b'<html>\n<title> - RESOURCING DHS\'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE FISCAL YEAR 2020 BUDGET REQUEST FOR THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY DIRECTORATE</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\nRESOURCING DHS\'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE \n       FISCAL YEAR 2020 BUDGET REQUEST FOR THE CYBERSECURITY AND \n     INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY \n                              DIRECTORATE\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                     CYBERSECURITY, INFRASTRUCTURE\n                       PROTECTION, AND INNOVATION\n\n                                 OF THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             APRIL 30, 2019\n\n                               __________\n\n                           Serial No. 116-14\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n                                     \n\n        Available via the World Wide Web: http://www.govinfo.gov\n\n                               __________\n\n                  U.S. GOVERNMENT PUBLISHING OFFICE                    \n37-454 PDF                  WASHINGTON : 2019                     \n          \n--------------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. 
Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,\nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).\nE-mail, [email protected]    \n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nSheila Jackson Lee, Texas            Mike Rogers, Alabama\nJames R. Langevin, Rhode Island      Peter T. King, New York\nCedric L. Richmond, Louisiana        Michael T. McCaul, Texas\nDonald M. Payne, Jr., New Jersey     John Katko, New York\nKathleen M. Rice, New York           John Ratcliffe, Texas\nJ. Luis Correa, California           Mark Walker, North Carolina\nXochitl Torres Small, New Mexico     Clay Higgins, Louisiana\nMax Rose, New York                   Debbie Lesko, Arizona\nLauren Underwood, Illinois           Mark Green, Tennessee\nElissa Slotkin, Michigan             Van Taylor, Texas\nEmanuel Cleaver, Missouri            John Joyce, Pennsylvania\nAl Green, Texas                      Dan Crenshaw, Texas\nYvette D. Clarke, New York           Michael Guest, Mississippi\nDina Titus, Nevada\nBonnie Watson Coleman, New Jersey\nNanette Diaz Barragan, California\nVal Butler Demings, Florida\n                       Hope Goins, Staff Director\n                 Chris Vieson, Minority Staff Director\n                            \n                            \n                            ------                                \n\n     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND \n                               INNOVATION\n\n                Cedric L. Richmond, Louisiana, Chairman\nSheila Jackson Lee, Texas            John Katko, New York, Ranking \nJames R. Langevin, Rhode Island          Member\nKathleen M. 
Rice, New York           John Ratcliffe, Texas\nLauren Underwood, Illinois           Mark Walker, North Carolina\nElissa Slotkin, Michigan             Van Taylor, Texas\nBennie G. Thompson, Mississippi (ex  Mike Rogers, Alabama (ex officio)\n    officio)\n               Moira Bergin, Subcommittee Staff Director\n           Sarah Moxley, Minority Subcommittee Staff Director\n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Cedric L. Richmond, a Representative in Congress \n  From the State of Louisiana, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     5\nThe Honorable John Katko, a Representative in Congress From the \n  State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement.................................................     9\n  Prepared Statement.............................................    10\nThe Honorable Sheila Jackson Lee, a Representative in Congress \n  From the State of Texas:\n  Prepared Statement.............................................     6\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Prepared Statement.............................................    12\nThe Honorable Mike Rogers, a Representative in Congress From the \n  State of Alabama, and Ranking Member, Committee on Homeland \n  Security:\n  Prepared Statement.............................................    11\n\n                               Witnesses\n\nMr. 
Christopher C. Krebs, Director, Cybersecurity and \n  Infrastructure Security Agency, U.S. Department of Homeland \n  Security:\n  Oral Statement.................................................    13\n  Prepared Statement.............................................    15\nMr. William Bryan, Senior Official Performing the Duties of the \n  Under Secretary, Science and Technology Directorate, U.S. \n  Department of Homeland Security:\n  Oral Statement.................................................    19\n  Prepared Statement.............................................    21\n\n                             For the Record\n\nThe Honorable Cedric L. Richmond, a Representative in Congress \n  From the State of Louisiana, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Letter.........................................................     2\nThe Honorable Sheila Jackson Lee, a Representative in Congress \n  From the State of Texas:\n  Article........................................................    40\n\n                                Appendix\n\nQuestions From Chairman Bennie G. Thompson for Christopher C. \n  Krebs..........................................................    45\n\n \nRESOURCING DHS\'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE \n       FISCAL YEAR 2020 BUDGET REQUEST FOR THE CYBERSECURITY AND \n     INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY \n                              DIRECTORATE\n\n                              ----------                              \n\n\n                        Tuesday, April 30, 2019\n\n             U.S. 
House of Representatives,\n                    Committee on Homeland Security,\n             Subcommittee on Cybersecurity, Infrastructure \n                                Protection, and Innovation,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 2:28 p.m., in \nroom 310, Cannon House Office Building, Hon. Cedric L. Richmond \n(Chairman of the subcommittee) presiding.\n    Present: Representatives Richmond, Jackson Lee, Langevin, \nRice, Underwood, Katko, Ratcliffe, Walker, and Taylor.\n    Also present: Representative Thompson.\n    Mr. Richmond. The Subcommittee on Cybersecurity, \nInfrastructure Protection, and Innovation will come to order.\n    The committee is meeting today to receive testimony on the \nfiscal year 2020 budget request for Cybersecurity and \nInfrastructure Security Agency, and the Science and Technology \nDirectorate.\n    Good afternoon. I would like to thank the witnesses for \nbeing here today to discuss an important priority for this \ncommittee, funding the cybersecurity, infrastructure security, \nand innovation missions at the Department of Homeland Security.\n    Well, before we begin, I would like to send my condolences \nto the victims and families of the recent synagogue shooting in \nCalifornia. We are keeping the Poway community in our thoughts and \nprayers this week.\n    But thoughts and prayers aren\'t enough. We also need to \ndemand more of the President and his administration in the face \nof the rising threat of white nationalism and anti-Semitism \nseriously.\n    Returning to the topic of today\'s hearing, I want to begin \nby thanking the full committee Ranking Member Rogers and \nsubcommittee Ranking Member Katko for joining committee \nDemocrats in writing to appropriators to seek additional \nfunding for CISA\'s cybersecurity mission.\n    I ask unanimous consent to insert a copy of the letter into \nthe record. 
Hearing no objection, the letter is inserted.\n    [The information follows:]\n            Letter Submitted by Honorable Cedric L. Richmond\n                                    April 10, 2019.\nThe Hon. Nita Lowey,\nChairwoman, Committee on Appropriations, U.S. House of Representatives, \n        H-307 The Capitol, Washington, DC 20515.\nThe Hon. Kay Granger,\nRanking Member, Committee on Appropriations, U.S. House of \n        Representatives, 1016 Longworth House Office Building, \n        Washington, DC 20515.\n    Dear Chairwoman Lowey and Ranking Member Granger: As Congress \nnavigates the Fiscal Year 2020 (FY 2020) appropriations process, we \nurge you to increase the Homeland Security Subcommittee\'s fiscal year \n2020 302(b) allocation. By providing additional funding in fiscal year \n2020, the Appropriations Committee can ensure Congress is able to \nproperly resource Federal cybersecurity and critical infrastructure \nprotection efforts at the Department of Homeland Security\'s (DHS) \nCybersecurity and Infrastructure Security Agency (CISA).\n    The American people and our government depend increasingly upon the \nInternet for daily conveniences, critical services, and economic \nprosperity. This extraordinary level of connectivity, however, has also \nintroduced progressively greater cyber risks for the United States. \nProtecting sensitive information on government networks and ensuring \naccess to safe food, reliable electricity and transportation, clean \nwater, and secure election infrastructure through cyberspace also \nintroduces new vulnerabilities and potentially catastrophic \nconsequences from cyber incidents. Long-standing threats from nation-\nstates, terrorists, transnational criminal organizations, and other \nmalicious actors continue to evolve in scope, scale, and complexity as \nour adversaries move their activities into the digital world. 
More than \never, cyber threats now exceed the danger of physical attacks.\n    Despite the warning signs, investment in our Federal civilian \ncybersecurity capabilities simply has not kept pace. Threats to our \nFederal networks and critical infrastructure constantly evolve, and our \nadversaries\' capabilities outpace our defenses. In today\'s world, a \nflat cybersecurity budget is just as dangerous as a cut. If our \nfundamental cybersecurity capabilities are not fully resourced, \nvulnerabilities will continue to go unaddressed, and America\'s embrace \nof digital infrastructure risks becoming a source of strategic \nliability.\n    Congress must rethink the way we resource this mission. Additional \ninvestments are necessary to ensure the United States is not only \ncapable of responding to the global threat, but that we are preparing \nfor future threats as well. We urge the Committee to break from the \nstatus quo and increase the Homeland Security Subcommittee\'s 302(b) \nallocation commensurate with the threat. It is imperative that the \nHomeland Security Subcommittee\'s 302(b) allocation enable CISA to \nmature and grow the services it provides to secure Federal and critical \ninfrastructure networks.\n    We appreciate your leadership on this issue and applaud the \nCommittee\'s historic support of DHS\'s cybersecurity and infrastructure \nprotection activities. Increased funding provided over the past few \nyears has helped CISA bring Federal departments and agencies into the \nNational Cybersecurity Protection System, sped deployment of Continuous \nDiagnostics and Mitigation tools and capabilities across the Federal \nenterprise, and dramatically expanded our nation\'s election security \nefforts. 
Now that CISA has demonstrated it is up to the task, it is \ntime for Congress to resource the agency to fully execute its critical \nhomeland security mission.\n    Thank you for your thoughtful consideration of our request.\n            Sincerely,\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]            \n\n    Mr. Richmond. From election security to supply chain \nsecurity, we ask more of DHS\'s cybersecurity arm every year.\n    Despite CISA\'s growing mission, its budget has remained \nstagnant. Since taking office, the President and those around \nhim have paid a lot of lip-service to the issues related to \ncybersecurity and innovation. But there hasn\'t been much \nfollow-through.\n    In February, for example, the President touted his \ninnovation agenda, but his fiscal year 2020 budget slashes \nfunding for the S&T by nearly one-third.\n    In September, former Secretary Nielsen stated that cyber \nattacks now exceed the risk of physical attacks. Yet, the \nPresident\'s fiscal year 2020 budget would cut CISA\'s \ncybersecurity funding.\n    Last Fall, the White House released the National cyber \nstrategy, which among other things, promised to further enable \nthe Department of Homeland Security to secure Federal \ndepartment and agency networks. 
But the fiscal year 2020 budget \nfailed to request additional funds or additional authorities \nfor CISA\'s Federal network security mission.\n    Although officials throughout the administration have \ndeclared that election security is a priority, no one in the \nWhite House has been directed to coordinate a Federal response, \nand it has never been a budget priority.\n    Instead, this National security issue seems to be viewed as \na hot potato in the President\'s inner circle, not worthy of a \nwhole-of-Government approach.\n    To complicate matters, all of this is happening in the \nabsence of a White House cybersecurity coordinator, which the \nWhite House eliminated last year.\n    The Mueller report makes clear that our adversaries will \ncontinue to meddle in our elections. DHS and the FBI have \nissued numerous warnings about threats Russia, China, Iran, and \nNorth Korea, among others, pose to our critical infrastructure.\n    The threats we face are constantly evolving. Our \ncybersecurity capabilities and the technology we deploy must do \nthe same. In short, the time has come for less talk and more \naction. If the White House won\'t lead, then Congress will.\n    I am hopeful that our bipartisan efforts to secure the \nadditional funding for CISA\'s cybersecurity activities will be \nsuccessful. I urge appropriators to reject the drastic cuts \nproposed to S&T\'s budget.\n    As the Chairman of this subcommittee, I take my oversight \nresponsibility at CISA and S&T seriously. 
That said, it is hard \nto do effective oversight when Congress has given an agency a \nmission that the President\'s budget doesn\'t fully support.\n    In the mean time, I look forward to understanding how this \ncommittee can help CISA clarify its cybersecurity \nresponsibilities among its interagency partners, particularly \nin the absence of a permanent Secretary.\n    Now that CISA has publicly released a National critical \nfunctions list, I will be interested in understanding how it \nwill coordinate across sectors and the interagency to develop \nthe risk register.\n    I will be interested to know how we can support S&T\'s \nefforts to equip DHS\'s components and first responders across \nthe country with the technology they need to do their jobs \nbetter and safer.\n    I look forward to the conversation we will have today, and \nI yield back the balance of my time.\n    [The statement of Chairman Richmond follows:]\n                Statement of Chairman Cedric L. Richmond\n                             April 30, 2019\n    I would like to thank the witnesses for being here today to discuss \nan important priority for this committee: Funding the cybersecurity, \ninfrastructure security, and innovation missions at the Department of \nHomeland Security. But before I begin, I would like to send my \ncondolences to the victims and families of the recent synagogue \nshooting in California. We are keeping the Poway community in our \nthoughts this week. But thoughts and prayers aren\'t enough. We also \nneed to demand more of the President and his administration in the face \nof the rising threat of white nationalism and anti-Semitism seriously.\n    Returning to the topic of today\'s hearing, I want to begin by \nthanking Full Committee Ranking Member Rogers and Subcommittee Ranking \nMember Katko for joining committee Democrats in writing to \nappropriators to seek additional funding for CISA\'s cybersecurity \nmission. 
From election security to supply chain security, we ask more \nof DHS\'s cybersecurity arm every year. Despite CISA\'s growing mission, \nits budget has remained stagnant. Since taking office, the President \nand those around him have paid a lot of lip service to issues related \nto cybersecurity and innovation but there hasn\'t been much follow-\nthrough. In February, for example, the President touted his innovation \nagenda but his fiscal year 2020 budget slashes funding for S&T by \nnearly one-third. In September, former Secretary Nielsen stated that \n``cyber attacks now exceed the risk of physical attacks.\'\'\n    Yet the President\'s fiscal year 2020 budget would cut CISA\'s \ncybersecurity funding. Last fall, the White House released the National \nCyber Strategy, which, among other things, promised to ``further enable \nthe Department of Homeland Security (DHS) to secure Federal department \nand agency networks.\'\' But the fiscal year 2020 budget failed to \nrequest additional funds or additional authorities for CISA\'s Federal \nnetwork security mission. And although officials throughout the \nadministration have declared that election security is a priority, no \none in the White House has been directed to coordinate a Federal \nresponse and it has never been a budget priority. Instead, this \nNational security issue seems to be viewed as a ``hot potato\'\' in the \nPresident\'s inner circle, not worthy of a ``whole-of-Government\'\' \napproach. To complicate matters, all of this is happening in the \nabsence of a White House Cybersecurity Coordinator, which the White \nHouse eliminated last year. The Mueller Report makes clear that our \nadversaries will continue to meddle in our elections. And DHS and FBI \nhave issued numerous warnings about threats our adversaries--from \nRussia and China to Iran and North Korea--pose to our critical \ninfrastructure.\n    The threats we face are constantly evolving. Our technology must do \nthe same. 
In short, the time has come for less talk and more action. If \nthe White House won\'t lead, then Congress will. I am hopeful that our \nbipartisan efforts to secure the additional funding for CISA\'s \ncybersecurity activities will be successful, and I urge appropriators \nto reject the drastic cuts proposed to S&T\'s budget. As the Chairman of \nthis subcommittee, I take my oversight responsibility of CISA and S&T \nseriously. That said, it\'s hard to do effective oversight when Congress \nhas given an agency a mission that the President\'s budget doesn\'t fully \nsupport. In the mean time, I look forward to understanding how this \ncommittee can help CISA clarify its cybersecurity responsibilities \namong its interagency partners, particularly in the absence of a \npermanent Secretary. And I will be interested to know how we can \nsupport S&T\'s efforts to equip DHS components and first responders \nacross the country with the technology they need to do their jobs \nbetter and safer.\n\n    Mr. Richmond. Members of the committee are reminded that \nunder the committee rules, opening statements may be submitted \nfor the record.\n    [The statement of Honorable Jackson Lee follows:]\n               Statement of Honorable Sheila Jackson Lee\n                             April 30, 2019\n    Chairman Richmond, and Ranking Member Katko thank you for today\'s \nhearing on ``Resourcing DHS\'s Cybersecurity and Innovation Missions: A \nReview of the Fiscal Year 2020 Budget Request for the Cybersecurity and \nInfrastructure Security Agency and the Science and Technology \nDirectorate.\'\'\n    I thank today\'s witnesses:\nPanel 1\n  <bullet> The Hon. Christopher C. Krebs, director, Cybersecurity and \n        Infrastructure Security Agency, U.S. Department of Homeland \n        Security; and\n  <bullet> Mr. William Bryan, senior official performing the duties of \n        the under secretary for science and technology, Science and \n        Technology Directorate, U.S. 
Department of Homeland Security.\n    This hearing will allow the committee to examine the President\'s \nfiscal year 2020 request for the Cybersecurity and Infrastructure \nSecurity Agency (CISA) and Science and Technology Directorate (S&T) within \nthe Department of Homeland Security.\n    As hard as one person in our Government is working to stop cyber \nattacks there are likely another thousand attempting to breach a system \nor device owned by a United States citizen.\n    Last September, former Secretary Kirstjen Nielsen stated that \n``cyber attacks have exceed the risk of physical attacks,\'\' yet the \nPresident\'s budget request fails to adequately prioritize DHS\'s \ncybersecurity mission.\n    The fiscal year 2020 budget requests $1.608 billion in \nappropriations for all of CISA\'s activities excluding the Federal \nProtective Service (FPS), which is funded by fees.\n    The fiscal year 2020 request is a $73 million cut from the fiscal \nyear 2019 enacted levels of $1.681 billion.\n    The President\'s budget makes cuts across CISA\'s missions.\n    Cuts to Federal network security run counter to the objectives of \nthe National Cyber Strategy, the DHS Cybersecurity Strategy, and the \nDHS Cybersecurity Strategy Implementation Plan.\n    For example, the September 2018 National Cyber Strategy issued by \nthe White House states that:\n\n``The Administration will act to further enable the Department of \nHomeland Security (DHS) to secure Federal department and agency \nnetworks . . . 
This includes ensuring DHS has appropriate access to \nagency information systems for cybersecurity purposes and can take and \ndirect action to safeguard systems from the spectrum of risks.\'\' It \nalso states that the administration will ``continue to deploy \ncentralized capabilities, tools, and services through DHS.\'\'\n\n    I find it baffling that this administration talks tough about \ncybersecurity but cuts funding to essential cybersecurity programs.\n    The President\'s budget proposal neither seeks additional \nauthorities to empower DHS to secure the .gov domain, nor does it seek \nadditional funding to deploy centralized cybersecurity capabilities.\n    As adversaries seeking to undermine our Nation\'s public elections \nand disrupt the cyber ecosystem that fuels our economy become more \nsophisticated and prolific, they must be outmatched by a capable and \nresponsive DHS.\n    The threats made possible by the internet are numerous and include:\n  <bullet> Bot-nets;\n  <bullet> Ransom-ware;\n  <bullet> Zero Day Events;\n  <bullet> Mal-ware;\n  <bullet> Denial-of-Service Attacks;\n  <bullet> Distributed Denial-of-Service Attacks;\n  <bullet> Pharming;\n  <bullet> Phishing;\n  <bullet> Data Theft;\n  <bullet> Data Breaches;\n  <bullet> SQL Injection;\n  <bullet> Man-in-the-middle Attack.\n    The list goes on, but suffice it to say that as hard as one person \nin our Government is working to stop cyber attacks there are likely \nanother thousand attempting to breach a system or device owned by a \nUnited States citizen.\n    According to the Mueller Report and the report from our \nintelligence communities entitled, ``Background to Assessing Russian \nActivities and Intentions in Recent U.S. 
Elections: The Analytic \nProcess and Cyber Incident Attribution.\'\'\n    Russia used every cyber espionage tool available to influence the \noutcome of the 2016 Presidential election to conduct a multi-faceted \ncampaign that included theft of data; strategically-timed release of \nstolen information; production of fake news; and manipulation of facts \nto avoid blame.\n    I have two concerns, which are:\n  <bullet> the security and integrity of the elections process; and\n  <bullet> the use of sophisticated cyber attacks fueled by botnets.\n    I have been persistent in my efforts to protect the rights of \ndisenfranchised communities in my district of inner-city Houston and \nacross the Nation.\n    Throughout my tenure in Congress, I have co-sponsored dozens of \nbills, amendments, and resolutions seeking to improve voters\' rights at \nall stages and levels of the election process.\n    This includes legislation aimed at:\n    1. Increasing voter outreach and turnout;\n    2. Ensuring both early and same-day registration;\n    3. Standardizing physical and language accessibility at polling \n        places;\n    4. Expanding early voting periods;\n    5. Decreasing voter wait times;\n    6. Guaranteeing absentee ballots, especially for displaced \n        citizens;\n    7. Modernizing voting technologies and strengthening our voter \n        record systems;\n    8. Establishing the Federal Election Day as a National holiday; and\n    9. Condemning and criminalizing deceptive practices, voter \n        intimidation, and other suppression tactics.\n    I also authored H.R. 
745 in the 110th Congress, which added the \nlegendary Barbara Jordan to the list of civil rights trailblazers whose \nnames honor the Voting Rights Act Reauthorization and Amendments Act.\n    This bill strengthened the original Voting Rights Act by replacing \nFederal voting examiners with Federal voting observers--a significant \ndistinction that made it easier to safeguard against racially-biased \nvoter suppression tactics.\n    In the 114th Congress, I introduced H.R. 75, the Coretta Scott King \nMid-Decade Redistricting Prohibition Act of 2015, which would prohibit \nStates whose Congressional districts have been redistricted after a \ndecennial census from redrawing their district lines until the next \ncensus.\n    The voting rights struggles of the 20th Century are now joined by \nvoting rights threats posed by the 21st Century.\n    Russia, an adversary of the United States, engaged in repeated \nattempts to interfere in the 2016 Presidential election, which prompted \nan unprecedented ``all-of-Government\'\' effort to alert local and State \nelection administrators to be aware of the threat.\n    Russia was reported to have breached 21 local and State election \nsystems, with later reports suggesting this number was larger than \ninitially reported.\n    In February 2018, special counsel Robert Mueller released \nindictments of 13 Russians, at least one of whom has direct ties to \nRussian President Vladimir Putin.\n    The Mueller Report was released and the most relevant sections \ndealing with Russia\'s interference using technology have been redacted.\n    That Russia used cyber intrusions to attack United States political \ninstitutions to collect data to manipulate the media and the public \nwith the purpose of influencing the outcome of the 2016 Presidential \nelections is now an undisputed fact.\n    Because of what was known at the time, on January 6, 2017, Homeland \nSecurity Secretary Johnson, as one of his last official acts under the \nObama 
administration, designated election systems as critical \ninfrastructure, and created a new subsector under the existing \nGovernment Facilities Sector designation.\n    On that same day, President-Elect Trump was briefed by the \nintelligence community that Vladimir Putin had directed the cyber \nattack on the United States of America.\n    Since then, intelligence officials have continued to warn that \nforeign governments--including Russia, Iran, and China--could attempt \nto interfere in U.S. elections.\n    In February 2018, 6 intelligence agency chiefs issued a dire \nwarning about the Kremlin\'s on-going efforts to influence the U.S. \nelections.\n    On January 29, 2019, the director of national intelligence \ntestified before the Senate Select Committee on Intelligence that our \nadversaries ``probably already are looking to the 2020 U.S. elections \nas an opportunity to advance their interests.\'\'\n    The House Committee on Homeland Security has the responsibility of \nproviding for the cybersecurity of Federal civilian agencies as well as \nthe security of the Nation\'s 16 critical infrastructure sectors from \ncyber and other threats.\n    The Election Infrastructure Subsector covers a wide range of \nphysical and electronic assets such as storage facilities, polling \nplaces, and centralized vote tabulation locations used to support the \nelection process, and information and communications technology to \ninclude voter registration databases, voting machines, and other \nsystems to manage the election process and report and display results \non behalf of State and local governments.\n    The work to secure our Nation\'s election system from cyber threats \nis on-going, which is why this hearing on the administration\'s \ncybersecurity budget priorities is relevant.\n    The U.S. 
Department of Homeland Security\'s (DHS) mission in \ncybersecurity and infrastructure protection is focused on enhancing \ngreater collaboration on cybersecurity across the 16 critical \ninfrastructure sectors and the sharing of cyber threat information \nbetween the private sector and Federal, State, and local partners.\n             botnet threat and the internet of things (iot)\n    While connected devices are transforming our personal and working \nlives in a multitude of ways, they are also a growing security risk--\nattackers are hijacking these devices and turning them into internet of \nthings botnets.\n    Botnet attacks have become commonplace, with CenturyLink Threat \nResearch Lab estimating that 195,000 such attacks take place every day \nand Accenture putting the average cost at $390,752.\n    As new wireless technologies enter the commercial and consumer \nspace attackers are finding different ways to launch more complex and \ndevastating exploits.\n    The proliferation of IoT-enabled devices is making for new rich \ntargets for attackers who are increasingly using IoT devices to build \ntheir botnets.\n    We must be steadfast in our resolve to have a strong shield to \ndefend civilian and critical infrastructure networks for all threats \nforeign and domestic.\n    We must develop an effective deterrent to foreign tampering in our \ndomestic affairs and especially in the critical area of local, State, \nor Federal public elections.\n    I look forward to the testimony of today\'s witnesses. Thank you.\n\n    Mr. Richmond. We now have Mr. Katko to read his opening \nstatement.\n    Mr. Katko. Thank you, Mr. Chairman, for holding this \nhearing. Thank you to our distinguished witnesses for being \nhere today, Mr. Krebs and Mr. Bryan.\n    So also, thank you to the Chair of the whole committee, \nMr. 
Thompson, for being here, as well.\n    Our Nation faces digital and physical threats daily, \nhourly, by the minute, by the second, really, that have the \npotential to disrupt, damage, and destroy their targets.\n    These threats are only growing in magnitude, frequency, and \nsophistication in the years ahead. We have had several major \nattacks in my district alone in the last few weeks. They are \ngoing to continue, obviously.\n    The Federal Government must work with partners across the \npublic and private sectors, not only to prevent and deter \ncurrent threats, but also to evolve to meet those of the \nfuture.\n    Congress recognizes the need, and last year passed the \nCybersecurity and Infrastructure Security Agency Act of 2018.\n    This act created the Cybersecurity and Infrastructure \nSecurity Agency, or CISA for short, to serve as the Nation\'s \nrisk adviser, providing for the timely sharing of information, \nanalysis, and assessment and facilitating mitigation and \nresilience, building to partners across Government and \nindustries.\n    Their motto is to ``Defend today and Secure tomorrow.\'\' \nTheir mission is expansive. CISA is responsible for securing \nthe civilian Federal networks, comprised of 99 civilian \nagencies, monitoring emerging threats across sectors 24/7/365, \nsecuring our Nation\'s chemical facilities, partnering with \npublic and private sector to protect soft targets in crowded \nplaces, and identifying and addressing risks to our National \ncritical functions.\n    It is crucial that CISA has a budget and the human capital \nnecessary to be successful. 
Today, we will take a closer look \nat their plans and how they intend to carry out and achieve \ntheir mission.\n    I am also interested in hearing from National critical \nfunctions\' list in the new binding operational directive \nreleased today.\n    Today, we also will hear from the Science and Technology \nDirectorate, or S&T, about how they plan to execute their \nmission in the year ahead. S&T, through partnerships within the \nFederal Government, academia and industry, develops innovative \nsolutions to aid the Department of Homeland Security in \nachieving its mission more effectively, efficiently, and \naffordably.\n    Like my colleague, the Chair of this committee, said, Mr. \nRichmond, there is bipartisan support to increasing your \nbudgets. We understand the critical function you play. We \nunderstand that you need more money to be able to do it \nproperly. I fully support that notion.\n    I look forward to hearing from both of our witnesses and my \ncolleagues to see how we can work together to ensure that \nHomeland Security is capable of protecting our Nation from \ndigital and physical threats.\n    [The statement of Ranking Member Katko follows:]\n                 Statement of Ranking Member John Katko\n                             April 30, 2019\n    Our Nation faces digital and physical threats daily that have the \npotential to disrupt, damage, and destroy their targets. These threats \nwill only grow in magnitude, frequency, and sophistication in the years \nahead.\n    The Federal Government must work with partners across the public \nand private sectors not only to prevent and deter current threats, but \nalso to evolve to meet those of the future.\n    Congress recognized this need and last year passed the \nCybersecurity and Infrastructure Security Agency Act of 2018. 
This Act \ncreated the Cybersecurity and Infrastructure Security Agency, or CISA, \nto serve as the Nation\'s risk advisor, providing for the timely sharing \nof information, analysis, and assessment, and facilitating mitigation \nand resilience building to partners across Government and industries.\n    Their motto is to ``Defend today and Secure tomorrow,\'\' and their \nmission is expansive.\n    CISA is responsible for: Securing the civilian Federal networks, \ncomprised of 99 civilian agencies; monitoring emerging threats across \nsectors 24/7/365; securing our Nation\'s chemical facilities, partnering \nwith public and private sector to protect soft targets and crowded \nplaces; and identifying and addressing risks to our National critical \nfunctions.\n    It is critical that CISA has the budget and the human capital \nnecessary to be successful.\n    Today we will take a closer look at their plans and how they intend \nto carry out and achieve their mission.\n    Today we also will hear from the Science and Technology \nDirectorate, or S&T, about how they plan to execute their mission in \nthe year ahead.\n    S&T, through partnerships within the Federal Government, academia, \nand industry, develops innovative solutions to aid the Department of \nHomeland Security in achieving its mission more effectively, \nefficiently, and affordably.\n    I look forward to hearing from both our witnesses and my colleagues \nto see how we can work together to ensure DHS is capable of protecting \nour Nation from digital and physical threats.\n\n    Mr. Katko. Before I yield back, Mr. Chairman, I want to ask \nthat we add Congressman Rogers\' written testimony to the \nrecord, since he was unable to be here.\n    Mr. Richmond. Without objection.\n    [The statement of Ranking Member Rogers follows:]\n                 Statement of the Honorable Mike Rogers\n                             April 30, 2019\n    Thank you, Mr. 
Chairman, for holding this hearing, and to our \nwitnesses for being here today.\n    The threat landscape is continuing to evolve both in the cyber and \nphysical space. Threats can be technological, man-made, or natural, and \ncan emerge from nation-states, criminal organizations, terrorists, and \nothers seeking to cause havoc.\n    In our increasingly connected world, even the most seemingly \nunsophisticated of threats has the potential to do great damage.\n    The Cybersecurity and Infrastructure Security Agency partners with \nall levels of government and across industries to better manage and \nmitigate risk to secure against these threats.\n    CISA is spearheading initiatives to secure our supply chain, \nworking with States to protect our elections, monitoring networks, \nsecuring chemical facilities and planning and preparing for emerging \nthreats.\n    CISA\'s work is critical and I was pleased to join with Chairman \nThompson to request an increase to CISA\'s funding for this upcoming \nyear.\n    I look forward to hearing from CISA about their plans to defend \ntoday and secure tomorrow.\n    Thank you to S&T for appearing before us today. I look forward to \nhearing from you on the fiscal year 2020 budget request.\n    Thank you and I yield back.\n\n    Mr. Katko. With that, Mr. Chairman, I yield back.\n    Mr. Richmond. I now recognize the Chairman of the full \nCommittee on Homeland Security, Mr. Bennie Thompson, from \nMississippi for an opening statement.\n    Mr. Thompson. Thank you, Mr. Chairman. Thank our witnesses \nfor their presence today.\n    I am pleased to have the opportunity to examine an issue \ncritical to our National security posture, the budget requests \nfor the Cybersecurity Infrastructure Security Agency, CISA, and \nthe Science and Technology Directorate.\n    The past month at the Department of Homeland Security has \nbeen a tumultuous one. 
The President dismissed the Secretary, \nthe under secretary for management, the director of the Secret \nService, and the acting director of Immigration and Customs \nEnforcement.\n    At the same time, the Mueller report, even in its redacted \nform, crystalizes the threats of foreign election interference, \nas the 2020 elections approach.\n    Over the weekend, 1 person died and 3 were injured during \nPassover services at a California synagogue, 6 months to the \nday of the Pittsburgh synagogue shooting that killed 11, \nunderscoring the growing threat of domestic terrorism at the \nhands of emboldened white nationalists, as we are a month away \nfrom hurricane season, and there is no Senate-confirmed FEMA \nadministrator.\n    In short, the Nation is facing increasingly complex \nthreats, and requires sturdy leadership to confront them. That \nis why I am pleased that Director Krebs and Acting Under \nSecretary Bryan are here to talk about the budgets for \ncomponents charged with leading civilian cybersecurity efforts, \nprotecting critical infrastructure and developing technologies \nthat make us safer and more secure.\n    For the record, I have serious concerns regarding the \nPresident\'s fiscal year 2020 budget request for both CISA and \nS&T. Last September, the former DHS Secretary observed that \ncyber attacks now exceed the risk of physical attacks. Since \nthe President submitted his last budget request, the FBI and \nDHS issued a joint technical alert warning about Russian cyber \nattacks against critical infrastructure.\n    Ransomware attacks have already wreaked havoc on local \ngovernments from Atlanta to Albany, and the Federal Government \nannounced that the Chinese government engaged in a 12-year \ncyber espionage campaign targeting intellectual property and \ntrade secrets.\n    The list is far from complete. 
After each incident, we have \nlooked at CISA to help us understand and mitigate the \nconsequences and secure the ecosystem from future attacks.\n    Moving forward, we look to CISA to continue its work \nimproving the cybersecurity posture of 99 Federal agencies, \nensure a secure 5G rollout, and help State and local \ngovernments keep bad actors out of our election systems.\n    Yet, the President\'s budget would decrease funding for \nCISA\'s cybersecurity budget from fiscal year 2019 levels. In a \ncontext of the current threat environment, even level funding \nis as dangerous as a cut.\n    I commend CISA\'s leadership for proactively attacking many \nof these threats head-on, including by making its cybersecurity \ncapabilities available to Presidential campaigns.\n    The Mueller report provided for greater details on the \nscale and scope of Russian election interference efforts, \nparticularly, how the Russians manipulated and hacked \ninformation from campaigns to sow seeds of discord and sway \nvotes.\n    I am glad that CISA is willing to do its part to prevent \nall forms of election interference. But I am worried that we \nare writing checks in this fiscal year 2020 budget that we \ncan\'t cash, especially given its important responsibilities to \nother critical infrastructure sectors.\n    Toward that end, I will be interested to know the level of \nengagement CISA will be able to undertake under the budget \nrequest, and how it will grow its support if Congress provided \nadditional funding.\n    I would also like to raise concern about the funding level \nrequested for S&T. 
For too long, we have deferred investment in \ninnovative security technologies to fund operation in funding \nthe President\'s Southern Border wall.\n    But these cuts have consequences, from reducing first-\nresponder training and technology, testing opportunities, by \nclosing National urban security technology laboratories, to \nshrinking homeland security researcher communities, by cutting \nuniversity programs and Centers of Excellence.\n    The program fiscal year 2020 budget shortchanges the future \nfor political wins today. I will fight to restore funding to \nimprove innovation activities at S&T.\n    With that, Mr. Chairman, I thank the witnesses, again, for \nbeing here. I yield back the balance of my time.\n    [The statement of Chairman Thompson follows:]\n                Statement of Chairman Bennie G. Thompson\n                             April 30, 2019\n    I am pleased to have the opportunity to examine an issue critical \nto our National security posture: The budget request for the \nCybersecurity and Infrastructure Security Agency (CISA) and the Science \nand Technology Directorate. The past month at the Department of \nHomeland Security has been a tumultuous one. The President dismissed \nthe Secretary, the under secretary for management, the director of \nSecret Service, and the acting director of Immigration and Customs \nEnforcement. At the same time, the Mueller Report--even in its redacted \nform--crystalizes the threat of foreign election interference as the \n2020 elections approach.\n    Over the weekend, 1 person died and 3 were injured during Passover \nservices at a California synagogue--6 months to the day of the \nPittsburgh synagogue shooting that killed 11--underscoring the growing \nthreat of domestic terrorism at the hands of emboldened white \nnationalists. And we are a month away from hurricane season and there \nis no Senate-confirmed FEMA administrator. 
In short, the Nation is \nfacing increasingly complex threats and requires steady leadership to \nconfront them. That is why I am pleased that Director Krebs and Acting \nUnder Secretary Bryan are here to talk about the budgets for components \ncharged with leading civilian cybersecurity efforts, protecting \ncritical infrastructure, and developing technologies that make us safer \nand more secure.\n    For the record, I have serious concerns regarding the President\'s \nfiscal year 2020 budget request for both CISA and S&T. Last September, \nthe former DHS Secretary observed that ``cyber attacks now exceed \nthe risk of physical attacks.\'\' Since the President submitted his last \nbudget request:\n  * the FBI and DHS issued a joint technical alert warning about \n        Russian cyber attacks against critical infrastructure;\n  * ransomware attacks have wreaked havoc on local governments \n        from Atlanta to Albany; and,\n  * the Federal Government announced that the Chinese government \n        engaged in a 12-year cyber espionage campaign targeting \n        intellectual property and trade secrets.\n    This list is far from complete, and after each incident, we have \nlooked to CISA to help us understand and mitigate the consequences and \nsecure the ecosystem from future attacks. Moving forward, we will look \nto CISA to continue its work improving the cybersecurity posture of 99 \nFederal agencies, ensure a secure 5G rollout, and help State and local \ngovernments keep bad actors out of their election systems. Yet the \nPresident\'s budget would decrease funding for CISA\'s cybersecurity \nbudget from fiscal year 2019 levels. In the context of the current \nthreat environment, even level funding is as dangerous as a cut. I \ncommend CISA leadership for proactively tackling many of these threats \nhead-on, including by making its cybersecurity capabilities available \nto Presidential campaigns. 
The Mueller Report provided far greater \ndetail on the scale and scope of Russian election interference efforts, \nparticularly how the Russians manipulated hacked information from \ncampaigns to sow discord and sway votes. I am glad that CISA is willing \nto do its part to prevent all forms of election interference. But I\'m \nworried it is writing checks its fiscal year 2020 budget can\'t cash, \nespecially given its important responsibilities to other critical \ninfrastructure sectors. Toward that end, I will be interested to know \nthe level of engagement CISA would be able to undertake under the \nbudget request and how it would grow its support if Congress provided \nadditional funding.\n    I would also like to raise concerns about funding level requested \nfor S&T. For too long, we have deferred investments in innovative \nsecurity technologies to fund operations and funding the President\'s \nSouthern Border wall. But these cuts have consequences. From reducing \nfirst responder training and technology-testing opportunities by \nclosing National Urban Security Technology Laboratory to shrinking \nhomeland security researcher community by cutting university programs \nand Centers of Excellence, the President\'s fiscal year 2020 budget \nshortchanges the future for political wins today. I will fight to \nrestore funding to important innovation activities at S&T.\n\n    Mr. Richmond. Thank you, Mr. Chairman.\n    I will now welcome our panel of witnesses.\n    First, I would like to welcome Chris Krebs, the director of \nthe DHS Cybersecurity and Infrastructure Security Agency, back \nto testify before this panel.\n    Director Krebs has been at the helm of the DHS\'s \ncybersecurity activity since 2017. 
He has been an integral \nplayer in shaping and developing the Department\'s election \nsecurity capabilities.\n    I would also like to welcome William Bryan, the senior \nofficial performing the duties of the under secretary, who has \nbeen leading the Science and Technology Directorate since May \n2017.\n    Prior to his service at DHS, Mr. Bryan held multiple \nleadership roles at the Department of Energy and Department of \nDefense.\n    Without objection, the witnesses\' full statements will be \ninserted into the record.\n    I now ask each witness to summarize his statements for 5 \nminutes, beginning with Director Krebs.\n\nSTATEMENT OF CHRISTOPHER C. KREBS, DIRECTOR, CYBERSECURITY AND \n  INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Mr. Krebs. Chairman Richmond, Ranking Member Katko, and \nMembers of the subcommittee, thank you for today\'s opportunity \nto testify regarding the Cybersecurity and Infrastructure \nSecurity Agency, or CISA\'s, 2020 budget request.\n    CISA leads the National effort to safeguard and secure \nFederal networks and critical infrastructure from cyber and \nphysical threats. In this sense, we serve as the Nation\'s risk \nadviser.\n    To further our efforts in this mission, it is critical that \nacross Government industry we have clarity and common sense and \npurpose on what it is we need to protect. 
Earlier today I \nannounced that we reached a new milestone within CISA, by \nidentifying a set of National critical functions.\n    The NCFs are functions of Government in the private sector \nso vital to the United States that their disruption, \ncorruption, or dysfunction would have a debilitating effect on \nsecurity, National economic security, National public health or \nsafety, or any combination thereof.\n    NCFs represent an evolution in the Nation\'s risk management \nefforts by focusing on how entities or organizations enable \nfunctions or services across the economy, allowing for a better \nunderstanding of cross-cutting risk factors in the increasingly \ninterdependent nature of connected infrastructure.\n    The National critical function\'s effort is just one example \nof how CISA is leading the Nation\'s risk management efforts and \nwill serve as a road map to guide CISA activities in the coming \nyears.\n    Today, I would like to briefly touch on five of those \nactivities; protection of Federal networks, election security, \noperational technology, supply chain risk management, and soft-\ntarget security.\n    Across the Federal Government, we have better I.T. \ncapabilities Government-wide. We are on a path to \nstandardization, and leadership awareness at the Cabinet level \nis increasing.\n    By issuing guidance or directives to Federal agencies, \nproviding tools and services and implementing cybersecurity \ninitiatives, we are protecting Government and critical \ninfrastructure networks from malicious actors.\n    Binding operational directives have yielded significant \nresults for Federal cybersecurity. For instance, we have \nreduced the time agencies were taking to patch critical \nvulnerabilities from an average of 219 days in 2015, to an \naverage around 20 days today. In many cases, that is better \nthan industry. 
But we can do better.\n    Yesterday, I issued an updated directive requiring even \nshorter mitigation time frames for a broader category of \nvulnerabilities.\n    In January, we also issued an emergency directive to \nprotect Federal networks from a global campaign tampering with \nthe internet\'s phonebook, known as DNS. This year\'s budget will \ndevelop efforts to centralize DNS resolution for the Federal \nGovernment.\n    Perhaps the highest-profile threat today is attempts by \nnation-state actors to interfere in our elections. Over the \nlast 2 years, we have become close partners with the election \ncommunity.\n    Our efforts to protect 2020 are already under way. We will \nfocus on broadening the reach and depth of our assistance, \nemphasizing the criticality of election auditability, \nprioritizing the need to patch vulnerabilities, and developing \nlocality-specific cybersecurity profiles.\n    Operational technologies, such as industrial control \nsystems, are those components that operate our critical \ninfrastructure. The increasing integration and connectivity of \nthese technologies has vastly increased the potential impact of \ncyber threats.\n    Included in this year\'s budget is a request for a voluntary \npilot that will deploy network sensors to detect malicious \nactivity on critical infrastructure networks, including \nindustrial control systems.\n    Next, supply chain security is also critical to managing \nrisk. CISA chairs DHS\'s seat on the Federal Acquisition \nSecurity Council. This council, established by law last \nDecember, will provide a coordinated approach across the \nFederal Government to supply chain security.\n    Our success depends on collaboration with industry experts, \nthough. 
CISA\'s supply chain risk management task force has \nbrought together 20 Federal agencies and 40 of the largest \ncompanies in the information technology and communications \nsectors to reach consensus on how to best manage risk.\n    CISA also remains focused on physical threats. On Saturday, \nwe were once again deeply saddened to learn of the tragic \nshooting in a synagogue in Poway, California.\n    Far too often, our Nation is confronted with another \nviolent attack on places such as entertainment venues and \nplaces of worship or schools. Earlier this month, CISA updated \nand released a resource guide on securing such soft targets and \ncrowded places.\n    Before closing, research and development is critical to \nCISA\'s mission. CISA and S&T are committed to effective \ncoordination on R&D. We are working together on R&D for cyber \ndata analytics, and we will make R&D investments in mobile \nsecurity to include emerging 5G security requirements.\n    We are also looking at innovative approaches to securing \nsoft targets and crowded places from attacks.\n    In closing, I would like to thank the committee for its \ncontinued support of CISA and our mission. The authorities and \nresources provided over the years have helped raise this \nbaseline of cybersecurity and mitigated countless threats to \nFederal networks and critical infrastructure. Thank you.\n    [The prepared statement of Mr. Krebs follows:]\n               Prepared Statement of Christopher C. Krebs\n                             April 30, 2019\n    Chairman Richmond, Ranking Member Katko, and distinguished Members \nof the subcommittee, thank you for the opportunity to testify regarding \nthe fiscal year 2020 President\'s budget for the U.S. Department of \nHomeland Security\'s (DHS) Cybersecurity and Infrastructure Security \nAgency (CISA). 
The fiscal year 2020 President\'s budget of $3.17 billion \nfor CISA, which includes $1.6 billion in budget authority for fees \ncollected from Federal agencies in support of the Federal Protective \nService, reflects our commitment to safeguard our homeland, our values, \nand our way of life.\n    CISA strengthens the cybersecurity of Federal networks and \nincreases the security and resilience of our Nation\'s critical \ninfrastructure. Safeguarding and securing cyber space is a core DHS \nmission. The fiscal year 2020 President\'s budget recognizes the \ncriticality of this mission and ensures the men and women of CISA have \nthe resources they need to achieve it.\n    CISA\'s mission is to defend against the threats of today, while \nworking with partners across all levels of Government and the private \nsector to secure against the evolving risks of tomorrow--``Defend \nToday, Secure Tomorrow.\'\'\n    In passing the Cybersecurity and Infrastructure Security Agency Act \nof 2018, Congress recognized that CISA\'s role in fostering \ncollaboration between and across Government and the private sector has \nnever been more important. The threats from cyber attacks and terrorist \nactivities to natural disasters are more complex, and the threat actors \nmore diverse than at any point in our history.\n                            cisa priorities\n    Nefarious actors want to disrupt our way of life. Many are inciting \nchaos, instability, and violence. At the same time, the pace of \ninnovation, our hyper-connectivity, and our digital dependence has \nopened cracks in our defenses, creating new vectors through which our \nenemies and adversaries can strike us. This is a volatile combination, \nresulting in a world where threats are more numerous, more widely \ndistributed, highly networked, increasingly adaptive, and incredibly \ndifficult to root out.\n    CISA is strengthening our digital defense as cybersecurity threats \ngrow in scope and severity. 
The fiscal year 2020 President\'s budget \ncontinues investments in Federal network protection, proactive cyber \nprotection, and infrastructure security.\n    CISA, our Government partners, and the private sector, are all \nengaging in a more strategic and unified approach toward improving our \nNation\'s defensive posture against malicious cyber activity. In May \n2018, DHS published the Department-wide DHS Cybersecurity Strategy, \noutlining a strategic framework to execute our cybersecurity \nresponsibilities during the next 5 years. Both the Strategy and \nPresidential Policy Directive 21--Critical Infrastructure Security and \nResilience emphasize an integrated approach to managing risk.\n    CISA ensures the timely sharing of information, analysis, and \nassessments to build resilience and mitigate risk from cyber and \nphysical threats to infrastructure. CISA\'s partners include \nintergovernmental partners, the private sector, and the public. Our \napproach is fundamentally one of partnerships and empowerment, and it \nis prioritized by our comprehensive understanding of the risk \nenvironment and the corresponding needs of our stakeholders. We help \norganizations manage their risk better.\n    Cybersecurity operations at CISA detect, analyze, mitigate, and \nrespond to cybersecurity threats. We share cybersecurity risk \nmitigation information with Government and non-Government partners. By \nissuing guidance or directives to Federal agencies, providing tools and \nservices to all partners, and leading or assisting the implementation \nof cross-Government cybersecurity initiatives, we are protecting \nGovernment and critical infrastructure networks.\n    The fiscal year 2020 President\'s budget includes $694 million for \nFederal network protection, which includes Continuous Diagnostics and \nMitigation (CDM), National Cybersecurity Protection System (NCPS), and \nFederal Network Resilience. 
These programs provide the technological \nfoundation to secure and defend the Federal Government\'s information \ntechnology against advanced cyber threats.\n    NCPS is an integrated system-of-systems that delivers intrusion \ndetection and prevention, analytics, and information-sharing \ncapabilities. NCPS primarily protects traffic flowing into and out of \nFederal networks. One of its key technologies is the EINSTEIN intrusion \ndetection and prevention sensor set. This technology provides the \nFederal Government with an early warning system, improves situational \nawareness of intrusion threats, near-real time detection and prevention \nof malicious cyber activity.\n    CDM provides Federal network defenders with a common set of \ncapabilities and tools they can use to identify cybersecurity risks \nwithin their networks, prioritize based on potential impact, and \nmitigate the most significant risks first. The program provides Federal \nagencies with a risk-based and cost-effective approach to mitigating \ncyber risks inside their networks. The fiscal year 2020 President\'s \nbudget includes funding to continue deployment and operation of \nnecessary tools and services for all phases of the CDM program. By \npooling requirements across the Federal space, CISA is able to provide \nagencies with flexible and cost-effective options to mitigate \ncybersecurity risks and secure their networks.\n    Within the President\'s fiscal year 2020 budget, $4.8 million over \nthe fiscal year 2019 request is included to support our \nresponsibilities to improve the cybersecurity of high-value assets \nwithin the Federal Government. With improved governance, CISA can \nensure that Federal agencies are managing cybersecurity risk at a level \ncommensurate with each agency\'s own risk tolerance and that of the \nFederal Government. 
These efforts will ensure that agencies achieve a \nminimum cybersecurity baseline through assessments, technical \nassistance, and architectural and design support.\n    The fiscal year 2020 President\'s budget also includes an increase \nof $4.4 million to begin development efforts to centralize the \nauthoritative Domain Name System (DNS) resolution services for the \nFederal Government. The managed service will provide centralized DNS \nmanagement for the Federal Government and a rich set of analytics that \nsit on top of traditional DNS services.\n    The fiscal year 2020 President\'s budget includes $371 million for \nproactive cyber protection. Within this category, approximately $248 \nmillion is dedicated to CISA\'s National Cybersecurity and \nCommunications Integration Center (NCCIC). The NCCIC is CISA\'s \noperational cybersecurity center, and it provides capacity for the U.S. \nGovernment to respond rapidly to multiple significant incidents or \nrisks. The NCCIC operates 24 hours a day, 7 days a week at the \nintersection of the Federal Government, State and local governments, \nthe private sector, international partners, law enforcement, \nintelligence, and defense communities. The NCCIC provides a broad range \nof information-sharing and technical assistance capabilities to assist \nGovernment and private-sector entities across all 16 sectors of \ncritical infrastructure. 
In addition to information sharing and \nincident response, these capabilities include assessments and technical \nservices, such as vulnerability scanning and testing, penetration \ntesting, phishing assessments, and red-teaming on operational \ntechnology that includes the industrial control systems which operate \nour Nation\'s critical infrastructure, as well as recommended \nremediation and mitigation techniques that improve the cybersecurity \nposture of our Nation\'s critical infrastructure.\n    Within the proactive cyber protection funding, $11 million is \nincluded to support the CyberSentry pilot. This voluntary pilot program \nis designed to detect malicious activity on private-sector critical \ninfrastructure networks, including operational technology, such as \nindustrial control systems. The pilot will utilize network sensor \nsystems to detect threats; collect threat data; increase the speed of \ninformation sharing; and produce real-time, effective, actionable \ninformation to the companies vulnerable to malicious attacks.\n    The fiscal year 2020 President\'s budget request also includes $24.1 \nmillion for State and local government cybersecurity and infrastructure \nassistance prioritized for election security. These resources will \ninstitutionalize and mature CISA\'s election security risk-reduction \nefforts, allowing the agency to continue providing vulnerability \nmanagement services such as cyber hygiene scans, and on-site or remote \nrisk and vulnerability assessments, organizational cybersecurity \nassessments, proactive adversary hunt operations; and enhanced threat \ninformation sharing with State and local election officials.\n    The fiscal year 2020 President\'s budget fully funds CISA\'s risk \nmanagement activities, including $68 million for the National Risk \nManagement Center (NRMC). 
The NRMC is a planning, analysis, and \ncollaboration center working to identify and address the most \nsignificant risks to our Nation\'s critical infrastructure. Included \nwithin the fiscal year 2020 President\'s Budget is a realignment of \n$18.4 million to consolidate core risk management programs under \nunified leadership. NRMC is working to publish the National Critical \nFunctions (NCFs) list, which will enable the Federal Government and our \npartners to prioritize risk management actions.\n    For infrastructure security, the fiscal year 2020 President\'s \nbudget includes $246 million for protecting critical infrastructure \nfrom physical threats through informed security decision making by \nowners and operators of critical infrastructure. Activities include \nconducting assessments, facilitating exercises, and providing training \nand technical assistance Nation-wide. The program leads and coordinates \nNational efforts on critical infrastructure security and resilience by \ndeveloping strong and trusted partnerships across the Government and \nprivate sector. This includes reducing the risk of a successful attack \non soft targets and crowded places, including on our Nation\'s schools, \nand from emerging threats such as unmanned aircraft systems. The budget \nalso includes a $1 million increase for the Bomb-Making Materials \nAwareness Program. This increase will expand capability to detect and \ndisrupt terrorist attacks before they occur by transitioning effort to \na fully-funded program of record. The funds will build a service \ndelivery approach that achieves the scale necessary to have a strategic \nimpact.\n    The fiscal year 2020 President\'s budget includes $167 million for \nemergency communications to ensure real-time information sharing among \nfirst responders during all threats and hazards. 
CISA enhances public \nsafety interoperable communications at all levels of government across \nthe country through training, coordination, tools, and guidance. We \nlead the development of the National Emergency Communications Plan to \nmaximize the use of all communications capabilities available to \nemergency responders--voice, video, and data--and ensure the security \nof data and information exchange. CISA assists emergency responders and \nrelevant Government officials with communicating over commercial \nnetworks during natural disasters, acts of terrorism, and other man-\nmade disasters.\n    The fiscal year 2020 President\'s budget includes $1.6 billion in \nbudget authority for the Federal Protective Service (FPS). FPS provides \nlaw enforcement and protective security services to Federally-owned, -\nleased, or -operated facilities. FPS provides a comprehensive, risk-\nbased approach to facility protection that allows it to prioritize \noperations to prevent, detect, assess, respond to, and disrupt criminal \nand other incidents that endanger Federal facilities and people on \ntheir properties. Federal agencies pay fees to FPS for the services \nthey provide, and the fiscal year 2020 President\'s budget includes the \nrollout of a new fee model. The new fee model more accurately bills \ncustomers for the security services they need, and puts FPS on a path \ntoward a more sustainable path than the previous cost-per-square-foot \nmodel.\n    Finally, the fiscal year 2020 President\'s budget also provides $224 \nmillion to consolidate CISA in a new state-of-the-art headquarters \nfacility at DHS\'s St. Elizabeths Campus. CISA currently must operate \nfrom 8 different locations spread across the National Capital Region, a \nphysical layout that poses challenges to leadership command and control \nrequirements and which contributes to administrative and travel \ninefficiencies. 
Additionally the existing facilities do not have the \ncapacity to fully meet CISA\'s requirements, and most of the leases \nexpire in the next 4 years. Congress previously approved $120 million \nfor St. Elizabeths construction in fiscal year 2019 which, in \ncombination with $130 million in available carryover funds, will be \nused to construct the core shell for the new CISA headquarters \nbuilding. The fiscal year 2020 funds are included in the DHS Management \nDirectorate\'s budget and will be used for the build-out of tenant \nspaces, including information technology, electronic physical security, \noutfitting and other requirements important to maximizing CISA\'s \nability to succeed.\n                    a case study: election security\n    One of the highest-profile threats we face today is attempts by \nnation-state actors to maliciously interfere in our democratic \nelections. Leading up to the 2018 midterm elections, DHS worked hand-\nin-hand with Federal partners, State and local election officials, and \nprivate-sector vendors to provide them with information and \ncapabilities to enable them to better defend their infrastructure. This \npartnership led to successful implementation of a model that helps \nillustrate how CISA\'s cyber and critical infrastructure security \nmissions complement each other, and the critical role CISA plays in \nbringing stakeholders at all levels together to address a common \nthreat. We are now working to build upon these efforts during the 2020 \nelection cycle.\n    In the weeks leading up to the 2018 mid-term elections, over 500 \nCISA employees supported election security preparedness Nation-wide. \nCISA provided free technical cybersecurity assistance, continuous \ninformation sharing, and expertise to election offices and campaigns. 
\nElections Infrastructure Information Sharing and Analysis Center (EI-\nISAC) threat alerts were shared with all 50 States, over 1,400 local \nand territorial election offices, 6 election associations, and 12 \nelection vendors.\n    In August 2018, CISA hosted a ``Tabletop the Vote\'\' exercise, a 3-\nday, first-of-its-kind event to assist Federal partners, State and \nlocal election officials, and private-sector vendors in identifying \nbest practices and areas for improvement in cyber incident planning, \npreparedness, identification, response, and recovery. Through \nsimulation of a realistic incident scenario, exercise participants \ndiscussed and explored potential impacts to voter confidence, voting \noperations, and election integrity. Partners for this exercise included \n44 States and the District of Columbia; the Election Assistance \nCommission (EAC); the Department of Defense; Department of Justice; \nFederal Bureau of Investigation; Office of the Director of National \nIntelligence; National Institute of Standards and Technology (NIST); \nNational Security Agency; and the U.S. Cyber Command.\n    Through the ``Last Mile Initiative,\'\' CISA worked closely with \nState and local governments to outline critical cybersecurity actions \nthat should be implemented at the county level. This effort partnered \nCISA with State governments to produce county-specific cybersecurity \nsnapshot posters. The posters contained valuable information for \nauditors, staff, and voters, including a checklist and time line \nelection officials should follow to ensure security of the elections in \ntheir county. For political campaigns, CISA disseminated a \ncybersecurity best practices checklist to help candidates and their \nteams better secure their devices and systems.\n    On Election Day, CISA deployed field staff across the country to \nmaintain situational awareness and connect election officials to \nappropriate incident response professionals, if needed. 
In many cases, \nthese field staff were co-located with election officials in their own \nsecurity operations centers. CISA also hosted the National \nCybersecurity Situational Awareness Room, an on-line portal for State \nand local election officials and vendors that facilitates rapid sharing \nof information which gave election officials virtual access to the 24/7 \noperational watch floor of the NCCIC. This setup allowed CISA to \nmonitor potential threats across multiple States at once and respond in \na rapid fashion.\n    CISA goals for the 2020 election cycle include improving the \nefficiency and effectiveness of election audits, continued \nincentivizing the patching of election systems, and working with States \nto develop cybersecurity profiles utilizing the NIST framework. We will \nalso continue to engage any political entity that wants our help. CISA \noffers these entities the same tools and resources that we offer to \nState and local election officials, including trainings, cyber hygiene \nsupport, information sharing, and other resources.\n    CISA has made tremendous strides and remains committed to working \ncollaboratively with those on the front lines of administering our \nelections to secure election infrastructure from risks. In February, \nCISA officials provided updates to election officials on the full \npackage of security resources that are available from the Federal \nGovernment, along with a roadmap on how to improve coordination across \nthese entities. CISA also worked with our intelligence community \npartners to provide a Classified briefing for these individuals \nregarding the current threats facing our election infrastructure.\n    We will remain transparent and agile in combating threats and \nsecuring our physical and cyber infrastructure. However, we recognize \nthat there is a significant technology deficit across State, local, \nTribal, and territorial governments, and State and local election \nsystems, in particular. 
It will take significant and continual \ninvestment to ensure that election systems across the Nation are \nupgraded and secure, with vulnerable systems retired. These efforts \nrequire a whole-of-Government approach. The President and this \nadministration are committed to addressing these risks.\n                               conclusion\n    In the face of increasingly sophisticated threats, CISA employees \nstand on the front lines of the Federal Government\'s efforts to defend \nour Nation\'s Federal networks and critical infrastructure. The threat \nenvironment is complex and dynamic with interdependencies that add to \nthe challenge. As new risks emerge, we must better integrate cyber and \nphysical risk in order to effectively secure the Nation. CISA \ncontributes unique expertise and capabilities around cyber-physical \nrisk and cross-sector critical infrastructure interdependencies.\n    I recognize and appreciate this committee\'s strong support and \ndiligence as it works to resource CISA in order to fulfill our mission. \nYour support over the past few years has helped bring additional \nFederal departments and agencies into NCPS more quickly, speed \ndeployment of CDM tools and capabilities, and build out our election \nsecurity efforts. We at CISA are committed to working with Congress to \nensure our efforts cultivate a safer, more secure, and resilient \nhomeland while also being faithful stewards of the American taxpayer\'s \ndollars.\n    Thank you for the opportunity to appear before the subcommittee \ntoday, and I look forward to your questions.\n\n    Mr. Richmond. Thank you for your testimony.\n    I now recognize Mr. Bryan to summarize his statement for 5 \nminutes.\n\n  STATEMENT OF WILLIAM BRYAN, SENIOR OFFICIAL PERFORMING THE \n     DUTIES OF THE UNDER SECRETARY, SCIENCE AND TECHNOLOGY \n       DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Bryan. 
Good afternoon, Chairman Richmond, Chairman \nThompson, Ranking Member Katko, and distinguished Members of \nthe subcommittee.\n    Thank you for inviting me here today to testify on the \nPresident\'s budget request for fiscal year 2020, which includes \na request for $582.1 million for the Science and Technology \nDirectorate within the U.S. Department of Homeland Security.\n    The Department\'s research and development activities \nsupport a broad range of DHS missions, including domain threat \nawareness, delivering mitigation strategies and creating novel \ntechnology and approaches for components, first responders, and \nother partners across the homeland security enterprise.\n    Our customers put their lives on the line every day to keep \nour Nation safe and having the correct tools, techniques, and/\nor technologies can be vital to the operators\' safety and \nsuccess.\n    We must enable efficient, effective, and secure operations \nacross all homeland security missions by applying timely \nscientific, engineering, and innovative solutions through \nresearch, design, test and evaluation, and acquisition support.\n    Therefore, it is my mandate to ensure an efficient, \neffective, and nimble organization is in place to address the \nR&D needs of the Department and our partners. 
Whether through \nthe identification of existing technologies or the timely \ndevelopment of new technology, S&T can provide them with the \ntools they need to safely and effectively protect the homeland \nand the American people.\n    On October 1, 2018, I revitalized our structures, \nprocesses, and procedures, setting the foundation for S&T to be \nmore agile and responsive, ready to move quickly in response to \nchanges in the threat environment and to make use of existing \ntechnologies that can be adapted and leveraged to expedite the \ndevelopment of vital capabilities.\n    The revitalization strengthens our relationships to DHS \ncomponents, first responders, and our customers, and results in \na more integrated approach to innovation, requirements \ngathering, and problem solving.\n    I have realigned current R&D projects and funding to \nsupport the Department\'s key priorities going forward. For \nexample, the opioid detection project to support CBP, the next-\ngeneration explosives trace detection program to support TSA \nand our abilities to support counter-unmanned aircraft systems\' \nefforts across the Department.\n    Another key priority is cybersecurity. The 2018 DHS \ncybersecurity strategy emphasizes the importance of robust, \ncross-departmental cybersecurity R&D.\n    The fiscal year 2020 budget request proposes that most of \nDHS\'s cyber research and development resources are included in \nCISA\'s request. 
Over the last 8 months, CISA and S&T have \ncollaborated on a plan for execution of the fiscal year 2019 \nfunding in addition to the future year portfolio planning for \n2020 and beyond.\n    Our teams, jointly, have identified, prioritized, and \nvalidated research and development priorities for the S&T work \nprogram, each of which can be mapped to a Departmental \ncybersecurity priority.\n    It should be noted that CISA is not our only customer for \ncybersecurity R&D since many of our activities with other \ncomponents have a cyber nexus that must be addressed.\n    The fiscal year 2020 request continues to support S&T\'s \nSilicon Valley Innovation Program, or SVIP, which leverages \ninnovative commercial capabilities from across the country \nthrough non-traditional Government contractors to rapidly \ndeliver technology that meets validated component requirements.\n    To date, over 400 small businesses have applied to \nparticipate in SVIP solicitations. S&T has worked with 35 small \nstart-up companies and leveraged over $400 million in private-\nsector investment that aligns on-going private-sector activity \nwith DHS operational component requirements.\n    The budget will allow S&T to continue our commitment to \nfirst responder and disaster resilience R&D, with an additional \n$10.9 million to fund programs requested by FEMA that will \nincrease resiliency, preparedness, and risk mitigation in \nsupport of FEMA\'s strategic plan.\n    The budget request also includes $7.1 million to continue \nfunding the Chemical Security Analysis Center, or the CSAC. The \nCSAC identifies and assesses chemical threats and \nvulnerabilities in the United States and develops the best \nresponses to potential chemical hazards.\n    CSAC has been instrumental in supporting the Nation with \nresearch and development for the rapid detection of synthetic \nopioids. 
S&T\'s mission is to deliver effective and innovative \ninsights, methods, and solutions for the critical needs of DHS \ncomponents and our operational partners.\n    Through our revitalization efforts and within the available \nresources provided by the 2020 budget, S&T plans to continue to \nbuild upon that mission.\n    Chairman Richmond, Ranking Member Katko, and the Members of \nthe committee, thank you, again, for the opportunity to appear \nbefore you today, and for your continued support of S&T. I look \nforward to answering your questions.\n    [The prepared statement of Mr. Bryan follows:]\n                  Prepared Statement of William Bryan\n                             April 30, 2019\n    Good afternoon Chairman Richmond, Ranking Member Katko, and \ndistinguished Members of the subcommittee. Thank you for inviting me \nhere today to testify on the President\'s budget request for fiscal year \n2020, which includes a request of $582.1 million for the Science and \nTechnology Directorate (S&T) within the U.S. Department of Homeland \nSecurity (DHS).\n    The Department\'s research and development (R&D) activities support \na broad range of DHS missions, including domain threat awareness, \ndelivering mitigation strategies, and creating novel technology and \napproaches for the components, first responders, and other partners \nacross the homeland security enterprise. Our customers put their lives \non the line every day to keep our Nation safe, and having the correct \ntools, techniques, and/or technologies can be vital to the operators\' \nsafety and success.\n    We must enable efficient, effective, and secure operations across \nall homeland security missions by applying timely scientific, \nengineering, and innovative solutions through research, design, test \nand evaluation, and acquisition support. This is how we deliver \nresults. Technology innovation cycles are rapidly changing and the \nnature of the threats we see is dynamic. 
This combination presents a \nsignificant challenge to traditional R&D approaches.\n    Therefore, it is my mandate to ensure an efficient, effective, and \nnimble organization is in place to address R&D needs of Homeland \nSecurity front-line operators, particularly the DHS operational \ncomponents and first responders, today and into the future. Either \nthrough the identification of existing technologies or the timely \ndevelopment of new technology, S&T can provide them with the tools they \nneed to safely and effectively protect the Homeland and the American \npeople. In order to accomplish this, we have revitalized our \nstructures, processes, and procedures to ensure that S&T provides \nimpactful solutions to the ever-changing threats faced by our Nation. \nWe will solidify and strengthen S&T\'s core capabilities and provide a \ndeliberative approach to program execution that ensures timely delivery \nand solid return on investment for our Nation\'s taxpayers.\n    Over the past few months, we have set the foundation for S&T to be \nmore agile and responsive, ready to move quickly in response to changes \nin the threat environment, and to make use of existing technologies, \nwhen available, that can be adapted and leveraged to expedite the \ndevelopment of vital capabilities. S&T has significantly enhanced its \nability to transfer capabilities to where they are most needed by \nworking closely with operators, component partners, and industry to \ndeliver effective solutions. 
The revitalization strengthens our \nrelationships to DHS components, first responders, and other customers, \nand results in a more integrated approach to innovation, requirements \ngathering, and problem solving.\n    In the fiscal year 2020 request, S&T reorganizes the Apex thrust \narea to Innovative Research and Foundational Tools, which realigns \ncurrent R&D projects and funding, enabling the efficient management and \nexecution of knowledge products and capabilities to better support DHS \ncomponents and front-line operators. This reorganization will focus on \nidentifying optimal approaches and solutions that address the \noperators\' needs through our Technology Centers (formerly Apex \nEngines), Technology Scouting, and initiatives that foster S&T\'s \npartnerships with industry and universities. R&D investments under this \nthrust area will improve requirements generation by conducting more \nthorough operational analysis and mission prioritization. These tools \nsupport S&T\'s operational blueprint model by enabling a matrixed \napproach to meeting customer requirements, either through identifying \nexisting technology and innovation or by initiating new R&D efforts.\n    S&T is dedicated to developing or adopting innovative tools for DHS \ncomponents, and the fiscal year 2020 budget request supports that \neffort. For example, the S&T Opioid Detection project will pilot \nadvanced technologies, including narcotics anomaly detection algorithms \nand chemical sensing technologies, in CBP international mail facilities \nin fiscal year 2020. 
Additionally, the Next Generation Explosives Trace \nDetection (Next Gen ETD) program will support TSA\'s 2017 Strategic \nFive-Year Technology Investment Plan for Aviation Security, which calls \nfor the deployment of Next Gen ETDs in 2020 and the development of \ntechnologies and concepts of operation that enhance passenger \nexperiences during screening.\n    The 2018 DHS Cybersecurity Strategy emphasizes the importance of \nrobust cross-Departmental cybersecurity R&D. I believe that having a \nstrong cybersecurity R&D program is critical for DHS. The fiscal year \n2020 President\'s budget request proposes that most of DHS\'s cyber \nresearch and development resources are included in Cybersecurity and \nInfrastructure Security Agency\'s (CISA) request. Over the last 8 \nmonths, CISA and S&T have collaborated on a plan for execution of the \nfiscal year 2019 funding, in addition to the future-year portfolio \nplanning for fiscal year 2020 and beyond. CISA and S&T have jointly \ndecided on cybersecurity R&D focus areas and requirements to foster \npartnerships and coordinate efforts between Government, industry, \nacademia, National laboratories, and international entities to improve \nthe global cybersecurity posture. CISA and S&T are working together to \ncollectively leverage our knowledge, capabilities, and technology to \nprotect our Nation\'s infrastructure from being undermined by our \nadversaries. To accomplish this, CISA and S&T leadership have \nidentified, prioritized and validated research and development \npriorities for the S&T work program--each of which can be mapped to a \nDepartmental cybersecurity priority. To do so, CISA has included S&T \nprogram managers in discussion of CISA technology road maps and \ntechnical areas in emerging risk; and S&T has included CISA in its \ndomestic and international work programs. 
CISA has identified \ncybersecurity R&D areas where there is a need for cyber analytics as \nwell as ``big data\'\' and ``data lake\'\' applications for cyber \noperations. Additionally CISA has requested that S&T focus a \nsignificant percentage of its current Cyber Security R&D portfolio on \nmobile devices, mobile application security, and emergency \ncommunications, to include emerging 5G LTE security requirements.\n    The fiscal year 2020 request continues support for S&T\'s Silicon \nValley Innovation Program (SVIP), which leverages innovative commercial \ncapabilities from across the country through non-traditional Government \ncontractors to rapidly deliver technology to fulfill DHS component-\ndefined requirements. This program fosters rapid development and \ndelivers tested technology into the field in a much shorter time frame \nthan is possible under traditional vehicles. S&T\'s SVIP collaborates \nwith DHS operational components to provide solutions that enhance \noverall situational awareness, detection, tracking, interdiction, and \napprehension. To date, over 400 small businesses have applied to \nparticipate in SVIP solicitations. S&T has worked with 35 small start-\nup companies and leveraged over $400 million in private-sector \ninvestment that aligns on-going private-sector activity with DHS \noperational component requirements.\n    The budget will allow S&T to continue our commitment to First \nResponder and Disaster Resilience R&D with an additional $10.9 million \nto fund programs requested by FEMA that will increase resiliency, \npreparedness, and risk mitigation in support of the FEMA Strategic \nPlan. 
Specifically, this proposed funding increase will establish a \nprogram to support a public safety and broadband implementation through \nresearch, development, testing, and evaluation of technologies that \nsupport end-user implementation.\n    The fiscal year 2020 President\'s budget request includes $7.1 \nmillion to restore funding for Chemical Security Analysis Center (CSAC) \noperations. CSAC identifies and assesses chemical threats and \nvulnerabilities in the United States and develops the best responses to \npotential chemical hazards. CSAC will continue directly supporting on-\ngoing work with customers, including work on chemical multifunction \ndetectors, analysis and response to chemical incidents, and development \nof mitigation strategies to protect the public. CSAC has been \ninstrumental in supporting the Nation with research and development for \nthe rapid detection of synthetic opioids.\n    The fiscal year 2020 President\'s budget request maintains S&T\'s \nTest and Evaluation (T&E) program at $7.7 million. T&E helps DHS \nacquisition programs to be completed at a lower cost and on schedule. \nWhile many factors determine the success of an acquisition, conducting \nT&E allows DHS program managers to identify issues earlier and address \nconcerns faster based on a scientific and independent evaluation. S&T\'s \nT&E efforts support every major program on the Department\'s Major \nAcquisition Oversight List (MAOL) by providing valuable independent and \nscientific based input at each Acquisition Review Board before a \nprogram advances to initial or full production or deployment decisions.\n    The fiscal year 2020 budget request allows for the continuation of \nthe university-based Centers of Excellence (COE) that are focused on \nhomeland security mission needs. 
COEs that will receive funding in \nfiscal year 2020 will conduct research and development that aligns with \nthe administration\'s priorities to strengthen border security, \ncybersecurity and infrastructure protection, and prioritize trans-\nnational criminal investigations. S&T conducts rigorous evaluations of \neach Center\'s performance using established criteria to help inform \nproject funding decisions that meet operator needs, and are focused on \ntransferring or transitioning research and technology outputs into \nfield use.\n    S&T\'s mission is to deliver effective and innovative insight, \nmethods, and solutions for the critical needs of DHS components and our \noperational partners in homeland security. Through our revitalization \nefforts and within the available resources provided by the fiscal year \n2020 President\'s budget, S&T plans to continue and build upon that \nmission.\n    Chairman Richmond, Ranking Member Katko, and Members of the \ncommittee, thank you again for the opportunity to appear before you \ntoday and for your continued support of S&T.\n    I look forward to answering your questions.\n\n    Mr. Richmond. I want to thank both witnesses for your \ntestimony.\n    I now recognize myself for 5 minutes for questions.\n    This is not a trick question, I just really would \nappreciate a yes or no as to the best of your ability.\n    Our intelligence agencies and the Mueller report both \nconfirm Russian election interference. Do you have any reason \nto dispute those assertions from our intelligence community and \nthe Mueller report?\n    Mr. Krebs. No, sir.\n    Mr. Richmond. Do you agree that election interference is a \nreal and dangerous threat that must be addressed?\n    Mr. Krebs. Yes, sir. I do.\n    Mr. Richmond. With that, let me ask you some other \nquestions that are not yes or no.\n    Who at the White House is leading the whole of Government \nelection security effort?\n    Mr. Krebs. 
So presently we work closely with the NSC on \nelection security-related policy issues. We have clear guidance \nfrom Ambassador Bolton and the National Security Council on \nwhat it is they expect of us to do.\n    When it comes down to actual execution of election security \nefforts across the interagency, we also have very clear \nunderstanding of our lanes in the road between the intelligence \ncommunity, the FBI, the law enforcement community and my team \nat DHS CISA.\n    The intelligence community works to find out what the bad \nguys are doing. The FBI works to help take them off the table, \narrest or whatever. Then, my team works with State and local \nelection officials to provide them an understanding of the \nthreat landscape and provide them the tools, capabilities, \ntraining exercise, what other capacity-building capabilities, \nin support of their efforts.\n    Mr. Richmond. I know that you would be interested in \ninformation sharing. The FBI is focused on collecting evidence \nand building a case.\n    I guess I am a sports guy, so I do sports analogies, and I \nunderstand that everybody has their different routes to run and \ntheir different assignments. Somebody is going to block; \nsomebody is going to do that.\n    Who is the quarterback, is my question? Who is making sure \nthat everybody is running their routes, blocking who they are \nsupposed to block and tackling who they should tackle?\n    Mr. Krebs. So there are head coaches, there are defensive \ncoordinators and there are offensive coordinators in this \nanalogy.\n    Mr. Richmond. Who is the head coach?\n    Mr. Krebs. So the President is the head coach. 
We have \noffensive and defensive coordinators across the bat, but when \nyou talk about this law enforcement coordination piece and the \ninvestigatory piece, we have improved relationships with the \nFBI on sharing information, deconfliction of actual on-network \nsorts of activities, where I am trying to get in there and help \nthe victim recover their networks, while the FBI is trying to \nfigure out who is doing this, who the bad guy is, whether it is \nRussia or whomever.\n    There is a process. Now I will say, the process needs to \nimprove. The FBI has a long history of processes and \nprocedures. They have been at this game a bit longer than my \nteam has. We are still evolving. I still see CISA as an agency \nis a bit of a start-up.\n    So we are still working internally to build the processes \nthat we need so that we can work with the Defense Department. \nWe can work with the FBI. We can work with the intelligence \ncommunity to ensure that we are doing the things that we need \nto do to ensure the victims are protected.\n    Mr. Richmond. Is there one person who wakes up every day to \nmake sure that you all are coordinated, and that is their sole \nresponsibility? So who would be the offensive and defensive \ncoordinator?\n    But I am talking about somebody whose own responsibility, \nlook, the President has a whole bunch of things that he has to \nwork on. But is there someone in the White House or anywhere \nelse that wakes up to make sure that you all are coordinated \nwith the FBI, who is coordinated with the CIA and that \neverybody is doing what they are supposed to do?\n    Mr. Krebs. There is an entire directorate within the \nNational Security Council that is focused on cybersecurity. \nThere is a director focused on the resilience.\n    So there are a number of officials at the White House and \nthe Executive Office of the President and the NSC that support \nour efforts. 
Again, from a policy perspective, you know, we are \nthe operational agencies. I have all the authorities I need to \ngo do my job.\n    So when I wake up every day, I am figuring out how to make \nsure State and local election officials are getting the support \nthey need, just like the FBI when they go out and they do their \njob, and the intelligence community they do their job.\n    Mr. Richmond. The fiscal year 2020 budget request, if \nenacted, will cut CISA\'s budget below the 2019 funding levels. \nHow would you manage those cuts, and how would you spread them \nacross CISA?\n    Mr. Krebs. So I think you have to think through the budget \nformulation process.\n    So the fiscal year 2020 budget process was started in about \n18 months or so ago, actually, before I was really in a \nleadership position at the agency. It is, truly, what I would \ncall, and this is an NPPD budget, so it is a legacy budget.\n    What we are doing right now is, we are standing up. As we \nare standing up CISA, we are trying to figure out what we want \nto be when we grow up. So 2 years from now, where do we want to \nbe positioned?\n    There are a number of unmet requirements, I think, that we \nare discovering. I think today\'s release of the National \ncritical functions, alone, is representative of the \npotentiality of this agency.\n    So we identify 55 functions. This is an evolution of the \nrisk management thinking beyond 16 sectors. This is 55 \nfunctions that really, truly impact National security, economic \nsecurity, public health and safety.\n    So I can address at current a number of these functions. I \nthink election security is a great example. 
Congress has \ninvested in my agency, to date, close to $60 million purely \nfocused on election security.\n    I don\'t think outside of Federal networks, I don\'t think I \nhave another critical infrastructure sector that Congress has \ninvested specifically to that level.\n    If you factor in the, well, $22.3 million in the fiscal \nyear 2020 request, that is over $80 million on a National \ncritical function.\n    Mr. Richmond. I am a minute over, so I will just ask you a \nvery simple question. If we doubled your budget, would you \nspend it all?\n    Mr. Krebs. Yes, sir. Absolutely.\n    Mr. Richmond. Thank you.\n    With that, I will yield to the Ranking Member Mr. Katko.\n    Mr. Katko. Thank you, Mr. Chairman, I appreciate it.\n    Just a quick question, well, not a quick question. This is \nmore of a detailed question, actually. In Albany, New York, not \nfar from my district, there was a recent ransomware attack that \ncould have affected the police department\'s patrol vehicles. I \nam horrified to think what could have been done if they got \ninto those systems.\n    How does CISA perform outreach to State and local \ngovernments like these? Can that outreach be improved with \nproper funding?\n    Mr. Krebs. I think we have a lot of room to grow in State \nand local engagement. It is interesting that you mention \nAlbany, New York, because actually one of our key partners in \nengaging with State and local officials, election or otherwise, \nis based in Albany. It is the Multi-State Information Sharing \nand Analysis Center.\n    We fund the MSISAC on an annual basis. You have heard me \ntalk about our Albert sensors before, or our network net flow \nand intrusion detection systems. They manage that process for \nus.\n    So what more can I do? This is not something that gets \nfixed overnight. 
Working with State and local officials, again, \nelection or not, the progress has to first be made on the \nrelationship-building in the trust side.\n    I have a lot of tools that, if I was given more resources, \nI could scale those tools. But the thing I can\'t buy overnight, \nI can\'t go build with an engineer, is the relationship and the \ntrust between these officials.\n    So it is going to take time, it is going to take people, \nand it is going to take relationship development. But with the \nappropriate resources, I can get all those things done in due \ntime.\n    Mr. Katko. I mean, and I would like to follow up on another \narea. What percentage of the homeland security grants, to your \nknowledge, go toward cybersecurity?\n    Mr. Krebs. I would have to get back to you on the specifics \nof the budget, the grant budget. But I will say this, that the \nlast year was the first year that, in the Homeland Security \nGrant Program, that there was two important elements: A \nrequirement for an investment justification for cyber \nexpenditures, as well as the requirement to include a CIO or \nCISO on the decision board at the State level.\n    That has been carried through to this year. But, you know, \nit is out of the same big pot of money that we have a number of \nother requirements set against and we have historically had \nthose requirements set against.\n    Mr. Katko. Now, last week I had the pleasure to spend quite \na bit of time at Syracuse University in their quantum computing \nresearch area. To say that my head hurt when I got done is an \nunderstatement. They are very smart people, but quantum \ncomputing is a real threat. It is a very real threat in the \ncyber area, as far as our cyber defenses.\n    So as CISA is thinking about securing tomorrow, how are you \npreparing for the potential effects of quantum and other \nemerging technologies on critical infrastructure?\n    Mr. Krebs. 
So as I think of emerging technologies, whether \nit is quantum or artificial intelligence, machine learning, \nsome of those things are here in certain respects. I have to \nlook at both sides of the opportunity, as well as the potential \nrisk; 5G is actually a fantastic example of this right now.\n    So one of the things that I am doing, that I plan to do is \nwe will use this National critical functions set, 55 functions, \nto work with stakeholders to understand what the potential \nimpacts on them may be.\n    Ultimately, critical infrastructure in the United States--\nand I don\'t have the primary source here--85 percent owned and \noperated by the private sector. We have heard that number time \nand time again.\n    So when I want to understand where the risk is, where I \nwant to understand what the potential impacts are, I go to the \nsource. I go to the people that own the networks and get a \nsense of what their concerns are. I am able to then bring \nintelligence community, the law enforcement community.\n    I really do sit in an interesting spot in Government and \nindustry, that intersection of the I.C., law enforcement in the \nprivate sector and within those Government conversations, I am \nthe advocate for the private sector.\n    Mr. Katko. So what I mean, just so we are clear, could you \nexplain to the committee just at an elementary level, because \neveryone understands the threat that quantum computing is, but, \nbasically, it is fair to say if the bad guys get the quantum \ncomputing capability before we do on a large scale, that our \nnetworks are going to be much more vulnerable. Is that fair to \nsay?\n    Mr. Krebs. I think, particularly from an encryption, you \nknow, post-quantum computing presents a number of risks to our \ncurrent security configurations, encryption, password \nmanagement, things of that nature. So it is something that the \nFederal Government is investing in quite significantly right \nnow.\n    Mr. Katko. 
Last, and I will be quick here. With the 55 \nNational critical functions, you issued today, you spoke about \nthem for a moment but I want you to expand them just briefly. \nHow do you envision this is different from our critical \ninfrastructure sectors and lifeline sectors? How can we assure \nthat this does not leave anyone behind?\n    Mr. Krebs. So the way I think about this is, is we are \nincreasingly connecting, is we are more interdependent. This \nframework, which it really is a framework more than anything, \nallows us to think about those things that are more important. \nIt is not about specific organizations, businesses, banks, \nenergy companies, whatever.\n    It is about the thing they do and the thing they deliver, \nand who is involved in delivering that service. So it actually \nallows us to expand and open up the aperture so that we are not \nleaving people behind.\n    I think in the current formulation it is possible that we \nare not hitting all the right bits and pieces of the supply \nchain, for instance, small and medium-size businesses.\n    This gives us a better appreciation of some of those niche \nor boutique companies that may deliver a really critical \nservice that doesn\'t fall neatly within the 16 sectors.\n    Mr. Katko. Well, thank you very much. I yield back the \nbalance of my time.\n    Mr. Richmond. Thank you.\n    The Chair now recognizes for 5 minutes the gentleman from \nMississippi, Mr. Bennie Thompson.\n    Mr. Thompson. Thank you, Mr. Chairman.\n    Acting Under Secretary Bryan, I will try to be a little \nspecific on my questions. For instance, in the budget that is \nproposed, the Coastal Resilience Center at the University of \nNorth Carolina at Chapel Hill is scheduled for elimination. Do \nyou support that?\n    Mr. Bryan. Mr. Chairman, I support the President\'s budget. 
\nHaving said that, I certainly appreciate the resources Congress \nhas provided over the years and the support to the S&T folks \nand the mission that we have.\n    All of our Centers of Excellence provide great value. In \nfact, that particular Center of Excellence has handled about \n137 technical requests and has received additional resources \nfrom outside of S&T for the work that they are doing.\n    But under the proposed budget, we are going to have to look \nat some Centers of Excellence two of them, frankly that would \nhave to be shut down and halt the start-up of three other ones, \nshould the President\'s budget be executed.\n    Mr. Thompson. So is that a yes or no?\n    Mr. Bryan. All I am saying, Chairman, all the Centers of \nExcellence provide value. Tough decisions had to be made, when \nyou have to reduce your budget.\n    Fortunately, over the past few years, we have not had to \nexecute on some of those tough discussions that we have had to \nhave with the budget that we have been given.\n    But again, we have to look at the priorities of the \nDepartment and look at some of the other mission areas of the \nother Centers of Excellence in making those decisions.\n    Mr. Thompson. Well, I would assume that is a maybe? You \nknow, they do a lot with coastal resilience and we have lost \nimmeasurable coastal properties. The Chairman\'s area of \nLouisiana is a good example of the losses.\n    So I would like to have the benefit, if not at this \nhearing, as to how we plan to replace that capacity, because it \nappears to be something that is vital to everything.\n    Coupled with that, you talked about 35 small companies you \nhave been given contracts to as it relates to small business \nopportunities and what have you.\n    Do you have the data on how many women-owned or minority-\nowned or anything like that?\n    Mr. Bryan. Mr. Chairman, we can get back beyond the \nspecifics of that. 
We do have some programs focusing on \nHistorically Black Colleges and Universities, as well as \nminority-serving institutions. If you don\'t mind, I can share \nsome of those activities?\n    Mr. Thompson. Well, I would love to have it.\n    Mr. Krebs. Certainly.\n    Mr. Thompson. Thank you very much.\n    Mr. Krebs, the supply chain problem that we have identified \na good bit, have you looked at how we can better manage supply \nchains so it does not continue to be a vulnerability?\n    Mr. Krebs. We have a number of efforts on-going right now. \nLast year we established an ICT supply chain risk management \ntask force. I mentioned in my opening that 20 members of the \nFederal Government, 20 members of the I.T., and 20 members of \nthe comms.\n    Basically what we are trying to do through this task force \nis to bring together a diverse group of players who all play in \nthe supply chain risk management space somewhere, at some point \nand create more of a consistent lexicon or understanding of \n(A), how to share threat information.\n    I get information from Kaspersky Labs for instance, how can \nI share that out in a protected manner to people that can take \naction and remove the threat?\n    Mr. Thompson. Thank you. Election security.\n    Mr. Krebs. Yes, sir.\n    Mr. Thompson. Now that everybody agrees that the Russians \nare a problem and that we need to do something about it, some \nof us are thinking about 2020 and what can we do between now \nand then to protect our system of elections? What is your \nsuggestion to Members of Congress as to what we can do?\n    Mr. Krebs. Sir, I think about protecting 2020 every day. In \nfact, a couple of months, a month or so ago, out at the RSA \nconference in San Francisco, I gave a keynote and I actually \nhad bumper stickers made up that said, #Protect2020. We are all \nin on protecting the 2020 election.\n    Where I think we are going to get the most amount of \nprogress over the next year-and-a-half, No. 
1, is continuing to \nextend our engagement with State and local election officials. \nWe had about 1,400 of them prior to 2018 but there are 8,800 \ntotal. So I have got to keep pushing out.\n    We are also going to help understand where the risk truly \nis in the system. What are the things that are not just \nvulnerable but most susceptible, where the highest consequences \nare?\n    Then once we get down, which I think we are pretty close, \nwe need to figure out what resources are going to be required \nto close out those vulnerabilities. Whether anybody likes it or \nnot there is a technology deficit in State and local \ngovernments in general but it is specifically in the election \ncommunity.\n    So what are the resources, whether they come from the \nFederal Government or from State and local legislatures--that \nis a conversation that we need to have. We need to get \nresources to these people so that they can protect their \nsystem.\n    Mr. Thompson. So what you are saying is, is that technology \ndeficit, unless it is fixed, potentially serves as a danger to \nthe conduct of our 2020 elections?\n    Mr. Krebs. Sir, I think just like any other I.T. problem, \nwhich in some cases the election security issues is just an \nI.T. security issue, there are 15-plus-year-old machines or \nequipment out there that may not be managed anymore. There may \nnot be updates available. They may be out of cycle.\n    So how do we get those systems, those known antiquated \nvulnerable systems out of the system and put the more secure \nstuff in? At the same time build auditability into the process \nand really hammer the importance of auditability across the \nelection process.\n    Mr. Thompson. So in other words, somebody needs to provide \nsome resources for that to occur?\n    Mr. Krebs. Sir, it has got to come from somewhere, yes, \nsir.\n    Mr. Thompson. Thank you.\n    I yield back, Mr. Chairman.\n    Mr. Richmond. The Chairman now recognizes Mr. 
Walker from \nNorth Carolina for 5 minutes.\n    Mr. Walker. Thank you, Mr. Chairman. I would also like to \nask the overall committee Chairman for a copy of that report on \nthe HBCU outreach by the under secretary. We need a copy of that. \nWe would appreciate that.\n    Director Krebs, how does your agency interact with the \nScience and Technology Directorate? Can you mention the \nrelationship?\n    Mr. Krebs. So SOPD Bryan, is that what I am supposed to \ncall you? That is my old title, the senior official performing \nthe duties here. I actually have an embed. So I have a couple of \nfolks from his shop that work with my folks on a regular basis.\n    I define a set of requirements that I need support on from \nan R&D perspective, share that with Mr. Bryan and then he is \nable to align his research and development programs against my \nrequirements. It was a top priority for both of us as we came \nin to ensure that we were pulling the same direction and that \nwe weren\'t, you know, in often competing research and \ndevelopment priorities.\n    Mr. Walker. Sure. What do you consider that, to use your \nwords, a top priority?\n    Mr. Krebs. Right now, I am looking at mobile security, 5G \nsecurity for instance. There is a great deal of opportunity in \nfront of both of us in terms of understanding what the risks \nare and how we can deploy more secured more mobile technology.\n    Also looking at general data analytics and I have an \nincredible amount of data that I am able to collect off of \nFederal agencies. But I don\'t have the tools or the horsepower \nand the pipes to do the right kind of work across it and \nanalyze the true threats. So, you know, he is helping me pull \ntogether what the tools and the infrastructure would look like.\n    Mr. Walker. Nice transition to the under secretary, same \nquestion for you. 
How would you describe your relationship or \nthe interaction with the Cybersecurity Infrastructure Security \nAgency and why is that alliance important to advancing overall \nDHS positions?\n    Mr. Bryan. One of my priorities when I took over this position \nwas to increase the relationship. We are a customer service \norganization. So we have to create an environment where the \ncomponents and the customers and first responders have to want \nto work with S&T because of the value added that we bring to \nthem.\n    That was not always the case across the board with the \nrelationship between S&T and some of the components. The \nrelationship between the former NPPD and the former leadership \nwithin S&T was not all that good. So there was not a lot of \nleveraging of capability.\n    So Director Krebs and myself both determined that we were \ngoing to fix that and we structured our and built our \norganizations in such a way so that I actually have a team \ndedicated just to servicing CISA.\n    I have teams dedicated to servicing every component within \nthe Department of Homeland Security. So we are no longer in a \nposition where you ask us for or give us a requirement and we \ntake that and sit on it for a year and take another year to \nfigure out how we are going to solve it. We actually have \npeople, as he mentioned, embedded and so when a requirement \ncomes in we can tackle it right away.\n    Mr. Walker. Sure. Little bit of a concern on the \nduplicative efforts between the two. Can you address that and \nwould the transfer of funds from the S&T to CISA, will that \nhelp eliminate some of the duplicity?\n    Mr. Krebs. So we have worked hard over the last year-and-a-\nhalf-plus to remove any redundancy or duplication of efforts. \nIt doesn\'t matter where the money ends up. The job is going to \nget done. 
The job is going to get coordinated across the two of \nus.\n    If I end up with the money, I will be working with Bill and \nhis team to transfer and execute the funds in the research \nprogram accordingly.\n    Mr. Walker. Any concern from either one of you that this \nwould create challenges fulfilling the DHS cybersecurity \nmissions as a whole?\n    Mr. Krebs. Bill? I don\'t have any----\n    Mr. Bryan. I have no concerns.\n    Mr. Krebs. I think this is a matter of leadership and I \nthink they both weigh into it.\n    Mr. Walker. They switched up. I have a little bit, about 80 \nseconds left. Although many areas within the S&T\'s budget \nrequests had funding and reductions or transfers, one key \nthrust area that was increased with the RD&I or the Research \nDevelopment and Innovation funding for border security.\n    Do you think this is the result of DHS\'s commitment to \nfinding a solution to the crisis at the border?\n    Mr. Bryan.\n    Mr. Bryan. Yes, I do. Not just are the crisis of the \nSouthern Border but also the influx of opioids. So a lot of \nthat increase had to do with helping to figure out how to find \nthose opioids as they come in through the mail system and other \nplaces as well.\n    Mr. Walker. Sure. As the Ranking Member privileged to serve \non the Intelligence and Counterterrorism Subcommittee, I would \nlike to hear your perspective on how the RD&I funding is \nhelping to develop innovative technology products or other \nsolutions to protect overall our Nation.\n    Mr. Bryan. Well, a key element of our innovation, frankly, \nwas within our Silicon Valley Innovative Program. That was a \nbig benefit for us because we were able to tap into innovators, \nentrepreneurs, small companies, citizen scientists to help us \nwith some of our most pending critical situations.\n    Mr. Walker. OK.\n    Mr. Bryan. 
Now, we have lost that authority, that OTFA \nauthority which we are trying to get back, but the Silicon \nValley Innovative Program was just one of many ways we are able \nto tap into that innovation quickly.\n    Mr. Walker. OK, 10 seconds left. This last question, how \nhas the CISA\'s work aligned with the 2018 DHS cybersecurity \nstrategy? What remains to be done? If you would just hit the \nsecond part of that question, the strategy?\n    Mr. Krebs. Sir, we have to continue rolling out into the \ncritical infrastructure community. The Federal network\'s base \nis pretty straightforward. It is the critical infrastructure \ncommunity. I need to be able to get my tools. One thing I need \nto be better at is marketing and engagement. So we are going to \nput a lot of effort there.\n    Mr. Walker. Thank you, Mr. Chairman.\n    Mr. Richmond. Thank you.\n    The gentleman from Rhode Island, Mr. Langevin, is \nrecognized for 5 minutes.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    I want to welcome our witnesses here today and thank you \nfor your testimony. Thank you for the job that you are doing. Before \nI get into my questions, I just want to touch on, Chairman \nRichmond\'s question early on when we talked about, you know, \nwho is in charge, who is coordinating.\n    You know, the reality is that we still don\'t have someone \nin charge. I understand the analogy with the President but, you \nknow, since we are talking sports analogies that would be \nequivalent to, you know, maybe the, you know, the team owner.\n    But, you know, who is actually executing and you don\'t have \na Bill Belichick that person who was basically fired by the \ncybersecurity coordinator. So nobody really has the policy and \nbudgetary authority to reach across Government that is pulling \nthis together.\n    So that is something that we still need to focus on. 
I \nstill say that we need a Senate-confirmed director with policy \nand budgetary authority to do that, but we will leave that for \nanother time.\n    Director Krebs, I appreciate the work that you and your \nteam are doing at CISA. But as you know, I also sit on the \nHouse Armed Services Committee and from that perspective I am \nfully vested in assuring that CISA has the capacity wherever \npossible to complete its core mission without drawing on \nPentagon resources.\n    So developing that expertise is essential for DHS, again \nnot having to always rely on reach-back to cyber command or NSA \nfor expertise. You know, based on my experience, you know, I \nhave that capacity building so where it relies on a DHS work \nforce.\n    So to that end, does the budget request reflect internal \nefforts to train and importantly retain the DHS cybersecurity \nwork force?\n    Mr. Krebs. Thank you for the question, and I would probably \npick, if you asked me a different NFL head coach other than \nBelichick, not a Patriots fan. Look, the----\n    Mr. Langevin. We will have to agree to disagree on that \none. I think he is doing pretty good.\n    [Laughter.]\n    Mr. Krebs. When we look at the budget, particularly from a \npersonnel perspective, we are still growing as an agency. We \nare still filling billets. I think I got about 1,300 folks.\n    Let\'s see, I have 1,100 cybersecurity professionals in \nplace. There are about 361 vacant positions right now, about 40 \npercent of those we either have a pending decision or a hiring \naction against. So our vacancy rate is not huge but it is so we \nneed to be filling those spots.\n    We have cross-training mechanisms in place. We are working \nto cross-train across not just CISA and not just DHS but \nthrough part of the President\'s management agenda.\n    We will be pushing out a cybersecurity work force academy \nacross the entirety of interagency. 
But at the same time, we \nare looking down the road of what does our incoming pipeline \nlook like?\n    Partnering with the Scholarship for Service Program to \nbring in college graduates and graduate programs, working with \norganizations like the recently announced cyber talent \ninitiative, MasterCard-Microsoft work day just launched. You \nknow, we need to be innovative in thinking about ways that we \ncan bring folks in, retain them.\n    But, you know, if we lose them to industry it is not the \nworst thing in the world because if they are with me for 5, 6, \n7, 8 years and then go out to industry that means I am building \nan alumni network that I haven\'t previously had, particularly \nalong the lines of the FBI and the service academies. So we are \nlooking at all different angles in terms of building that \ncapacity.\n    Mr. Langevin. Right. It is essential. I mean even \nUSCYBERCOM says that attracting and retaining the best talent \nis a challenge.\n    So gonna follow up on this, you know, do you believe that \nCISA is an attractive place for technical and operational \ncybersecurity experts? How does the budget support efforts to \nmake it more attractive?\n    Mr. Krebs. I am flat out, yes. I think it is one of the \nbest places to work in the Federal Government. I mean, you get \nto go work with the critical infrastructure community, you get \nto work with the Federal agencies and hunt for Russian, \nChinese, North Korean, Iranian actors on a daily basis. That is \njust plain fun.\n    Mr. Langevin. So let me ask this before my time runs out. \nYou know, you pledged again to work with any jurisdiction that \nneeds cybersecurity help on the elections. But do you actually \nnow have the personnel to do that, as well as to meet your \nother demands and priorities customers?\n    Mr. Krebs. I think at the moment we are finding that the \nrequest for our support is escalating in particular from the \nState and local community. 
I think elections have shown us \nthat, that there is a huge unmet need out there. So as I look \nto the out years we are going to need to boost our \ncapabilities, absolutely.\n    Mr. Langevin. You know, I hope you are going to be asking \nfor the right resources to do that and we stand ready to \nsupport you, so----\n    Mr. Krebs. Yes, sir.\n    Mr. Langevin. I know my time is expired.\n    Thank you, Mr. Chairman, I yield back.\n    Mr. Richmond. You are welcome.\n    The gentleman from Texas, Mr. Taylor, is recognized for 5 \nminutes.\n    Mr. Taylor. Are you sure? All right. Thank you, Mr. \nChairman, appreciate that.\n    Just going back to the conversation we had before we \nstarted this hearing in terms of municipal subdivisions of, you \nknow, some cities\', you know, utility districts. A lot of those \ngovernmental entities have personal data, right?\n    So they have got addresses, names, Social Security numbers, \ncredit card information. What are the penalties in Federal law \nfor a data breach for those organizations?\n    Mr. Krebs. So not necessarily an expert in specific \njurisdiction by jurisdiction but there are certain cases where \nthere are very narrowly tailored regulatory programs in place \nthat speak to data breach issues. But generally speaking it is \nState by State of what the requirements are to notify the \npublic, to notify any potential victims.\n    Mr. Taylor. What actions are we taking at the Federal level \nto try to help cities, counties, special purpose districts, you \nknow, subdivisions underneath the States to secure their data, \nto deal with cyber attacks?\n    Mr. Krebs. So every service pretty much that I can provide \nto the Federal Government I try to shift that out to State and \nlocal governments. 
Little-known fact, but the continuous \ndiagnostics and mitigations program, which is basically an \neconomies of scale where we buy a bunch of services and \nproducts for the Federal agency, that list is available to \nState and local government.\n    So what I need to do is I have really good technical \ncapabilities. I have really good tools and services. What I \nneed to do a better job of is building awareness across State \nand local governments of what those things are, how they can \nuse them.\n    Quick example, last year was a really bad year for State \nand local governments between Charlotte and Mecklenburg County, \nBaltimore, Atlanta, Colorado Department of Transportation all \ngot popped for ransomware. We took that, saw the trend lines \nand executed a ransomware awareness campaign, webinars, local \nengagement.\n    My field force was engaging on a local basis. We saw an \nuptick in services, but we have got to keep it hitting harder. \nWe got to keep hitting it harder. A lot of these jurisdictions \ndon\'t have the resources or the wherewithal to protect \nthemselves.\n    Mr. Taylor. Shifting over to the National Risk Management \nCenter which has only been on-line for 10 months, can you speak \nto what has happened there and then can--where we have come in \n10 months, and where you sort-of see the future?\n    Mr. Krebs. Yes, sir. So the concept behind the National \nRisk Management Center was to take an existing organization or \na sub-component within my organization. It was more of an \ninternal research or risk analysis feature that took a task \nfrom internal, you know, my leadership team and some other \nstakeholders.\n    Our concept was to flip it around and turn it into a \nstorefront for industry to come in and set our risk and \nanalytics, strategic risk analytics agenda.\n    So in the mean time things we have done, first and \nforemost, today\'s National critical functions effort. 
That was \nspearheaded by the National Risk Management Center, again, an \nevolution of risk management thinking.\n    The ICT supply chain risk management task force managed by \nthe National Risk Management Center, never been done before at \nthis scale across the interagency and within industry.\n    The election security efforts run out of the National Risk \nManagement Center. But fundamentally, this is about \nidentifying, understanding strategic risk, and driving \ninitiatives to manage that risk today and in the future.\n    Mr. Taylor. Then you mentioned this briefly in your opening \nremarks about the domain name system or DNS and then can you \njust speak to, what are we, need to do there and sort-of what \nis the problem and what is the future solution?\n    Mr. Krebs. Right, it is the internet phone book on how you \nend up on that URL or that website that you are looking for.\n    What we found in early January during the shutdown was that \nsomebody out there had figured out a way, not particularly \nsophisticated but just a concerted effort at global scale, of \nhow to tamper or, hijack is not the right word, but tamper \nwith that process and compromise accounts.\n    So what we did first and foremost was figured out what was \nhappening across the Federal interagency and locked it down and \nhad a better awareness. That is what we accomplished through \nthe emergency directive.\n    Going forward what we think we can do is centralize some of \nthose DNS records management processes across the Federal \nGovernment because, again, I have 99 agencies to work with.\n    What we want to do is provide as much centralization of \nservices as possible so we can lock that process down. 
In \naddition, the way a lot of malware works from its command-and-\ncontrol infrastructure is it beacons back and forth to the \nmothership using DNS lookups.\n    So if we can sit on top of that process we will have a \nbetter understanding of what is going on across the Federal \ninteragency.\n    Mr. Taylor. All right.\n    Thank you, Mr. Chairman, I yield back.\n    Mr. Richmond. Thank you.\n    I now recognize the gentlelady from New York, Congresswoman \nRice.\n    Miss Rice. Thank you, Mr. Chairman. So, Mr. Krebs, I think \nyou were talking before I don\'t know if I heard this correctly \nbut would you describe it as a resistance with State and local \ngovernments to working together with you on election security? \nOr is that not the right word?\n    Mr. Krebs. If you had asked me 2 years ago, I may have, \nkind-of, may have said yes. Look, I like thinking through this \nprocess from where we were, where we are now, and where we need \nto go. In 2016 when this all went down and we were not really \nas a government, State and local or Federal, really aware of \nthe potential risk to the election process.\n    So when the Federal Government engaged, and it is something \nthat is historically and by statute legislative tradition a \nresponsibility of State and local governments, there was an \nimmediate recoil. There was an immediate antibody that said we \nhave got this. We don\'t need your help.\n    But from the intelligence community perspective, from DHS, \nwe understood the risks, I think. So but when you don\'t have \ntrust and you are trying to work in this space, it is an uphill \nclimb.\n    But in the intervening 2 years, particularly in the run-up \nto 2018, just the commitment, the engagement, the providing \nresources and the communication that we are not trying to take \nelections over.\n    Miss Rice. Right.\n    Mr. Krebs. We don\'t want to regulate elections. We are here \nto help. 
The ship has turned entirely, 180 degrees from where \nwe were. We work with all 50 States.\n    We have sensors, those Albert sensors, we just shipped the \n50th. So that means every State\'s secretary of state at the \nhighest level is going to be working with us on the intrusion \ndetection system.\n    I am really optimistic about where we are going, but the \ntechnology deficit remains. There is work to be done. We have \ngot to figure out how to improve and modernize and upgrade \nthese systems.\n    But a lot of it is also a people problem, so we have got to \ncontinue to educate, continue to share that phishing remains \none of the biggest threat vectors that the bad guys are using, \nparticularly the Russians.\n    Miss Rice. So in 2016, most of the Russian efforts were \ntargeted at the party committees, whether it was the DNC or the \nDCCC and the individual campaigns of elected officials.\n    When you testified before the full committee in February, \nyou stated that you didn\'t see a problem with using the \ninformation sharing--ISAC, the Information Sharing Analysis \nCenter--model to develop a more formal information-sharing \narrangement between DHS and the political party committee and, \nfor that matter, individual elections.\n    I mean, we are all up here in a constant election mode, and \nI can tell you I am sure I don\'t know the best ways to keep the \npolitical side, and this is not talking about politics here, \nbut the fact is that those are where the attacks are happening.\n    So have you been able to set up an arrangement, whether it \nis the Republican side or the Democratic side, these party \ncommittees?\n    Mr. Krebs. So prior to the 2018 mid-term, we did work with \nall the National-level committees and some State-level \ncommittees. That is going to continue to be a priority for us, \nthe committee level as well as the specific campaigns.\n    We will provide services. 
We will continue to do those \nthings that we offer for States, whether it is vulnerability \nscanning, information-sharing mechanisms, we are going to offer \nthose up. But I would ask, each of you are in cycle right now. \nDo you know if your campaign is working with us? You know, that \nis a good question to ask.\n    In the mean time, the DNC, Bob Lord, the CIO over there, I \nthink has done a really good job of talking about the basics of \nsecurity, cyber hygiene, you know, using commercial-grade \nemail, using encrypted messaging apps, multifactor \nauthentication, really basics.\n    If you do the basics, if your campaigns do the basics, I am \nnot talking go buy some super sophisticated security widget, if \nyou do the basics, you can address 90 some-odd percent of the \nthreat.\n    Miss Rice. Right. I agree with you.\n    Mr. Bryan, the President\'s budget again proposes closing \nthe National Urban Security Technology Laboratory, NUSTL, in \nManhattan, New York. NUSTL supports the successful development, \nevaluation and transition of Homeland Security technologies \ninto field use for first responders.\n    I have also reintroduced legislation to permanently \nauthorize the lab which passed the House unanimously in the \nlast Congress. Many police commissioners and fire chiefs have \nexpressed grave concern over the President\'s desire to close \nNUSTL and hamper efforts to prevent and respond to terrorist \nattacks.\n    Every first responder agency in the New York metropolitan \narea utilizes NUSTL technologies, including the NYPD, the FDNY, \nand certainly in my district the Nassau County Police \nDepartment on Long Island. How does closing the only lab \nentirely focused on preparing and protecting first responders \nagainst threats of terrorism make any sense?\n    Mr. Bryan. Again, ma\'am, I can\'t say enough positive things \nabout NUSTL myself. 
It is a capability and an asset with \nrelationships they have formed in New York to be able to do the \nkind of work that they are doing, and you have articulated all \nthat very well.\n    My role right now and what I have to do is look at should \nwe have to lose that capability, what would we do with the work \nthat is going on?\n    Miss Rice. But do you have the power or do you feel like \nyou have the power to voice your concern about maybe cutting in \na different area other than this? That is my question. I mean, \nI understand the loyalty. I understand that the orders come \nfrom the top down.\n    But if you have a very deep, real concern, which it sounds \nlike you do, about getting rid of this NUSTL, you know, what \nare the remedies? There has to be a remedy.\n    Mr. Bryan. Yes, the only remedy I have and all I can do is \nlook to where those capabilities could be performed elsewhere.\n    Miss Rice. But clearly they are unique to this \ninfrastructure.\n    Mr. Bryan. Yes, ma\'am.\n    Miss Rice. I think we just have to continue that \nconversation. I think more people in positions like yours and \nMr. Krebs\' hopefully, you know, stand up and push back when \nthings like this want to be done by the administration. Thank \nyou both very much.\n    Thank you, Mr. Chairman.\n    Mr. Richmond. You are welcome.\n    Now the other gentleman from Texas, Mr. Ratcliffe, is \nrecognized for 5 minutes.\n    Mr. Ratcliffe. Thank you, Chairman.\n    I want to thank the witnesses for being here. For those \nthat have been on this subcommittee for a while, they know that \nit has been an effort over multiple years on this committee to \nelevate DHS\'s cybersecurity mission through CISA.\n    So I was especially pleased that the President\'s budget \nrequest included increased funding for what is our Nation\'s \nlead civilian cybersecurity agency. 
I think that shows that \nthis administration is serious about prioritizing our defenses \nagainst new and emerging cybersecurity challenges, and I have a \nlot of confidence that that will hopefully continue because it \nhas to continue.\n    It is obvious to both of you that cybersecurity now touches \nliterally every aspect of the world we live in. It is central \nto every sector of our economy. It is vitally important for \nprotecting the most sensitive information of every American, \nand that makes it one of our foremost National security \nchallenges.\n    In my time on the committee, I have tried to press the \nDepartment to continue to improve its work in providing the \nprivate sector with actionable real-time cyber threat \nintelligence, to improve as a forum for cross-sector \ncybersecurity work, and now to continue its good work on the \ncontinuous diagnostic and mitigation program, a program that I \nbelieve is vitally important to our cybersecurity posture.\n    So to that point, Director Krebs, I want to ask you, the \nadministration\'s budget request includes an increase for CDM to \ncontinue providing those necessary tools and services for all \nphases of the program that enable our Federal I.T. networks to \nstrengthen our security posture of those cyber networks.\n    I would like you to, if you can, expand on the reasons \nbehind the increase in funding for CDM.\n    Mr. Krebs. Thank you, sir. Your long-term support of CISA \nhas been a huge part of our success in getting us into an \nagency from NPPD. In terms of CDM, CDM is certainly one of \nthose kind of arrows in the quiver as we protect the Federal \nnetwork.\n    CDM is one of the reasons, one of the capabilities of why \nwe have improved so dramatically since the OPM breach. 
In \nparticular, the understanding and the ability to look across \nthose 99 agencies and understand what, for instance, operating \nsystems are running within their environment and help work with \nthose agencies to get them on a road map or a path to a more \nsecure configuration.\n    When I talk about dividing operational directive for patch \nmanagement, vulnerability management, we are able to see what \nis going on in those agencies in terms of those critical \nvulnerabilities or those high vulnerabilities. So we can \nactually measure now. We have the visibility so we can see, and \nwe can take action.\n    CDM will continue to be, for us, long term, whether it is \nunderstanding what is on the network, who is interacting on the \nnetwork and ultimately getting down to the data protection \nlevel. It will be a core element, one of the crown jewels of \nFederal network security for us.\n    Mr. Ratcliffe. So to that point then, is the funding level \nthat is included, is it sufficient to advance the procurement \nand the installation of CDM\'s capabilities all the way through \nphase four?\n    Mr. Krebs. Well, I mean, when you think about the life-\ncycle of the program, of CDM, and it is important to keep in \nmind that every agency, there are 99 agencies, every agency has \na different level of maturity. So some agencies may be ready to \ngo to Phase Four well before other agencies.\n    So two elements of that. One, we have to continue investing \nin agencies and getting them up to speed and getting their \nsystems modernized. But also it allows for a policy \nconversation on what do we want the future of Federal networks \nto look like?\n    My view is that having 99 different agencies to manage \nindependently is long-term an untenable position. 
I think there \nis a model that the Department of Defense has in the DODN where \nthey have broader span of control over the elements of the \nDepartment of Defense.\n    When we think about these 99 agencies, what I want to be \nable to do is provide more centralized services, so take some \nof the risk out of the hands of the departments and agencies.\n    Earlier this week, we were named the qualified service \nmanagement offering for security services, which puts us in a \nshared service model out to those other Federal agencies, but \nreally getting to a point where CIOs and CISOs or CIOs thinking \nmore about citizen services rather than securing their \ninfrastructure. Let my team help manage that process.\n    Mr. Ratcliffe. Director, my time has expired, but just to \nfollow up on that, because you and I have talked about this a \nlot, we need to be better at breaking down the initial barriers \nto provide agencies with real-time situational awareness and \nrisk-based accountable information, all of which are vitally \nimportant and imperative to our Federal cybersecurity efforts.\n    The bottom line is this funding level, will it do that? \nWill it expand the CDM program to more agencies and in the end \nallow CISA to better protect and manage those high-value \nassets?\n    Mr. Krebs. So certainly, with more I can do more. With more \npeople, I can work with CIOs of agencies to help them develop \ntheir plans. I can help push out a security baseline for \nsecured configuration across the agencies. So certainly, you \nknow, I can do more, and I can do more faster.\n    Mr. Ratcliffe. I appreciate the Chair\'s indulgence. I yield \nback.\n    Mr. Richmond. You are welcome.\n    The gentlelady from Texas, Mrs. Jackson Lee, is recognized \nfor 5 minutes.\n    Ms. Jackson Lee. I thank the Chair and the Ranking Member \nfor this hearing, and it couldn\'t be more important.\n    I am just going to briefly start with you, Mr. Bryan. 
As \nyou well know, I spoke to you a couple of months ago with a \nmajor university who had a concern, and I have not yet heard, \nand it is an important issue for them. They work very hard, and \nI am just wondering when you will reach my office with a \nresponse?\n    Mr. Bryan. Yes, ma\'am. If I am not mistaken, a formal \nresponse was drafted, and I will follow up on where that went. \nBut in the short order, I can tell you that the discussion was \nbased on two projects that they were considering at the \nuniversity.\n    One of them has already been approved, and we are \nadjudicating the other one as we speak, so it should not take \nmuch longer before a final decision is made.\n    Ms. Jackson Lee. So maybe we will reach each other. It did \nnot lapse, which was their concern, that they did not get out \nof the queue.\n    Mr. Bryan. That is correct.\n    Ms. Jackson Lee. So they are in the queue?\n    Mr. Bryan. Yes.\n    Ms. Jackson Lee. Let me thank you very much.\n    Let me just pursue, Mr. Krebs, this whole idea of the \nbudget, and I do appreciate at least the suggested budget of \nthe President. How many staff are in your sector?\n    Mr. Krebs. So across the agency, we are at about 2,200 \npersonnel, Federal full-time equivalent.\n    Ms. Jackson Lee. This is dealing with cybersecurity issues?\n    Mr. Krebs. Cybersecurity I am at about close to 1,200 in \nterms of cybersecurity.\n    Ms. Jackson Lee. Yes, I am just talking about \ncybersecurity.\n    Mr. Krebs. Cybersecurity, yes, ma\'am, about 1,200.\n    Ms. Jackson Lee. OK. Let me read, Pittsburgh, the Tree of \nLife, Robert Gregory Bowers; Mother Emanuel, Dylann Roof; \nChristchurch, Brenton Harrison Tarrant; San Diego, John \nEarnest; and most recently, Los Angeles, a terrorist suspect \narrested yesterday, Mark Steven Domingo.\n    I would say a good percentage of those used the cyber \nsystem to proffer their hate or to take from it their hate. I \nthink, Mr. 
Krebs, you have acknowledged the kinds of persons \nthat are utilizing the cyber system.\n    How many of those people do you have working on these kinds \nof hate efforts, dastardly acts that result in the murder of \nAmericans and sometimes the murder of people around the world?\n    Mr. Krebs. So on the physical side of this, Tree of Life is \na great example. One of my protected security advisors up in \nPittsburgh had worked with Tree of Life Synagogue, had done a \nsecurity assessment, a walk-through of the facility and \nidentified areas for perhaps improved egress.\n    In fact, the rabbi at the Tree of Life Synagogue had \ncredited my team for saving lives.\n    Ms. Jackson Lee. I am particularly talking about the use of \nthe cyber system to promote hate.\n    Mr. Krebs. Yes, ma\'am.\n    Ms. Jackson Lee. What are we dealing with?\n    Mr. Krebs. So this is a domestic terrorism issue, in part. \nRecently, the office, and I would have to get back with you on \nthe structure and the engagement, but in Office of Terrorism \nPrevention this was just last week or 2 weeks ago out of the \nOffice of Policy that is focused on, much like countering ISIS, \nhow do we address issues like this of on-line speech?\n    Fundamentally, when I look at the problem there, there are \nFirst Amendment challenges with this challenge right now, or \nwith this issue right now. But my team is focused. When you say \ncyber systems, really what you are talking about is social \nmedia, email, and other forms of I.T. and communications.\n    That does not fall within the traditional cybersecurity \ndefinition, and it does not fall within my traditional \ncybersecurity authorities.\n    Ms. Jackson Lee. Well, let me move on, because I think it \nshould. 
Let me ask unanimous consent to place in the record the \nComputer Week, ``Why Connected Devices Are Transforming Our \nPersonal and Working Lives in a Multitude of Ways.\'\'\n    They are also a growing security risk of attackers who are \nhijacking these devices and turning them into an internet of \nthings botnets. So I would ask to place that in the record.\n    Mr. Richmond. Without objection.\n    [The information follows:]\n           Article Submitted by Honorable Sheila Jackson Lee\n             how botnets pose a threat to the iot ecosystem\n                               april 2019\nNicholas Fearn, Computer Week\nhttps://www.computerweekly.com/feature/How-botnets-pose-a-threat-to-\n        the-IoT-ecosystem\nWhile connected devices are transforming our personal and working lives \n        in a multitude of ways, they are also a growing security risk--\n        attackers are hijacking these devices and turning them into \n        internet of things botnets\n    Connected technology already plays a dominant role in our daily \nlives. From mobile phones to tablet PCs, smart devices allow us to \ncommunicate with friends and family, keep up-to-date with what is \nhappening in the world, stay entertained, accelerate productivity in \nthe workplace, and much more.\n    But although the connected ecosystem is pretty expansive in 2019, \nit is about to get even bigger in coming years. We are on the cusp of \nan era when nearly everything around us has some form of internet \nability, such as home appliances, cars, office equipment, city \ninfrastructure, and health care devices.\n    For many, the internet of things (IoT) will mark the next major \nrevolution for mankind. According to figures from Statista, there will \nbe 31 billion devices connected to the internet by 2025, and Gartner \npredicts that the average family home will have 500 smart devices by \n2022. 
Meanwhile, IDC claims that spending on the IoT will reach $745 bn \nin 2019.\n    However, while IoT technology offers a great deal of opportunity, \nit is also causing a major security epidemic. Hackers are increasingly \nexploiting connected devices to harvest sensitive data, send spam, take \ncontrol of networks and launch cyber attacks around the world.\n    Botnet attacks have become commonplace, with CenturyLink Threat \nResearch Lab estimating that 195,000 such attacks take place every day \nand Accenture putting the average cost at $390,752. It is clear that \nthe continued expansion of the IoT ecosystem means more potential \naccess points and weak areas that need to be mitigated. But how can \nthat be achieved?\nA growing crisis\n    Traditionally, criminals have used malware to infect devices. \nHowever, as the connected ecosystem expands and new technologies enter \nthe market, they are finding different ways to launch more complex and \ndevastating attacks. Botnets are a good example of this.\n    Mike Benjamin, head of Black Lotus Labs at CenturyLink, says \nbotnets are becoming a pervasive problem across the internet and \nattackers are increasingly using IoT devices to build their botnets. \nThis, he claims, is creating a big security problem for consumers and \nbusinesses.\n    Botnets are particularly challenging because they evolve over time \nand new forms constantly emerge, one of which is TheMoon. Benjamin \ntells Computer Weekly: ``Threat researchers at CenturyLink\'s Black \nLotus Labs recently discovered a new module of IoT botnet called \nTheMoon, which targets vulnerabilities in routers within broadband \nnetworks.\'\'\n    Benjamin explains that a previously undocumented module, deployed \non MIPS devices, turns the infected device into a Socks proxy that can \nbe sold as a service. 
``This service can be used to circumnavigate \ninternet filtering or obscure the source of internet traffic as a part \nof other malicious actions,\'\' he says.\n    Attackers are using botnets such as TheMoon for a range of crimes, \nincluding credential brute forcing, video advertisement fraud and \ngeneral traffic obfuscation. ``For example, our team observed a video \nad fraud operator using TheMoon as a proxy service, impacting 19,000 \nunique URLs on 2,700 unique domains from a single server over a 6-hour \nperiod,\'\' says Benjamin. ``TheMoon is a stark reminder that the threat \nfrom IoT botnets continues to evolve. They are becoming more \nsophisticated and capable of more significant damage.\'\'\nBotnets are always advancing\n    Like Benjamin, 451 Research IoT analyst Ian Hughes believes botnets \nare a prevalent security risk because they are always changing. He says \nthat over the past few years, many forms of botnet have been created in \nline with the evolution of the technology industry and with advances in \nsoftware engineering.\n    ``Pre-cloud, the target would be viral infection on PCs through \ninstallation of patches to programs, usually accidentally by the \nuser,\'\' says Hughes. ``With the increase in connectivity, and the use \nof the internet and the web in a cloud era, the options for nefarious \ncode to be run on machines increased.\n    ``Not only did the technology introduce more potential holes, but \nthe ability for individual and groups to share information with one \nanother, such as code, made weaknesses in systems much more well-known. \nSystems have also evolved from specific hardware and software \ncombinations, which, when bespoke, are harder to gain control of en \nmasse, to ones running general-purpose virtual machines, containers or \nservices.\'\'\n    And as more devices connect to the internet, this challenge will \nonly grow, says Hughes. 
``We have an increasing number of devices with \nrelatively cheap compute power on board, all connected to the internet \nand able to run any form of software, and be managed remotely,\'\' he \nsays.\n    ``We also have a growing and eager market to instrument areas such \nas industrial manufacture, as well as the consumer space with IoT, \nwhich offers great benefits, but also increases the attack surface and \noptions for bad actors to engage with. With an ever-more connected \nenvironment, a device such as a simple surveillance video camera, in the \ncase of the Mirai botnet, can have some of its processing hijacked and \ndirected at almost anything else.\'\'\n    To tackle botnets, Hughes says all networks and all devices need \nnot only high levels of security monitoring and regular updates, but \nalso known levels of trust within a system. ``These levels of trust are \nstarting to be built upwards from the chip manufacturers as well as the \ndevice and software industry,\'\' he says. ``Of course, it only takes one \nrelease of a product at any level cutting some corners to get to \nmarket, to leave something wide open for hackers.\'\'\nPoor security\n    It is clear that the continued adoption of IoT devices is creating \na unique opportunity for attackers. Steven Furnell, senior IEEE member \nand professor of information security at Plymouth University, notes how \npoorly secured connected devices can be exploited.\n    ``We\'ve seen numerous reports of individual devices being \nexploited, we\'ve seen a growth in malware, and we\'ve had the Mirai \nbotnet already demonstrating the significant potential to harness \nvulnerable devices,\'\' he says.\n    ``What this clearly illustrates is that we\'ve failed to learn from \nthe past. Around 15 years ago, we had wireless access points being sold \nwithout encryption enabled and with default passwords. 
Security was \navailable, but it required users to be aware enough to switch it on and \nchange from the defaults.\n    ``Unsurprisingly, many didn\'t do so, and exploitation of \nunprotected access points was commonplace as a result. It was only once \nthat wireless networks had become synonymous with vulnerability that \nthe position ultimately changed, and manufacturers moved to enabling \nsecurity out-of-the-box by default.\'\'\n    Furnell believes the IoT ecosystem is experiencing a similar \nsituation, putting pressure on manufacturers to develop more robust \nsecurity mechanisms to protect users. ``We have since seen the same \nsort of thing happen with IoT devices,\'\' he says. ``Devices have \nshipped either without security, without it enabled, or with universal \ndefaults--all of which render them vulnerable to misuse, including the \npotential for enlistment within botnets.\n    ``Moving forward, the fundamental point is that IoT devices need to \nhave security available and we cannot leave it to individual users\' \ndiscretion about whether to enable it. There have been some positive \nmoves. Last year, the Department for Digital, Culture, Media and Sport \nand the National Cyber Security Centre issued a code of practice for \nthe security of consumer IoT devices.\n    ``This proposes a set of 13 practices that developers, \nmanufacturers and retailers could adopt to improve security, with the \nfirst of these being the elimination of universal defaults for \nusernames and passwords.\'\'\nCracking down on botnets\n    Although there is no silver bullet solution for mitigating the risk \nof botnets, there are a number of helpful best practices. ``When \ndeploying an IoT device of any type, the three most important questions \nneed to be: Have we configured strong credential access? What is our \nupdate strategy for firmware changes? 
What URLs and IP address does the \ndevice need for its operation?\'\' says Tim Mackey, senior technical \nevangelist at Synopsys.\n    ``When IoT devices are deployed within a business environment, best \npractice dictates that a separate network segment known as a VLAN \nshould be used. This then allows for IT teams to monitor for both known \nand unknown traffic impacting the devices. It also allows teams to \nensure that network traffic originates from known locations.\n    ``For example, if a conference room projector is accessible via Wi-\nFi, the network the device uses should be restricted to only internal \nand authenticated users. Public access to the device should always be \nrestricted. Following this model, exploitation of the device would then \nrequire a malicious actor to first compromise a computer belonging to \nan authenticated user.\'\'\n    Mackey says regular IT audits of IoT networks should then be \nperformed to ensure only known devices are present, with the device \nidentification mapped back to an asset inventory containing a current \nlist of firmware versions and a list of open source components used \nwithin that firmware.\n    ``This open source inventory can then be used to understand when an \nopen source vulnerability impacting a library used within the firmware \nhas a published vulnerability,\'\' he says. ``Armed with this \ninformation, a proactive update and patching model can be created for \ncorporate IoT devices.\n    ``Also, inspection of the firmware should identify what external \nAPIs (application programming interfaces), URLs and services the \nfirmware is configured to operate against.\n    ``These endpoints should be confirmed with the supplier as \nlegitimate with confirmation of their function. Once confirmed, the IoT \nnetwork that the device associated with the firmware is configured for \ncan then have firewall restrictions defined, allowing the IoT devices \naccess only to their known API dependencies. 
These tasks should be \nconsidered part of an overall device access model consistent with the \nprinciples of zero trust.\'\'\n    Spencer Young, regional vice-president for Europe, the Middle East \nand Africa at security firm Imperva, says the best way to discover and \nmitigate a botnet is to find its command and control (CnC) server. \n``The most effective way is to look into the communication between the \nCnC and its bots,\'\' he says. ``Once you start searching for exploit \nattempts, you can start to pick up possible indicators of a botnet.\n    ``For example, if the same IPs attack the same sites at the same \ntime while simultaneously using the same payloads and attack pattern, \nit is fairly likely that they\'re part of the same botnet.\n    ``However, all initiatives to combat the growth of botnets through \nindustry standards and legislation are likely to continue to occur only \non a regional or country level. As far as industry-wide efforts go, it \nis hard to imagine a scenario in which a global security standard for \nbotnet detection and defence could be agreed upon, applied and \nenforced.\'\'\n    Given the regulatory challenges and continued rise in the number of \nconnected devices, botnet attacks are likely to keep increasing. Young \nsays that as our devices evolve, both in terms of sophistication and \nconnectivity, so will botnets. This, he believes, will mean that \noperators will be provided with more capacity and new, more advanced \nattack options.\n    So preparation is key, says Young. ``To mitigate future attacks, \nall businesses must be prepared to defend against an attack when it \narises,\'\' he says. 
``Investing in the ability to parse your cyber \nthreatscape, successfully identify botnet attacks and build an \nintelligent defence is not just a security concern--it\'s a frontline \nbusiness issue.\'\'\n    If one thing is certain, it is that the threat of botnets will only \nincrease as the connected ecosystem rapidly expands and new connected \ntechnologies enter the market. And while attackers will continue to \nfind new ways to take control of networks and leverage botnets, there \nare clear ways in which IT practitioners and organisations can mitigate \nthe risk here--most notably the issue of improving weak security \nmechanisms.\n    It may be that attackers are often one step ahead, but by being \nmore proactive, security teams can also leapfrog ahead on occasions.\n\n    Ms. Jackson Lee. Let me ask a question again, Mr. Krebs, on \nmaybe something that is within your jurisdiction. What is being \ndone to incentivize election officials to report suspected \nmalicious cyber activity, and how arduous are the reporting \nprocesses? What did we learn from the tabletop vote exercise?\n    If you can hold that question? Then the second one is on \nthe issue of botnets, which are networks of private computers \ninfected with malicious software and controlled as a group \nwithout the owner\'s knowledge, i.e., to send spam messages or \nlaunch attacks against networks or computing services.\n    One of the new exploits involved using voiceover IP on the \ninternet to launch an attack that targets a phone number for \ncalls that are auto-dialed or redirected for the purpose of \npreventing legitimate telecommunications from occurring. We \nknow what the Russians did in 2016. Is your office considering \nthis type of threat to public elections posed by botnets?\n    If you would answer those two serious questions.\n    Mr. Krebs. Yes, ma\'am. 
So in terms of general incentives to \nelection officials, steady engagement, regular engagement \nproviding them an understanding of the things we can do to help \nthem out. Our incentive is the support service.\n    We provide them assistance. We help them manage the risk to \ntheir systems, build a relationship, build trust and confidence \nthat I can help them. If they have a bad day, they will come to \nme. I have confidence that we are building those relationships \nand we will get there.\n    In terms of specific botnet mitigation, two fronts on this. \nIn the Executive Order 13800, there was a requirement to \ndevelop a botnet report. We worked on that with Commerce and \nTIA, set out a work plan with industry on countering botnets.\n    So we are addressing this from two angles. One, working \nwith industry to actually address the botnet challenge more \nholistically. But also we work with election officials to help \nthem understand the threat posed by botnets and put counter-\nbotnet or botnet, I am sorry, DDoS mitigation capabilities in \nplace in their system.\n    So if they do experience some sort of DDoS attack then, \nwhich is effectively what we are talking about here, then they \nhave the security mitigations in place.\n    Ms. Jackson Lee. You said it was Executive Order 1300?\n    Mr. Krebs. 13800.\n    Ms. Jackson Lee. 13800.\n    Mr. Krebs. Yes, ma\'am. May 2017.\n    Ms. Jackson Lee. All right. Let me thank you very much.\n    I yield back.\n    Mr. Richmond. I thank the gentlelady.\n    I thank the witnesses for their valuable testimony and \nMembers for their questions. The Members of the committee may \nhave additional questions for the witnesses, and we ask that \nyou respond expeditiously in writing to those questions. 
\nWithout objection, the committee record shall be kept open for \n10 days.\n    Hearing no further business, the committee stands \nadjourned.\n    [Whereupon, at 3:46 p.m., the subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n  Questions From Chairman Bennie G. Thompson for Christopher C. Krebs\n    Question 1. CISA carries out a broad cybersecurity mission that \nincludes protection of 99 Federal agency networks, hundreds of \nthousands of U.S. critical infrastructure entities, and covers the \nwaterfront of infrastructure and networks that support our day-to-day \nlife. And, CISA does so on a budget that is one-eighth that allocated \nto the Pentagon. If CISA\'s budget doubled tomorrow, what are some of \nthe priorities you would pursue?\n    Answer. Response was not received at the time of publication.\n    Question 2a. Since 2014, Congress has repeatedly expanded CISA\'s \ncybersecurity authorities and responsibilities, including late last \nyear when Congress voted to make CISA an operational component. \nNevertheless, CISA\'s budget has remained fairly flat and, if the fiscal \nyear 2020 request were enacted, it would actually see its budget cut.\n    How does this square with the challenges of reorganizing, staffing, \nand operating this new agency?\n    Answer. Response was not received at the time of publication.\n    Question 2b. This is a pivotal time for CISA. Might forcing CISA to \noperate on a less-than-adequate budget have lasting effects on the \nsuccess of the agency?\n    Answer. Response was not received at the time of publication.\n    Question 3. Earlier this year, the DHS Inspector General reported \nthat CISA\'s election security activities are being carried out by a \nskeleton crew, and outreach to local election officials is stretching \nCISA\'s field teams extremely thin. 
The fiscal year 2020 budget requests \n$22 million for support to State and local election officials. Is this \nenough to reconcile the need for ``improved planning, more staff, \nclearer guidance\'\' and other deficiencies identified by the IG?\n    Answer. Response was not received at the time of publication.\n    Question 4a. In 2013, a fertilizer plant exploded in West, Texas, \nkilling a dozen first responders. Last year, a Houston facility caught \nfire after a back-up generator failed during Hurricane Harvey. This \nyear alone, there have been multiple explosions at chemical facilities \nin Texas that caused major portions of the city to shut down and \nresidents being told to shelter in place for days. The CFATS program is \na vital National security program that requires security measures at \nthe Nation\'s highest-risk chemical facilities. The fiscal year 2020 \nbudget proposes slashing CFATS budget by $18 million. How can you \njustify such a dramatic cut to a program that is operating effectively, \nhas bipartisan support, and has such demonstrable value to the chemical \nsector?\n    Answer. Response was not received at the time of publication.\n    Question 4b. On February 26, 2019, this committee held a hearing on \nCFATS with the director of the Infrastructure Security Compliance \nDivision. At that hearing, I requested and was promised information on \nCFATS-covered facilities. Following that hearing, I submitted Questions \nfor the Record for which no response has been provided. Moreover, I was \nasked to submit some of my requests in a separate letter, which I did, \nand yet again have not received a response. What is the status of this \ncorrespondence?\n    Answer. Response was not received at the time of publication.\n    Question 5. As National interest in cybersecurity has grown, I \nworry that we are losing focus on DHS\'s long-standing mission to \nprotect physical assets. 
As CISA reorganizes and plans for the future, \nwhat is your long-term goal for the Infrastructure Security Division?\n    Answer. Response was not received at the time of publication.\n    Question 6. On April 26, 2019, the Office of Management and Budget \n(OMB) issued a memorandum titled, Centralized Mission Support \nCapabilities for the Federal Government which pre-designates CISA as \nthe lead for cybersecurity shared services across the Federal networks. \nI support this designation but am concerned that OMB\'s draft plan \ndesignates the Department of Justice (DOJ) as the functional lead for \nSecurity Operations Center (SOC) as a Service with DHS performing an \noversight role. This structure may prove to be unsuccessful given \nprevious challenges in their interagency relationship. What is the \nrationale for establishing DOJ as the lead for ``SOC as a Service\'\' \ninstead of establishing it within CISA, which is statutorily \nresponsible for securing Federal networks?\n    Answer. Response was not received at the time of publication.\n    Question 7a. With respect to the National Risk Management Center \n(NRMC)--can you describe how the series of initiatives, or sprints, \nthat began last year will feed into a larger strategy to help \nGovernment and the private sector better manage risk?\n    Are these initiatives intended to be short-term engagements or will \nthey become permanent?\n    Answer. Response was not received at the time of publication.\n    Question 7b. Are responsibilities from the Infrastructure Security \nDivision being transferred to the NRMC? If so, what impact does the \nshift in responsibilities have on morale at the Infrastructure Security \nDivision?\n    Answer. Response was not received at the time of publication.\n    Question 8. Recently, the NRMC released a list of 55 ``National \nCritical Functions\'\' (NCF). The shift from protecting ``critical \nsectors\'\' to ``critical functions\'\' is a major realignment. 
Until now, \nthe Federal framework for securing critical infrastructure has been \nbased on DHS, as the lead Federal coordinator, working with designated \nSector-Specific Agencies who act as liaisons and coordinators within a \nsector. The NCF list is a more integrated approach, and efforts to \nsecure a single function will likely cross into multiple sectors and \nrequire more coordination. How do you expect CISA\'s role as coordinator \nto evolve in order to secure this more expansive, complex list of \nfunctions?\n    Answer. Response was not received at the time of publication.\n    Question 9. Thus far, DHS has released a 3-page overview of the \nNational Critical Functions. What more do you expect to release to the \npublic, and to Congress? What is your time line for doing so?\n    Answer. Response was not received at the time of publication.\n    Question 10. CISA plans to build upon its National Critical \nFunctions work to build a Risk Register, which will identify scenarios \nthat could degrade these functions, tier them by severity, and enable \nbetter prioritization of mitigation activities for critical \ninfrastructure. What is the time line for the creation of the Risk \nRegister?\n    Answer. Response was not received at the time of publication.\n\n                                 [all]\n</pre></body></html>\n'