b"<html>\n<title> - CYBERSECURITY CHALLENGES FOR STATE AND LOCAL GOVERNMENTS: ASSESSING HOW THE FEDERAL GOVERNMENT CAN HELP</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\nCYBERSECURITY CHALLENGES FOR STATE AND LOCAL GOVERNMENTS: ASSESSING HOW \n                    THE FEDERAL GOVERNMENT CAN HELP\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                     CYBERSECURITY, INFRASTRUCTURE\n                       PROTECTION, AND INNOVATION\n\n                                 OF THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 25, 2019\n\n                               __________\n\n                           Serial No. 116-29\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n        Available via the World Wide Web: http://www.govinfo.gov\n\n                               __________\n                               \n                               \n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n38-782 PDF                  WASHINGTON : 2020                     \n          \n--------------------------------------------------------------------------------------\n                               \n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nSheila Jackson Lee, Texas            Mike Rogers, Alabama\nJames R. 
Langevin, Rhode Island      Peter T. King, New York\nCedric L. Richmond, Louisiana        Michael T. McCaul, Texas\nDonald M. Payne, Jr., New Jersey     John Katko, New York\nKathleen M. Rice, New York           John Ratcliffe, Texas\nJ. Luis Correa, California           Mark Walker, North Carolina\nXochitl Torres Small, New Mexico     Clay Higgins, Louisiana\nMax Rose, New York                   Debbie Lesko, Arizona\nLauren Underwood, Illinois           Mark Green, Tennessee\nElissa Slotkin, Michigan             Van Taylor, Texas\nEmanuel Cleaver, Missouri            John Joyce, Pennsylvania\nAl Green, Texas                      Dan Crenshaw, Texas\nYvette D. Clarke, New York           Michael Guest, Mississippi\nDina Titus, Nevada\nBonnie Watson Coleman, New Jersey\nNanette Diaz Barragan, California\nVal Butler Demings, Florida\n                       Hope Goins, Staff Director\n                 Chris Vieson, Minority Staff Director\n                                 \n                                 ------                                \n\n     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND \n                               INNOVATION\n\n                Cedric L. Richmond, Louisiana, Chairman\nSheila Jackson Lee, Texas            John Katko, New York, Ranking \nJames R. Langevin, Rhode Island          Member\nKathleen M. Rice, New York           John Ratcliffe, Texas\nLauren Underwood, Illinois           Mark Walker, North Carolina\nElissa Slotkin, Michigan             Van Taylor, Texas\nBennie G. 
Thompson, Mississippi (ex officio)  Mike Rogers, Alabama (ex officio)\n               Moira Bergin, Subcommittee Staff Director\n           Sarah Moxley, Minority Subcommittee Staff Director\n                            \n                            C O N T E N T S\n\n                              ----------                              \n\n                               Statements\n\nThe Honorable Cedric L. Richmond, a Representative in Congress \n  From the State of Louisiana, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement\n  Prepared Statement\nThe Honorable John Katko, a Representative in Congress From the \n  State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement\n  Prepared Statement\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Oral Statement\n  Prepared Statement\nThe Honorable Mike Rogers, a Representative in Congress From the \n  State of Alabama, and Ranking Member, Committee on Homeland \n  Security:\n  Oral Statement\n  Prepared Statement\n\n                               Witnesses\n\nMs. Keisha Lance Bottoms, Mayor, City of Atlanta:\n  Oral Statement\n  Prepared Statement\nMr. 
Thomas Duffy, Chair, Multi-State Information Sharing and \n  Analysis Center (MS-ISAC), Senior Vice President of Operations, \n  Center for Internet Security:\n  Oral Statement\n  Prepared Statement\nMr. Ahmad Sultan, Affiliated Researcher, Center for Long-Term \n  Cybersecurity, School of Information, University of California, \n  Berkeley:\n  Oral Statement\n  Prepared Statement\nMr. Frank J. Cilluffo, Director, McCrary Institute for Cyber and \n  Critical Infrastructure, Auburn University:\n  Oral Statement\n  Prepared Statement\n\n                             For the Record\n\nThe Honorable Cedric L. Richmond, a Representative in Congress \n  From the State of Louisiana, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Statement of Talib I. Karim, CEO STEM4US!, Inc.\n\n \nCYBERSECURITY CHALLENGES FOR STATE AND LOCAL GOVERNMENTS: ASSESSING HOW \n                    THE FEDERAL GOVERNMENT CAN HELP\n\n                              ----------                              \n\n\n                         Tuesday, June 25, 2019\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n                            Subcommittee on Cybersecurity, \n                                 Infrastructure Protection,\n                                            and Innovation,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 3:07 p.m., in \nroom 310, Cannon House Office Building, Hon. Cedric L. 
Richmond \n(Chairman of the subcommittee) presiding.\n    Present: Representatives Richmond, Langevin, Rice, \nUnderwood, Slotkin, Thompson (ex officio), Katko, Taylor, and \nRogers (ex officio).\n    Mr. Richmond. The Subcommittee on Cybersecurity, \nInfrastructure Protection and Innovation will come to order.\n    The subcommittee is meeting today to receive testimony on \ncybersecurity challenges for State and local governments, \nassessing how the Federal Government can help.\n    Good afternoon. I want to welcome the panelists to today's \nhearing on cybersecurity at the State and local level. This is \na topic that I believe deserves far more attention than it \ngets.\n    Since joining this subcommittee, I found that, while we can \nall agree that cybersecurity is an important topic, it can \nstart to feel unapproachable to people on the ground. As \nChairman, I want to spend some time looking at how \ncybersecurity impacts real people, like the ones I represent in \nthe Second Congressional District of Louisiana. I know that my \nconstituents work long hours and have hard jobs, sometimes more \nthan one. Many of them are not thinking about phishing emails \nor ransomware or whether a hostile foreign government has \ngained access to the networks that control their drinking \nwater, their transportation, or their medical care.\n    While the Federal Government has an important role to play \nin securing these networks, State and local governments own \nthem. The staffing, structure, and resources available to State \nand local agencies vary across the country, but many of them \nare operating with a shoestring budget. Like Federal agencies, \nthey are increasingly being targeted with sophisticated cyber \nattacks. 
Time and time again, we have seen that these attacks \ncan be debilitating, taking out the tools and services people \nneed to access health benefits, buy a home, or even call 9-1-1.\n    As any city official who has recovered from one of these \ncyber disruptions can tell you, the aftermath can have a hefty \nprice tag. This is a drain on taxpayer dollars, time, and \nlabor, all of which are in short supply at the State and local \nlevels.\n    We also know that these attacks are becoming more frequent \nand more advanced. According to the security firm, Recorded \nFuture, there have been at least 170 ransomware attacks carried \nout on county, city, or State governments since 2013, including \n20 reported so far this year. That is just the incidents that \nwere reported. The actual numbers are probably far higher.\n    But there is another problem as well. Today, we rely on the \ninternet to an extent that we never have before. Access to \nconnected devices and an understanding of how to use them \nsecurely is the very foundation of economic mobility. Yet we \nalso know that many in our communities do not have the same \nmeans, access, or opportunity to build a level of comfort with \ntechnology.\n    While we talk a lot about how automation might impact the \nwork force, we talk less about how poor cyber hygiene and low \ntech literacy can present a real economic barrier to entry. \nRight now, studies show that the most vulnerable, underserved \namong us, low-income, immigrants, or elderly populations, are \nthe most likely to fall victim to an on-line scam or click the \nwrong link. These mistakes can be costly, especially for \nsomeone on the margins. Negative experiences like these may \nalso lead many to steer clear of important on-line services, \nlike on-line banking, health management tools, or even email.\n    This response, left unchecked, will only serve to deepen \neconomic divides and allow our most vulnerable populations to \nfall further behind. 
We have to confront this head-on. I look \nforward to hearing from this panel on how we might do that.\n    This is not a State or local problem but a National one, \nand we should invest accordingly at the Federal level. \nUltimately, we cannot expect underresourced, understaffed State \nand local governments to defend their networks from State-\nsponsored hackers from Russia, China, and Iran. Toward that \nend, I am working on a comprehensive package to improve the \ncybersecurity posture of our State and local governments.\n    I look forward to hearing from our witnesses today about \nopportunities to address this important National security \nissue.\n    [The statement of Chairman Richmond follows:]\n                Statement of Chairman Cedric L. Richmond\n                             June 25, 2019\n    This is a topic that I believe deserves far more attention than it \ngets. Since joining this subcommittee, I have found that--while we can \nall agree that cybersecurity is an important topic--it can start to \nfeel unapproachable to people on the ground. As Chairman, I want to \nspend some time looking at how cybersecurity impacts real people--like \nthe ones I represent in the 2d District of Louisiana. I know that my \nconstituents work long hours and have hard jobs, sometimes more than \none. Many of them are not thinking about phishing emails or ransomware \nor whether a hostile foreign government has gained access to the \nnetworks that control their drinking water, transportation, or medical \ncare. And, while the Federal Government has an important role to play \nin securing these networks, State and local governments own them. The \nstaffing, structure, and resources available to State and local \nagencies vary across the country--but many of them are operating with a \nshoestring budget. 
And, like Federal agencies, they are increasingly \nbeing targeted with sophisticated cyber attacks.\n    Time and again, we've seen that these attacks can be debilitating--\ntaking out the tools and services people need to access health \nbenefits, buy a home, or even call 9-1-1. As any city official who has \nrecovered from one of these cyber disruptions can tell you, the \naftermath can have a hefty price tag. This is a drain on taxpayer \ndollars, time, and labor--all of which are in short supply at the State \nand local levels. We also know that these attacks are becoming more \nfrequent and more advanced. According to security firm Recorded Future, \nthere have been at least 170 ransomware attacks carried out on county, \ncity, or State governments since 2013--including over 20 reported so \nfar this year. That's just the incidents that were reported. The actual \nnumbers are probably far higher.\n    But there's another problem, as well. Today, we rely on the \ninternet to an extent that we never have before. Access to connected \ndevices--and an understanding of how to use them securely--is the very \nfoundation for economic mobility. Yet we also know that many in our \ncommunities do not have the same means, access, or opportunity to build \na level of comfort with technology. While we talk a lot about how \nautomation might impact the workforce, we talk less about how poor \ncyber hygiene and low tech literacy can present a real economic barrier \nto entry. Right now, studies show that the most vulnerable, under-\nserved among us--low-income, immigrants, or elderly populations--are \nthe most likely to fall victim to an on-line scam or click on the wrong \nlink. These mistakes can be costly, especially for someone on the \nmargins. And, negative experiences like these may also lead many to \nsteer clear of important on-line services--like on-line banking, health \nmanagement tools, or even email. 
This response, left unchecked, will \nonly serve to deepen economic divides and allow our most vulnerable \npopulations to fall further behind. We have to confront this head-on, \nand I look forward to hearing from this panel on how we might do that. \nThis is not a State or local problem, but a National one--and we should \ninvest accordingly, at the Federal level.\n    Ultimately, we cannot expect under-resourced, under-staffed State \nand local governments to defend their networks from state-sponsored \nhackers from Russia, China, and Iran. Toward that end, I am working on \na comprehensive package to improve the cybersecurity posture of our \nState and local governments. I look forward to hearing from our \nwitnesses today about opportunities to address this important National \nsecurity issue.\n\n    Mr. Richmond. With that, I now recognize the Ranking Member \nof the subcommittee, the gentleman from New York, Mr. Katko, \nfor an opening statement.\n    Mr. Katko. Thank you, Mr. Chairman.\n    Thank you, all of our witnesses, for being here today. It \nis an important topic that couldn't possibly be more timely, as \nyou all well know.\n    Our State and local governments are prime targets for cyber \nattacks. A May 2019 report by Recorded Future found that \nransomware attacks on State and local governments increased by \n39 percent in 2018 to 53 attacks. You know that all too well, \nMs. Bottoms. In the first 4 months of 2019 alone, there have \nalready been 21 attacks, including my home State of New York.\n    In 2018, the National Association of State Chief \nInformation Officers found that many States typically spend \nonly 1 or 2 percent of their budgets on cybersecurity. Most \nemploy fewer than 15 full-time cyber professionals. 
It is not \nsurprising, particularly given the burgeoning budget challenges \nmany State and local governments face and the talent pipeline \nissues we have discussed in previous hearings.\n    It will take work on a collective level from Federal, \nState, and local governments, as well as outside stakeholders, \nto improve the situation. But it is clear that action is needed \nand needed now.\n    This hearing today is an important step, and I commend the \nChairman for convening it. I look forward to hearing from our \nwitnesses about their ideas about how to help.\n    I will soon introduce a bill, the State and Local \nCybersecurity Improvement Act, which will direct the \nCybersecurity and Infrastructure Security Agency, or CISA, \nwithin the Department of Homeland Security to develop a \nresource guide for State and local officials to navigate the \nchallenges of protecting their networks.\n    My bill will also create two new grant programs. The first \nis a one-time grant for State and local governments to identify \ntheir high-value assets and system critical architecture. To \nprotect something, you must know it is worth protecting. The \nsecond grant program that will be part of this bill will help \nState and local governments conduct exercises to train, \nprepare, and evaluate their ability to respond to an attack.\n    Working through an exercise allows a government to identify \nweaknesses in their current plan and establishes protocols and \nprocedures to be prepared in the worst-case scenarios. My bill \nwill help State and local governments be better prepared to \ndefend their cyber networks. But the work we need to do to \naddress this issue does not end with my bill. This is a \ncollaborative effort. It is Democrats and Republicans. It is \nall of you at the table and everyone at every level of \ngovernment. 
That is what we are going to need to attack this \nproblem in an effective manner.\n    I look forward to working with my colleagues on this issue \nmoving forward, and I want to thank the Chairman and our \nwitnesses for speaking with us today.\n    Mr. Chairman, I yield back.\n    [The statement of Ranking Member Katko follows:]\n                 Statement of Ranking Member John Katko\n                             June 25, 2019\n    Our State and local governments are prime targets for cyber \nattacks. A May 2019 report by Recorded Future found that ransomware \nattacks on State and local governments increased by 39 percent in 2018, \nto 53 attacks. And in the first 4 months of 2019 alone, there have \nalready been 21 attacks, including in my home State of New York.\n    In 2018, the National Association of State Chief Information \nOfficers found that many States typically spend only 1 to 2 percent of \ntheir budget on cybersecurity. Most employ fewer than 15 full-time \ncyber professionals.\n    This is not surprising, given the budgeting challenges many State \nand local governments face and the talent pipeline issues we have \ndiscussed in previous hearings.\n    It will take work from Federal, State, and local governments, as \nwell as outside stakeholders, to improve this situation, but it is \nclear that action is needed.\n    This hearing today is an important step, and I look forward to \nhearing from our witnesses about their ideas about how to help.\n    I will introduce a bill, the State and Local Cybersecurity \nImprovement Act, which directs the Cybersecurity and Infrastructure \nSecurity Agency within the Department of Homeland Security, to develop \na resource guide for State and local officials to navigate the \nchallenges of protecting their networks.\n    My bill also will create two new grant programs. The first is a \none-time grant for State and local governments to identify their High-\nValue Assets and system-critical architecture. 
To protect something, \nyou must know what is worth protecting.\n    The second grant program helps State and local governments conduct \nexercises to train, prepare, and evaluate their ability to respond to \nan attack. Working through an exercise allows a government to identify \nweaknesses in their current plan and establishes protocols and \nprocedures to be prepared in case the worst happens.\n    My bill will help State and local governments be better prepared to \ndefend their cyber networks. But the work we need to do to address this \nissue does not end with my bill. I look forward to working with my \ncolleagues on this issue.\n\n    Mr. Richmond. The gentleman from New York yields back.\n    I now recognize the Chairman of the full committee on \nHomeland Security for 5 minutes.\n    Mr. Thompson. Good afternoon. I want to thank Chairman \nRichmond for holding today's hearing on an especially timely \ntopic, the cybersecurity challenges in the State and local \ngovernments.\n    Just last week, Riviera Beach, a small city in Florida, \nagreed to pay a $600,000 ransom demand after hackers crippled \ncity computer systems. Unfortunately, Riviera Beach is not \nalone. Hackers have been wreaking havoc on cities from Atlanta \nto Baltimore to Albany, and actually many more. These bad \nactors range from unaffiliated cyber criminals to sophisticated \nstate actors, including Iran, and their interest in breaching \nState and local networks is only growing.\n    Since the Russian Government engaged in a historic campaign \nto meddle in the 2016 elections, officials at all levels of \ngovernment have devoted time and resources to improve the \nsecurity of election infrastructure. For its part, Congress \nappropriated $380 million, a down payment, for foreign grants \nto State and local election officials to replace unsecure \nelection equipment, improve network security, and provide \ncybersecurity training to election officials. 
Additionally, for \n2 fiscal years, Congress has provided the Cybersecurity and \nInfrastructure Security Agency additional funding to provide \ncybersecurity services upon request to election officials.\n    But administering elections is only one of the many \nimportant responsibilities carried out by State and local \ngovernments. These attacks that have come about have disrupted \nnetworks and local police departments, offices that process \nreal estate transactions, and public health departments, just to \nname a few.\n    So I am looking forward to the testimony from our witnesses \ntoday. As a former mayor myself, I understand the problems \ncities have, and mayors more specifically. So I look forward to \nMayor Bottoms' testimony. But I am also eager to hear from MS-\nISAC, which serves as the cyber threat information-sharing hub \nfor State and local governments and spearheads State and local \ncoordination on securing election infrastructure.\n    Finally, I look forward to understanding the disparate \nimpact of cybersecurity incidents on vulnerable populations and \nhow the Federal Government can partner with State and local \ngovernment to address them.\n    I thank our witnesses for being here today, and I yield \nback the balance of my time.\n    [The statement of Chairman Thompson follows:]\n                Statement of Chairman Bennie G. Thompson\n                             June 25, 2019\n    Just last week, Riviera Beach--a small city in Florida--agreed to \npay a $600,000 ransom demand after hackers crippled city computer \nsystems. Unfortunately, Riviera Beach is hardly alone. Hackers have \nbeen wreaking havoc on cities from Atlanta to Baltimore to Albany. \nThese bad actors range from unaffiliated cyber criminals to \nsophisticated state actors--including Iran--and their interest in \nbreaching State and local networks is only growing. 
Since the Russian \ngovernment engaged in a historic campaign to meddle in the 2016 \nelections, officials at all levels of government have devoted time and \nresources to improve the security of election infrastructure. For its \npart, Congress appropriated $380 million--a down payment--to fund \ngrants to State and local election officials to replace unsecure \nelection equipment, improve network security, and provide cybersecurity \ntraining to election officials.\n    Additionally, for 2 fiscal years, Congress has provided the \nCybersecurity and Infrastructure Security Agency additional funding to \nprovide cybersecurity services--upon request--to election officials. \nBut administering elections is only one of the many important \nresponsibilities carried out by State and local governments. So far \nthis year, there have been over 20 reported cyber attacks against \ngovernment agencies. These attacks disrupted networks in local police \ndepartments, offices that process real estate transactions, and public \nhealth departments, just to name a few. The impacts ranged from \njeopardizing 9-1-1 calls, grinding real estate transactions to a halt, \nand preventing health officials from warning the public when a bad \nbatch of illegal drugs causes overdoses. Unfortunately, the \nsophistication of hackers is outpacing the speed at which State and \nlocal governments can implement IT modernization programs and phase out \nlegacy technologies. Moreover, the attack surface is growing as more \njurisdictions are integrating ``smart city'' technologies into the \nexecution and delivery of government services.\n    As other sectors improve their cybersecurity posture, State and \nlocal governments struggling to keep pace with technology are becoming \nlow-cost, high-value targets. It is time for the Federal Government to \ndo more. Every year, States assess cybersecurity as one of the 32 core \ncapabilities in which they are least proficient. 
At the same time, \nStates rarely use their Homeland Security Grant to invest in \ncybersecurity as they stretch these funds to support traditional \nterrorism preparedness and response capabilities.\n    Make no mistake, State and local governments need to invest in \nsecurity, especially as they invest in smart city technology. But it is \ntime to improve the way the Federal Government helps them. Toward that \nend, I am pleased that Mayor Keisha Lance Bottoms is here today to \nshare the lessons learned from the ransomware attack in Atlanta and to \nunderstand how the Federal Government can better help victims prevent, \nrespond to, and recover from cyber attacks. I am also eager to hear \nfrom the MS-ISAC, which serves as the cyber threat information-sharing \nhub for State and local governments, and spearheads State and local \ncoordination on securing election infrastructure. Finally, I look \nforward to understanding the disparate impacts of cybersecurity \nincidents on vulnerable populations and how the Federal Government can \npartner with State and local governments to address them. Addressing \nthe cybersecurity challenges ahead will require strong partnerships \namong all levels of government, and I am eager to understand how \nCongress can help ensure that Federal resources are most effectively \nleveraged.\n\n    Mr. Richmond. The gentleman from Mississippi yields back.\n    I now recognize Mr. Rogers, the Ranking Member of the full \ncommittee on Homeland Security, for 5 minutes.\n    Mr. Rogers. Thank you, Mr. Chairman.\n    I thank our witnesses for being here today, especially Mr. \nCilluffo from Auburn University's McCrary Institute for Cyber \nand Critical Infrastructure Security, located in my district.\n    The McCrary Institute serves as an invaluable resource to \nour State and the Nation with its cybersecurity and critical \ninfrastructure work. 
Cybersecurity is a tremendous challenge \nfacing all levels of government.\n    Our State level governments have seen first-hand through \nincreased ransomware attacks that leave citizens without \nservices and cities in panic. I am glad that our hearing today \nwill discuss how the Federal Government is already lending a \nhelping hand and how we can improve the level of assistance.\n    I appreciate Mr. Cilluffo highlighting the great work we \nare doing in Alabama to help address these issues, like the \ncyber magnet school to address the talent shortage, and the \nAlabama Security Operations Center, which provides centralized \ncybersecurity management for Alabama's State agencies. I had \nthe honor of visiting there about a month ago; it was pretty \nimpressive.\n    In many ways, Alabama is setting the example for other \nStates as we confront the challenges of cybersecurity.\n    With that, I yield back, Mr. Chairman.\n    [The statement of Ranking Member Rogers follows:]\n                Statement of Ranking Member Mike Rogers\n    Thank you, Mr. Chairman.\n    And thank you to our witnesses for being here today. Especially Mr. \nCilluffo, from Auburn's McCrary Institute for Cyber and Critical \nInfrastructure Security in my district.\n    The McCrary Institute serves as an invaluable resource to our State \nand the Nation with its cybersecurity and critical infrastructure work.\n    Cybersecurity is a tremendous challenge facing all levels of \ngovernment.\n    Our State and local governments have seen that first-hand through \nincreased ransomware attacks that leave citizens without services and \ncities in a panic.\n    I am glad that our hearing today will discuss how the Federal \nGovernment is already lending a helping hand and how we can improve the \nlevel of assistance.\n    I appreciate Mr. 
Cilluffo highlighting the great work we are doing \nin Alabama to help address these issues--like our Cyber Magnet School \nto address the talent shortage and the Alabama Security Operations \nCenter, which provides centralized cybersecurity management for \nAlabama's State agencies.\n    In many ways, Alabama is setting the example for other States as we \nconfront the challenges of cybersecurity.\n    Thank you Mr. Chairman. I yield back.\n\n    Mr. Richmond. The gentleman from Alabama yields back.\n    I would like to remind other Members of the subcommittee \nthat, under the rules, opening statements may be submitted for \nthe record.\n    I want to welcome our panel of witnesses here today. First, \nI am very pleased to welcome Mayor Keisha Lance Bottoms of the \ncity of Atlanta, Georgia, who oversaw the city's response to a \nmajor ransomware attack in March 2018. Under Mayor Bottoms' \nleadership, the city took a number of bold corrective actions \nto manage and mitigate damage and prevent future attacks.\n    Thank you, Mayor, for your participation and your \nwillingness to share the lessons you have learned in cyber \nincident response.\n    Next, we have Mr. Thomas Duffy from the Center for Internet \nSecurity, who is currently serving as the chair of the Multi-\nState Information Sharing Analysis Center, MS-ISAC. The MS-ISAC \nserves as an important partner and liaison between DHS and \nState and local officials when it comes to sharing information \nand coordinating around cyber threats. I look forward to \nhearing his insights on how we might tackle this problem.\n    Next, we also have Mr. Ahmad Sultan, who is here today in \nhis personal capacity to discuss the research conducted while \nserving at UC Berkeley's Center for Long-Term Cybersecurity. 
\nHis research focused on how underserved residents, including \nlow-income residents, seniors, and foreign language speakers, \nface higher than average risk of becoming victims of cyber \nattacks and are less equipped to respond. I am sure that his \ncomments will shed light on an important area of cybersecurity \nthat is typically overlooked.\n    Last but certainly not least, I would like to welcome Mr. \nFrank Cilluffo, the director of the McCrary Institute for Cyber \nand Critical Infrastructure at Auburn University. Mr. Cilluffo \npreviously served as a Presidential appointee in the Department \nof Homeland Security, as an adviser to former director Tom \nRidge. He has also testified before this committee and \nelsewhere on the Hill dozens of times.\n    Welcome back to the committee, Mr. Cilluffo, and thank you \nfor your testimony.\n    Without objection, the witnesses' full statements will be \ninserted in the record.\n    I now ask each witness to summarize his or her statement \nfor 5 minutes, beginning with you, the Honorable Keisha Lance \nBottoms.\n\n   STATEMENT OF KEISHA LANCE BOTTOMS, MAYOR, CITY OF ATLANTA\n\n    Ms. Bottoms. Good afternoon. My name is Keisha Lance \nBottoms, and I am the mayor of Atlanta, Georgia, the cradle of \nthe civil rights movement and the 10th largest economy in the \nUnited States. Thank you to Chairman Richmond and to Chairman \nThompson and to each of you for having me here today. It is an \nhonor to join you.\n    In the early morning hours of March 22, 2018, 77 days into \nmy term as mayor and only 4 days into the tenure of our new \nCOO, Atlanta's government experienced a ransomware cyber attack \nwhich impacted our operations and our ability to provide \nservices to our residents and our visitors.\n    To paint a broader picture of that day, the city of Atlanta \nhas nearly 9,000 employees, and it goes without saying that \nmany rely on technology to do their jobs and to keep the city \nrunning. 
We were incapacitated.\n    Fortunately, our daily mission-critical services, such as \nfire, police, and ambulance, were not severely impacted, and \nneither was our water supply. However, some departments and \ngovernment entities suffered irreparable damage, including our \npolice department which lost stored dash cam video footage. The \nAtlanta Municipal Court had to cancel and reschedule hearings. \nOur customer service interface, known as ATL311, was knocked \noff-line. Many other applications were impacted or affected, \ndelaying the delivery of city services.\n    As the first day unfolded, it became clear to us that \ncriminals had attacked the city's computer systems, and we \nmoved quickly to mitigate those circumstances. The first few \nhours of the attack were critical for limiting damage and \ndetermining our steps going forward. We notified law \nenforcement and key partners, including our insurance carrier, \nour government partners, the media, and the public.\n    We also needed to learn in detail what systems, functions, \nand operations were impacted. That may sound simple, but during \nan emergency, the process of identifying every compromised \nsystem was challenging, especially without the assistance of \ntechnology.\n    Out of an abundance of caution, we took some systems off-\nline and hired an outside security firm to assist with our \nresponse. We soon discovered that attackers were demanding a \nransom payment of $51,000 in bitcoins to unlock our systems. We \nrefused to pay.\n    The cost of recovery, to date, has been approximately $7.2 \nmillion, and that number is still climbing. 
Some costs have \nbeen reimbursed under our cyber insurance policies, which, \nthankfully, for the first time, we had obtained just a few \nmonths before the attack.\n    Last November, Federal authorities charged two Iranians \nwith the attack and outlined their massive scheme to breach \ncomputer networks of local governments, health care systems, \nand other public entities.\n    Our cyber attack was not unique. Digital extortion is now a \ncommon occurrence affecting many organizations in the public \nand private sectors, and cyber threats are becoming much more \nhostile and frequent. We must continue to understand how to \nprotect ourselves against these attacks when they occur.\n    The good news is that Atlanta is rebounding from this \nattack and sharing its experience with other cities. But the \nreality is that, as elected officials, we often make \ninvestments in infrastructure that people can see. In my nearly \n2-year campaign for mayor, not once did a constituent ask me \nabout my investment in cybersecurity.\n    Following our unfortunate experience, we have been advising \nother cities to help them better understand the continuity \nmeasures that are needed. We are adopting a more flexible and \nhardened infrastructure using advanced technologies and the \ncloud to diversify and minimize our risk. We are also \nemphasizing the importance of cross-functional response teams, \nincluding our Federal and State government partners.\n    But no city can do this effectively without strong \npartnerships. Through our process, Atlanta has worked with the \nFBI, Department of Homeland Security, the Secret Service, and \nthe private sector. The work we did to prepare for the Super \nBowl earlier this year is a great example of that \ncollaboration. We are staying proactive so that we can \nunderstand and better manage this ever-changing landscape.\n    We have also learned that you can never completely protect \nyour computer network. 
Quite frankly, that remains our biggest \nchallenge. Atlanta is more prepared and resilient than ever, \nbut we continue to need strong partnerships. Many cities, \nespecially small cities, simply lack the resources needed to \ndevelop the safety net that is needed to protect against these \nattacks.\n    The Federal Government should also expand programs that \nshare real-time threat information, which is often critical in \navoiding and mitigating threats. Also, we should have Federal \nprograms in place to provide cybersecurity disaster relief \nfunding that will help offset some of these costs. Last, we \nneed your help to ensure the safety and security of the \nelectoral process as city and State governments administer the \nelections that are the foundation of our democracy.\n    With the support and assistance of partners such as the \nDepartment of Homeland Security and this distinguished \ncommittee, all of our cities and our country can be safer and \nbetter prepared.\n    Thank you.\n    [The prepared statement of Ms. Bottoms follows:]\n               Prepared Statement of Keisha Lance Bottoms\n                             June 25, 2019\n    Good afternoon. My name is Keisha Lance Bottoms and I am the mayor \nof Atlanta, Georgia, the cradle of the Civil Rights Movement and the \nanchor of the 10th-largest economy in the United States.\n    I want to thank Chairman Bennie Thompson and Subcommittee Chairman \nCedric Richmond for inviting me today to testify at this important \nhearing. 
I am honored to be here.\n    In the early morning hours of Thursday, March 22, 2018--77 days \nafter I was sworn in as the 60th Mayor of Atlanta--the city experienced \na ransomware cyber attack which impacted our operations and our ability \nto provide services to our residents and visitors.\n    Fortunately, mission-critical services such as fire, police, and \nambulance services, and our water supply, were not affected.\n    However, some departments and governmental entities suffered \nirreparable damage.\n    The Atlanta Municipal Court had to cancel and reschedule hearings, \nsuffering a major interruption. ATL311, our customer service interface \nfor our residents, was knocked off-line.\n    Many other applications were impacted or affected, delaying the \nprovision of services by the city.\n    As that first day unfolded and the city learned more details about \nthe disruption, it became clear to us that criminals had attacked the \ncity's systems.\n    As this committee knows, one of the most common and successful ways \nthat criminals can attack entities is through phishing. Phishing scams \nuse social engineering to trick a user into clicking on a link which \ncan then infect the system with malware. Depending on the malware used, \nit can take over and encrypt the user's computer. Ransomware can also \ndelete or permanently corrupt files and destroy them forever, something \nwe experienced in Atlanta.\n    The city of Atlanta moved quickly to address the impacts and to \nmitigate the attack, notifying law enforcement and key partners, \nincluding our insurance carrier, outside counsel, Government partners, \nand the media. 
We also hired an outside cybersecurity firm to assist \nwith our response.\n    As with other crimes, in the case of a cybersecurity attack, it \ncan take days and even months to fully understand the depth and breadth \nof what may have been impacted.\n    The city assessed which systems, functions, and operations were \nimpacted. That might sound simple, but during an emergency, identifying \nevery compromised system was difficult to accomplish, especially \nwithout the assistance of technology.\n    Although the overall impact was not substantial throughout our \ninfrastructure, we took some systems off-line out of an abundance of \ncaution.\n    The city soon learned that the attackers were demanding a ransom \npayment of $51,000 in Bitcoin to unlock our systems, which we refused \nto pay.\n    The cost of recovery to date has been about $7.2 million and we \nexpect it will go higher.\n    Some costs have been reimbursed under Atlanta's cyber insurance \npolicies, with the hope that more will be reimbursed.\n    However, cyber insurance policies vary greatly, and not all \npolicies cover the wide-ranging impacts that a cyber attack can have on a \ncompany or a city. It is critical to seek expert advice and counsel to \nensure that the policies purchased can cover the damages that can be \nsustained.\n    As this committee knows, in November 2018, the U.S. Department of \nJustice charged two Iranians with the attack and outlined the wide-\nranging plan they crafted to attack countless local governments, health \ncare systems, and other public entities.\n    Unfortunately, the city of Atlanta's cyber attack was not an \nisolated occurrence. As organizations integrate technology into every \naspect of our lives, cybersecurity risk is ever present. 
If not \nsecured, systems across public and private entities will continually be \nsubject to attack and digital extortion.\n    Cities such as Savannah, Georgia; Dallas, Texas; and Baltimore, \nMaryland have been attacked. The attack in Baltimore affected its 9-1-1 \nsystem, which further underscores how these attacks threaten the actual \nhealth and safety for each of us.\n    Cyber threats are becoming more hostile and frequent, so all \norganizations must understand how to protect themselves against these \nattacks when they do occur.\n    The good news is that the city of Atlanta is using its experience \nto become a ``model city'' for how municipalities can protect against, \nand prepare for, cyber attacks.\n    We are adopting a more flexible and hardened infrastructure by \nutilizing advanced technologies in order to diversify and minimize \nrisk.\n    We are emphasizing the importance of cross-functional incident \nresponse teams that include Federal and State government partners.\n    We are strengthening our human capital to make certain that the \nbest and the brightest are guarding our systems.\n    We are in a good place going forward. 
Atlanta and the State of \nGeorgia represent one of the Nation's elite cybersecurity hubs, ranking \nthird in the Nation with companies that focus on information security, \nand generating more than $4.7 billion in annual revenue.\n    More than 115 cybersecurity firms call Georgia home, including \nCybersecurity 500-ranked Secureworks, Pindrop, NexDefense, and Ionic \nSecurity.\n    Based on the city's ``lessons learned'' we can now help other \ncities to take cybersecurity seriously and plan to put in place manual \nprocesses for mission-critical applications and services to \nspecifically address cyber risks.\n    This includes ensuring cities have carried out a thorough risk \nassessment of their systems, including both infrastructure and business \npractices.\n    No city can do this effectively without partnerships. The city of \nAtlanta has worked with the FBI, the Department of Homeland Security, \nthe Secret Service, and the private sector. The work done to prepare \nfor Super Bowl LIII (53) was a great example of these collaborative \nefforts.\n    The priority at the city of Atlanta is to build a culture of \ncybersecurity where all our technology experts and partners are around \nthe table.\n    We intend to stay pro-active in order to understand and manage the \never-evolving landscape.\n    We are re-focusing on operational basics--Detection, Response, and \nRecovery.\n    On detection, we need to be able to quickly identify anomalies and \npotential issues; on response, once a problem is identified, we need to \nrapidly seek to contain the risk; and on recovery, we will better \nunderstand the impacts of an attack and have cyber-specific recovery \nand business-continuity plans in place ready to be deployed \nimmediately.\n    One component of a ``down to the basics'' plan is to have an on-\ngoing program to educate employees and help them identify a phishing \nemail; as well as require the use of strong passwords, and prioritize \nfunding and 
empower cyber leadership, as we have done in Atlanta.\n    Regardless of the protective measures that are employed, \ncybersecurity risks are now part of our everyday lives. We've learned \nthat you can never completely protect a computer network.\n    But there are steps that can be taken.\n    For example, cities should establish clear processes and be ready \nto implement their cyber incident-response plan, just as they do in \nanticipation of other emergencies.\n    While the city of Atlanta is more prepared and more resilient, many \nlocal and State governments are not, and need the help of the Federal \nGovernment.\n    Specifically, the Federal Government can help by passing \nlegislation and providing funding to assist State and local governments \nin preventing, preparing for, and responding to cyber threats and \nincidents. It is also important to emphasize the need for the Federal \nGovernment to provide emergency funding and support during an actual \ncyber attack. Having access to funds at the time of an attack would not \nonly accelerate responsiveness and restoration, but would also result \nin fewer municipalities paying ransoms and ultimately decrease the \noccurrence of local governments as targets.\n    Second, the Federal Government can assist by empowering its \nagencies to develop and share best practices with State and local \ngovernments. 
Many small municipalities do not have the resources \nnecessary to develop and implement these best practices.\n    Third, the Federal Government should expand its programs that share \nreal-time threat information with State and local governments as this \ninformation is often critical in avoiding or mitigating threats.\n    Next, when an attack does occur, the Federal Government should have \nprograms in place to provide cybersecurity disaster relief funding to \nhelp offset recovery and restoration costs borne by State and local \ngovernments.\n    Last, many State and local governments administer elections and \nneed help in ensuring the safety and security of the electoral process.\n    We are living in a different digital world now. Nation-state actors \nand other foreign adversaries are attacking our State and local \ngovernments and we need a strong Federal partner to defend against \nthose threats.\n    We know the threats will continue. What we're planning for today \nmay look different tomorrow.\n    With the support and assistance of partners such as the U.S. \nDepartment of Homeland Security and this distinguished committee, all \nour cities, and our country, can be safer by being prepared.\n    Thank you.\n\n    Mr. Richmond. Thank you, Mayor Bottoms, for your testimony.\n    I now want to recognize Mr. Duffy to summarize his \nstatement for 5 minutes.\n\n   STATEMENT OF THOMAS DUFFY, CHAIR, MULTI-STATE INFORMATION \nSHARING AND ANALYSIS CENTER (MS-ISAC), SENIOR VICE PRESIDENT OF \n            OPERATIONS, CENTER FOR INTERNET SECURITY\n\n    Mr. Duffy. Thank you.\n    Chairman Thompson, Chairman Richmond, and Ranking Member \nKatko, and Members of the subcommittee, thank you for inviting \nme here today. 
My name is Thomas Duffy, and I am the chair of \nthe Multi-City Information Sharing and Analysis Center, or MS-\nISAC, which is operated by the Center for Internet Security.\n    We have a cooperative agreement with the Department of \nHomeland Security to work with State, local, Tribal, and \nterritorial governments across the country. We serve as a focal \npoint for cyber prevention, protection, response, and recovery \nof the Nation's State, local, Tribal, and territorial \ngovernments.\n    I have spent my career in service to State and local \ngovernments, including the past 15 years with the MS-ISAC. \nToday, I will discuss the current level of cyber maturity in \nState and local governments, the major security concerns, and \nthe recommendations on how the Federal Government can help.\n    Membership in the MS-ISAC and the more recently created \nElections Infrastructure ISAC has tripled in the past year-and-\na-half, which is a clear indication that the State and local \ngovernments have a growing need for assistance, guidance, and \nsupport. We conduct an annual cybersecurity maturity assessment \ncalled the Nation-wide Cybersecurity Review, which measures the \ngaps and capabilities of cyber programs of the State and local \ngovernments.\n    So what have we learned from these annual reviews? We have \nlearned that the States continue to report higher overall \nmaturity scores than the local counterparts. Not surprising. \nWhile improvements have been noted, there is still much to be \ndone at all levels of government.\n    We have also learned that the same top 5 security concerns \ndominate this discussion year after year. No. 1 concern in 2018 \nwas lack of sufficient funding; No. 2 was the increasing \nsophistication of threats; No. 3 was the lack of documented \nprocesses; No. 4 was emerging technologies; and No. 
5, as \nmentioned earlier, is the inadequate supply of cybersecurity \nprofessionals.\n    Addressing these challenges requires resources as well as \nState and National strategies. We need to increase a pool of \ncybersecurity professionals, plan for investments in our IT \ninfrastructure, and secure that security is built into the \nproducts and services.\n    So what can the Federal Government do to assist? First, let \nme note that DHS has been very supportive and proactive in \naddressing the increasing cyber challenges faced by State and \nlocal governments, especially in the election sector. There are \ntwo areas I would recommend for cyber support, one that \nrequires funding, which you are used to, and one that only \nrequires some interagency cooperation, which would be nice to \nsee.\n    First, the Federal Government should consider establishing \na dedicated State and local cybersecurity grant program. When \nthe initial Homeland Security grants were created, \ncybersecurity threat is not what it is today. Most of the funds \nwere dedicated to antiterrorism activities, which was \nappropriate. Over time, the grant funds have decreased while \nthe cyber threat has expanded exponentially, and the terrorism \nthreat still exists. Thus, there is a smaller pool of funding \nfor a much larger pool of threats. More money is going to \nsustain activities, leaving less money for new initiatives.\n    I would suggest if a cyber grant program is established, \npriority be given or funds set aside to programs that support \nState and local partnerships. Leveraging the combined resources \nof State and local partnerships will serve as a force \nmultiplier. Really, you get the value out of the funds.\n    Second, the Federal Government should adopt a single audit \napproach when auditing State programs for compliance with \nsecurity guidelines with the cognizant Federal agencies. 
In \n1984, the Single Audit Act was passed, which proved to be a \ncost-effective method to audit non-Federal entities. Once one \naudit is conducted in lieu of multiple audits of individual \nprograms, then the single audit standard is applied. The same \nshould apply to cybersecurity audits of State programs by \nFederal agencies. This would save resources, both at the State \nlevel and the Federal level, resources that could be reinvested \nto improving our cybersecurity posture.\n    While State and local governments have made progress in key \nareas, so have our adversaries. The dizzying array of \ncybersecurity requirements has made it difficult to develop \neffective programs, a lack of funding stalls progress, and a \nlack of capable talent compounds the negative impacts of \nransomware and other attacks. We must do better.\n    In closing, our success or failure will be determined on \nour ability to work together at all levels of government to \nevade, counter, or neutralize the endless risk that State and \nlocal governments face. Each of these efforts requires \nresources--time, money, and energy--that are currently in short \nsupply. If we are to make the progress required of us in \nmeeting our collective missions, we must work together on this \nNational problem.\n    I thank you for the opportunity to address the subcommittee \ntoday.\n    [The prepared statement of Mr. Duffy follows:]\n                   Prepared Statement of Thomas Duffy\n                             June 25, 2019\n    Chairman Thompson, Chair Richmond, Ranking Member Katko, and \nMembers of the subcommittee, thank you for inviting me today to this \nhearing. My name is Thomas Duffy and I serve as the senior vice \npresident of operations and security services at the Center for \nInternet Security, a global nonprofit focused on improving \ncybersecurity for public and private organizations. 
I also serve as the \nchair of the Multi-State Information Sharing and Analysis Center (MS-\nISAC), which is the focal point for cyber threat prevention, \nprotection, response, and recovery for the Nation's State, local, \nTribal, and territorial governments as well as all 79 Fusion Centers.\n    I have spent my career in service to State and local governments, \nincluding the past 15 years with the MS-ISAC. I appreciate the \nopportunity today to share our thoughts on the current state of \ncybersecurity in State and local governments, focusing on how the \nFederal Government can help. I look forward to offering ideas on how we \ncan collectively build on the progress being made to secure the State \nand local government cyber infrastructure.\n    In short, I will: (1) Introduce you to the current level of cyber \nmaturity in State and local governments; (2) describe the major challenges \nfaced by State and local governments; and (3) offer recommendations on how \nthe Federal Government can help.\n           about center for internet security and the ms-isac\n    The Center for Internet Security (CIS) was established in 2000 \nas a nonprofit organization and its primary vision is to lead the \nglobal community to secure our connected world through the \nidentification, development, validation, information sharing, and \nsustainment of best practice solutions for cyber defense. CIS was \ninstrumental in establishing the first guidelines for security \nhardening of commercial IT systems at a time when there were few \nsecurity standards, best practices, or leadership.\n    The MS-ISAC was formed in 2004 under the auspices of the State of \nNew York, and transitioned to CIS in 2010. 
The Elections Infrastructure \nInformation Sharing and Analysis Center (EI-ISAC) was formed in 2018, \nin response to the need to have a dedicated focus on protecting our \nNation's election infrastructure.\n    Today, CIS works with the global security community using \ncollaborative deliberation processes to define security best practices \nfor use by Government and private-sector entities. The approximately \n200 professionals at CIS provide cyber expertise in three main program \nareas: (1) The Multi-State and more recently the Elections \nInfrastructure Information Sharing and Analysis Center, the MS-ISAC and \nEI-ISAC respectively; (2) the CIS Benchmarks; and (3) the CIS Critical \nSecurity Controls. I describe each briefly below.\n    MS-ISAC.--\\1\\In 2010, the U.S. Department of Homeland Security \n(DHS), under the then-National Protection and Programs Directorate \n(NPPD), partnered with CIS to host the MS-ISAC, which has been \ndesignated by DHS as the focal point for cyber threat prevention, \nprotection, response, and recovery for the Nation's State, local, \nTribal, and territorial governments as well as all 79 Fusion Centers \nNation-wide. MS-ISAC members include all 56 States and territories and \nmore than 5,000 other State and local government entities. MS-ISAC's \n24x7 cybersecurity operations center provides: (1) Cyber threat \nintelligence that enables MS-ISAC members to gain situational awareness \nand prevent incidents, consolidating and sharing threat intelligence \ninformation with the DHS National Cybersecurity and Communications \nInformation Center (NCCIC); (2) early warning notifications containing \nspecific incident and malware information that might affect them or \ntheir employees; (3) IP and domain monitoring; (4) incident response \nsupport; and (5) various educational programs and other services. 
\nFurthermore, MS-ISAC provides around-the-clock network monitoring \nservices with our so-called ``Albert'' network monitoring sensors for \nmany State and local government networks, analyzing over 1 trillion \nevent logs per month. Albert is a cost-effective Intrusion Detection \nSystem (IDS) that uses open-source software combined with the expertise \nof the MS-ISAC 24x7 Security Operations Center (SOC) to provide \nenhanced monitoring capabilities and notifications of malicious \nactivity. In 2018, MS-ISAC analyzed, assessed, and reported on over \n56,000 instances of malicious activity to over 6,000 MS-ISAC members.\n---------------------------------------------------------------------------\n    \\1\\ Find out more information about the MS-ISAC here: https://\nmsisac.cisecurity.org/. List of MS-ISAC services here: https://\nwww.cisecurity.org/wp-content/uploads/2018/02/MS-ISAC-Services-Guide-\neBook-2018-5-Jan.pdf.\n---------------------------------------------------------------------------\n    EI-ISAC.--\\2\\In 2018 CIS was tasked by DHS to stand up an \ninformation sharing and analysis center focused on the Nation's \nelections infrastructure. Leveraging the resources of the MS-ISAC, CIS \nestablished the Elections Infrastructure Information Sharing and \nAnalysis Center (EI-ISAC). The EI-ISAC is now fully operational with \nall 50 States participating and over 1,700 total members, including \nelections vendors. The EI-ISAC provides elections officials and their \ntechnical teams with regular updates on cyber threats, cyber event \nanalysis, and cyber education materials. During the 2018 primaries and \nmid-term elections the EI-ISAC hosted the National Cyber Situational \nAwareness Room, an on-line collaboration forum to keep elections \nofficials aware of cyber and non-cyber incidents and potential cyber \nthreats. More than 600 elections officials participated in these \nforums. 
Moreover, the MS-ISAC was processing data from 135 Albert \nsensors monitoring the networks, which supported on-line elections \nfunctions such as voter registration and election night reporting. The \nAlbert sensors processed 10 petabytes of data during 2018, resulting in \nover 3,000 actionable notifications to elections offices.\n---------------------------------------------------------------------------\n    \\2\\ A list of EI-ISAC services can be found here: https://\nwww.cisecurity.org/ei-isac/ei-isac-services/.\n---------------------------------------------------------------------------\n    CIS Benchmarks.--CIS is also the world's largest producer of \nauthoritative, community-supported, and automatable security \nconfiguration benchmarks and guidance. The CIS Security Benchmarks \n(also known as ``configuration guides'' or ``security checklists'') \nprovide highly-detailed security setting recommendations for a large \nnumber of commercial IT products, such as operating systems, database \nmanagement systems, virtual private cloud environments, and for most of \nthe major vendors' network appliances. These benchmarks are vital for \nany credible security program. The CIS Security Benchmarks are \ndeveloped through a collaborative effort of public and private-sector \nsecurity experts. Over 200 consensus-based Security Benchmarks have \nbeen developed and are available in PDF format free to the general \npublic on the CIS or NIST web site. An automated benchmark format along \nwith associated tools is also available through the purchase of a \nmembership. CIS has also created a number of security-configured cloud \nenvironments, called ``hardened images'' that are based on the \nbenchmarks that we are deploying in the Amazon, Google, and Microsoft \ncloud environments. These hardened images help ensure that cloud users \ncan have confidence in the security provided within the cloud \nenvironment they select. 
The CIS-hardened images are used world-wide by \norganizations ranging from small, nonprofit businesses to Fortune 500 \ncompanies.\n    The CIS Security Benchmarks are referenced in a number of \nrecognized security standards and control frameworks, including:\n  <bullet> NIST Guide for Security-Focused Configuration Management of \n        Information Systems\n  <bullet> Federal Risk and Authorization Management Program (FedRAMP) \n        System Security Plan\n  <bullet> DHS Continuous Diagnostic Mitigation Program\n  <bullet> Payment Card Industry (PCI) Data Security Standard v3.1 \n        (PCI) (April 2016)\n  <bullet> CIS Critical Security Controls.\n    CIS Controls.--\\3\\In 2015, CIS became the home of the CIS Critical \nSecurity Controls, previously known as the SANS Top 20, the set of \ninternationally-recognized, prioritized actions that form the \nfoundation of basic cyber hygiene and essential cyber defense ground \ntruth. They are developed by an international consensus process and are \navailable free on the CIS web site. The Critical Security Controls or \njust the CIS Controls have been assessed as preventing up to 90 percent \nof pervasive and high-risk cyber attacks.\\4\\ The CIS Controls act as a \nblueprint for system and network operators to improve cyber defense by \nidentifying specific actions to be done in a priority order--achieving \nthe goals set out by the NIST Cybersecurity Framework (CSF). Moreover, \nthe CIS Controls are specifically referenced in the NIST CSF as one of \nthe tools to implement an effective cybersecurity program.\\5\\\n---------------------------------------------------------------------------\n    \\3\\ Find out more information about the CIS Controls and download \nthem for free here: https://www.cisecurity.org/critical-controls.cfm.\n    \\4\\ Up to 91 percent of all security breaches can be auto-detected \nwhen release, change, and configuration management controls are \nimplemented. 
IT Process Institute: https://www.sans.org/cyber-security-\nsummit/archives/file/summit-archive-1533052750.pdf.\n    \\5\\ NIST Framework, Appendix A, page 20, and throughout the \nFramework Core (referred to as ``CCS CSC''--Council on Cyber Security \n(the predecessor organization to CIS for managing the Controls) \nCritical Security Controls).\n---------------------------------------------------------------------------\n    The MS-ISAC, and more recently the EI-ISAC, are operated pursuant \nto a Cooperative Agreement with the Department of Homeland Security. \nMembers include all 50 States, all 50 State election directors, almost \n6,000 local governments, 88 Tribal governments, all 5 U.S. territories \nand the District of Columbia. Local government members represent over \n80 percent of the U.S. population.\n     cybersecurity challenges faced by state and local governments\n    Cyber protections at all levels of government are critical, and \ncentral to the fiduciary responsibility to protect the data that is \nentrusted to Government by our citizens and businesses. Local \ngovernments connect to State governments, State governments connect to \nthe Federal Government. All levels of government have a shared \nresponsibility for safeguarding information. Data on citizens is \ntracked from cradle to grave, from the issuance of your birth \ncertificate, to the filing of your death certificate.\n    Regarding the question ``has the cybersecurity posture of State and local \ngovernments improved?''--the answer is yes. There are, however, other \nrelated and equally important questions that should be asked. If the \nquestion is ``have State and local governments kept pace with advancing \nthreats and the rapidly expanding cyber infrastructures that need to be \nprotected?'', the answer is probably not. 
If the question is ``are \nState and local governments prepared to build, maintain, and evolve \ntheir cybersecurity programs commensurate with the risks that they will \nface in the future?'', the answer is again, probably not. Both State \nand local governments continue to make news for ransomware, cyber \ncrime, and other cybersecurity-related issues every week.\n    The cyber threat landscape continues to evolve faster than our \npreparedness activities and protective measures, and the number of \nentry points to our systems continues to grow at an accelerated rate. \nWe are constantly playing a game of catch up. There is no silver bullet \nto solve the problem. Software providers continue to issue patches for \nsystem vulnerabilities daily! Keeping up with this is an enormous \nchallenge for all organizations, large and small.\n    The MS-ISAC conducts an annual cybersecurity maturity assessment, \ncalled the Nation-wide Cybersecurity Review (NCSR), of State and local \ngovernments. The NCSR, based on the NIST Cybersecurity Framework, is a \nself-assessment tool developed by CIS in concert with State and local \ncybersecurity professionals.\n    What have we learned from the annual NCSR over the past few years?\n    The assessment uses a scale of 1-7 to measure cybersecurity \nmaturity, and establishes a score of 5 as the minimum security level \norganizations should strive for. The State average in 2018 was 4.7, \nwith 44 percent of States achieving the baseline of 5. The local \ngovernment average is 3.4, with only 18 percent achieving the baseline \nminimum of 5. There have been improvements over time, with the States \nimproving by 5 percent over the past 3 years and local governments \nimproving by 17 percent. States on average report higher maturity \nscores than local governments. 
While improvements have been noted, \nthere is much that still needs to be done, especially at the local \ngovernment level.\n    One constant finding of the NCSR has been the top 5 security \nconcerns, which remain unchanged for the past 5 years, the only \ndifference being that the order of priority has changed every year. The \ntop 5 concerns in 2018 were:\n    1. Lack of sufficient funding.--State and local governments \n        struggle with balancing operational needs to improve their IT \n        infrastructure and providing adequate cyber defense \n        simultaneously. Threat actors are continually attacking State and \n        local governments with ransomware and breaching their legacy \n        defense mechanisms to steal private data, causing an increased \n        need to provide incident response, improve IT network defense, \n        and reprioritize budgets to implement security best practices \n        and security controls that often require major operating system \n        and proprietary software migrations. The cybersecurity budget \n        must compete with other programs, such as education, \n        infrastructure like roads and bridges, health care and law \n        enforcement, for funding. The value of security investments is \n        not obvious to the public. Public officials don't run on a platform \n        of ``I am going to upgrade our IT infrastructure!''. It is only \n        after it is too late that they realize a missed opportunity to \n        prevent a major compromise that requires a major investment in \n        cybersecurity.\n    2. Increasing sophistication of threats.--It is no secret that \n        threat actors, threat groups, and/or advanced persistent threats \n        funded by nation states to carry out cyber espionage are \n        increasing. 
Sophisticated malware like Emotet, which \n        ``reinvents'' itself weekly to avoid detection by traditional \n        defenses, is a good example of the bad guys making cyber \n        defense a 24x7x365 job. In addition, threat actors are using \n        realistic and effective spear phishing and phishing campaigns \n        to gain access to State and local government systems and end-\nusers' workstations and mobile devices.\n    3. Lack of documented processes.--Mature organizations have \n        formally documented policies, standards, and procedures. \n        Implementation is tested, verified, and reviewed regularly to \n        ensure continued effectiveness. This is not found in most State \n        and local governments. Many processes in managing government \n        systems remain ad hoc. This is well-documented in the NCSR. The \n        priorities are to ``keep the lights on'', respond to \n        emergencies, manage new projects, roll out new technologies, \n        etc. One of the enhancements planned for 2019 in the NCSR is to \n        include links to policies and standards where this is \n        identified as a need in the NCSR submission. However, resources \n        will be required to implement the policies and standards and \n        ensure they are tested, verified, and reviewed regularly.\n    4. Emerging technologies.--The future is now. Major urban areas \n        are in the process of building 5G communications \n        infrastructures to support the rapidly growing need for \n        connectivity to support autonomous vehicles, data streaming \n        services, consumer electronics, and smart devices. IoT devices \n        are now finding their way into daily government operations. \n        HVAC systems are now connected to the internet as are medical \n        devices. Drone technology is being deployed across all levels \n        of government. 
Each of these technologies requires organizations \n        to expand the scope of protective measures that need to be \n        implemented, tested, and verified regularly. They also \n        introduce new opportunities for attackers to exploit networks \n        looking for vulnerabilities or lapses in security. Status quo \n        will not protect your network. The defenses need to continually \n        evolve. We must proactively put in place security measures that \n        effectively defend against current and future cyber threat \n        attacks.\n    5. Inadequate supply of security professionals.--The NCSR clearly \n        highlights what is a National problem--the shortage of skilled \n        cybersecurity professionals. The impact of this lack of talent \n        is even greater for State and local government entities \n        due to lower pay. State and local governments are at a major \n        disadvantage in recruiting cybersecurity professionals. Vacant \n        positions mean some critical work may not be accomplished.\n    Each year, the DHS issues a National Preparedness Report on the \nchallenges that all organizations, public and private, face in \npreparedness. It includes a capabilities assessment in 32 core areas \nreported by every State. The 2018 report noted:\n    1. Cyber threats are a rapidly-evolving threat, joining nation-\n        state threats and terrorism as an area of significant public \n        concern.\n    2. Since 2012, States and territories have consistently reported \n        cybersecurity as their least proficient capability.\n    Just this past weekend CISA reported on ``a recent rise in cyber \nactivity directed at United States industries and government agencies \nby Iranian regime actors and proxies.'' Improving our cybersecurity \nposture will take time. 
We must act now.\n             recommended actions for the federal government\n    Addressing these challenges requires resources as well as State and \nNational strategies. We need to: Increase the pool of cybersecurity \nprofessionals, plan for investments in our IT infrastructure, and \nensure that security is built into products and services.\n    What can the Federal Government do to assist State and local \ngovernments?\n    DHS has been very supportive in addressing the increasing \nchallenges of State and local governments posed by expanding cyber \nthreats, including funding of the Multi-State ISAC and Election \nInfrastructure ISAC, allowing State and local governments to \nparticipate in the Federal Virtual Training Environment (FedVTE), \nallowing State and local governments to participate in the Scholarship for \nService Program sponsored by the National Science Foundation. It has \nalso developed the National Cybersecurity and Technical Services \nprogram that provides network scanning and penetration testing among \nits many service offerings. It has been very active in improving the \nsecurity of our Nation's election infrastructure and developing and \nsponsoring local, State, and National cyber exercises. A National-level \nelection exercise was sponsored by DHS last week.\n    There are two areas in which I would recommend that consideration be given \nto additional Federal cyber support to the State and local community.\n    First, DHS should establish a dedicated State and local government \ncybersecurity grant program. When the initial Homeland Security Grant \nprograms were created, the cybersecurity threat was not what it is \ntoday. Most of the funds were dedicated to anti-terrorism efforts, as \nwas appropriate. Over time the grant funds have decreased, while the cyber \nthreat has expanded exponentially and the terrorism threat still \nexists. Thus, a smaller pool of funding is available for a large pool \nof threats. 
More money is going to sustain activities, leaving less \nmoney for new initiatives. If a cyber grant program is established, \npriority should be given, or funds set aside, to programs that support \nState and local partnerships. Leveraging the combined resources of \nState and local governments will serve as a force multiplier. There are \nseveral great examples of State and local partnerships including the \nWisconsin Cyber Response Team that was organized by the State to \nrecruit local government staff to be regional cyber incident responders \nfor local governments. Local government staff that met minimum \nqualifications were chosen to be part of the regional teams and \nreceived advanced training from the State, which led to incident \nresponse certifications. The regional teams have responded to over 30 \nincidents since their inception.\n    Second, the Federal Government should adopt a ``single audit'' \napproach when auditing State programs for compliance with the security \nguidelines of the cognizant Federal agencies. In 1984, the Single Audit \nAct was passed. The Act refers to a ``single audit'' because it \nconsolidated multiple audits of non-Federal agencies required for each \naward into a single audit. The stated purpose was to promote sound \nfinancial management of Government funds by non-Federal organizations, \npromote uniform guidelines for audits, and reduce the burden on \nnonprofits by promoting efficient and effective use of audit resources. \nIt proved to be a cost-effective method of auditing non-Federal entities. \nOne audit is conducted in lieu of multiple audits of individual \nprograms and a single audit standard is applied. 
The same should apply to \nthe security audits of State programs by Federal agencies.\n    The following are some of the Federal agencies that audit State \nsystems: Centers for Medicare & Medicaid Services, Internal Revenue \nService, Social Security Administration, Department of Agriculture, and \nDepartment of Health and Human Services. Although the compliance/audit \nrequirements are often based on NIST SP 800-53, they vary in the amount \nof time required by the State to meet the requirements. For example, \nsome Federal agencies send an on-site audit team to the State to review \nsecurity controls while other Federal agencies rely on the completion \nof a written questionnaire. Regardless, there are multiple audits being \nconducted that duplicate each other, and place a drain on scarce State \nresources dedicated to protecting State systems. Let these resources be \nfreed up to develop and implement new cyber protective measures. The \n``single audit'' concept would create savings for both the Federal and \nState governments, savings that could be re-invested to enhance their \ncybersecurity posture.\n                                closing\n    Defending our Nation from rapidly-advancing cyber threats has \nbecome a critical, yet incredibly difficult task. The overwhelming \nvulnerability inherent in the ``internet of everything'' caught us off \nguard, forcing most organizations into reactive mode, and the asymmetry \nof cyber warfare ensures that the good guys are always at a \ndisadvantage. All this while we increasingly rely on a safe, secure, \nand trustworthy internet to do everything from ordering groceries to \nordering drone strikes.\n    And while State and local governments have made progress in key \nareas, so have our adversaries. 
The dizzying array of cybersecurity \nrequirements has made it difficult to develop effective programs, a \nlack of funding stalls progress and a lack of capable talent compounds \nthe negative impacts of ransomware and other attacks. We must do \nbetter.\n    Our success or failure will be determined by our ability to have \nall levels of government work together to evade, counter, or neutralize \nthe endless risks that State and local governments face. Each of \nthese efforts requires resources--time, money, and energy--that are \ncurrently in short supply. If we are to make the progress required of \nus in meeting our collective missions, we must work together.\n\n    Mr. Richmond. Thank you, Mr. Duffy, for your testimony.\n    I now recognize Mr. Sultan to summarize his statement in 5 \nminutes. Thank you.\n\n STATEMENT OF AHMAD SULTAN, AFFILIATED RESEARCHER, CENTER FOR \n LONG-TERM CYBERSECURITY, SCHOOL OF INFORMATION, UNIVERSITY OF \n                      CALIFORNIA, BERKELEY\n\n    Mr. Sultan. Chairman Thompson, Ranking Member Rogers, \nChairman Richmond, Ranking Member Katko, and Members of the \nsubcommittee, thank you for inviting me to testify on the topic \nof cybersecurity challenges for State and local governments. My \nname is Ahmad Sultan, and I am testifying in my personal \ncapacity as the author of a white paper published by the Center \nfor Long-Term Cybersecurity and which was facilitated by the \ncity and county of San Francisco.\n    The findings of my research detailed in my written \ntestimony are alarming, but they are not surprising. \nUnderserved respondents in San Francisco defined as low-income \nearners, seniors, or immigrants have poor cybersecurity \noutcomes. Poor outcomes is a researcher's way of saying that \ntheir devices have been infected with viruses and malware, \nhacked, or phished for money. 
They don't follow best practices \nfor preventative care and they don't have enough knowledge \nabout curative care.\n    So for today's hearing, I will focus on ways in which we \nreconcile the macro with the micro, reconciling Government's \nattempts to enhance National security with a play of \nindividuals and their struggle to use digital devices to \nimprove social mobility. Stated simply, while organizations and \nGovernment invest millions of dollars to defend themselves from \ncyber attacks, a critical part of society is falling through \nthe cybersecurity cracks, underserved and vulnerable \npopulations.\n    This comes at a time when an increasing number of our daily \nactivities are governed by internet services. Low levels of \ncyber hygiene, which refers to best practices that improve on-\nline security, pose serious challenges to the well-being of \nunderserved populations.\n    Fear of cyber threats creates a distinct on-line experience \nfilled with fear, low confidence, and distrust. It prevents \nunderserved users from taking advantage of economic \nopportunities on the internet. These include job search \nservices, listing platforms, social networking, and email. \nThese services are crucial to remaining competitive in today's \njob market.\n    Like a mirror to the physical world, low levels of cyber \nhygiene and knowledge are associated with low-income households \nand low educational attainment. Most figures on poor \ncybersecurity outcomes are also underreported. In fact, most \nunderserved respondents I surveyed and spoke to didn't even \nknow about basic concepts: Spam, viruses, or on-line scams. \nInternet evangelists had promised a digital reality that would \neven the playing field across demographics.\n    But today, we are replicating the same gender and race-\nbased patterns of inequality on-line that the existing social \nstructures around us enforce off-line. 
This inequality in \noutcomes is a form of market failure that governments need to \ncorrect.\n    The reason cybersecurity experts adapt concepts from public \nhealth literature like cyber hygiene is because of the unique \ninterconnectedness of networks and society. Poor cybersecurity \npractices can cause viruses and malware to spread. This, in \nturn, can impact people, businesses, and infrastructure. It \ndeepens inequalities for those already most vulnerable to \nexisting economic and social forces but also reduces trust in \non-line services for all.\n    Take, for example, the concept of zombie botnets. Hackers \ncan control hundreds of thousands of devices without the device \nowner's knowledge or consent. They can program them to attack \nspecific targets, including businesses and infrastructure. Even \nlocal government staff suffer from porous practices. The \nincreasing frequency of ransomware attacks on local government \nsystems is a testament to that fact, and these attacks are \nbound to increase as more city services are digitized.\n    The risk of ignoring cyber preparedness is too high. 5G \nnetworks and AI systems promise smart cities. Important \nmunicipal services will be powered by strong mobile connections \nand trained machine learning systems. We need to pursue a \nholistic approach where cybersecurity concerns are addressed at \na societal level, much like public health issues.\n    While the underprivileged in society are disproportionately \naffected and most likely to be targeted by attackers and \nscammers, awareness of cybersecurity threats and best practices \nneeds to seep into public discourse. Digital literacy is not \nenough; it needs to be paired with cybersecurity awareness.\n    This is not just a State and local government problem. \nCyber vulnerabilities are not bound by geographical boundaries. 
\nIt is incumbent upon Federal, State, and local governments to \ncollaborate to solve the problem.\n    But State and local governments face many constraints to \nincreasing awareness. These include fiscal and budgetary \nchallenges, lack of social and technical expertise, low \norganizational capacity, and geographically-bound networks.\n    Promoting cyber hygiene through trainings, public service \ninitiatives, and public-private partnerships can lead to \nsignificant gains in the lives of underserved populations, while \nprotecting businesses and Government systems from cyber \nthreats. But to achieve these gains, State and local \ngovernments will require financial support and guidance from \nthe Federal Government. It is my hope that policy makers \nrecognize the challenges ahead and rise to the occasion.\n    Thank you again, Chairman Richmond and Representative \nKatko. I am happy to answer any of your questions.\n    [The prepared statement of Mr. Sultan follows:]\n                   Prepared Statement of Ahmad Sultan\n                             June 25, 2019\n    Chairman Richmond, Ranking Member Katko, and Members of the \nsubcommittee. Thank you for inviting me here today to testify on the \ntopic of cybersecurity challenges for State and local governments.\n    My name is Ahmad Sultan and I am testifying in my personal capacity \nas the author of a white paper published by the Center for Long-Term \nCybersecurity. This paper was adapted from my Master's thesis at UC \nBerkeley's Goldman School of Public Policy, titled ``Cybersecurity \nAwareness for the Underserved Population of San Francisco''. The \nresearch was funded by the Center for Long-Term Cybersecurity, and it \nwas commissioned by the city and county of San Francisco's Committee on \nInformation Technology. The scope of my testimony is based on my \nexpertise in cybersecurity before joining ADL. 
Any views presented here \nare not on behalf of or necessarily reflective of ADL positions or \nbeliefs.\n    The topic of today's hearing should be of interest to Government \npolicy makers, researchers, and to individual targets of cyber attacks. \nThanks to the rise of mobile devices, the ``digital divide''--which is \nthe gap between those who have access to on-line services and those who \ndo not--has been shrinking, yet there exists a stark contrast in the \non-line experience of low-income and high-income individuals.\\1\\ As the \nadoption of digital services becomes more widespread, a new divide has \nemerged between those who can manage and mitigate potential \ncybersecurity threats and those who cannot.\n---------------------------------------------------------------------------\n    \\1\\ Digital gap between rural and nonrural America persists. \n(n.d.). Retrieved from https://www.pewresearch.org/fact-tank/2019/05/\n31/digital-gap-between-rural-and-nonrural-america-persists/.\n---------------------------------------------------------------------------\n    While the increasing frequency of cyber attacks, which have caused \ncatastrophic data breaches,\\2\\ have led to organizations and \ngovernments investing billions of dollars to defend themselves, a \ncritical part of society is falling through the cybersecurity cracks: \nUnderserved populations, defined as low-income earners, seniors, or \nimmigrants.\n---------------------------------------------------------------------------\n    \\2\\ Includes the 2015 Office of Personnel Management breach in \nwhich an estimated 21.5 million records of personally identifiable \ninformation were stolen, and the 2014 Sony Pictures Hack, which \nincluded 47,000 unique Social Security numbers.\n---------------------------------------------------------------------------\n    This comes at a time when an increasing number of Americans' daily \nactivities are facilitated and governed by internet services. 
Low \nlevels of cyber hygiene, which refers to the best practices and steps \nthat internet users take to maintain system health and improve on-line \nsecurity, pose serious challenges to the economic, social, and \nemotional well-being of underserved populations, weaken the security of \nsystems in businesses and government, and pose existential threats to \nthe democratic values of liberty, equality, and justice for all.\n    The findings of my own research into the topic of cybersecurity \nawareness, detailed later in this testimony, are alarming but not \nsurprising. Underserved respondents in San Francisco have poor \ncybersecurity outcomes and do not follow best practices. A large number \nof respondents do not know about the existence of common threats like \nviruses and on-line scams.\n    Yet, the interconnected nature of on-line networks means that poor \ncybersecurity outcomes for underserved populations can affect countless \nothers. It not only deepens inequalities for those already most \nvulnerable to existing economic and social forces, but reduces trust in \non-line services for all. With 5G networks and Artificial Intelligence \nsystems promising smarter cities where key Government services are \npowered by strong mobile connections and trained machine learning \nalgorithms, the risk of ignoring poor cybersecurity outcomes is at an \nall-time high.\\3\\ It is imperative that we work diligently toward \nraising awareness and educating underserved populations about \ncybersecurity.\n---------------------------------------------------------------------------\n    \\3\\ Toward AI Security: Global Aspirations for a More Resilient \nFuture--CLTC UC Berkeley Center for Long-Term Cybersecurity. (n.d.). 
\nRetrieved from https://cltc.berkeley.edu/towardaisecurity/.\n---------------------------------------------------------------------------\n    Solutions exist but they require close coordination between \nFederal, State, and local governments.\n                      why should government care?\n    A large number of Americans from low-income households have low \ndigital literacy and cybersecurity skills, and many do not own \ninternet-connected devices or have broadband internet at home. While \ninternet adoption has been sporadic over the last few years,\\4\\ \nimproved internet access in cities across the country means millions of \nAmericans are expected to become active internet users, many of whom \nwill have little knowledge on cybersecurity. Even as connectivity \nincreases, the cybersecurity divide threatens to exacerbate existing \ninequalities.\n---------------------------------------------------------------------------\n    \\4\\ Demographics of Internet and Home Broadband Usage in the United \nStates. (2019, June 12). Retrieved from https://www.pewinternet.org/\nfact-sheet/internet-broadband/.\n---------------------------------------------------------------------------\n    According to recent estimates by Pew,\\5\\ roughly 3-in-10 American \nadults with household incomes below $30,000 a year (29 percent) do not \nown a smartphone. More than 4-in-10 do not have home broadband services \n(44 percent) or a traditional computer (46 percent). And a majority of \nlower-income Americans are not tablet owners. By comparison, each of \nthese technologies is nearly ubiquitous among adults in households \nearning $100,000 or more a year, coupled with higher levels of \neducational attainment and cybersecurity outcomes.\n---------------------------------------------------------------------------\n    \\5\\ Digital divide persists even as lower-income Americans make \ngains in tech adoption. (n.d.). 
Retrieved from https://\nwww.pewresearch.org/fact-tank/2019/05/07/digital-divide-persists-even-\nas-lower-income-americans-make-gains-in-tech-adoption/.\n---------------------------------------------------------------------------\n    The lack of cybersecurity preparedness for large swathes of \nunderserved populations is concerning for a variety of reasons. These \ninclude:\n  <bullet> Cybersecurity inequality.--Underserved populations who tend \n        to be the most vulnerable to real-world social and economic \n        forces are also the most vulnerable to cyber threats like \n        scams, viruses, harassment, and disinformation. Like a mirror \n        to the physical world, low levels of cyber hygiene and \n        cybersecurity knowledge are associated with low-income \n        households and low educational attainment. Most figures on poor \n        cyber outcomes are also underreported. This is because many \n        underserved users are unaware of cyber threats and do not know \n        if their devices have been hacked or if they have fallen victim \n        to a cyber scam. This inequality in cybersecurity outcomes is a \n        form of market failure that governments need to correct through \n        trainings and strategic public-private partnerships.\n  <bullet> Digital Inequality.--Internet users exist on a cybersecurity \n        spectrum that includes users who can defend against cyber \n        threats and those who cannot. Low levels of cyber hygiene \n        create a distinct on-line experience filled with fear, low \n        confidence, and distrust that I have seen lead to a complete \n        withdrawal from internet use. 
Without addressing the underlying \n        causes for the distinct differences in the on-line experience, \n        underserved populations are being denied a wide range of \n        opportunities and conveniences.\n  <bullet> Diminished Economic Opportunities.--Fearing cyber threats, \n        large numbers of underserved users are not taking advantage of \n        economic opportunities on the internet. These include job \n        search services like LinkedIn, listing platforms like \n        Craigslist, social networking, email, or on-line banking. All \n        these services are crucial to remaining competitive in today's \n        job market. They are also excluded from obtaining lower prices \n        through on-line shopping, on-line health services, and digital \n        financial inclusion services.\n  <bullet> First Amendment Protections.--The internet, and social media \n        platforms in particular, are viewed as the new public squares. \n        Cyber threats can be used to silence speech, create fear, and \n        disrupt key democratic processes.\n    Yet, poor cybersecurity outcomes are not exclusive to underserved \npopulations as the lack of awareness of best practices and capacity for \nnegligence exists at all levels of society. A holistic approach is \nrequired where cybersecurity outcomes are addressed at a societal \nlevel, much like public health issues. This is because poor \ncybersecurity practices can cause viruses, scams, and data breaches to \nspread and impact countless people, devices, infrastructure and entire \norganizations in unpredictable ways. The increasing frequency of \nattacks on local government systems is a product of poor cyber \nhygiene, even in populations that have higher digital literacy. 
In just \nthe last 3 years, the State and local governments of Colorado, \nBaltimore, Atlanta, San Francisco, Jackson County, Riviera Beach, \nImperial County, and Sammamish have had to deal with ransomware attacks.\\6\\ \n\\7\\\n---------------------------------------------------------------------------\n    \\6\\ Calvert, S., & Kamp, J. (2019, June 07). Hackers Won't Let Up \nin Their Attack on U.S. Cities. Retrieved from https://www.wsj.com/\narticles/u-s-cities-strain-to-fight-hackers-11559899800.\n    \\7\\ As More Governments Get Hacked, Concerns Grow Over Mounting \nCosts. Retrieved from https://www.governing.com/topics/finance/gov-\ngovernment-costs-hacked.html.\n---------------------------------------------------------------------------\n    The reason cybersecurity researchers and experts adapt lessons and \nconcepts, like cyber hygiene, from public health literature is because \nof the unique interconnectedness of society and networks. Human error \nis the weakest link in both fields and has the potential to \ninadvertently cause unimaginable damage. While the underprivileged in \nsociety are disproportionately affected and most likely to be targeted \nby attackers and scammers, awareness of cybersecurity threats and best \npractices needs to seep into public discourse at a societal level. \nDigital literacy is not enough; it needs to be paired with \ncybersecurity awareness.\n    This is not just a State and local government problem. Cyber \nvulnerabilities exist across the country, and cyber attacks can flow \nseamlessly between State and city lines. It is incumbent upon Federal, \nState, and local governments to provide programs and engage in \nstrategic partnerships that aim to improve cybersecurity outcomes.\n                  how can the federal government help?\n    State and local governments face many constraints to improving \ncybersecurity awareness. 
These include fiscal and budgetary challenges, \nlack of social and technical expertise, low organizational capacity, \nand geographically-bound networks. While I provide a detailed list of \nrecommendations in a later section of this document, some ways that the \nFederal Government can assist State and local governments include:\n  <bullet> Direct funds toward local cybersecurity awareness \n        trainings.--Local governments can partner with nonprofits to \n        roll out trainings aimed at improving the cybersecurity \n        knowledge and outcomes for underserved residents. These \n        trainings can be expensive as they require devices and \n        equipment, qualified trainers, monetary or other incentives for \n        participants, and fixed locations scattered throughout the \n        city. Local government budgets might not be able to justify \n        prioritizing these expenses.\n  <bullet> Design baseline training programs.--Not all State and local \n        governments have the capacity or expertise to design a \n        cybersecurity training program. The Federal Government should \n        work with local governments to design a baseline training \n        program which details the core topics that all training \n        programs should address. While the Federal Government should \n        design the baseline topics and curriculum, the programs should \n        be informed by and tailored to the ground realities of each \n        city and should not limit any government from going further \n        than its selected baseline topics.\n  <bullet> Develop and roll out public awareness campaigns.--Public \n        awareness campaigns are more cost-effective and can scale \n        better to reach larger audiences when developed centrally. 
This \n        streamlines the process of disseminating content to schools, \n        broadcast TV, on-line and physical publications, social media \n        platforms, and radio.\n  <bullet> Coordinate public-private partnerships.--The Federal \n        Government is uniquely positioned to work with private \n        technology companies to create advice resources, cross-company \n        collaborations in areas like phishing scams and coordinated \n        disinformation campaigns, and technological solutions like \n        cybersecurity chat bots and apps for smart phones that no \n        longer receive security updates. As I will explain later in \n        this testimony, underserved populations tend to place a high \n        level of trust on advice resources provided by private \n        technology companies. It would be highly inefficient for every \n        State and local government to individually approach technology \n        companies for their own respective solutions.\n       study: cybersecurity awareness for underserved populations\n    A growing number of cities across the United States have invested \nin digital literacy training programs that aim to educate underserved \npopulations in the basics of computer usage and commonly-used \nsoftware.\\8\\ Such programs often combine the provision of digital \nservices, such as free public wi-fi, with digital literacy training to \nhelp groups who are at risk of digital and social exclusion. 
These \ninitiatives are often led by nonprofits and local governments and aim \nto improve citizens' skills and confidence, as well as increase their \nmotivation to engage in on-line activity.\n---------------------------------------------------------------------------\n    \\8\\ https://www.digitalinclusion.org/digital-inclusion-\ntrailblazers/.\n---------------------------------------------------------------------------\n    San Francisco has a digital literacy initiative under its Office of \nDigital Equity,\\9\\ where the city government works with local partners \nin the nonprofit space to provide digital literacy training to its \nresidents, the vast majority of whom come from low-income households, \nare immigrants, and seniors. Early discussions with city residents were \nrevealing: They expressed frustration at their inability to prevent and \nresolve cyber attacks such as phishing scams, viruses, and harassment. \nThey were afraid of using important on-line services like banking apps \nand social media platforms.\n---------------------------------------------------------------------------\n    \\9\\ https://sfcoit.org/digitalequity.\n---------------------------------------------------------------------------\n    The theory of change in digital literacy programs normally involves \nencouraging internet use to increase employment, education, creativity, \nand entrepreneurship. But vulnerable populations are easily discouraged \nfrom using important internet services when faced with complex threat \nvectors.\n    We widen digital inequities and reduce the efficacy of digital \nliteracy trainings when we do not actively teach cybersecurity. 
\nMoreover, by neglecting the duty to educate and inform, we leave a \nlarge portion of the population at the mercy of bad actors who can \nexploit digital vulnerabilities for their own gain.\n                           research findings\n    I conducted a survey of underserved residents in the city and \ncounty of San Francisco to understand the scope and nature of the \nunderserved communities' cybersecurity outcomes, and to create \nevidence-based solutions. These residents were either low-income \nearners ($25,000 household income or less), senior citizens (65 years \nof age or older), or foreign language speakers (whose primary spoken \nlanguage is not English). The 48-question survey was designed to gauge \nthe scope and nature of residents' cybersecurity outcomes, and to \nunderstand their cybersecurity knowledge and abilities.\n    A total of 295 respondents were surveyed. This included 153 \nrespondents from the underserved population. While this is not \ntechnically a representative sample, these were the maximum number of \nrespondents I could survey who were enrolled in digital literacy \nprograms across San Francisco. Their experiences revealed through \nsurveys, semi-structured interviews and roundtable discussions reflect \nsocial and structural inequities that have persisted for too long. In \naddition to the 153 underserved respondents, 142 respondents from the \ncomparison group were also surveyed.\nPOOR CYBERSECURITY KNOWLEDGE AND SKILL LEVEL\n    Underserved respondents generally have a poor understanding of \nbasic cybersecurity concepts such as on-line scams and viruses. They \nalso have low skill level and motivation to follow best practices as \ngauged by cyber hygiene-relevant questions. 
These include setting a \ncomplex password for on-line accounts and employing preventative \nmethods when reading and interacting with the contents of an email.\n    I designed a Knowledge and Skill index to make meaningful \ncomparisons between the underserved and comparison group respondents. \nThe maximum combined score for the Knowledge and Skill index is 18.0.\n  <bullet> Average cybersecurity Knowledge and Skill index score for \n        the underserved respondents = 9.0/18\n  <bullet> Average (and Median) cybersecurity Knowledge and Skill index \n        score comparison group respondents = 15.0/18\n    Underserved respondents struggle with fundamental cybersecurity \nknowledge questions. When asked about their knowledge of core \ncybersecurity concepts, 20 percent indicated they did not know about \non-line crime, 21 percent were not familiar with email spam, 26 percent \ndid not know about computer or phone ``viruses,'' and 31 percent did \nnot know about anti-virus software. Respondents indicated they did not \nunderstand the risks associated with sharing their private account \npasswords or writing down their passwords on paper.\nVICTIMS OF CYBER CRIME\n    A large number of respondents from the underserved group reported \nbeing targets of cyber scams and internet viruses. Respondents provided \ninformation about the types of personal information that has either \nbeen stolen from them on-line, or that they have divulged to a complete \nstranger on-line. 
Together, these results paint a picture of an \nunderserved population in San Francisco that is highly vulnerable to \ninternet fraud.\n  <bullet> Nearly 26 percent of the underserved respondents reported \n        that they have been a target of a cyber scam, compared with 15 \n        percent for the comparison group.\n  <bullet> Nearly a third (31 percent) of those scammed have been \n        scammed 3 times or more.\n  <bullet> Forty percent of underserved respondents reported that their \n        computer and/or phone has been infected by a virus at least \n        once.\nAWARENESS OF CYBER CRIME VICTIMHOOD\n    Although many underserved respondents reported being a victim of \ncyber crime, an equally large number of respondents are not aware \nwhether they have been a victim to a cyber scam, if their devices have \never had a virus, or if they ever provided personal information to a \ncomplete stranger on-line.\n  <bullet> Nineteen percent of underserved respondents do not know if \n        they have ever been a victim to a cyber scam.\n  <bullet> Forty-one percent do not know if their device has ever had a \n        virus.\n  <bullet> Forty-four percent think they have provided personal \n        information to complete strangers on-line but cannot remember \n        the exact details.\nINTERNET WITHDRAWAL IS RELATED TO LOW CONFIDENCE\n    A significant portion of the underserved sample self-assess as \nhaving either ``high confidence'' (36 percent) or ``low confidence'' \n(38 percent) in their ability to protect themselves from on-line crime. 
\nHigh-confidence respondents can be described as being ``over-\nconfident'' in their cybersecurity skills while demonstrating poor \nlevels of precaution and possessing low levels of cybersecurity \nknowledge, while ``low-confidence'' respondents can be described as \nbeing ``overly concerned'' about existing risks on-line while \npossessing and demonstrating above-average cybersecurity knowledge and \nprecaution.\n  <bullet> Self-assessed ``low-confidence'' underserved respondents are \n        more concerned about the existence of cyber crime than \n        underserved and comparison group respondents.\n  <bullet> For example, 47 percent of low-confidence underserved \n        respondents do not use on-line banking due to cyber crime, \n        compared to 8 percent in the comparison group. These services \n        also include social media use, downloading software, and email.\n  <bullet> This suggests that trust and security play a larger role in \n        determining on-line service usage for the underserved as \n        compared to the comparison group.\nCYBERSECURITY ADVICE RESOURCES DETERMINE CYBERSECURITY OUTCOMES\n    Underserved respondents tend to rely on informal resources for \nadvice about cybersecurity which leads to worse cybersecurity outcomes. \nIn fact using on-line resources for advice on cybersecurity is expected \nto increase a respondent's cybersecurity index score by roughly 0.23 \npoints. The only other predictor with a statistically significant \ncoefficient is Educational Attainment--the higher the level of \nschooling achieved, the higher will be the cybersecurity index score.\n  <bullet> 39 percent of underserved respondents rely on friends/\n        relatives for cyber advice\n  <bullet> Only 21 percent of underserved respondents refer to \n        websites, and 7 percent refer to Government websites.\n  <bullet> More than a third of respondents (34 percent) do not seek \n        cybersecurity advice from any resource. 
Comparison group \n        respondents are more likely to seek help (82 percent) and are \n        more than twice as likely to rely on websites for cybersecurity \n        advice (48 percent).\n                            recommendations\n    Federal, State, and local governments have a variety of options and \napproaches available to improve cybersecurity awareness of underserved \npopulations.\nGAIN AN UNDERSTANDING OF THE SITUATION IN YOUR COMMUNITY\n    The Federal Government should work with cities seeking to improve \ncybersecurity awareness of local underserved populations to gain a \nbaseline understanding of their specific situation. They can do this by \ndesigning and directing funds toward surveys or informational workshops \nto assess major areas of interest and/or lack of knowledge among \nresidents. Based on my experience, I recommend partnering with local \ncommunity organizations that serve low-income residents, English \nlanguage learners, and senior citizens. In addition to assessing \ncybersecurity awareness, use this initial outreach as an opportunity to \nassess what modes of training (e.g. 1-hour workshops, half-day \nworkshops, etc.) might be most suitable for different constituencies. \nIt is also important to identify what translation or technology \nresources might be required to facilitate trainings for the largest \nnumber of underserved citizens.\nDEVELOP TAILORED TRAININGS TO BOOST CYBERSECURITY AWARENESS\n    Many cities already offer (or are planning to offer) digital \nliteracy trainings. My findings suggest that such programs should \ninclude explicit targeted cybersecurity awareness and training \ncomponents, which the Federal Government can direct funds toward. 
A \ncustomized cybersecurity awareness program that is tailored to the \nspecific needs of the community--with topics and content prioritized on \nresearch-based understanding of the local community's specific needs--\ncould help improve the knowledge and skill level of participants, which \nwould improve cybersecurity outcomes and increase internet service \nengagement. Potential long-term benefits include improved economic and \nsocial indicators for members of the underserved population.\n    Trainings should be customized for different audiences, and should \ntarget areas where citizens possess lower levels of digital literacy. \nTrainers should also incorporate an awareness of the cultural \nsensitivities and trust habits of the disparate communities. Analysis \nof survey responses from San Francisco, for example, suggests that \nrespondents from different communities access different knowledge \nsources. For example, while a larger percentage of Hispanic/Latino \nrespondents rely on teachers for advice on matters of cybersecurity, \nAfrican American and Caucasian respondents said they are more likely to \nrefer to websites, while Asian respondents are more likely to refer to \nfriends and relatives.\nDEVELOP A PUBLIC SERVICE CYBER HYGIENE CAMPAIGN\n    The Federal Government can promote cyber-hygiene awareness and \nsuggest best-practices through public service announcements and a \ncybersecurity campaign on television, in schools, digital platforms, \npublic libraries, radio, and other communication channels.\nPUBLIC-PRIVATE PARTNERSHIPS\n    In addition to providing training to residents directly, the \nFederal Government has the opportunity to partner with private-sector \ntechnology companies and service providers to address system-level \ncybersecurity concerns, such as the technological protections that are \nbuilt into devices and systems. 
Effective system-level protections make \nit easier for residents to maintain good cyber hygiene.\nDEVELOP A CYBERSECURITY ADVICE WEBSITE\n    Members of the public already have access to reliable and free \nresources for cybersecurity, including the United States Computer \nEmergency Readiness Team advice website.\\10\\ Yet in many cities, \ninformation about cybersecurity and related resources is disaggregated \nand difficult to find.\n---------------------------------------------------------------------------\n    \\10\\ ``Tips.'' Virus Basics/US-CERT. Accessed September 11, 2018. \nhttps://www.us-cert.gov/ncas/tips.\n---------------------------------------------------------------------------\n    The Federal Government can work with private-technology firms to \ndevelop reliable websites that provide cybersecurity advice. It may be \nfeasible to develop a phone chatbot that can help residents with basic \ninformation security questions.\\11\\ Such chatbots can be designed to \ncommunicate in several languages, and provide clearly defined answers \non core cybersecurity knowledge questions, as well as offer step-by-\nstep instructions based upon best practices. Chatbots should also be \ndesigned to be highly secure and transparent, with reminders to users \nnot to share personally identifiable information, as this software \ncould in theory be vulnerable to attacks aimed at capturing data and \nsubverting the quality of information provided.\\12\\\n---------------------------------------------------------------------------\n    \\11\\ Security chatbots have become increasingly popular over the \nlast few years. For example, Endgame developed Artemis, a language \nagnostic platform that integrates to Amazon's virtual assistant Alexa \nand provides cybersecurity advice to analysts. See ``Four Ways Chatbots \nAre Transforming Cybersecurity.'' Endgame. June 16, 2017. Accessed \nSeptember 11, 2018. 
http://www.endgame.com/blog/executive-blog/four-\nways-chatbots-are-transforming-cybersecurity.\n    \\12\\ ``Expect a New Battle in Cyber Security: AI versus AI.'' \nSymantec. Accessed September 11, 2018. http://www.symantec.com/blogs/\nexpert-perspectives/ai-versus-ai.\n---------------------------------------------------------------------------\nPARTNER WITH COMPANIES TO DEVELOP APPS FOR USE ON OLDER AND UNSUPPORTED \n        PHONES\n    Underserved populations tend to use older smartphones that are \noften unsupported by software makers. As a result, older smartphones \nare not guaranteed to get new security updates, and some software \nupdates for older devices are not compatible with new phones.\\13\\ This \nis especially a problem for users with Android phones, where the market \nconsists of hundreds of smartphone manufacturers using different and \nmodified versions of Android's OS. According to Google's own figures, \ntwo-thirds of Android devices world-wide run older versions of the OS \nthat are no longer receiving security updates.\\14\\ For Apple's iOS \ndevices, that figure is 5 percent.\\15\\ Apple does provide software \nupdates to phones older than 5 years. Even if they follow best \npractices in cyber hygiene, users with older smartphones are still \nhighly vulnerable to cyber crime because patches are not automatically \ninstalled for known vulnerabilities.\n---------------------------------------------------------------------------\n    \\13\\ For more on security updates and smartphone compatibility, \nrefer to Emspak, Jesse. ``When Does an Old Smartphone Become Unsafe to \nUse?'' Tom's Guide. April 09, 2017. Accessed September 11, 2018. http:/\n/www.tomsguide.com/us/oldphones-unsafe,news-24846.html.\n    \\14\\ ``Distribution Dashboard/Android Developers.'' Android \nDevelopers. Accessed September 11, 2018. https://developer.android.com/\nabout/dashboards/.\n    \\15\\ Apple Inc. 
``App Store.'' Purchase and Activation--Support--\nApple Developer. Accessed September 11, 2018. https://\ndeveloper.apple.com/support/app-store/.\n---------------------------------------------------------------------------\n    The Federal Government should engage smartphone manufacturers like \nApple, Google, and Samsung to develop workarounds that protect older \nsmartphones that cannot accept the latest round of security updates. \nThese workarounds could include prompting older smartphones to activate \ndevice encryption settings, password manager apps, virtual private \nnetworks (VPN), and two-factor authentication software. Companies that \ndevelop operating systems should also be asked to develop stricter app \nsecurity review and enforcement guidelines that can review the catalog \nof existing apps as well as newly-submitted apps for security bugs.\n    As a potential challenge, Google has little control over the \nupdates sent to Android phones in which the OS has been heavily \nmodified by the manufacturer, who in many cases retains control over \nsoftware updates. The Federal Government will need to develop a \nstrategy with Google to reach smartphone manufacturers who are outside \nof the Google software update landscape.\nCREATE A DIGITAL PHISHING/SCAM COALITION\n    More than half of all emails are spam \\16\\--and that figure \ncontinues to rise. Spam is the primary delivery mechanism for cyber \nattacks like phishing and malware.\\17\\ And while phishing attacks \ndisguised as fake invoice emails are a popular form of phishing, there \nare 9 other forms of phishing emails that are harder to spot, such as \nMail Delivery Failure emails and order emails. 
In fact, reports of W-2 \ntax filer phishing scams--one of the most dangerous and effective email \nphishing scams, according to the IRS \\18\\--increased by 870 percent \nbetween 2016 and 2017.\n---------------------------------------------------------------------------\n    \\16\\ ``Latest Intelligence for August 2017.'' Symantec. Accessed \nSeptember 11, 2018. https://www.symantec.com/connect/blogs/latest-\nintelligence-august-2017.\n    \\17\\ ``2018 Internet Security Threat Report.'' Symantec. Accessed \nSeptember 11, 2018. http://www.symantec.com/securitycenter/threat-\nreport.\n    \\18\\ ``Dangerous W-2 Phishing Scam Evolving; Targeting Schools, \nRestaurants, Hospitals, Tribal Groups and Others.'' Internal Revenue \nService. Accessed September 11, 2018. http://www.irs.gov/newsroom/\ndangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-\nhospitals-tribal-groups-and-others.\n---------------------------------------------------------------------------\n    To address this challenge, the Federal Government should build \ncoalitions of organizations that can target popular and successful \nphishing scams. Models for such public-private initiatives include the \nDigital PhishNet initiative, developed jointly by the FBI's National \nCyber-Forensics & Training Alliance,\\19\\ and the Advance Fee Fraud \nCoalition, developed by African Development Bank, Microsoft, Yahoo, and \nthe Western Union Company.\\20\\ Companies should target overlapping \nscams and phishing efforts by utilizing contacts in the private sector.\n---------------------------------------------------------------------------\n    \\19\\ The Digital Phishnet (DPN) collects and develops intelligence \nregarding high priority and sophisticated phishing and identity theft \nschemes. DPN uses threat intelligence received from approximately 300 \ncompanies. 
For more visit: http://www.ncfta.net/.\n    \\20\\ The collaborative effort was designed to educate internet \nusers so they are better able to protect themselves against fraudulent \nactivities on-line and to improve INTERPOL's data collection efforts on \ncyber fraud. For more on this: http://www.affcoalition.org/.\n---------------------------------------------------------------------------\n    Federal Government officials can also partner with international \ninitiatives such as the Unsolicited Communications Enforcement Network \n(UCENET),\\21\\ which identifies and shares threats to the broad on-line \ncommunity and facilitates enforcement compliance checks. Private-sector \nrepresentatives are encouraged to designate a spam enforcement contact, \ncoordinate with law enforcement agencies, and report on new technology \ntrends that affect anti-spam strategies.\n---------------------------------------------------------------------------\n    \\21\\ Formerly known as the London Action Plan (LAP): https://\nwww.ucenet.org/history/.\n---------------------------------------------------------------------------\n                               conclusion\n    It has been an honor to appear before this distinguished panel of \npolicy makers and practitioners. Thank you, Chairman Richmond and \nRanking Member Katko, for your dedication to addressing cybersecurity \nvulnerabilities, and for thinking about ways in which the Federal \nGovernment can assist State and local efforts.\n    Promoting cyber hygiene through trainings, public service \ninitiatives, and public-private partnerships can lead to significant \ngains in the lives of underserved populations and protect businesses as \nwell as Government systems from cyber threats. But to achieve these \ngains, State and local governments will require support and guidance \nfrom the Federal Government. It is my hope that policy makers recognize \nthe challenges ahead and rise to the occasion. 
Thank you and I will be \nhappy to answer any of your questions.\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Mr. Richmond. Thank you, Mr. Sultan.\n    We now have Mr. Cilluffo.\n\nSTATEMENT OF FRANK J. CILLUFFO, DIRECTOR, MC RARY INSTITUTE FOR \n      CYBER AND CRITICAL INFRASTRUCTURE, AUBURN UNIVERSITY\n\n    Mr. Cilluffo. Thank you, Chairman Richmond, Ranking Member \nKatko. A real privilege to have Chairman Thompson here. Of \ncourse, the great Ranking Member and Congressman from the State \nof Alabama, Mr. Rogers. It is a privilege to join you today.\n    As we all know, cybersecurity challenges are daunting \nenough to deal with at the Federal level. At the State and \nlocal, Tribal and territorial levels, where resources and, in \nmany cases, expertise are in relatively shorter supply, these \nchallenges are exponentially more difficult to tackle. \nRecognizing this mismatch and taking steps to address it is an \nabsolute imperative. Your leadership in confronting this issue \nhead-on today and in legislation that I am happy to hear coming \nfrom both the Chairman and the Ranking Member that is \nreportedly under discussion is commendable.\n    For too long, State and local have been an afterthought in \nour National cybersecurity planning efforts. This must change. \nStates and localities perform many essential functions, as you \nmentioned, Mr. Chairman, that affect real people every day 24/\n7. The potential consequences are serious. Bear in mind that \ncyber threat actors can cause loss of life, property damage, \nand, of course, financial loss by disrupting critical \ninfrastructure or using ransomware and other forms of malware.\n    The bad guys have taken notice, including that State and \nlocal are softer targets and are increasingly in their \ncrosshairs. The ransomware incidents that victimized in Atlanta \nand Baltimore are case in point but are by no means the end of \nthe story.\n    The scale and scope of the problem is striking. 
Data on \nreported ransomware attacks reveal that 48 States and the \nDistrict of Columbia have been hit. Targets include police and \nsheriff departments, schools and libraries, health agencies, \ntransit systems, courts, and the list goes on and on and on. No \njurisdiction is too small or too large.\n    While ransomware might be front and center right now, and \nunderstandably so, we need to recognize that the cyber threat \nlandscape includes many more disruptive and destructive \nmodalities of attack. Quite honestly, ransomware is at the low \nend of the most concerning cyber potential attacks we can \nwitness. Cyber attackers will continue to target weak links. \nThat is the bottom line.\n    Cyber needs at the State and local level are truly many. \nMore money, more experts, more tools, more threat intelligence \ninformation sharing and awareness, more collaboration between \ngovernments and industry, among governments, and regionally, \njust to name a few.\n    Against this background and backdrop, what should the \nFederal Government do? I think Mr. Duffy hacked my email \nbecause my recommendations are very similar to his.\n    First, as things now stand, less than 4 percent of grant \nmonies from the Homeland Security Grant Program are directed to \ncybersecurity. This is clearly not reflective of current threat \nenvironment. Congress should enact a dedicated Federal grant to \nshore up State and local cybersecurity capabilities through \nCISA at the Department of Homeland Security. It should be risk-\nbased, have built-in metrics, and include a level of matching \nfunds, since simply throwing money at the problem is not the \nanswer. Topping the list of needs include identifying highest-\nvalue assets, exercises, training, and, of course, technical \nsupport.\n    Second, CISA should expand its field presence to provide \ntechnical assistance and incident response support. 
In effect, \na geek squad for those really bad days so the mayor could call \nsomeone.\n    No. 3, pull a page and leverage lessons learned from the \nemergency management community by building regional approaches \nto capacity building and pooling of resources and expertise \namong States to offer mutual assistance. The EMAC model in \nemergency preparedness environment has served us well and I \nthink ought to be replicated and tweaked for cyber.\n    No. 4, obviously circumscribed election assistance since \ntrust and faith in the electoral process is the very bedrock of \nour democracy. Some good momentum here, but we need to continue \ndoubling down and make sure we are ready for the next round of \nelections.\n    So while I touched largely on technology training, incident \nresponse, and work force, this is by no means exhaustive.\n    I want to close on a little bit of a good news story, and \nthat is this is not all the Federal Government's problem, of \ncourse. The Federal Government can, must, and should do more to \nsupport our men and women at State and local, but ultimately \nthere is a lot of good activity occurring at the State and \nlocal level, and I think it should be recognized.\n    One in particular I am proud of, and I might be biased, \nbecause I serve as a trustee, but in the State of Alabama, they \nhave created a new magnet school focused 7 through 12 grade for \ncyber and engineering. This is what we need to do. When we talk \nwork force, it is not only at the collegiate level, at the \nplaces of higher learning like my great university, but it is \nreally at the K-12 level. I think we need to be spending more \ntime, more money, more resources to be able to get them and get \nthem young, because they are the women and men who are going to \nbe driving the solution sets going forward.\n    So I have never had an unspoken thought. I can go on \nforever, but I will close here. The one thing, Mr. 
Chairman, I \nshould say is, while I am testifying on behalf of the McCrary \nInstitute, a lot of these thoughts came from a committee I \nchaired for the Homeland Security Advisory Council that I was \nco-chair. I am just not speaking on behalf of DHS.\n    So thank you, Mr. Chairman.\n    [The prepared statement of Mr. Cilluffo follows:]\n                Prepared Statement of Frank J. Cilluffo\n                             June 25, 2019\n    Chairman Richmond, Ranking Member Katko, and distinguished Members \nof the subcommittee, thank you for this opportunity to testify before \nyou today. As we all know, cybersecurity challenges are daunting enough \nto deal with at the Federal level. At the State, local, Tribal, and \nterritorial (SLTT) levels, where resources and in many cases expertise \nare in relatively shorter supply, these challenges are exponentially \nmore difficult to tackle. Recognizing this mismatch and taking steps to \naddress it is an absolute imperative in a country as large, varied, and \ndecentralized as the United States.\n    Your leadership in confronting this issue head-on today and in \nlegislation that is reportedly under discussion \\1\\ is deeply \ncommendable as these are important steps in breaching a real and \npressing gap in our National and economic security posture. We must \nwork to safeguard the continuity of commerce and the delivery of \nmission-critical services for the American people. 
Unless and until we \nfoster and have in place a robust baseline capability across the board, \nfrom a State and local standpoint, we will remain more vulnerable than \nwe ought to be to nation-state and non-state cyber actors with \nmalicious intent.\n---------------------------------------------------------------------------\n    \\1\\ Maggie Miller, ``House Homeland Security Republicans to \nintroduce slew of cybersecurity bills,'' The Hill (June 18, 2019), \nhttps://thehill.com/policy/cybersecurity/448971-house-homeland-\nsecurity-republicans-to-introduce-slew-of-\ncybersecurity?wpisrc=nl_cybersecurity202&- wpmm=1.\n---------------------------------------------------------------------------\n    In testifying before you today, I will be sharing thoughts about \nhow to move forward smartly. These ideas pertain only to those Federal \nentities that fall within the jurisdiction of the committee. Moreover, \na number of these recommendations are based on the May 2019 Interim \nReport of the Homeland Security Advisory Council's State, local, \nTribal, and territorial cybersecurity subcommittee.\\2\\ I served as co-\nchair of that effort, together with Paul Goldenberg (co-chair) and \nRobert Rose (vice-chair). However, I testify before you today in my \ncapacity as director of Auburn University's McCrary Institute for Cyber \nand Critical Infrastructure Security.\n---------------------------------------------------------------------------\n    \\2\\ https://www.dhs.gov/sites/default/files/publications/\n19_0521_final-interim-report-hsac-state-local-tribal-territorial-\nsubcommittee.pdf.\n---------------------------------------------------------------------------\n                           setting the scene\n    State and local governments face the full panoply of threats that \nthe Federal Government does, from hostile nation-state actors to cyber \ncriminals and everything in between. 
To the extent that the Federal \nGovernment is effectively outgunned and outmatched in this fight, the \nState and local level are all the more so. The potential consequences \nare serious: Bear in mind that cyber threat actors can cause loss of \nlife, property damage, and financial loss by disrupting critical \ninfrastructure operations or other means.\n    Nor is the cyber threat spectrum static. It continues to expand and \nevolve, sharpening focus on State and local targets. The ransomware \nincidents in Atlanta \\3\\ and Baltimore \\4\\ that disrupted city \noperations are cases in point and by no means will they be the end of \nthe story. To the contrary, the scale and scope of the problem is \nstriking, affecting everywhere from relatively robust States to major \nmetropolitan areas to smaller cities and counties. Data on reported \nransomware attacks reveal that 48 States and the District of Columbia \nhave been hit. Targets include police and sheriff departments, schools \nand libraries, health agencies, transit systems, and courts--the list \ngoes on and seemingly, no jurisdiction is too small or too large to go \nunaffected. 
The first known case of ransomware targeted the Swansea \nPolice Department in Massachusetts in November 2013 and since then \nentities from Anchorage to Augusta have joined the ranks.\\5\\\n---------------------------------------------------------------------------\n    \\3\\ Benjamin Freed, ``One year after Atlanta's ransomware attack, \nthe city says it's transforming its technology,'' StateScoop (March 22, \n2019), https://statescoop.com/one-year-after-atlantas-ransomware-\nattack-the-city-says-its-transforming-its-technology/.\n    \\4\\ Emily Stewart, ``Hackers have been holding the city of \nBaltimore's computers hostage for 2 weeks,'' Vox (May 21, 2019), \nhttps://www.vox.com/recode/2019/5/21/18634505/baltimore-ransom-robbin-\nhood-mayor-jack-young-hackers.\n    \\5\\ Allan Liska, ``Early Findings: Review of State and Local \nGovernment Ransomware Attacks'' (Recorded Future: 2019), https://\ngo.recordedfuture.com/hubfs/reports/cta-2019-0510.pdf.\n---------------------------------------------------------------------------\n    Cyber attackers and adversaries will continue to target weaker \nlinks in the U.S. chain so long as it remains profitable or otherwise \nbeneficial to these threat actors to do so. To make matters worse, the \ninternet of things with all that it entails from smart cars to smart \ncities and beyond will expand the surface of attack by orders of \nmagnitude. Security must therefore be more than a footnote or \nafterthought, especially where critical infrastructure is concerned. In \naddition, both cyber and physical infrastructure are vulnerable to \nattack, and the one can cause disruption or destruction in the other. \nThis convergence of cyber domain and the physical world is another \nsignificant feature of the threat landscape.\n    Looking ahead, State and local infrastructure and the cyber \nvulnerabilities that inhere in it will take on added salience for \ndefenders and attackers alike. 
Election year 2020 reinforces the point: \nStates and local communities will again be at the tip of this spear, \ntaking a multiplicity of approaches to administering voting. There is \nno one model or mechanism of cybersecurity governance in use at the \nState level, whether for elections or taken more broadly. Approaches \nare varied and so too are capabilities. The same is true at the local \nlevel, only more so.\n    There are examples and pockets of State and local government \ncybersecurity excellence to be sure; but there are also significant \ngaps and seams where the Federal Government can help and can do so \nwithout subverting the principle that the level of government that is \nclosest to the people knows best how to serve them. Cyber needs at the \nState and Local level are many: More money, more experts, more tools, \nmore information/awareness and more collaboration (between Government \nand industry, and among governments and regions)--to name just a few.\n    Against this background what can and should the Federal Government \ndo? How best can the Federal Government leverage its resources in the \nbroadest sense of the word, to help State and local governments amplify \ntheir strengths and mitigate their weaknesses? Enhancing the pool of \nfinancial resources available to support a range of cybersecurity \npurposes is just one--albeit very important--way. Other ideas are set \nout below.\n                         moving forward smartly\nDirected Federal Funding\n    Funding is crucial of course and building capability is impossible \nwithout it. Purchasing, maintaining and upgrading equipment, hardware, \nand software comes at a financial cost. So too does recruiting and \nretaining skilled workers. Educating the next generation and expanding \nthe cyber workforce by training or retraining the existing talent pool \nalso requires an investment of dollars, time, and effort. 
For all of \nthese purposes and more, a Federal grant program to shore up State and \nlocal cybersecurity capabilities is needed and long overdue. As things \nnow stand, less than 4 percent of grant monies from the Homeland \nSecurity Grant Program are directed to cybersecurity. This is not a \ntenable situation. Nor is the answer to redirect existing monies for \ncyber purposes. Robbing Peter to pay Paul simply will not work.\n    A dedicated Federal grant program should have built-in safeguards \nto ensure that there is return on Federal investment in the form of \nmeasurable State/local and by extension National capabilities. Simply \nthrowing Federal money at the problem is not the answer. Instead, there \nmust be a thoughtful strategy and accompanying metrics to support the \nrequest for funds and any subsequent grant. The program would therefore \nbe risk-based and tailored to particular context. Among the purposes \nthat such a program could and should support would be both State-level \nand regional exercises. Notably momentum for directed Federal funding \nis building as evidenced for example by the recommendations in the May \n2019 Interim Report of the Homeland Security Advisory Council's State, \nlocal, Tribal, and territorial cybersecurity subcommittee.\\6\\\n---------------------------------------------------------------------------\n    \\6\\  https://www.dhs.gov/sites/default/files/publications/\n19_0521_final-interim-report-hsac-state-local-tribal-territorial-\nsubcommittee.pdf.\n---------------------------------------------------------------------------\nAmplify Training Opportunities\n    The Federal Government could further assist by providing \nopportunities for State and local officials to gain and hone \ncybersecurity skills, as well as how to identify and counter foreign \ninfluence. While education and training programs certainly do exist \nthey are neither as numerous nor as evenly available across the country \nas would be ideal. 
A National focal point where those whose community \nis underserved by training opportunities could advance their skills and \ncareer and by extension the National interest, would serve us all \nwell.\\7\\ All the equipment, tools, and resources in the world will be \nof little assistance if the technical expertise needed to employ them \nto full advantage is not cultivated in the requisite official quarters.\n---------------------------------------------------------------------------\n    \\7\\ Note also that the HSAC's SLTT Cybersecurity Subcommittee \nInterim Report recommends the creation of a National Cybersecurity \nAcademy to train SLTT Government employees--an idea whose time has \ncome.\n---------------------------------------------------------------------------\n    Among the beneficiaries of such training could be State and Major \nUrban Area Fusion Centers, whose cyber-specific capabilities have long \nlagged behind their other homeland security and law enforcement \ncapabilities.\\8\\\n---------------------------------------------------------------------------\n    \\8\\ Frank J. Cilluffo, Joseph R. Clark, Michael P. Downing, and \nKeith D. Squires, Counterterrorism Intelligence: Fusion Center \nPerspectives (June 2012).\n---------------------------------------------------------------------------\nLeverage Lessons Learned\n    Over the past 20 years, the country has learned many lessons about \npreparing for, responding to, and bouncing back from major incidents \nsuch as terrorist attacks and natural disasters. These experiences have \nultimately made us smarter, stronger, and more resilient as a Nation, \nthough we still have a ways to go. 
Among these lessons is the value of \ntaking a regional approach to capacity building and mutual assistance, \nwhich builds upon existing relationships and arrangements, and follows \nlogically and naturally from proximity and geography, rather than \nduplicating efforts and according formal borders/boundaries undue \ninfluence. The EMAC--Emergency Management Assistance Compact--concept \nis as relevant here as in the traditional emergency management context. \nPioneered in the South, use of the construct has expanded over time \\9\\ \nand would transpose well to the cyber domain. The basic idea is to pool \nresources and expertise in order to offer mutual assistance.\n---------------------------------------------------------------------------\n    \\9\\ EMAC Overview (August 2006), https://www.fema.gov/media-\nlibrary-data/20130726-1726-25045-0915/060802emac.pdf.\n---------------------------------------------------------------------------\n    When it comes to cybersecurity, such an approach would for example \nhave States undertake planning, incident response, and resilience \nenhancement measures from a regional perspective. Here the Federal \nGovernment could and should act in support of these efforts including \nby acting to expand awareness of best practices and guidance on how \nbest to implement them.\\10\\\n---------------------------------------------------------------------------\n    \\10\\ Note that the HSAC's SLTT Cybersecurity Subcommittee Interim \nReport also highlights the value of a regional approach.\n---------------------------------------------------------------------------\n    A further lesson learned over time relates to recognizing the \nimportance of being out in the field rather than at headquarters. There \nis no substitute to having boots on the ground. 
To this end, the \nDepartment of Homeland Security's Cybersecurity and Infrastructure \nSecurity Agency (CISA) should extend its operations and work toward \nhaving State cybersecurity coordinators for all 50 States to provide \ntechnical assistance and incident response support. This would broaden \nand complement existing DHS efforts and field personnel (State \nCybersecurity Advisors) focused on community engagement and awareness \nas well as the provision of enhanced strategic advisory services. The \narrangements proposed here would also help convey and highlight the \nFederal consequence management capabilities and tools that can support \nand supplement State capabilities--in effect a bad day ``geek squad.''\nCircumscribed Election Assistance\n    One of the most significant cybersecurity challenges to State \ngovernments relates to the 2020 election and in particular preparing to \nadminister the vote and ultimately doing so. Protecting the integrity \nof the process from beginning to end is of paramount importance as this \nexercise provides the bedrock for our democracy; trust and faith in the \nprocess is the glue that binds us together. The Federal Government can \nand should share more widely and actively its unique informational and \nother assets with State-level counterparts for the targeted purposes of \nidentifying and mitigating threats in this context.\\11\\\n---------------------------------------------------------------------------\n    \\11\\ But note that the Multi-State Information Sharing and Analysis \nCenter (MS-ISAC) does yeoman's work in terms of amplifying situational \nawareness (for example by providing threat alerts to all 50 States and \nmanifold localities); and helping to coordinate incident response. 
For \ndetails, see https://www.cisecurity.org/ms-isac/.\n---------------------------------------------------------------------------\n    To be clear, this would involve concerted Federal efforts to create \nand maintain a rich picture of the threat from the National perspective \nand a companion effort to support State officials in responding \neffectively and timely to that dashboard as it specifically pertains to \nthem/their State.\\12\\ Such a division of labor is properly respectful \nof the division of powers and capitalizes upon the strengths that \nreside at each level of government. By working together in this way, \nthe Nation stands the best chance of defeating adversary attempts to \nexploit not just our technology but also our hearts and minds, by means \nof weaponizing information and influence. Fortunately, we are seeing \nsome positive indicators already, with (DHS) CISA deepening its \noutreach to and work with the Nation's Governors.\n---------------------------------------------------------------------------\n    \\12\\ A variation of this idea is proposed in the HSAC's SLTT \nCybersecurity Subcommittee Interim Report.\n---------------------------------------------------------------------------\n    This series of recommendations focuses on technology, training, \nincident response, and the workforce. The list is not exhaustive and \nspeaks instead to the actions that could have the highest impact on the \ncybersecurity challenges of greatest priority in the context of State \nand local government.\n                      ending on a good news story\n    In addition to assessing how the Federal Government can help State \nand local governments to address cybersecurity challenges, it is \nimportant to acknowledge that there is good work under way outside the \nFederal sphere and that State and local entities are taking substantial \nsteps to help themselves. 
Keep in mind that States have a correlative \nand on-going responsibility to lead and lean forward, and should not \nexpect the Federal Government to supplant State efforts or to be there \nall the time. In this regard consider for example the Alabama School of \nCyber Technology and Engineering (full disclosure: I serve on the \nSchool's Board of Trustees). This magnet school for grades 7 through 12 \nwill stand up in August 2020 in the Huntsville Research Park. Our \nvision for the ASCTE is to ``educate, develop, and inspire the next \ngeneration of leading National professionals and technologists in \nengineering and cyber technology.''\\13\\\n---------------------------------------------------------------------------\n    \\13\\ https://www.alabamasce.org/school.\n---------------------------------------------------------------------------\n    This effort complements the many cybersecurity programs and \ninitiatives including partnerships with industry and government that \nare under way at Auburn University and other educational institutions \nwithin the State of Alabama and in the Southeast more broadly. While \nthe coasts of this country tend to garner the bulk of attention when it \ncomes to coverage of cyber and science & technology matters more \ngenerally, it is important to recognize that other jurisdictions are \nquietly plowing ahead on significant efforts in these same issue areas \nthat are so critical to our National security. 
These under-reported \nsuccesses serve us all well since Federal measures alone will not get \nus to goal or keep us there even if they could.\n    Thank you once more for this opportunity to participate in this \nimportant conversation and assessment.\\14\\ I look forward to trying to \nanswer any questions that you may have.\n---------------------------------------------------------------------------\n    \\14\\ I would also like to thank my colleague Sharon Cardash, deputy \ndirector of the Center for Cyber and Homeland Security, for her \nassistance in preparing this testimony.\n\n    Mr. Richmond. Thank you, Mr. Cilluffo.\n    I thank all the witnesses for their testimony.\n    I will remind each Member that he or she will have 5 \nminutes to question the panel. I will now recognize myself for \nquestions.\n    The first question, I will just direct it to you, Mayor \nBottoms. Historically, cities and States have spent a much \nsmaller percentage of their overall budgets on cybersecurity \nthan Federal agencies and similarly situated private entities. \nA recent study from National Association of State Chief \nInformation Officers shows that most States spend only 1 to 2 \npercent of their overall IT budget on cybersecurity.\n    So the question for you would be, in Atlanta, what \nlimitations does your city face when trying to develop and \nimplement robust cybersecurity controls, strategies, and \nresource plans?\n    Ms. Bottoms. Thank you for the question. When we \nexperienced our cyber attack, it was very clear to us that we \nsimply were not prepared. It was not where we had made the \nnecessary investments.\n    People don't see cybersecurity. They see sidewalks, they \nsee potholes. We were allocating our resources accordingly and \nwe were also putting patches on gaping holes.\n    That being said, it is the reason that we did not pay our \nransomware, because we knew that we needed to build a stronger, \nsafer system. 
We have allocated resources accordingly. Now \nthere is also an expectation from the public that it is \nnecessary for us to budget for our cybersecurity network in the \nsame way that we budget for our other priorities within the \ncity.\n    We are also messaging that to the public, that this is \nequally a priority, and that messaging is a lot easier now, \nbecause the public has felt that impact. In many ways, people \nare becoming very sensitized to cyber attacks.\n    We are continuing to work with our private partners as \nwell. We are very fortunate in Atlanta that we have a very \nbooming tech industry, also with Georgia Tech and the Atlanta \nUniversity Center. So there is an interest in helping us in \nways that other cities may not have that benefit. But also, it \nis important that Federal funding trickle down into our cities \nto allow cities like Atlanta, and especially our smaller \ncities, opportunities to purchase cyber insurance and in the \nsame way that we did to be able to actually build the system \nthat is needed. Because in so many cities, that system simply \ndoes not exist at this point.\n    Mr. Richmond. As a chief executive of a city, how hard is \nit to retain the cybersecurity professionals and the talent \nthat you need to do this when we have a severe shortage of \ncybersecurity professionals and the private sector pays a lot \nmore than the public sector? So how are you addressing that \nchallenge, and how can we help with that?\n    Ms. Bottoms. It is extremely difficult for us, because we \nare competing with the private sector. We really are looking \nfor people and are fortunate that we have people who actually \nare interested in public service. But funding is always \nnecessary and would be extremely helpful for us to offset and \nto be able to compete accordingly.\n    We have increased our budget in our DIT department, but it \nis still not enough. 
It is always a challenge for us to attract \nand retain talent, because we simply cannot pay what the \nprivate sector pays.\n    Mr. Richmond. You mentioned it a second ago and you said \nthat now you are fortunate. When I look at our cities, and I \nwill just take my own, for example, that constituents are \nconcerned with sanitation being on time, street lights, police \nofficers, and potholes. The city of Atlanta is now very keenly \naware of the threat of cybersecurity.\n    What advice would you have for other mayors who have not \nbeen attacked yet but still face those competing pressures of \nreal brick-and-mortar infrastructure compared to cyber \ninfrastructure?\n    Ms. Bottoms. You have to plan and prioritize accordingly. \nWe were very fortunate in that it was not our 9-1-1 system, but \nit very well could have been. Ironically, our public may say \nthat they received a bit of a reprieve because they couldn't \npay traffic tickets and they couldn't pay their water bills.\n    But that being said, our cities must prioritize and \nanticipate in the same way that we anticipate for any other \nmajor disaster to hit our cities, because, really, that is what \nit is. It is simply a disaster when it hits your city.\n    Mr. Richmond. Well, I see that my time has expired, so I \nwant to thank the witnesses.\n    I will now recognize the Ranking Member, Mr. Katko, for 5 \nminutes of questioning.\n    Mr. Katko. Thank you, Mr. Chairman.\n    I want to make a couple of observations before I ask some \nquestions. First of all, Mayor Bottoms, I want to commend you \nfor having the political courage to stand up to this ransomware \nattack and not pay the ransom. That takes guts, and I commend \nyou for that.\n    Just out of curiosity, you said there was two Iranians that \nwere charged with this?\n    Ms. Bottoms. There were two Iranians.\n    Mr. Katko. Have they been brought to justice yet?\n    Ms. Bottoms. They have been charged. 
I am not sure what the \nstatus is. But we were very fortunate in that they were \nactually identified, which is very unusual, as I understand it.\n    Mr. Katko. Very unusual. That is why I am curious. Were \nthey in the United States or don't you know?\n    Ms. Bottoms. They were not.\n    Mr. Katko. OK. All right. Well, that is just a great \nexample of the threats that we face.\n    Mr. Duffy and Mr. Cilluffo, I think you both kind-of \ntouched on this, the importance of the Federal, State, and \nlocal partnerships. You know, as a Federal organized crime \nprosecutor, I would be dead without Federal, State, and local \ntask forces. It is really the same concept. The synergistic \nqualities of having all these different players come to the \ntable, work together under the same roof, there is no \nsubstitute for that. They all bring different strengths to the \ntable. I commend you for understanding how important that is as \nwell.\n    Mr. Cilluffo, I am very disturbed about the less than 4 \npercent of Homeland Security funds grant money going toward \ncybersecurity. You know, I was thinking back to pre-9/11. We \nhad plenty of alarms out there, and we didn't pay enough \nattention or prioritize those alarms, and we paid a dear price \nfor that.\n    It kind-of seems like we are doing the same thing again \nhere. We understand the concerns. The alarm bells are going off \nawfully loud. Before we have a catastrophic cyber event, we \nbetter get our act together and prioritize with more funding \nand more attention.\n    On a somewhat smaller but important scale, that is what \nthat bill I was talking about to you all was about. It would \ndevelop basically a front page for CISA so any State or local \ngovernment could go to that page and understand exactly where \nthe resources are instead of trying to fish around for them. 
So \nthat is step 1 of the bill.\n    Step 2 are to grant programs for State and local grants to \nidentify high-value assets so you can prioritize what needs to \nbe protected most, and then we can address those accordingly.\n    The third thing would be is to grant State and local \ngovernments--to provide grants to State and local governments \nto conduct exercises, tabletop and what have you, to train, \nprepare, and evaluate responsibilities.\n    So those are the things that I think are important. I would \nlike to hear feedback from all of you, if we have time, as to \nwhat you think about the bill and whether it would help. Mr. \nDuffy, you could start.\n    Mr. Duffy. Yes, I certainly think the bill would be very \nhelpful. You know, certainly the exercises are critical. I can \nsay that DHS and FEMA have been pretty active in the exercise \narea. They just held the National-level election exercise last \nweek. I know some of the House member staffs were participating \nin that.\n    There is a National cyber storm exercise coming up. There \nis a guard exercise coming up. Certainly, more exercises are \nneeded. More participants need to be active in the exercise \nprogram.\n    I think the State and local partnership is critical. A lot \nof States--I mean, 5 years ago, the States weren't doing much \nwith the local government relative to cybersecurity. That has \nchanged quite a bit. You know, they do recognize that the local \nsystem is connected to State. So local problems can become \nState problems in a hurry. State systems connect to Federal \nGovernment. So, again, State problems could be Federal problems \nin a hurry.\n    A lot of States, such as New York, Wisconsin, Iowa, have \nbeen using the Homeland Security money to help the local \ngovernments. I know New York State just released a $50,000 \ngrant to counties. So they are working on that.\n    Mr. Katko. Right.\n    Mr. Duffy. 
Certainly, Wisconsin is doing it with the State-\nwide incident response team using members of local \ngovernment as volunteers. So there is money out there, but they \nneed more of that.\n    Mr. Katko. All right. Message received.\n    Mr. Cilluffo.\n    Mr. Cilluffo. Well, Mr. Katko, I think the legislation, as \nyou laid it out, nails it. I mean, every one of those items is \nneeded and needed desperately. There is an old adage: Policy \nwithout resources is rhetoric. But it is more than just the \nresources. The resources are important. That puts skin in the \ngame. But at the end of the day, you do need to get to the \npoint that you can build the relationships.\n    The Joint Terrorism Task Forces, the JTTFs, those entities \nare worth more than any weight in gold in terms of building \ntrust between the women and men who have to work together in \nvery tough situations. So I do think that exercises--we \nshouldn't be picking up the playbooks on game day. We have got \nto be exercising this beforehand. We shouldn't be needing the \noffensive and defensive coordinators on game day. Everyone \nneeds to get to know one another.\n    While we are doing some of this at the Federal level, and \nCongressman Langevin knows very well, there is a commission \nlooking at some of how the interagency gets together that \nwe had the privilege to serve on together at the Federal level. \nBut that is not anywhere near where it needs to be at the State \nand local level. So whatever advocacy, count on me being there.\n    Mr. Katko. I am out of time, but I do want to observe that \nthis is perhaps one of the best qualified panels I have seen in \na hearing in quite a while, so I appreciate the witnesses.\n    I yield back.\n    Mr. Richmond. The gentleman's time has expired.\n    I now recognize the Chairman of the full committee, Mr. \nThompson, for 5 minutes.\n    Mr. Thompson. Thank you very much, Mr. 
Chairman.\n    Mayor Bottoms, one of the challenges we have as Members of \nCongress, people say, well, if you would just give us the \nmoney, we can fix it. But our challenge is, do we set \nparameters of guidelines with the money so that at the end of \nthe day we can measure how successful the goal has become?\n    So if Congress did somehow get in the business of helping \nState and locals fortify its cyber systems, do you see any \npushback with the resources coming with some criteria by which \nthe money would be sent?\n    Ms. Bottoms. Absolutely not, Mr. Thompson. What I see is it \nwould be welcome, because we have a challenge with, No. 1, \nhiring professionals as we compete with the private sector. \nAlso, in having--I believe it should be at least a baseline \nstandard with what our systems and security systems should be \nin place.\n    For many years, again, we were allocating small amounts of \nmoney per our budget toward our system, and we were not \naddressing the real needs and upgrading in the way that we \nshould. With this cyber attack, it made us allocate a much \nlarger portion of our budget than we ordinarily would have to \ndo something as simple as create the cloud. I think that with \npartnership with our Federal partners and with the allocation \nof resources, I think that it will help put cities on a much \nstronger footing and also create a baseline of standards that \nmany cities may not even be aware of until they are faced with \nsomething as disastrous as a cyber attack.\n    Mr. Thompson. Mr. Duffy, you talked a little bit about this \nin your comments. Do you want to share your opinion on that?\n    Mr. Duffy. Yes. I think anything when they are distributing \ngrant money, there certainly should be conditions relative to \nhow smart was the money spent. Just throwing money at the \nproblem is not the solution. Money has feet. 
One thing they \nneed to do is identify what their gaps are, what are their \nweaknesses, and identify how are they using that money to plug \nthose holes that are in their networks. What are the metrics \nyou want so they can prove that the money was well spent. As I \nsaid, throwing the money at it won't solve the problem. But \nmetrics and accountability should go hand-in-hand with any \ngrants that are out there.\n    Mr. Thompson. Mr. Cilluffo, are you comfortable with the \nresponses that have been received?\n    Mr. Cilluffo. Congressman Thompson, absolutely. I do just \nwant to underscore it is important. We have learned lessons the \nhard way after 9/11 in terms of how all the funds were \ndisbursed and used. But I think it is now a much more refined \nprocess, and I think we need to do the very same with respect \nto cyber.\n    I mean, we absolutely need the resources, but we need to \nalso make sure we are measuring what matters. The one thing \nthat I would like to see is a match coming from State and \nlocal, that they are committed, that they are willing to put a \npercentage of whatever outcome of their own resources to \nmaximize the impact. But it is needed.\n    Mr. Thompson. Thank you.\n    I yield back, Mr. Chairman.\n    I will yield my minute to the Chair.\n    Mr. Richmond. I just wanted to make a point. I am not \nneedling my colleagues on either side of the aisle, but this \ngoes back to the Federal Government and our role as the Federal \nGovernment of helping municipalities and others who are--some \nthings are beyond their capacity, whether it is talent-wise or \nmoney-wise.\n    So do you think that we can provide more cybersecurity in \nthis country with less money? Does anybody think we can provide \nmore cybersecurity with less resources?\n    Mr. Duffy. I would say no.\n    Mr. Richmond. OK. Can we secure more airports with less TSA \nagents? No?\n    Mr. Sultan. No.\n    Mr. Cilluffo. I think you can do more. 
That doesn't mean it \nis going to be 100 percent, because cybersecurity--it is not an \nend state.\n    Mr. Richmond. Well, no. My question is going toward this \ngeneral thing. When we go through our budget cycles, the mantra \nis usually we are going to do more with less. I am just asking, \nis this an area that we believe we can do more with less money, \njust like TSA?\n    I just wanted to highlight that we have different \nchallenges in this country in this time and day. It costs money \nto protect the American people. It is not that we just want to \nspend, spend, spend. What we really want to do is protect, \nprotect, protect our people, their assets, and their resources.\n    With that, I will recognize the gentleman from Texas, Mr. \nTaylor, for 5 minutes.\n    Mr. Taylor. Thank you, Mr. Chairman. I appreciate this \nhearing. I think this is important.\n    Just to kind-of go through one specific item that has come \nto my attention. Sometimes cities lose control of their data, \nright? So cities provide municipal services, water service, \nelectric service. They have everybody's address. They have got \ntheir phone numbers. They have got their credit card \ninformation.\n    Is there a standard or a Federal requirement of some kind \nto tell the consumer, to tell their citizens, hey, we have lost \nyour data, it got breached? Is there some kind of standard out \nthere that--I am not aware of one, but maybe you can tell me \nthat there is.\n    Mr. Duffy, do you know of a standard?\n    Mr. Duffy. Yes. Well, most States have a breach \nnotification law. So if there is a breach and the breach \nreaches a certain criteria relative to the number of \nindividuals that are impacted, there is a requirement that they \ndo notify the individuals.\n    Where it gets rather difficult is, say, someone's credit \ncard is compromised by a local town, and they may not have the \nperson's individual address to identify to contact them. 
So \nthen they have to work with their credit card company, because \nthey are the ones that have the relationship with the \nindividuals.\n    But I think almost every State, not quite every State, does \nhave breach notification laws.\n    Mr. Taylor. Did you want to follow up with that?\n    Mr. Sultan. Congressman Taylor, I do think--and people have \nattempted to move toward a National data breach notification \nlaw, which I think we really do need, because there is lots of \nconfusion. You have seen one State, you have seen one State. \nThat is a good thing. That is what a Federalist form of \ngovernment is.\n    But when it comes to data breach notification, we should \nhave consistency across the board. I know some of your \ncolleagues have pushed for this for a while. My argument is \nkeep pushing.\n    Mr. Taylor. Do you think it is incumbent on the Federal \nGovernment to devise standards for cities, counties, you know, \nsubdivisions of the U.S. Government to force cybersecurity? I \nmean, to have a Federal standard. Hey, this is--you need to \nrespond in this amount of time to this. You need to have this \nstandard of security.\n    Is that something that we should be looking toward doing, \nMr. Duffy?\n    Mr. Duffy. Well, I think, certainly, the standard should be \na goal that folks should strive to achieve. One of the things \nwe suffer from now, there are so many standards out there. \nThere are so many criteria. Just as I mentioned with the \nFederal auditors. I was speaking to a State chief information \nsecurity officer yesterday on this topic, and he told me that \nat the end of April, he had 4 different teams of Federal \nauditors on all asking different questions. Even the Federal \nGovernment doesn't ask the same questions.\n    Mr. Taylor. So who are the 4 different teams? Like where do \nthe 4 different standards come from?\n    Mr. Duffy. I can find out for you.\n    Mr. Taylor. OK. Mr. Cilluffo, do you----\n    Mr. Cilluffo. 
You know, I think that the private sector \nneeds to be part of whatever it is we are driving here. So I \nthink that there are standards that may not only be legislated, \nbut here is the--the reality is the private sector is on the \nfront lines of this war. Just like how many cities went into \nbusiness and how many companies went into business thinking \nthey had to defend against foreign intelligence services. It is \nan unlevel playing field. It is. But the question is, do we \nhave enough to know what a single standard is? I am not 100 \npercent sure. I am not smart enough to figure that out.\n    But I do think we have a series of them. I do think, at \nleast with data breach notification, that is something worth \nfighting for.\n    Mr. Taylor. Mr. Duffy, I think I cut you off. Did you want \nto finish?\n    Mr. Duffy. No. Just on the data breach notification. I \nthink the importance of a National standard is that businesses, \nespecially small businesses that are now on the internet and \ndoing business around the country, they now have to understand \nhow to respond to a data breach with regulations in place in 50 \ndifferent States. It is hard for them to be able to follow what \nthey need to do if there is a breach when there is 50 different \nregulations I have to follow.\n    Mr. Taylor. OK.\n    Ms. Bottoms. Mr. Taylor, may I just add, within hours of \nour attack, we went before the public to notify the public, \nbecause we didn't know if we were dealing with just a cyber \nransomware attack or if we were dealing with a data breach. We \nfound it extremely helpful to communicate that to the public, \nand it was appreciated. I think it gave us a little more \nleeway. The public was much more appreciative and patient with \nus during that recovery. So I do think it is helpful.\n    Mr. Taylor. Thank you.\n    I yield the balance of my time to the gentleman from New \nYork.\n    Mr. Katko. Thank you very much, my colleague.\n    Mr. 
Cilluffo, just a very quick question. As many cities \nlook to become smart cities, including the city of Syracuse, \nare they also considering, to your knowledge, cybersecurity \nrisks associated with an internet of things and additional \nconnectivity?\n    Mr. Cilluffo. Well, thank you, Congressman Katko. That is \nan issue that should keep everyone here up at night.\n    Mr. Katko. Indeed.\n    Mr. Cilluffo. Smart cities are amazing opportunities. But \nit also exponentially expands the attack surface and can touch \nindividual citizens directly that the only way to try to get \nour arms around this is to bake security into the design at the \nearly stages, design and planning stages of smart cities. So \nshame on us if we are not thinking about this, but easier said \nthan done.\n    The highways of tomorrow are going to be paved in silicon \nas much as they are in asphalt. The reality is, is this is the \nfuture, and to retrofit afterwards is going to be exceedingly \ndifficult, if not impossible. So big issue. Great opportunity. \nJust let's make sure it is not a footnote or an afterthought in \nour smart city planning.\n    Mr. Katko. Thank you, Mr. Taylor.\n    Thank you, Mr. Chairman.\n    Mr. Richmond. The gentleman's time has expired.\n    I now recognize the gentleman from Rhode Island, Mr. \nLangevin.\n    Mr. Langevin. Thank you, Mr. Chairman. Thank you for \nholding this hearing.\n    I want to thank our panel of witnesses, some of whom are \nvery familiar to me and I have had the opportunity to meet \nwith, so thank you for all that you are doing on this topic. I \nhave covered a lot of important issues, and concerning the data \nbreach notification, I agree. 
You know, we are focused right \nnow on a different topic, but I have got a bill in for a 30-day \ndata breach notification, which would be a 30-day Federal \nstandard, and I think that is something that we should move \nalong.\n    We talk about cyber work force, of course, and we shouldn't \nlook at this in terms of competition and try to--in terms of \nhow the local, State, or Federal Government can compete for the \ntalent that is out there. We really need to focus on growing \nthe pie itself, not just our piece of the pie at the local, \nState, or Federal. That is, obviously, looking more deeply into \nour educational system and how we can incentivize people going \ninto this field.\n    But let me go back to what we are talking about and the \nissue of what is the right balance of, you know, State, local, \nand Federal attention support on cyber. So I have been trying \nto draw attention to and prioritize cybersecurity now for over \na decade, and the problems of getting focus of dollars are, \nunfortunately, not new and they exist across the private sector \nand the Federal Government as well.\n    So one of my concerns, though, is that the Federal \ninvestments will supplant rather than complement State and \nlocal funding, and I don't want to see that. We see that \nbetween the--you know, with the private sector, even critical \ninfrastructure. We say the private sectors, you know, fine to \nsay--they are quick to say, if you want us to do more on \ncybersecurity, well, then, you pay for it, but, you know, \neverybody really does have a role here.\n    So for the panel, I wanted to ask, how can we better ensure \nthat cybersecurity is a priority for leadership in State and \nlocal governments? What will incentivize State and local \nleaders to make adequate investments in this space?\n    Mr. Duffy. 
One of the things that is happening recently \nwith the FEMA grants, I mentioned earlier that we conduct a \nNation-wide cybersecurity review of State and local \ngovernments, and right now, participation is voluntary. We have \nhad relatively high participation in the State, around 90 \npercent, but the local government has been low, and that is \nintended to identify gaps in the capabilities where they should \nbe investing their money.\n    With the new Homeland Security grant funding, there is a \nnew requirement that recipients and subrecipients must take the \nNation-wide cybersecurity review to find out, to identify where \ntheir gaps are, where their investments should be made. The \nnice thing about it, it is a confidential assessment, so the \ninformation on the assessment goes to them to help them develop \na strategy where they should be making their investments.\n    I certainly share your concern on it should not supplant \nfunds. You know, it should be for new initiatives. That is \nalways something that I think is real difficult for the \nguidance writers, but I defer to them on how they get that in \nthere.\n    Mr. Langevin. Anybody else on the panel care to comment?\n    Mr. Sultan. Congressman, I think it is a really good \nquestion. I have previously worked very closely with the city \nand county of San Francisco's administration, especially with \ntheir digital staff, and I think if the city administration \nbegan having a frank conversation with the digital staff that \nwork for the cities, they would understand that they are highly \nunequipped at this moment to deal with massive amounts of cyber \nattacks that are happening on a daily basis.\n    Right now, the cybersecurity staff are not solely focused \non cybersecurity. They usually have dual roles, and \ncybersecurity is usually a secondary role. So when they begin \nworking and focusing on cybersecurity, they have to read \ndocuments that range between 300 to 500 pages. 
These are \nreferred to as NIST documents that provide standards for \ncybersecurity.\n    So when you look at these overworked staff that have to \ndeal with cybersecurity standards, it can be incredibly \ncumbersome, frustrating, and difficult to deal with as the city \nisn't focusing on providing sole cybersecurity staff.\n    Ms. Bottoms. As one of the panelists mentioned, I think \nmatching funds in the same way that we seek matching funds for \ntransportation and infrastructure projects, I think that that \nwould be a great incentive for cities, because we are making \nthe investments but often not enough. But I think any \nopportunity for us to have matching funding will also encourage \nus to invest more on our end.\n    Mr. Langevin. I completely agree.\n    Mr. Cilluffo. Congressman Langevin, I was just going to \nbring up that other point. But also in the opening statement by \nRanking Member Katko, I think he said it was 1 or 2 percent of \nthe IT spend is going toward security. Best practice in the \nprivate sector is 8 to 11 percent. So we really do need to \nbridge that gap there, and I think Mayor Lance Bottoms said it \nstraight up, and the reality of matching funds would go a long \nway.\n    I think it is also great that you have the executive \ntestifying, not the CISO and--because ultimately, cybersecurity \nis an executive issue. It is not going to be relegated to the \nIT department. That is important, but it is ultimately \nunderstanding how cyber fits in to the risk of the company, \ncountry, or city.\n    Mr. Langevin. Very good.\n    Thank you all for your answers and your attention to this. \nI agree with a lot of what has been said, so thank you very \nmuch.\n    Mr. Chairman, I yield back.\n    Mr. Richmond. The gentleman from Rhode Island yields back.\n    Before I recognize the gentlelady from New York, Mayor \nBottoms, I understand you have a hard 4:15 stop?\n    Ms. Bottoms. OK.\n    Mr. Richmond. 
So let me just--before you get up, ask the \ngentlelady from Illinois and New York, do you have--did either \nof you have a specific question for the mayor?\n    Well, with that, Madam Mayor, thank you for leaving your \nbusy city and coming up here to provide valuable insight to \nthis committee. So with that, we will just pause and give you a \nsecond to break. We don't want you to miss your plane back to \nAtlanta.\n    Ms. Bottoms. Thank you.\n    Mr. Richmond. The Saints and the Falcons will see each \nother twice this year.\n    Ms. Bottoms. Thank you again.\n    Mr. Richmond. I now recognize the gentlelady from New York, \nMiss Rice.\n    Miss Rice. Thank you, Mr. Chairman.\n    This question is for any or all of you, the Ranking Member, \nMr. Katko, and I recently wrote to the New York Metropolitan \nTransportation Authority expressing concerns over the \npossibility of buying subway railcars from a Chinese state-\nowned entity. We did that because we were concerned that State \nand local governments don't have the proper resources to \nprepare for the threats posed by state actors since these types \nof National security decisions have typically taken place at \nthe Federal level.\n    How do we address this issue of supply chain--the supply \nchain issue at the local and State level?\n    Mr. Cilluffo. Miss Rice, I will take first crack. So I \ntestified recently before Transportation and Infrastructure on \nthe CRRC and State-owned enterprises and the concerns that \nposes for the country, and I think they are genuine, real \nrisks, especially when we start thinking about ZTE, Huawei, 5G. \nThis is going to be the underpinning of modern societies, and \nwe don't want it built on quicksand. So I think these are big \nissues.\n    It took Congress, though, to help bridge a gap because \nHuawei is cheap. It is much cheaper. 
When you are in a city and \na community and you want to do all you can for your citizens, \nyou are going to find the most cost-effective way to do that. \nSo you raise a really good question.\n    Miss Rice. Well, it is hard to ignore that, though, Mr. \nCilluffo----\n    Mr. Cilluffo. Impossible to ignore.\n    Miss Rice [continuing]. Because they always come in lowest \nbid. Always.\n    Mr. Cilluffo. They are subsidized, on top of it, and they \nhave got concessionary financing on top of that, so it is a \ntriple whammy against some of these States. But I think when \nthe Federal Government takes strong actions to ban certain \ntechnologies, that should be a nod toward State and local as \nwell.\n    Miss Rice. I totally----\n    Mr. Cilluffo. At least for Federal grants.\n    Miss Rice. Yes. I agree with you, and so, hopefully, we are \ngoing to get some answers there.\n    Mr. Cilluffo. Mr. Sultan, you mentioned this in your \nwritten testimony and, Mr. Cilluffo, you referred to the magnet \nschool for 7th through 12th graders. Can you just talk more \nabout that? Because I think one of the biggest problems that we \nhave in this field, on top of the funding--and you have all \nalluded to this as well--is the talent pool. We have to start \nbuilding a talent pool because these issues are not going to go \naway.\n    So can you explain, Mr. Cilluffo, a little bit more about \nthis magnet school? Do we have to be--I understand the \neducation and curriculum issues are run at the State level, but \nshould this be a mandatory curriculum?\n    Mr. Cilluffo. I will be very brief because I am sure Mr. \nSultan has some thoughts. I am very proud of this magnet school \nbecause we do need to get them younger. I used to run an MBA \nwith the focus on cybersecurity, and I would bring my students \nto a residency overseas in Estonia. In Estonia, you have got a \nsmall country, and I think you have been on a codel with Mr. 
\nMcCaul, they are teaching coding at kindergarten. So--and then \nonce you start hitting gumnaasium, or high school, they are \nalready going into that particular--we need something similar \nhere.\n    So we need to make sure that everyone is cyber aware and \nsavvy. So we have got to integrate cyber into all existing \ncurricula and then we need more ninjas. We do need more very \ndeep cyber expert work force, but we need both. I am really--\nand not just because I am the--we need more women, not only in \nSTEM but in cyber.\n    Miss Rice. Amen to that.\n    Mr. Cilluffo. Quite honestly, my students, they were the \nstrongest, but we really do need to attract different types of \nstudents to be part of that solution set. We are just missing \nout on too much talent.\n    Miss Rice. Well, we are just starting with the whole STEM \nreaching out to young girls--well, not just, but, you know, \nwithin the last 5 to 10 years, and this should be added to that \nfor sure.\n    Mr. Cilluffo. At the top of that list.\n    Miss Rice. Yes.\n    Mr. Sultan.\n    Mr. Sultan. I just want to add that cybersecurity trainings \nare incredibly difficult to accomplish successfully. What \nhappens is that, often, people become more scared after \ncybersecurity training. A lot of trainers use FAIR appeals very \neffectively and very ineffectively a lot of times. So what \nhappens is that the participants of these trainings become so \nafraid--and there is a lot of literature on how cybersecurity \ntrainings fail--that they begin to withdraw from using the \ninternet. They begin to withdraw from using key internet \nservices that could enrich their own lives. And so----\n    Miss Rice. How do you address that issue? I mean, it is \nwhat it is. It is frightening.\n    Mr. Sultan. It is frightening, but I think a lot of \nparticipants, at least those that I have interviewed and \nsurveyed personally, fall on a spectrum of confidence and \ntrust. 
If you understand where they fall on that spectrum, you \ncan actually change it very easily.\n    So often at times participants can have over low \nconfidence, low confidence that is below their actual \nunderstanding and skill level. So you can actually correct that \nthrough measures by trying to discuss with them what their \ncultural understanding, their background of cybersecurity is, \nwhere they get resources, how they can improve those resources, \nand overall improve their understanding of realistic threat \nassessment as opposed to exaggerating the threat assessment, \nwhich a lot of trainers do.\n    Miss Rice. Very interesting point. I have a lot more \nquestions, but my time is up. Thank you.\n    I yield back.\n    Mr. Richmond. The gentlelady yields back.\n    Now the gentlewoman from Illinois is recognized for 5 \nminutes.\n    Ms. Underwood. Thank you, Mr. Chairman, and thank you all \nfor calling today's hearing on this critically important topic.\n    Cybersecurity is a challenge for State and local \ngovernments across America, but the suburban and rural \ncommunities that I represent in northern Illinois don't have \nthe resources that big cities have, and as such, are at an \nincreased risk of cybersecurity attacks.\n    A city official told us that he relies heavily on informal \nnetworks with other city officials and on professional IT \nassociations, such as GMIS International, to ensure that the \ncity's cybersecurity needs are met.\n    Mr. Sultan, in your testimony, you referenced concerns for \ncybersecurity inequality between rural and urban or suburban \ncommunities. What steps could the Federal Government take to \nbridge this inequality gap?\n    Mr. Sultan. The Federal Government could support local \ngovernments, understanding where the baseline is for the rural \nareas and especially the urban areas as well. 
Figure out how \nlow-income households and how low-income communities fair in \nterms of their understanding and skill level on cybersecurity.\n    They can conduct surveys to better gauge where those \npopulations fall, and then they can actually conduct trainings. \nThey can actually partner with private technology companies to \nprovide software updates to phones that are outdated. They can \nprovide system level support. They can facilitate trainings \nwith the private technology companies, but not to supplant the \nFederal Government's networks with the populations, because you \ndon't want the private technology companies determining what \nthose trainings look like.\n    So there are a host of options for the Federal and local \ngovernments to improve and understand their populations' \ncybersecurity needs.\n    Ms. Underwood. Thank you. Do you have any recommendations \nfor rural communities that are at just the beginning stages for \nsetting up their infrastructure? You know, the idea that a \nlocal community would even know which private company to \napproach is something that I think we sort-of take for granted \nfor people that are just beginning to bolster their \ncapabilities.\n    Mr. Sultan. That is an excellent point, and I think that is \nwhere the Federal Government can play a really important role, \nbecause the Federal Government has the ability and the \nopportunity to connect with these private technology companies \nin ways that are far more realistic and centralized than local \ngovernments can.\n    They can also create public awareness campaigns, push them \nout into schools, push them out into television, on social \nmedia platforms, on radio. Because without a public awareness \ncampaign, people aren't going to be very interested in even \nparticipating in those trainings. I had to use a lot of \nincentives to get vulnerable populations to even come to \ndiscuss their needs about cybersecurity. 
So if you offer a \ntraining, the chances are they might not appear.\n    Ms. Underwood. Right. Do you have any advice for local \ngovernments to better educate their communities on the \nappropriate personal cybersecurity best practices?\n    Mr. Sultan. I think--in terms of staff?\n    Ms. Underwood. Uh-huh.\n    Mr. Sultan. I think with staff you can improve trainings, \nbut you can also simplify the cybersecurity documentation that \nthey are currently working with. They are using centralized \ndocumentation that spans hundreds of pages, they are fairly \ndry, not very interesting, and I think you can make trainings \nthat are more engaging. So instead of just trying to pass off a \ndocument to staff that probably have other responsibilities \nother than cybersecurity, they are probably responsible for IT \nand system infrastructure, you could focus on cybersecurity \nthrough engaging trainings. Those could be digital trainings. \nThey don't have to be personal trainings so they can scale \nbetter.\n    Ms. Underwood. Chairman Richmond recently convened this \ncommittee to address the lack of diversity in our talent \npipeline for the cybersecurity field. We touched on the need \nfor gender diversity in particular. But as you know, that there \nis a real high number, significant number of unfilled \ncybersecurity jobs across the country.\n    So, Mr. Duffy, do you have any feedback or ideas for what \nCongress and the Federal Government can do to attract more \nskilled cybersecurity professionals, particularly from diverse \nbackgrounds?\n    Mr. Duffy. Yes. One of the things you need to do is \ncertainly identify those individuals that may have not thought \nthey had a talent in cybersecurity. We work closely with the \nSANS Institute and with the Governors around the country with \nsomething called the CyberStart Program. This is something that \nis basically industry funded. Twenty-six Governors participated \nin this past year. 
What the program is, the schools develop \nthese programs or they try to identify individuals who may not \nhave an interest in technology but have a real aptitude. So how \ndo they go about finding those folks that have an aptitude but \nnot the interest, and that is what the program is about.\n    It is the third year of the program. The first year of the \nprogram, there--shouldn't be surprised, like 85 percent of the \nparticipants were boys. So in year two, they did it for girls \nonly because they wanted to deal with the gender issue. So this \nyear, they have a combination. One program is for the boys and \nthe girls, but yet a second program is just for the girls only \nbecause they are trying to work on the gender issue.\n    Ms. Underwood. Excellent. Well, it is my hope that as we \nhave models like this that private industry is supporting, that \nwe can count on the Cybersecurity and Infrastructure Security \nAgency to develop innovative programs to help States and local \nofficials who don't have expertise and maybe who don't have a \nlocal private company to sponsor something in their community. \nThis is something that is important everywhere and we want to \nmake sure that we are properly prepared.\n    Thank you all so much for being here.\n    Thank you, Mr. Chairman, for convening this hearing. I \nyield back.\n    Mr. Richmond. The gentlelady from Illinois yields back.\n    I want to thank the witnesses for their valuable testimony \nand the Members for their questions.\n    The Members of the committee may have additional questions \nfor the witnesses and we ask that you respond expeditiously in \nwriting to those questions.\n    I would ask unanimous consent to insert into the record \nwritten testimony in today's hearing from Talib Karim of \nSTEM4US!, Inc.\n    [The information follows:]\n            Statement of Talib I. Karim, CEO STEM4US!, Inc.\n                             June 24, 2019\n    Good afternoon. My name is Talib I. 
Karim, and I am a co-founder \nand chief executive officer for STEM4US!, Inc. As background, I have \nspent over 2 decades working on cybersecurity and other public policy \nissues. This includes serving chief counsel and legislative director to \nCongresswoman Sheila Jackson Lee, a senior Member of the Homeland \nSecurity Committee.\n    STEM4US! is a non-profit organization based in Washington, DC, that \nworks with universities, businesses, Government entities, and other \nnon-profits to scale investments, training, and promotion of the \ncybersecurity and other STEM fields. Our goal is to transform the STEM \nworkforce by creating 600,000 new cybersecurity professionals by 2030. \nTo ensure that the STEM field reflects the rich diversity of this \nNation, we aim to ensure that at least 50 percent of these new \ncybersecurity workers are African Americans, Latinos, and women. By \nfocusing on diversity, we can foster creativity and offer a range of \nperspectives and ideas in the cybersecurity realm.\n    Today, several factors impede the ability of State and local \ngovernments to protect critical infrastructures from cyber attacks. \nAmong these structural impediments are regulations at the State and \nlocal levels, limited resources, and an expanded attack surface. We \nwish to raise a few constructive points regarding this important topic.\n    First, insufficient funding and staff has been identified by \nmembers of State and local governments as one of the key barriers to \neffective cybersecurity. Without the necessary funding, it is difficult \nfor State and local governments to hire the qualified cybersecurity \nexperts necessary for providing cybersecurity protection. Cybersecurity \nexpenditure constitutes a small percentage of the overall budget: \nAccording to a 2015 report, most State cyber budgets are between 0-2 \npercent of the overall IT budget. 
This means that governments do not \nhave the resources or expertise necessary for a resilient cybersecurity \ninfrastructure. Therefore, it is imperative that cybersecurity becomes \na greater spending priority for governments. By addressing the lack of \nbudgetary resources, governments will be able to hire and retain a \ngreater number of cybersecurity personnel.\n    In order to achieve this goal, STEM4US! proposes what we've called \nthe ``Cybersecurity Pell Grant.'' Under this proposal, Congress would \nauthorize and appropriate $1.5 billion each year, for a 10-year period \nto fund free cybersecurity and related training. This training would be \noffered at 250 Historically Black Colleges and Universities and other \nMinority-Serving Institutions along with community colleges and high \nschools. If fully funded for 10 years, the grant could create more than \n600,000 new, more adequately trained American cybersecurity workers.\n    If our proposed legislation is enacted, the grants would support 15 \nweeks of cyber training. The tracks of the cyber training would include \ncyber defense and incident handling skills as well as drone maintenance \nand operations. Additionally, each training program would have the \ncapacity to train 300 students per year in 3 cohorts--spring, fall, and \nsummer. Therefore, through this initiative, STEM4US! would create a \npipeline of talented and skilled cybersecurity workers. These newly-\ntrained cyber workers would work for Government agencies or contractors \nin their respective communities. This, in turn, would create a Nation-\nwide network of cybersecurity personnel who would increase the \nresiliency of their State and local governments to cyber attacks. These \ngrants would result in a hardening of the Nation's critical \ninfrastructure.\n    Earlier this year, STEM4US! 
organized a fly in that allowed our \nstakeholders to meet with staff from this committee along other House \nand Senate leaders to discuss our ``Cybersecurity Pell Grants'' \nproposal. To advance this idea, we call on the Subcommittee Chair and \nRanking Member to partner and both sponsor a bill that would capture \nthis proposal.\n    The field of cybersecurity is one of the fastest-growing job fields \nin the Nation, but there is a critical shortage of qualified \ncybersecurity personnel. Therefore, there is a clear imperative to \nexpand the Nation's cybersecurity workforce. Our proposed \n``Cybersecurity Pell Grants'' would ensure that State and Federal \nGovernment agencies have an ample source of cybersecurity workers they \nneed to protect the Nation's cybersecurity infrastructure.\n    STEM4US! appreciates this opportunity to provide this testimony.\n\n    Mr. Richmond. Without objection, the committee record \nshould be kept open for 10 days.\n    Hearing no further business, the committee stands \nadjourned.\n    [Whereupon, at 4:25 p.m., the subcommittee was adjourned.]\n\n                                 [all]\n</pre></body></html>\n"