, our members' security programs are \nfar more extensive than the information that may be conveyed by these \ncommitments. It is our firm belief that we must be continually vigilant \nand entirely committed to the on-going improvement of our security \ndefenses because the adversaries seeking to harm infrastructure of all \nkinds, including natural gas pipelines, are nimble and the threats they \npose are evolving.\nPipeline operators take a risk-management approach to addressing \n        security threats\n    Industry security efforts seek to reduce the risk posed by a \nsuccessful attack targeting our infrastructure. This risk-informed \napproach helps us prioritize our actions and allocate appropriate \nresources toward the highest priority. Pipeline operators utilize a \nvariety of tools and resources, like the NIST Cybersecurity Framework \nand the TSA Pipeline Security Guidelines, to build well-rounded \ncybersecurity programs that effectively assess and manage the risks \nthat we face. We recognize that cybersecurity risk management \nstrategies must be comprehensive in nature and must implement measures \nto both reduce the likelihood of a successful attack and mitigate the \nimpacts of a successful attack, should one occur. As such, pipeline \noperators assess their security programs using a variety of resources \nsuch as Federal assessment programs, self-assessments, peer reviews, \nand third-party vulnerability and penetration tests. Exercises and \ntabletops also play an important role in testing our security programs, \nsharing information with our peers about our security practices, and \nplanning for how we will work across industry, interdependent sectors \nand with first responders during an incident.\n    A foundational element of a well-informed risk management program \nis comprehensive information sharing. This is a key point that deserves \nemphasis. 
Real-time, actionable information is vital to ensuring \npipeline operators are equipped with the latest intelligence on \nthreats, including known tactics, techniques, and mitigative measures. \nThis, in turn, enables operators to evaluate their risks and tailor an \napproach that best fits the needs of their individual systems and \nenvironments. Strong information sharing already occurs today between \nINGAA member companies and other industry stakeholders through the work \nof our information sharing and analysis centers (ISACs), including the \nDownstream Natural Gas (DNG) ISAC and the Oil and Natural Gas (ONG) \nISAC. However, this cannot be industry's responsibility alone. It is \nimperative that we also have a cooperative relationship with our \nGovernment partners to facilitate rapid information sharing. It is \nworth emphasizing that the pipeline industry has a strong information-\nsharing relationship with our partners at TSA and U.S. Department of \nHomeland Security (DHS). We would like to see this relationship of \ntrust continue and develop, as we look toward these agencies to \ndeclassify threat intelligence and provide us with the timely, \nactionable information necessary to protect our systems and \ninfrastructure.\nThe Transportation Security Administration pipeline security program is \n        improving\n    The Aviation and Transportation Security Act (Pub. L. 107-71) \n(``ATSA'') vested the Transportation Security Administration with \nauthority over pipeline security. Pursuant to this authority, TSA \noffers guidance on expected practices and procedures necessary to \nsecure the Nation's critical pipeline infrastructure. 
TSA offers \nseveral programs, tools, and products to assist pipeline operators with \nprotecting their infrastructure, including Critical Facility Security \nReviews, Corporate Security Reviews, Pipeline Cybersecurity \nAssessments, Smart Practices, I-STEP, Security Awareness Training \nVideos, and the International Pipeline Security Forum.\n    TSA acknowledges that there remains room for improvement in its \npipeline security program. The agency has accepted the recommendations \nfor improving the management of its pipeline security program that were \nmade by the Government Accountability Office and is in the process of \nimplementing them. INGAA strongly believes that if followed, these \nrecommendations will help to make a stronger and more robust program.\n    Following the tragic events of September 11, 2001, TSA's security \nprogram was rooted in the physical security threats targeting our \ncritical infrastructure. As acknowledged in a recent statement by \nDirector of National Intelligence Dan Coats, sophisticated nation-\nstate-backed cybersecurity capabilities present a real threat to our \ncritical infrastructure. These threats have led to increased emphasis \nby TSA and our sector on protecting pipeline infrastructure from \ncybersecurity threats. It is important to stress that these threats are \nfaced by all critical infrastructure and not just natural gas \npipelines. The increasing interdependence across the segments of our \nNation's critical infrastructure means that we must work together \nacross industry and Government to protect ourselves against these \nthreats.\n    The work that TSA and DHS are doing through the National Risk \nManagement Center (NRMC) is a very positive step toward the end goal of \nprotecting the Nation from cybersecurity threats. These agencies are \nworking together to understand how sophisticated, nation-state threat \nactors seek to identify ways to harm all U.S. critical infrastructure. 
\nWe believe this approach is significant because these threats cannot be \nanalyzed effectively in isolation. All critical infrastructure is being \ntargeted; therefore, we must identify the best ways to work together to \nprotect our National security.\n    In October, these agencies announced the Pipeline Cybersecurity \nAssessment Initiative, which is working to conduct comprehensive \ncybersecurity assessments of natural gas infrastructure to better \nunderstand the unique risks faced by our infrastructure as well as to \nidentify how best to protect it. In addition to having a recognized \nbaseline of practices, assessments are critical to providing assurance \nthat these programs are working. TSA has already piloted one INGAA \nmember assessment in 2018, and INGAA members continue to volunteer to \nparticipate in these new assessments in 2019.\nNext steps for building upon progress to secure pipeline infrastructure\n    INGAA believes that progress has been made in securing our pipeline \ninfrastructure and that the focus should be on continuing to improve \nTSA's pipeline security program. Threat actors regularly develop and \nrefine their tactics, and we must do the same. The increased \ncoordination between TSA and DHS's Cybersecurity and Infrastructure \nSecurity Agency (CISA) through the NRMC is an appropriate response to \nthe enhanced need for cybersecurity expertise to support industry's \nefforts to protect our critical infrastructure against these growing \nthreats. We understand TSA has embraced GAO's recommendations as a \nroadmap for improving its pipeline security program and is already \ntaking steps to respond to them.\n    INGAA and its member companies will continue to support TSA's \nefforts. 
This includes volunteering for assessments, sharing \ninformation about indicators of compromise and about how member \ncompanies are securing their infrastructure, and participating in \ncross-sector exercises so we can better determine how the different \nsegments of critical infrastructure must work together.\n    The growing threat of nation-state-backed attacks requires a \ncoordinated and comprehensive approach across all critical \ninfrastructure and across all Federal agencies supporting National \nsecurity. INGAA believes that TSA's on-going work with the NRMC and \nCISA is bridging that gap. We urge Congress to support TSA's efforts to \nimprove its program and to provide the necessary guidance and funding \nfor additional program management staffing and cybersecurity expertise \nthat can work directly with the NRMC and support the new Pipeline \nCybersecurity Assessment Initiative. INGAA believes that this \nsupplement to efforts already under way will help make TSA successful \nin its mission to protect the Nation's pipeline infrastructure.\n\n    Mr. Correa. Thank you very much for your testimony.\n    Now I will recognize, Mr. Olson, for 5 minutes.\n\n STATEMENT OF ERIK ROBERT OLSON, VICE PRESIDENT, RAIL SECURITY \n                            ALLIANCE\n\n    Mr. Olson. Chairman Correa, Chairman Richmond, Ranking \nMember Lesko, and Members of the subcommittees, my name is Erik \nOlson, and I am the vice president of the Rail Security \nAlliance. The Rail Security Alliance is a coalition of North \nAmerican freight rail manufacturers, suppliers, unions, and \nsteel interests, committed to ensuring the economic and \nNational security of our passenger and freight rail systems. 
On \nbehalf of our coalition thank you for the opportunity to \ntestify on the critical topic of securing our surface \ntransportation systems against cyber and privacy threats.\n    With thousands of miles of railroad covering the United \nStates, freight rail regularly transports everything from \nsensitive U.S. military equipment, to toxic and hazardous waste \nevery day. On the passenger side millions of Americans rely on \nthe commuter rail system daily. The U.S. rail system is also highly \nsophisticated, relying on a constantly expanding network of \ntechnology that dramatically increases its risks to cyber \nattack and hacking.\n    Today I want to draw the committee's attention to a \nparticular threat arising from foreign investments in this \nindustry that jeopardizes directly the future of America's \nPassenger and Freight Rail Systems. This threat is China.\n    China is strategically targeting the U.S. rail \nmanufacturing sector with aggressive anti-competitive tactics \nand how do we know that? Well, to date they have secured 4 U.S. \nmetropolitan transit contracts in Boston, Chicago, \nPhiladelphia, and Los Angeles, largely by utilizing anti-\ncompetitive under-bidding practices. These aggressive and anti-\ncompetitive activities are not unusual for China's state-owned \nrail sector and raise grave National concerns, security \nconcerns that demand immediate attention.\n    Without decisive action America's industrial, military, and \nother Government interests could be forced to rely \nsignificantly or wholly on rail cars made by the Chinese \ngovernment thus creating massive cyber vulnerabilities that \nthreaten our Nation.\n    The Made in China 2025 Initiative, a key component of \nChina's 13th 5-Year Plan identifies the rail manufacturing \nsector as a top target for Chinese expansion. 
This initiative \nhas systematically and deliberately driven strategic investment \nand financing activities of the state-owned China Railway \nRolling Stock Corporation, CRRC, in third-country markets and \nthe United States. CRRC is wholly owned by the government of \nChina. It has 90 percent of China's domestic market for \nproduction of rail locomotives, bullet trains, passenger \ntrains, and Metro vehicles.\n    In just the last 5 years alone in the United States, we \nhave witnessed CRRC execute a business strategy to take market \nshare in the U.S. transit rail manufacturing sector deploying \nnear-limitless financing from its home government, allowing \nCRRC to establish itself as a formidable force in the U.S. rail \ntransit manufacturing base.\n    Emboldened with these contract victories, CRRC continues to \ntarget other U.S. cities including our Nation's capital. In \nSeptember the Washington Metropolitan Transit Authority, WMATA, \nissued a request for proposal for the new 8000-series Metro \nCar. This RFP includes numerous technologies which are \nsusceptible to cyber attacks. Whoever is selected to supply \nrail cars for WMATA will become a partner in the day-to-day \noperations of a Metro System whose stops include the Pentagon, \nthe Capitol, as well as unfettered access to D.C.'s tunnels and \nunderground infrastructure. As CRRC itself has stated, their \nobjective is to conquer the rest of the global rail market--\nneed I say more? Whether they be State, local, or Federal \nfunds, American taxpayer dollars should not be used to \nsubsidize the activities of a Chinese state-owned enterprise \nand compromise American security.\n    Based on the experiences of Australia, which this graph \ndenotes, whose domestic industry, CRRC was able to wipe out in \nunder a decade, we are equally concerned that CRRC will \nleverage its growing presence in the U.S. 
transit rail \nproduction to then pivot into freight rail assembly; we cannot \nallow this to happen here.\n    [The information follows:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Olson. Yet the Department of Homeland Security deems \nthe U.S. rail sector as a part of the Nation's critical \ninfrastructure, running through every major American city and \nevery military base in the Nation. We have had extensive \ndiscussions with representatives from DOD and based on those \ndiscussions, I am confident that the Secretary of Defense will \nexpress his concerns on this matter as well.\n    As China's CRRC becomes more dominant [inaudible] should \nthe United States rely on a Chinese state-owned enterprise for \nthe production of our country's freight and passenger rail \ncars, the position of RSA is a resounding, no. The strategic \ntargeting of our Nation's infrastructure by the government of \nChina and its state-owned enterprises poses a fundamental \nthreat to the fabric of our critical infrastructure and is a \npressure point for malicious cyber actors to threaten not only \nthe economic and National security of the United States but our \nstanding as a global power.\n    Thank you again for the opportunity to testify. I look \nforward to answering any questions you may have.\n    [The prepared statement of Mr. Olson follows:]\n                Prepared Statement of Erik Robert Olson\n                           February 26, 2019\n                              introduction\n    Chairman Correa, Chairman Richmond, Ranking Member Lesko, Ranking \nMember Katko, and Members of the subcommittees, my name is Erik Olson \nand I am the vice president of the Rail Security Alliance. The Rail \nSecurity Alliance is a coalition of North American freight rail car \nmanufacturers, suppliers, unions, and steel interests committed to \nensuring the economic and National security of our passenger and \nfreight rail systems. 
On behalf of our coalition, thank you for the \nopportunity to testify on the critical topic of securing our surface \ntransportation systems against cyber and privacy threats.\n    Rail in the United States is an integral component of our critical \ninfrastructure and our way of life. With nearly 140,000 miles of \nrailroad covering the United States, freight rail regularly transports \nkey commodities, sensitive U.S. military equipment, hazardous waste, \npotentially toxic and hazardous chemicals, and flammable liquids across \nthe country every day. On the passenger side, millions of Americans \nrely on commuter rail systems every day. The U.S. rail system is also \nhighly sophisticated, relying on a constantly expanding network of \ntechnology and digitization that dramatically increases its risk to \ncyber attack and hacking.\n    Today, I want to draw the committee's attention to a particular \nthreat arising from foreign investment in this industry that \njeopardizes the future of America's passenger and freight rail systems. \nChina is strategically targeting the U.S. rail manufacturing sector, \nwith aggressive, strategic, and anticompetitive actions. Thus far they \nhave secured four U.S. metropolitan transit contracts, largely by \nutilizing anticompetitive under-bidding practices. With China's \ngovernment picking up U.S. transit rail manufacturing contracts, the \nChinese are now using their rail manufacturing capabilities to assail \nthe U.S. freight manufacturing sector in a move that is reminiscent of \nwhat has already occurred in third-country markets such as Australia. \nThis activity is a pattern for China's state-owned rail sector and \nraises grave National security concerns. 
Without action, America's \nindustrial, military, and other Government interests could be forced to \nrely significantly or wholly on rail cars made by the Chinese \ngovernment, thus creating massive cyber vulnerabilities that threaten \nour military and industrial security.\n     china's state-owned enterprises target u.s. rail manufacturing\n    The ``Made in China 2025'' initiative, a key component of China's \n13th Five-Year plan,\\1\\ identifies the rail manufacturing sector as a \ntop target for Chinese expansion. This initiative has systematically \nand deliberately driven strategic investment and financing activities \nof the state-owned China Railway Rolling Stock Corporation (CRRC) in \nthird-country markets and the United States. CRRC is wholly owned by \nthe government of China and it has 90 percent of China's domestic \nmarket for production of rail locomotives, bullet trains, passenger \ntrains, and metro vehicles.\\2\\ In 2015, CRRC reported revenues of more \nthan $37 billion \\3\\--significantly outpacing the entire U.S. rail car \nmarket, which had $22 billion of output during the same year.\\4\\ \nAccording to Chinese state media, CRRC plans to increase overseas sales \nto $15 billion by next year alone. This represents about double the \nlevel of export orders from just 4 years ago \\5\\ and according to \nCRRC's own presentation materials the U.S. market remains a prime \ntarget to, as they put it, ``conquer.''\\6\\\n---------------------------------------------------------------------------\n    \\1\\ U.S.-China Economic and Security Review Commission, 2016 Report \nto Congress, November 2016, at 100.\n    \\2\\ Langi Chiang, China's largest train maker CRRC Corp announces \n12.2 billion yuan in contracts, South China Morning Report, July 23, \n2015. 
https://www.scmp.com/business/companies/article/1842983/chinas-\nlargest-train-maker-crrc-corp-announces-122-billion-yuan.\n    \\3\\ CRRC Corporation, 2015 CRRC Annual Report, https://\nwww.crrcgc.cc/Portals/73/Uploads/Files/2016/8-23/\n636075436968234671.pdf.\n    \\4\\ Oxford Economics, Will We Derail US Freight Rolling Stock \nProduction?, May 2017, at 24.\n    \\5\\ Brenda Goh, China Trainmaker CRRC to build more plants abroad \nin expansion plan: China Daily, REUTERS, Dec. 5, 2016, http://\nwww.reuters.com/article/us-crrc-expansion-idUSKBN13U0EJ.\n    \\6\\ @CRRC_global, ``Following CRRC's entry to Jamaica, our products \nare now offered to 104 countries and regions. So far, 83 percent of all \nrail products in the world are operated by #CRRC or are CRRC ones. How \nlong will it take for us conquering the remaining 17 percent?'' \nTwitter, January 11, 2018. https://twitter.com/CRRC_global/status/\n951476296860819456.\n---------------------------------------------------------------------------\n    Using State-backed financing, subsidies, and an array of other \ngovernment resources, CRRC has strategically targeted and sought to \ncapture the U.S. railcar manufacturing sector. In just the last 5 years \nthe United States has witnessed CRRC establish rail assembly operations \nfor transit railcars in 3 States, along with additional research and \nbidding operations in several others. By beginning with a business \nstrategy to take market share in the U.S. transit rail manufacturing \nsector and deploying near-limitless financing from its home government \nto help lower the well-below-market bids for new U.S. metropolitan \ntransit projects, CRRC has quickly established itself as a formidable \nforce in U.S. 
transit rail competition.\n    Several recent cases involving CRRC bids for new transit rail \nprojects serve as compelling examples of the strategy being employed by \nChina to capture our rail systems:\n  <bullet> CRRC bid $567 million to win a contract with the \n        Massachusetts Bay Transit Authority (MBTA) in Boston in 2014, \n        coming in roughly 50 percent below other bidders.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ Bonnie Cao, After Winning MBTA Contract, China Trainmaker CRRC \nPlans American Expansion, Boston Globe, Sept. 11, 2015. https://\nwww.bostonglobe.com/business/2015/09/11/after-winning-mbta-contract-\nchina-trainmaker-crrc-plans-american-expansion/jnS1kU7uHWF- \nGR9gjWmDEjM/story.html.\n---------------------------------------------------------------------------\n  <bullet> In 2016, CRRC won a contract to provide transit rail for the \n        Chicago Transit Authority (CTA), bidding $226 million less than \n        the next-highest bidder.\\8\\\n---------------------------------------------------------------------------\n    \\8\\ Corilyn Shropshire, First Step to New CTA Rail Cars: Build the \nFactory in Chicago, Chicago Tribune, Mar. 16, 2017. http://\nwww.chicagotribune.com/business/ct-cta-new-railcar-plant-0316-biz-\n20170315-story.html.\n---------------------------------------------------------------------------\n  <bullet> In early 2017, CRRC bid $137.5 million for a contract with \n        Southeastern Pennsylvania Transportation Authority (SEPTA) in \n        Philadelphia, underbidding the next-lowest bidder--which had a \n        robust local manufacturing presence--by $34 million.\\9\\\n---------------------------------------------------------------------------\n    \\9\\ Jason Laughlin, Mass.-Based Company with Chinese Backing Beats \nLocal Group for SEPTA Car Contract, The Philadelphia Inquirer, Mar. 21, \n2017. 
http://www.philly.com/philly/business/transportation/Mass-based-\ncompany-with-Chinese-backing-beats-out-local-group-for-SEPTA-car-\ncontract.html.\n---------------------------------------------------------------------------\n  <bullet> In March 2017, CRRC finalized a contract with the Los \n        Angeles County Metropolitan Transportation Authority for its \n        transit rail system worth up to $647 million.\\10\\ Again, China \n        did this by leveraging below-market financing, which in turn \n        undercut other bidders.\n---------------------------------------------------------------------------\n    \\10\\ Keith Barrow, Los Angeles Orders CRRC Metro Cars, \nInternational Railway Journal, Mar. 24, 2017. http://\nwww.railjournal.com/index.php/north-america/los-angeles-orders-crrc-\nmetro-cars.html.\n---------------------------------------------------------------------------\n    Emboldened with these contract wins, CRRC continues to target other \nU.S. cities, including our Nation's capital. In September, the \nWashington Metropolitan Transit Authority (WMATA), which is the second-\nlargest mass transit system in the country, issued a Request for \nProposals (RFP) for the new 8000-series metro car. This RFP includes \nvideo surveillance, monitoring and diagnostics, data interface with \nWMATA, and automatic train control systems that are susceptible to \ncyber attacks. In response to concerns expressed by a number of \nlawmakers, including the Vice Chairman of the Senate Intelligence \nCommittee, WMATA re-issued its RFP to include additional cybersecurity \nprotections.\\11\\\n---------------------------------------------------------------------------\n    \\11\\ Sean Lyngaas, D.C. Metro system beefs up supply chain \ncybersecurity provisions for new rail cars, Cyberscoop, February 6, \n2019. 
https://www.cyberscoop.com/metro-dc-subway-cyberscecurity-rfp/.\n---------------------------------------------------------------------------\n    But the Rail Security Alliance's concerns do not end there. \nWhoever is selected to supply rail cars for WMATA will become a \npartner in the day-to-day operations of a Metro system whose stops \ninclude the Pentagon and the Capitol, as well as unfettered access to \nour Nation's tunnels and underground infrastructure.\n    We couple this reality with two additional critical facts. First, a \nClassified report written by WMATA's inspector general recently \nconcluded that there were significant shortcomings in WMATA's \nenterprise-level cybersecurity posture.\\12\\ Second, just last week the \nNew York Times noted that ``businesses and government agencies in the \nUnited States have been targeted in aggressive attacks by . . . Chinese \nhackers . . . ''.\\13\\ So, in light of China's pervasive history of \ncyber espionage and hacking, it is the position of the Rail Security \nAlliance that we cannot trust a Chinese state-owned enterprise to \nbuild, own, or operate in U.S. critical infrastructure.\n---------------------------------------------------------------------------\n    \\12\\ Ryan Johnston, D.C. Metro needs to improve its cybersecurity, \naudit finds, Statescoop, July 9, 2018. https://statescoop.com/wmata-\nincident-response-audit-calls-for-improved-cybersecurity-plan/.\n    \\13\\ Nicole Perlroth, Chinese and Iranian Hackers Renew Their \nAttacks on U.S. Companies, New York Times, February 18, 2019. 
https://\nwww.nytimes.com/2019/02/18/technology/hackers-chinese-iran-usa.html.\n---------------------------------------------------------------------------\n    These developments are even more alarming because they provide CRRC \nthe opportunity to pivot into freight rail assembly, a subsector of \nrail not protected by the same Buy America requirements as transit \nrail, and one that represents a troubling vulnerability if overtaken by \nthe government of China. Even so, CRRC is making steady and deliberate \nheadway into this sector with the launch of Vertex Rail Corporation and \nAmerican Railcar Services. Vertex Rail Corporation is now a defunct \nfreight rail assembly facility that was based in Wilmington, North \nCarolina. On the other hand, American Railcar Services is a separate \nassembly facility headquartered in Miami, FL that maintains assembly \noperations in Moncton, New Brunswick.\n    Concerns about CRRC's transition into freight rail manufacturing \nare best illustrated by the recent experiences of third-country markets \nlike Australia, whose freight rail manufacturing sector CRRC entered in \n2008. In less than 10 years, CRRC effectively decimated the sector, \nforcing the 4 domestic suppliers out of business and out of the rail \nmarket which left only CRRC standing. Today, almost no meaningful \nAustralian passenger or freight rolling stock manufacturing exists--\nCRRC's Australia footprint is almost exclusively that of an assembler \nof Chinese-made parts and a financier of purchases from CRRC. We cannot \nlet that happen here.\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                   implications for national security\n    Unlike the U.S. maritime shipping industry, whose security is \nprotected by the Jones Act, a measure that requires vessels \ntransporting goods between U.S. ports to be U.S.-built and majority \nU.S.-owned, freight rail in America has been left comparatively \nunprotected. 
Yet, the Department of Homeland Security (DHS) deems the \nU.S. rail sector as part of the Nation's critical infrastructure,\\14\\ \nnoting that 140,000 rail miles enable U.S. freight rail to run through \nevery major American city and every military base in the Nation. The \nDepartment of Defense (DoD), which itself maintains a fleet of more \nthan 1,300 rail cars, has also designated nearly 40,000 miles of \nfreight rail as part of the Strategic Rail Corridor Network (STRACNET), \na comprehensive rail network that connects military bases and maritime \nports across the country.\\15\\ We have had extensive discussions with \nrepresentatives from the Department of Defense, and based on those \ndiscussions I am confident that the Secretary of Defense would express \nhis concerns on this matter as well.\n---------------------------------------------------------------------------\n    \\14\\ Presidential Policy Directive 21 (PPD-21) identifies 16 \ncritical infrastructure sectors, including ``Transportation Systems.'' \nThe Department of Homeland Security defines ``Freight Rail'' as 1 of \nthe 7 key subsectors. See generally, PPD-21, Critical Infrastructure \nSecurity and Resilience, Feb. 12, 2013, https://www.whitehouse.gov/the-\npress-office/2013/02/12/Presidential-policy-directive-critical-\ninfrastructure-security-and-resil and Transportation Systems Sector, \nDep't of Homeland Sec., Mar. 25, 2013, http://www.dhs.gov/\ntransportation-systems-sector.\n    \\15\\ ``Strategic Rail Corridor Network (STRACNET),'' Global \nSecurity, 2012. 
https://www.globalsecurity.org/military/facility/\nstracnet.htm.\n---------------------------------------------------------------------------\n    Because freight rail transports not only military freight and \nindustrial products, but also nuclear material and hazardous chemicals \nthat can be safely and effectively transported only by rail, there is a \nserious risk that the technologies in these systems could be \ncompromised by a malicious actor. As noted by Brig. Gen. John Adams \n(USA, Ret.) in a 2018 report on the vulnerabilities of freight \nrail,\\16\\ our rail system's rapidly expanding internet of things (IoT) \ncapabilities present an array of National security challenges that \ninclude:\n---------------------------------------------------------------------------\n    \\16\\ National Security Vulnerabilities of the U.S. Freight Rail \nInfrastructure and Manufacturing Sector--Threats and Mitigation, \nBrigadier General John Adams, US Army (Retired), October 22, 2018.\n---------------------------------------------------------------------------\n  <bullet> A digitized railroad network/the internet of things.--\n        Integrated teams of data scientists, software developers, and \n        engineers develop and apply technology across every aspect of \n        the Nation-wide freight rail network, effectively increasing \n        the vulnerability of industrial control systems, train \n        operations, and perhaps even the industry's metadata \n        warehousing centers to cyber threats.\n  <bullet> Rail Signaling.--Congress has mandated the installation of \n        positive train control (PTC) systems on much of the Nation's \n        rail systems as a means of preventing specific accidents. 
A \n        malicious cyber breach of PTC or underlying existing rail \n        signaling systems could wreak havoc and cause accidents or \n        derailments on the highly interdependent freight railway \n        network.\n  <bullet> Locomotives.--Rail locomotives rely upon hundreds of sensors \n        to monitor asset health and performance of train systems.\n  <bullet> On-board Freight Car Location & Asset Health Monitoring.--\n        Thousands of freight cars are equipped with telematics or \n        remote monitoring equipment, many of which are carrying \n        hazardous materials like chlorine, anhydrous ammonia, ethylene \n        oxide, and flammable liquids. This tracking technology includes \n        a wireless communication management unit to track precise near-\n        real-time location via GPS, direction of travel, speed, and \n        dwell time within the Transportation Security Administration \n        (TSA)'s 45 designated high-threat urban areas (HTUAs).\\17\\\n---------------------------------------------------------------------------\n    \\17\\ The Transportation Security Administration defines an HTUA as \nan area comprising one or more cities and the surrounding areas, \nincluding a 10-mile buffer zone.\n---------------------------------------------------------------------------\n  <bullet> End-of-Train Telemetry (EOT).--The FRA requires all freight \n        trains operating in excess of 30 mph to be equipped with a \n        2-way EOT device that tracks GPS location and can allow a \n        locomotive engineer to initiate an emergency brake application, \n        a critical safety feature for trains that can stretch upwards \n        of 10,000 feet long (See Attachment A).\n    The presence of these evolving technologies underscores the clear \ndanger of a foreign country, and particularly the government of China \nand its state-owned enterprises, having undue control of freight \nmanufacturing in the U.S. market. 
Already, there are reports of Chinese \nmanufacturers investigating the production of their own ``telematics'' \ntechnology to allow the monitoring and control of their rail cars.\\18\\ \nOn the transit side, China is already boasting about how it has \nutilized the latest advances in AI and facial recognition technology to \nidentify and track its 1.4 billion citizens,\\19\\ creating a very real \nprospect that they could do the same here in the United States.\n---------------------------------------------------------------------------\n    \\18\\ China plans ``smart trains'' to take on global rail companies, \nCHINA DAILY, March 10, 2016, http://english.chinamil.com.cn/news-\nchannels/2016-03/10/content_6952271_2.htm.\n    \\19\\ Surveillance Cameras Made by China Are Hanging All Over the \nU.S., The Wall Street Journal, November 12, 2017. https://www.wsj.com/\narticles/surveillance-cameras-made-by-china-are-hanging-all-over-the-u-\ns-1510513949.\n---------------------------------------------------------------------------\n                               conclusion\n    As China's CRRC becomes more dominant as a U.S. rail manufacturer, \nthere are urgent and compelling questions we must answer regarding \nwhether a growing presence of, and reliance upon freight or passenger \ncars from a major state-owned Chinese rail enterprise is likely to \ncompromise the security and safety of industrial, military, and \ncivilian transportation systems in the United States. 
For that reason, \nwe are grateful that Congress passed legislation last year that would \nmandate the Department of Homeland Security, in coordination with the \nCommittee on Foreign Investment in the United States and the Department \nof Transportation, produce a report on the National security threats of \nChinese SOE investment in our rolling stock manufacturing sector,\\20\\ \nand we strongly urge the committee to work with DHS as that report is \ncompleted.\n---------------------------------------------------------------------------\n    \\20\\ See. H.R. 5515--John S. McCain National Defense Authorization \nAct for Fiscal Year 2019, Sec. 1719(c).\n---------------------------------------------------------------------------\n    We greatly appreciate the committee's interest in addressing these \ncritical issues. The strategic targeting of our Nation's infrastructure \nby the government of China and its state-owned enterprises poses a \nfundamental threat to the fabric of our critical infrastructure and is \na pressure point for malicious cyber actors to threaten not only the \neconomic and National security of the United States, but to our \nstanding as a global power.\n    Thank you again for the opportunity to testify. I look forward to \nanswering any questions you may have.*\n---------------------------------------------------------------------------\n    * Attachment A has been retained in committee files and is \navailable at https://go.americanmanufacturing.org/page/-/\nAdams_Freight_Rail.pdf.\n\n    Mr. Correa. Thank you, for your statements.\n    I would like to recognize Mr. Hultquist, for 5 minutes.\n\nSTATEMENT OF JOHN HULTQUIST, DIRECTOR OF INTELLIGENCE ANALYSIS, \n                            FIRE EYE\n\n    Mr. Hultquist. Chairman Correa and Ranking Member Lesko, \nfor convening this joint hearing today. My name is John \nHultquist, and I am the director of intelligence analysis for \nFireEye. 
My team of over 150 intelligence analysts and \nresearchers pore over data we collect from FireEye's global \nnetworks of devices, incident response, researchers monitoring \nthe criminal underground and many more sources to understand \nthe global cyber threat.\n    FireEye is supporting the transportation and energy sectors \nhere at home. We are protecting TSA with email--thank you--and \nweb inspection and we are providing support to DHS's \nsubscription to our intelligence reporting.\n    At DOE we are supporting network and file inspection, \nmalware analysis, and protecting their data from threats down \nat their endpoints. The Department is the largest civilian \nagency consumer of our intelligence reporting which provides \nfocused visibility into threats targeted at the energy sector.\n    Today I will focus primarily on threats on the horizon that \nFireEye is watching develop in the Middle East, Ukraine, South \nKorea, where Iran, Russia, North Korea, are the most active.\n    Despite a dearth of recent specific examples of pipeline \ntargeting by state actors that we have observed, targeting the \nsector is consistent with the behavior of several state actors \nwho have carried out disruptive and destructive operations. \nPipelines sit at the nexus of two well-established interests \nfor state actors, energy and transportation. For example, oil \nand gas has been the major focus of a long-term destructive \nmalware campaign by Iran in the Gulf.\n    Though these attacks have targeted critical infrastructure \norganizations, they have primarily affected business-focused IT \nsystems rather than sensitive control systems. Nonetheless \nIranian-sponsored threat actors have caused significant, costly \ndisruptions from 2012 to as recently as 2018 using this \ncapability.\n    The Middle East was also the scene of the most \ndisconcerting attack on control systems we have observed. 
An \nindustrial plant there suffered a disruption when \nattackers inadvertently triggered a shutdown using malware we \ncall Triton. They triggered the shutdown because they were \nattempting to manipulate automated safety systems, one of the \nlast lines of defense to protect human life. We believe this \nactivity originated from a Russian government organization.\n    Transportation and logistics systems have been an unrecognized \nbut fruitful focus for state cyber attackers as well. During \nand between attacks on Ukraine's grid, attempts were made by \nthe same Russian actors to gain access to rail, air, and sea \ntransportation routes and hubs to varying degrees of success.\n    Many of the companies which posted major losses from the \nNotPetya Ransomware incident in the hundreds of millions of \ndollars were also in the logistics business, despite this \nindustry not having been specifically targeted. Such a pattern \ncould indicate that logistics organizations may be especially \neconomically vulnerable to incidents of this nature.\n    Like pipeline operations, transit networks have been \nsubjected to ransomware operations and denial-of-service \nattacks which have on occasion resulted in disruption to \nservice. Ransomware which has affected many municipal services \nhas been used to hold transit systems hostage in return for \npayment. The websites associated with mass transit systems \nwhich are often crucial to their business have also been \nsubjected to denial-of-service attacks, in some cases \ndisrupting travel. Both ransomware and denial-of-service are \ncapabilities used by state actors.\n    The complexity of transit networks and the potential for \ncascading economic consequences from disruption, bear \nsimilarities to pipelines, however transit networks offer an \nadditional attraction to would-be attackers. 
Transit is a \nhighly-visible sector with which the public regularly \ninteracts; this factor is especially relevant as many cyber \nattacks appear to be more focused on psychological effects and \nundermining confidence in institutions and creating lasting \nphysical effects.\n    It is important to bear in mind that our adversaries are \nnot necessarily preparing for a doomsday situation or any \nlasting blow but an asymmetric scenario where they can project \npower onto our shores. Ultimately their aim may be to sow chaos \nrather than to achieve some complex military objective.\n    Thank you, again for the opportunity to participate in \ntoday's discussion. I am happy to answer any of your questions.\n    [The prepared statement of Mr. Hultquist follows:]\n                  Prepared Statement of John Hultquist\n                           February 26, 2019\n    Thank you, Chairman Richmond, Ranking Member Katko, Chairman \nCorrea, and Ranking Member Lesko for convening this joint hearing \ntoday. We appreciate the opportunity to share FireEye's perspective on \nthreats to the transportation and energy sectors and provide an \noverview of how the private sector is helping to secure those sectors.\n                              introduction\n    My name is John Hultquist, and I'm the director of intelligence \nanalysis for FireEye. My team of over 150 intelligence analysts and \nresearchers pore over data we collect from FireEye's global networks of \ndevices, managed defense of 7 global Security Operations Centers, our \nincident response, researchers we have monitoring the criminal \nunderground, and many more sources to understand the global cyber \nthreat. We have teams focused on criminal threats, cyber espionage, \ncyber physical, and strategic problems, as well as vulnerabilities. 
\nUltimately, we provide intelligence reporting and services used by \nGovernment and commercial clients around the world.\n    In addition to the 300-plus security professionals responding to \ncomputer intrusions, FireEye has over 200 cyber-threat analysts on \nstaff in 18 countries, speaking 30 different languages, to help us \npredict threats and better understand the adversary--often by \nconsidering the political and cultural environment of the threat \nactors. We have an enormous catalog of threat intelligence, and it \ncontinues to grow every day alongside the continually increasing attacks \non organizations around the world.\n    FireEye is supporting the transportation and energy sectors here at \nhome. We're protecting the Transportation Security Administration with \nboth email and web inspection, managed by the Department of Homeland \nSecurity's Enterprise Security Operations Center. As TSA continues to \nstand up its intelligence capabilities, we are providing support \nthrough its subscription to our intelligence reporting.\n    Additionally, we assist in protecting the Department of Energy by \nsupporting network and file inspection, malware analysis, and \nprotecting their data from threats down to their endpoints. We provide \nthe ability for deep forensics inspection of all network traffic \nmanaged by the Department's Enterprise Security Operations Center. As \nDOE continues to enhance its cyber capabilities, we provide visibility \nto meet the Data Taxonomy Metrics. 
The Department is the largest \ncivilian agency consumer of our intelligence reporting, which provides \nfocused visibility into the threats targeted at the energy sector.\n    In addition to my role at FireEye I'm an adjunct professor at \nGeorgetown University and the founder of CYBERWARCON, a conference on \nthe cyber attack and information operations threat.\n    I have been working in cyber intelligence for over a decade, most \nof it at FireEye, but before that I worked as a contract cyber \nintelligence analyst with the Defense Intelligence Agency and State \nDepartment. Prior to that I worked briefly at the Surface \nTransportation and Public Transit Information Sharing and Analysis \nCenter where I was an analyst exploring threats to the sector we will \nbe discussing today. Part of my duties there were to forecast domestic \nthreats by exploring global incidents. Though much of this work was \nfocused on counterterrorism, I believe the methodology I employed there \nis applicable to this problem. If we want to forecast threats to \nsurface transportation, we have to look globally for the actors who may \ntarget this sector, and explore not just how they carry out attacks, \nbut why.\n    Today I will talk about a few incidents that have already affected \nsurface transportation, but I will focus primarily on threats on the \nhorizon that FireEye is watching develop in the Middle East, Ukraine, \nand South Korea, where Iran, Russia, and North Korea are most active. \nMy team has had some success with this method. In 2014, we exposed an \nactor, who we call Sandworm Team, which was carrying out cyber \nespionage in Ukraine and who was soon after exposed in U.S. critical \ninfrastructure. A year later this actor caused the first known blackout \nby cyber attack in the Ukraine.\n                               pipelines\n    Criminal, state, and hacktivist actors have all demonstrated an \ninterest in pipeline operators. 
Pipeline operators have been the victim \nof criminal ransomware incidents on multiple occasions. Hacktivist \nactors have threatened pipelines for environmental and other political \nreasons. We have seen some specific interest in pipeline infrastructure \nfrom state actors as well. APT1, an actor tied to China's People's \nLiberation Army, carried out an intrusion campaign attempting to gain \naccess to pipeline operators in 2012. While we do not think the \ncampaign aimed to cause any immediate effects, at the time we did \nassess that it was reconnaissance of our infrastructure that could be \nleveraged over the long term.\n    Despite the dearth of additional specific examples of pipeline \ntargeting, targeting the sector is consistent with the behavior of \nseveral state actors who have carried out disruptive and destructive \noperations. Pipelines sit at the nexus of two well-established \ninterests for these state attackers: Energy and transportation. Despite \na relatively brief history of disruptive and destructive cyber attacks \nagainst critical infrastructure, several incidents have focused on \nthese sectors where the potential for cascading economic and \npsychological effects on the target population is considerable.\n    Energy, particularly oil and gas and the electrical power industry, \nhas been the continued focus of threat actors who have either carried \nout disruptive cyber attacks or who appear to be tasked with preparing \nfor such an operation. Destructive and disruptive attacks on oil and \ngas have almost become common in the Middle East where our U.S. 
\nadversaries are showcasing their capabilities and improving their \nskills.\n    For example, oil and gas has been the major focus of a long-term \ndestructive campaign by Iran in the Gulf using destructive malware \ncommonly referred to as ``Shamoon.'' Though these attacks have targeted \ncritical infrastructure organizations, they have primarily affected \nbusiness-focused IT systems rather than the sensitive control systems \nwhich run production. Nonetheless, Iranian-sponsored threat actors \ncaused significant, costly disruptions from 2012 to as recently as \nDecember 2018, the last time we observed one of these incidents.\n    The Middle East was also the scene of the most disconcerting attack \non control systems we have observed. An industrial plant there suffered \na disruption when attackers inadvertently triggered a shutdown using \nmalware we call TRITON. They triggered that shutdown because they were \nattempting to manipulate automated safety systems, one of the last \nlines of defense to protect human life. We believe the attackers were \ndeveloping the ability to create an unsafe condition using the control \nsystems, while simultaneously disabling the safety systems designed to \nmitigate the attack. Such a scenario could have led to major disruption \nof operations, economic loss, and even loss of life. We believe this \nactivity originated from a Russian government organization called the \nCentral Scientific Research Institute of Chemistry and Mechanics. It is \nunknown whether these actors had been tasked to target the plant for \nsome specific geopolitical goal or if they were using this Middle \nEastern facility as a testbed to improve their capability.\n    In principle, methodologies honed in the Middle East against oil \nand gas could be applied to our pipeline sector. 
Destructive attacks \ncould be used to interrupt the administration of these complex systems, \npotentially causing economic repercussions that cascade through the \nmyriad of downstream users who depend on reliable service. A more \ncomplex scenario, like the TRITON incident, could also target \npipelines, which could be manipulated to potentially disastrous \nconsequences if actors can gain access to control and safety systems.\n    Transportation and logistics systems have been an underrecognized \nbut fruitful focus for state cyber attackers as well. During and \nbetween well-known attacks in Ukraine which turned off the power to \nportions of the country, attempts were made by the same Russian actors \nto gain access to rail, air, and sea transportation routes and hubs, to \nvarying degrees of success. In fact, we saw evidence indicating that \nwhile they were prepping the first attack that briefly disabled power \nservice in the Ukraine, the actors we call Sandworm Team were also \ncompromising airport and rail services. There are plausible but \nunverified reports that an attack which led to disruption of rail \nservice coincided with the second attack on Ukraine's grid.\n    As in the case of the Middle East, in Ukraine, we see technically \ncomplex cyber attacks that strike at the most sensitive industrial \ncontrol systems, such as those that caused blackouts, as well as \nattacks that are not focused on these systems at all. Both types of \nattack have been successful. While grid attacks were undoubtedly \nwatershed events, the most economically damaging attack we have ever \nencountered was fake ransomware called NotPetya. This fake ransomware \nencrypted drives just like its real criminal counterpart, but the state \nactors behind it never intended to decrypt this information for any \namount of money, essentially making it a destructive tool. The malware \nspread rapidly, locking up vital systems and causing major disruptions \nto global companies. 
The result was over 10 billion dollars in damages, \naccording to one White House estimate. Most notably, however, many of \nthe companies which posted major losses in the hundreds of millions \nwere in the logistics business, despite this industry not having been \nspecifically targeted. Such a pattern could indicate that logistics \norganizations may be especially economically vulnerable to cyber \nattacks of this nature.\n                                transit\n    Like pipeline operations, transit networks have been subjected to \nransomware operations and denial-of-service attacks, which have, on \noccasion, resulted in disruption to service. Ransomware, which has \naffected many municipal services, has been used to hold transit systems \nhostage in return for payment. An attack like this in San Francisco \ntook ticket systems off-line, but operations continued when riders \nwere offered free passage. In most cases we believe the attackers were \nfinancially motivated, though it is worth noting that these incidents \nexpose a vulnerability that state actors, who have used a fake \nransomware capability, could exploit.\n    In addition to ransomware incidents, the websites associated with \nmass transit systems, which are often crucial to their business, have \nbeen subjected to denial-of-service attacks. These incidents, which \ninvolve the use of a network of hijacked computers to jam a website \nwith bogus traffic, have in some cases frozen operations. We have seen \nthis phenomenon as far afield as Ukraine and Sweden. In 2017, transit \nsystems in Sweden came under a prolonged attack by an unknown actor who \ndisrupted travel. It is worth noting that like ransomware, denial of \nservice is a capability used by state actors. 
And just as ransomware \nallows these actors to carry out attacks while hiding their true \nintentions, state actors have purported to be hacktivists and taken \ncredit for denial-of-service attacks, hiding their hand in the \noperations. This was the case in the United States, where Iranian \nhackers attacking our financial system claimed to be a pan-Arab \nhacktivist. Furthermore, there is a reduced barrier to entry for these \ntypes of attacks, and even states without this capability could source \nit from the criminal underground.\n    The complexity of transit networks and the potential for cascading \neconomic consequences from disruption bear similarities to pipelines; \nhowever, transit networks offer an additional attraction to would-be \nattackers--transit is a highly-visible sector with which the public \nregularly interacts. This factor is especially relevant as many cyber \nattacks appear to be more focused on psychological effects and \nundermining confidence in institutions than creating lasting physical \neffects.\n    One example of a highly-visible cyber attack which affected the \npopulace is the destructive campaign against South Korean media and \nbanking in 2013. Though this campaign failed to interrupt broadcasts, \nit did interrupt some banking services, including on-line banking and \nATMs. The result was a visible crisis that affected the everyday lives \nof South Koreans and which might have been even greater if broadcasts \nwere halted. Blackouts fall into this same category of having far-\nreaching psychological effects. A disruption to transit could have a \nsimilar effect.\n                               conclusion\n    Thus far, U.S. critical infrastructure has been probed by actors \nfrom China, Russia, Iran, and North Korea. In many cases, these actors \nhave focused heavily on electricity generation; however, our experience \nwith them abroad suggests a much broader interest in creating \ndisruptive or destructive effects. 
We should take these lessons to \nheart now and prepare for incidents across the transportation sector.\n    It's important to bear in mind that our adversaries are not \nnecessarily preparing for a doomsday situation, or any lasting blow, \nbut an asymmetric scenario where they can project power within our \nshores. Ultimately, their aim may be to sow chaos rather than achieve \nsome complex military objective. Nonetheless, these incidents could \nhave economic and psychological effects we cannot ignore.\n    Thank you again for the opportunity to participate in today's \ndiscussion. And thank you for your leadership improving cybersecurity \nin the transportation and energy sectors. I look forward to working \nwith you to strengthen the partnership between the public and private \nsectors and to share best practices to thwart future cyber attacks.\n\n    Mr. Correa. I thank our panelists for their testimony.\n    If I may, I would like to recognize myself for 5 minutes of \nquestions. I will start out with, Mr. Lewis, you made a comment \nat the end of your statement about credible threat, we need to \nbe a credible threat, can you explain that a little bit?\n    Mr. Lewis. Certainly. Thank you, Mr. Chairman.\n    When we look at the behavior of Russia, China, Iran and to \nsome extent North Korea, they are the most dangerous attackers \nbut they are also very calculating, they are very rational and \nthey ask themselves, ``If I do this to the Americans, what is \nthe likelihood that the Americans will do something back?'' and \nif they believe there is no risk that we will do anything back, \nthey are more likely to undertake some sort of hostile or \ncoercive action.\n    Mr. Correa. In this committee last year, the full Committee \non Homeland Security, I asked the question, at what point does \na cyber attack constitute a declaration of war on the United \nStates? Any thoughts?\n    Mr. Lewis. 
This is [inaudible] was an attack that caused \ndeath or destruction or casualties, it would qualify as \njustifying a forceful response. Unfortunately, we haven't seen \nvery many of them and if you look at what the Russians did in \n2016, it wouldn't fall under that category so this is something \nthat I believe the intelligence community and cyber command are \nworking through. We need a new framework, if you cause death or \ndestruction, you fear a risk, that you fear that the United \nStates will retaliate. If you don't do that, people kind-of \nfeel like they can get away with it.\n    Mr. Correa. If you threaten our democracy or destabilize \nour Government, is that an act of war and I would ask that \nquestion to all of you?\n    Mr. Lewis. Under the current legal construct, the answer \nwould be no, right. You could make a case that by threatening \nthe political integrity of the United States, it would qualify \nas an act of war but our main problem is that we became aware \nthis was happening in April 2016, that is almost 3 years ago \nand we still have not done very much back.\n    Mr. Correa. Mr. Olson, you talked a little bit about the \nchallenge of Chinese assets, Chinese buying essentially their \nway into our markets, they are buying their markets and you \ntalk about a threat, could you relate that back to the China's \nnew 27 intelligence law that compels companies, Chinese \ncompanies to cooperate with the Chinese government?\n    Mr. Olson. Sure. So I am not fully familiar with the law \nitself, I mean, I have read articles about it. I mean, our \nconcern is that this is a wholly-owned, state-owned enterprise \nthat has a board of directors with members of the Communist \nParty and we know that when they set up shop here in United \nStates that we believe they are been directed by Beijing and \nthe cyber issues, privacy issues, and just the economic \nsecurity that stems from that is our main concern from RSA's \npoint of view.\n    Mr. 
Correa. Same question, to Mr. Hultquist.\n    Mr. Hultquist. Right, I am not familiar with that exact \nregulation but it is not uncommon for Russia or China to \nenforce or compel companies to work with their cybersecurity or \ntheir Signals Intelligence agencies to gather information.\n    Mr. Correa. Thank you very much.\n    I am going to yield the remainder of my time.\n    I will now recognize the gentle person from Arizona, Mrs. \nLesko.\n    Mrs. Lesko. Thank you, Mr. Chairman.\n    My first question is for, Mr. Hultquist, hello sir. I have \na couple of questions into one. Basically, how well do you \nthink the industry uses ISAC, the information you know, where \nyou share information with the industry [inaudible] and my \nsecondary question is, what are the risks from insider threats?\n    Mr. Hultquist. I had actually previously worked at a couple \nof the ISACs, actually the Surface Transportation and Public \nTransit ISAC, I worked there briefly before moving into the \ncyber world. They have made a lot of great strides in the cyber \nspace and several of them I think on are very, very mature and \nare making a big difference.\n    On one of the problems though is that we sometimes take \nthis myopic view of our sector and we have failed to see \nthreats coming because we are overly focused on just our own \nsector and it is important to look at our own sector but the \nactor who turned off the lights in Ukraine, was also targeting \nair, and rail, and all these other sectors, not because the \nlights were you know, particularly [inaudible] sometimes if we \nyou know, we focus too much that way, we can kind-of miss that.\n    I am sorry, your second question.\n    Mrs. Lesko. Was, what is the risk of insider threats, like \npeople that are working for, let us say, the rail system or \npassenger rail?\n    Mr. Hultquist. Many of the----\n    Mrs. Lesko. Or pipelines?\n    Mr. Hultquist. 
Major critical infrastructure incidents that \nwe have seen throughout history have involved an insider \ncomponent, a contractor who didn't get hired on was upset about \ntheir situation and decided to lock things up or I believe \nthere was a situation where they pumped toxic stuff into a \n[inaudible] critical infrastructure.\n    Mrs. Lesko. What can be done about it, do you think?\n    Mr. Hultquist. Probably a more complex or a more robust \nvetting process and recognition that when people move in and \nout of an organization, security measures need to be sort-of \nre-looked at particularly do they still have access, things of \nthat nature.\n    Mrs. Lesko. Thank you, sir.\n    My next question is for the gentleman with the rail system \nand you had mentioned--I read this article that I think it was \nin The Washington Post, entitled, ``Could a Chinese-made Metro \nCar, spy on us?'' I think you were quoted in this and some of \nthe transit authorities in this article, the Chicago Transit \nAuthority, the Massachusetts Bay Transportation Authority, they \nbasically said that none of the critical software components \nwere being produced in China.\n    What are your thoughts on that, are they misspoken or you \nknow, they said that they are considering bids from CRRC but \nthat the critical software components are not made in China and \nin fact one of the Massachusetts Bay Transportation Authority \nspokesman said, ``The design process for new rail cars includes \na cybersecurity analysis based on the U.S. Department of \nDefense Military System Safety Standard,'' so I am glad that we \nare bringing this up because I think it is a legitimate concern \nbut it seems like at least from these people, spokesman, that \nthe critical infrastructure is not made in China.\n    Can you comment?\n    Mr. Hultquist. Yes. What I would say to that is that our \nconcern is you can try to mitigate and the we heard from Ms. 
\nProctor, earlier that the cyber concerns are ever-evolving. I \ndon't know all the parts or the list of the parts but many \nparts are being made in China, the shells for Los Angeles and \nfor Boston are being made in China and shipped to Springfield, \nMassachusetts so our position at RSA's risk avoidance.\n    We don't know what can be put into a shell. We don't know \nwhat technology can be hid in there. The Chinese have a long \nview [inaudible] attack but we also think of it from a point of \nprivacy. When you have access to the tunnel [inaudible] the \nCCTV, can you get access to the Wi-Fi system? We know how they \nprofile their own citizens and it does not take a lot to lead \nto the fact that maybe you could do that here especially in the \nMetro region.\n    Mrs. Lesko. Thank you, sir.\n    I yield back my time.\n    Mr. Correa. Thank you, Mrs. Lesko.\n    I recognize the gentleman from Louisiana, Chairperson \nRichmond.\n    Mr. Richmond. Thank you, Mr. Chairman.\n    This will be for Ms. Gagliostro and Mr. Olson. It is \nbasically describing your relationship with TSA-DHS as a whole \nbut TSA and CISA. Has there been rail stakeholder involvement \nin the implementation and the goals outlined in the Pipeline \nCybersecurity Initiative and, Mr. Olson, in your view, are DHS \nand TSA being proactive enough in sharing information about \ncyber threats and best practices within rail systems, and to \nboth of you all, what could they be doing differently or more?\n    Ms. Gagliostro. So I would say that yes, there has been \nrail stakeholder involvement beyond the efforts of the Pipeline \nCybersecurity Initiative because as you know, that Initiative \nwas only announced in October but prior to that TSA has been \nworking to build its security program for over a decade now, \nhas a very strong working relationship with industry. 
We \nregularly engage in Pipeline Sector stakeholder calls to share \ninformation about threat indicators that they are getting and \nalso information about the tools that they are providing to \nindustry to help us with their security programs.\n    I think that the work that TSA is doing right now to have \nmore coordination with DHS and the CISA Office, and the \nNational Risk Management Center is a very positive step in the \nright direction of looking more comprehensively across these \nnation-state threats in particular that are targeting all \ncritical infrastructure to make sure that we are empowering \nindustry to learn from how these threats are looking \n[inaudible].\n    Mr. Olson. To echo I agree that from my understanding, I \nmean, the folks at the Rail Security Alliance represents our \nprivate industry and we know they have been talking, TSA has \ntheir private briefings we heard that from, Ms. Proctor, \nearlier that they have been doing Classified briefings for \nmembers both in the Passenger Rail Sector and also the Freight \nRail Sector. I think there can always be more and more \ninvolvement, we have certainly reached out to them to have \nconversations as well on this point.\n    What I would say on the what could be done, what could they \nbe doing more is DHS actually has a study sitting at Homeland \nSecurity right now that they need to complete by the end of the \nfiscal year, we would love to work with you all and work with \nthe Department of Homeland Security on this study and ensure \nthat private sectors' voice is heard as they are completing \nthis risk assessment of what state-owned enterprises, how they \ncould affect the U.S. transit and freight rail market.\n    Mr. Richmond. Thank you for your time.\n    Mr. Chairman, I do have prior commitments so I will yield \nthe balance of my time through the gentleman from Missouri, Mr. \nCleaver.\n    Mr. Correa. Thank you, Chairman Richmond.\n    Mr. Cleaver, go ahead.\n    Mr. Cleaver. 
Thank you, Mr. Chairman.\n    I was mayor of Kansas City all during the 1990's up until \n2000 and I can remember one of the most frightening periods of \nmy term as mayor came when we received word, we were not \nnotified but we received word, there was very likely going to \nbe a shipment of [inaudible] and taken to the Nevada, Yucca \nMountain and there was a lot of resentment [inaudible] the \nlargest freight-rail site in the country and St. Louis 200 \nmiles away is No. 3.\n    We are a [inaudible] have been extremely concerned over the \nyears about the transportation of waste but also how vulnerable \nwe are and particularly in the Midwest because you know, no \nmatter what the discussion is, it's probably even freight, we \ntend to focus on East Coast, West Coast, maybe a little part of \nthe North Coast and the Midwest is wide open.\n    I always like to remind people that the first major \nterrorist attack in this country occurred right in the middle--\nMidwest at Oklahoma City at the Murrah Federal Building. It has \nnothing to do with rail but the point I am raising, Mr. Lewis, \nand, Mr. Olson, is that I am not sure that there is any \nappropriate attention being given to that part of the country \nwhere a lot of the rail is centered.\n    Mr. Olson. I tend to agree with you, Congressman. I know \nthat you know, the Class Is, the freight rail manufacturers are \nall working on these issues and working on the cyber aspects of \nthis and the security aspects of this. RSA's position and has \nbeen as our concern is allowing the Chinese to come in and make \nfreight railcars----\n    Mr. Cleaver. Yes, sir.\n    Mr. Olson [continuing]. And be a part of the system and the \nsecurity challenges come with that. 
As you know, freight rail \ncarries grain, from toxic waste, to military equipment, and our \nview is from RSA, as soon as you allow the Chinese into the \nsystem and they are building cars they are able to track where \nall these things are going and get a bird's-eye view on where we \nare moving commodities, we are moving helicopters, where we are \nmoving people and that is of grave concern for us from a \nNational security perspective and we share your concerns sir.\n    Mr. Cleaver. Mr. Lewis.\n    Mr. Lewis. Thank you, Congressman. You know, I think \nthere's two questions you always want to ask, does the device \nconnect back home and there is a surprising answer to that \nincreasingly as we connect things to the internet. I was \nreading yesterday about a smart doorbell that was inadvertently \nrelaying people's voices back to China so rail cars are a good \ntarget, rail lines are a good target, they're traditional \nmilitary targets, good target for disruption.\n    The other thing you would want to ask though is when is it \nin the opponents' interest to do so and in that sense, they are \nlooking at it from a National perspective. They are looking at \nfrom where the least-defended parts of the country, where can \nthey achieve the most effect so in that way maybe the Midwest \nis a good target.\n    Mr. Cleaver. Yes. I would argue that there is some evidence \nto suggest that it is a target and of course my question, Mr. \nChairman, is you know, when are we going to give the necessary \nattention? I mean, you know, when I am asked you know, the \nquestion, I am no longer in the mayor's office but the people \nwants to know, Homeland Security, so when are they going to \ngive us the attention that they have been giving New York and \nBoston and San Francisco and Los Angeles and I guess I should \nsay, it is still up in the air, until something happens. Is \nthat [inaudible].\n    Mr. Lewis. 
Attention has gone to the largest metropolitan \nareas and so you are really the top 12 SMSA, Standard \nMetropolitan Statistical Areas and so the question is, can we \nexpand that? It is a question of cost and also of personnel as \nwe have heard so that tends to mean that if you are not in the \ntop 12, the top 20, you might not be getting the same attention \nas others.\n    Mr. Correa. Thank you, Mr. Cleaver. Thank you very much and \nI would like to recognize the gentle person from New York, Miss \nRice.\n    Miss Rice. So, Mr. Lewis, just to continue on that so you \nhad said at the beginning right at the end of your original \nstatement, you talked about the cost factor. Can you just \nexpound on that a little bit more?\n    Mr. Lewis. Certainly. Thank you. We have heard from the \nother witnesses too that in many cases Chinese companies are \nsubsidizing--it is part of a larger very aggressive \nmercantilist policy that the Chinese follow and so that allows \nthem to offer products at a lower price and the information we \nsaw in Australia and them squashing the competition there, you \ncan find that in other industries so you have a subsidized \nprice with pretty good equipment----\n    Miss Rice. Right.\n    Mr. Lewis. Some unknown risk for surveillance or disruption \nand the buyers have to make a decision, do I pay more for \nsecurity or do I go with the lower cost and------\n    Miss Rice. So why is the Federal Government allowing them \nto make that decision at their level, regardless of whether the \nmoney that they are using is State money or Federal money. I \nmean, I would assume if it is Federal money then we have \nabsolute say over their decision-making process but is it that \ndifference--about what pocket of money they are taking it from?\n    Mr. Lewis. We--thank you. 
We have not come to terms until \nrecently with the fact that there's a risk in buying from China \nso our supply chains are deeply integrated and so you know, \nwhen you go to the store and you turn--very often it will say, \nMade in China. Up until a few years ago people thought, oh \nwell, you know, they are going to become a market--this is \nfine, so we have--we are just starting to think about how we \ndisentangle that. Part of it might be asking about what \ntechnologies are sensitive, where's there additional risk?\n    You have all seen all the news on Huawei in the papers and \nthis is a [inaudible].\n    Miss Rice. What are we waiting for in this field?\n    Mr. Olson. I would just add, I mean, Congress did examine \nthis issue last year when it came to Federal Transit Authority \ndollars, there was actually a 1-year ban put in place in the \nSenate THUD bill. It was unfortunately stripped out of the \nfinal version that you know, you guys passed on February 15 \nbecause it was deemed controversial because there are certain \nmembers that have state-owned enterprise Chinese facilities in \ntheir district and so they are trying to preserve jobs back \nhome.\n    I will also note--yes, you are right when it comes to the \nbucket of dollars there are some of these local governments \nbecause of the deep discounts that the Chinese are giving, the \ncase of Boston is a very poignant one where the Chinese came in \nas low as much as 50 percent below some other competitors and \nso Massachusetts waived FTA dollars, there's no Buy America \nprotections, there's no Federal dollars involved in this \nproject and they have just used State money and therefore the \nChinese are able to build many components and the shells and \nship them over here so unless we have an outright Federal ban \nor some Federal law that says, you can't do this, I would \nassume that States continue to buy because of price.\n    Miss Rice. 
So I am just wondering how we sound the alarm \nbell. I mean, I just don't know, if we are allowing elected \nMembers of Congress to be more concerned about preserving jobs \nin their districts than they are a National security, we have a \nproblem so if you wouldn't mind, Mr. Olson, just talking a \nlittle bit, can you just expound on that more because this has \nto be done. If this administration does not think that this is \na priority, it is not going to trickle down, it is just not.\n    Mr. Olson. I agree with you wholeheartedly. We are a 3-\nyear-old organization. We started because we saw this market \nentry in such a quick fashion and the 4 contracts quickly \nawarded to CRRC. They have built a freight assembly facility in \nWilmington, North [inaudible] so opportunities like this to \ntestify and get in front of more Members, I mean, we are \nadvocacy; we are trying to get in front of as many Members of \nCongress, and State and local officials to raise the alarm \nbells and we are partnering as much as possible with officials \nwithin the Trump administration to raise more awareness.\n    Miss Rice. Well, I want to thank Chairman Correa, very much \nfor actually you know, putting this hearing together.\n    I want to thank all of you so much because we sit here in \nthis little bubble here in Washington and you know, the very \ncommon theme that I have heard from everyone who has sat at \nthat table is, we have to keep the lines of communication open. \nThis is not a private-sector issue. This is not a public-sector \nissue. This is a Keep America Safe issue, and Our Democracy \nSafe issue, and I hope that you know, going forward and I know \nwith people like you will be able to; I hope we can have this \nconversation in a bipartisan fashion so thank you all for being \nhere.\n    I yield back the balance of my time.\n    Mr. Correa. Thank you, Miss Rice. I agree with you about \nsounding the alarm. 
It is a very interesting question.\n    Now I would like to recognize, Mrs. Watson Coleman, from \nNew Jersey.\n    Mrs. Watson Coleman. Thank you. Thank you, Mr. Chairman.\n    So if we have these companies that are owned by the Chinese \ncompany making things in the United States of America, \ntechnically we could have professionals from security, \ncybersecurity whatever to be able to go in, announced and \nunannounced and check right----\n    Mr. Olson. Of course.\n    Mrs. Watson Coleman. We probably could?\n    Mr. Olson. Yes.\n    Mrs. Watson Coleman. Do we? Do you know, if we do?\n    Mr. Lewis. It does not work and so that is the main \nproblem.\n    Mrs. Watson Coleman. It does not work, why?\n    Mr. Lewis. It does not work because first a lot of the--it \nnever did.\n    Mrs. Watson Coleman. Yes.\n    Mr. Lewis. Pardon me. A lot of the technology is connected \nback to the manufacturer----\n    Mrs. Watson Coleman. OK.\n    Mr. Lewis. So that they can do updates; you don't know if \nit is malicious traffic or innocent traffic. Second there is \njust a lot of opportunities in rail car or an airplane to \nhide----\n    Mrs. Watson Coleman. We are just trying to figure this out.\n    You know, Mr. Olson, this one paragraph [inaudible] what do \nyou think the Federal Government's role should be here in \nensuring that this does not happen here?\n    Mr. Olson. So first off, RSA's continued position is, \ntaxpayers' dollars should not be used to be subsidizing the \nstate-owned enterprise from China period, end of story.\n    Second, I would love to work with all of you as we look at \nother ways to do bans or outright bans on this technology from \nbeing on our system. I think it is too scary to allow Chinese \ngovernment-directed company to operate in the United States \nespecially when they are building a good chunk of the materials \nin China itself.\n    Mrs. Watson Coleman. 
Because the interest actually is not \nblowing us up as it is much as just owning us?\n    Mr. Olson. Tracking us.\n    Mrs. Watson Coleman. Owning us.\n    WMATA which oversees the Washington Metro System was \ncurrently working to procure new rail cars and updates its \nprocurement requirements to include the enhanced [inaudible] \nsafeguards.\n    Mr. Olson. RSA's position is as, Mr. Lewis, stated, it is \nnever enough. If you are going to be building components and \nparts in China, you can never do enough to mitigate. Our \nposition at RSA continues to be risk avoidance, let's just not \nbuy them.\n    Mrs. Watson Coleman. So let's not allow our money to be \nspent on purchasing Chinese----\n    Mr. Olson. Correct.\n    Mrs. Watson Coleman. OK.\n    I am good. Thank you.\n    I yield back.\n    Mr. Correa. Thank you very much for those questions.\n    Now I would like to recognize the good lady from Texas, Ms. \nJackson Lee.\n    Ms. Jackson Lee. Thank you very much Mr. Chairman.\n    Having just come in, let me first of all thank the \nwitnesses of the first panel and thank those of the second \npanel [inaudible] events I have been on this committee since 9/\n11 and have seen the maturing of terrorist potential and \nutilization of now technology different from bringing down a \nplane or using it as a torpedo into major structures here in \nthe United States, though it certainly is well-known that \ncertain elements still believe that aviation is a crucial and \nserious part, but I would be interested--or infrastructure is a \ncrucial and serious part of potential of attacking the United \nStates.\n    So, I am going to ask each of your question as to whether \nor not you are--do you think we are fully prepared for zero-day \npotential events; start with, Ms. Gagliostro?\n    Ms. Gagliostro. 
So I would say, in dealing with any sort of
cybersecurity threats, the most important way for us to be
prepared and respond is through working with our Federal
partners on having strong information sharing on what we are
learning so zero-day threats are always a challenge because it
is what you don't know yet but I think being cognizant of the
threat indicators and patterns of behavior and paying attention
to those that we can be alerted to those threats quickly as
possible.
    Ms. Jackson Lee. You think the United States should address
those questions through legislation that would emphasize the
partnership between the Federal Government and the private
sector?
    Ms. Gagliostro. I think the best way to address that is
through strong partnership between the Federal Government and
the private sector.
    Ms. Jackson Lee. So legislation that dictates that would be
helpful?
    Ms. Gagliostro. To the extent that we don't think it is
effective today.
    Ms. Jackson Lee. Mr. Lewis.
    Mr. Lewis. Thank you. First, I would distinguish between
state and non-state actors. No terrorist group currently has
the capability nor will acquire in the foreseeable future the
capability to launch a damaging cyber attack. This has been
true for years, it is based on evidence from a number of----
    Mr. Correa. Could you repeat that please?
    Mr. Lewis. No terrorist group currently has the capability
to launch a damaging cyber attack.
    Ms. Jackson Lee. But please know that my zero-day is not
limited to nation-states.
    Mr. Lewis. Exactly right. We have 4 very capable opponents
who have certainly done the reconnaissance to launch these
kinds of attacks against----
    Ms. Jackson Lee. Why don't you just recite their names for
the records?
    Mr. Lewis. Russia, China, Iran, and North Korea, right,
they all have the capability, it is a question of when they
would use it so on the defensive side all the work that you
have heard from my colleagues, perhaps some improvement in
standards.
    On the offensive side, as we discussed earlier [inaudible].
    Ms. Jackson Lee [continuing]. Be effective focusing the
Government on those issues?
    Mr. Lewis. Ma'am, I have asked senior officials at DHS, if
they need more legislative authority, their position is no, but
I think it would be useful to look and see where there are gaps
in the existing legislation that might help them do better at
protecting----
    Ms. Jackson Lee. Then they do need it because there are
gaps.
    Mr. Olson [continuing]. And then, Mr. Hultquist, you
follow?
    Mr. Olson. I would agree with my colleagues on the panel
here and we would not oppose further legislation if it gives
more authority to fill as you said gaps for DHS.
    You know, our position from the Rail Security Alliance is
that we have already allowed the Chinese in and that we need to
stop the bleeding and not have them further infiltrate more
transit systems and especially the freight systems so we are
looking at it from that angle of hardware in the United States
already.
    Ms. Jackson Lee. Thank you.
    Mr. Hultquist. We have had good success anticipating a lot
of these events by looking at the places where these actors are
most active--Ukraine, the Middle East, South Korea--so I would
argue that getting that information, the observables out of
those spaces to the private sector who would likely bear the
brunt of any attack is probably the most important thing we can
do.
    Ms. Jackson Lee. So if you have any legislation that
focuses on some of the elements that you have just mentioned----
    Mr. Hultquist. Absolutely, enforcing public-private
partnership I think would be really important.
    Ms. Jackson Lee. Just last question, Mr. Chairman,
cybersecurity is becoming harder because of the connected
nature of wireless technology, how long can we secure large
complex systems when very small devices can pose risks? Whoever
feels most capable to answer that question, I would be
delighted.
    Mr. Lewis. I will start. We can't secure them now so it is
hard to see how it gets much worse but I think that as you add
more and more connected devices, the ability to create some
sort of havoc--we talked about the smart doorbells.
    Another one I just heard about is you know, those visible
braces you have got? Some of them are connected to the internet
and you can just think of endless numbers of complications,
between smart cars, smart ships, robots; they are moving into a
world where the number of things that can be hacked is growing
exponentially.
    Ms. Jackson Lee. Thank you.
    So anyone else on how do we--yes sir?
    Mr. Hultquist. We add more potential for disruption but we
also add more factors for the threat actors to gain access to
critical systems or systems that we care about.
    Ms. Jackson Lee. Anyone else?
    Mr. Chairman, I will just conclude by saying that there are
gaping holes with our cyber system. This committee is best
suited to try to address those questions and gaping holes can
create opportunities for havoc and I think this committee and
the Oversight on Transportation, Natural Gas, is crucial in its
work and I hope we will pass legislation dealing with some of
these very large holes that----
    Mr. Correa. I concur with you, Ms. Jackson Lee, and I
think----
    Ms. Jackson Lee. They create danger.
    Mr. Correa. We have got a job to do here in terms of
addressing those gaping holes.
    It seems like every time we turn around there is a new
toothbrush with a chip on it so when you are brushing your
teeth somebody's going to know how many times you do it a day
and my point is there is no privacy anymore and it looks like
all of our information is interconnected in some form or
another, whether it is a commercial venture, a state somewhere
around the world so, Mr. Lewis, you intrigue me again with your
comments about the deterrence, is there a price to pay for what
and when, and when does that trigger?
    Good questions.
    I want to thank all the witnesses for their valuable
testimony and all the Members here for their questions.
    The Members of the committee may have additional questions
for the witnesses and we ask that you respond to them
expeditiously and in writing. Pursuant to Committee Rule
VII(D), the hearing record will be held open for [inaudible].
    Thank you to all the committee Members, of both committees,
or I should say panels.
    We stand adjourned.
    [Whereupon, at 12:22 p.m., the subcommittees were
adjourned.]

                                 [all]
</pre></body></html>
"
