b"<html>\n<title> - RESOURCING DHS'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE FISCAL YEAR 2021 BUDGET REQUEST FOR THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY DIRECTORATE</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\nRESOURCING DHS'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE \n       FISCAL YEAR 2021 BUDGET REQUEST FOR THE CYBERSECURITY AND \n     INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY \n                              DIRECTORATE\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                     CYBERSECURITY, INFRASTRUCTURE\n                       PROTECTION, AND INNOVATION\n                       \n                                OF THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 11, 2020\n\n                               __________\n\n                           Serial No. 116-68\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n                                     \n\n        Available via the World Wide Web: http://www.govinfo.gov\n\n                               __________\n                               \n                              \n\n                    U.S. 
GOVERNMENT PUBLISHING OFFICE                    \n42-345 PDF                  WASHINGTON : 2021                     \n          \n--------------------------------------------------------------------------------------                               \n                               \n                               \n                               \n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nSheila Jackson Lee, Texas            Mike Rogers, Alabama\nJames R. Langevin, Rhode Island      Peter T. King, New York\nCedric L. Richmond, Louisiana        Michael T. McCaul, Texas\nDonald M. Payne, Jr., New Jersey     John Katko, New York\nKathleen M. Rice, New York           Mark Walker, North Carolina\nJ. Luis Correa, California           Clay Higgins, Louisiana\nXochitl Torres Small, New Mexico     Debbie Lesko, Arizona\nMax Rose, New York                   Mark Green, Tennessee\nLauren Underwood, Illinois           John Joyce, Pennsylvania\nElissa Slotkin, Michigan             Dan Crenshaw, Texas\nEmanuel Cleaver, Missouri            Michael Guest, Mississippi\nAl Green, Texas                      Dan Bishop, North Carolina\nYvette D. Clarke, New York           Jefferson Van Drew, Texas\nDina Titus, Nevada\nBonnie Watson Coleman, New Jersey\nNanette Diaz Barragan, California\nVal Butler Demings, Florida\n                       Hope Goins, Staff Director\n                 Chris Vieson, Minority Staff Director\n                                 \n                                 ------                                \n\n     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND \n                               INNOVATION\n\n                Cedric L. Richmond, Louisiana, Chairman\nSheila Jackson Lee, Texas            John Katko, New York, Ranking \nJames R. Langevin, Rhode Island          Member\nKathleen M. 
Rice, New York           Mark Walker, North Carolina\nLauren Underwood, Illinois           Mark Green, Tennessee\nElissa Slotkin, Michigan             John Joyce, Pennsylvania\nBennie G. Thompson, Mississippi (ex  Mike Rogers, Alabama (ex officio)\n    officio)\n               Moira Bergin, Subcommittee Staff Director\n           Sarah Moxley, Minority Subcommittee Staff Director\n                            \n                            C O N T E N T S\n\n                              ----------                              \n\n                               Statements\n\nThe Honorable Cedric L. Richmond, a Representative in Congress \n  From the State of Louisiana, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement\n  Prepared Statement\nThe Honorable John Katko, a Representative in Congress From the \n  State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement\n  Prepared Statement\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Prepared Statement\nThe Honorable Mike Rogers, a Representative in Congress From the \n  State of Alabama, and Ranking Member, Committee on Homeland \n  Security:\n  Oral Statement\n  Prepared Statement\n\n                               Witnesses\n\nMr. Christopher C. Krebs, Director, Cybersecurity and \n  Infrastructure Security Agency, U.S. 
Department of Homeland \n  Security:\n  Oral Statement\n  Prepared Statement\nMr. Andre Hentz, Acting Deputy Under Secretary for Science and \n  Technology, U.S. Department of Homeland Security:\n  Oral Statement\nMr. William Bryan, Senior Official Performing the Duties of the \n  Under Secretary for Science and Technology Directorate, Science \n  and Technology Directorate, U.S. Department of Homeland \n  Security:\n  Prepared Statement\n\n                                Appendix\n\nQuestions From Hon. Sheila Jackson Lee for Christopher C. Krebs\n\n \nRESOURCING DHS'S CYBERSECURITY AND INNOVATION MISSIONS: A REVIEW OF THE \n       FISCAL YEAR 2021 BUDGET REQUEST FOR THE CYBERSECURITY AND \n     INFRASTRUCTURE SECURITY AGENCY AND THE SCIENCE AND TECHNOLOGY \n                              DIRECTORATE\n\n                              ----------                              \n\n\n                       Wednesday, March 11, 2020\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n                            Subcommittee on Cybersecurity, \n                                 Infrastructure Protection,\n                                            and Innovation,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 11:05 a.m., in \nroom 310, Cannon House Office Building, Hon. Cedric L. Richmond \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Richmond, Thompson, Jackson Lee, \nLangevin, Rice, Underwood, Slotkin; Katko, Rogers, Walker, \nGreen, and Joyce.\n    Mr. Richmond. Good morning. 
I would like to thank Director \nKrebs and Acting Deputy Under Secretary Hentz to discuss the \nfiscal year 2021 budget priorities for the Cybersecurity and \nInfrastructure Security Agency, CISA, and the Science and \nTechnology Directorate, S&T.\n    Before I begin I would like to commend my colleague, \nCongressman Jim Langevin, for his work on the Cyberspace \nSolarium Commission.\n    The Solarium Commission's final report will be formally \nreleased hours from now, and I look forward to working with you \nand Chairman Thompson to codify important recommendations aimed \nat empowering CISA and better securing our elections.\n    I understand Director Krebs was very engaged in the \ncyberspace solarium. Toward that end, I will be interested in \nknowing if the fiscal year 2021 budget request from CISA is \nsufficient to implement the recommendations aimed at increasing \nCISA's capacity and, if not, what additional resources will be \nnecessary.\n    At the outset I want to debunk the myth that the Federal \nagencies can do more with less. I support eliminating waste and \nincreasing efficiency, but the fact is that with more you can \ndo more.\n    Technology is evolving and creating opportunities for our \nadversaries to hack critical infrastructure, disrupt our \nelections, and hold State and local government networks \nhostage. CISA must be equipped to be an effective Federal \npartner and S&T must be positioned to develop and identify \ntechnology to strengthen our defenses.\n    The President's fiscal year 2021 budget fails to do either \nof those important components. Last year committee Democrats \nled a bipartisan letter to appropriators seeking additional \nfunding for CISA's cybersecurity mission. 
Together we succeeded \nin increasing CISA's cyber budget by $350 million, accelerating \nefforts to secure Federal networks, and ramping up CISA's \nthreat analysis and response capabilities for private-sector \ncritical infrastructure owners and operators and State and \nlocal governments.\n    Despite bipartisan support for an increase in CISA's \ncybersecurity budget, the President's budget cuts it by over \n$150 million. I don't understand how a cut of that magnitude \nmakes communities trying to defend themselves against \nransomware attacks, Federal networks, or critical lifeline \nservices, from power to communications, any more secure.\n    Director Krebs, you know your mission. I want to know what \nresources you need to do it.\n    I would also like to express my concern about the \nadministration's decision to eliminate the CFATS program. To \nthe best of my knowledge, there is no intelligence that \nsuggests that the security risk to chemical facilities has \ndiminished. There is no evidence that a voluntary security \nframework will yield the same security results as a regulatory \nprogram. You can be certain that members of this committee will \nnot allow CFATS to expire.\n    I am also concerned about the administration's continued \nefforts to cut S&T. Last fall this committee held a hearing \nexploring the security threats posed by emerging technologies. \nDespite ample evidence that U.S. investment in research and \ndevelopment is lacking, this budget cuts research and \ndevelopment for cybersecurity, as well as important university \nprograms and centers of excellence. We cannot afford to \ncontinue to defer investments in R&D, and I will work hard to \nrestore funding.\n    Before I close, I want to make clear my expectation that \nMembers of this committee will receive accurate, candid \nintelligence about threats to our elections. 
Last month the \nintelligence community's assessment of whether the Russian \nGovernment's influence activities were intended to advance the \nPresident's re-election appeared to change overnight, because \nthe President did not like the intelligence. As Members of \nCongress, we must have the information necessary to understand \nthe threat and ensure you have budget and resources you need to \ndefend against sophisticated cyber threats.\n    With that, I thank the witnesses for being here, and I \nyield back the balance of my time.\n    [The statement of Chairman Richmond follows:]\n                Statement of Chairman Cedric L. Richmond\n                             March 11, 2020\n    The Solarium Commission's final report will be formally released \nhours from now, and I look forward to working with you and Chairman \nThompson to codify important recommendations aimed at empowering CISA \nand better securing our elections. I understand Director Krebs was very \nengaged in the Cyberspace Solarium.\n    Toward that end, I will be interested in knowing if the fiscal year \n2021 budget request for CISA is sufficient to implement the \nrecommendations aimed at increasing CISA's capacity and, if not, what \nadditional resources will be necessary. At the outset, I want to debunk \nthe myth that Federal agencies can do more with less. I support \neliminating waste and increasing efficiency, but the fact is that with \nmore you can do more.\n    Technology is evolving and creating opportunities for our \nadversaries to hack critical infrastructure, disrupt our elections, and \nhold State and local government networks hostage. CISA must be equipped \nto be an effective Federal partner and S&T must be positioned to \ndevelop and identify technology to strengthen our defenses. 
The \nPresident's fiscal year 2021 budget fails both of these important \ncomponents.\n    Last year, Committee Democrats led a bipartisan letter to \nappropriators seeking additional funding for CISA's cybersecurity \nmission. Together, we succeeded in increasing CISA's cyber budget by \n$350 million, accelerating efforts to secure Federal networks and \nramping up CISA's threat analysis and response capabilities for \nprivate-sector critical infrastructure owners and operators and State \nand local governments.\n    Despite bipartisan support for increasing CISA's cybersecurity \nbudget, the President's budget cuts it by over $150 million. I \ndon't understand how a cut of that magnitude makes communities trying \nto defend themselves against ransomware attacks, Federal networks, or \ncritical lifeline services--from power to communications--any more \nsecure.\n    Director Krebs, you know your mission. I want to know what \nresources you need to do it. I would also like to express my concern \nabout the administration's decision to eliminate the CFATS program.\n    To the best of my knowledge, there is no intelligence that suggests \nthat the security risks to chemical facilities have diminished. There is \nno evidence that a voluntary security framework will yield the same \nsecurity results as a regulatory program.\n    You can be certain the Members of this committee will not allow \nCFATS to expire. I am also concerned about the administration's \ncontinued efforts to cut S&T.\n    Last fall, this committee held a hearing exploring the security \nthreats posed by emerging technologies. Despite ample evidence that \nU.S. investment in research and development is lacking, this budget \ncuts R&D for cybersecurity as well as important University Programs and \nCenters of Excellence. 
We cannot afford to continue to defer \ninvestments in R&D, and I will work hard to restore funding.\n    Before I close, I want to make clear my expectation that Members of \nthis committee will receive accurate, candid intelligence about threats \nto our elections. Last month, the intelligence community's assessment \nof whether the Russian government's influence activities were intended \nto advance the President's re-election appeared to change overnight \nbecause the President did not like the intelligence.\n    As Members of Congress, we must have the information necessary to \nunderstand the threat and ensure you have budget and resources you need \nto defend against sophisticated cyber threats.\n\n    Mr. Richmond. I would recognize the Ranking Member of the \ncommittee, Mr. Katko, for 5 minutes.\n    Mr. Katko. Thank you, Mr. Chairman.\n    Thank you, Mr. Krebs, for being here. Thank you also for \nparticipating yesterday in the election security briefing. It \nwas very helpful and informative and, as always, your input was \nwell received.\n    I want to echo the sentiments of my colleague, the \nChairman, about the cyber solarium and the work that has been \ndone on it. I know you were an integral part of that, and I \nknow Mr. Langevin has, as well. I look forward to a bipartisan \neffort implementing as many, if not all, of his policies into \nlaw and--on the Homeland side. Working closely with both sides \nnow to get that done is, I think, critical.\n    Our Nation faces digital and physical threats daily that \nhave the potential to disrupt, damage, and destroy their \ntargets. These threats will only grow in magnitude, frequency, \nand sophistication in years ahead, as you well know, as cyber \nadversaries, particularly nation-state actors, seek political, \neconomic, and National security advantages.\n    The Federal Government works with public and private-sector \npartners to prevent and deter current threats, but also to plan \nfor the future. 
The Cybersecurity Infrastructure Security \nAgency Act, or CISA, was tasked by Congress in 2018 to serve as \nthe Nation's risk advisor, providing for the timely sharing of \ninformation, analysis, and assessment, and facilitating \nresilience building and mitigation in the .gov domain, State \nand local governments, and the private sector across \nindustries.\n    Today we will take a closer look at CISA's plans and how \nthey intend to carry out and achieve their mission. I must say \nI agree with Ms.--the chair. Cutting CISA's budget is not a \nreally good idea at all. In fact, the opposite is true. We need \nto expand your resources so you can better handle the emerging \nthreats.\n    CISA is responsible for securing the civilian Federal \nnetworks, monitoring emerging threats across sectors 24/7/365, \nsecuring our Nation's chemical facilities, advising State and \nlocal governments on election security, partnering with the \npublic and private sector to protect soft targets in crowded \nplaces, and identifying and addressing risks to our National \ncritical functions.\n    During the past year CISA completed its transition to a \nstand-alone agency subject to DHS oversight. I am very \ninterested in hearing how strengthening CISA's authorities \ncould further clarify civilian cybersecurity risk management \nauthorities, and CISA's role as a convener of public-private \npartnerships.\n    As we have spoken in private, and in my office, and \nelsewhere, I am very interested in you telling us what else you \nneed, and you know we will respond if you tell us what you \nneed. I encourage you not to be shy about it, Mr. 
Krebs.\n    I look forward to hearing about CISA's plans to continue \nits progress securing our supply chain and tackling risk to our \nNational critical functions and election infrastructure.\n    Finally, I invite you to share insights on CISA's work with \nState and local governments to secure the 2020 elections from \nthe hindsight of Super Tuesday and other election primaries.\n    We will also hear from the Directorate of Science and \nTechnology, or S&T, about how they plan to execute their \nmission in the year ahead. S&T, through partnerships with the \nFederal Government, academia, and industry, develops innovative \nsolutions to aid the Department of Homeland Security in \nachieving its mission more effectively, efficiently, and \naffordably.\n    I look forward to hearing from both of our witnesses and my \ncolleagues to see how we can work together--and the keyword is \n``together''--to ensure DHS is capable of protecting our Nation \nfrom digital and physical threats. This is the inherently \nbipartisan effort we are all involved in, and we should proceed \nin that manner.\n    With that I yield back.\n    [The statement of Ranking Member Katko follows:]\n                 Statement of Ranking Member John Katko\n    Thank you, Mr. Chairman, for holding this hearing, and thank you to \nour distinguished witnesses for being here today.\n    Our Nation faces digital and physical threats daily that have the \npotential to disrupt, damage, and destroy their targets. 
These threats \nwill only grow in magnitude, frequency, and sophistication in the years \nahead as cyber adversaries, particularly nation-state actors, seek \npolitical, economic, and National security advantages.\n    The Federal Government works with public and private-sector \npartners to prevent and deter current threats, but also to plan for the \nfuture.\n    The Cybersecurity and Infrastructure Security Agency Act, or CISA, \nwas tasked by Congress in 2018 to serve as the Nation's risk advisor, \nproviding for the timely sharing of information, analysis, and \nassessment, and facilitating resilience building and mitigation in the \n.gov domain, State and local governments, and the private sector across \nindustries.\n    Today we will take a closer look at CISA's plans and how they \nintend to carry out and achieve their mission.\n    CISA is responsible for: Securing the civilian Federal networks; \nmonitoring emerging threats across sectors 24/7/365; securing our \nNation's chemical facilities; advising State and local governments on \nelection security; partnering with the public and private sector to \nprotect soft targets and crowded places; and identifying and addressing \nrisks to our National critical functions.\n    During the past year CISA completed its transition to a stand-alone \nagency subject to DHS oversight. 
I am interested in hearing how \nstrengthening CISA's authorities could further clarify civilian \ncybersecurity risk management authorities and CISA's role as a convener \nof public-private partnerships.\n    I look forward to hearing about CISA's plans to continue its \nprogress securing our supply chain and tackling risks to our National \ncritical functions and election infrastructure.\n    Finally, I invite Director Krebs to share his insights on CISA's \nwork with State and local governments to secure 2020 elections from the \nhindsight of Super Tuesday and other election primaries.\n    Today we also will hear from the Science & Technology Directorate, \nor S&T, about how they plan to execute their mission in the year ahead.\n    S&T, through partnerships within the Federal Government, academia, \nand industry, develops innovative solutions to aid the Department of \nHomeland Security in achieving its mission more effectively, \nefficiently, and affordably.\n    I look forward to hearing from both our witnesses and my colleagues \nto see how we can work together to ensure DHS is capable of protecting \nour Nation from digital and physical threats.\n\n    Mr. Richmond. The gentleman from New York yields back. I \nnow recognize the Ranking Member of the full committee to give \nan opening statement.\n    Mr. Rogers.\n    Mr. Rogers. Thank you, Mr. Chairman, and thank you for \nholding this important hearing. I want to thank the witnesses \nfor being here, and taking the time to prepare for these \nhearings. I know it takes a lot of time, and that you have got \nother things to do, but we appreciate it. It is very helpful to \nus.\n    Today's threats can be cyber, or physical, or man-made, or \nnatural. They can emerge from nation-states, criminal \norganizations, or terrorists. Just in the last 2 months we have \ndealt with cyber threats from Russia and Iran, ransomware \nattacks and disinformation campaigns on social media. 
These are \nthe threats we know about. Many more may be lurking on the \nnetworks.\n    Unless we do something about it, these threats will only \ngrow. CISA is the agency Congress created to do something about \nthis. CISA's work is critical. That is why I was disappointed \nto see this year's budget request for the agency. I am very \nconcerned that any cuts like this would undermine CISA's \nability to successfully carry out its mission.\n    But I do take comfort in knowing, from my 18 years here, \nthat the President only proposes budgets; we write budgets. I \ncan tell you these cuts are not going to take place.\n    I look forward to hearing from Director Krebs on how he \nintends to mitigate the growing cybersecurity threats with a \nsmaller budget, if that were to happen.\n    I also look forward to hearing from S&T on the important \nwork it is doing to develop new technologies to defend our \nhomeland.\n    [The statement of Ranking Member Rogers follows:]\n                Statement of Ranking Member Mike Rogers\n                             March 11, 2020\n    Thank you, Mr. Chairman, for holding this hearing, and to our \nwitnesses for being here today.\n    Today's threats can be cyber or physical, manmade or natural. They \ncan emerge from nation-states, criminal organizations, and terrorists.\n    Just in the last 2 months, we've dealt with cyber threats from \nRussia and Iran, ransomware attacks, and disinformation campaigns on \nsocial media.\n    These are the threats we know about. 
Many more may be lurking on \nour networks.\n    Unless we do something about it, these threats will only grow.\n    CISA is the agency Congress created to do something about it.\n    CISA's work is critical.\n    That's why I was disappointed to see this year's budget request for \nthe agency.\n    I'm very concerned these cuts will undermine CISA's ability to \nsuccessfully carry out its critical mission.\n    I look forward to hearing from Director Krebs on how he intends to \nmitigate growing cybersecurity threats with a smaller budget.\n    I also look forward to hearing from S&T on the important work it's \ndoing to develop new technologies to defend our homeland.\n\n    Mr. Rogers. With that, Mr. Chairman, I yield back, and \nthank you.\n    Mr. Richmond. The gentleman yields back.\n    Other Members are reminded that statements may be submitted \nfor the record.\n    [The statement of Chairman Thompson follows:]\n                Statement of Chairman Bennie G. Thompson\n                             March 11, 2020\n    Around this time last year, this subcommittee held a hearing to \ndiscuss the fiscal year 2020 budget request.\n    At the time, Acting Secretary McAleenan had just replaced Secretary \nNielsen amid a flurry of leadership changes throughout the Department \nof Homeland Security.\n    Today you report to Acting Secretary Chad Wolf, the fifth person to \nserve as Secretary during this administration and the third to serve as \nSecretary since CISA became an operational component in November 2018. \nI have raised concerns about the lack of consistent leadership at the \nDepartment in the past, but I think it is particularly relevant in \nconversations about the future of CISA and S&T.\n    Both CISA and S&T play critical roles in defending the homeland. \nCISA is charged with coordinating the Federal efforts to defend \ncritical infrastructure against physical and cyber attacks and \nprotecting the .gov. 
S&T is responsible for putting cutting-edge \ntechnologies into the hands of DHS's boots on the ground to enable the \nworkforce to do their jobs better and safer.\n    Despite their critical missions, neither of these agencies is \nwithout its challenges. CISA has been an operational component for \nless than 2 years.\n    As foreign adversaries increasingly rely on cyber tools to \nundermine our democratic institutions, surveil critical infrastructure \nnetworks, and hold State and local government networks hostage, \nCongress and the public have demanded more of CISA. But the Trump \nadministration has never provided Congress with a candid assessment of \nhow much funding is necessary for CISA to accommodate the increased \ndemands for its services. The White House has been without a White \nHouse cybersecurity coordinator for nearly 2 years, leaving Federal \nagencies to coordinate cybersecurity activities amongst themselves.\n    Although CISA's leadership has been steady and widely respected \nboth within the Federal Government and among the private-sector \nstakeholder community, only a strong, Senate-confirmed \nSecretary can effectively advocate for CISA's budget needs and policy \npositions at the White House.\n    In the absence of strong DHS leadership, the White House proposes \nto gut CISA's budget by over $250 million, cutting funding for \ncybersecurity activities and eliminating the Chemical Facility Anti-\nTerrorism Standards Program (CFATS).\n    As a Member of Congress with a number of chemical facilities in my \nCongressional District and a long-time advocate for ensuring chemical \nfacilities across the Nation are not weaponized by terrorists, I was \nparticularly troubled to learn the administration supports eliminating \nthe program.\n    I believe that if DHS had a permanent Secretary in place, the White \nHouse would not have proposed eliminating the program. 
Accordingly, on \nMonday, I introduced legislation to extend the CFATS program for 18 \nmonths, and I expect CISA to support that effort. I would also note \nthat the lack of consistent leadership at DHS has similarly undermined \nS&T's mission.\n    The Science and Technology Directorate has been a victim of too many \n``course corrections'' to count and has struggled to solidify its \nposition as the research and development hub among DHS's components.\n    Moreover, its budget is most frequently raided to pay for the \nPresident's political promises or to cut spending in order to comply with \nbudget caps. The President's fiscal year 2021 budget request is no \ndifferent--reducing cyber R&D and cutting University Programs in half.\n    We cannot continue to defer investments in R&D for homeland \nsecurity technologies. A permanent Secretary would understand that. I \nwill not ask either of you to explain how these proposed cuts will make \nus safer because they will not. Instead, I hope that you will be frank \nwith Congress about the resources you need to do your jobs.\n\n    Mr. Richmond. Let me welcome our panel of witnesses.\n    First I would like to welcome Chris Krebs, the director of \nthe DHS Cybersecurity and Infrastructure Security Agency, back \nto testify before this panel.\n    Director Krebs has been at the helm of DHS's cybersecurity \nactivity since 2017, and he has been an integral player in \nshaping and developing the Department's election security \ncapabilities.\n    Next we have Mr. Andre Hentz. He is the acting deputy under \nsecretary for science and technology. Deputy Under Secretary \nHentz has been with S&T since 2014, and in his current role \nsince 2017.\n    Without objection, the witnesses' full statements will be \ninserted into the record.\n    I now ask each witness to summarize his or her statement \nfor 5 minutes, beginning with Dr. Krebs--Director Krebs, I am \nsorry.\n    Mr. Krebs. I will take doctor.\n    Mr. Richmond. 
I made you a doctor overnight.\n    [Laughter.]\n\nSTATEMENT OF CHRISTOPHER C. KREBS, DIRECTOR, CYBERSECURITY AND \n  INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Mr. Krebs. Chairman Richmond, Ranking Member Rogers, \nRanking Member Katko, and Members of the subcommittee.\n    Happy Cyberspace Solarium Report Rollout Day. Congressman \nLangevin, thanks for all your efforts there, and thank you for \nrecognizing the significance and importance of CISA in the \nbroader National cybersecurity efforts. So thank you for that. \nThank you for today's opportunity to address the Cybersecurity \nand Infrastructure Security Agency's--CISA's--fiscal year 2021 \nbudget.\n    The 2021 budget provides meaningful investment in CISA's \nability to lead the National effort to safeguard and secure \ncritical infrastructure from cyber and physical threats. To \naccomplish this mission, we must work with our partners where \nthey are, not where we are. Accordingly, this budget invests in \nadditional field-based personnel that are located outside the \nD.C. Beltway, where our partners are found.\n    My statement focuses on each of our priorities: Protection \nof Federal networks; election infrastructure security; securing \noperational technology; supply chain risk management; and soft \ntarget security.\n    First, with Federal cybersecurity, across the Federal \nGovernment our ability to defend networks has improved. The \nbudget will help CISA establish a cybersecurity shared services \noffering that will centralize, standardize, and deliver best-\nin-class cybersecurity capabilities to Federal agencies. \nThrough this effort CISA will develop service standards, \nevaluate individual offerings, and oversee a marketplace of \nqualified cybersecurity services for Federal customers.\n    We must also invest in our people. CISA is leading a \nGovernment-wide training program for all Federal cybersecurity \nprofessionals. 
This includes a rotational program, training \nprogram, and re-skilling academy. Training cybersecurity \nprofessionals is a crucial part of closing the gap on workforce \ndemands for CISA and across our Government.\n    But perhaps the most high-profile threat today is attempts \nby nation-state actors to interfere in our elections. Over the \nlast several years, as you heard yesterday, we have been--\nbecome close partners with the election community, and we are \nfocusing on broadening the reach and depth of assistance, \nemphasizing the criticality of election auditability, \nprioritizing the need to patch vulnerabilities in election \nsystems, and developing locality-specific cybersecurity \nprofiles that officials can use to manage risk.\n    Also, we are focusing on operational technologies or \ncontrol systems, those components that operate our critical \ninfrastructure. The increasing integration and connectivity of \nthose technologies has vastly increased the potential impact of \ncyber threats. Included in this year's budget is funding to \nexpand our control system security efforts, including sensing \nanalytics and partner training platforms.\n    We are also investing in our efforts to understand and \nmanage supply chain security risks. CISA's Supply Chain Risk \nManagement Task Force has brought together 20 Federal agencies \nand 20 of the largest companies in information communications \nsectors to reach consensus on how to best manage risk. We are \nnot using--rather, we are using this forum to understand what \nis working and what is not, sharing best practices and crowd-\nsourcing solutions to close out supply chain risk management \ngaps.\n    At CISA we also recognize that far too often our Nation is \nconfronted with violent attacks on places such as entertainment \nvenues, places of worship, and schools. 
Funding in this budget \nto support CISA's school safety initiatives, including \nstewardship of the Federal School Safety Clearinghouse, a one-\nstop shop for local officials to find resources that help \nprovide children with a safe learning environment.\n    Before closing, research and development is critical to \nCISA's mission. CISA and S&T are committed to effective \ncoordination. We are partnering to advance threat-driven cyber \nanalytics and development of a cyber risk framework. This \nproject is an important first step in the larger plan to \nenhance analytics in conjunction with big data and machine \nlearning.\n    In closing, I would like to briefly touch on my keys to \nsuccess for CISA in 2020. Those keys to success are threefold: \nFirst, we must continue focusing on our strengths; second, we \nmust seek strategic alignment with our interagency partners, \nnot compete with them; and third, we must be a customer-centric \norganization.\n    So what are our strengths? Convening, bringing a broad \nrange of partners together to tackle tough challenges, sharing \nactionable information, and collectively identifying best \npractices for areas like Federal and State and local \ncybersecurity and soft target security.\n    Who must we align with? Our partners in the intelligence \ncommunity and law enforcement, the Department of Defense, and \nelsewhere in the civilian government. This is crucial, if we \nare going to be successful, for instance, in election security, \nas well as control systems.\n    Last, if we are not intensely focused on our customers, we \nare doing it wrong. We must continue to push--to support out \nacross this great Nation and help infrastructure partners big \nand small. Ransomware is the perfect example of how we must \nbecome a customer-centric organization.\n    So with that, thank you for the opportunity to be here \ntoday. Thank you for your prior investments at CISA. 
I look \nforward to discussing this year's budget, and I look forward to \nyour questions.\n    [The prepared statement of Mr. Krebs follows:]\n               Prepared Statement of Christopher C. Krebs\n                             March 11, 2020\n    Good afternoon Chairman Richmond, Ranking Member Katko, and \ndistinguished Members of the subcommittee, thank you for the \nopportunity to testify regarding the fiscal year 2021 President's \nbudget for the U.S. Department of Homeland Security's (DHS) \nCybersecurity and Infrastructure Security Agency (CISA). The fiscal \nyear 2021 President's budget of $1.78 billion for CISA reflects our \ncommitment to safeguard our homeland, our values, and our way of life.\n    CISA strengthens the cybersecurity of Federal networks and \nincreases the security and resilience of our Nation's critical \ninfrastructure. Safeguarding and securing critical infrastructure is a \ncore DHS mission. The fiscal year 2021 President's budget recognizes \nthe criticality of this mission and ensures the men and women of CISA \nhave the resources they need to achieve it.\n    CISA defends the homeland against the threats of today, while \nworking with partners across all levels of government and the private \nsector to secure against the evolving risks of tomorrow--``Defend \nToday, Secure Tomorrow.''\n    As the Nation's risk advisor, CISA is a hub of efforts to build \nNational resilience against a growing and interconnected array of \nthreats; organizing risk management efforts around securing the \nNational Critical Functions that underpin National security, economic \ngrowth, and public health and safety; and ensuring Government \ncontinuity of operations. CISA marshals its wide-ranging domain \nexpertise and central coordination role to guide partners in navigating \nhazards ranging from extreme weather and terrorism to violent crime and \nmalicious cyber activity. 
We identify high-impact, long-term solutions \nto mobilize a collective defense of the Nation's critical \ninfrastructure.\n    The fiscal year 2021 President's budget for CISA has been \nreorganized under new budget lines to fully reflect the operational \nvision for CISA. The CISA Act of 2018 reorganized the National \nProtection and Programs Directorate into an operational component, and \nthe budget should reflect the new organization. For instance, \nmanagement and operational watch activities that were previously spread \nacross multiple budget lines are now merged into a single funding line \nthat will serve as a nexus of cyber, physical, and communications \nintegration. The new funding lines also combine all regional field \noperations, including Protective Security Advisors and Cybersecurity \nAdvisors, into a single report channel. This enhances the ability of \nCISA to engage with critical infrastructure partners outside the \nbeltway, where they are located. If adopted, this new structure will \nstreamline authority, increase transparency, and better enable CISA to \nexecute the funding.\n                            cisa priorities\n    Nefarious actors want to disrupt our way of life. Many are inciting \nchaos, instability, and violence. At the same time, the pace of \ninnovation, our hyper connectivity, and our digital dependence has \nopened cracks in our defenses, creating new vectors through which our \nenemies and adversaries can strike us. This is a volatile combination, \nresulting in a world where threats are more numerous, more widely \ndistributed, highly networked, increasingly adaptive, and incredibly \ndifficult to root out.\n    CISA is strengthening our digital defense as cybersecurity threats \ngrow in scope and severity. 
The fiscal year 2021 President's budget \ncontinues investments in Federal network protection, proactive cyber \nprotection, infrastructure security, reliable emergency communications \nfor first responders, and supply chain risk management.\n    CISA, our Government partners, and the private sector, are all \nengaging in a more strategic and unified approach toward improving our \nNation's defensive posture against malicious cyber activity. In May \n2018, DHS published the Department-wide DHS Cybersecurity Strategy, \noutlining a strategic framework to execute our cybersecurity \nresponsibilities during the next 5 years. Both the Strategy and \nPresidential Policy Directive 21--Critical Infrastructure Security and \nResilience emphasize an integrated approach to managing risk.\n    CISA ensures the timely sharing of information, analysis, and \nassessments to build resilience and mitigate risk from cyber and \nphysical threats to infrastructure. CISA's partners include \nintergovernmental partners, the private sector, and the public. Our \napproach is fundamentally one of partnerships and empowerment, and it \nis prioritized by our comprehensive understanding of the risk \nenvironment and the corresponding needs of our stakeholders. We help \norganizations manage their risk better.\n    The fiscal year 2021 President's budget includes $1.1 billion for \ncybersecurity initiatives at CISA to detect, analyze, mitigate, and \nrespond to cybersecurity threats. We share cybersecurity risk \nmitigation information with Government and non-Government partners. 
By \nissuing guidance or directives to Federal agencies, providing tools and \nservices to all partners, and leading or assisting the implementation \nof cross-Government cybersecurity initiatives, we are protecting \nGovernment and critical infrastructure networks.\n    Within the cybersecurity initiatives funding amount, the fiscal \nyear 2021 President's budget includes $660 million for cybersecurity \ntechnology and services, including Continuous Diagnostics and \nMitigation (CDM) and National Cybersecurity Protection System (NCPS) \nprograms. These programs provide the technological foundation to secure \nand defend the Federal Government's information technology against \nadvanced cyber threats.\n    NCPS is an integrated system-of-systems that delivers intrusion \ndetection and prevention, analytics, and information-sharing \ncapabilities. NCPS primarily protects traffic flowing into and out of \nFederal networks. One of its key technologies is the EINSTEIN intrusion \ndetection and prevention sensor set. This technology provides the \nFederal Government with an early warning system, improves situational \nawareness of intrusion threats, and near-real time detection and \nprevention of malicious cyber activity. Funding included in the budget \nwill allow NCPS to begin transitioning capabilities to use commercial \nand Government cloud services to the greatest extent possible. The \nfunding will also support newly-developed information sharing and \nintrusion prevention capabilities into the operational environment.\n    CDM provides Federal network defenders with a common set of \ncapabilities and tools they can use to identify cybersecurity risks \nwithin their networks, prioritize based on potential impact, and \nmitigate the most significant risks first. The program provides Federal \nagencies with a risk-based and cost-effective approach to mitigating \ncyber risks inside their networks. 
The fiscal year 2021 President's \nbudget includes funding to continue deployment and operation of \nnecessary tools and services for all phases of the CDM program. Funding \nwill cover completion of activities to strengthen management of \ninformation technology assets including for cloud and mobile-based \nassets and protection of data on networks that carry highly-sensitive \nand critical information. By pooling requirements across the Federal \nspace, CISA is able to provide agencies with flexible and cost-\neffective options to mitigate cybersecurity risks and secure their \nnetworks.\n    Funding for cybersecurity initiatives also includes $408 million \nfor cybersecurity operations. Within this category, approximately $264 \nmillion is dedicated to threat hunting and vulnerability management \noperations. Threat hunting activities identify, analyze, and address \nsignificant cyber threats across all domains through detection \nactivities, countermeasures development, as well as hunt and incident \nresponse services. Vulnerability management capabilities include \nassessments and technical services, such as vulnerability scanning and \ntesting, penetration testing, phishing assessments, and red teaming on \noperational technology that includes the industrial control systems \nwhich operate our Nation's critical infrastructure, as well as \nrecommended remediation and mitigation techniques that improve the \ncybersecurity posture of our Nation's critical infrastructure.\n    The budget includes funding to support CyberSentry. This voluntary \nprogram is designed to detect malicious activity on private-sector \ncritical infrastructure networks, including operational technology, \nsuch as industrial control systems. 
The pilot will utilize network \nsensor systems to detect threats; collect threat data; increase the \nspeed of information sharing; and produce real-time, effective, \nactionable information to the companies vulnerable to malicious \nattacks.\n    Funding is also included to support cybersecurity capacity \nbuilding. Capacity building is delivering tools and services to \nstakeholders to strengthen cyber defenses and coordinating policy and \ngovernance efforts to carry out CISA's statutory responsibility to \nadminister the implementation of cybersecurity policies and practices \nacross the Federal Government. The budget provides funding for a \ncybersecurity shared services office that will centralize, standardize, \nand deliver best-in-class cybersecurity capabilities to Federal \nagencies. Through this effort, CISA will develop service standards, \nevaluate individual offerings, and oversee a marketplace of qualified \ncybersecurity services to Federal customers.\n    Through this budget, CISA will lead a Government-wide cybersecurity \ntraining program for all Federal cybersecurity professionals, including \nan interagency cyber rotational program, a cybersecurity training \nprogram, and a cyber-reskilling academy. Training cybersecurity \nprofessionals will be a crucial part of closing the gap on workforce \ndemands for CISA and across Government. This effort also includes \nfunding for CISA to continue hosting the annual President's Cup \nChallenge, a cyber competition to test the skills of the Federal cyber \nworkforce.\n    The fiscal year 2021 President's budget request also includes \nfunding for State and local Government cybersecurity and infrastructure \nassistance prioritized for election security. 
These resources are \ninstitutionalizing and maturing CISA's election security risk-reduction \nefforts, allowing the agency to continue providing vulnerability \nmanagement services such as cyber hygiene scans, and on-site or remote \nrisk and vulnerability assessments, organizational cybersecurity \nassessments, proactive adversary hunt operations; and enhanced threat \ninformation sharing with State and local election officials.\n    For infrastructure security, the fiscal year 2021 President's \nbudget includes $96 million for protecting critical infrastructure from \nphysical threats through informed security decision making by owners \nand operators of critical infrastructure. Activities include conducting \nvulnerability and consequence assessments, facilitating exercises, and \nproviding training and technical assistance Nation-wide. The program \nleads and coordinates National efforts on critical infrastructure \nsecurity and resilience by developing strong and trusted partnerships \nacross the Government and private sector. This includes reducing the \nrisk of a successful attack on soft targets and crowded places, from \nemerging threats such as unmanned aircraft systems. Funding supports \nCISA's school safety initiatives, including stewardship of the Federal \nSchool Safety Clearinghouse, the expansion of existing school security \nactivities, and the development of additional resources and materials \nfor safety to provide children with a safe and secure learning \nenvironment.\n    This year's budget eliminated funding for the Chemical Facilities \nAnti-Terrorism Standards program while simultaneously increasing \nfunding significantly for the Protective Security Advisors program. 
\nThis will allow CISA to provide voluntary support for chemical \nfacilities without the unnecessary burden of regulatory requirements, \nplacing the chemical sector on par with all the other critical \ninfrastructure sectors for which CISA has oversight.\n    The fiscal year 2012 President's budget includes $158 million for \nemergency communications to ensure real-time information sharing among \nfirst responders during all threats and hazards. CISA enhances public \nsafety interoperable communications at all levels of Government across \nthe country through training, coordination, tools, and guidance. We \nlead the development of the National Emergency Communications Plan to \nmaximize the use of all communications capabilities available to \nemergency responders--voice, video, and data--and ensures the security \nof data and information exchange. CISA supports funding, sustainment, \nand grant programs to advance communications interoperability, such as \ndeveloping annual SAFECOM Grant Guidance in partnership with Public \nSafety stakeholders, and partnering with FEMA Grants Program \nDirectorate to serve as communications subject-matter experts for FEMA-\nadministered grants. We assist emergency responders and relevant \nGovernment officials with communicating over commercial networks during \nnatural disasters, acts of terrorism, and other man-made disasters \nthrough funding, sustainment, and grant programs to support \ncommunications interoperability and builds capacity with Federal, \nState, local, Tribal, and territorial stakeholders by providing \ntechnical assistance, training, resources, and guidance. The program \nalso provides priority telecommunications services over commercial \nnetworks to enable National security and emergency preparedness \npersonnel to communicate during telecommunications congestion scenarios \nacross the Nation.\n    The President's budget includes $167 for the Integrated Operations \nDivision. 
This division is charged with coordinating CISA's front line, \nexternally facing activities in order to provide seamless support and \nan expedited response to critical needs. These funds include $82 \nmillion to support 373 protective security advisors and cybersecurity \nadvisors located across the country. Protective Security Advisors \nconduct proactive engagement and outreach with Government at all levels \nand critical infrastructure. Additionally, cybersecurity advisors \nexpand the DHS cyber field presence across the country. These resources \nbetter enable CISA to reach critical infrastructure partners and other \nstakeholders where they live outside the beltway.\n    The fiscal year 2021 President's budget fully funds CISA's risk \nmanagement activities, including $91.5 million for the National Risk \nManagement Center (NRMC). The NRMC is a planning, analysis, and \ncollaboration center working to identify and address the most \nsignificant risks to our Nation's critical infrastructure. The NRMC \nalso houses the National Infrastructure Simulation and Analysis Center \n(NISAC), which provides homeland security decision makers with timely, \nrelevant, high-quality analysis of cyber and physical risks to critical \ninfrastructure across all sectors during steady state and crisis action \noperations. Increased funding will support election security, securing \n5G telecommunications, and supply chain risk analysis.\n    The new Stakeholder Engagement and Requirements program is funded \nat $38 million. 
This funding will support the coordination and \nstewardship of the full range of CISA stakeholder relationships; the \noperation and maintenance of the CISA stakeholder relationships; the \noperation and maintenance of the CISA stakeholder relationship \nmanagement system; the implementation of the National Infrastructure \nProtection Plan voluntary partnership framework; the management and \noversight of National infrastructure leadership councils; and the \neffective coordination among the National critical infrastructure \nstakeholder community in furtherance of shared goals and objectives.\n    The President's budget asks for $24 million within the Science and \nTechnology Directorate (S&T) to continue research and development \nefforts in support of CISA's cybersecurity mission. CISA and S&T have \nmade tremendous strides in collaborating to advance joint priorities. \nIn fiscal year 2019, CISA and S&T awarded a project to create a \n`pipeline' for low technology readiness-level efforts to mature and \ntransition into CISA. Workstreams in this pipeline are advancing \nthreat-driven cyber analytics and development of a cyber risk \nframework. This project is an important first step in the larger plan \nfor CISA and S&T to enhance analytics in conjunction with big data and \nmachine learning. Subsequent efforts in fiscal year 2020 and beyond are \nplanned to leverage hyperscale cloud platforms and significantly \nadvance the data and analytics capabilities of CISA.\n    Finally, Congress provided a substantial investment last year to \nconsolidate CISA in a new state-of-the-art headquarters facility at \nDHS's St. Elizabeth's Campus. CISA currently must operate from 8 \ndifferent leased locations spread across the National Capital Region, \nin facilities not capable of fully supporting CISA operational demands, \nwhich contributes to administrative inefficiencies. 
The fiscal year \n2021 President's budget provides $459 million to the General Services \nAdministration for the continued consolidation of DHS facilities at the \nSt. Elizabeth's Campus. Included in this amount are funds for both \nadditional DHS component building construction and also campus \ninfrastructure enhancements, such as additional parking, that are \ncritical to the success of CISA's future relocation to the campus.\n                               conclusion\n    In the face of increasingly sophisticated threats, CISA employees \nstand on the front lines of the Federal Government's efforts to defend \nour Nation's Federal networks and critical infrastructure. The threat \nenvironment is complex and dynamic with interdependencies that add to \nthe challenge. As new risks emerge, we must better integrate cyber and \nphysical risk in order to effectively secure the Nation. CISA \ncontributes unique expertise and capabilities around cyber-physical \nrisk and cross-sector critical infrastructure interdependencies.\n    I recognize and appreciate this committee's strong support and \ndiligence as it works to resource CISA in order to fulfill our mission. \nYour support over the past few years has helped bring additional \nFederal departments and agencies into NCPS more quickly, speed \ndeployment of CDM tools and capabilities, and build out our election \nsecurity efforts. We at CISA are committed to working with Congress to \nensure our efforts cultivate a safer, more secure, and resilient \nhomeland while also being faithful stewards of the American taxpayer's \ndollars.\n    Thank you for the opportunity to appear before the subcommittee \ntoday, and I look forward to your questions.\n\n    Mr. Richmond. Thank you, Director.\n    I now recognize Acting Deputy Under Secretary Hentz to \nsummarize his statement for 5 minutes.\n\n  STATEMENT OF ANDRE HENTZ, ACTING DEPUTY UNDER SECRETARY FOR \n  SCIENCE AND TECHNOLOGY, U.S. 
DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Hentz. Good afternoon, Chairman Richmond, Ranking \nMember Katko, Ranking Member Rogers, and distinguished Members \nof the subcommittee. Thank you for inviting me here today to \ntestify on the President's budget for fiscal year 2021, which \nincludes a request for $643 million for the Science and \nTechnology Directorate within the Department of Homeland \nSecurity.\n    S&T's research develops activities which support a broad \nrange of DHS missions, including domain threat awareness, \ndelivery of mitigation strategies, and creating novel \ntechnologies and approaches for the components, first \nresponders, and other partners across the Homeland Security \nenterprise.\n    Our customers put their lives on the line every day to keep \nour Nation safe. Having the correct tools, techniques, and/or \ntechnologies can be vital to the operational safety and \nsuccess.\n    Research and development must enable efficient, effective, \nand secure operations across all DHS security missions by \napplying timely, scientific, engineering, and innovation \nsolutions. This is how S&T delivers results. Technology \ninnovation cycles are rapidly changing, and the nature of the \nthreats we see are dynamic.\n    It is important to note, however, that S&T represents less \nthan one-half of 1 percent of the entire Federal R&D budget. \nLet me repeat that: S&T represents less than one-half of 1 \npercent of the entire Federal research and development budget, \nand we strive every day to get as much value out of those funds \nas possible.\n    Under my leadership, with Mr. Bryan, S&T has strengthened \nour relationship with our customers by providing impactful \nsolutions to those on the front line. 
We continue to solidify \nand strengthen S&T's core capabilities and provide deliberative \napproaches to program execution that ensures timely delivery \nand solid returns on investment for our Nation's taxpayers.\n    The fiscal year 2021 request includes $5 million for \nquantum information sciences, including artificial \nintelligence. S&T is beginning to focus on machine learning, \nwith the goal of mitigating risk to potential misuse of \nartificial intelligence, and identifying opportunities and \napplications for the use of trustworthy artificial \nintelligence, while providing privacy protection and developing \nnew governance and policy frameworks for artificial \nintelligence and machine learning.\n    The fiscal year 2021 budget request provides $14.3 million \nfor S&T's Probabilistic Analysis for National Threats, Hazards, \nand Risk program, known as PANTHR. PANTHR aligns S&T's chemical \nand biological hazard awareness and characterization activities \nto provide timely, accurate, and defensible decision support \ntools and knowledge to stakeholders. Working with the \nCountering Weapons of Mass Destruction Directorate, PANTHR is \nleveraging S&T's National Biodefense Analysis and \nCountermeasures Center to address pertinent scientific \nquestions and DHS operational concerns regarding the surface \nstability and decontamination of COVID-19. Funding in 2021 \nwould allow PANTHR to develop additional assessment \ncapabilities to address growing infrastructure concerns such as \nthe bio-economy, and fill other critical gaps regarding weapons \nof mass destruction risks to the homeland.\n    The administration is also focusing on targeted violence \nand terrorism prevention, and S&T's 2021 request includes $7 \nmillion for research to inform policy, strategy, tactics, \ntechniques, and procedures in this area. 
S&T is actively \nworking to support technology integration and techniques to \nreduce the likelihood of mass violence and improve the ability \nto prevent and respond to a mass violent event.\n    The fiscal year 2021 budget request supports S&T's Office \nof University Programs in two vital efforts, our centers of \nexcellence and working with minority-serving institutions. \nCenters of excellence that receive funding in fiscal year 2021 \nwill conduct research and development that aligns with the \nadministration's priorities to strengthen border security, \ncybersecurity, infrastructure protection, and prioritize \ntransnational criminal investigations.\n    Finally, the 2021 budget requests at $18.9 million in a \nprocurement, construction, and investment account for S&T to \nbegin to address the decontamination and closure of the Plum \nIsland Animal Disease Center. S&T is committed to our mission \nto deliver effective, innovative insights, methods, and \nsolutions for critical needs of DHS components, first \nresponders, and our operational partners in the Homeland \nSecurity space.\n    Chairman Richmond, Ranking Member Katko, Ranking Member \nRogers, and Members of the committee, thank you again for the \nopportunity to appear before you today, and for your continued \nsupport of S&T. I look forward to answering your questions.\n    [The prepared statement of Mr. Bryan, as presented by Mr. \nHentz, follows:]\n                  Prepared Statement of William Bryan\n                             March 11, 2020\n    Good afternoon Chairman Richmond, Ranking Member Katko, and \ndistinguished Members of the subcommittee. Thank you for inviting me \nhere today to testify on the President's budget request for fiscal year \n2021, which includes a request of $643.7 million for the Science and \nTechnology Directorate (S&T) within the U.S. 
Department of Homeland \nSecurity (DHS).\n    S&T's research and development (R&D) activities support a broad \nrange of DHS missions, including domain threat awareness, delivering \nmitigation strategies, and creating novel technology and approaches for \nthe components, first responders, and other partners across the \nhomeland security enterprise. Our customers put their lives on the line \nevery day to keep our Nation safe, and having the correct tools, \ntechniques, and/or technologies can be vital to the operators' safety \nand success.\n    We must enable efficient, effective, and secure operations across \nall homeland security missions by applying timely scientific, \nengineering, and innovative solutions through research, design, test \nand evaluation, and acquisition support. This is how S&T delivers \nresults. Technology innovation cycles are rapidly changing and the \nnature of the threats we see is dynamic. This combination presents a \nsignificant challenge to traditional R&D approaches as well as meeting \ncomponent requirements and needs in a fiscally constrained R&D \nenvironment. S&T is less than 1 percent of the entire Federal R&D \nbudget--and we strive every day to get as much value out of those funds \nas possible.\n    Therefore, it is my responsibility to ensure an efficient, \neffective, and nimble organization is in place to address R&D needs of \nHomeland Security front-line operators, particularly the DHS \noperational components and first responders, today and into the future. \nEither through the identification of existing technologies or the \ntimely development of new technology, S&T can provide them with the \ntools they need to safely and effectively protect the homeland and the \nAmerican people. Under my leadership S&T has strengthened our \nrelationships with our customers, the DHS operational components and \nfirst responders, to provide impactful solutions to those on the front \nline. 
We continue to solidify and strengthen S&T's core capabilities \nand provide a deliberative approach to program execution that ensures \ntimely delivery and solid return on investment for our Nation's \ntaxpayers.\n    S&T has become more agile and responsive, ready to move quickly in \nresponse to changes in the threat environment, and makes use of \nexisting technologies, when available, that can be adapted and \nleveraged to expedite the development of vital capabilities. S&T has \nsignificantly enhanced its ability to transfer capabilities to where \nthey are most needed by working closely with operators, component \npartners, and industry to deliver effective solutions. The revitalized \nS&T has strengthened its relationships with DHS components, first \nresponders, and other customers, and results in a more integrated \napproach to innovation, requirements gathering, and problem solving. At \na strategic level, S&T has created a capability to identify, \nprioritize, and report on emerging technology risks facing the United \nStates. Together with DHS Policy, S&T will identify and assess emerging \ntechnologies most likely to significantly improve operations and/or \nthreaten the DHS mission over the next 2-5 years. Results will support \nsenior DHS executives as they prioritize the list of technologies and \nshape the DHS investment portfolio to address risk.\n    A strong cross-Department cybersecurity R&D program is critical for \nDHS. The Cyber Security & Infrastructure Security Agency (CISA) and S&T \nhave made tremendous strides in resetting the relationship, directing \nR&D resources into mission support of CISA requirements. CISA and S&T \nhave established repeatable processes to identify capability gaps, \nprioritize needs, and execute on RD&I needs. 
The fiscal year 2021 \ncybersecurity R&D budget request is for $24 million and places all \ncyber R&D funding with S&T.\n    S&T is currently partnered with the National Institutes of \nArtificial Intelligence (AI) with the goal of mitigating risks to \nmisuse of AI, identifying opportunities and applications of AI within \nthe homeland security mission space, improving privacy protection, and \ndeveloping new governance and policy frameworks for artificial \nintelligence and machine learning. S&T is working with its operational \nDHS component partners to assess opportunities for leveraging Automated \nMachine Learning (AutoML) and related data preparation tools as a means \nof accelerating understanding and use of this technology within the DHS \nenterprise. In fiscal year 2021, S&T will examine and characterize the \nstate of artificial intelligence research relative to future homeland \nsecurity mission applications. Research activities will focus on the \ndevelopment of core capabilities that enable trustworthy artificial \nintelligence to improve core automation capabilities that are secure, \nprivate, and trusted for critical homeland security applications.\n    The fiscal year 2021 budget request provides $14.4 million for \nS&T's Probabilistic Analysis for National Threats Hazards and Risks \n(PANTHR) program that aligns S&T's chemical and biological hazard \nawareness and characterization activities to provide timely accurate \nand defensible decision support tools and knowledge to stakeholders. \nPANTHR is currently supporting the Countering Weapons of Mass \nDestruction Office (CWMD) to address the on-going Coronavirus outbreak \nby providing consolidated up-to-date information regarding the virus to \nDHS components. 
PANTHR is currently leveraging the capabilities of one \nof the DHS laboratories, the National Biodefense Analysis and \nCountermeasure Center (NBACC), which is addressing pertinent scientific \nquestions and DHS operational concerns regarding Coronavirus surface \nstability and decontamination. PANTHR funding in fiscal year 2021 would \nfurther support the expansion of these National capabilities to address \ncurrent and emerging chemical and biological concerns. Additionally, \nthe fiscal year 2021 request would allow PANTHR to develop additional \nassessment capabilities to address growing infrastructure concerns, \nsuch as the bio-economy, and fill other critical technical hazard data \ngaps regarding WMD risks to the Homeland.\n    S&T is requesting $35.9 million in the fiscal year 2021 budget to \ndirectly address Customs and Border Protection (CBP), the U.S. Coast \nGuard (USCG), the U.S. Secret Service (USSS), and the Federal \nProtective Service (FPS) requirements for Countering Unmanned Aircraft \nSystem (CUAS) requirements. In close coordination with our operational \ncustomers, S&T is responsible for the initial CUAS deployment \narchitecture, technology selection, system integration, system test, \ntraining and cyber compliance. The fiscal year 2021 S&T CUAS investment \nwill focus on mission interoperability with the Department of Defense \nand Department of Justice in the National Capital Region, improved CUAS \ncapabilities for DHS components, and addressing future threats. UAS \nthreats to critical infrastructure and security activities will likely \nincrease in the near future as the number of UAS introduced into the \nNational airspace continues to increase. However, currently the use of \ntechnical means to detect, track, and disrupt malicious UAS operations \nremains limited.\n    S&T is dedicated to developing or adopting innovative tools for DHS \ncomponents, and the fiscal year 2021 budget request supports that \neffort. 
For example, the S&T Opioid Detection project continues to \nintegrate advanced technologies, including narcotics anomaly detection \nalgorithms and chemical sensing technologies, into CBP international \nmail facilities, and to evolve efforts directed at detecting synthetic \nopioids in additional operational environments in response to changing \ntrafficking dynamics. Increased funding will also further improve the \nunderstanding of supply chain logistics and intelligence to aid in \ntargeting, investigations, and ultimately, disruption of international \nsmuggling. The administration is also focusing on Targeted Violence and \nTerrorism Prevention, and S&T is a vital partner using research to \ninform policy, strategy, tactics, techniques, and procedures. S&T is \nactively working to support technology integration and techniques to \nreduce the likelihood of mass violence and improve the ability to \nprevent and respond to a mass violence event.\n    The fiscal year 2021 request continues support for S&T's Silicon \nValley Innovation Program (SVIP) at $10 million, which leverages \ninnovative commercial capabilities from across the country through non-\ntraditional Government contractors to rapidly deliver technology to \nfulfill DHS component-defined requirements. This program fosters rapid \ndevelopment and delivers tested technology into the field in a much \nshorter time frame than is possible under traditional vehicles. S&T's \nSVIP collaborates with DHS operational components to provide solutions \nthat enhance overall situational awareness, detection, tracking, \ninterdiction, and apprehension.\n    To date, S&T's SVIP has awarded $18 million in funding and \nprocessed over 485 applications across 14 topic areas. S&T has worked \nwith 49 small start-up companies from 15 different States and leveraged \nover $500 million in private-sector investment that aligns on-going \nprivate-sector activity with DHS operational component requirements. 
\nSVIP has successfully transitioned 3 technologies into CBP operational \nenvironments including a new generation of radar to support U.S. Border \nPatrol operations. This radar technology was incorporated into 58 \nBorder Patrol towers on the Southwest Border and a similar amount are \nplanned for transition in 2020.\n    The fiscal year 2021 budget request adds a Procurement, \nConstruction, and Improvements account to address the decontamination \nand closure of the Plum Island Animal Disease Center. S&T is on time \nand on budget to complete the construction of the National Bio and \nAgro-Defense Facility (NBAF). This state-of-the-art facility will be \ntransferred to the U.S. Department of Agriculture upon completion of \nconstruction and will be the Nation's only Bio Safety Level 4 \nlaboratory that is capable of studying large animal diseases in \nlivestock, such as African Swine Fever and Foot and Mouth Disease. \nAfter NBAF is completed, the Plum Island facility will require \ndecontamination. The $18.9 million of the fiscal year 2021 request will \nbegin decontamination activities and stand up the program office to \nmanage this multi-year effort.\n    The fiscal year 2021 budget request supports S&T's Office of \nUniversity Programs in two vital efforts, our Centers of Excellence \n(COE) and working with Minority Serving Institutions (MSI).\n    The fiscal year 2021 budget request allows for the continuation of \nthe University-based COEs that are focused on homeland security mission \nneeds. COEs that will receive funding in fiscal year 2021 will conduct \nresearch and development that aligns with the administration's \npriorities to strengthen border security, cybersecurity and \ninfrastructure protection, and prioritize trans-national criminal \ninvestigations. 
S&T conducts rigorous evaluations of each Center's \nperformance using established criteria to help inform project funding \ndecisions that meet operator needs and stay focused on transferring or \ntransitioning research and technology outputs into field use.\n    S&T seeks to leverage and utilize the unique intellectual capital \nin the MSI community to address current and future homeland security \nchallenges and to provide relevant learning opportunities to diverse \nand highly talented individuals and inspire the next generation of \ndedicated homeland security professionals. Our efforts provide \nlearning opportunities for students that already are pursuing Science, \nTechnology, Engineering, and Mathematics (STEM)-related degrees. These \nawards support MSIs in their efforts to attract highly technical \nstudents and provide exposure and mentorship opportunities with DHS \nprograms. S&T's efforts with MSIs are important for ensuring students \ndevelop the cross-functional skills essential to their flourishing and \nmeeting the demanding needs of the homeland security missions. By \nestablishing continuous relationships between COEs, MSIs, DHS component \nagencies, and private-sector entities, S&T is expanding partnering \ninstitutions and providing resources needed for students to gain \nmeaningful work experiences that prove invaluable to the growth of \ntheir careers in homeland security-related areas.\n    S&T's mission is to deliver effective and innovative insight, \nmethods, and solutions for the critical needs of DHS components and our \noperational partners in homeland security.\n    Chairman Richmond, Ranking Member Katko, and Members of the \ncommittee, thank you again for the opportunity to appear before you \ntoday and for your continued support of S&T.\n    I look forward to answering your questions.\n\n    Mr. Richmond. I want to thank the witnesses for their \ntestimony. 
I will remind each Member that he or she will have 5 \nminutes to question the panel.\n    I will now recognize myself for 5 minutes for questions.\n    Director Krebs, in January 2017 the Office of the Director \nof National Intelligence issued a report concluding that the \nRussian government meddled in the 2016 Presidential election, \nand that Russia's goal was to assist the campaign of now-\nPresident Trump.\n    Last month several news outlets reported that President \nTrump removed the acting director of national intelligence, \nJoseph Maguire, had the staff from his office brief bipartisan \nmembers of the House Permanent Select Committee on Intelligence \non foreign threats to U.S. elections. Are you familiar with \nthat?\n    Mr. Krebs. I am certainly aware of the intelligence \ncommunity assessment of 2017, and recall seeing some of the \npress reports. Yes, sir.\n    Mr. Richmond. Initial reports indicated that ODNI staff \ntold Members in the briefing that the Russian government, once \nit--was once again attempting to meddle in our elections to \nbenefit President Trump's re-election. This is the same thing \nthat Russia did in 2017, when they interfered in the U.S. \nelection to help President Trump. Wouldn't that be the same \nassessment?\n    Mr. Krebs. I am sorry, is the--can you repeat the question? \nI am trying to understand what----\n    Mr. Richmond. Well, the intelligence is the same \nintelligence from 2017 that Russia is trying to interfere in \nthe election.\n    Mr. Krebs. So I certainly can't talk to the intelligence. I \nwould defer to the intelligence community on the specific \nassessments. We are planning as if the Russians and others are \ncoming back for the 2020 election to again attempt to \ninterfere.\n    Mr. Richmond. Let me just get to the--my main point on this \nis that we need to believe in the intelligence that we are \ngetting. 
All of the reports indicate that the assessment and \nintelligence changed once the President didn't like it.\n    We, as Members of Congress, need to know that we are going \nto get the whole truth and nothing but the truth from our \nintelligence communities, because we have a responsibility to \nact whether we like it--don't like the information.\n    So the real question to you is can we believe and trust \nthat the information we are getting from you, and you all in \nthe intelligence community, is the whole truth and nothing but \nthe truth?\n    Mr. Krebs. Yes, sir, absolutely.\n    Mr. Richmond. Let me shift a little bit to CFATS. I \nrepresent, probably, the No. 1 and No. 2 largest petrochemical \ndistrict in the country. I am concerned that--where the \nproposed budget eliminates the CFS program. Last year officials \nfrom CISA testified before this committee that CFATS is a vital \npart of our Nation's counter-terrorism efforts, and very much a \npressing need in view of the continuing level of chemical \nterrorism threats.\n    January 15, DHS issued an alert warning about heightened \nthreats from Iran, specifically in the chemical sector. So can \nyou share any information you have about what intelligence \nassessments or security assessments CISA has completed to \nsupport the elimination of the CFATS program, and how will \neliminating CFATS make my constituents safer?\n    Mr. Krebs. So thank you for the question specific to the \nJanuary alert related to the heightened tensions of Iran. I \ndon't believe that was associated with any specific \nintelligence product targeting chemical--the chemical sector. 
\nThat was more--again, back to my opening comment about being a \ncustomer-centric organization, that was a request that came in \nfrom the chemical sector that said, ``Can you guys pull \nsomething together for the sector that will speak specifically \nto Iran and the things the chemical sector can do to protect \nthe sector?''\n    So more broadly on the CFATS issue, I think where we are \nright now is that, you know, over 15 years or so of \nimplementation of the CFATS program, there is no question that \nwe have changed the risk management dynamics across that \nsector. At the same time, the threat landscape has also \nshifted. Some of the players that were heavy in the 2005 to \n2007 period are not necessarily on the map any more. In the \nmean time, other actors have spread up. The economy, in and of \nitself, how it works, supply chain, chemicals and commerce have \nalso shifted.\n    So I think part of what we are looking to accomplish here \nis, if you look back at CFATS in general and the application of \nthe regulatory program to the sector, it really only \nencompasses about 3,300 facilities. So, if you look back at the \nfiscal year 2020 budget, that is about $72 million across 3,300 \nfacilities.\n    What we are looking to accomplish here is, as we have \nfundamentally changed the way risk is managed in the chemical \nsector across at least 3,300 facilities, what opportunity do we \nhave to extend that risk management opportunity across the \n40,000 facilities of the chemical sector?\n    My sense is that, regardless of what happens here--and of \ncourse, we will implement whatever Congress and--passes, and \nthe President signs, whether it is a re-authorization of CFATS \nor a shift to a voluntary program. But the bigger point here is \nwe are looking for this opportunity to more broadly change risk \nmanagement posture across the chemical sector.\n    Mr. Richmond. 
My last question would be do you support a \ntemporary extension of CFATS so Congress can determine the \nappropriate path forward, No. 1; and No. 2, do you maintain a \nlist of unfunded priorities so that--if you have money, things \nthat you would do?\n    Mr. Krebs. Sir, we do have a significant list of PDOs, or \nprogram opportunities that we would be able to--if funded, we \nwould be able to execute, of course.\n    On your private--on your first question, you know, again, \nwe are in a transition planning process right now with about a \nmonth, a little over a month or so, out from expiration of the \nprogram. So we are focused on transitioning right now. But \nwhatever happens, again, we have the funding for the rest of \nthe year to execute the program if there is a temporary \nextension put in. Thanks.\n    Mr. Richmond. Thank you, and I yield back. I now recognize \nthe Ranking Member, the gentleman from New York, Mr. Katko, for \n5 minutes.\n    Mr. Katko. Thank you, Mr. Chairman. Mr. Krebs, I want to \nkind-of ask you about the Cyberspace Solarium report in \ngeneral, but really talk about how it may impact the budget if \nthose recommendations get implemented.\n    So I view this Solarium report as one of the critical \nthings we can do in Congress this year, and I really believe \nthat the next 9/11 could absolutely, positively be, God forbid, \na cyber attack that is cataclysmic. I am not sure we are ready \nfor it. I think this report recognizes that, and it \nrecognizes--and it makes a series of recommendations.\n    I know part of it is on the defense side, and I--you know, \nwe are more interested in the homeland side in this committee, \nobviously. So if you could, talk from the homeland side on what \nare some of the big things in that report, and how it might \nbe--might impact the budget going forward, so we can plan for \nit.\n    Mr. Krebs. So thank you for that. It is interesting, and I \nam sure Congressman Langevin shares this. 
Being so close to the \nwheel and the development of the report, you see the \nrecommendations, and they just make a lot of sense to us. But \nit is good that someone that is not developed in the--you know, \nwas not involved in the process also thinks they make sense, \nand this doesn't just kind-of fall flat.\n    So the--kind-of the pickup I have seen today, at least, has \nbeen very, very positive that there is some innovative, bold \nrecommendations in the report. But more importantly, there are \nrecommendations within the report that are practical and \neminently implementable. That is the most important aspect of \nthe report in and of itself, that whatever is in it, that we \ncan actually do it.\n    To your point about that defense/offense divide, that was \none of the important policy signals that comes out of the \nreport--to me, at least--that this is not just about investing \nin the Department of Defense and General Nakasone's teams. It \nis also about ensuring that CISA and the rest of the civilian \ncybersecurity space and the private sector have the direction, \nguidance, and resources they need to be able to implement.\n    Some of the key takeaways that I have, the report--I think \nI will focus on 3.\n    First is that it squarely puts CISA at the central \ncoordination point for civilian cybersecurity defense, and that \nbrings all the Federal partners together, but that also, \nimportantly, brings the Federal--or the private sector, as well \nas State and local partners together.\n    There are going to be some significant employment \nimplications here. Do we have the facilities that we need to \ntruly set up a collaboration space? We are operating in about 9 \ndifferent facilities in Baghdad.\n    Mr. Katko. A bunch of them, and they do seem to be all over \nthe place.\n    Mr. Krebs. 
We have 9 facilities in the National Capital \nRegion that we have been in since 2005, when I was a contractor \nwith the prior organization, one of the first inhabitants of \nthe building. We need a refresh. So we are going through that \nprocess right now with the St. Elizabeths program.\n    We just need to make sure that we have the access for our \nprivate-sector partners to the facility, that we can \naccommodate regular access from private-sector partners, and \nmake it an experience that they want to actually participate \nin. It is a kind-of if-you-build-it-they-will-come sort-of \napproach. So that aspect we are focused on.\n    There is another piece of it, continuity of the economy, \nthat we are working through right now. That is kind-of, in some \npart, a manifestation of our National critical functions work \nthat we launched last year. We are also seeing that play out \nright now across the COVID response. So we have developed a \nframework for analyzing broader supply chain impacts of COVID \nacross 4 different elements.\n    The first is, is there a commodity disruption that would \ndisrupt a business or a function?\n    The second is, is there a workforce disruption that you may \nnot be able to continue delivering that service or function?\n    Then there are 2 kind-of demand-side issues. No. 1, you \nhave over-demand, and that could be, like, the N95, you have \ntoo much demand and, therefore, you have a cratering within the \nfunction. On the flip side of that, you may see in \ntransportation there is a lack of demand. So the function then \ndegrades.\n    So those are the sorts of things that we want to push into \nthat continuity of the economy. We have the rubric, but we \nare--you know, to fully implement that recommendation is going \nto require significant analytic investments within the agency.\n    Then last, workforce, workforce, workforce. 
As I mentioned \nin my opening, to be successful in this space, to be truly a \ncustomer-centric organization, I have to have personnel out in \nthe field, not just engineers here in District of Columbia, but \ncustomer service professionals out where our customers are. \nThat is going to require a significant investment in personnel.\n    Mr. Katko. Thank you very much. It does sound like there is \ngoing to be more requests, from a financial standpoint, from \nthe committee and from other committees to implement these \nplans. As we work them out and tease them out and get them into \nlegislative formats, we will definitely revisit those issues. \nSo thank you very much for that.\n    Mr. Hentz, what--if you could, just describe quickly, what \nare the key legislative priorities for your organization this \nyear?\n    Mr. Hentz. Thank you, Chairman, Ranking Member. What we \nwere----\n    Mr. Katko. I will take Chairman.\n    Mr. Hentz [continuing]. Trying to do right now is----\n    [Laughter.]\n    Mr. Hentz. What we are trying to do right now is prioritize \nthe list of requirements from our operational components.\n    To specifically answer your question, those priorities look \nlike countering unmanned aerial systems, things like 5G and \nother supply chain risk mitigators. Obviously, support to \nborder and commerce, as well as our support to emerging \nbiological and chemical risk.\n    So those are our core primary equities right now that we \nare trying to focus on.\n    Mr. Katko. Thank you very much. I am interested in that. I \nwill yield back, but I just want to note in Syracuse, New York \nthey are going to start building a 5G manufacturing facility, \nthe first one in the country that is going to have all American \ncomponents, which is critical for cybersecurity, going forward.\n    We also have one of the largest unmanned aerial system \nresearch corridors, from Rome Labs to Syracuse, New York. 
So we \nare at the tip of the spear with some of your priorities. So I \nlook forward to working with you further on those, going \nforward. I hope we can continue the lines of communication.\n    With that I yield back, Mr. Chairman.\n    Mr. Richmond. The gentleman yields back. I now recognize \nthe gentleman from Rhode Island, Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman. Let me begin by \nthanking you for--and the Ranking Member for the supportive \ncomments about the Solarium Commission project, and the report \nthat we are issuing today, and, Mr. Chairman, for your \nleadership on the issue of cyber, and I look forward to \ncontinuing to collaborate with you on these--on this important \ntopic.\n    Good morning to Director Krebs and Mr. Bryan, thank you \nvery much for being here today. Mr. Hentz, I appreciate your \nbeing here today, I look forward to hearing what you have to \nsay.\n    Director Krebs, I guess I want to begin with you, and \nexpress my appreciation to you for your participation in the \nCyberspace Solarium Commission. Your contributions to that \neffort, and the dialog that took place, and the ultimate \nfindings, your contributions were invaluable. Obviously, the \nreport is being released today, and I am very proud of the work \nthat we did bring, in bringing together many different \nstakeholders and coming up with a series of recommendations, as \nyou pointed out, I think, are eminently doable, and that I hope \nwill advance the ball on cybersecurity.\n    So my first question, the report identifies various ways \nthat CISA should work with sector-specific agencies to improve \ninformation sharing and collaboration with private-sector \nentities. 
So, for example, the report highlights that we need \nmore clarity in statute of what is required of SSAs in order to \nensure that you have the information that you need to do your \njob.\n    So, Director Krebs, do you agree that Congress should work \nto lay out the responsibilities of SSAs to both their private-\nsector partners and to CISA? That we should research them \nappropriately to perform these functions?\n    Well, I will stop there, and then I have other questions.\n    Mr. Krebs. So I think this is where we need to strike the \nright balance. It certainly makes a whole lot of sense to me \nthat sector-specific agencies--of which I actually own 8 of \nthem, between IT, comms, critical manufacturing, chemical, \nnuclear, emergency services--that we develop within those \nsector-specific agencies the specific requirements and \nattributes of those sectors.\n    You know, we can handle the core cybersecurity, whether it \nis the business side or the control system side. We can develop \nthat core capability. But what I need is the specifics of the \nsector to be layered on top of that understanding, and I can't \ninvest in significant treasury, or banking, finance, so that is \nabsolutely the responsibilities that we would be looking to be \nclearly articulated.\n    Mr. Langevin. Can you talk about how CISA plans to work \ntoward implementing the recommendations, if you would?\n    Mr. Krebs. Well, I--so, right now, it--now that the report \nis out we have that kind of--the triage list, working through, \nof course, some of the templates that the--Executive Director \nMontgomery has pushed out. So we have got those identified, and \nthe sorts of resources that we will need, the things we could \ndo now, the things we will have to do down the road, but also \nworking with the Commission on what will require legislative \nassistance.\n    You know, I think there is a significant amount of the \nrecommendations that we can implement right now. 
But, \nobviously, with some of the requirements for--whether it is IOT \nstandards or some of the additional requirements on critical \ninfrastructure, that is going to require either Congressional \naction or some sort of regulatory proceeding.\n    Mr. Langevin. So, like my other colleagues here today, I \nalso want to be on record as saying that I am very concerned \nabout the cuts to CISA's budget proposed by the administration.\n    Look, the National Risk Management Sector--Center, in \nparticular, is a critical component of the Solarium \nCommission's recommendations, especially when it comes to \nsyncing up the cyber expertise that CISA has with the sector-\nspecific enterprise and the SSAs. So do you believe that the \nNRMC will be able to carry out its own mission, in addition to \nthe ones recommended by the Solarium report, with the requested \namount of funding?\n    Mr. Krebs. So I think--the way that I see the budget is--\nRanking Member Rogers mentioned, you know, the proposal and the \nactual budgeting piece.\n    You know, I am on the formulation and implementation side. \nThe way the 2021 budget was developed, given the timing of \nformulation, the timing of the 2020 appropriations, they were \nout of step. So the 2021 budget request, the President's budget \nrequest, was built on the 2019 enacted. So if you look at it \nin--through that lens, it is actually an increase over the 2019 \nenacted.\n    Because we didn't receive the fiscal year 2020 \nappropriations until late December, by that time the 2021 \nPresident's budget was already baked, from my--from where I \nsit, at least. So it was out of my control, that was already \ncooked. There was not time to kind-of re-peg it against the \n2020.\n    So what you see, instead, in the President's budget \nrequest, are the key areas of focus for the agency. There is \nplenty of room for investment. 
The National Risk Management \nCenter, for instance, has plenty of room for investment to get \nthe additional analytic capabilities, we would need, if that is \nwhat the Congress decides.\n    Mr. Langevin. Clearly, CISA is going to need additional \nresources to do the job that we are expecting you to do. I \nappreciate the job that you are doing, as director, and your \nteam at CISA. Thank you for that.\n    With that, Mr. Chairman, I yield back.\n    Mr. Richmond. The gentleman from Rhode Island yields back. \nI now recognize the gentleman from Alabama, Mr. Rogers, for 5 \nminutes.\n    Mr. Rogers. Thank you, Mr. Chairman.\n    Mr. Krebs, you know, it has been reported that there are \nover 300,000 cybersecurity job vacancies in the country at \npresent. So we have a real challenge. That is across, you know, \nthe private and public sectors. How many job vacancies do you \nhave that you are struggling to fill?\n    Mr. Krebs. At the moment we have got about 655 vacancies \nwithin the agency, about 151 of those are cybersecurity. I have \nabout a 95 percent retention rate on the cybersecurity side, \nwhich is good, and it is improving.\n    What we are doing right now, particularly as we continue to \nhire against the fiscal year 2020 funding--in that set, again, \npeg the FTE rate higher. We are trying to look at hiring as a--\nfrom a systematic approach. So left to right, from--you know, \nidentifying the job to actually getting a person in a seat with \nthe PIV card and a machine, ready to roll. That requires a \nwhole host of partners within CISA and without. So, really \ntrying to flush out who owns these things, what are the \nbottlenecks, and then what is the plan we are putting against \nit.\n    So a couple examples of choke points or bottlenecks that we \nare seeing, it is the hiring manager develops a position \ndescription. The problem with the hiring manager doing that is \na hiring manager is a collateral job. It is an other-duties-as-\nassigned. 
So I have someone who is a program manager and an \nengineer, but also has to do a hiring manager job.\n    So we are saying, OK, maybe we relieve them of the hiring \nmanager responsibility and have full-time hiring managers \nthat--their job, at least on a 6-month, maybe cyclical basis, \nwould be to just work position descriptions, just work the \ninterview process. We think that can streamline and make a more \nefficient process.\n    We also have to look at----\n    Mr. Rogers. Have you started that?\n    Mr. Krebs. Yes, sir. We did. We--a couple of weeks ago we \nlaunched a task force to focus just on this sort of thing.\n    Mr. Rogers. I am sorry to interrupt you.\n    Mr. Krebs. So we are going to be plowing through those PDs \nand the selections, which then gets us to the subsequent piece, \nthe security.\n    For instance, in the past we have looked at cybersecurity \njobs as requiring top secret SCI clearances. We are challenging \nthose assumptions. You know what? I might not need out in the \nfield anybody that has a TS. Secret might be fine. So let's \ntake a stab at that. If they need TS down the road, then we can \nput them in for that process. The TS is a--the top secret \nclearance is a significant additional time lag in hiring. So we \nare going to change the way we write PDs. Plus there are other \npolicy and process issues.\n    Again, some of that security clearance review I have to \noutsource to other parts of the Department, so let's see what \nwe can do there.\n    But also, like, just getting smarter about how we write \nposition descriptions. So working in part with the Aspen Group \nand the--their cybersecurity working group, they issued a \nseries of recommendations on how to improve cybersecurity \nhiring.\n    One of them that we have adopted is how do you--don't over-\nspec the position description. So you are trying to hire a \njob--someone into a job. Don't say you have got to be able to \ndo 15 things. 
Just tell them the 2 or 3 things you need them to \ndo. So those are the sorts of things.\n    We are just trying to bring a little bit of reality into \nthe hiring process, and we have already seen a 12 percent \ndecrease in our time to hire. So, in some cases, it is--that is \nonly--you know, that goes from, like, 260 days to maybe 240 \ndays, just trying to improve these numbers a little bit, and \nincrementally do it. But we think we have got processes in \nplace. We will be able to dramatically cut the hiring process.\n    Mr. Rogers. Do you feel--have you found that your salary \nand benefit packages is adequate to compete for talent?\n    Mr. Krebs. I--so thank you for bringing that up, because I \nneglected to mention it.\n    We have been provided a series of different retention and \nhiring incentives that we can use, including tuition \nreimbursement, up to 25 percent hiring--or, rather, retention \nbonus. So I can actually, I think, generally, compete in the \nmarket. Certainly not on the top, top, top, top end, but we can \nprovide--between mission and pay and just quality of life, we \nthink we can do a pretty good job here.\n    So it is just about getting out there, and making sure we \nare using smarter, you know, platforms, and really hitting some \nof the on-line--like, LinkedIn, and things like that, \naggressively recruiting across those platforms.\n    Mr. Rogers. Have you found that you have been able to bring \nin many CISA employees through the Scholarship for Service \nprogram?\n    Mr. Krebs. We have used that, and that is one of the key \npartners that we bring folks in, particularly at the--kind-of \nthe lower and mid-level of the GS structure, not at the higher \nGS-15. But we need to take greater advantage of that, that is \nthe way I see it.\n    For us, it is somebody is doing recruiting for us, and we \nhave just got to go kind-of collect resumes. 
We can make on-\nthe-spot--at the SFS hiring fairs we can make on-the-spot \noffers and immediately get the process started, and that shaves \n2 weeks off.\n    Mr. Rogers. I would love to take the lead on helping you \nwith that particular issue. I think the Scholarship for Service \nprogram is a very under-used tool. So if you will get with me, \nlet me know whatever you need, I will take the ball and run \nwith that.\n    Thank you, Mr. Chairman.\n    Mr. Krebs. Thank you.\n    Mr. Richmond. The gentleman from Alabama yields back. I now \nrecognize the gentlewoman from New York, Miss Rice, for 5 \nminutes.\n    Miss Rice. Thank you so much, Mr. Chairman.\n    Director Krebs, as you responded in--as you said in \nresponse to a question by Mr. Langevin, it is clear that it is \ngoing to be up to Congress to translate many of the Cyberspace \nSolarium Commission's recommendations into legislation, or \nlegislative proposals. But I think it is worth noting that the \nfiscal year 2021 budget request would not advance the \nSolarium's vision for CISA, which I think is problematic, to \nsay the least.\n    But my question is how is--how do you plan to invest in 5G \nsecurity and resilience, supply chain security, and election \nsecurity with less money?\n    Mr. Krebs. So if you look at the past 3 years, we started \nfrom scratch. I will use election security as an example. We \nstarted from scratch. We had zero election-specific money. Over \nthe past 3 years Congress has invested about $102 million in \nour election security effort. Last year was about--it was about \n$43 million. 
The fiscal year 2020 budget--2021 budget has, I \nthink it is, about $30.5 pegged against election security.\n    What we are using that, those funds, to do is, yes, provide \nspecific election capabilities, but also invest in broader \ncapacity and capabilities within the agency on vulnerability \nmanagement, threat hunting, any of those sorts of \nvulnerabilities--scanning capabilities, remote penetration \ntesting. So we will continue to do that. The more we put in \nthere, it will directly benefit elections, but also the broader \ncritical infrastructure community.\n    But again, with more I can always do more. So, again, \nwhatever you will, of course, appropriate, we will be able to \nimplement and execute against.\n    Miss Rice. So I think one of the problems with the election \ninterference is--putting aside what the intent is, putting \naside what countries like Russia and China--what specific \ncandidate they are trying to help, put that determination \naside. When you look at just the overwhelming amount of \ndisinformation that is out there, how do you address that \nissue?\n    So if a specific campaign sees this just repeated \ndisinformation--that, obviously, we will just assume is \nnegative--against one particular person, what do you suggest a \ncampaign--and whether it is a Republican or a Democratic \ncampaign, because disinformation is at the heart of what is \nhappening here, and it--you know, the attempt to sway the \nopinions of everyday Americans.\n    So how would you suggest that people and campaigns handle \nthat?\n    Mr. Krebs. So, stepping back a little bit in the broader \ndisinformation issue, and countering disinformation, we tend to \nview it as a supply and demand problem. On the supply side, you \nactually--you have these--or the influence operators, whether \nit is Russia, Iran, China, whomever it is, doesn't matter, \npushing that information. 
Right?\n    So there are capabilities across the intelligence \ncommunity, the law enforcement community, within the private \nsector on the social media platforms that can disrupt that \nsupply, but do it in a content-neutral way that is more about \ntagging actors, sharing those, illuminating campaigns.\n    You know, I got to give a lot of credit to the social media \norganizations for--you know, compared to 2016, we are light \nyears ahead of where we were. Is there room to improve? \nAbsolutely. There is more that can be done, particularly with \nencouragement, I think, from the Congress.\n    But there is another side to all of this.\n    So, specific to your question, if you see it, report, you \nknow, send it in to the FBI, send it to the social media \nplatforms. They have dedicated teams that are monitoring, but \nalso have intake mechanisms so that they can identify and then \ntake down these campaigns.\n    But the more important aspect of this--so we are--this is a \nWhack-a-Mole game if we are always chasing the latest disinfo \ncampaign. What we have got to do is focus also on the demand \nside. The demand side is the American people. So how do we \ncreate a more discerning public, a more informed, educated \npublic on the things that are happening across the news and the \nmedia and the social media platforms they see?\n    So that is what we have put a lot of effort into, and \nthat--you know, I think probably the most known, well-known \nthing we have done there is the War on Pineapple, which was \nlast year we launched a program that distilled down how \ndisinformation operations work, how the Russians do it, but we \ndid it not in a way that it is Russia, it is whether you like \npineapple on your pizza or not. So it is a very kind of non-\nconfrontational issue, but it is educational. We got \nSecretaries of State, election directors involved, pitted on \neither side. 
Even the--I think the armed forces of Canada got \ninvolved in the whole thing, so we had a foreign influence \noperator in here, but it doesn't matter.\n    [Laughter.]\n    Mr. Krebs. Anyway, it was educational. It actually took \noff. People started to get it.\n    So there is a civic education opportunity in front of us, \nand those are the things we are looking to do with the social \nmedia platforms, as well as academia and some of the other \nnonprofits that are involved here.\n    Miss Rice. I would like to follow up with you on that. \nThank you very much.\n    I yield back.\n    Mr. Richmond. The gentlelady from New York yields back. I \nnow recognize the gentleman from North Carolina, Mr. Walker, \nfor 5 minutes.\n    Mr. Walker. Thank you, Mr. Chairman.\n    Mr. Hentz, is that the correct--so yes. Since the military \ndoctrines of Russia, China, North Korea, and Iran include EMPs, \nelectromagnetic pulse attacks, with their cyber strategies, and \nthat our civilian infrastructure is highly vulnerable to EMPs, \nhow is DHS addressing the existential threat of an EMP attack \nso that Americans can be assured they are safe?\n    Mr. Hentz. Thank you for the question. 
So what we have \ndone, specifically, is formed a very tight relationship with \nCISA, who, from the Department, owns the mission space, per the \n18 NDA, I believe it was, to ensure that there is a cooperative \npublic-private partnership between their organization and \ncritical infrastructure owner-operators.\n    What we have done, specifically, is a T&E assessment to \nhelp with a better understanding of how one might go about \nshielding their critical infrastructure, how to better \nobfuscate critical elements that might be subject to EMP, GMD, \nand other types of solutions, and then working with CISA, \npropagate that information throughout the mission spaces \nthrough which they operate to ensure that everyone has good \nhygiene practices.\n    But at the end of the day, what we are really driven by is \na demand signal from CISA and its mission partners in the field \nto help inform what our R&D should be.\n    Mr. Walker. Thank you for that answer.\n    Director Krebs, CISA has started their team closely \nmonitoring the coronavirus, and is working with critical \ninfrastructure partners to prepare for possible disruptions \nthat--they may stem from wide-spread illnesses. How is the \nagency ensuring the disruptions are minimized to critical \ninfrastructure sectors such as the emergency services sector, \nor the nuclear reactors, materials, and waste sector, both of \nwhich DHS has designated as the sector-specific agency in the \nevent of a large outbreak?\n    Can you address some of that?\n    Mr. Krebs. Yes, sir. So we established within CISA about--\nit was early February we stood up an enhanced coordination \ncell, and designated a mission manager. So that really was--is \nthe nexus of all COVID-related activity within the agency.\n    Under that we have got a series of lines of effort. The \nfirst line of effort is physical protective measures and \nrecommendations. 
That typically takes CDC guidance, and then \napplies sector-specific guidance on top. That looks at \ndifferent business models: ``If you are heavy into public \nengagement, like a hotel or a sporting venue, here are the \nthings you should be doing.'' But it also looks at industrial \nenvironments, including pipelines, chemical, electricity.\n    We also have a line of effort focused on cybersecurity. So, \nas organizations move to telework, what are the cybersecurity \nconsiderations? Because the attack profile changes. You might \nbe using more VPNs, so make sure you have got your Citrix and \nother VPNs patched, things like that.\n    But also targeting and looking into the phishing campaigns \nthat we have already seen the bad actors using as an incentive \nor enticement to get people to click on links.\n    We are also looking at these continuity of the economy \naspects, as I already talked about, those 4 elements of how a \nfunction may be degraded.\n    Then, looking deeply at disinformation, as well, so working \nwith our intelligence community partners of how is disinfo \nplaying out across COVID, and this is important in the election \nspace. Particularly, we had a call last week with about 600 \nState and local election officials about, you know, what are \nthe hygiene practices they can take, but also what are we \nseeing in the disinfo space, and how can we dispel any sort of \ncoronavirus or COVID impacts on voter turnout, for instance.\n    You are already starting to see some of those discussions \ntake place into action. Earlier this week Secretary Frank \nLaRose from Ohio announced that any voting precincts in nursing \nhomes or assisted living communities will be moved out----\n    Mr. Walker. OK.\n    Mr. Krebs [continuing]. They will not be taking place. So \nwe think that is a great outcome that we need to--we want to \ncontinue pushing that information----\n    Mr. Walker. A very thorough answer. 
My follow-up, would a \ndecrease in funding for fiscal year 2021 threaten the \nfunctionality or security of any of these components that you \nmentioned if an outbreak were to occur?\n    Mr. Krebs. So I think, based on the 2020 budget, we have \nbeen able to build capacity. The 2021 budget will allow us to \ncontinue that activity. I think what you would see is \nenhancements wouldn't be able to happen, necessarily. That is \none thing that we are looking at right now on COVID with the \nNational Risk Management Center, in particular, what additional \nanalytic capability do we need to bring in right now to do \nprospective analysis. That, of course, is going to continue, \nlikely, past the fiscal year break.\n    Mr. Walker. So security, not necessarily compromised, but \nenhancements moving forward would be inhibited. Is that fair?\n    Mr. Krebs. I think steady--it is--you know, we can maintain \nwhat we have, but we see the threat landscape shifting, and so, \nyou know, the ability to further invest in capabilities, I \nthink, would benefit.\n    Mr. Walker. Thank you, Mr. Chairman. I yield back.\n    Mr. Richmond. Thank you, the gentleman from North Carolina \nyields back. I now recognize the gentlewoman from Michigan, Ms. \nSlotkin, for 5 minutes.\n    Ms. Slotkin. Great. Thanks to both of you for being here.\n    Mr. Hentz, I am interested in this idea of how the \nDepartment of Homeland Security can move new ideas, \nparticularly on the issue of border security, new technology \nthat might help us secure our borders more efficiently. How do \nyou take that right now, from pilot project to actual scaled \nuse?\n    It is a problem we have in the Defense Department. I am on \nthe Armed Services Committee. I have a bill that is trying to \nbridge this gap. But can you explain to us, and potentially \nexplain some of the gaps we have in going from great idea that \nmaybe the private sector has to a scalable, usable piece of \ntechnology?\n    Mr. Hentz. Sure. 
So thank you for the question.\n    The first thing that we try to do is get a really refined \nunderstanding of what the operational gap is from that \ncomponent.\n    So, in this case, let's say, we are working with CBP. We \nestablished them as a board of director-type member for our \ninnovation approach. What we have done is stood up capabilities \nsuch as the Silicon Valley Innovation Program--it is more so \nabout the idea of finding unique innovation in industry--and we \npaired those innovators, those non-traditional performers, with \nthose operators.\n    Once they completely understand the use case, what we do is \nalmost like a shark tank-like type of approach to determining \nwhether or not their solution is actually, No. 1, usable and \neffective in an operational environment, and then, No. 2, does \nit then scale?\n    Now, where the deficiency is, such--I think you are going \nfor, is that we, as an S&T organization, we don't have \nacquisition authority. So, while we may go off and find these \nunique end-state types of solutions that are coming out of the \nemerging market, it is still incumbent upon the operator, like \na CBP or a CISA, to program for those acquisitions. Because we \ndon't have that authority, we don't then, by definition, go off \nand buy that solution for that operational component.\n    So I think that that is one of the main----\n    Ms. Slotkin. Yes.\n    Mr. Hentz [continuing]. Deterrence for quick adaptation.\n    The other is more predictability around other transactions \nauthorities. By us using other transactions authorities, or the \noperators using 880 authority, that would also give the \nDepartment a head start, a jump, if you will, where it is not a \nbig, traditional acquisition.\n    Ms. Slotkin. Yes. 
So I am working on a bill with some of my \ncolleagues across the aisle called the Intel at Our Borders \nAct, which basically requires the Department to provide a \ncomprehensive strategy on how to integrate some of these new, \nemerging technologies. It is actually something CBP, our local \nfolks in Michigan, the Northern Border, have been super excited \nabout. They have helped us draft the bill.\n    So more to follow, but we would love any notes for the \nrecord on what would be helpful for you to actually make this \nmore effective.\n    Director Krebs, I just want to thank you for your approach \nto this committee. I know it is a strange thing for both of you \nto be up here sort-of defending your budget which cuts your \nbudget, but knowing that we will put money back in your budget. \nThat is a complicated thing to do, and I want to thank you for \nhaving your--I think it is--he is your assistant director for \ncybersecurity--Bryan Ware came up and did a briefing, sort of a \nget-to-know-you thing, and that stuff makes such a difference \nwhen you are talking to a committee that is looking to help \nyour department. So thank you for doing that.\n    Can you tell me--we--I constantly do these events with my \nlocal governments, who feel pretty wholly unprepared to manage \ncybersecurity on their own. They just--some of them are working \npart-time, this is not their primary job. They are trying to do \ntheir best. I know that we have put in--again, like, this \ncommittee has been great about talking about building up \nresources for our local officials to provide for themselves.\n    But in your perfect world, you know, it seems like we can't \nkeep doing this, where we are expecting really small \ncommunities to defend themselves. They hold the private data of \nour residents. So what has to happen? Where are we going? Help \nus forecast how we are going to better protect ourselves, since \nour local communities are on the front lines.\n    Mr. Krebs. 
So it is going to require--and, yes, I think \nabout this almost nonstop, and nowhere is this more acute than \nin election security, of course, with 8,800 jurisdictions \nacross the country that are managing, in a lot of cases, \nsignificantly outdated systems. They are just operating from a \nlack of funding.\n    So I think there are a couple of challenges here.\n    First is just the governance aspects, when you have just \nthis diversity of ways that States manage, or are able to \nmanage, based on home rule or otherwise, requirements across \ndistributed counties and jurisdictions.\n    There is also a funding issue, of course. The States just \nhave significantly different funding profiles than the Federal \nGovernment that can run a deficit.\n    Then, just the availability to services. There is not a lot \nof acquisition leverage or procurement leverage when you are \ntalking about a local jurisdiction.\n    So, at the governance piece, we are continuing to just \nraise awareness with State governments, with State \nlegislatures. You know, my theory is that awareness leads to \ninvestment, which builds capabilities. We are going to have to \ncontinue beating the drum on cybersecurity awareness. That is, \nI know, sometimes a shocking thing to hear, that people still \nneed to be made aware of cyber risks, but it just--it remains \nthe case. We need the leadership to understand this.\n    The second thing on the funding, understanding that there \nare a couple different bills floating around on providing \ngrants to State and locals, I think those are certainly useful \nthings we need to work through, and we need to get to a spot \nwhere, like FEMA has, the Disaster Relief Fund, you know, what \ndoes a cyber equivalent look like? But, at the same time, we \nare not sitting back and waiting. 
We--in the recent FEMA/\nHomeland Security grant program, which I am sure you all heard \nfrom your chiefs of police and emergency management, we did put \nsome requirements in there for cybersecurity and election \nsecurity investments, which, over the last 7, 8, probably 10 \nyears, has been a National preparedness report, key area of \nlack of preparation.\n    Then, last, what more can I do in the Federal Government \nspace to provide additional services out to Federal partners? \nSo the continuous diagnostics and mitigation platform, for \ninstance, is something that we can open up. It is on the GSA \nschedule, we can do that. Some States don't have the ability to \nbuy from GSA, so we need to change that behavior, but also make \nthings affordable.\n    The DOTGOV Act, which allows for the actual .gov domains to \nopen up. There is a $400 requirement. Four hundred dollars in \nlocal jurisdictions in Michigan or elsewhere, that is a \ndifference-maker. That can be, you know, somebody's bonus. So \nthese are the things we need to work through.\n    Then last, we are making--we are working through standing \nup a protective DNS service for the Federal Government. How do \nwe open that recursive protective DNS program or platform for \nState and locals, as well? I see centralization and opening up \nservices like that as the key to changing risk outcomes for \nState and local partners.\n    Mr. Richmond. The time of the gentlelady from Michigan is \nexpired. I now recognize the gentlelady from Illinois, Ms. \nUnderwood, for 5 minutes.\n    Ms. Underwood. Thank you, Mr. Chairman.\n    Several weeks ago a school district that serves my \ncommunity in Crystal Lake, Illinois was hit with a ransomware \nattack. The school officials did pretty much everything right. \nThey took the servers off-line, they protected sensitive data, \nthey avoided major disruptions in student learning, they \nplanned ahead. They even had a cyber insurance policy. 
But it \nstill took over a month to get the student computers back on-\nline, and the attack cost over $800,000, not all of which is \ncovered by even good insurance.\n    The fact is that ransomware attacks are business, and that \nbusiness is good. While both CISA and Congress have made \nimportant steps, they aren't enough for schools like those in \nCrystal Lake.\n    So, Director Krebs, can you tell us more about the profile \nof these kinds of attackers, and are they nation-state actors \nor affiliates, organized cyber criminals, lone actors? Can you \njust say something about the----\n    Mr. Krebs. Yes, ma'am. I am smiling because your \n``ransomware is business, and business is good'' line, I have \nused that before, and it is absolutely what is going on.\n    Ms. Underwood. Yes, sir.\n    Mr. Krebs. So the way we look at ransomware right now is \nthere are kind-of 3 things that are going to have to change.\n    First is we have to continue investing in the defensive \nside. Yes, they did all the right things, but I am sure that, \nwhen you go and do the post-mortem, there were elements that \ncould have been implemented to protect. You know, really, what \nwe are finding is just some simple measures like multi-factor \nauthentication, appropriate Windows administration, least \nprivilege, things like that can just stop it from happening, \nand then go to the next partner. The--or the target.\n    The second thing we have to do is disrupt the economic \nmodel, disrupt the business model.\n    Ms. Underwood. Right.\n    Mr. Krebs. It--like you said, business is good. That is why \nit continues. So how do we disrupt that? Are there things we \ncan do, the Congress can do to target the ransomware actors, to \ntake a look at actually paying out ransomware, whether that is \na public policy issue or not? 
I think that is a good question \nthat we need to take a hard look at.\n    Then the third thing we have to do is what more can the \nFederal Government do, not just from a defensive side, but from \nmore of an aggressive, almost defend-forward perspective, do to \ndisrupt these behaviors? You know, we know where these guys \noperate. They are not in the United States, they are in Russia \nand elsewhere. What can we do to put additional pressure on \nthem from the intelligence community and from the Department of \nDefense and----\n    Ms. Underwood. But would you characterize the actors--how \nwould you characterize the attackers themselves?\n    Mr. Krebs. The actors themselves are criminals.\n    Ms. Underwood. OK.\n    Mr. Krebs. They are straight-up criminals. Not necessarily, \nyou know, in this case--you know, I mentioned Russia, so it is \nnot like they are necessarily FSB, but they are cyber criminals \noperating in the sovereign space of some of our adversaries in \nsome cases.\n    Ms. Underwood. Yes. So I thank you for outlining those next \nsteps that we can all take to protect our communities and \ncritical assets that we all have within our own organizations \nfrom ransomware attacks.\n    I do think that there is more room for leadership from CISA \nand from law enforcement here.\n    Mr. Krebs. Yes, ma'am.\n    Ms. Underwood. My constituents weren't sure, for example, \nwhether to leave the evidence of the attack intact, or to try \nto get the operation up and running quickly to serve their \nstudents.\n    So, if you can just offer, you know, advice for what to do \nfor communities that are experiencing this type of attack----\n    Mr. Krebs. 
So we have issued a significant amount of \nguidance and best practices, not complicated, 80-page guidance \nstuff, but 1-page, 2-page sort-of guidance for our partners.\n    One thing that I don't think we have explored quite enough \nis working with you and Congress, understanding the influence \nyou have back home----\n    Ms. Underwood. Right.\n    Mr. Krebs [continuing]. With your partners in the school \ndistricts and the public health community. Please encourage \nthem to work with us. There are things that we could do to help \nthem to make sure that they don't have that bad day.\n    Ms. Underwood. Right.\n    Mr. Krebs. Because $800,000 to a small community in your \njurisdiction----\n    Ms. Underwood. It is significant.\n    Mr. Krebs. It is. That can be back-breaking in some cases--\n--\n    Ms. Underwood. So do you think that there are technical \nstandards that hardware and software products should meet in \norder to limit their vulnerability to ransomware attacks?\n    Mr. Krebs. Again, a lot of this ransomware is just a matter \nof somebody clicking on a link. It is often delivered by spear \nphishing. In some cases it is delivered by a remote desktop \nprotocol, ports being open, things like that. So this is not \nnecessarily a hard sec or software sec issue. It is \nconfiguration. It is Windows administration, Windows \nadministration, Windows administration.\n    Ms. Underwood. Right.\n    Mr. Krebs. Those are the sorts of things that we need to \ninvest in. It is just awareness, and how can we just configure \nfrom the get-go better postures.\n    Ms. Underwood. OK. So Mr. Cuccinelli, your colleague, is \ngoing to be coming to testify before the larger committee this \nafternoon, and he has said that CISA has been assessing \n``issues of concern,'' potential impacts to infrastructure from \ncoronavirus in the event of significant community spread in the \nUnited States. 
Those are clips of his quotes.\n    Significant community spread is already happening. So, \nDirector Krebs, can you just talk about what impacts to \ncritical infrastructure that you are seeing, and what should \nour States and localities expect to come in the weeks and \nmonths?\n    Mr. Krebs. Yes, ma'am. So we are trying to break it out \nfrom the tactical today, and the PPE, or the personal \nprotective equipment----\n    Ms. Underwood. Yes.\n    Mr. Krebs [continuing]. That is out there into the more \nstrategic, longer-term analysis. I talked about it a little bit \nearlier, but through our National Risk Management Center, and \nthe National critical functions approach, what we are trying to \ndo is understand what those key elements of degradation might \nbe.\n    We have identified 4 key aspects. The first is disruption \nof a commodity, of a key commodity, like a widget in a--that \nwould go into a car, some sort of device that would go into a \ncar that would prevent it from rolling off the line, for \ninstance.\n    The second is workforce disruption. So whether it is \nabsenteeism, sick-outs, or other sorts of issues, particularly \nacross different business models.\n    The third and fourth are more about the demand. So, in some \ncases, like N95 you would have an increase of demand, where you \ncan't meet it.\n    Ms. Underwood. Right.\n    Mr. Krebs. Then the other, the fourth element, is a \ncratering of demand. That could be, in some cases, \ntransportation. So we try to pull those all together.\n    We are seeing automotive, we are seeing IT and comms \ndisruptions, and then also soft goods.\n    Ms. Underwood. Well, as you are publishing documents to the \ncommunities about those, can you keep our committee informed? \nWe appreciate it.\n    Thank you, and I yield back.\n    Mr. Richmond. The time of the gentlelady is expired. 
I want \nto thank the witnesses for their valuable testimony, and the \nMembers for their questions.\n    The Members of the committee may have additional questions \nfor the witnesses, and we ask that you respond expeditiously in \nwriting to those questions.\n    Without objection, the committee records shall be kept open \nfor 10 days.\n    Hearing no further business, the committee is adjourned.\n    [Whereupon, at 12:13 p.m., the subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n    Questions From Hon. Sheila Jackson Lee for Christopher C. Krebs\n    Question 1. Director Krebs, I represent Houston, Texas. It is one \nof the largest metropolitan cities in the country, hosts one of the \nbusiest international airports and is also home to one of the largest \nexport hubs in America. As of yesterday, there were 13 cases of COVID-\n19 in Texas.\n    First, what are you doing, and what is the Government doing, to \nspread true information about the virus and its potential impacts?\n    Answer. Response was not received at the time of publication.\n    Question 2. In last week's CISA Insights document, you identified 4 \nrisk management strategies related to supply chain security and the \nCoronavirus (COVID-19).\n    For the record, can you tell me what advice CISA is giving to help \nStates and industry prepare and be resilient against a COVID-19 \npandemic?\n    Answer. Response was not received at the time of publication.\n    Question 3. How is the Department of Homeland Security preparing \nState and local election administrators for the November Election given \nCoronavirus will still be with us until there is a vaccine?\n    Answer. Response was not received at the time of publication.\n\n                                 [all]\n</pre></body></html>\n"