[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                 DEFENDING AGAINST FUTURE CYBER ATTACKS: 
                  EVALUATING THE CYBER SPACE SOLARIUM 
                  COMMISSION RECOMMENDATIONS

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                     CYBERSECURITY, INFRASTRUCTURE
                       PROTECTION, AND INNOVATION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 17, 2020

                               __________

                           Serial No. 116-79

                               __________

       Printed for the use of the Committee on Homeland Security
                                     


        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
43-867 PDF                  WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------                               
                               

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            Mike Rogers, Alabama
James R. Langevin, Rhode Island      Peter T. King, New York
Cedric L. Richmond, Louisiana        Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     John Katko, New York
Kathleen M. Rice, New York           Mark Walker, North Carolina
J. Luis Correa, California           Clay Higgins, Louisiana
Xochitl Torres Small, New Mexico     Debbie Lesko, Arizona
Max Rose, New York                   Mark Green, Tennessee
Lauren Underwood, Illinois           John Joyce, Pennsylvania
Elissa Slotkin, Michigan             Dan Crenshaw, Texas
Emanuel Cleaver, Missouri            Michael Guest, Mississippi
Al Green, Texas                      Dan Bishop, North Carolina
Yvette D. Clarke, New York           Jefferson Van Drew, Texas
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
                       Hope Goins, Staff Director
                 Chris Vieson, Minority Staff Director
                                 ------                                

     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND 
                               INNOVATION

                Cedric L. Richmond, Louisiana, Chairman
Sheila Jackson Lee, Texas            John Katko, New York, Ranking Member
James R. Langevin, Rhode Island      Mark Walker, North Carolina
Kathleen M. Rice, New York           Mark Green, Tennessee
Lauren Underwood, Illinois           John Joyce, Pennsylvania
Elissa Slotkin, Michigan             Mike Rogers, Alabama (ex officio)
Bennie G. Thompson, Mississippi (ex officio)
               Moira Bergin, Subcommittee Staff Director
           Sarah Moxley, Minority Subcommittee Staff Director
                            
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island:
  Oral Statement
  Prepared Statement
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement
  Prepared Statement

                               Witnesses

Hon. Angus King, a United States Senator from the State of Maine, 
  and Co-Chair, Cyberspace Solarium Commission:
  Oral Statement
  Joint Prepared Statement
Hon. Michael Gallagher, a Representative in Congress from the 
  State of Wisconsin, and Co-Chair, Cyberspace Solarium 
  Commission:
  Oral Statement
  Joint Prepared Statement
Ms. Suzanne Spaulding, Commissioner, Cyberspace Solarium 
  Commission:
  Oral Statement
  Joint Prepared Statement
Dr. Samantha Ravich, Ph.D., Commissioner, Cyberspace Solarium 
  Commission:
  Oral Statement
  Joint Prepared Statement

 
  DEFENDING AGAINST FUTURE CYBER ATTACKS: EVALUATING THE CYBER SPACE 
                  SOLARIUM COMMISSION RECOMMENDATIONS

                              ----------                              


                         Friday, July 17, 2020

             U.S. House of Representatives,
                    Committee on Homeland Security,
                            Subcommittee on Cybersecurity, 
                                 Infrastructure Protection,
                                            and Innovation,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 12:30 p.m., 
via Webex, Hon. James R. Langevin [Member of the subcommittee] 
presiding.
    Present: Representatives Jackson Lee, Langevin, Rice, 
Underwood, Slotkin, Thompson; Katko, and Joyce.
    Mr. Langevin. Good afternoon. The Subcommittee on 
Cybersecurity, Infrastructure Protection, and Innovation will 
come to order.
    Good afternoon, everyone. I want to thank the co-chairs of 
the Cyberspace Solarium Commission and Commissioners Spaulding 
and Ravich for participating in today's hearing. I would also 
like to thank the gentleman from Louisiana, Mr. Richmond, for 
allowing me the honor of chairing this subcommittee in his 
absence.
    I have the privilege of serving on the Solarium Commission 
with the witnesses testifying here today. I can honestly say 
that working on a report was one of the highlights of my 
Congressional career--research, outreach, and deliberation was 
a testament to our 2 co-chairs, Senator King--here today to 
testify this afternoon. I hope our subcommittee will take full 
advantage of the wealth of knowledge of the virtual witnesses 
at the witness table.
    The commission's report outlines a strategy of layered 
cyber deterrence, and includes 82 recommendations on how the 
Government can implement the strategy. I am looking forward to 
discussing those recommendations with my colleagues today, 
particularly those that would strengthen the cybersecurity--the 
Cybersecurity and Infrastructure Security Agency by increasing 
its capabilities and clarifying its relationship with the 
intelligence community and sector-specific agencies.
    I am also looking forward to covering the essential role of 
Congress in implementing our Nation's cybersecurity posture. 
From the outset of the--and thanks to the work of our dedicated 
executive director, Mark Montgomery, we deliberated with a bias 
toward action. After all, as the Members of the subcommittee 
know full well, the status quo in cyber space sees us making--
status quo in cyber space sees us making steady progress, while 
the threat increases exponentially.
    We need to act, and act now, to change that dynamic and get 
ahead of the curve. I am proud to report that leaders of this 
subcommittee, including Chairman Richmond, Ranking Member 
Katko, and Representatives Jackson Lee, Rice, Slotkin, Green, 
and Joyce all have recommendations to the forthcoming National 
Defense Authorization Act and impending--and to implement 
aspects of the Solarium report.
    It is an honor to share the virtual dais with Members 
committed to addressing this quintessential information-age 
challenge, and I am sure the committee and this subcommittee 
will continue to play a vital role in implementing the report.
    I encourage our witnesses to discuss why Congress is so 
important to moving the conversation forward on cybersecurity, 
and I encourage my colleagues to probe the decision making 
behind the strategy and recommendations.
    The events of this year provide an interesting context in 
which to review the Solarium recommendations. The COVID-19 
pandemic has amended and altered the way we live, the way we 
work, and the way we govern. Overnight, nearly half of employed 
adults became teleworkers, putting added stresses on our 
infrastructure, and creating new opportunities for hackers to 
wreak havoc.
    Now Congress is holding remote hearings, and State and 
local governments have become e-governments with little time to 
transition. Many State and local governments are also finding 
that, due to the antiquated IT systems and the fact that their 
data aren't in the cloud, that they are unable to scale and 
secure vital programs like unemployment insurance, highlighting 
the need for modernization as part of the security push.
    Our adversaries have noticed the broader attack surface. 
Just yesterday, CISA, in conjunction with allies in the UK and 
Canada, announced that Russian operatives are targeting health 
care organizations doing research on the virus.
    [Audio malfunction.]
    Mr. Langevin [continuing]. The breach of Twitter that saw 
many prominent accounts linking to a Bitcoin scam. It doesn't 
take much imagination to see what chaos one could sow with such 
access on Election Day if a bad actor was pushing out 
disinformation.
    The realities of 2020 make clear that a comprehensive 
whole-of-Nation approach to cybersecurity is necessary, but--is 
a necessity, but we do not yet have one. So we lack a clear 
leader in the White House whose mission it is to focus on 
cybersecurity. We lack clear understanding of roles and 
responsibilities, both within Government and--between 
Government and the private sector. We lack clear metrics to 
measure our progress.
    The Cyberspace Solarium Commission report cannot fix all of 
the challenges that we face in cyber space. But it does chart a 
bold course, and it does not shy away from the trade-offs we 
will need to make to decisively improve our cybersecurity 
posture.
    The report makes clear that everyone, from Government, to 
private-sector companies, to Congress itself needs to make 
meaningful changes. We need to expect more from Government: 
Closer coordination across agencies; stronger collaboration 
with critical infrastructure; and a--and critically, a greater 
emphasis on planning. We need to strengthen Government 
agencies--in particular, CISA--to do so.
    We also need to expect more from the private sector. We 
need companies to truly accept the risk that they take in cyber 
space by accepting the consequences of failing to protect their 
data and networks.
    We also need technology companies, what the report calls 
``cybersecurity enablers,'' to do more to make the secure 
choice the default choice. Too often we see a rush to be first 
to market, not secure in a market. Too often we see entities 
like the ISPs not protecting the small and medium-sized 
customers, because they don't believe it is their job. More 
importantly, where the public and private interests at--the 
nexus of critical infrastructure that this committee is charged 
with protecting. We need to ensure the private sector is doing 
its part to protect itself, while acknowledging that they can't 
go it alone.
    So this is part of the end-state we desire in the Solarium 
report, a state where we are resilient enough to deter our 
adversaries and agile enough to push back when they insist on 
testing our defenses. To that end, to end--to--that end-state 
is in reach, but it will require the work of this subcommittee 
and of the experts that we have invited before us if we are to 
achieve that goal.
    So I look forward to beginning what I am sure will be a 
fruitful series of discussions on how to implement the Solarium 
report.
    I again thank our witnesses who are here today. I am 
grateful that the co-chairs of the Cyber Solarium Commission 
could be here, Senator Angus King and Congressman Mike 
Gallagher.
    I am honored that Suzanne Spaulding could be here, as well, 
and I look forward to all of our witnesses' testimony today.
    [The statement of Mr. Langevin follows:]
                  Statement of Hon. James R. Langevin
                             July 17, 2020
    I had the privilege of serving on the Solarium Commission with the 
witnesses testifying here today, and I can honestly say that working on 
our report was one of the highlights of my Congressional career. Our 
thoughtful research, outreach, and deliberation was a testament to our 
two co-chairs, Senator King and Congressman Gallagher, and I hope our 
subcommittee takes full advantage of the wealth of knowledge at the 
virtual witness table.
    The commission's report outlines a strategy of layered cyber 
deterrence and includes 82 recommendations on how the Government can 
implement that strategy. I am looking forward to discussing those 
recommendations with my colleagues today--particularly those that would 
strengthen the Cybersecurity and Infrastructure Security Agency by 
increasing its capabilities and clarifying its relationship with the 
intelligence community and sector-specific agencies.
    I am also looking forward to covering the essential role of 
Congress in improving our Nation's cybersecurity posture. From the 
outset of the commission--and thanks to the work of our dedicated 
executive director, Mark Montgomery--we deliberated with a bias toward 
action. After all, as the Members of this subcommittee know full well, 
the status quo in cyber space sees us making steady progress while the 
threat increases exponentially.
    We need to act, and act now, to change that dynamic and get ahead 
of the curve. I am proud to report that leaders on this subcommittee, 
including Chairman Richmond, Ranking Member Katko, and Representatives 
Jackson Lee, Rice, Slotkin, Green and Joyce all have amendments to the 
forthcoming National Defense Authorization Act to implement aspects of 
the Solarium report. It is an honor to share the (virtual) dais with 
Members committed to addressing this quintessential Information Age 
challenge, and I am sure the committee--and this subcommittee--will 
continue to play a vital role in implementing the report.
    I encourage our witnesses to discuss why Congress is so important 
to moving the conversation forward on cybersecurity. I encourage my 
colleagues to probe the decision making behind the strategy and the 
recommendations.
    The events of this year provide an interesting context in which to 
review the Solarium Commission's recommendations. The COVID-19 pandemic 
has upended and altered the way we live, the way we work, and the way 
we govern. Almost overnight, nearly half of employed adults became 
teleworkers, putting added stress on our infrastructure and creating 
new opportunities for hackers to wreak havoc.
    Now Congress is holding remote hearings, and State and local 
governments have become e-governments with little time to transition. 
    Many State and local governments are also finding that, due to 
antiquated IT systems and the fact that their data aren't in the cloud, 
they are unable to scale and secure vital programs like unemployment 
insurance, highlighting the need for modernization as part of the 
security push.
    Our adversaries have noticed the broader attack surface. Just 
yesterday, CISA--in conjunction with allies in the United Kingdom and 
Canada--announced that Russian operatives are targeting health care 
organizations doing research on the virus. And 2 days ago, we saw a 
major breach of Twitter that saw many prominent accounts linking to a 
Bitcoin scam. It doesn't take much imagination to see what chaos one 
could sow with such access on Election Day if a bad actor was pushing 
out disinformation.
    The realities of 2020 make clear that a comprehensive, whole-of-
Nation approach to cybersecurity is a necessity, but we do not yet have 
one. We lack a clear leader in the White House whose mission it is to 
focus on cybersecurity. We lack clear understanding of roles and 
responsibilities, both within Government and between Government and the 
private sector. We lack clear metrics to measure our progress.
    The Cyberspace Solarium Commission report cannot fix all the 
challenges we have in cyber space. But it does chart a bold course, and 
it does not shy away from the trade-offs we will need to make to 
decisively improve our cybersecurity posture. The report makes clear 
that everyone--from Government to private-sector companies to Congress 
itself--needs to make meaningful changes.
    We need to expect more from Government: Closer coordination across 
agencies, stronger collaboration with critical infrastructure, and, 
critically, a greater emphasis on planning. And we need to strengthen 
Government agencies--in particular CISA--to do so.
    We also need to expect more from the private sector. We need 
companies to truly accept the risks they take in cyber space by 
accepting the consequences of failing to protect their data and 
networks. We also need technology companies--what the report calls 
``cybersecurity enablers''--to do more to make the secure choice the 
default choice. Too often, we see a rush to be first to market, not 
secure to market. Too often, we see entities like ISPs not protecting 
their small and medium-sized customers because they don't believe it's 
their job.
    Most importantly, where the public and private intersect, at the 
nexus of critical infrastructure that this committee is charged with 
protecting, we need to ensure the private sector is doing its part to 
protect itself while acknowledging that they can't go it alone.
    This is part of the end-state we desire in the Solarium report, a 
state where we are resilient enough to deter our adversaries and agile 
enough to push back when they insist on testing our defenses. That end-
state is in reach, but it will require the work of this subcommittee--
and of the experts we have invited before us--if we are to achieve that 
goal.

    Mr. Langevin. With that, I am now proud to yield to Mr. 
Katko for his opening remarks.
    Mr. Katko. Thank you, Mr. Chairman, I appreciate your 
comments. Before I begin I want to congratulate one of the 
Solarium members on the birth of his first child, 
Representative Gallagher.
    Grace Ellen Gallagher came to this world not too long ago, 
and we welcome her in. You--I will raise--I will hoist a pint 
in her honor soon.
    I want to thank all the commissioners for their work on the 
Cyberspace Solarium Commission, and congratulate them on 
producing a truly game-changing report and recommendations that 
accompany that report that take a bold step in the direction of 
reinventing our Nation's cybersecurity policy and architecture. 
The commission's legislative proposals accompanying the 
recommendations are enabling Congress to act quickly and 
decisively on these urgent measures.
    I am interested in all the recommendations in the report, 
and I have gone through all of them, but I am really focused on 
several of them today, and they are as follows: Strengthening 
the Cybersecurity and Infrastructure Agency, or CISA, and its 
work force; evaluating CISA's facilities needs; strengthening 
the CISA director position, and making the assistant directors 
clear positions--the National cyber director; authorizing CISA 
to threat hunt on the gov domain, .gov domain; developing a 
strategy to secure email; and modernizing the digital 
infrastructure of State and local governments, and small and 
mid-sized businesses.
    As Ranking Member on the Cybersecurity, Infrastructure 
Protection, and Innovation Subcommittee, my top priority among 
the commission's recommendations is strengthening and 
clarifying CISA's authority, and vastly increasing its funding 
to allow it to carry out its role as the Nation's risk manager, 
coordinating the protection of critical infrastructure and 
Federal agencies and departments from cyber threats.
    I introduced this recommendation as a bill, together with 
Mr. Ruppersberger, and cosponsored his amendment to the NDAA, 
which requires CISA to assess what additional resources are 
necessary to fulfill its mission. This assessment should 
examine CISA's work force composition and future demands, and 
report to Congress on the findings.
    Under this bill, CISA would also evaluate its current 
facilities and future needs, including accommodating 
integration of personnel, critical infrastructure partners, and 
other Department and agency personnel, and make recommendations 
to GSA. GSA must evaluate CISA's recommendations and report to 
Congress within 30 days on how best to accommodate CISA's 
missions and goals with commensurate facilities.
    The facilities evaluation dovetails with the commission's 
recommendation for an integrated cyber center within CISA. That 
is critically important.
    In conjunction with Chairman Richmond's CISA director 
amendment to the NDAA bill that I cosponsored, I reintroduced 
my CISA director bill. The bill and amendment elevate and 
strengthen the CISA director position to reflect the 
significant role that it plays, and making the position the 
equivalent of an assistant secretary or military service 
secretary. They limit the term of the CISA director to 2 5-year 
terms, which ensure the agency has stable leadership, and de-
politicizes the assistant director positions by making them 
career positions.
    A related amendment that my fellow colleague, Mr. Green, 
cosponsored and I cosponsored, clarifies CISA's authority to 
conduct continuous threat hunting across the .gov domain. This 
will increase CISA's ability to protect Federal networks, and 
allow CISA to provide relevant threat information to critical 
infrastructure.
    Finally, the recommendation to establish a National cyber 
director within the White House, offered as an amendment to the 
NDAA by my colleague and friend, Mr. Langevin, is another 
legislative proposal I am cosponsoring. This Presidentially-
nominated and Senate-confirmed National cyber director would be 
the principal cybersecurity adviser to the President, tasked 
with developing, counseling the President on, and supervising 
implementation of a National cyber strategy, which is sorely 
needed. This leadership will bring focus to our Nation's 
cybersecurity as a top strategic priority.
    I look forward to hearing from our witnesses today about 
these Solarium recommendations and many others that fall under 
the jurisdiction of our subcommittee, as well as working with 
my colleagues to attach many of the commission's 
recommendations as possible to the NDAA, another must-pass 
vehicle, or pass as stand-alone bills.
    I want to thank the Chairman for holding this important 
hearing. I look forward again to convening in person with my 
committee colleagues. But I want to take a moment before I 
close to really commend the members of the Solarium Commission: 
Mr. King, Mr. Gallagher, Ms. Spaulding, Mr. Langevin, and all 
the others.
    I think that what you did is what they did after 9/11 with 
respect to terrorism. You are anticipating the issues before we 
have a catastrophic attack. I commend all of you for doing 
that. That is why I think this is such an important hearing we 
are having today.
    So the bipartisanship that has been shown on this, the lack 
of politics, and understanding the issues, and understanding 
the threat and attacking it, it is exactly what we should be 
doing. I commend everyone for that.
    With that, Mr. Chairman, I yield back.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
    Thank you, Mr. Chairman.
    I want to thank all of the commissioners for their work on the 
Cyberspace Solarium Commission and congratulate them on producing a 
game-changing report and recommendations that take a bold step in the 
direction of reinventing our Nation's cybersecurity policy 
architecture. The commission's legislative proposals accompanying the 
recommendations are enabling Congress to act quickly and decisively on 
these urgent measures.
    The recommendations I am most interested in hearing about today 
are, strengthening the Cybersecurity and Infrastructure Security Agency 
(CISA) and its workforce, evaluating CISA's facilities needs, 
strengthening the CISA director position and making the assistant 
directors career, the National cyber director, authorizing CISA to 
threat hunt on the .gov domain, securing email, developing a strategy 
to secure email, and modernizing the digital infrastructure of State 
and local governments and small and mid-sized businesses.
    As Ranking Member on the Cybersecurity, Infrastructure Protection, 
and Innovation Subcommittee, my top priority among the commission's 
recommendations is strengthening and clarifying the Cybersecurity 
Infrastructure Security Agency's (CISA) authority and vastly increasing 
its funding to allow it to carry out its role as the Nation's risk 
manager coordinating the protection of critical infrastructure and 
Federal agencies and departments from cyber threats. I introduced this 
recommendation as a bill, which requires CISA to assess what additional 
resources are necessary to fulfill its mission. This assessment should 
examine CISA's workforce composition and future demands and report to 
Congress on the findings.
    Under the bill, CISA would also evaluate its current facilities and 
future needs including accommodating integration of personnel, critical 
infrastructure partners, and other Department and agency personnel and 
make recommendations to GSA. GSA must evaluate CISA's recommendations 
and report to Congress within 30 days on how best to accommodate CISA's 
mission and goals with commensurate facilities. The facilities 
evaluation dovetails with the commission's recommendation for an 
integrated cyber center within CISA.
    I reintroduced my bill elevating and strengthening the CISA 
director position to reflect the significance of the role, making the 
position the equivalent of an assistant secretary or military service 
secretary. My bill limits the term of the CISA director to 2, 5-year 
terms, which ensures the agency has stable leadership. It also 
depoliticizes the assistant director positions by making them a career.
    A related legislative proposal that I am working with colleagues to 
pass, clarifies CISA's authority to conduct continuous threat hunting 
across the .gov domain. This will increase CISA's ability to protect 
Federal networks and allow CISA to provide relevant threat information 
to critical infrastructure.
    Finally, the recommendation to establish a National cyber director 
within the White House is another legislative proposal I am 
cosponsoring. This Presidentially-nominated and Senate-confirmed 
National cyber director would be the principal cybersecurity advisor of 
the President, tasked with developing, counseling the President on, and 
supervising the implementation of a National cyber strategy. This 
leadership will bring focus to our Nation's cybersecurity as a top 
strategic priority.
    I look forward to hearing from our witnesses today about these 
Solarium recommendations and the many others that fall under the 
jurisdiction of our subcommittee as well as working with my colleagues 
to attach many of the commission's recommendations to the National 
Defense Authorization Act (NDAA), another must-pass vehicle or pass as 
stand-alone bills.
    In closing, I want to thank the Chairman for holding this important 
hearing and I look forward to again convening in person with my 
committee colleagues.

    [Pause.]
    Mr. Katko. I can't hear anything, Jim----
    Mr. Langevin. I was muted, sorry about that. I thank the 
Ranking Member for his comments, and I want to join with him.
    First of all, I want to thank you, Ranking Member, for your 
leadership on cybersecurity issues, as well as I have been 
honored to join with the Ranking Member on these cybersecurity 
issues that are before us, and that are moving their way 
through the Congress.
    I also want to join the Ranking Member in congratulating 
the newest father in the House, Mr. Gallagher, on the birth of 
his baby girl, Grace, and wish all the best to your entire 
family. My congratulations.
    Also, I should mention not--when I mentioned Senator King 
as co-chair along with Congressman Gallagher and Suzanne 
Spaulding, I glossed over and unintentionally didn't mention 
Dr. Samantha Ravich's name, but I am going to read bios on each 
of them in a minute. But I welcome, obviously, Dr. Ravich, and 
thank her for her participation and valuable contribution that 
she made to this Solarium Commission report, as well.
    So with that, I thank the Ranking Member again.
    Members are reminded that the subcommittee will operate 
according to the guidelines laid out by the Chairman and 
Ranking Member in their July 8 colloquy.
    With that, I ask unanimous consent to waive the committee 
rule 8(a)(2) for the subcommittee during remote proceedings 
under the covered period designated by the Speaker under the 
House Resolution 965.
    Without objection, so ordered.
    The Chair now recognizes the Chairman of the full 
committee, the gentleman from Mississippi, Mr. Thompson, for an 
opening statement.
    Mr. Thompson. Thank you very much, Mr. Chair and Ranking 
Member, and our witnesses today.
    As you know, the Solarium Commission is very forward-
thinking, something--I compliment our witnesses for their 
brilliant work that they have done on it. I compliment you 
personally, being a Member of our committee, having served on 
it.
    I have a written testimony for the record. In the interest 
of time and, again--forward, I will submit it for the record.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                             July 17, 2020
    At the outset, I want to acknowledge how fortunate we are, as 
Members of Congress, to have before us a whole-of-Government, public/
private-sector blueprint for defending the Nation against future cyber 
attacks. Too often, thoughtful documents like this are the product of 
Monday morning quarterbacking that takes place after a catastrophic 
event has occurred.
    After the September 11 attacks, the 9/11 Commission studied how the 
organization and policies of the Federal Government led to its failure 
to predict, prevent, and prepare for the attacks, and made a series of 
recommendations to reorganize the Government and build lacking 
capabilities.
    After Hurricane Katrina, Congress identified critical deficiencies 
in Federal emergency management policy and overhauled it in the Post-
Katrina Emergency Management Reform Act. After the Russian government 
attempted to meddle in our elections in 2016, I co-led a Task Force on 
Election Security to understand vulnerabilities in our election 
infrastructure, and we issued a report and recommendations to address 
them. Soon, I expect we will establish a commission to study the 
failures of the Federal Government that have led to its inept response 
to the COVID-19 pandemic.
    We are lucky we are here today not to discuss a tragedy, but 
rather, how to organize the Federal Government to effectively avoid 
one. At this time, the responsibility for leadership on Federal 
cybersecurity policy rests with Congress.
    Although there are many well-intentioned, capable people working 
hard to advance sound cybersecurity policy throughout the Executive 
branch, the lack of consistent leadership from the White House has 
stunted progress. Over 2 years ago, for example, the White House green-
lighted the elimination of its Cyber Security Coordinator. The result 
is a lack of effective coordination among Federal agencies who compete 
for cybersecurity authorities, responsibilities, and associated 
budgets--and Federal agencies approaching Congress with conflicting 
priorities. The time has come for that to stop.
    Toward that end, I appreciate and support the commission's 
recommendation that Congress establish a National cyber director. I 
understand Congressman Langevin has authored legislation to implement 
that recommendation and has also submitted it as an amendment to the 
NDAA. I fully support both efforts.
    I similarly appreciate the commission's recommendations regarding 
strengthening the Cybersecurity and Infrastructure Security Agency and 
more clearly defining the roles and responsibilities of CISA and sector 
risk management agencies. Right-sizing CISA's budget and equipping it 
with the authorities necessary to carry out its mission to secure 
Federal networks, while also supporting critical infrastructure, has 
been a bipartisan priority of committee Members.
    I am particularly interested in hearing Ms. Spaulding's thoughts on 
these recommendations given her perspective as the former under 
secretary of the National Protection and Programs Directorate.
    Additionally, I am interested in discussing commission 
recommendations related to implementing a ``carrot and stick'' approach 
to encourage private-sector collaboration with the Federal Government's 
cybersecurity and defense efforts, particularly the proposed 
codification of ``systemically important critical infrastructure.''
    Finally, I would be remiss if I did not address the commission's 
observation that Congress' fractured jurisdiction over cybersecurity 
frustrates efforts to achieve a comprehensive, cohesive approach to 
cybersecurity. I agree. While I disagree with the commission's 
recommendation on that point, rest assured that I am working to address 
the underlying problem.

    Mr. Langevin. I thank you, Chairman Thompson, and I thank 
you for your leadership, both of the full committee on a whole 
host of issues, but for your leadership and support on 
cybersecurity, in particular. You have been incredible, and I 
thank you for that, your leadership there.
    I understand that Mr. Rogers is not able to join us. Is 
that correct?
    OK, I believe that is the case. So if Mr. Rogers is not 
here, then with that, again, I thank the Chairman, and I now 
welcome our panel of witnesses.
    First I would again like to welcome Senator Angus King, the 
former Governor of Maine, who served as co-chair of the 
Solarium Commission. Senator King currently sits on the Senate 
Armed Services Committee and the Senate Committee on 
Intelligence, among others, and has been a vocal leader on 
cybersecurity throughout his tenure. I welcome the Senator 
here.
    Next, Representative Mike Gallagher, co-chair of the 
Cyberspace Solarium Commission and current Member of the House 
of Representatives for the 8th district of Wisconsin. Mr. 
Gallagher is a Member of the House Armed Services Committee, 
and a former Member of this committee. I would also like to 
welcome Mr. Gallagher back to the committee again, back to 
Congress after his paternity leave, and I thank him for 
interrupting his paternity leave, being here with us.
    Again, Mr. Gallagher, congratulations on your daughter, 
Grace. In addition to being a huge Packers fan, I know they 
will be incredibly very proud of their father for the work that 
you have done with the commission.
    Next we will hear from Suzanne Spaulding, a commissioner 
for the Cyber Solarium Commission and senior adviser at the 
Center for Strategic and International Studies. Before that Ms. 
Spaulding served as the under secretary for the National 
Protection and Programs Directorate at the Department of 
Homeland Security, which is now the Cybersecurity and 
Infrastructure Security Agency, or CISA. So I look forward to 
hearing her unique perspective and her emphasis on how civics 
education is an essential component of resiliency.
    Finally, we have Dr. Samantha Ravich, a commissioner of the 
Cyber Solarium Commission, and former deputy national security 
adviser during the Bush administration. Dr. Ravich is currently 
serving as the chair of the Foundation for Defense of 
Democracy's Center for Cyber and Technology Innovation. I 
deeply appreciate her coming to speak with us today, and for 
her incredible contributions to, I think, a continuity of the 
economy.
    With that, without objection, the witnesses' full 
statements will be inserted into the record. I now ask each 
witness to summarize their statements for 5 minutes, beginning 
with Senator King.
    Senator King, it was a pleasure serving with you on the 
Solarium Commission, and I look forward to hearing your 
comments here today. You are now recognized.

STATEMENT OF HON. ANGUS KING, A UNITED STATES SENATOR FROM THE 
  STATE OF MAINE, AND CO-CHAIR, CYBERSPACE SOLARIUM COMMISSION

    Senator King. Mr. Chairman, thank you very much for holding 
this hearing. It really means a lot to the work of the 
commission to be taking this next step.
    I would say that I use this technology every Wednesday 
morning for the Senate Prayer Breakfast, and it seems to work 
very effectively, except when we try to sing hymns. So I think, 
as long as we don't sing any hymns today, we will be OK.
    I appreciate your time. I also appreciate the involvement 
and engagement of Representative Katko, who has--who outlined a 
series of bills, all of which we think are important, and I 
really want to thank him for his work.
    I want to give a little bit of background. The first thing 
to observe is that, in the last 6 months, we have learned that 
the unthinkable can happen. The unthinkable can happen. In the 
last 48 hours, we have learned that cyber is an ever-present 
threat.
    As the Chairman mentioned in his opening statement, the 
attack on Twitter, which was a commercial one, but also the 
apparent attack by the Russians on the security of our pursuit 
of a vaccine, it is just a reminder that this is not an 
academic question, but it is something that is really a--front 
and center in threats that this country is facing.
    The commission that you mentioned several times, and that 
Mike Gallagher and I were privileged to co-chair, was set up in 
the 2019 National Defense Act. It had a unique structure. It 
had 4 sitting Members of Congress, 4 members from the 
Executive, and 6 members from the private sector. I can 
honestly say that, throughout our deliberations--and we had 
over 30 meetings, had 400 interviews, thousands of pages of 
documents--there was not a single moment of partisanship or of 
partisan discussion. In fact, I have no idea the party 
affiliation of the other 10 members of the commission who 
aren't Members of Congress. That, it seems to me, speaks to the 
importance and overriding power of this issue that really must 
unite us.
    So that was the work of the commission. We went through, as 
I mentioned, 30 meetings together. We had stress tests. We had 
a sort-of contest of ideas in the middle of last summer, and we 
really tried to approach this with fresh eyes to look at, 
really, 2 basic questions: What should our strategy be, and 
what should our organizational structure be to--both to 
protect, to prepare, and to prevent cyber attacks?
    As you mentioned, there are 82 recommendations in the 
report, 54 of which have been converted into legislative 
recommendations and presented to the various committees of both 
the House and the Senate in the form of fully-drafted 
legislative proposals.
    What we are talking about is what is called layered cyber 
deterrence, and that means resilience so that our adversaries 
feel that there is not much to be gained by attacking us 
because of our security and our protection of our systems, but 
also a declaratory policy that, if attacked, we will respond.
    One of the deficiencies in our cyber posture over the last 
several decades has been we have a deterrence strategy for a 
major sort-of threshold of use of force, but we haven't had a 
strategy, and we haven't articulated a doctrine that would 
provide a deterrent for less than use-of-force kind of cyber 
attacks.
    For that reason, as I have said many times, we are a cheap 
date. Our adversaries don't--they don't compute the cost of 
attacking us. That has to change. That is the strategic 
picture.
    The organizational picture is that cyber is scattered 
throughout the Federal Government. It is in the Defense 
Department, it is in the intelligence community, it is in DHS, 
it is in the FBI. We really need to try to straighten out the 
organizational structure.
    One of my observations has been that messy structure equals 
messy policy. That leaves with the creation of a National cyber 
director in the White House, appointed by the President, 
confirmed by the Senate, which will give continuity to this 
important interest. We want somebody in the Federal Government 
who wakes up every morning with the mission of protecting this 
country in cyber space.
    Finally, one of the crucial elements that we tried to 
address in the report--and frankly, it is a difficult one--is 
the relationship between the Government and the private sector. 
Eighty-five percent of the target space in cyber is in the 
private sector. The private-sector computers, whether they are 
in the financial sector, or energy, or transportation, or 
telecommunications, they are the front line troops in this 
battle. Yet it is the Federal Government that often has the 
resources and the expertise and the ability to pull together 
this information in order to protect our country.
    So I will go back to--I think one of you stated--I think 
Mr. Katko, Representative Katko, stated and Mike Gallagher said 
this was our mission from the beginning. We wanted to be the 9/11 
Commission report without 9/11. That is really what we have 
tried to focus upon in this project.
    So I want to thank the committee. Now is the time to put 
these recommendations into law, into practice, if we are going 
to protect our country in the way that we all believe--it can 
be done, and certainly it should be done. The unthinkable can 
happen. But we can be prepared, we can prevent, and we can 
protect this country.
    Thank you, Mr. Chairman.
    [The joint prepared statement of Sen. King, Hon. Gallagher, 
Ms. Ravich and Ms. Spaulding follows:]
    Joint Prepared Statement of Senator Angus King, Honorable Mike 
           Gallagher, Samantha Ravich, and Suzanne Spaulding
                             July 17, 2020
    The Cyberspace Solarium Commission (CSC) was established by the 
John S. McCain National Defense Authorization Act (NDAA) for Fiscal 
Year 2019 to ``develop a consensus on a strategic approach to defending 
the United States in cyber space against cyber attacks of significant 
consequences.''
    The Cyberspace Solarium Commission consists of 14 commissioners, 
including 4 currently-serving legislators, 4 Executive branch leaders, 
and 6 recognized experts with backgrounds in industry, academia, and 
Government service. Senator Angus King and Representative Mike 
Gallagher serve as the co-chairmen. The commissioners spent the past 13 
months studying the issues, investigating solutions, and deliberating 
on courses of action to produce a comprehensive report. Our 
commissioners convened nearly every Monday that Congress was in session 
for over a year, achieving an impressive benchmark of 30 meetings. The 
staff conducted nearly 400 interviews with industry, Federal, State, 
and local governments, academia, non-Governmental organizations, and 
international partners. The commissioners also recruited our Nation's 
leading cybersecurity professionals and academic minds to vigorously 
stress test the findings and red-teamed the different policy options in 
an effort to distill the optimal approach to securing the United States 
in cyber space. The final report was presented to the public on March 
11, 2020 and identified 82 specific recommendations. These bi-partisan 
recommendations were then subsequently turned into 52 legislative 
proposals that have been shared with the appropriate committees in the 
Senate and House of Representatives.
    Ultimately, the commission developed a strategic approach of 
``layered cyber deterrence'' with the objectives of actively shaping 
behavior in cyber space, denying benefits to adversaries who exploit 
this domain, and imposing real costs against those who target America's 
economic and democratic institutions in and through cyber space. Our 
critical infrastructure--the systems, assets, and entities that 
underpin our National security, economic security, and public health 
and safety--are increasingly threatened by malicious cyber actors. 
Effective critical infrastructure security and resilience requires 
reducing the consequences of disruption, minimizing vulnerability, and 
disrupting adversary operations that seek to hold our assets at risk. 
We believe the future of the U.S. economy and our National security 
requires that both the Executive branch and Congress work in tandem to 
prioritize and grant the following recommendations.
    First and foremost, the commission found that the Federal 
Government lacks consistent and institutionalized leadership, as well 
as a cohesive, clear strategic vision on cybersecurity. As a result, we 
recommend that Congress establish a National cyber director in the 
Executive Office of the President to centralize and coordinate the 
cybersecurity mission at the National level. The National cyber 
director would work with Federal departments and agencies to bring 
coherence in the development of cybersecurity policy and strategy and 
in its execution. The position would provide clear leadership in the 
White House and signal cybersecurity as an enduring priority in U.S. 
National security strategy.
    Second, the Government must continue to improve the resourcing, 
authorities, and organization of the Cybersecurity and Infrastructure 
Security Agency (CISA) in its role as the primary Federal agency 
responsible for critical infrastructure protection, security, and 
resilience. We recommend empowering CISA with tools to strengthen 
public-private partnership. Of particular value would be the 
authorities needed to aid in responding to attempted attacks on 
critical infrastructure from a variety of actors ranging from nation-
states to criminals. Currently, the U.S. Government's authorities are 
limited exclusively to certain criminal contexts, where evidence of a 
compromise exists, and do not address instances in which critical 
infrastructure systems are vulnerable to a cyber attack. To address 
this gap, Congress should grant CISA subpoena authority in support of 
their threat and asset response activities, while ensuring appropriate 
liability protections for cooperating private-sector network owners.
    Third, elements of the U.S. Government and the private sector often 
lack the tools necessary for successful collaboration to counter and 
mitigate a malicious nation-state cyber campaign. To address this 
shortcoming, the Executive branch should establish a Joint Cyber 
Planning Office under CISA to coordinate cybersecurity planning and 
readiness across the Federal Government and between the public and 
private sectors for significant cyber incidents and malicious cyber 
campaigns. Within a similar vein, Congress should also direct the U.S. 
Government to plan and execute a National-level cyber table-top 
exercise on a biennial basis that involves senior leaders from the 
Executive branch, Congress, State governments, and the private sector, 
as well as international partners, to build muscle memory for key 
decision makers and develop new solutions and strengthen our collective 
defense.
    Fourth, the United States must take immediate steps to ensure our 
critical infrastructure sectors can withstand and quickly respond to 
and recover from a significant cyber incident. Resilience against such 
attacks is critical in reducing benefits that our adversaries can 
expect from their operations--whether disruption, intellectual property 
theft, or espionage. Congress should direct the Executive branch to 
develop a Continuity of the Economy Plan. This plan should include the 
Federal Government, SLTT entities and private stakeholders who can 
collectively identify the resources and authorities needed to rapidly 
restart our economy after a major disruption. In addition, the 
commission recommends establishing a Cyber State of Distress tied to a 
Cyber Response and Recovery Fund, giving the Government greater 
flexibility to scale up and augment its own capacity to aid the private 
sector when a significant cyber incident occurs. These changes will 
ensure the infrastructure that supports our most critical National 
functions can continue to operate amidst disruption or crisis.
    Fifth, the commission recommends 2 relevant initiatives to reshape 
the cyber ecosystem toward greater security for all Americans. The 
first, the creation of a National Cybersecurity Certification and 
Labeling Authority, would help create standards and transparency that 
will allow consumers of technology products and services to use the 
power of their purses over time to demand more security and less 
vulnerability in the technologies they buy. Furthermore, Congress 
should appropriate funds to the Department of Homeland Security (DHS), 
in partnership with the Department of Energy, Office of the Director of 
National Intelligence (ODNI), and the Department of Defense (DoD), to 
competitively select, designate, and fund up to 3 Critical Technology 
Security Centers in order to centralize efforts directed toward 
evaluating and testing security of devices and technologies that 
underpin our networks and critical infrastructure.
    Sixth, the U.S. intelligence community is not currently resourced 
or aligned to adequately support the private sector in cyber defense 
and security. While the intelligence community is formidable in 
informing security operations in instances when the U.S. Government is 
the defender, its policies and procedures are not aligned to 
intelligence collection on behalf of private entities, which 
constitutes around 85 percent of our critical infrastructure. To that 
end, Congress should direct the Executive branch to conduct a 6-month 
comprehensive review of intelligence policies, procedures, and 
resources to identify and address key limitations in order to improve 
the intelligence community's ability to provide intelligence support to 
the private sector.
    Throughout the process of developing its recommendations, the 
commission always considered Congress as its ``customer.'' Through the 
NDAA, Congress tasked the commission to investigate cyber threats that 
undermine American power and prosperity, to determine an appropriate 
strategic approach to protect the Nation in cyber space, and to 
identify policy and legislative solutions. As commissioners, we are 
here today to share what we learned, advocate for our recommendations, 
and work to assist you in any way we can to solve this serious and 
complex challenge.
             intersection between pandemic and cyber crises
    The COVID-19 pandemic has been a big wakeup call for us all because 
it illustrates the challenge of ensuring resilience and continuity in a 
connected world. It is an example of a type of non-traditional National 
security crisis that spreads rapidly through the system, stressing 
everything from emergency services and supply chains to basic human 
needs. The pandemic has produced cascading effects and high levels of 
uncertainty. This situation undermines normal policy-making processes 
and forces decision makers to craft hasty and ad hoc emergency 
responses. Complex emergencies that rely on coordinated action beyond 
traditional agency responses and processes illustrate what the 
commission saw as an acute threat to the security of the United States.
    The lessons the country is still learning from the on-going 
pandemic are not perfectly analogous to a significant cyber attack, but 
are highly illustrative of the possible consequences due to several 
similarities between the 2 types of events. First, both the pandemic 
and a significant cyber attack are global in nature. Second, both the 
COVID-19 pandemic and a significant cyber attack require a whole-of-
Nation response and are likely to challenge existing incident 
management doctrine and coordination mechanisms. Finally, and perhaps 
most importantly, prevention is far cheaper and more effective than 
response.
    The global health crisis has reinforced the urgency of many of the 
core recommendations in the commission's March 2020 report. Responding 
to complex emergencies will require a balance between response agility 
and institutional resilience in the economy and critical infrastructure 
sectors. It relies on strategic leadership and coordination from the 
highest offices in Government, underscoring the importance of a 
National Cyber Director. It relies on a strong understanding of the 
risks posed by a crisis and a data-driven approach to mitigating those 
risks before, during, and after a crisis, validating the commission's 
recommendations. Specifically, successfully responding to a crisis 
relies on clear roles and responsibilities for critical actors in the 
public and private sector as well as established, exercised 
relationships and plans, highlighting the importance of Continuity of 
the Economy planning.
                             the challenge
    For the last 20 years, adversaries have used cyber space to attack 
American power and interests. Our adversaries have not internalized the 
message that, if they attack us in cyber space, they will pay a price. 
The more connected and prosperous our society has become, the more 
vulnerable we are to rival great powers, rogue states, extremists, and 
criminals. These attacks on America occur beneath the threshold of 
armed conflict and create significant challenges for the private sector 
and the public at large.
    The American public relies on critical infrastructure, roughly 85 
percent of which--according to the Government Accountability Office--is 
owned and operated by the private sector. Increasingly, institutions 
Americans rely on--from water treatment facilities to hospitals--are 
connected and vulnerable. There are also new industries and services, 
like cloud computing, which our society relies on for economic growth. 
As we saw last year, hackers don't just target the U.S. Government and 
military personnel--they increasingly target our cities and counties 
with malware and ransomware attacks.
    Creating a secure Nation in the 21st Century requires an 
interconnected system of both public and private networks secure from 
state and non-state threats. China commits rampant intellectual 
property theft to help their businesses close the technological gap, 
costing non-Chinese firms over $300 billion per year. Massive data 
breaches, including those suffered by Equifax, Marriott, and the Office 
of Personnel Management (OPM), enable Chinese spies to collect data on 
over a hundred million Americans.
    Russia targets the integrity and legitimacy of elections in 
multiple countries while actively probing critical infrastructure. In 
spring 2014, Russian-linked groups launched a campaign to disrupt 
Ukrainian elections that included attempts at altering vote tallies, 
disrupting election results through distributed-denial-of-service 
attacks, and smearing candidates by releasing hacked emails. They 
continue to spread hate and disinformation on social media to polarize 
free societies. But they have not stopped there. The 2017 NotPetya 
malware attack spread globally. Iran and North Korea attack U.S. and 
allied interests through cyber space. Iranian cyber operations have 
targeted the energy industry, entertainment sector, and financial 
institutions. There are also documented cases of Iranian APTs targeting 
dams in the United States with distributed-denial-of-service attacks. 
North Korea exploits global connectivity to skirt sanctions and sustain 
an isolated, corrupt regime. The 2017 WannaCry ransomware attacks hit 
over 300,000 computers in 150 countries, including temporarily 
disrupting U.K. hospitals. According to United Nations estimates, North 
Korean cyber operations earn $2 billion in illicit funds for the regime 
each year.
    A new class of criminal thrives in this environment. Taking 
advantage of wide-spread cyber capabilities revealed by major state 
intrusions, criminal groups are migrating toward a ``crime-as-a-
service'' model in which threat groups purchase and exchange malicious 
code on the dark web. In 2019, ransomware incidents grew over 300 
percent compared to 2018 and hit over 40 U.S. municipalities. More 
recently, opportunistic hackers have hijacked hospitals and health care 
systems during the COVID-19 pandemic, taking advantage of poorly 
protected systems at their most vulnerable state. Remote access and the 
expansion of the work-from-home economy continues to increase the 
threat vectors for criminal actors as the world changes to meet the 
needs of a global pandemic.
                           strategic approach
    The strategy put forth by the Cyberspace Solarium Commission 
combines a number of traditional deterrence mechanisms and extends 
their use beyond the Government to develop a whole-of-Nation approach. 
It also updates and strengthens our declaratory policy for cyber 
attacks both above and below the level of armed attack. The United 
States must demonstrate its ability to impose costs while establishing 
a clear declaratory policy that signals to rival states the costs and 
risks associated with attacking America in cyber space.
    Since America relies on critical infrastructure that is primarily 
owned and operated by the private sector, the Government cannot defend 
the Nation alone. The public and private sectors, along with key 
international partners, must collaborate to build resilience and 
reshape the cyber ecosystem in a manner that increases its security, 
while imposing costs against malicious actors and preventing attacks of 
significant consequence.
    Cyber deterrence is not nuclear deterrence. The fact is, no action 
will stop every hack. Rather, the goal is to reduce the severity and 
frequency of attacks by making it more costly to benefit from targeting 
American interests through cyber space. Layered cyber deterrence 
combines traditional methods of altering the cost-benefit calculus of 
adversaries (e.g., denial and cost imposition) with forms of influence 
optimized for a connected era, such as promoting norms that encourage 
restraint and incentivize responsible behavior in cyber space. 
Strategic discussions all too often prioritize narrow definitions of 
deterrence that fail to consider how technology is changing society. In 
a connected world, those states that harness the power of cooperative, 
networked relationships gain a position of advantage and inherent 
leverage. The more connected a state is to others and the more 
resilient its infrastructure, the more powerful it becomes. This power 
requires secure connections and stable expectations between leading 
states about what is and is not acceptable behavior in cyber space. It 
requires shaping adversary behavior not only by imposing costs but also 
by changing the ecosystem in which competition occurs. It requires 
international engagement and collaboration with the private sector.
    Layered cyber deterrence emphasizes working with the private sector 
to efficiently coordinate how the Nation responds with speed and 
agility to emerging threats. The Federal Government alone cannot fund 
or solve the challenge of adversaries attacking the networks on which 
America and its allies and partners rely. It requires collaboration 
with State and local authorities, leading business sectors, and 
international partners, all within the rule of law. This strategy also 
contemplates the planning needed to ensure the continuity of the 
economy and the ability of the United States to rebound in the 
aftermath of a major, Nation-wide cyber attack of significant 
consequence. Such planning adds depth to deterrence by assuring the 
American people, allies, and even our adversaries that the United 
States will have both the will and capability to respond to any attack 
on our interests. These 3 deterrent layers are supported by 6 policy 
pillars that organize the 82 recommendations that collectively 
represent the means to implement our strategy.
         the need to reorganize the u.s. government (pillar 1)
    The Legislative and Executive branches must align their authorities 
and capabilities to produce the speed and agility required to defend 
America in cyber space. Greater collaboration and integration in the 
planning, resourcing, and employment of Government cyber resources 
between the public and private sectors is a foundational requirement. 
The U.S. Government needs strategic continuity and unity of effort to 
achieve the goal of layered cyber deterrence called for by the 
Cyberspace Solarium Commission. These actions require adjusting the 
authorities and alignment of fundamental processes the U.S. Government 
applies to defend its interests in cyber space.
    First, Congress must reestablish clear oversight responsibility and 
authority over cyber space within the Legislative branch. The large 
number of committees and subcommittees claiming some form of 
jurisdiction over cyber issues is actively impeding action and clarity 
of oversight. By centralizing responsibility in the new House Permanent 
Select and Senate Select Committees on Cybersecurity, Congress will be 
empowered to provide coherent oversight to Government strategy and 
activity in cyber space.
    Next, select entities in the Executive branch that deal with 
cybersecurity must be restructured and streamlined. Multiple 
departments and agencies have a wide range of responsibilities for 
securing cyber space. These responsibilities tend to overlap and at 
times conflict. The departments and agencies tend to compete for 
resources and authorities resulting in conflicting efforts that produce 
diminishing marginal returns. Establishing a National cyber director 
within the Executive Office of the President would consolidate 
accountability for harmonizing the Executive branch's policies, 
budgets, and responsibilities in cyber space while implementing 
strategic guidance from the President and Congress.
    In addition to this National cyber director, a properly-resourced 
and empowered CISA will be critical to achieving coherence in the 
planning and deployment of Government cyber resources. Multiple 
administrations and Congressional sessions have worked to establish 
CISA as a keystone of National cybersecurity efforts, but work still 
needs to be done to realize our ambitious vision for this critical 
organization. That includes strengthening its director with a 5-year 
term and elevated Executive status, adequately resourcing its programs 
to engage with the private sector while managing National risk, and 
securing sufficient facilities and required authorities for its vital 
and growing mission. These changes will remove key limitations in 
CISA's ability to forge a greater public-private partnership and its 
mission to secure critical infrastructure.
    Finally, the U.S. Government must more effectively recruit, 
develop, and retain a cyber workforce capable of building a defensible 
digital ecosystem and deploying all instruments of National power in 
cyber space. That will require designing innovative programs and 
partnerships to develop the workforce, supporting and expanding good 
programs where they are already in place, and connecting with a diverse 
pool of promising talent. In some cases, success in building a robust 
Federal workforce depends on stakeholders outside the Federal 
Government, like educators, non-profits, and businesses. Policy makers 
should support these important partners by providing the tools they 
need to be effective, like classroom-ready resources, incentives for 
research on workforce dynamics, and clear routes for collaborating with 
the Government.
                  deterrence by denial (pillars 3/4/5)
    Denying adversaries' benefits of their cyber campaigns is a 
critical aspect of ``Layered Cyber Deterrence.'' By ensuring the 
resilience of critical pillars of National power, reducing our National 
vulnerability, and disrupting threats through operationalizing 
collaboration between the Government and private sector we can 
effectively force adversaries to make difficult decisions regarding 
resourcing, access, and capabilities. The U.S. Government support must 
be better informed through a Joint Collaborative Environment that would 
pool public-private sources of threat information to be coordinated 
through a Joint Cyber Planning Office and an Integrated Cyber Center at 
DHS. Paired with our recommendation to conduct a Biennial National 
Cyber Tabletop Exercise that involves senior leaders from the 
Executive branch, Congress, State governments, and the private sector 
as well as international partners, the United States and her allies 
will be in a forward-leaning position and ready to lead.
    Today, under the direction of Presidential Policy Directive 21, 
sector-specific agencies are the lead Federal agencies tasked with day-
to-day engagement with the private sector on security and resilience. 
However, there are significant imbalances and inconsistencies in both 
the capacity and the willingness of these agencies to manage sector-
specific risks and participate in Government-wide efforts. In addition, 
the lack of clarity and consistency concerning the responsibilities and 
requirements for these agencies continues to cause confusion, 
redundancy, and gaps in resilience efforts. For this reason, the 
commission recommends that Congress codify sector-specific agencies in 
law as ``sector risk management agencies'' to ensure consistency of 
effort across critical infrastructure sectors and ensure that these 
agencies are resourced to meet growing needs.
    Denying adversaries' benefits starts with ensuring that our most 
critical targets are able to withstand and quickly recover from cyber 
attacks. In other words, we must build resilience. Effective National 
resilience efforts fundamentally depend on the ability of the United 
States to accurately understand, assess, and manage National cyber 
risk. Current efforts to assess and manage risk at the National level 
are relatively new and are significantly hindered by resource 
limitations, immaturity of process, and inconsistent capacity across 
departments and agencies that participate in National resilience 
efforts. Today, while the U.S. Government plans for continuity of 
operations and continuity of Government, no similar planning exists to 
ensure continuity of the economy. This must change, and the planning 
process should analyze National critical functions, outlining 
priorities for response and recovery, and identifying areas for 
resilience investments. In doing so, the continuity of the economy plan 
should identify areas for preservation of data and mechanisms for 
extending short-term credit to ensure recovery efforts. Additionally, 
Congress should also provide CISA with the necessary support to expand 
its current capability to issue Cyber State of Distress declarations in 
conjunction with Cyber Response and Recovery Funding. Furthermore, 
providing CISA with Administrative Subpoena Authority will dramatically 
improve the Federal Government's ability to actively notify critical 
infrastructure owners and operators that are on the front lines and 
being attacked by our adversaries who are largely acting with impunity.
    Denying adversaries' benefits also must lie in driving down our 
National cyber vulnerability at scale. Today, vulnerability in our 
cyber ecosystem is derived not only from technology, but also human 
behavior and processes. The commission sought means to improve the 
security of both the technological and human aspects at scale. Moving 
the technology markets to emphasize security requires creating greater 
transparency about the security characteristics of technologies 
consumers buy. This is why the commission recommends the creation of a 
National Cybersecurity Certification and Labeling Authority and 
Critical Technology Security Centers collectively to develop and 
facilitate authoritative, easy-to-understand security certifications 
and labels for technology products. By helping consumers make more 
informed technology purchases, the market will become a difficult place 
for vendors who do not prioritize security to do business.
    Layered cyber deterrence includes shaping cyber actors' behavior 
through strengthened norms of responsible state behavior and non-
military instruments of power, such as law enforcement, sanctions, 
diplomatic engagement and capacity building. A system of norms, based 
on international engagement and enforced through these instruments of 
power, helps secure American interests in cyber space.
    To strengthen cyber norms and build a like-minded international 
coalition to enforce them, the commission recommends Congress create 
and adequately resource the Bureau of Cyberspace Security and Emerging 
Technologies led by an assistant secretary of state. The Bureau would 
bring dedicated cyber leadership and coordination to the Department of 
State.
    Leading internationally also means having strong and coordinated 
representation in bodies that set global technical standards, 
therefore, Congress should sufficiently resource the National Institute 
of Standards and Technology to bolster participation in these bodies. 
American values, interests, and security are strengthened when 
international technical standards are developed and set with active 
U.S. participation. Engaging fully means we must also facilitate robust 
and integrated participation from across the Federal Government, 
academia, civil society, and industry; the United States is at its best 
when we draw input from all our experts.
    In parallel to robust participation in multilateral bodies, law 
enforcement activities also provide fruitful ground on which to work 
with international partners and allies to hold adversaries accountable. 
We recommend providing the Department of Justice Office of 
International Affairs with administrative subpoena authority, which 
streamlines the Mutual Legal Assistance Treaties process, enabling U.S. 
law enforcement to help allies and partners prosecute cyber criminals. 
Additionally, the commission recommends Congress create and fund 12 
additional Federal Bureau of Investigation cyber assistant legal 
attaches to facilitate intelligence sharing and help coordinate joint 
enforcement actions. Investing in these types of international law 
enforcement activities improves the credibility of enforcement and 
signals America's commitment to bring malicious actors to justice.
                deterrence by cost imposition (pillar 6)
    A key layer of the commission's strategy outlines how to impose 
costs to deter malicious adversary behavior and reduce on-going 
adversary activities short of armed conflict. As part of this effort, 
the commission puts forth 2 key recommendations: To conduct a force 
structure assessment of the Cyber Mission Force (CMF); and to conduct 
cybersecurity and vulnerability assessments of conventional weapons 
systems and of the nuclear command, control, and communications 
enterprise.
    Today, the United States has not created credible and sufficient 
costs against malicious adversary behavior below the level of armed 
attack--even as the United States has prevented cyber attacks of 
significant consequences. Our Nation must shift from responding to 
malicious behavior after it has already occurred to proactively 
observing, pursuing, and countering adversary operations. This should 
include imposing costs to change adversary behavior using all 
instruments of National power in accordance with international law.
    To achieve these ends, the United States must ensure that it has 
sufficient cyber forces to accomplish strategic objectives in and 
through cyber space. The CMF is currently considered at full 
operational capability (FOC) with 133 teams comprising a total of 
approximately 6,200 individuals. However, these requirements were 
defined in 2013, well before our Nation experienced or observed some of 
the key events that have shaped our Government's understanding of the 
cyber threat. The FOC determination for the CMF was also well before 
the development of the Department of Defense's (DoD) defend forward 
strategy. Therefore, we recommend Congress direct the DoD to conduct a 
force structure assessment of the CMF to ensure the United States has 
the appropriate force structure and capabilities in light of growing 
mission requirements. This should include an assessment of the resource 
implications for intelligence agencies in their combat support agency 
roles.
    If deterrence fails, the United States must also be confident that 
its military capabilities will work as intended. However, deterrence 
across all of the domains of warfare is undermined, and the ability of 
the United States to prevail in crisis and conflict is threatened, if 
adversaries can hold key military systems and functions, including 
nuclear systems, at risk through cyber means. Therefore, the commission 
recommends Congress direct the DoD to conduct a cybersecurity 
vulnerability assessment of all segments of nuclear command, control, 
and communications systems and continually assess weapon systems' cyber 
vulnerabilities.
    Our hope is that, by implementing these recommendations, we can 
ensure our Nation is willing and able to counter and reduce malicious 
adversary behavior below the level of armed conflict, impose costs to 
deter significant cyber attacks, and, if necessary, fight and win in 
crisis and conflict.
                               conclusion
    The recommendations put forward by the commission are an important 
first step to denying adversaries the ability to hold America hostage 
in cyber space and will be critical to our efforts to re-establish 
deterrence in cyber space. We believe that deterrence is an enduring 
American strategy, but it must be adapted to address how adversaries 
leverage new technology and connectivity to attack the United States. 
Cyber operations have become a weapon of choice for adversaries seeking 
to hold the U.S. economy and National security at risk. Near peer 
adversaries such as China and Russia are attempting to reassert their 
influence regionally and globally, using cyber and influence operations 
to undermine American security interests. The concept of deterrence 
must evolve to address this new strategic landscape. Reducing the scope 
and severity of these adversary cyber operations and campaigns requires 
adopting the commission's strategy of layered cyber deterrence--
improving our ability to defend our critical infrastructure and 
investing in an effective public-private collaboration.
    To this end, we believe this committee must prioritize a selection 
of the commission's recommendations that include: Strengthening the 
Government with a National cyber director, an empowered CISA, a new 
Joint Cyber Planning Office, and improved intelligence support to the 
private sector; building resilience with Continuity of the Economy 
Planning, and a codified ``Cyber State of Distress'' tied to a ``Cyber 
Response and Recovery Fund''; and, an improved cyber ecosystem with a 
National Cybersecurity Certification and Labeling Authority, and the 
designation of Critical Technology Security Centers.
    The 2019 NDAA charted the U.S. Cyberspace Solarium Commission to 
address 2 fundamental questions: What strategic approach will defend 
the United States against cyber attacks of significant consequence? And 
what policies and legislation are required to implement that strategy? 
The commission has delivered on its mission in the promulgation of 
``layered cyber deterrence'' strategy and the corresponding legislative 
proposals. We now need your help to enact these key legislative 
proposals as they will empower the Government and the private sector to 
act with speed and agility in securing our cyber future.

    Mr. Langevin. Thank you, Senator King. Again, thank you for 
your leadership on the Cyberspace Solarium Commission. As one 
of the co-chairs, you did an outstanding job, and I was proud 
to serve on that commission. Thank you for your testimony.
    Now I recognize Congressman Gallagher to summarize the 
commission statement for 5 minutes.
    Mr. Gallagher, you are recognized.

   STATEMENT OF HON. MICHAEL GALLAGHER, A REPRESENTATIVE IN 
CONGRESS FROM THE STATE OF WISCONSIN, AND CO-CHAIR, CYBERSPACE 
                      SOLARIUM COMMISSION

    Mr. Gallagher. Thank you, Chairman Langevin, not only for 
chairing this hearing today, but for your immense contributions 
to the commission. Our final report would not have been 
possible, were it not for your leadership. In many areas we 
were building upon work that you have been doing for the last 
decade. So it was really great to get to work with you.
    Thank you to Ranking Member Katko for your engagement from 
the start of this effort, for meeting with us and our staff 
multiple times, and for your leadership on these issues.
    Thank you, Chairman Thompson, for giving us this forum 
today.
    Let me just echo what my co-chair, Senator King--who is 
married to a Packers fan, I should note--said at the outset, 
which is, you know, we were--we come from different parties, we 
were appointed by partisans on different sides, and certainly 
the outside experts, Commissioner Spaulding and Ravich were, as 
well. But it would have been impossible to determine the party 
affiliations if you were just to listen to one of the many 
debates we had as we met as a commission.
    I think what came out of this process was a truly 
nonpartisan report that attempts to put the interests of the 
country ahead of any parochial or political interests. So this 
really has been an issue that every Presidential administration 
for the past 25 years, Democrats and Republicans, has tried to 
figure out: How do we defend U.S. interests and promote U.S. 
values in cyber space?
    Despite these well-intentioned efforts, our networks are 
vulnerable, if not already compromised. Our country has lost 
hundreds of billions of dollars to nation-state-sponsored 
intellectual property theft via cyber means. A major cyber 
attack on our Nation's critical infrastructure and our economic 
system would create chaos and lasting damage.
    So, in an effort to forestall such a future, the Cyberspace 
Solarium Commission examined a broad range of structures and 
policies that could more effectively defend our Nation in cyber 
space.
    I should admit our public relations plan, when we released 
the report publicly on March 11, 2020, did not factor in a 
global pandemic taking over the conversation. But that is all 
the more reason why it is important to have hearings like this 
today. We hope that, not only will you digest our full report, 
but also read our pandemic annex.
    But I just would highlight a few of the commission's key 
recommendations up front here.
    One, reform the U.S. Government structure and organizations 
for cybersecurity. This starts with establishing a National 
cyber director situated within the Executive office of the 
President, who is Senate-confirmed and supported by the Office 
of the National Cyber Director, as Senator King outlined.
    It also continues with strengthening CISA, as 
Representative Katko outlined, so that CISA can better serve as 
that central core element to support and integrate the Federal, 
State, and local, and private-sector cybersecurity efforts.
    I think it is important to note that the overall approach 
we are taking here is not to create a bunch of new 
organizations within the Federal Government, but rather an 
attempt to elevate and empower existing organizations like 
CISA, who have made important progress in recent years, but 
need more support from Congress.
    Second, I just would say we have a variety of 
recommendations on promoting National resilience, specifically 
that Congress should codify the roles of sector-specific 
agencies, focusing National risk management efforts, and also 
developing and maintaining a continuity-of-the-economy planning 
process so that we think through the unthinkable now, so we are 
not having to make things up on the fly in the wake of a cyber 
9/11.
    Then third and finally, I just would highlight the need to 
reshape the cyber ecosystem toward greater security. We are 
recommending, for example, that Congress establish and fund a 
National cybersecurity certification and labeling process to 
establish and manage a program on security certification and 
labeling of ICT products, as well as establish a Bureau of 
Cyber Statistics charged with collecting and providing data on 
cybersecurity.
    These recommendations, and many more like them in the 
report, are all designed to implement the commission's 
recommended strategy of layered cyber deterrence, which is our 
theory for how we evolve into a harder target, a better ally, 
and a worse enemy in how we better defend our Nation, our 
economy, and our way of life in cyber space.
    So thank you for giving us the opportunity to present our 
findings here today. We look forward to the debate. Again, I 
just want to highlight not only the contributions of the 
commissioners that you will hear from, but also our wonderful 
staff who has dedicated a year of their life to this important 
effort.
    I yield back.
    Mr. Langevin. Thank you, Chairman Gallagher. Again, I 
commend you for your leadership on the Solarium Commission. 
Both you and Senator King made a great team in co-chairing the 
Cyberspace Solarium Commission. We are greatly indebted to you 
for your work and service.
    With that, I thank you for your testimony, and I now 
recognize Ms. Spaulding to summarize the commission's statement 
for 5 minutes.
    [Pause.]
    Mr. Langevin. Commissioner Spaulding, you are muted. We 
need to unmute you.
    There you go, you are unmuted.

   STATEMENT OF SUZANNE SPAULDING, COMMISSIONER, CYBERSPACE 
                      SOLARIUM COMMISSION

    Ms. Spaulding. Thank you, Chairman Langevin. Thank you, 
Chairman Thompson, Ranking Member Katko, and Members of the 
committee. Thank you for this opportunity to be here today to 
testify. It is an honor to be here with my fellow witnesses.
    Particularly, Chairman Langevin, an honor it was to work 
with you again, having worked with you in 2007 on the 
Commission for Cybersecurity for the 44th President, which you 
co-chaired. I want to thank you for your long, outstanding 
leadership on cybersecurity issues.
    The bipartisanship, nonpartisanship which you have heard 
today, really, that tone was set at the top by our 2 co-chairs, 
Senator King and Congressman Gallagher. So thank you for that.
    Of course, a pleasure to work with Commissioner Ravich.
    I want to touch briefly today on 3 key areas that I think 
should and must be acted on very quickly, given the 
vulnerabilities particularly, as we have noted, with the 
pandemic.
    The first is strengthening DHS's Cybersecurity and 
Infrastructure Security Agency, or CISA, as the organization 
that I once led at DHS is now called, thanks in no small 
measure to the work of this committee and Chairman Thompson, 
and I thank you for that.
    With malicious cyber actors targeting hospitals, vaccine 
development, and governments at every level, and a stay-at-home 
work force presenting a massive attack surface, CISA's work has 
never been more important. This is why the commission urges 
Congress to provide CISA promptly with the resources and 
authorities, including administrative subpoena authority, that 
it needs to be the National risk manager; to serve as the 
central civilian cybersecurity authority to support Federal, 
State, local, territorial, and Tribal governments, and the 
private sector; to conduct continuity of the economy planning, 
a concept that Commissioner Ravich brought to the commission, 
so important; identify systemically important critical 
infrastructure; and coordinate planning and readiness across 
Government and the private sector.
    Second, with regard to improving the cyber ecosystem and 
reducing vulnerabilities, the commission turned first to 
improving the efficiency of the market. We looked at why isn't 
the market performing its function of driving better 
cybersecurity?
    A key reason, we determined, was that markets need 
information to operate effectively. So we ask that Congress 
establish that National cybersecurity certification and 
labeling authority, the kind of underwriter laboratories effort 
that Congressman Gallagher mentioned; publish guidelines for 
secure cloud services; create that Bureau of Cyber Statistics; 
promote a more effective and robust cyber insurance market; and 
pass a National data breach notification law.
    Finally, I believe one of the most important pillars in the 
report is resilience. We need to reduce the benefit side in the 
adversary's cost-benefit analysis. Often that means reducing 
our dependence upon those network systems, developing 
redundancies, maybe even analog systems. Paper ballots, for 
example, are a way of building resilience into our election 
infrastructure.
    We have a number of urgent election-related 
recommendations, including reforming regulation of on-line 
political advertisements, providing grant funding for States to 
improve election systems, replace outdated equipment, ensure 
voter verifiable paper-based systems, and conduct post-election 
audits. These are perhaps the most urgent of our 
recommendations.
    I would like to close with our recommendation to build 
public resilience against information operations that target 
elections, but also democracy as a whole. Media literacy is 
important, but we also need to focus on deterring the key 
objective of our adversaries, which is to weaken democracy by 
pouring gasoline on the flames of division that already engulf 
on-line discourse, pushing Americans to give up on 
institutions, not just elections, but the justice system, the 
rule of law, and democracy itself. They portray our 
institutions as not just flawed, but irrevocably broken. Where 
protesters and judicial reform advocates seek changes to make 
our institutions and our Nation stronger, our adversaries seek 
only to make us weaker. They want Americans to despair at the 
prospect of bringing about change, to despair at the prospect 
of being able to discern fact from fiction. They want to 
destroy the informed and engaged citizenry upon which a healthy 
democracy depends.
    To defeat our adversaries' objective, the commission calls 
for reinvigorating civics education to help Americans 
rediscover our shared values, understand why democracy is so 
valuable, that it is under attack, and that every American must 
stay engaged to hold our institutions accountable and continue 
to move us toward that more perfect union.
    Thank you for this opportunity, and I look forward to your 
questions.
    Mr. Langevin. Thank you, Commissioner Spaulding, again, 
both for your participation and valuable contributions to the 
Solarium Commission, but your dedication and work on cyber in 
general. With that, thank you for your testimony.
    Finally, I now recognize Ms. Samantha Ravich to summarize 
the commission's statement for 5 minutes.
    Dr. Ravich, you are now recognized.

 STATEMENT OF SAMANTHA RAVICH, PH.D., COMMISSIONER, CYBERSPACE 
                      SOLARIUM COMMISSION

    Ms. Ravich. Thank you. Thank you. Chairman Langevin, 
Chairman Thompson, Ranking Member Katko, distinguished Members 
of the committee, and my fellow witnesses, whom I have grown to 
know and greatly admire over this past year. I thank you for 
inviting me to participate in this important hearing about one 
of the most pressing questions that our Government is currently 
tasked with answering: What steps can the Federal Government 
and the private sector do to defend our businesses, our 
military, our citizens, our country against future cyber 
attacks?
    Our recommendations in the Cyber Solarium Commission 
focused on shaping the international cyber battle space, 
hardening our resilience, and maintaining our capability, 
capacity, and credibility to impose costs on the adversary, all 
in the service of deterring the type of catastrophic attack 
that our 2 esteemed commission chairmen laid out in plainspeak 
in the opening pages of the report.
    But we would not have lived up to the great responsibility 
given to us if we had not thought about what our country would 
do in the aftermath of a significant cyber attack. So I want to 
spend the next few minutes underscoring one of the commission's 
recommendations: The need for the United States to develop and 
maintain a continuity of the economy, or COTE plan, which was 
introduced last month as a bill in the Senate Banking, Housing, 
and Urban Affairs Committee by Senator Peters.
    During the Cold War the United States developed continuity 
of operations, COO, and continuity of Government, COG, plans to 
ensure that the Government could reconstitute and perform a 
minimum set of essential public functions in the event of a 
nuclear----
    [Audio malfunction.]
    Ms. Ravich. While COO, COG--Government contingency planning 
for the last 60 years, no equivalent effort exists to ensure 
the rapid restart and recovery of the U.S. economy after a 
major disruption, despite the 2017 U.S. National Security 
Strategy identifying economic security as National security, 
and the recognition that the private sector, as much as the 
U.S. Government itself, is a critical component of the security 
of our populace.
    So think about it for a moment, what it would mean for the 
U.S. military and the security forces of our allies if there 
was a major attack on bulk power transmission, not only 
knocking out the lights in major metropolitan areas, but taking 
transportation systems off-line; or if the major stock 
exchanges were compromised; if wholesale payments, medicine, 
telecommunications, and trade or logistics were brought down.
    Now think about the difficulties that would create for 
mobilizing and deploying forces if this all occurred during a 
time of international crisis, not knowing which plane, train, 
or bus to hop on to get to the rally point; leaving loved ones 
at home, scared in the dark and not knowing if their medicine 
or baby formula will still be stocked at the local Walmart; 
much of the economic base of the United States potentially 
losing complete access to their data for good.
    Creating and exercising a continuity-of-the-economy plan 
will serve as a visible deterrent to adversaries by 
demonstrating that the United States has the wherewithal to 
respond to a significant cyber attack. It will show that we 
will not be cowed, and that, if the economy upon which our 
livelihoods depend is brought down by an adversarial cyber 
attack, they, the adversary, will feel our wrath.
    Our commission's recommendation on COTE revolves around, in 
part, determining any additional authorities or resources that 
will be required to implement plans in the case of a disaster, 
and establishing a framework for rapidly restarting and 
recovering core functions in a crisis, giving precedent to 
functions whose disruption would cause catastrophic economic 
loss, lead to a runaway loss of public confidence, imperil 
human life on a National scale, or undermine response, 
recovery, or mobilization efforts in a crisis.
    Continuity-of-the-economy planning might also further 
review the feasibility of disconnecting critical services or 
specific industrial control networks if National security 
concerns overwhelm the need for internet connectivity 
continuity.
    Continuity-of-the-economy planning should also further 
explore options to store backup, protected data across borders 
with allies or partners, particularly in areas where economic 
disruption in either country could have cascading effects on 
the global economy. This could include technology that 
considers what seed data would need to be preserved and 
protected in a verified format, with a process to assure no 
compromise or manipulation.
    Finally, COTE must take into consideration the lack of 
readiness by the general public. By its very nature, 
continuity-of-the-economy planning will not prioritize. It will 
only prioritize the most essential functions of the country and 
the locales, both to enable a rapid recovery from a devastating 
cyber attack, and to preserve the strength and will to quickly 
punish the attacker.
    Many industries will not be included in this planning, and 
most citizens will not be able to rely on Government assistance 
in the period following an attack. But as is also true of 
natural disaster preparedness, the American people do not need 
to be helpless. DHS and other relevant agencies should expand 
citizen preparedness efforts and public awareness mechanisms to 
be prepared for such an event.
    COTE, along with many other recommendations in the report, 
seeks to build upon the work of the Cybersecurity and 
Information Security Agency, CISA, at DHS, what they have been 
working on for the past couple of years, and seeks to ensure 
that the United States is prepared to respond and recover to 
the full range of disruptive cyber attacks below and up to the 
threshold of COTE.
    While it is true that there is no magic solution that will 
protect the United States from cyber attacks in perpetuity, 
there are steps that the Federal Government can undertake that 
will significantly improve the Government's ability to protect 
and defend itself from hostile cyber operations.
    So as we sit here in our virtual COVID world, trying to 
think the unthinkable and plan for the unplannable, we must ask 
ourselves the hardest question of all: What would a cyber day 
after look like if we didn't undertake continuity-of-the-
economy planning?
    So I thank you for this opportunity to testify--questions 
and discussions. Thank you.
    Mr. Langevin. Very good. Thank you, Commissioner Ravich, 
for your testimony and, again, for your leadership on 
cybersecurity. You made a valuable contribution, likewise, to 
the Solarium Commission process and its recommendations.
    With that, again, I thank all the witnesses for their 
testimony.
    I remind subcommittee Members that we each have 5 minutes 
to question the panel, and I now recognize myself for 5 minutes 
to begin.
    I will start with you, Senator King. Yesterday we saw a 
multinational coalition announce that Russian agents were 
targeting vaccine research through cyber space. In this 
pandemic, health care networks are incredibly important to our 
security. And while it is not clear whether the Russians were 
seeking to destroy data, the attempts are clearly troubling.
    So how would a National cyber director play a role in 
preventing incidents like this?
    Why did the commission find this construct most efficient?
    Senator King. Well, I think the key is to have someone in 
overall charge.
    As I mentioned before, we have got responsibility for cyber 
scattered throughout the Federal Government, a variety of 
different agencies, a variety of different authorities, funding 
levels. But there is no central coordinating function. There is 
no person with the authority of the White House to settle turf 
wars, to oversee budgets, and to basically forge cooperation 
through the various agencies that are involved.
    It was--I think it was one of the most obvious suggestions 
of the commission that we talked about. Now, we had quite a bit 
of discussion about where it should go, and how it should be 
structured. The--but the conclusion--one thought was elevate 
CISA, or create a new--essentially, a new Cabinet office. We 
rejected that because, No. 1, it would take a long time. No. 2, 
it would be duplicative of other functions that are already 
there. It wouldn't have the power and authority of the White 
House.
    So the model we ended up approaching it as is the U.S. 
trade representative, who has responsibility for trade that 
cuts across a lot of Federal agencies, is Presidentially-
appointed, Senate-confirmed, and has that authority within the 
Executive Office of the President.
    But the fundamental idea--and I used--I was in business 
before I got into politics. When I was doing contracting, I 
wanted one throat to choke. That is what we are really talking 
about here, one person that is responsible, can be held 
accountable. I feel this is, actually, a favor to the 
President, to have somebody in that office that he or she can 
hold responsible for, and will be accountable for all the 
various complex operations of the Federal Government with 
regard to cyber.
    Mr. Langevin. Thank you, Senator King. I completely agree 
with, I concur with you.
    Congressman Gallagher, on Wednesday we both testified 
before Chairwoman Maloney and the Oversight and Government 
Reform Committee. You said something very interesting about 
ensuring we appropriately balance offensive and defensive 
cyber.
    Why is strengthening CISA so fundamental to the 
commission's report?
    Mr. Gallagher. Thank you. Well, I think, first, let me just 
connect it to what Senator King just said. I mean, not only is 
it important to have a National cyber director to do 
preplanning, coordinate all the efforts of the Federal 
Government, but, as I alluded to in my opening testimony, we 
have organizations right now that are doing good work. We 
really felt the best path forward was to elevate, empower them, 
and give them the tools they need to get the job done.
    Strengthening CISA in that regard is perhaps one of the 
most important recommendations in our final report. As Senator 
King and I point out in the Chairman's letter opening the 
report, it is not just a matter of better enabling CISA to be 
able to do that defensive mission, it is not just a matter of 
giving CISA, for example, the authority to do persistent threat 
hunting on .gov networks in the way that CYBERCOM and NSA can 
do that on .mil networks. It is also a matter of making the 
mission of CISA so appealing that CISA can compete for talent 
with the likes of Google, Apple, Facebook, and win.
    We know we can't compete when it comes to what we can pay 
some of the most talented cyber warriors out there, but we can 
compete on mission. Indeed, that is one of the things that 
General Nakasone told us about the NSA. While he worries about 
retention, he can always compete on mission.
    So, by giving CISA that elevated position, that really 
appealing mission, we believe that we can sort-of solve the 
human element that is endemic to every cyber issue. Because, at 
the end of the day, while discussions about cyber can get very 
technical, they can devolve into jargon about, you know, this 
tech--that--these are fundamentally human problems.
    I mean, my understanding, at least, of the Twitter hack 
this week was that it was--they fooled a human being into 
providing administrative credentials that resulted in the 
attack. So our greatest failures have been human failures. Our 
greatest successes will also be human successes.
    So, empowering CISA, giving the director a higher level of 
authority and a longer term is one step toward that sort of 
human solution to human problems in cyber.
    Mr. Langevin. Thank you for that answer, and very 
insightful and helpful for everyone to understand. I deeply 
appreciate the work that Director Chris Krebs at CISA, the team 
there, but they also actually added resources to be able to 
grow their entire cyber work force, inherent capability there. 
I look forward to supporting that effort.
    So my time has expired. I now recognize the Ranking Member 
of the subcommittee, Mr. Katko, for 5 minutes.
    Mr. Katko. Thank you very much, Mr. Chairman, and thank you 
all for, really, a great conversation. It is wonderful to hear 
people not sniping from side-to-side, which is all being on the 
same page about what we need to do in a bipartisan manner. It 
is truly inspiring.
    I do want to talk a little bit more about the leadership 
issue, because I think it is critically important. It is a 
central focus upon which all this sort of stuff can happen. For 
20 years I was a Federal organized crime prosecutor, and part 
of that was doing the organized crime drug task force cases. We 
had our quarterback, and that was the Office of National Drug 
Control Policy. He was over it, and be able to look over all 
the different disparate agencies that had a hand in drug 
enforcement, and kind-of be that person that the President 
needs to advise him all drug-related matters.
    So I know I--Senator King, I heard you talk a little bit 
about the leadership position, why it is important. But, you 
know, I want to drill down a little bit farther, just so people 
understand why we need it, similar to the ONDCP position.
    So, Ms. Spaulding, perhaps you could talk about why a 
National cyber director is important. What are the different 
agencies that are involved in the cybersecurity? Because I know 
I have Homeland Security, Department of Defense. There is a lot 
more. So I would like to kind-of get an understanding of why we 
need this coordinated position.
    Ms. Spaulding. Ranking Member Katko, thank you. You are 
absolutely right. There is really no major agency in the 
Federal Government that isn't in some way involved in 
cybersecurity. Certainly every agency is involved in ensuring 
that it is able to perform its mission-essential functions on 
behalf of the American public in the wake of cyber threats and 
cyber risks.
    So the National cyber director is absolutely essential. We 
cannot help but have this cyber activity distributed across the 
Government. The, you know, Department of Energy is the--they 
are the experts in the electric sector.
    [Audio malfunction.]
    Ms. Spaulding [continuing]. In the financial services 
sector. Having those agencies bring that sector expertise 
together with cyber expertise is really important.
    So if you are going to have it distributed at NSA and FBI 
and DHS and DOE, et cetera, then you need that central 
coordination function. That is why that National cyber director 
is so important.
    Again, having been the under secretary, that is the--was 
the equivalent of the director of CISA, I think that White 
House support is critically important. It really should not in 
any way undermine CISA's coordination role across civilian 
government and with the private sector, but stand behind and 
give the imprimatur of the White House as CISA endeavors to 
undertake those activities.
    Mr. Katko. OK, thank you very much. I--in the interest of 
time I will forgo asking Senator King, because, really, I 
understand fully what the issue is.
    But I will note that, from the leadership position, and 
having that consistent leadership at the top of CISA, and de-
politicizing the assistant director positions are very 
important adjuncts to that, and attracting and maintaining the 
talent.
    But I do want to talk for a second, because we have 4 
nuclear power plants in my district. We have a major grid 
issues in upstate New York. So, Ms. Ravich, I want to ask you 
real quick about my concerns in that area.
    Some of the most vulnerable areas of our Nation's 
infrastructure and our local municipal utility services often 
have limited budgets to support their cyber capabilities. Was 
there a discussion at all during the commission's work as to 
how to potentially assist State and municipal power and water 
utilities with their cyber-related mitigation and controls and 
coordination?
    Ms. Ravich. Yes, thank you. Thank you very much. We 
actually did look particularly at water utilities. There are 
70,000 water utilities across the United States. There are 
3,000 water utilities alone in the State of California. That is 
equal to all electric utilities across the country. Many of 
them are very small. Many of them, to cut costs and deal with 
personnel issues for the last number of years, have put on--
incorporated some technology that, frankly, isn't safe. Some of 
the technology has been made in adversarial countries, and now 
it is in our water systems. So, while you may be able to live 
in the dark for a day or 2 without energy, try living without 
water.
    So we recognize this, and we had long conversations about 
what could be done to help State, local, Tribal, territorial, 
especially, and create--ask for, as a recommendation, the 
creation of a cybersecurity assistance fund, knowing that, 
again, State and local, you know, needs best practices, needs 
assistance. They are not going to be the repository of all 
cybersecurity best practices. To make us all safe, we 
absolutely have to, from the Federal Government on down, help 
the smallest among us.
    Mr. Katko. Thank you very much. It is an important issue. I 
have got plenty more questions, but I know I am out of time. So 
I yield back, Mr. Chairman.
    Mr. Langevin. Very good, Mr. Katko. Thank you for your line 
of questions.
    I just wanted to yield to--if the Chairman is on still, I 
will yield to Chairman Thompson. If not, we will go to 
Congresswoman Sheila Jackson Lee.
    OK, I believe Mr. Thompson has stepped away, so 
Congresswoman Sheila Jackson Lee is recognized for 5 minutes.
    Ms. Jackson Lee. Thank you very much, Mr. Chairman. I 
appreciate this very important hearing, and I am delighted to 
be here with the--some very important witnesses that include 
Commissioner Ravich, as well as Commissioner Spaulding and my 
colleagues, Representative Gallagher and Senator King. I thank 
them both for their service on this committee.
    Particularly, I will join with my voice, Congressman 
Gallagher, to congratulate you on the birth of a beautiful baby 
and, I might imagine, where opportunities are not limited. So I 
am delighted, and wish your family the best.
    This is a very important hearing that deals with addressing 
the question of the recommendations by the Cyberspace Solarium 
Commission related to how the Federal Government can be more 
secure. I am wearing a mask because I am in the epicenter here 
in Houston, Texas. I just came to my office to be a part of 
this very important hearing. But we are fighting against very 
large numbers of COVID-19. In fact, of course, we are about 
75,000 cases here in Houston, my home town, and 717 deaths.
    Interestingly, cyber is part of how we will survive, 
because many people have turned toward cyber and connecting 
through the system.
    I wholeheartedly agree with the need for a cyber National 
director, and I support that. I am also introducing an 
amendment to protect--to NDAA to protect the security of 
emails. I want to thank Congressman Langevin for his leadership 
and support of the amendment, cosponsoring it, as well as 
Congressman Gallagher.
    I want to raise 2 questions as quickly as I can. Yesterday 
we were alerted to a coordinated hack of major U.S. Twitter 
accounts, including those of President Obama, Elon Musk, Bill 
Gates, Mike Bloomberg, and former U.S. President Joe Biden, and 
many others. At that time, where misinformation--at this time, 
where misinformation poses one of the greatest threats to 
National security, we need cybersecurity policy that will 
uphold the truth.
    The commission made a number of recommendations designed to 
improve collaboration between CISA and the private sector. So I 
would appreciate it if--I first go to Commissioner Ravich--to 
elaborate on any recommendations that you believe would have 
the potential to prevent a similar breach--that we have asked 
for our private sector to ramp up their system. I think the 
Government needs to not deny the First Amendment rights, but 
has to have a forceful place in this. I would welcome the 
comments of our two co-chairs, Congressmen Gallagher and King, 
but I will start with Commissioner Ravich on that question.
    Let me ask my second question, just so it is on the record 
for answering, and that is we are very much dependent, 
potentially, on the ending of COVID-19, on vaccines. We have 
just determined over the last couple of days that Russia has 
been interfering with the cyber, or the research on vaccines by 
a number of our companies, which really mean life or death for 
many Americans.
    So, Commissioner Ravich, would you answer the first 
question about the violations of Twitter accounts? Thank you.
    Ms. Ravich. Yes. Thank you. Thank you very much. You know, 
we absolutely looked at--and this was, again, before COVID 
started and we were all working from home and relying on these 
devices on these networks to be able to interact with our 
Government, to be able to register to vote, to be able to go to 
the DMV virtually, our Social Security payments. Now we are 
realizing that many of these networks could be untrustworthy.
    So a few things that we certainly highlighted in our 
original report, and then in our pandemic annex, things like 
the internet of things security, that individuals, our 
populace, should not have to be cybersecurity experts. It is 
absurd in this day and age to say that, when my mom or my 
neighbor goes to the store and buys a router, that they have to 
be cybersecurity experts to know which one is going to protect 
them better.
    The same way, when you see the locked icon on your email, 
the idea that I should automatically know that this is a 
trusted certificate. No, there have to be better safeguards in 
place from the Government itself.
    So the commission really took kind-of 2 tacks at this. One 
is what are--what is the responsibility inside the Government? 
How can we push ahead with better cybersecurity recognition of 
what is secure for individuals that they know what to buy and 
what not?
    But also, what are the responsibilities from the private 
sector, right? The Government can only do its job if it 
understands attribution better. What is being attacked? What 
type of industrial control systems are most in the crosshairs 
of a Russia or Iran or a China or North Korea? Right? So the 
U.S. Government needs better information and data to be able to 
do intel sharing back to the private sector.
    So these are some of the things that the commission really 
focused on. But it has to be a different type of relationship 
between the U.S. Government and the private sector than really 
existed before, if we are all going to be safer.
    Ms. Jackson Lee. Thank you. If Senator Gallagher and 
Representative--Senator King and Representative Gallagher could 
take a moment to comment on Russia's----
    Mr. Langevin. Congresswoman, you are not coming through.
    Ms. Jackson Lee [continuing]. Research.
    Mr. Langevin. Congresswoman Jackson Lee, you are coming 
through garbled.
    Ms. Jackson Lee. Senator? Senator King.
    Mr. Langevin. Senator King is muted.
    Senator King. Could you restate the question, 
Congresswoman? I couldn't hear it.
    Ms. Jackson Lee. I would be happy to.
    Senator King. Yes.
    Ms. Jackson Lee. I thank the Chairman for indulging.
    I just want you to focus on the interference that has been 
reported by recent reports about Russia's interference in our 
vaccine research--COVID-19 is a pandemic in our Nation surging 
in many States--as it relates to the work that we are doing 
here to shore up our cyber systems.
    Maybe Representative Gallagher would comment, as well. But 
the Russian's interference with vaccine research, how important 
the report of the Solarium Commission's report is in the work 
going forward.
    Can you hear me? Did you hear me?
    Senator King. Yes, I can. I did. Thank you very much.
    First I want to send my warmest thoughts to the people of 
Houston. I know what you are going through. I have seen it, and 
I am following it, and it is a very tough time. I know it means 
a lot to them that you are there with them on this--in this 
terrible time.
    What the Russians appear to be doing, I think there are a 
couple of lessons to be learned from this.
    No. 1, there are no boundaries for what our adversaries 
will do.
    No. 2, the Russians are doing something that the Chinese, 
in fact, have been doing for many years, which is, essentially, 
theft of intellectual property. The estimates are that Chinese 
theft of intellectual property has cost our economy billions of 
dollars. So clearly, this is one of the most important areas 
that we need to shore up our defenses.
    We attended to this in a number of different ways in the 
report. But the fundamental--I think one of the fundamental 
issues is, as I mentioned in my opening statement, they have to 
understand that there is a price to be paid for this. If the 
Russians or the Chinese or the Iranians or whoever it is comes 
after us and does something like this, and we can attribute it 
to a particular country, there needs to be--there need to be 
consequences. There need to be results. Otherwise, they will 
keep doing it. Why wouldn't they?
    So that is the kind of strategic area that we are talking 
about. But then also, we need to be more defense-oriented. It 
is very interesting that--I can't remember--85 percent of cyber 
risk rests upon individuals doing things like clicking on 
phishing emails. In other words, the most basic kind of cyber 
hygiene would be tremendously important in protecting our 
companies and our country from these kinds of attacks.
    I don't know how they got into those vaccine companies, but 
it wouldn't be surprising at all if it was some kind of 
phishing expedition that got the credentials, that got the 
password.
    So the Government has a lot of things that we can do, and 
they are all in our report, or many of them are in our report. 
But we also need to support and encourage the citizens to 
understand the magnitude of this risk, because it may not be 
that they hit the Pentagon, but they are going to try to hit 
smaller companies and get into the system in that way.
    So you raise a very important question that I think we 
really have focused upon, and must continue to do so.
    Mr. Langevin. Thank you, Ms. Jackson Lee.
    Ms. Jackson Lee. Thank you. Thank you so very much. Thank 
you.
    Mr. Langevin. Mr. Joyce is now recognized for 5 minutes.
    Ms. Jackson Lee. Thank you very much.
    Mr. Joyce. Thank you. Thank you, Senator King, 
Representative Gallagher, Dr. Ravich, and Commissioner 
Spaulding.
    I will join in congratulating you, Mike, on the birth of 
your wonderful daughter. This is an important time in life, and 
yet you are stopping that new family moment and joining with 
us.
    Each of us, each of us is aware of the hostile cyber--and 
you mentioned that, Dr. Ravich.
    I think that the discussion, Senator King, that you just 
talked about is important, as well. But Mike Gallagher said 
something that is important to this conversation. Our greatest 
failure will be in human failure. Senator King, you mentioned 
that, how easy it is for someone to open an email and allow 
that integration into someone's personal cyber world to be 
shared and, ultimately, potentially destroyed.
    Five years the DMARC protocol has been established. It is 
deployed very, very sporadically, but it has increased. What I 
am going to ask both you, Commissioner Ravich, and Commissioner 
Spaulding to address is what barriers exist to that old 
deployment of DMARC, so that potential integration can occur, 
and potential protection occur, as well.
    Ms. Ravich. OK, I don't know if I should go first.
    Well, first of all, I think it is a great point, because 
we, obviously, would all be more secure if the uptake on 
protocols like that were more expansive. It goes back to some 
of the other things that we were looking at on the commission 
directly, which will get to your point.
    We had looked at things such as final goods assembly 
liability, right? I mean, you know, kind-of as I was saying 
before, why should my mom be a cybersecurity expert, right? Why 
should my doctor be a cybersecurity expert? They should be able 
to go--and the devices that they are buying, they should know 
that they are secure.
    The same thing when I--if you sent me an email, I should 
know it is from you. Right now, frankly, in not all places are 
things like trusted certificates actually to be trusted.
    So we didn't want to be too prescriptive in terms of how 
the private sector needs to start to layer on much greater 
security in IoT, for instance, and devices, hardware, and 
software. So we recommended a number of different ways to kind-
of skin that cat.
    But it is true, we are living in a time where, if we don't 
make these types of devices, hardware, software more secure, we 
will all be more at risk.
    Ms. Spaulding. Congressman, I couldn't agree more, and 
thank you for your leadership on this important issue.
    You are absolutely right that email is one of the most 
troubling vectors, and most frequent and common vectors for 
malicious cyber activity to get into networks and systems. 
DMARC, domain-based message authentication reporting and 
conformance, is one of the protocols that has proven to be most 
effective, really, at stopping this kind of activity, so 
critically important.
    You ask why isn't it then just uniformly adopted across the 
board? You are correct that it is gaining ground, and its 
adoption is moving forward. But I think it is leaders, CEOs, 
boards of advisers, secretaries of departments and agencies, 
leaders across the board need to support their chief 
information security officers when they make these kinds of 
recommendations. It is those leaders that decide about resource 
allocation, and that becomes very important.
    To do that, it is helpful to be able to show a return on 
investment. That, again, requires information. It is one of the 
reasons that the commission has a recommendation that would 
require key companies to report more information about 
malicious cyber activity, so that we can begin to build the 
kind of repository of data that allows us to be able to tell 
those decision makers who are allocating resources the costs of 
not implementing something as basic as DMARC.
    Mr. Joyce. I think that cost issue is important. I just 
have seconds left, but I am perplexed by only 80 percent of 
Federal agencies are reported to be implementing DMARC. Are 
there specific obstacles that we in Congress should address to 
see that all Federal agencies----
    Ms. Spaulding. So I think the number--I suspect that that 
80 percent covers most, if not all, of the major departments 
and agencies of the Government. There are lots of very tiny--
the Millennium Challenge Corporation, the Denali Commission, et 
cetera--that really just need a lot of hand-holding to make 
these technical changes.
    But I applaud you. Keep, you know, keeping their feet to 
the fire, and keep pushing this. It is really important. But 
thank you.
    Mr. Joyce. Thank you, Commissioner. Thank you, and I yield 
my time.
    Mr. Langevin. I thank the gentleman.
    Before I turn to Miss Rice, I need to step away from the 
Chair for a few minutes. There is a press conference and a 
meeting with our Governor that I need to--a virtual one that I 
need to jump on to. It is COVID-related, and related to our 
small business community. So I will be stepping away as briefly 
as possible, and Ms. Underwood will be taking the gavel to 
chair the hearing, going forward. I hope to make it back before 
the conclusion.
    In the event--in the unlikely event that I am not able to 
get back before this is concluded, I do want to thank our 
panelists today for their testimony, their leadership on the 
Solarium Commission, and their leadership on cyber, which I am 
grateful for.
    With that, Miss Rice is recognized now for 5 minutes.
    Miss Rice. Thank you so much, and I want to thank all of 
the--my 2 colleagues and our private-sector witnesses here 
today, members of this commission.
    As I--if we do not implement every single recommendation in 
this report, shame on us, as a Government. I mean, it is just 
such common-sense stuff. With everything that is going on right 
now in the world, we see in this report why it is so important 
to implement every single recommendation.
    Congressman Gallagher, I just want to go to you first, 
because it seems to me that this is a constant, constant issue 
that comes up between public and private partnership. Why is 
it, you know, that it is hard for us to get that right?
    I mean, do you think it is possible to continue incentive-
based public-private cybersecurity partnerships as part of an 
effective cyber defense program, or do you think it is going to 
come to Congress having to more strongly consider imposing 
mandates?
    Mr. Gallagher. Well, I think the other commissioners would 
agree that the approach we have largely taken in this report 
was to try and incentivize the private sector to work more 
closely with the Federal Government or, as we say in the 
Chairman's letter, try and incentivize the C-suite types in the 
private sector to take cybersecurity seriously.
    There are areas, however, where we are, you know, imposing 
further requirements that some in the private sector will no 
doubt view as onerous, such as the need for large, publicly-
traded companies to do mandatory penetration testing.
    But I do think--and connected to the earlier series of 
questions on the Russian hack and things like that--I think, 
culturally, what we are trying to do here is shift the culture 
in the intelligence community and at CISA--and this is my 
verbiage, not contained in the final report--from a culture of 
need-to-know to more toward need-to-share.
    So it is not just that we need the private sector to step 
up and do more for their own security, but we also want our 
cybersecurity professionals in the Federal Government to be in 
a posture where they are constantly sharing information with 
the private sector, so that they are seen as a valued partner 
with the private sector, and the private sector doesn't view 
them suspiciously.
    So, toward that end, we recommend creating a joint 
collaborative environment, a common and interoperable 
environment for sharing and fusing threat information inside, 
and other relevant data across the Federal Government, and then 
between the public and private sectors. Our recommendation to 
strengthen a public-private, integrated cyber center within 
CISA is intended to allow for that closer collaboration between 
the public and private sector.
    Then finally, we have a recommendation about establishing a 
joint cyber planning office under CISA to coordinate 
cybersecurity, planning, and readiness across the Federal 
Government and between the public and private sector.
    So I guess, in sum, I still maintain hope that we can 
pursue an incentive-based approach. But you are right to 
suggest that I think everything hinges on that--the level of 
trust between the private sector and the public sector. Because 
the reality is, as Senator King and I say in the opening 
letter, you know, we are not the Chinese Communist Party. We 
can't just dictate outcomes for the private sector, nor should 
we want to, right? We want to maintain the free and open and 
innovative environment we have in America.
    So it is a delicate balance, but it is one we hope we have 
struck well in the commission's final report.
    Miss Rice. Yes. So it sounds like a little bit of 
territorialism, too, which is one of the things that we learned 
about in a post-9/11 world. To see that possibly still kind-of 
rearing its head is not a good thing.
    You know, I just want to be very mindful of my time, and 
all of our witnesses' time. I have to give a shout out to Chris 
Krebs, because I think he is doing such a great job at CISA, 
especially in the area of election security, really reaching 
out to individual States to help them secure their election 
infrastructure.
    But I would like to ask both Ms. Ravich and Spaulding, in 
light of the threats and challenges associated with the 
upcoming 2020 election, do you think the Federal Government is 
doing enough to defend elections from foreign interference?
    Ms. Spaulding. So I am happy to start on that. I think not 
yet, no.
    I agree with you. I think Chris Krebs and the men and women 
at CISA are doing a terrific job, and working very hard with 
State and local election officials, who I think are also taking 
this very seriously. But our--in the commission report we have 
a number of recommendations that we really hope Congress will 
act on, and will act very quickly.
    One of those, obviously, is the reforming of on-line 
political advertising to prevent foreign interference in that 
regard.
    But the other is providing the wherewithal, the support to 
our State and local officials so that--in the form of grants, 
so that they can do the things that need to be done to put 
secure systems in place, but also to put paper-based audit 
capabilities in place so that we can reassure the public about 
the legitimacy of the process when it is challenged.
    Ms. Ravich. Yes, so let me jump in. That is very 
thoughtful, as always, what Suzanne had said.
    You know, our commission report, as the 2 co-chairmen said, 
is--has 3 parts of layered defense. When you look at elections, 
each part of that layered defense has to be deployed, right?
    So shaping international behavior, it is not only us that 
is being attacked in our election, it is all free and 
democratic nations. So the----
    [Audio malfunction.]
    Ms. Ravich [continuing]. With partner nations, our friends 
and allies, those who believe in democracy and free enterprise, 
so that together we can share lessons learned and bolster our 
systems.
    The second, resilience. Suzanne spoke about it, as always, 
you know, brilliantly. The Election Assistance Commission needs 
a stable budget, needs senior cyber expertise because this is 
not one and done. It is not like we are going to protect our 
systems, and then that is it, we don't ever have to protect 
them again. It is going to be consistent and constant.
    The third part of layered defense is imposed costs, right? 
So the adversaries that try to undermine what makes us a great 
Nation, you know, have to actually really understand there will 
be costs imposed upon them for this.
    So the 3 parts of layered defense you can see when you look 
at the question of elections, how they all must relate to one 
another to make us more secure.
    Miss Rice. Thank you so much. If we can't protect our 
elections, I mean, that will doom our democracy, I think, 
quicker than anything else.
    So I want to thank you all so much for being here today, 
and I yield back.
    Ms. Underwood [presiding]. Thank you. I now recognize 
myself for 5 minutes.
    I would like to start by thanking Chairman Thompson for 
calling today's hearing, and Chairman Langevin for his 
dedicated work to strengthen America's cybersecurity, both as a 
commissioner and as a valuable Member of this committee. 
Cybersecurity advocates like Mr. Langevin have been sounding 
the alarm for years about America's vulnerability to cyber 
attacks.
    As a representative from Illinois, a State that experienced 
a major cyber attack in our election system in 2016, I am well 
aware that such attacks pose a threat at all levels of 
government, and so a whole-of-Government response is required.
    In the last few months the COVID-19 pandemic has exposed 
this vulnerability like never before. As Americans have 
struggled to telework securely, overworked hospitals have 
suffered ransomware attacks. Cyber attacks have targeted 
vaccine developers, and more.
    I am pleased that the commission built on the 
recommendations in the March report by publishing a white paper 
in May on cybersecurity lessons from the pandemic. In this 
white paper, the commission found that maligned foreign 
disinformation operations are undermining public health: ``The 
resulting confusion is threatening to become a literal matter 
of life and death.''
    Ms. Spaulding, can you elaborate on how disinformation 
impacts our cybersecurity, public health, or other areas of 
National security, even to the point of life and death?
    Ms. Spaulding. Absolutely, Congresswoman, thank you for 
that really important question that--we have seen our 
adversaries take advantage of this situation, and putting out 
disinformation around COVID that confuses the public. It may 
not be that they are able to convince the public necessarily of 
the narrative that they are pushing, but they create confusion, 
which is deadly enough. If the public gives up, as I say, on 
their ability to figure out what is fact when--at a time when 
giving the American public facts about what they should be 
doing to protect themselves, their families, their communities, 
and our Nation, that is extremely destructive.
    When we see the COVID coming together with our elections as 
election officials are making decisions about how to adjust, 
whether to adjust elections in light of the pandemic, and then 
those are winding up in courts--and we have seen disinformation 
around all 3 of those: COVID, elections, and the courts--and 
that is a really dangerous combination that threatens the 
peaceful transition of power.
    Ms. Underwood. Thank you. I agree with the commission's 
assessment of the severe and even deadly security threat posed 
by disinformation, which is why, in the last month, I 
introduced the Protecting Against Public Safety Disinformation 
Act. This bill would direct the Department of Homeland Security 
to assess maligned foreign disinformation operations that 
threaten public safety and share their findings with State and 
local authorities like public health departments, emergency 
managers, and first responders.
    The commission's recommendations repeatedly highlight the 
role of State and local officials in hardening our 
cybersecurity posture. Ms. Spaulding, why is it so important 
for State and local officials to be involved in our National 
response to disinformation and other cybersecurity threats?
    Ms. Spaulding. So we have gotten used to the idea that 
State and local officials are on the front lines of responding 
to disasters in the real world. We have to understand, as you 
say, that they are also often on the front lines of responding 
to disinformation that causes confusion in their communities.
    We know that local sources of information are often more 
trusted than National sources. We also know that they are being 
targeted, both with ransomware, with traditional cyber 
activity, but that traditional cyber activity can also be 
designed to undermine public confidence, so part of an 
information operation. They need to be supported in combating 
that.
    Ms. Underwood. Thank you. As you may know, the personal 
information of 76,000 Illinois voters was accessed by Russian 
operatives in 2016. Since then, our State and local election 
officials have been working hard to improve election systems 
and infrastructure. But due to limited resources, some have 
faced challenges in upgrading legacy machines and hiring 
additional cybersecurity personnel. Now, when State budgets 
across the country have been devastated by this pandemic, 
Federal support is more urgently needed than ever.
    So over 2 months ago, the House passed a bill, the Heroes 
Act, which would provide $3.6 billion for election security 
grants in the State. Unfortunately, the Senate has yet to act 
on this bill. We know that election security grants like those 
in the Heroes Act would equip these State and local officials 
with the resources that they desperately need in order to 
secure our elections and our National security ahead of the 
election in November.
    With that, I yield back. I have to step away, and so Miss 
Rice will now Chair the hearing. Thank you.
    Miss Rice [presiding]. Thank you so much. I--it looks like 
we have come to the end of the questioning, so I would love to 
thank the--all our witnesses for your valuable testimony today, 
and the Members for their questions.
    This is a report that every single Member of Congress needs 
to digest, and immediately get on board doing something about, 
and implementing as many of these recommendations as we can.
    The Members of the subcommittee may have additional 
questions for the witnesses, and we ask that you respond 
expeditiously in writing to those questions.
    Without objection, the committee record shall be kept open 
for 10 days.
    Hearing no further business, other than to congratulate 
Mike Gallagher once again on lovely baby Grace, the 
subcommittee stands adjourned. Thank you all.
    [Whereupon, at 2 p.m., the subcommittee was adjourned.]