<html>
<title>DEFENDING AGAINST FUTURE CYBER ATTACKS: EVALUATING THE CYBER SPACE SOLARIUM COMMISSION RECOMMENDATIONS</title>
<body><pre>[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                 DEFENDING AGAINST FUTURE CYBER ATTACKS:
                  EVALUATING THE CYBER SPACE SOLARIUM
                  COMMISSION RECOMMENDATIONS

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                     CYBERSECURITY, INFRASTRUCTURE
                       PROTECTION, AND INNOVATION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 17, 2020

                               __________

                           Serial No. 116-79

                               __________

       Printed for the use of the Committee on Homeland Security


        Available via the World Wide Web: http://www.govinfo.gov

                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
43-867 PDF                  WASHINGTON : 2021

--------------------------------------------------------------------------------------


                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            Mike Rogers, Alabama
James R. Langevin, Rhode Island      Peter T. King, New York
Cedric L. Richmond, Louisiana        Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     John Katko, New York
Kathleen M. Rice, New York           Mark Walker, North Carolina
J. Luis Correa, California           Clay Higgins, Louisiana
Xochitl Torres Small, New Mexico     Debbie Lesko, Arizona
Max Rose, New York                   Mark Green, Tennessee
Lauren Underwood, Illinois           John Joyce, Pennsylvania
Elissa Slotkin, Michigan             Dan Crenshaw, Texas
Emanuel Cleaver, Missouri            Michael Guest, Mississippi
Al Green, Texas                      Dan Bishop, North Carolina
Yvette D. Clarke, New York           Jefferson Van Drew, New Jersey
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
                       Hope Goins, Staff Director
                 Chris Vieson, Minority Staff Director
                                 ------

     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
                               INNOVATION

                Cedric L. Richmond, Louisiana, Chairman
Sheila Jackson Lee, Texas            John Katko, New York, Ranking
James R. Langevin, Rhode Island          Member
Kathleen M. Rice, New York           Mark Walker, North Carolina
Lauren Underwood, Illinois           Mark Green, Tennessee
Elissa Slotkin, Michigan             John Joyce, Pennsylvania
Bennie G. Thompson, Mississippi (ex  Mike Rogers, Alabama (ex officio)
    officio)
               Moira Bergin, Subcommittee Staff Director
           Sarah Moxley, Minority Subcommittee Staff Director

                            C O N T E N T S

                              ----------

                               Statements

The Honorable James R. Langevin, a Representative in Congress
  From the State of Rhode Island:
  Oral Statement
  Prepared Statement
The Honorable John Katko, a Representative in Congress From the
  State of New York, and Ranking Member, Subcommittee on
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
  From the State of Mississippi, and Chairman, Committee on
  Homeland Security:
  Oral Statement
  Prepared Statement

                               Witnesses

Hon. Angus King, a United States Senator from the State of Maine,
  and Co-Chair, Cyberspace Solarium Commission:
  Oral Statement
  Joint Prepared Statement
Hon. Michael Gallagher, a Representative in Congress from the
  State of Wisconsin, and Co-Chair, Cyberspace Solarium
  Commission:
  Oral Statement
  Joint Prepared Statement
Ms. Suzanne Spaulding, Commissioner, Cyberspace Solarium
  Commission:
  Oral Statement
  Joint Prepared Statement
Dr. Samantha Ravich, Ph.D., Commissioner, Cyberspace Solarium
  Commission:
  Oral Statement
  Joint Prepared Statement


  DEFENDING AGAINST FUTURE CYBER ATTACKS: EVALUATING THE CYBER SPACE
                  SOLARIUM COMMISSION RECOMMENDATIONS

                              ----------


                         Friday, July 17, 2020

             U.S. House of Representatives,
                    Committee on Homeland Security,
                            Subcommittee on Cybersecurity,
                                 Infrastructure Protection,
                                            and Innovation,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 12:30 p.m.,
via Webex, Hon. James R. Langevin [Member of the subcommittee]
presiding.
    Present: Representatives Jackson Lee, Langevin, Rice,
Underwood, Slotkin, Thompson; Katko, and Joyce.
    Mr. Langevin. Good afternoon. The Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation will
come to order.
    Good afternoon, everyone. I want to thank the co-chairs of
the Cyberspace Solarium Commission and Commissioners Spaulding
and Ravich for participating in today's hearing. I would also
like to thank the gentleman from Louisiana, Mr. Richmond, for
allowing me the honor of chairing this subcommittee in his
absence.
    I have the privilege of serving on the Solarium Commission
with the witnesses testifying here today. I can honestly say
that working on a report was one of the highlights of my
Congressional career--research, outreach, and deliberation was
a testament to our 2 co-chairs, Senator King--here today to
testify this afternoon. I hope our subcommittee will take full
advantage of the wealth of knowledge of the virtual witnesses
at the witness table.
    The commission's report outlines a strategy of layered
cyber deterrence, and includes 82 recommendations on how the
Government can implement the strategy. I am looking forward to
discussing those recommendations with my colleagues today,
particularly those that would strengthen the cybersecurity--the
Cybersecurity and Infrastructure Security Agency by increasing
its capabilities and clarifying its relationship with the
intelligence community and sector-specific agencies.
    I am also looking forward to covering the essential role of
Congress in implementing our Nation's cybersecurity posture.
From the outset of the--and thanks to the work of our dedicated
executive director, Mark Montgomery, we deliberated with a bias
toward action. After all, as the Members of the subcommittee
know full well, the status quo in cyber space sees us making--
status quo in cyber space sees us making steady progress, while
the threat increases exponentially.
    We need to act, and act now, to change that dynamic and get
ahead of the curve. I am proud to report that leaders of this
subcommittee, including Chairman Richmond, Ranking Member
Katko, and Representatives Jackson Lee, Rice, Slotkin, Green,
and Joyce all have recommendations to the forthcoming National
Defense Authorization Act and impending--and to implement
aspects of the Solarium report.
    It is an honor to share the virtual dais with Members
committed to addressing this quintessential information-age
challenge, and I am sure the committee and this subcommittee
will continue to play a vital role in implementing the report.
    I encourage our witnesses to discuss why Congress is so
important to moving the conversation forward on cybersecurity,
and I encourage my colleagues to probe the decision making
behind the strategy and recommendations.
    The events of this year provide an interesting context in
which to review the Solarium recommendations. The COVID-19
pandemic has amended and altered the way we live, the way we
work, and the way we govern. Overnight, nearly half of employed
adults became teleworkers, putting added stresses on our
infrastructure, and creating new opportunities for hackers to
wreak havoc.
    Now Congress is holding remote hearings, and State and
local governments have become e-governments with little time to
transition. Many State and local governments are also finding
that, due to the antiquated IT systems and the fact that their
data aren't in the cloud, that they are unable to scale and
secure vital programs like unemployment insurance, highlighting
the need for modernization as part of the security push.
    Our adversaries have noticed the broader attack surface.
Just yesterday, CISA, in conjunction with allies in the UK and
Canada, announced that Russian operatives are targeting health
care organizations doing research on the virus.
    [Audio malfunction.]
    Mr. Langevin [continuing]. The breach of Twitter that saw
many prominent accounts linking to a Bitcoin scam. It doesn't
take much imagination to see what chaos one could sow with such
access on Election Day if a bad actor was pushing out
disinformation.
    The realities of 2020 make clear that a comprehensive
whole-of-Nation approach to cybersecurity is necessary, but--is
a necessity, but we do not yet have one. So we lack a clear
leader in the White House whose mission it is to focus on
cybersecurity. We lack clear understanding of roles and
responsibilities, both within Government and--between
Government and the private sector. We lack clear metrics to
measure our progress.
    The Cyberspace Solarium Commission report cannot fix all of
the challenges that we face in cyber space. But it does chart a
bold course, and it does not shy away from the trade-offs we
will need to make to decisively improve our cybersecurity
posture.
    The report makes clear that everyone, from Government, to
private-sector companies, to Congress itself needs to make
meaningful changes. We need to expect more from Government:
Closer coordination across agencies; stronger collaboration
with critical infrastructure; and a--and critically, a greater
emphasis on planning. We need to strengthen Government
agencies--in particular, CISA--to do so.
    We also need to expect more from the private sector. We
need companies to truly accept the risk that they take in cyber
space by accepting the consequences of failing to protect their
data and networks.
    We also need technology companies, what the report calls
``cybersecurity enablers,'' to do more to make the secure
choice the default choice. Too often we see a rush to be first
to market, not secure in a market. Too often we see entities
like the ISPs not protecting the small and medium-sized
customers, because they don't believe it is their job. More
importantly, where the public and private interests at--the
nexus of critical infrastructure that this committee is charged
with protecting. We need to ensure the private sector is doing
its part to protect itself, while acknowledging that they can't
go it alone.
    So this is part of the end-state we desire in the Solarium
report, a state where we are resilient enough to deter our
adversaries and agile enough to push back when they insist on
testing our defenses. To that end, to end--to--that end-state
is in reach, but it will require the work of this subcommittee
and of the experts that we have invited before us if we are to
achieve that goal.
    So I look forward to beginning what I am sure will be a
fruitful series of discussions on how to implement the Solarium
report.
    I again thank our witnesses who are here today. I am
grateful that the co-chairs of the Cyber Solarium Commission
could be here, Senator Angus King and Congressman Mike
Gallagher.
    I am honored that Suzanne Spaulding could be here, as well,
and I look forward to all of our witnesses' testimony today.
    [The statement of Mr. Langevin follows:]
                  Statement of Hon. James R. Langevin
                             July 17, 2020
    I had the privilege of serving on the Solarium Commission with the
witnesses testifying here today, and I can honestly say that working on
our report was one of the highlights of my Congressional career. Our
thoughtful research, outreach, and deliberation was a testament to our
two co-chairs, Senator King and Congressman Gallagher, and I hope our
subcommittee takes full advantage of the wealth of knowledge at the
virtual witness table.
    The commission's report outlines a strategy of layered cyber
deterrence and includes 82 recommendations on how the Government can
implement that strategy. I am looking forward to discussing those
recommendations with my colleagues today--particularly those that would
strengthen the Cybersecurity and Infrastructure Security Agency by
increasing its capabilities and clarifying its relationship with the
intelligence community and sector-specific agencies.
    I am also looking forward to covering the essential role of
Congress in improving our Nation's cybersecurity posture. From the
outset of the commission--and thanks to the work of our dedicated
executive director, Mark Montgomery--we deliberated with a bias toward
action. After all, as the Members of this subcommittee know full well,
the status quo in cyber space sees us making steady progress while the
threat increases exponentially.
    We need to act, and act now, to change that dynamic and get ahead
of the curve. I am proud to report that leaders on this subcommittee,
including Chairman Richmond, Ranking Member Katko, and Representatives
Jackson Lee, Rice, Slotkin, Green and Joyce all have amendments to the
forthcoming National Defense Authorization Act to implement aspects of
the Solarium report. It is an honor to share the (virtual) dais with
Members committed to addressing this quintessential Information Age
challenge, and I am sure the committee--and this subcommittee--will
continue to play a vital role in implementing the report.
    I encourage our witnesses to discuss why Congress is so important
to moving the conversation forward on cybersecurity. I encourage my
colleagues to probe the decision making behind the strategy and the
recommendations.
    The events of this year provide an interesting context in which to
review the Solarium Commission's recommendations. The COVID-19 pandemic
has upended and altered the way we live, the way we work, and the way
we govern. Almost overnight, nearly half of employed adults became
teleworkers, putting added stress on our infrastructure and creating
new opportunities for hackers to wreak havoc.
    Now Congress is holding remote hearings, and State and local
governments have become e-governments with little time to transition.
Many State and local governments are also finding that, due to
antiquated IT systems and the fact that their data aren't in the cloud,
they are unable to scale and secure vital programs like unemployment
insurance, highlighting the need for modernization as part of the
security push.
    Our adversaries have noticed the broader attack surface. Just
yesterday, CISA--in conjunction with allies in the United Kingdom and
Canada--announced that Russian operatives are targeting health care
organizations doing research on the virus. And 2 days ago, we saw a
major breach of Twitter that saw many prominent accounts linking to a
Bitcoin scam. It doesn't take much imagination to see what chaos one
could sow with such access on Election Day if a bad actor was pushing
out disinformation.
    The realities of 2020 make clear that a comprehensive, whole-of-
Nation approach to cybersecurity is a necessity, but we do not yet have
one. We lack a clear leader in the White House whose mission it is to
focus on cybersecurity. We lack clear understanding of roles and
responsibilities, both within Government and between Government and the
private sector. We lack clear metrics to measure our progress.
    The Cyberspace Solarium Commission report cannot fix all the
challenges we have in cyber space. But it does chart a bold course, and
it does not shy away from the trade-offs we will need to make to
decisively improve our cybersecurity posture. The report makes clear
that everyone--from Government to private-sector companies to Congress
itself--needs to make meaningful changes.
    We need to expect more from Government: Closer coordination across
agencies, stronger collaboration with critical infrastructure, and,
critically, a greater emphasis on planning. And we need to strengthen
Government agencies--in particular CISA--to do so.
    We also need to expect more from the private sector. We need
companies to truly accept the risks they take in cyber space by
accepting the consequences of failing to protect their data and
networks. We also need technology companies--what the report calls
``cybersecurity enablers''--to do more to make the secure choice the
default choice. Too often, we see a rush to be first to market, not
secure to market. Too often, we see entities like ISPs not protecting
their small and medium-sized customers because they don't believe it's
their job.
    Most importantly, where the public and private intersect, at the
nexus of critical infrastructure that this committee is charged with
protecting, we need to ensure the private sector is doing its part to
protect itself while acknowledging that they can't go it alone.
    This is part of the end-state we desire in the Solarium report, a
state where we are resilient enough to deter our adversaries and agile
enough to push back when they insist on testing our defenses. That end-
state is in reach, but it will require the work of this subcommittee--
and of the experts we have invited before us--if we are to achieve that
goal.

    Mr. Langevin. With that, I am now proud to yield to Mr.
Katko for his opening remarks.
    Mr. Katko. Thank you, Mr. Chairman, I appreciate your
comments. Before I begin I want to congratulate one of the
Solarium members on the birth of his first child,
Representative Gallagher.
    Grace Ellen Gallagher came to this world not too long ago,
and we welcome her in. You--I will raise--I will hoist a pint
in her honor soon.
    I want to thank all the commissioners for their work on the
Cyberspace Solarium Commission, and congratulate them on
producing a truly game-changing report and recommendations that
accompany that report that take a bold step in the direction of
reinventing our Nation's cybersecurity policy and architecture.
The commission's legislative proposals accompanying the
recommendations are enabling Congress to act quickly and
decisively on these urgent measures.
    I am interested in all the recommendations in the report,
and I have gone through all of them, but I am really focused on
several of them today, and they are as follows: Strengthening
the Cybersecurity and Infrastructure Agency, or CISA, and its
work force; evaluating CISA's facilities needs; strengthening
the CISA director position, and making the assistant directors
clear positions--the National cyber director; authorizing CISA
to threat hunt on the gov domain, .gov domain; developing a
strategy to secure email; and modernizing the digital
infrastructure of State and local governments, and small and
mid-sized businesses.
    As Ranking Member on the Cybersecurity, Infrastructure
Protection, and Innovation Subcommittee, my top priority among
the commission's recommendations is strengthening and
clarifying CISA's authority, and vastly increasing its funding
to allow it to carry out its role as the Nation's risk manager,
coordinating the protection of critical infrastructure and
Federal agencies and departments from cyber threats.
    I introduced this recommendation as a bill, together with
Mr. Ruppersberger, and cosponsored his amendment to the NDAA,
which requires CISA to assess what additional resources are
necessary to fulfill its mission. This assessment should
examine CISA's work force composition and future demands, and
report to Congress on the findings.
    Under this bill, CISA would also evaluate its current
facilities and future needs, including accommodating
integration of personnel, critical infrastructure partners, and
other Department and agency personnel, and make recommendations
to GSA. GSA must evaluate CISA's recommendations and report to
Congress within 30 days on how best to accommodate CISA's
missions and goals with commensurate facilities.
    The facilities evaluation dovetails with the commission's
recommendation for an integrated cyber center within CISA. That
is critically important.
    In conjunction with Chairman Richmond's CISA director
amendment to the NDAA bill that I cosponsored, I reintroduced
my CISA director bill. The bill and amendment elevate and
strengthen the CISA director position to reflect the
significant role that it plays, and making the position the
equivalent of an assistant secretary or military service
secretary. They limit the term of the CISA director to two
5-year terms, which ensure the agency has stable leadership,
and de-politicizes the assistant director positions by making
them career positions.
    A related amendment that my fellow colleague, Mr. Green,
cosponsored and I cosponsored, clarifies CISA's authority to
conduct continuous threat hunting across the .gov domain. This
will increase CISA's ability to protect Federal networks, and
allow CISA to provide relevant threat information to critical
infrastructure.
    Finally, the recommendation to establish a National cyber
director within the White House, offered as an amendment to the
NDAA by my colleague and friend, Mr. Langevin, is another
legislative proposal I am cosponsoring. This Presidentially-
nominated and Senate-confirmed National cyber director would be
the principal cybersecurity adviser to the President, tasked
with developing, counseling the President on, and supervising
implementation of a National cyber strategy, which is sorely
needed. This leadership will bring focus to our Nation's
cybersecurity as a top strategic priority.
    I look forward to hearing from our witnesses today about
these Solarium recommendations and many others that fall under
the jurisdiction of our subcommittee, as well as working with
my colleagues to attach as many of the commission's
recommendations as possible to the NDAA, another must-pass
vehicle, or pass as stand-alone bills.
    I want to thank the Chairman for holding this important
hearing. I look forward again to convening in person with my
committee colleagues. But I want to take a moment before I
close to really commend the members of the Solarium Commission:
Mr. King, Mr. Gallagher, Ms. Spaulding, Mr. Langevin, and all
the others.
    I think that what you did is what they did after 9/11 with
respect to terrorism. You are anticipating the issues before we
have a catastrophic attack. I commend all of you for doing
that. That is why I think this is such an important hearing we
are having today.
    So the bipartisanship that has been shown on this, the lack
of politics, and understanding the issues, and understanding
the threat and attacking it, it is exactly what we should be
doing. I commend everyone for that.
    With that, Mr. Chairman, I yield back.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
    Thank you, Mr. Chairman.
    I want to thank all of the commissioners for their work on the
Cyberspace Solarium Commission and congratulate them on producing a
game-changing report and recommendations that take a bold step in the
direction of reinventing our Nation's cybersecurity policy
architecture. The commission's legislative proposals accompanying the
recommendations are enabling Congress to act quickly and decisively on
these urgent measures.
    The recommendations I am most interested in hearing about today
are, strengthening the Cybersecurity and Infrastructure Security Agency
(CISA) and its workforce, evaluating CISA's facilities needs,
strengthening the CISA director position and making the assistant
directors career, the National cyber director, authorizing CISA to
threat hunt on the .gov domain, securing email, developing a strategy
to secure email, and modernizing the digital infrastructure of State
and local governments and small and mid-sized businesses.
    As Ranking Member on the Cybersecurity, Infrastructure Protection,
and Innovation Subcommittee, my top priority among the commission's
recommendations is strengthening and clarifying the Cybersecurity and
Infrastructure Security Agency's (CISA) authority and vastly increasing
its funding to allow it to carry out its role as the Nation's risk
manager coordinating the protection of critical infrastructure and
Federal agencies and departments from cyber threats. I introduced this
recommendation as a bill, which requires CISA to assess what additional
resources are necessary to fulfill its mission. This assessment should
examine CISA's workforce composition and future demands and report to
Congress on the findings.
    Under the bill, CISA would also evaluate its current facilities and
future needs including accommodating integration of personnel, critical
infrastructure partners, and other Department and agency personnel and
make recommendations to GSA. GSA must evaluate CISA's recommendations
and report to Congress within 30 days on how best to accommodate CISA's
mission and goals with commensurate facilities. The facilities
evaluation dovetails with the commission's recommendation for an
integrated cyber center within CISA.
    I reintroduced my bill elevating and strengthening the CISA
director position to reflect the significance of the role, making the
position the equivalent of an assistant secretary or military service
secretary. My bill limits the term of the CISA director to two 5-year
terms, which ensures the agency has stable leadership. It also
depoliticizes the assistant director positions by making them career.
    A related legislative proposal that I am working with colleagues to
pass, clarifies CISA's authority to conduct continuous threat hunting
across the .gov domain. This will increase CISA's ability to protect
Federal networks and allow CISA to provide relevant threat information
to critical infrastructure.
    Finally, the recommendation to establish a National cyber director
within the White House is another legislative proposal I am
cosponsoring. This Presidentially-nominated and Senate-confirmed
National cyber director would be the principal cybersecurity advisor of
the President, tasked with developing, counseling the President on, and
supervising the implementation of a National cyber strategy. This
leadership will bring focus to our Nation's cybersecurity as a top
strategic priority.
    I look forward to hearing from our witnesses today about these
Solarium recommendations and the many others that fall under the
jurisdiction of our subcommittee as well as working with my colleagues
to attach many of the commission's recommendations to the National
Defense Authorization Act (NDAA), another must-pass vehicle, or pass as
stand-alone bills.
    In closing, I want to thank the Chairman for holding this important
hearing and I look forward to again convening in person with my
committee colleagues.

    [Pause.]
    Mr. Katko. I can't hear anything, Jim----
    Mr. Langevin. I was muted, sorry about that. I thank the
Ranking Member for his comments, and I want to join with him.
    First of all, I want to thank you, Ranking Member, for your
leadership on cybersecurity issues, as well as I have been
honored to join with the Ranking Member on these cybersecurity
issues that are before us, and that are moving their way
through the Congress.
    I also want to join the Ranking Member in congratulating
the newest father in the House, Mr. Gallagher, on the birth of
his baby girl, Grace, and wish all the best to your entire
family. My congratulations.
    Also, I should mention not--when I mentioned Senator King
as co-chair along with Congressman Gallagher and Suzanne
Spaulding, I glossed over and unintentionally didn't mention
Dr. Samantha Ravich's name, but I am going to read bios on each
of them in a minute. But I welcome, obviously, Dr. Ravich, and
thank her for her participation and valuable contribution that
she made to this Solarium Commission report, as well.
    So with that, I thank the Ranking Member again.
    Members are reminded that the subcommittee will operate
according to the guidelines laid out by the Chairman and
Ranking Member in their July 8 colloquy.
    With that, I ask unanimous consent to waive the committee
rule 8(a)(2) for the subcommittee during remote proceedings
under the covered period designated by the Speaker under the
House Resolution 965.
    Without objection, so ordered.
    The Chair now recognizes the Chairman of the full
committee, the gentleman from Mississippi, Mr. Thompson, for an
opening statement.
    Mr. Thompson. Thank you very much, Mr. Chair and Ranking
Member, and our witnesses today.
    As you know, the Solarium Commission is very forward-
thinking, something--I compliment our witnesses for their
brilliant work that they have done on it. I compliment you
personally, being a Member of our committee, having served on
it.
    I have a written testimony for the record. In the interest
of time and, again--forward, I will submit it for the record.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                             July 17, 2020
    At the outset, I want to acknowledge how fortunate we are, as
Members of Congress, to have before us a whole-of-Government, public/
private-sector blueprint for defending the Nation against future cyber
attacks. Too often, thoughtful documents like this are the product of
Monday morning quarterbacking that takes place after a catastrophic
event has occurred.
    After the September 11 attacks, the 9/11 Commission studied how the
organization and policies of the Federal Government led to its failure
to predict, prevent, and prepare for the attacks, and made a series of
recommendations to reorganize the Government and build lacking
capabilities.
    After Hurricane Katrina, Congress identified critical deficiencies
in Federal emergency management policy and overhauled it in the Post-
Katrina Emergency Management Reform Act. After the Russian government
attempted to meddle in our elections in 2016, I co-led a Task Force on
Election Security to understand vulnerabilities in our election
infrastructure, and we issued a report and recommendations to address
them. Soon, I expect we will establish a commission to study the
failures of the Federal Government that have led to its inept response
to the COVID-19 pandemic.
    We are lucky we are here today not to discuss a tragedy, but
rather, how to organize the Federal Government to effectively avoid
one. At this time, the responsibility for leadership on Federal
cybersecurity policy rests with Congress.
    Although there are many well-intentioned, capable people working
hard to advance sound cybersecurity policy throughout the Executive
branch, the lack of consistent leadership from the White House has
stunted progress. Over 2 years ago, for example, the White House green-
lighted the elimination of its Cyber Security Coordinator. The result
is a lack of effective coordination among Federal agencies who compete
for cybersecurity authorities, responsibilities, and associated
budgets--and Federal agencies approaching Congress with conflicting
priorities. The time has come for that to stop.
    Toward that end, I appreciate and support the commission's
recommendation that Congress establish a National cyber director. I
understand Congressman Langevin has authored legislation to implement
that recommendation and has also submitted it as an amendment to the
NDAA. I fully support both efforts.
    I similarly appreciate the commission's recommendations regarding
strengthening the Cybersecurity and Infrastructure Security Agency and
more clearly defining the roles and responsibilities of CISA and sector
risk management agencies. Right-sizing CISA's budget and equipping it
with the authorities necessary to carry out its mission to secure
Federal networks, while also supporting critical infrastructure, has
been a bipartisan priority of committee Members.
    I am particularly interested in hearing Ms. Spaulding's thoughts on
these recommendations given her perspective as the former under
secretary of the National Protection and Programs Directorate.
    Additionally, I am interested in discussing commission
recommendations related to implementing a ``carrot and stick'' approach
to encourage private-sector collaboration with the Federal Government's
cybersecurity and defense efforts, particularly the proposed
codification of ``systemically important critical infrastructure.''
    Finally, I would be remiss if I did not address the commission's
observation that Congress' fractured jurisdiction over cybersecurity
frustrates efforts to achieve a comprehensive, cohesive approach to
cybersecurity. I agree. While I disagree with the commission's
recommendation on that point, rest assured that I am working to address
the underlying problem.

    Mr. Langevin. I thank you, Chairman Thompson, and I thank
you for your leadership, both of the full committee on a whole
host of issues, but for your leadership and support on
cybersecurity, in particular.
You have been incredible, and I \nthank you for that, your leadership there.\n    I understand that Mr. Rogers is not able to join us. Is \nthat correct?\n    OK, I believe that is the case. So if Mr. Rogers is not \nhere, then with that, again, I thank the Chairman, and I now \nwelcome our panel of witnesses.\n    First I would again like to welcome Senator Angus King, the \nformer Governor of Maine, who served as co-chair of the \nSolarium Commission. Senator King currently sits on the Senate \nArmed Services Committee and the Senate Committee on \nIntelligence, among others, and has been a vocal leader on \ncybersecurity throughout his tenure. I welcome the Senator \nhere.\n    Next, Representative Mike Gallagher, co-chair of the \nCyberspace Solarium Commission and current Member of the House \nof Representatives for the 8th district of Wisconsin. Mr. \nGallagher is a Member of the House Armed Services Committee, \nand a former Member of this committee. I would also like to \nwelcome Mr. Gallagher back to the committee again, back to \nCongress after his paternity leave, and I thank him for \ninterrupting his paternity leave, being here with us.\n    Again, Mr. Gallagher, congratulations on your daughter, \nGrace. In addition to being a huge Packers fan, I know they \nwill be incredibly very proud of their father for the work that \nyou have done with the commission.\n    Next we will hear from Suzanne Spaulding, a commissioner \nfor the Cyber Solarium Commission and senior adviser at the \nCenter for Strategic and International Studies. Before that Ms. \nSpaulding served as the under secretary for the National \nProtection and Programs Directorate at the Department of \nHomeland Security, which is now the Cybersecurity and \nInfrastructure Security Agency, or CISA. So I look forward to \nhearing her unique perspective and her emphasis on how civics \neducation is an essential component of resiliency.\n    Finally, we have Dr. 
Samantha Ravich, a commissioner of the \nCyber Solarium Commission, and former deputy national security \nadviser during the Bush administration. Dr. Ravich is currently \nserving as the chair of the Foundation for Defense of \nDemocracy's Center for Cyber and Technology Innovation. I \ndeeply appreciate her coming to speak with us today, and for \nher incredible contributions to, I think, a continuity of the \neconomy.\n    With that, without objection, the witnesses' full \nstatements will be inserted into the record. I now ask each \nwitness to summarize their statements for 5 minutes, beginning \nwith Senator King.\n    Senator King, it was a pleasure serving with you on the \nSolarium Commission, and I look forward to hearing your \ncomments here today. You are now recognized.\n\nSTATEMENT OF HON. ANGUS KING, A UNITED STATES SENATOR FROM THE \n  STATE OF MAINE, AND CO-CHAIR, CYBERSPACE SOLARIUM COMMISSION\n\n    Senator King. Mr. Chairman, thank you very much for holding \nthis hearing. It really means a lot to the work of the \ncommission to be taking this next step.\n    I would say that I use this technology every Wednesday \nmorning for the Senate Prayer Breakfast, and it seems to work \nvery effectively, except when we try to sing hymns. So I think, \nas long as we don't sing any hymns today, we will be OK.\n    I appreciate your time. I also appreciate the involvement \nand engagement of Representative Katko, who has--who outlined a \nseries of bills, all of which we think are important, and I \nreally want to thank him for his work.\n    I want to give a little bit of background. The first thing \nto observe is that, in the last 6 months, we have learned that \nthe unthinkable can happen. The unthinkable can happen. 
In the \nlast 48 hours, we have learned that cyber is an ever-present \nthreat.\n    As the Chairman mentioned in his opening statement, the \nattack on Twitter, which was a commercial one, but also the \napparent attack by the Russians on the security of our pursuit \nof a vaccine, it is just a reminder that this is not an \nacademic question, but it is something that is really a--front \nand center in threats that this country is facing.\n    The commission that you mentioned several times, and that \nMike Gallagher and I were privileged to co-chair, was set up in \nthe 2019 National Defense Act. It had a unique structure. It \nhad 4 sitting Members of Congress, 4 members from the \nExecutive, and 6 members from the private sector. I can \nhonestly say that, throughout our deliberations--and we had \nover 30 meetings, had 400 interviews, thousands of pages of \ndocuments--there was not a single moment of partisanship or of \npartisan discussion. In fact, I have no idea the party \naffiliation of the other 10 members of the commission who \naren't Members of Congress. That, it seems to me, speaks to the \nimportance and overriding power of this issue that really must \nunite us.\n    So that was the work of the commission. We went through, as \nI mentioned, 30 meetings together. We had stress tests. 
We had \na sort-of contest of ideas in the middle of last summer, and we \nreally tried to approach this with fresh eyes to look at, \nreally, 2 basic questions: What should our strategy be, and \nwhat should our organizational structure be to--both to \nprotect, to prepare, and to prevent cyber attacks?\n    As you mentioned, there are 82 recommendations in the \nreport, 54 of which have been converted into legislative \nrecommendations and presented to the various committees of both \nthe House and the Senate in the form of fully-drafted \nlegislative proposals.\n    What we are talking about is what is called layered cyber \ndeterrence, and that means resilience so that our adversaries \nfeel that there is not much to be gained by attacking us \nbecause of our security and our protection of our systems, but \nalso a declaratory policy that, if attacked, we will respond.\n    One of the deficiencies in our cyber posture over the last \nseveral decades has been we have a deterrence strategy for a \nmajor sort-of threshold of use of force, but we haven't had a \nstrategy, and we haven't articulated a doctrine that would \nprovide a deterrent for less than use-of-force kind of cyber \nattacks.\n    For that reason, as I have said many times, we are a cheap \ndate. Our adversaries don't--they don't compute the cost of \nattacking us. That has to change. That is the strategic \npicture.\n    The organizational picture is that cyber is scattered \nthroughout the Federal Government. It is in the Defense \nDepartment, it is in the intelligence community, it is in DHS, \nit is in the FBI. We really need to try to straighten out the \norganizational structure.\n    One of my observations has been that messy structure equals \nmessy policy. That leaves with the creation of a National cyber \ndirector in the White House, appointed by the President, \nconfirmed by the Senate, which will give continuity to this \nimportant interest. 
We want somebody in the Federal Government \nwho wakes up every morning with the mission of protecting this \ncountry in cyber space.\n    Finally, one of the crucial elements that we tried to \naddress in the report--and frankly, it is a difficult one--is \nthe relationship between the Government and the private sector. \nEighty-five percent of the target space in cyber is in the \nprivate sector. The private-sector computers, whether they are \nin the financial sector, or energy, or transportation, or \ntelecommunications, they are the front line troops in this \nbattle. Yet it is the Federal Government that often has the \nresources and the expertise and the ability to pull together \nthis information in order to protect our country.\n    So I will go back to--I think one of you stated--I think \nMr. Katko, Representative Katko, stated and Mike Gallagher said \nthis was our mission from the beginning. We wanted to be the 9/\n11 Commission report without 9/11. That is really what we have \ntried to focus upon in this project.\n    So I want to thank the committee. Now is the time to put \nthese recommendations into law, into practice, if we are going \nto protect our country in the way that we all believe--it can \nbe done, and certainly it should be done. The unthinkable can \nhappen. But we can be prepared, we can prevent, and we can \nprotect this country.\n    Thank you, Mr. Chairman.\n    [The joint prepared statement of Sen. King, Hon. Gallagher, \nMs. Ravich and Ms. Spaulding follows:]\n    Joint Prepared Statement of Senator Angus King, Honorable Mike \n           Gallagher, Samantha Ravich, and Suzanne Spaulding\n                             July 17, 2020\n    The Cyberspace Solarium Commission (CSC) was established by the \nJohn S. 
McCain National Defense Authorization Act (NDAA) for Fiscal \nYear 2019 to ``develop a consensus on a strategic approach to defending \nthe United States in cyber space against cyber attacks of significant \nconsequences.''\n    The Cyberspace Solarium Commission consists of 14 commissioners, \nincluding 4 currently-serving legislators, 4 Executive branch leaders, \nand 6 recognized experts with backgrounds in industry, academia, and \nGovernment service. Senator Angus King and Representative Mike \nGallagher serve as the co-chairmen. The commissioners spent the past 13 \nmonths studying the issues, investigating solutions, and deliberating \non courses of action to produce a comprehensive report. Our \ncommissioners convened nearly every Monday that Congress was in session \nfor over a year, achieving an impressive benchmark of 30 meetings. The \nstaff conducted nearly 400 interviews with industry, Federal, State, \nand local governments, academia, non-Governmental organizations, and \ninternational partners. The commissioners also recruited our Nation's \nleading cybersecurity professionals and academic minds to vigorously \nstress test the findings and red-teamed the different policy options in \nan effort to distill the optimal approach to securing the United States \nin cyber space. The final report was presented to the public on March \n11, 2020 and identified 82 specific recommendations. These bi-partisan \nrecommendations were then subsequently turned into 52 legislative \nproposals that have been shared with the appropriate committees in the \nSenate and House of Representatives.\n    Ultimately, the commission developed a strategic approach of \n``layered cyber deterrence'' with the objectives of actively shaping \nbehavior in cyber space, denying benefits to adversaries who exploit \nthis domain, and imposing real costs against those who target America's \neconomic and democratic institutions in and through cyber space. 
Our \ncritical infrastructure--the systems, assets, and entities that \nunderpin our National security, economic security, and public health \nand safety--are increasingly threatened by malicious cyber actors. \nEffective critical infrastructure security and resilience requires \nreducing the consequences of disruption, minimizing vulnerability, and \ndisrupting adversary operations that seek to hold our assets at risk. \nWe believe the future of the U.S. economy and our National security \nrequires both the Executive branch and Congress work in tandem to \nprioritize and grant the following recommendations.\n    First and foremost, the commission found that the Federal \nGovernment lacks consistent and institutionalized leadership, as well \nas a cohesive, clear strategic vision on cybersecurity. As a result, we \nrecommend that Congress establish a National cyber director in the \nExecutive Office of the President to centralize and coordinate the \ncybersecurity mission at the National level. The National cyber \ndirector would work with Federal departments and agencies to bring \ncoherence in the development of cybersecurity policy and strategy and \nin its execution. The position would provide clear leadership in the \nWhite House and signal cybersecurity as an enduring priority in U.S. \nNational security strategy.\n    Second, the Government must continue to improve the resourcing, \nauthorities, and organization of the Cybersecurity and Infrastructure \nSecurity Agency (CISA) in its role as the primary Federal agency \nresponsible for critical infrastructure protection, security, and \nresilience. We recommend empowering CISA with tools to strengthen \npublic-private partnership. Of particular value would be the \nauthorities needed to aid in responding to attempted attacks on \ncritical infrastructure from a variety of actors ranging from nation-\nstates to criminals. Currently, the U.S. 
Government's authorities are \nlimited exclusively to certain criminal contexts, where evidence of a \ncompromise exists, and do not address instances in which critical \ninfrastructure systems are vulnerable to a cyber attack. To address \nthis gap, Congress should grant CISA subpoena authority in support of \ntheir threat and asset response activities, while ensuring appropriate \nliability protections for cooperating private-sector network owners.\n    Third, elements of the U.S. Government and the private sector often \nlack the tools necessary for successful collaboration to counter and \nmitigate a malicious nation-state cyber campaign. To address this \nshortcoming, the Executive branch should establish a Joint Cyber \nPlanning Office under CISA to coordinate cybersecurity planning and \nreadiness across the Federal Government and between the public and \nprivate sectors for significant cyber incidents and malicious cyber \ncampaigns. Within a similar vein, Congress should also direct the U.S. \nGovernment to plan and execute a National-level cyber table-top \nexercise on a biennial basis that involves senior leaders from the \nExecutive branch, Congress, State governments, and the private sector, \nas well as international partners, to build muscle memory for key \ndecision makers and develop new solutions and strengthen our collective \ndefense.\n    Fourth, the United States must take immediate steps to ensure our \ncritical infrastructure sectors can withstand and quickly respond to \nand recover from a significant cyber incident. Resilience against such \nattacks is critical in reducing benefits that our adversaries can \nexpect from their operations--whether disruption, intellectual property \ntheft, or espionage. Congress should direct the Executive branch to \ndevelop a Continuity of the Economy Plan. 
This plan should include the \nFederal Government, SLTT entities and private stakeholders who can \ncollectively identify the resources and authorities needed to rapidly \nrestart our economy after a major disruption. In addition, the \ncommission recommends establishing a Cyber State of Distress tied to a \nCyber Response and Recovery Fund, giving the Government greater \nflexibility to scale up and augment its own capacity to aid the private \nsector when a significant cyber incident occurs. These changes will \nensure the infrastructure that supports our most critical National \nfunctions can continue to operate amidst disruption or crisis.\n    Fifth, the commission recommends 2 relevant initiatives to reshape \nthe cyber ecosystem toward greater security for all Americans. The \nfirst, the creation of a National Cybersecurity Certification and \nLabeling Authority, would help create standards and transparency that \nwill allow consumers of technology products and services to use the \npower of their purses over time to demand more security and less \nvulnerability in the technologies they buy. Furthermore, Congress \nshould appropriate funds to the Department of Homeland Security (DHS), \nin partnership with the Department of Energy, Office of the Director of \nNational Intelligence (ODNI), and the Department of Defense (DoD), to \ncompetitively select, designate, and fund up to 3 Critical Technology \nSecurity Centers in order to centralize efforts directed toward \nevaluating and testing security of devices and technologies that \nunderpin our networks and critical infrastructure.\n    Sixth, the U.S. intelligence community is not currently resourced \nor aligned to adequately support the private sector in cyber defense \nand security. While the intelligence community is formidable in \ninforming security operations in instances when the U.S. 
Government is \nthe defender, its policies and procedures are not aligned to \nintelligence collection on behalf of private entities, which \nconstitutes around 85 percent of our critical infrastructure. To that \nend, Congress should direct the Executive branch to conduct a 6-month \ncomprehensive review of intelligence policies, procedures, and \nresources to identify and address key limitations in order to improve \nthe intelligence community's ability to provide intelligence support to \nthe private sector.\n    Throughout the process of developing its recommendations, the \ncommission always considered Congress as its ``customer.'' Through the \nNDAA, Congress tasked the commission to investigate cyber threats that \nundermine American power and prosperity, to determine an appropriate \nstrategic approach to protect the Nation in cyber space, and to \nidentify policy and legislative solutions. As commissioners, we are \nhere today to share what we learned, advocate for our recommendations, \nand work to assist you in any way we can to solve this serious and \ncomplex challenge.\n             intersection between pandemic and cyber crises\n    The COVID-19 pandemic has been a big wakeup call for us all because \nit illustrates the challenge of ensuring resilience and continuity in a \nconnected world. It is an example of a type of non-traditional National \nsecurity crisis that spreads rapidly through the system, stressing \neverything from emergency services and supply chains to basic human \nneeds. The pandemic has produced cascading effects and high levels of \nuncertainty. This situation undermines normal policy-making processes \nand forces decision makers to craft hasty and ad hoc emergency \nresponses. 
Complex emergencies that rely on coordinated action beyond \ntraditional agency responses and processes illustrate what the \ncommission saw as an acute threat to the security of the United States.\n    The lessons the country is still learning from the on-going \npandemic are not perfectly analogous to a significant cyber attack, but \nare highly illustrative of the possible consequences due to several \nsimilarities between the 2 types of events. First, both the pandemic \nand a significant cyber attack are global in nature. Second, both the \nCOVID-19 pandemic and a significant cyber attack require a whole-of-\nNation response and are likely to challenge existing incident \nmanagement doctrine and coordination mechanisms. Finally, and perhaps \nmost importantly, prevention is far cheaper and more effective than \nresponse.\n    The global health crisis has reinforced the urgency of many of the \ncore recommendations in the commission's March 2020 report. Responding \nto complex emergencies will require a balance between response agility \nand institutional resilience in the economy and critical infrastructure \nsectors. It relies on strategic leadership and coordination from the \nhighest offices in Government, underscoring the importance of a \nNational Cyber Director. It relies on a strong understanding of the \nrisks posed by a crisis and a data-driven approach to mitigating those \nrisks before, during, and after a crisis, validating the commission's \nrecommendations. Specifically, successfully responding to a crisis \nrelies on clear roles and responsibilities for critical actors in the \npublic and private sector as well as established, exercised \nrelationships and plans, highlighting the importance of Continuity of \nthe Economy planning.\n                             the challenge\n    For the last 20 years, adversaries have used cyber space to attack \nAmerican power and interests. 
Our adversaries have not internalized the \nmessage that, if they attack us in cyber space, they will pay a price. \nThe more connected and prosperous our society has become, the more \nvulnerable we are to rival great powers, rogue states, extremists, and \ncriminals. These attacks on America occur beneath the threshold of \narmed conflict and create significant challenges for the private sector \nand the public at large.\n    The American public relies on critical infrastructure, roughly 85 \npercent of which--according to the Government Accountability Office--is \nowned and operated by the private sector. Increasingly, institutions \nAmericans rely on--from water treatment facilities to hospitals--are \nconnected and vulnerable. There are also new industries and services, \nlike cloud computing, which our society relies on for economic growth. \nAs we saw last year, hackers don't just target the U.S. Government and \nmilitary personnel--they increasingly target our cities and counties \nwith malware and ransomware attacks.\n    Creating a secure Nation in the 21st Century requires an \ninterconnected system of both public and private networks secure from \nstate and non-state threats. China commits rampant intellectual \nproperty theft to help their businesses close the technological gap, \ncosting non-Chinese firms over $300 billion per year. Massive data \nbreaches, including those suffered by Equifax, Marriott, and the Office \nof Personnel Management (OPM), enable Chinese spies to collect data on \nover a hundred million Americans.\n    Russia targets the integrity and legitimacy of elections in \nmultiple countries while actively probing critical infrastructure. In \nspring 2014, Russian-linked groups launched a campaign to disrupt \nUkrainian elections that included attempts at altering vote tallies, \ndisrupting election results through distributed-denial-of-service \nattacks, and smearing candidates by releasing hacked emails. 
They \ncontinue to spread hate and disinformation on social media to polarize \nfree societies. But they have not stopped there. The 2017 NotPetya \nmalware attack spread globally, Iran and North Korea attack U.S. and \nallied interests through cyber space. Iranian cyber operations have \ntargeted the energy industry, entertainment sector, and financial \ninstitutions. There are also documented cases of Iranian APTs targeting \ndams in the United States with distributed-denial-of-service attacks. \nNorth Korea exploits global connectivity to skirt sanctions and sustain \nan isolated, corrupt regime. The 2017 WannaCry ransomware attacks hit \nover 300,000 computers in 150 countries, including temporarily \ndisrupting U.K. hospitals. According to United Nations estimates, North \nKorean cyber operations earn $2 billion in illicit funds for the regime \neach year.\n    A new class of criminal thrives in this environment. Taking \nadvantage of wide-spread cyber capabilities revealed by major state \nintrusions, criminal groups are migrating toward a ``crime-as-a-\nservice'' model in which threat groups purchase and exchange malicious \ncode on the dark web. In 2019, ransomware incidents grew over 300 \npercent compared to 2018 and hit over 40 U.S. municipalities. More \nrecently, opportunistic hackers have hijacked hospitals and health care \nsystems during the COVID-19 pandemic, taking advantage of poorly \nprotected systems at their most vulnerable state. Remote access and the \nexpansion of the work-from-home economy continues to increase the \nthreat vectors for criminal actors as the world changes to meet the \nneeds of a global pandemic.\n                           strategic approach\n    The strategy put forth by the Cyberspace Solarium Commission \ncombines a number of traditional deterrence mechanisms and extends \ntheir use beyond the Government to develop a whole-of-Nation approach. 
\nIt also updates and strengthens our declaratory policy for cyber \nattacks both above and below the level of armed attack. The United \nStates must demonstrate its ability to impose costs while establishing \na clear declaratory policy that signals to rival states the costs and \nrisks associated with attacking America in cyber space.\n    Since America relies on critical infrastructure that is primarily \nowned and operated by the private sector, the Government cannot defend \nthe Nation alone. The public and private sectors, along with key \ninternational partners, must collaborate to build resilience and \nreshape the cyber ecosystem in a manner that increases its security, \nwhile imposing costs against malicious actors and preventing attacks of \nsignificant consequence.\n    Cyber deterrence is not nuclear deterrence. The fact is, no action \nwill stop every hack. Rather, the goal is to reduce the severity and \nfrequency of attacks by making it more costly to benefit from targeting \nAmerican interests through cyber space. Layered cyber deterrence \ncombines traditional methods of altering the cost-benefit calculus of \nadversaries (e.g., denial and cost imposition) with forms of influence \noptimized for a connected era, such as promoting norms that encourage \nrestraint and incentivize responsible behavior in cyber space. \nStrategic discussions all too often prioritize narrow definitions of \ndeterrence that fail to consider how technology is changing society. In \na connected world, those states that harness the power of cooperative, \nnetworked relationships gain a position of advantage and inherent \nleverage. The more connected a state is to others and the more \nresilient its infrastructure, the more powerful it becomes. This power \nrequires secure connections and stable expectations between leading \nstates about what is and is not acceptable behavior in cyber space. 
It \nrequires shaping adversary behavior not only by imposing costs but also \nby changing the ecosystem in which competition occurs. It requires \ninternational engagement and collaboration with the private sector.\n    Layered cyber deterrence emphasizes working with the private sector \nto efficiently coordinate how the Nation responds with speed and \nagility to emerging threats. The Federal Government alone cannot fund \nor solve the challenge of adversaries attacking the networks on which \nAmerica and its allies and partners rely. It requires collaboration \nwith State and local authorities, leading business sectors, and \ninternational partners, all within the rule of law. This strategy also \ncontemplates the planning needed to ensure the continuity of the \neconomy and the ability of the United States to rebound in the \naftermath of a major, Nation-wide cyber attack of significant \nconsequence. Such planning adds depth to deterrence by assuring the \nAmerican people, allies, and even our adversaries that the United \nStates will have both the will and capability to respond to any attack \non our interests. These 3 deterrent layers are supported by 6 policy \npillars that organize the 82 recommendations that collectively \nrepresent the means to implement our strategy.\n         the need to reorganize the u.s. government (pillar 1)\n    The Legislative and Executive branches must align their authorities \nand capabilities to produce the speed and agility required to defend \nAmerica in cyber space. Greater collaboration and integration in the \nplanning, resourcing, and employment of Government cyber resources \nbetween the public and private sectors is a foundational requirement. \nThe U.S. Government needs strategic continuity and unity of effort to \nachieve the goal of layered cyber deterrence called for by the \nCyberspace Solarium Commission. These actions require adjusting the \nauthorities and alignment of fundamental processes the U.S. 
Government \napplies to defend its interests in cyber space.\n    First, Congress must reestablish clear oversight responsibility and \nauthority over cyber space within the Legislative branch. The large \nnumber of committees and subcommittees claiming some form of \njurisdiction over cyber issues is actively impeding action and clarity \nof oversight. By centralizing responsibility in the new House Permanent \nSelect and Senate Select Committees on Cybersecurity, Congress will be \nempowered to provide coherent oversight to Government strategy and \nactivity in cyber space.\n    Next, select entities in the Executive branch that deal with \ncybersecurity must be restructured and streamlined. Multiple \ndepartments and agencies have a wide range of responsibilities for \nsecuring cyber space. These responsibilities tend to overlap and at \ntimes conflict. The departments and agencies tend to compete for \nresources and authorities resulting in conflicting efforts that produce \ndiminishing marginal returns. Establishing a National cyber director \nwithin the Executive Office of the President would consolidate \naccountability for harmonizing the Executive branch's policies, \nbudgets, and responsibilities in cyber space while implementing \nstrategic guidance from the President and Congress.\n    In addition to this National cyber director, a properly-resourced \nand empowered CISA will be critical to achieving coherence in the \nplanning and deployment of Government cyber resources. Multiple \nadministrations and Congressional sessions have worked to establish \nCISA as a keystone of National cybersecurity efforts, but work still \nneeds to be done to realize our ambitious vision for this critical \norganization. 
That includes strengthening its director with a 5-year \nterm and elevated Executive status, adequately resourcing its programs \nto engage with the private sector while managing National risk, and \nsecuring sufficient facilities and required authorities for its vital \nand growing mission. These changes will remove key limitations in \nCISA's ability to forge a greater public-private partnership and its \nmission to secure critical infrastructure.\n    Finally, the U.S. Government must more effectively recruit, \ndevelop, and retain a cyber workforce capable of building a defensible \ndigital ecosystem and deploying all instruments of National power in \ncyber space. That will require designing innovative programs and \npartnerships to develop the workforce, supporting and expanding good \nprograms where they are already in place, and connecting with a diverse \npool of promising talent. In some cases, success in building a robust \nFederal workforce depends on stakeholders outside the Federal \nGovernment, like educators, non-profits, and businesses. Policy makers \nshould support these important partners by providing the tools they \nneed to be effective, like classroom-ready resources, incentives for \nresearch on workforce dynamics, and clear routes for collaborating with \nthe Government.\n                  deterrence by denial (pillars 3/4/5)\n    Denying adversaries' benefits of their cyber campaigns is a \ncritical aspect of ``Layered Cyber Deterrence.'' By ensuring the \nresilience of critical pillars of National power, reducing our National \nvulnerability, and disrupting threats through operationalizing \ncollaboration between the Government and private sector we can \neffectively force adversaries to make difficult decisions regarding \nresourcing, access, and capabilities. The U.S. 
Government support must \nbe better informed through a Joint Collaborative Environment that would \npool public-private sources of threat information to be coordinated \nthrough a Joint Cyber Planning Office and an Integrated Cyber Center at \nDHS. Paired with our recommendation to conduct a Biennial National \nCyber Tabletop Exercise, that involves senior leaders from the \nExecutive branch, Congress, State governments, and the private sector \nas well as international partners--the United States and her allies \nwill be in a forward-leaning position and ready to lead.\n    Today, under the direction of Presidential Policy Directive 21, \nsector-specific agencies are the lead Federal agencies tasked with day-\nto-day engagement with the private sector on security and resilience. \nHowever, there are significant imbalances and inconsistencies in both \nthe capacity and the willingness of these agencies to manage sector-\nspecific risks and participate in Government-wide efforts. In addition, \nthe lack of clarity and consistency concerning the responsibilities and \nrequirements for these agencies continues to cause confusion, \nredundancy, and gaps in resilience efforts. For this reason, the \ncommission recommends that Congress codify sector-specific agencies in \nlaw as ``sector risk management agencies'' to ensure consistency of \neffort across critical infrastructure sectors and ensure that these \nagencies are resourced to meet growing needs.\n    Denying adversaries' benefits starts with ensuring that our most \ncritical targets are able to withstand and quickly recover from cyber \nattacks. In other words, we must build resilience. Effective National \nresilience efforts fundamentally depend on the ability of the United \nStates to accurately understand, assess, and manage National cyber \nrisk. 
Current efforts to assess and manage risk at the National level \nare relatively new and are significantly hindered by resource \nlimitations, immaturity of process, and inconsistent capacity across \ndepartments and agencies that participate in National resilience \nefforts. Today, while the U.S. Government plans for continuity of \noperations and continuity of Government, no similar planning exists to \nensure continuity of the economy. This must change, and the planning \nprocess should analyze National critical functions, outlining \npriorities for response and recovery, and identifying areas for \nresilience investments. In doing so, the continuity of the economy plan \nshould identify areas for preservation of data and mechanisms for \nextending short-term credit to ensure recovery efforts. Additionally, \nCongress should also provide CISA with the necessary support to expand \nits current capability to issue Cyber State of Distress declarations in \nconjunction with Cyber Response and Recovery Funding. Furthermore, \nproviding CISA with Administrative Subpoena Authority will dramatically \nimprove the Federal Government's ability to actively notify critical \ninfrastructure owners and operators that are on the front lines and \nbeing attacked by our adversaries who are largely acting with impunity.\n    Denying adversaries' benefits also must lie in driving down our \nNational cyber vulnerability at scale. Today, vulnerability in our \ncyber ecosystem is derived not only from technology, but also human \nbehavior and processes. The commission sought means to improve the \nsecurity of both the technological and human aspects at scale. Moving \nthe technology markets to emphasize security requires creating greater \ntransparency about the security characteristics of technologies \nconsumers buy. 
This is why the commission recommends the creation of a \nNational Cybersecurity Certification and Labeling Authority and \nCritical Technology Security Centers to collectively develop and \nfacilitate authoritative, easy-to-understand security certifications \nand labels for technology products. By helping consumers make more \ninformed technology purchases, the market will become a difficult place \nfor vendors who do not prioritize security to do business.\n    Layered cyber deterrence includes shaping cyber actors' behavior \nthrough strengthened norms of responsible state behavior and non-\nmilitary instruments of power, such as law enforcement, sanctions, \ndiplomatic engagement and capacity building. A system of norms, based \non international engagement and enforced through these instruments of \npower, helps secure American interests in cyber space.\n    To strengthen cyber norms and build a like-minded international \ncoalition to enforce them, the commission recommends Congress create \nand adequately resource the Bureau of Cyberspace Security and Emerging \nTechnologies led by an assistant secretary of state. The Bureau would \nbring dedicated cyber leadership and coordination to the Department of \nState.\n    Leading internationally also means having strong and coordinated \nrepresentation in bodies that set global technical standards; \ntherefore, Congress should sufficiently resource the National Institute \nof Standards and Technology to bolster participation in these bodies. \nAmerican values, interests, and security are strengthened when \ninternational technical standards are developed and set with active \nU.S. participation. 
Engaging fully means we must also facilitate robust \nand integrated participation from across the Federal Government, \nacademia, civil society, and industry; the United States is at its best \nwhen we draw input from all our experts.\n    In parallel to robust participation in multilateral bodies, law \nenforcement activities also provide fruitful ground on which to work \nwith international partners and allies to hold adversaries accountable. \nWe recommend providing the Department of Justice Office of \nInternational Affairs with administrative subpoena authority, which \nstreamlines the Mutual Legal Assistance Treaties process, enabling U.S. \nlaw enforcement to help allies and partners prosecute cyber criminals. \nAdditionally, the commission recommends Congress create and fund 12 \nadditional Federal Bureau of Investigation cyber assistant legal \nattaches to facilitate intelligence sharing and help coordinate joint \nenforcement actions. Investing in these types of international law \nenforcement activities improves the credibility of enforcement and \nsignals America's commitment to bring malicious actors to justice.\n                deterrence by cost imposition (pillar 6)\n    A key layer of the commission's strategy outlines how to impose \ncosts to deter malicious adversary behavior and reduce on-going \nadversary activities short of armed conflict. As part of this effort, \nthe commission puts forth 2 key recommendations: To conduct a force \nstructure assessment of the Cyber Mission Force (CMF); and to conduct \ncybersecurity and vulnerability assessments of conventional weapons \nsystems and of the nuclear command, control, and communications \nenterprise.\n    Today, the United States has not created credible and sufficient \ncosts against malicious adversary behavior below the level of armed \nattack--even as the United States has prevented cyber attacks of \nsignificant consequences. 
Our Nation must shift from responding to \nmalicious behavior after it has already occurred to proactively \nobserving, pursuing, and countering adversary operations. This should \ninclude imposing costs to change adversary behavior using all \ninstruments of National power in accordance with international law.\n    To achieve these ends, the United States must ensure that it has \nsufficient cyber forces to accomplish strategic objectives in and \nthrough cyber space. The CMF is currently considered at full \noperational capability (FOC) with 133 teams comprising a total of \napproximately 6,200 individuals. However, these requirements were \ndefined in 2013, well before our Nation experienced or observed some of \nthe key events that have shaped our Government's understanding of the \ncyber threat. The FOC determination for the CMF was also well before \nthe development of the Department of Defense's (DoD) defend forward \nstrategy. Therefore, we recommend Congress direct the DoD to conduct a \nforce structure assessment of the CMF to ensure the United States has \nthe appropriate force structure and capabilities in light of growing \nmission requirements. This should include an assessment of the resource \nimplications for intelligence agencies in their combat support agency \nroles.\n    If deterrence fails, the United States must also be confident that \nits military capabilities will work as intended. However, deterrence \nacross all of the domains of warfare is undermined, and the ability of \nthe United States to prevail in crisis and conflict is threatened, if \nadversaries can hold key military systems and functions, including \nnuclear systems, at risk through cyber means. 
Therefore, the commission \nrecommends Congress direct the DoD to conduct a cybersecurity \nvulnerability assessment of all segments of nuclear command, control, \nand communications systems and continually assess weapon systems' cyber \nvulnerabilities.\n    Our hope is that, by implementing these recommendations, we can \nensure our Nation is willing and able to counter and reduce malicious \nadversary behavior below the level of armed conflict, impose costs to \ndeter significant cyber attacks, and, if necessary, fight and win in \ncrisis and conflict.\n                               conclusion\n    The recommendations put forward by the commission are an important \nfirst step to denying adversaries the ability to hold America hostage \nin cyber space and will be critical to our efforts to re-establish \ndeterrence in cyber space. We believe that deterrence is an enduring \nAmerican strategy, but it must be adapted to address how adversaries \nleverage new technology and connectivity to attack the United States. \nCyber operations have become a weapon of choice for adversaries seeking \nto hold the U.S. economy and National security at risk. Near peer \nadversaries such as China and Russia are attempting to reassert their \ninfluence regionally and globally, using cyber and influence operations \nto undermine American security interests. The concept of deterrence \nmust evolve to address this new strategic landscape. 
Reducing the scope \nand severity of these adversary cyber operations and campaigns requires \nadopting the commission's strategy of layered cyber deterrence--\nimproving our ability to defend our critical infrastructure and \ninvesting in an effective public-private collaboration.\n    To this end, we believe this committee must prioritize a selection \nof the commission's recommendations that include: Strengthening the \nGovernment with a National cyber director, an empowered CISA, a new \nJoint Cyber Planning Office, and improved intelligence support to the \nprivate sector; building resilience with Continuity of the Economy \nPlanning, and a codified ``Cyber State of Distress'' tied to a ``Cyber \nResponse and Recovery Fund''; and, an improved cyber ecosystem with a \nNational Cybersecurity Certification and Labeling Authority, and the \ndesignation of Critical Technology Security Centers.\n    The 2019 NDAA charted the U.S. Cyberspace Solarium Commission to \naddress 2 fundamental questions: What strategic approach will defend \nthe United States against cyber attacks of significant consequence? And \nwhat policies and legislation are required to implement that strategy? \nThe commission has delivered on its mission in the promulgation of \n``layered cyber deterrence'' strategy and the corresponding legislative \nproposals. We now need your help to enact these key legislative \nproposals as they will empower the Government and the private sector to \nact with speed and agility in securing our cyber future.\n\n    Mr. Langevin. Thank you, Senator King. Again, thank you for \nyour leadership on the Cyberspace Solarium Commission. As one \nof the co-chairs, you did an outstanding job, and I was proud \nto serve on that commission. Thank you for your testimony.\n    Now I recognize Congressman Gallagher to summarize the \ncommission statement for 5 minutes.\n    Mr. Gallagher, you are recognized.\n\n   STATEMENT OF HON. 
MICHAEL GALLAGHER, A REPRESENTATIVE IN \nCONGRESS FROM THE STATE OF WISCONSIN, AND CO-CHAIR, CYBERSPACE \n                      SOLARIUM COMMISSION\n\n    Mr. Gallagher. Thank you, Chairman Langevin, not only for \nchairing this hearing today, but for your immense contributions \nto the commission. Our final report would not have been \npossible, were it not for your leadership. In many areas we \nwere building upon work that you have been doing for the last \ndecade. So it was really great to get to work with you.\n    Thank you to Ranking Member Katko for your engagement from \nthe start of this effort, for meeting with us and our staff \nmultiple times, and for your leadership on these issues.\n    Thank you, Chairman Thompson, for giving us this forum \ntoday.\n    Let me just echo what my co-chair, Senator King--who is \nmarried to a Packers fan, I should note--said at the outset, \nwhich is, you know, we were--we come from different parties, we \nwere appointed by partisans on different sides, and certainly \nthe outside experts, Commissioner Spaulding and Ravich were, as \nwell. But it would have been impossible to determine the party \naffiliations if you were just to listen to one of the many \ndebates we had as we met as a commission.\n    I think what came out of this process was a truly \nnonpartisan report that attempts to put the interests of the \ncountry ahead of any parochial or political interests. So this \nreally has been an issue that every Presidential administration \nfor the past 25 years, Democrats and Republicans, has tried to \nfigure out: How do we defend U.S. interests and promote U.S. \nvalues in cyber space?\n    Despite these well-intentioned efforts, our networks are \nvulnerable, if not already compromised. Our country has lost \nhundreds of billions of dollars to nation-state-sponsored \nintellectual property theft via cyber means. 
A major cyber \nattack on our Nation's critical infrastructure and our economic \nsystem would create chaos and lasting damage.\n    So, in an effort to forestall such a future, the Cyberspace \nSolarium Commission examined a broad range of structures and \npolicies that could more effectively defend our Nation in cyber \nspace.\n    I should admit our public relations plan, when we released \nthe report publicly on March 11, 2020, did not factor in a \nglobal pandemic taking over the conversation. But that is all \nthe more reason why it is important to have hearings like this \ntoday. We hope that, not only will you digest our full report, \nbut also read our pandemic annex.\n    But I just would highlight a few of the commission's key \nrecommendations up front here.\n    One, reform the U.S. Government structure and organizations \nfor cybersecurity. This starts with establishing a National \ncyber director situated within the Executive office of the \nPresident, who is Senate-confirmed and supported by the Office \nof the National Cyber Director, as Senator King outlined.\n    It also continues with strengthening CISA, as \nRepresentative Katko outlined, so that CISA can better serve as \nthat central core element to support and integrate the Federal, \nState, and local, and private-sector cybersecurity efforts.\n    I think it is important to note that the overall approach \nwe are taking here is not to create a bunch of new \norganizations within the Federal Government, but rather an \nattempt to elevate and empower existing organizations like \nCISA, who have made important progress in recent years, but \nneed more support from Congress.\n    Second, I just would say we have a variety of \nrecommendations on promoting National resilience, specifically \nthat Congress should codify the roles of sector-specific \nagencies, focusing National risk management efforts, and also \ndeveloping and maintaining a continuity-of-the-economy planning \nprocess so that we 
think through the unthinkable now, so we are \nnot having to make things up on the fly in the wake of a cyber \n9/11.\n    Then third and finally, I just would highlight the need to \nreshape the cyber ecosystem toward greater security. We are \nrecommending, for example, that Congress establish and fund a \nNational cybersecurity certification and labeling process to \nestablish and manage a program on security certification and \nlabeling of ICT products, as well as establish a Bureau of \nCyber Statistics charged with collecting and providing data on \ncybersecurity.\n    These recommendations, and many more like them in the \nreport, are all designed to implement the commission's \nrecommended strategy of layered cyber deterrence, which is our \ntheory for how we evolve into a harder target, a better ally, \nand a worse enemy in how we better defend our Nation, our \neconomy, and our way of life in cyber space.\n    So thank you for giving us the opportunity to present our \nfindings here today. We look forward to the debate. Again, I \njust want to highlight not only the contributions of the \ncommissioners that you will hear from, but also our wonderful \nstaff who has dedicated a year of their life to this important \neffort.\n    I yield back.\n    Mr. Langevin. Thank you, Chairman Gallagher. Again, I \ncommend you for your leadership on the Solarium Commission. \nBoth you and Senator King made a great team in co-chairing the \nCyberspace Solarium Commission. We are greatly indebted to you \nfor your work and service.\n    With that, I thank you for your testimony, and I now \nrecognize Ms. Spaulding to summarize the commission's statement \nfor 5 minutes.\n    [Pause.]\n    Mr. Langevin. Commissioner Spaulding, you are muted. We \nneed to unmute you.\n    There you go, you are unmuted.\n\n   STATEMENT OF SUZANNE SPAULDING, COMMISSIONER, CYBERSPACE \n                      SOLARIUM COMMISSION\n\n    Ms. Spaulding. Thank you, Chairman Langevin. 
Thank you, \nChairman Thompson, Ranking Member Katko, and Members of the \ncommittee. Thank you for this opportunity to be here today to \ntestify. It is an honor to be here with my fellow witnesses.\n    Particularly, Chairman Langevin, an honor it was to work \nwith you again, having worked with you in 2007 on the \nCommission for Cybersecurity for the 44th President, which you \nco-chaired. I want to thank you for your long, outstanding \nleadership on cybersecurity issues.\n    The bipartisanship, nonpartisanship which you have heard \ntoday, really, that tone was set at the top by our 2 co-chairs, \nSenator King and Congressman Gallagher. So thank you for that.\n    Of course, a pleasure to work with Commissioner Ravich.\n    I want to touch briefly today on 3 key areas that I think \nshould and must be acted on very quickly, given the \nvulnerabilities particularly, as we have noted, with the \npandemic.\n    The first is strengthening DHS's Cybersecurity and \nInfrastructure Security Agency, or CISA, as the organization \nthat I once led at DHS is now called, thanks in no small \nmeasure to the work of this committee and Chairman Thompson, \nand I thank you for that.\n    With malicious cyber actors targeting hospitals, vaccine \ndevelopment, and governments at every level, and a stay-at-home \nwork force presenting a massive attack surface, CISA's work has \nnever been more important. 
This is why the commission urges \nCongress to provide CISA promptly with the resources and \nauthorities, including administrative subpoena authority, that \nit needs to be the National risk manager; to serve as the \ncentral civilian cybersecurity authority to support Federal, \nState, local, territorial, and Tribal governments, and the \nprivate sector; to conduct continuity of the economy planning, \na concept that Commissioner Ravich brought to the commission, \nso important; identify systemically important critical \ninfrastructure; and coordinate planning and readiness across \nGovernment and the private sector.\n    Second, with regard to improving the cyber ecosystem and \nreducing vulnerabilities, the commission turned first to \nimproving the efficiency of the market. We looked at why isn't \nthe market performing its function of driving better \ncybersecurity?\n    A key reason, we determined, was that markets need \ninformation to operate effectively. So we ask that Congress \nestablish that National cybersecurity certification and \nlabeling authority, the kind of Underwriters Laboratories effort \nthat Congressman Gallagher mentioned; publish guidelines for \nsecure cloud services; create that Bureau of Cyber Statistics; \npromote a more effective and robust cyber insurance market; and \npass a National data breach notification law.\n    Finally, I believe one of the most important pillars in the \nreport is resilience. We need to reduce the benefit side in the \nadversary's cost-benefit analysis. Often that means reducing \nour dependence upon those network systems, developing \nredundancies, maybe even analog systems. 
Paper ballots, for \nexample, are a way of building resilience into our election \ninfrastructure.\n    We have a number of urgent election-related \nrecommendations, including reforming regulation of on-line \npolitical advertisements, providing grant funding for States to \nimprove election systems, replace outdated equipment, ensure \nvoter verifiable paper-based systems, and conduct post-election \naudits. These are perhaps the most urgent of our \nrecommendations.\n    I would like to close with our recommendation to build \npublic resilience against information operations that target \nelections, but also democracy as a whole. Media literacy is \nimportant, but we also need to focus on deterring the key \nobjective of our adversaries, which is to weaken democracy by \npouring gasoline on the flames of division that already engulf \non-line discourse, pushing Americans to give up on \ninstitutions, not just elections, but the justice system, the \nrule of law, and democracy itself. They portray our \ninstitutions as not just flawed, but irrevocably broken. Where \nprotesters and judicial reform advocates seek changes to make \nour institutions and our Nation stronger, our adversaries seek \nonly to make us weaker. They want Americans to despair at the \nprospect of bringing about change, to despair at the prospect \nof being able to discern fact from fiction. They want to \ndestroy the informed and engaged citizenry upon which a healthy \ndemocracy depends.\n    To defeat our adversaries' objective, the commission calls \nfor reinvigorating civics education to help Americans \nrediscover our shared values, understand why democracy is so \nvaluable, that it is under attack, and that every American must \nstay engaged to hold our institutions accountable and continue \nto move us toward that more perfect union.\n    Thank you for this opportunity, and I look forward to your \nquestions.\n    Mr. Langevin. 
Thank you, Commissioner Spaulding, again, \nboth for your participation and valuable contributions to the \nSolarium Commission, but your dedication and work on cyber in \ngeneral. With that, thank you for your testimony.\n    Finally, I now recognize Ms. Samantha Ravich to summarize \nthe commission's statement for 5 minutes.\n    Dr. Ravich, you are now recognized.\n\n STATEMENT OF SAMANTHA RAVICH, PH.D., COMMISSIONER, CYBERSPACE \n                      SOLARIUM COMMISSION\n\n    Ms. Ravich. Thank you. Thank you. Chairman Langevin, \nChairman Thompson, Ranking Member Katko, distinguished Members \nof the committee, and my fellow witnesses, whom I have grown to \nknow and greatly admire over this past year. I thank you for \ninviting me to participate in this important hearing about one \nof the most pressing questions that our Government is currently \ntasked with answering: What steps can the Federal Government \nand the private sector do to defend our businesses, our \nmilitary, our citizens, our country against future cyber \nattacks?\n    Our recommendations in the Cyber Solarium Commission \nfocused on shaping the international cyber battle space, \nhardening our resilience, and maintaining our capability, \ncapacity, and credibility to impose costs on the adversary, all \nin the service of deterring the type of catastrophic attack \nthat our 2 esteemed commission chairmen laid out in plainspeak \nin the opening pages of the report.\n    But we would not have lived up to the great responsibility \ngiven to us if we had not thought about what our country would \ndo in the aftermath of a significant cyber attack. 
So I want to \nspend the next few minutes underscoring one of the commission's \nrecommendations: The need for the United States to develop and \nmaintain a continuity of the economy, or COTE plan, which was \nintroduced last month as a bill in the Senate Banking, Housing, \nand Urban Affairs Committee by Senator Peters.\n    During the Cold War the United States developed continuity \nof operations, COO, and continuity of Government, COG, plans to \nensure that the Government could reconstitute and perform a \nminimum set of essential public functions in the event of a \nnuclear----\n    [Audio malfunction.]\n    Ms. Ravich. While COO, COG--Government contingency planning \nfor the last 60 years, no equivalent effort exists to ensure \nthe rapid restart and recovery of the U.S. economy after a \nmajor disruption, despite the 2017 U.S. National Security \nStrategy identifying economic security as National security, \nand the recognition that the private sector, as much as the \nU.S. Government itself, is a critical component of the security \nof our populace.\n    So think about it for a moment, what it would mean for the \nU.S. 
military and the security forces of our allies if there \nwas a major attack on bulk power transmission, not only \nknocking out the lights in major metropolitan areas, but taking \ntransportation systems off-line; or if the major stock \nexchanges were compromised; if wholesale payments, medicine, \ntelecommunications, and trade or logistics were brought down.\n    Now think about the difficulties that would create for \nmobilizing and deploying forces if this all occurred during a \ntime of international crisis, not knowing which plane, train, \nor bus to hop on to get to the rally point; leaving loved ones \nat home, scared in the dark and not knowing if their medicine \nor baby formula will still be stocked at the local Walmart; \nmuch of the economic base of the United States potentially \nlosing complete access to their data for good.\n    Creating and exercising a continuity-of-the-economy plan \nwill serve as a visible deterrent to adversaries by \ndemonstrating that the United States has the wherewithal to \nrespond to a significant cyber attack. 
It will show that we \nwill not be cowed, and that, if the economy upon which our \nlivelihoods depend is brought down by an adversarial cyber \nattack, they, the adversary, will feel our wrath.\n    Our commission's recommendation on COTE revolves around, in \npart, determining any additional authorities or resources that \nwill be required to implement plans in the case of a disaster, \nand establishing a framework for rapidly restarting and \nrecovering core functions in a crisis, giving precedence to \nfunctions whose disruption would cause catastrophic economic \nloss, lead to a runaway loss of public confidence, imperil \nhuman life on a National scale, or undermine response, \nrecovery, or mobilization efforts in a crisis.\n    Continuity-of-the-economy planning might also further \nreview the feasibility of disconnecting critical services or \nspecific industrial control networks if National security \nconcerns overwhelm the need for internet connectivity \ncontinuity.\n    Continuity-of-the-economy planning should also further \nexplore options to store backup, protected data across borders \nwith allies or partners, particularly in areas where economic \ndisruption in either country could have cascading effects on \nthe global economy. This could include technology that \nconsiders what seed data would need to be preserved and \nprotected in a verified format, with a process to assure no \ncompromise or manipulation.\n    Finally, COTE must take into consideration the lack of \nreadiness by the general public. By its very nature, \ncontinuity-of-the-economy planning will not prioritize. 
It will \nonly prioritize the most essential functions of the country and \nthe locales, both to enable a rapid recovery from a devastating \ncyber attack, and to preserve the strength and will to quickly \npunish the attacker.\n    Many industries will not be included in this planning, and \nmost citizens will not be able to rely on Government assistance \nin the period following an attack. But as is also true of \nnatural disaster preparedness, the American people do not need \nto be helpless. DHS and other relevant agencies should expand \ncitizen preparedness efforts and public awareness mechanisms to \nbe prepared for such an event.\n    COTE, along with many other recommendations in the report, \nseeks to build upon the work of the Cybersecurity and \nInformation Security Agency, CISA, at DHS, what they have been \nworking on for the past couple of years, and seeks to ensure \nthat the United States is prepared to respond and recover to \nthe full range of disruptive cyber attacks below and up to the \nthreshold of COTE.\n    While it is true that there is no magic solution that will \nprotect the United States from cyber attacks in perpetuity, \nthere are steps that the Federal Government can undertake that \nwill significantly improve the Government's ability to protect \nand defend itself from hostile cyber operations.\n    So as we sit here in our virtual COVID world, trying to \nthink the unthinkable and plan for the unplannable, we must ask \nourselves the hardest question of all: What would a cyber day \nafter look like if we didn't undertake continuity-of-the-\neconomy planning?\n    So I thank you for this opportunity to testify--questions \nand discussions. Thank you.\n    Mr. Langevin. Very good. Thank you, Commissioner Ravich, \nfor your testimony and, again, for your leadership on \ncybersecurity. 
You made a valuable contribution, likewise, to \nthe Solarium Commission process and its recommendations.\n    With that, again, I thank all the witnesses for their \ntestimony.\n    I remind subcommittee Members that we each have 5 minutes \nto question the panel, and I now recognize myself for 5 minutes \nto begin.\n    I will start with you, Senator King. Yesterday we saw a \nmultinational coalition announce that Russian agents were \ntargeting vaccine research through cyber space. In this \npandemic, health care networks are incredibly important to our \nsecurity. And while it is not clear whether the Russians were \nseeking to destroy data, the attempts are clearly troubling.\n    So how would a National cyber director play a role in \npreventing incidents like this?\n    Why did the commission find this construct most efficient?\n    Senator King. Well, I think the key is to have someone in \noverall charge.\n    As I mentioned before, we have got responsibility for cyber \nscattered throughout the Federal Government, a variety of \ndifferent agencies, a variety of different authorities, funding \nlevels. But there is no central coordinating function. There is \nno person with the authority of the White House to settle turf \nwars, to oversee budgets, and to basically forge cooperation \nthrough the various agencies that are involved.\n    It was--I think it was one of the most obvious suggestions \nof the commission that we talked about. Now, we had quite a bit \nof discussion about where it should go, and how it should be \nstructured. The--but the conclusion--one thought was elevate \nCISA, or create a new--essentially, a new Cabinet office. We \nrejected that because, No. 1, it would take a long time. No. 2, \nit would be duplicative of other functions that are already \nthere. It wouldn't have the power and authority of the White \nHouse.\n    So the model we ended up approaching it as is the U.S. 
\ntrade representative, who has responsibility for trade that \ncuts across a lot of Federal agencies, is Presidentially-\nappointed, Senate-confirmed, and has that authority within the \nExecutive Office of the President.\n    But the fundamental idea--and I used--I was in business \nbefore I got into politics. When I was doing contracting, I \nwanted one throat to choke. That is what we are really talking \nabout here, one person that is responsible, can be held \naccountable. I feel this is, actually, a favor to the \nPresident, to have somebody in that office that he or she can \nhold responsible for, and will be accountable for all the \nvarious complex operations of the Federal Government with \nregard to cyber.\n    Mr. Langevin. Thank you, Senator King. I completely agree \nwith, I concur with you.\n    Congressman Gallagher, on Wednesday we both testified \nbefore Chairwoman Maloney and the Oversight and Government \nReform Committee. You said something very interesting about \nensuring we appropriately balance offensive and defensive \ncyber.\n    Why is strengthening CISA so fundamental to the \ncommission's report?\n    Mr. Gallagher. Thank you. Well, I think, first, let me just \nconnect it to what Senator King just said. I mean, not only is \nit important to have a National cyber director to do \npreplanning, coordinate all the efforts of the Federal \nGovernment, but, as I alluded to in my opening testimony, we \nhave organizations right now that are doing good work. We \nreally felt the best path forward was to elevate, empower them, \nand give them the tools they need to get the job done.\n    Strengthening CISA in that regard is perhaps one of the \nmost important recommendations in our final report. 
As Senator \nKing and I point out in the Chairman's letter opening the \nreport, it is not just a matter of better enabling CISA to be \nable to do that defensive mission, it is not just a matter of \ngiving CISA, for example, the authority to do persistent threat \nhunting on .gov networks in the way that CYBERCOM and NSA can \ndo that on .mil networks. It is also a matter of making the \nmission of CISA so appealing that CISA can compete for talent \nwith the likes of Google, Apple, Facebook, and win.\n    We know we can't compete when it comes to what we can pay \nsome of the most talented cyber warriors out there, but we can \ncompete on mission. Indeed, that is one of the things that \nGeneral Nakasone told us about the NSA. While he worries about \nretention, he can always compete on mission.\n    So, by giving CISA that elevated position, that really \nappealing mission, we believe that we can sort-of solve the \nhuman element that is endemic to every cyber issue. Because, at \nthe end of the day, while discussions about cyber can get very \ntechnical, they can devolve into jargon about, you know, this \ntech--that--these are fundamentally human problems.\n    I mean, my understanding, at least, of the Twitter hack \nthis week was that it was--they fooled a human being into \nproviding administrative credentials that resulted in the \nattack. So our greatest failures have been human failures. Our \ngreatest successes will also be human successes.\n    So, empowering CISA, giving the director a higher level of \nauthority and a longer term is one step toward that sort of \nhuman solution to human problems in cyber.\n    Mr. Langevin. Thank you for that answer, and very \ninsightful and helpful for everyone to understand. I deeply \nappreciate the work that Director Chris Krebs at CISA, the team \nthere, but they also actually added resources to be able to \ngrow their entire cyber work force, inherent capability there. 
\nI look forward to supporting that effort.\n    So my time has expired. I now recognize the Ranking Member \nof the subcommittee, Mr. Katko, for 5 minutes.\n    Mr. Katko. Thank you very much, Mr. Chairman, and thank you \nall for, really, a great conversation. It is wonderful to hear \npeople not sniping from side-to-side, which is all being on the \nsame page about what we need to do in a bipartisan manner. It \nis truly inspiring.\n    I do want to talk a little bit more about the leadership \nissue, because I think it is critically important. It is a \ncentral focus upon which all this sort of stuff can happen. For \n20 years I was a Federal organized crime prosecutor, and part \nof that was doing the organized crime drug task force cases. We \nhad our quarterback, and that was the Office of National Drug \nControl Policy. He was over it, and be able to look over all \nthe different disparate agencies that had a hand in drug \nenforcement, and kind-of be that person that the President \nneeds to advise him on all drug-related matters.\n    So I know I--Senator King, I heard you talk a little bit \nabout the leadership position, why it is important. But, you \nknow, I want to drill down a little bit farther, just so people \nunderstand why we need it, similar to the ONDCP position.\n    So, Ms. Spaulding, perhaps you could talk about why a \nNational cyber director is important. What are the different \nagencies that are involved in the cybersecurity? Because I know \nI have Homeland Security, Department of Defense. There is a lot \nmore. So I would like to kind-of get an understanding of why we \nneed this coordinated position.\n    Ms. Spaulding. Ranking Member Katko, thank you. You are \nabsolutely right. There is really no major agency in the \nFederal Government that isn't in some way involved in \ncybersecurity. 
Certainly every agency is involved in ensuring \nthat it is able to perform its mission-essential functions on \nbehalf of the American public in the wake of cyber threats and \ncyber risks.\n    So the National cyber director is absolutely essential. We \ncannot help but have this cyber activity distributed across the \nGovernment. The, you know, Department of Energy is the--they \nare the experts in the electric sector.\n    [Audio malfunction.]\n    Ms. Spaulding [continuing]. In the financial services \nsector. Having those agencies bring that sector expertise \ntogether with cyber expertise is really important.\n    So if you are going to have it distributed at NSA and FBI \nand DHS and DOE, et cetera, then you need that central \ncoordination function. That is why that National cyber director \nis so important.\n    Again, having been the under secretary, that is the--was \nthe equivalent of the director of CISA, I think that White \nHouse support is critically important. It really should not in \nany way undermine CISA's coordination role across civilian \ngovernment and with the private sector, but stand behind and \ngive the imprimatur of the White House as CISA endeavors to \nundertake those activities.\n    Mr. Katko. OK, thank you very much. I--in the interest of \ntime I will forgo asking Senator King, because, really, I \nunderstand fully what the issue is.\n    But I will note that, from the leadership position, and \nhaving that consistent leadership at the top of CISA, and de-\npoliticizing the assistant director positions are very \nimportant adjuncts to that, and attracting and maintaining the \ntalent.\n    But I do want to talk for a second, because we have 4 \nnuclear power plants in my district. We have major grid \nissues in upstate New York. So, Ms. 
Ravich, I want to ask you \nreal quick about my concerns in that area.\n    Some of the most vulnerable areas of our Nation's \ninfrastructure and our local municipal utility services often \nhave limited budgets to support their cyber capabilities. Was \nthere a discussion at all during the commission's work as to \nhow to potentially assist State and municipal power and water \nutilities with their cyber-related mitigation and controls and \ncoordination?\n    Ms. Ravich. Yes, thank you. Thank you very much. We \nactually did look particularly at water utilities. There are \n70,000 water utilities across the United States. There are \n3,000 water utilities alone in the State of California. That is \nequal to all electric utilities across the country. Many of \nthem are very small. Many of them, to cut costs and deal with \npersonnel issues for the last number of years, have put on--\nincorporated some technology that, frankly, isn't safe. Some of \nthe technology has been made in adversarial countries, and now \nit is in our water systems. So, while you may be able to live \nin the dark for a day or 2 without energy, try living without \nwater.\n    So we recognize this, and we had long conversations about \nwhat could be done to help State, local, Tribal, territorial, \nespecially, and create--ask for, as a recommendation, the \ncreation of a cybersecurity assistance fund, knowing that, \nagain, State and local, you know, needs best practices, needs \nassistance. They are not going to be the repository of all \ncybersecurity best practices. To make us all safe, we \nabsolutely have to, from the Federal Government on down, help \nthe smallest among us.\n    Mr. Katko. Thank you very much. It is an important issue. I \nhave got plenty more questions, but I know I am out of time. So \nI yield back, Mr. Chairman.\n    Mr. Langevin. Very good, Mr. Katko. 
Thank you for your line \nof questions.\n    I just wanted to yield to--if the Chairman is on still, I \nwill yield to Chairman Thompson. If not, we will go to \nCongresswoman Sheila Jackson Lee.\n    OK, I believe Mr. Thompson has stepped away, so \nCongresswoman Sheila Jackson Lee is recognized for 5 minutes.\n    Ms. Jackson Lee. Thank you very much, Mr. Chairman. I \nappreciate this very important hearing, and I am delighted to \nbe here with the--some very important witnesses that include \nCommissioner Ravich, as well as Commissioner Spaulding and my \ncolleagues, Representative Gallagher and Senator King. I thank \nthem both for their service on this committee.\n    Particularly, I will join with my voice, Congressman \nGallagher, to congratulate you on the birth of a beautiful baby \nand, I might imagine, where opportunities are not limited. So I \nam delighted, and wish your family the best.\n    This is a very important hearing that deals with addressing \nthe question of the recommendations by the Cyberspace Solarium \nCommission related to how the Federal Government can be more \nsecure. I am wearing a mask because I am in the epicenter here \nin Houston, Texas. I just came to my office to be a part of \nthis very important hearing. But we are fighting against very \nlarge numbers of COVID-19. In fact, of course, we are about \n75,000 cases here in Houston, my home town, and 717 deaths.\n    Interestingly, cyber is part of how we will survive, \nbecause many people have turned toward cyber and connecting \nthrough the system.\n    I wholeheartedly agree with the need for a cyber National \ndirector, and I support that. I am also introducing an \namendment to protect--to NDAA to protect the security of \nemails. I want to thank Congressman Langevin for his leadership \nand support of the amendment, cosponsoring it, as well as \nCongressman Gallagher.\n    I want to raise 2 questions as quickly as I can. 
Yesterday \nwe were alerted to a coordinated hack of major U.S. Twitter \naccounts, including those of President Obama, Elon Musk, Bill \nGates, Mike Bloomberg, and former U.S. President Joe Biden, and \nmany others. At that time, where misinformation--at this time, \nwhere misinformation poses one of the greatest threats to \nNational security, we need cybersecurity policy that will \nuphold the truth.\n    The commission made a number of recommendations designed to \nimprove collaboration between CISA and the private sector. So I \nwould appreciate it if--I first go to Commissioner Ravich--to \nelaborate on any recommendations that you believe would have \nthe potential to prevent a similar breach--that we have asked \nfor our private sector to ramp up their system. I think the \nGovernment needs to not deny the First Amendment rights, but \nhas to have a forceful place in this. I would welcome the \ncomments of our two co-chairs, Congressmen Gallagher and King, \nbut I will start with Commissioner Ravich on that question.\n    Let me ask my second question, just so it is on the record \nfor answering, and that is we are very much dependent, \npotentially, on the ending of COVID-19, on vaccines. We have \njust determined over the last couple of days that Russia has \nbeen interfering with the cyber, or the research on vaccines by \na number of our companies, which really mean life or death for \nmany Americans.\n    So, Commissioner Ravich, would you answer the first \nquestion about the violations of Twitter accounts? Thank you.\n    Ms. Ravich. Yes. Thank you. Thank you very much. You know, \nwe absolutely looked at--and this was, again, before COVID \nstarted and we were all working from home and relying on these \ndevices on these networks to be able to interact with our \nGovernment, to be able to register to vote, to be able to go to \nthe DMV virtually, our Social Security payments. 
Now we are \nrealizing that many of these networks could be untrustworthy.\n    So a few things that we certainly highlighted in our \noriginal report, and then in our pandemic annex, things like \nthe internet of things security, that individuals, our \npopulace, should not have to be cybersecurity experts. It is \nabsurd in this day and age to say that, when my mom or my \nneighbor goes to the store and buys a router, that they have to \nbe cybersecurity experts to know which one is going to protect \nthem better.\n    The same way, when you see the locked icon on your email, \nthe idea that I should automatically know that this is a \ntrusted certificate. No, there have to be better safeguards in \nplace from the Government itself.\n    So the commission really took kind-of 2 tacks at this. One \nis what are--what is the responsibility inside the Government? \nHow can we push ahead with better cybersecurity recognition of \nwhat is secure for individuals that they know what to buy and \nwhat not?\n    But also, what are the responsibilities from the private \nsector, right? The Government can only do its job if it \nunderstands attribution better. What is being attacked? What \ntype of industrial control systems are most in the crosshairs \nof a Russia or Iran or a China or North Korea? Right? So the \nU.S. Government needs better information and data to be able to \ndo intel sharing back to the private sector.\n    So these are some of the things that the commission really \nfocused on. But it has to be a different type of relationship \nbetween the U.S. Government and the private sector than really \nexisted before, if we are all going to be safer.\n    Ms. Jackson Lee. Thank you. If Senator Gallagher and \nRepresentative--Senator King and Representative Gallagher could \ntake a moment to comment on Russia's----\n    Mr. Langevin. Congresswoman, you are not coming through.\n    Ms. Jackson Lee [continuing]. Research.\n    Mr. Langevin. 
Congresswoman Jackson Lee, you are coming \nthrough garbled.\n    Ms. Jackson Lee. Senator? Senator King.\n    Mr. Langevin. Senator King is muted.\n    Senator King. Could you restate the question, \nCongresswoman? I couldn't hear it.\n    Ms. Jackson Lee. I would be happy to.\n    Senator King. Yes.\n    Ms. Jackson Lee. I thank the Chairman for indulging.\n    I just want you to focus on the interference that has been \nreported by recent reports about Russia's interference in our \nvaccine research--COVID-19 is a pandemic in our Nation surging \nin many States--as it relates to the work that we are doing \nhere to shore up our cyber systems.\n    Maybe Representative Gallagher would comment, as well. But \nthe Russians' interference with vaccine research, how important \nthe report of the Solarium Commission's report is in the work \ngoing forward.\n    Can you hear me? Did you hear me?\n    Senator King. Yes, I can. I did. Thank you very much.\n    First I want to send my warmest thoughts to the people of \nHouston. I know what you are going through. I have seen it, and \nI am following it, and it is a very tough time. I know it means \na lot to them that you are there with them on this--in this \nterrible time.\n    What the Russians appear to be doing, I think there are a \ncouple of lessons to be learned from this.\n    No. 1, there are no boundaries for what our adversaries \nwill do.\n    No. 2, the Russians are doing something that the Chinese, \nin fact, have been doing for many years, which is, essentially, \ntheft of intellectual property. The estimates are that Chinese \ntheft of intellectual property has cost our economy billions of \ndollars. So clearly, this is one of the most important areas \nthat we need to shore up our defenses.\n    We attended to this in a number of different ways in the \nreport. 
But the fundamental--I think one of the fundamental \nissues is, as I mentioned in my opening statement, they have to \nunderstand that there is a price to be paid for this. If the \nRussians or the Chinese or the Iranians or whoever it is comes \nafter us and does something like this, and we can attribute it \nto a particular country, there needs to be--there need to be \nconsequences. There need to be results. Otherwise, they will \nkeep doing it. Why wouldn't they?\n    So that is the kind of strategic area that we are talking \nabout. But then also, we need to be more defense-oriented. It \nis very interesting that--I can't remember--85 percent of cyber \nrisk rests upon individuals doing things like clicking on \nphishing emails. In other words, the most basic kind of cyber \nhygiene would be tremendously important in protecting our \ncompanies and our country from these kinds of attacks.\n    I don't know how they got into those vaccine companies, but \nit wouldn't be surprising at all if it was some kind of \nphishing expedition that got the credentials, that got the \npassword.\n    So the Government has a lot of things that we can do, and \nthey are all in our report, or many of them are in our report. \nBut we also need to support and encourage the citizens to \nunderstand the magnitude of this risk, because it may not be \nthat they hit the Pentagon, but they are going to try to hit \nsmaller companies and get into the system in that way.\n    So you raise a very important question that I think we \nreally have focused upon, and must continue to do so.\n    Mr. Langevin. Thank you, Ms. Jackson Lee.\n    Ms. Jackson Lee. Thank you. Thank you so very much. Thank \nyou.\n    Mr. Langevin. Mr. Joyce is now recognized for 5 minutes.\n    Ms. Jackson Lee. Thank you very much.\n    Mr. Joyce. Thank you. Thank you, Senator King, \nRepresentative Gallagher, Dr. 
Ravich, and Commissioner \nSpaulding.\n    I will join in congratulating you, Mike, on the birth of \nyour wonderful daughter. This is an important time in life, and \nyet you are stopping that new family moment and joining with \nus.\n    Each of us, each of us is aware of the hostile cyber--and \nyou mentioned that, Dr. Ravich.\n    I think that the discussion, Senator King, that you just \ntalked about is important, as well. But Mike Gallagher said \nsomething that is important to this conversation. Our greatest \nfailure will be in human failure. Senator King, you mentioned \nthat, how easy it is for someone to open an email and allow \nthat integration into someone's personal cyber world to be \nshared and, ultimately, potentially destroyed.\n    For 5 years the DMARC protocol has been established. It is \ndeployed very, very sporadically, but it has increased. What I \nam going to ask both you, Commissioner Ravich, and Commissioner \nSpaulding to address is what barriers exist to that old \ndeployment of DMARC, so that potential integration can occur, \nand potential protection occur, as well.\n    Ms. Ravich. OK, I don't know if I should go first.\n    Well, first of all, I think it is a great point, because \nwe, obviously, would all be more secure if the uptake on \nprotocols like that were more expansive. It goes back to some \nof the other things that we were looking at on the commission \ndirectly, which will get to your point.\n    We had looked at things such as final goods assembly \nliability, right? I mean, you know, kind-of as I was saying \nbefore, why should my mom be a cybersecurity expert, right? Why \nshould my doctor be a cybersecurity expert? They should be able \nto go--and the devices that they are buying, they should know \nthat they are secure.\n    The same thing when I--if you sent me an email, I should \nknow it is from you. 
Right now, frankly, in not all places are \nthings like trusted certificates actually to be trusted.\n    So we didn't want to be too prescriptive in terms of how \nthe private sector needs to start to layer on much greater \nsecurity in IoT, for instance, and devices, hardware, and \nsoftware. So we recommended a number of different ways to kind-\nof skin that cat.\n    But it is true, we are living in a time where, if we don't \nmake these types of devices, hardware, software more secure, we \nwill all be more at risk.\n    Ms. Spaulding. Congressman, I couldn't agree more, and \nthank you for your leadership on this important issue.\n    You are absolutely right that email is one of the most \ntroubling vectors, and most frequent and common vectors for \nmalicious cyber activity to get into networks and systems. \nDMARC, domain-based message authentication reporting and \nconformance, is one of the protocols that has proven to be most \neffective, really, at stopping this kind of activity, so \ncritically important.\n    You ask why isn't it then just uniformly adopted across the \nboard? You are correct that it is gaining ground, and its \nadoption is moving forward. But I think it is leaders, CEOs, \nboards of advisers, secretaries of departments and agencies, \nleaders across the board need to support their chief \ninformation security officers when they make these kinds of \nrecommendations. It is those leaders that decide about resource \nallocation, and that becomes very important.\n    To do that, it is helpful to be able to show a return on \ninvestment. That, again, requires information. 
It is one of the \nreasons that the commission has a recommendation that would \nrequire key companies to report more information about \nmalicious cyber activity, so that we can begin to build the \nkind of repository of data that allows us to be able to tell \nthose decision makers who are allocating resources the costs of \nnot implementing something as basic as DMARC.\n    Mr. Joyce. I think that cost issue is important. I just \nhave seconds left, but I am perplexed that only 80 percent of \nFederal agencies are reported to be implementing DMARC. Are \nthere specific obstacles that we in Congress should address to \nsee that all Federal agencies----\n    Ms. Spaulding. So I think the number--I suspect that that \n80 percent covers most, if not all, of the major departments \nand agencies of the Government. There are lots of very tiny--\nthe Millennium Challenge Corporation, the Denali Commission, et \ncetera--that really just need a lot of hand-holding to make \nthese technical changes.\n    But I applaud you. Keep, you know, keeping their feet to \nthe fire, and keep pushing this. It is really important. But \nthank you.\n    Mr. Joyce. Thank you, Commissioner. Thank you, and I yield \nmy time.\n    Mr. Langevin. I thank the gentleman.\n    Before I turn to Miss Rice, I need to step away from the \nChair for a few minutes. There is a press conference and a \nmeeting with our Governor that I need to--a virtual one that I \nneed to jump on to. It is COVID-related, and related to our \nsmall business community. So I will be stepping away as briefly \nas possible, and Ms. Underwood will be taking the gavel to \nchair the hearing, going forward. 
I hope to make it back before \nthe conclusion.\n    In the event--in the unlikely event that I am not able to \nget back before this is concluded, I do want to thank our \npanelists today for their testimony, their leadership on the \nSolarium Commission, and their leadership on cyber, which I am \ngrateful for.\n    With that, Miss Rice is recognized now for 5 minutes.\n    Miss Rice. Thank you so much, and I want to thank all of \nthe--my 2 colleagues and our private-sector witnesses here \ntoday, members of this commission.\n    As I--if we do not implement every single recommendation in \nthis report, shame on us, as a Government. I mean, it is just \nsuch common-sense stuff. With everything that is going on right \nnow in the world, we see in this report why it is so important \nto implement every single recommendation.\n    Congressman Gallagher, I just want to go to you first, \nbecause it seems to me that this is a constant, constant issue \nthat comes up between public and private partnership. Why is \nit, you know, that it is hard for us to get that right?\n    I mean, do you think it is possible to continue incentive-\nbased public-private cybersecurity partnerships as part of an \neffective cyber defense program, or do you think it is going to \ncome to Congress having to more strongly consider imposing \nmandates?\n    Mr. Gallagher. 
Well, I think the other commissioners would \nagree that the approach we have largely taken in this report \nwas to try and incentivize the private sector to work more \nclosely with the Federal Government or, as we say in the \nChairman's letter, try and incentivize the C-suite types in the \nprivate sector to take cybersecurity seriously.\n    There are areas, however, where we are, you know, imposing \nfurther requirements that some in the private sector will no \ndoubt view as onerous, such as the need for large, publicly-\ntraded companies to do mandatory penetration testing.\n    But I do think--and connected to the earlier series of \nquestions on the Russian hack and things like that--I think, \nculturally, what we are trying to do here is shift the culture \nin the intelligence community and at CISA--and this is my \nverbiage, not contained in the final report--from a culture of \nneed-to-know to more toward need-to-share.\n    So it is not just that we need the private sector to step \nup and do more for their own security, but we also want our \ncybersecurity professionals in the Federal Government to be in \na posture where they are constantly sharing information with \nthe private sector, so that they are seen as a valued partner \nwith the private sector, and the private sector doesn't view \nthem suspiciously.\n    So, toward that end, we recommend creating a joint \ncollaborative environment, a common and interoperable \nenvironment for sharing and fusing threat information inside, \nand other relevant data across the Federal Government, and then \nbetween the public and private sectors. 
Our recommendation to
strengthen a public-private, integrated cyber center within
CISA is intended to allow for that closer collaboration between
the public and private sector.
    Then finally, we have a recommendation about establishing a
joint cyber planning office under CISA to coordinate
cybersecurity, planning, and readiness across the Federal
Government and between the public and private sector.
    So I guess, in sum, I still maintain hope that we can
pursue an incentive-based approach. But you are right to
suggest that I think everything hinges on that--the level of
trust between the private sector and the public sector. Because
the reality is, as Senator King and I say in the opening
letter, you know, we are not the Chinese Communist Party. We
can't just dictate outcomes for the private sector, nor should
we want to, right? We want to maintain the free and open and
innovative environment we have in America.
    So it is a delicate balance, but it is one we hope we have
struck well in the commission's final report.
    Miss Rice. Yes. So it sounds like a little bit of
territorialism, too, which is one of the things that we learned
about in a post-9/11 world. To see that possibly still kind-of
rearing its head is not a good thing.
    You know, I just want to be very mindful of my time, and
all of our witnesses' time. I have to give a shout out to Chris
Krebs, because I think he is doing such a great job at CISA,
especially in the area of election security, really reaching
out to individual States to help them secure their election
infrastructure.
    But I would like to ask both Ms. Ravich and Spaulding, in
light of the threats and challenges associated with the
upcoming 2020 election, do you think the Federal Government is
doing enough to defend elections from foreign interference?
    Ms. Spaulding. So I am happy to start on that. I think not
yet, no.
    I agree with you. I think Chris Krebs and the men and women
at CISA are doing a terrific job, and working very hard with
State and local election officials, who I think are also taking
this very seriously. But our--in the commission report we have
a number of recommendations that we really hope Congress will
act on, and will act very quickly.
    One of those, obviously, is the reforming of on-line
political advertising to prevent foreign interference in that
regard.
    But the other is providing the wherewithal, the support to
our State and local officials so that--in the form of grants,
so that they can do the things that need to be done to put
secure systems in place, but also to put paper-based audit
capabilities in place so that we can reassure the public about
the legitimacy of the process when it is challenged.
    Ms. Ravich. Yes, so let me jump in. That is very
thoughtful, as always, what Suzanne had said.
    You know, our commission report, as the 2 co-chairmen said,
is--has 3 parts of layered defense. When you look at elections,
each part of that layered defense has to be deployed, right?
    So shaping international behavior, it is not only us that
is being attacked in our election, it is all free and
democratic nations. So the----
    [Audio malfunction.]
    Ms. Ravich [continuing]. With partner nations, our friends
and allies, those who believe in democracy and free enterprise,
so that together we can share lessons learned and bolster our
systems.
    The second, resilience. Suzanne spoke about it, as always,
you know, brilliantly. The Election Assistance Commission needs
a stable budget, needs senior cyber expertise because this is
not one and done. It is not like we are going to protect our
systems, and then that is it, we don't ever have to protect
them again. It is going to be consistent and constant.
    The third part of layered defense is imposed costs, right?
So the adversaries that try to undermine what makes us a great
Nation, you know, have to actually really understand there will
be costs imposed upon them for this.
    So the 3 parts of layered defense you can see when you look
at the question of elections, how they all must relate to one
another to make us more secure.
    Miss Rice. Thank you so much. If we can't protect our
elections, I mean, that will doom our democracy, I think,
quicker than anything else.
    So I want to thank you all so much for being here today,
and I yield back.
    Ms. Underwood [presiding]. Thank you. I now recognize
myself for 5 minutes.
    I would like to start by thanking Chairman Thompson for
calling today's hearing, and Chairman Langevin for his
dedicated work to strengthen America's cybersecurity, both as a
commissioner and as a valuable Member of this committee.
Cybersecurity advocates like Mr. Langevin have been sounding
the alarm for years about America's vulnerability to cyber
attacks.
    As a representative from Illinois, a State that experienced
a major cyber attack in our election system in 2016, I am well
aware that such attacks pose a threat at all levels of
government, and so a whole-of-Government response is required.
    In the last few months the COVID-19 pandemic has exposed
this vulnerability like never before. As Americans have
struggled to telework securely, overworked hospitals have
suffered ransomware attacks. Cyber attacks have targeted
vaccine developers, and more.
    I am pleased that the commission built on the
recommendations in the March report by publishing a white paper
in May on cybersecurity lessons from the pandemic. In this
white paper, the commission found that maligned foreign
disinformation operations are undermining public health: ``The
resulting confusion is threatening to become a literal matter
of life and death.''
    Ms. Spaulding, can you elaborate on how disinformation
impacts our cybersecurity, public health, or other areas of
National security, even to the point of life and death?
    Ms. Spaulding. Absolutely, Congresswoman, thank you for
that really important question that--we have seen our
adversaries take advantage of this situation, and putting out
disinformation around COVID that confuses the public. It may
not be that they are able to convince the public necessarily of
the narrative that they are pushing, but they create confusion,
which is deadly enough. If the public gives up, as I say, on
their ability to figure out what is fact when--at a time when
giving the American public facts about what they should be
doing to protect themselves, their families, their communities,
and our Nation, that is extremely destructive.
    When we see the COVID coming together with our elections as
election officials are making decisions about how to adjust,
whether to adjust elections in light of the pandemic, and then
those are winding up in courts--and we have seen disinformation
around all 3 of those: COVID, elections, and the courts--and
that is a really dangerous combination that threatens the
peaceful transition of power.
    Ms. Underwood. Thank you. I agree with the commission's
assessment of the severe and even deadly security threat posed
by disinformation, which is why, in the last month, I
introduced the Protecting Against Public Safety Disinformation
Act. This bill would direct the Department of Homeland Security
to assess maligned foreign disinformation operations that
threaten public safety and share their findings with State and
local authorities like public health departments, emergency
managers, and first responders.
    The commission's recommendations repeatedly highlight the
role of State and local officials in hardening our
cybersecurity posture. Ms. Spaulding, why is it so important
for State and local officials to be involved in our National
response to disinformation and other cybersecurity threats?
    Ms. Spaulding. So we have gotten used to the idea that
State and local officials are on the front lines of responding
to disasters in the real world. We have to understand, as you
say, that they are also often on the front lines of responding
to disinformation that causes confusion in their communities.
    We know that local sources of information are often more
trusted than National sources. We also know that they are being
targeted, both with ransomware, with traditional cyber
activity, but that traditional cyber activity can also be
designed to undermine public confidence, so part of an
information operation. They need to be supported in combating
that.
    Ms. Underwood. Thank you. As you may know, the personal
information of 76,000 Illinois voters was accessed by Russian
operatives in 2016. Since then, our State and local election
officials have been working hard to improve election systems
and infrastructure. But due to limited resources, some have
faced challenges in upgrading legacy machines and hiring
additional cybersecurity personnel. Now, when State budgets
across the country have been devastated by this pandemic,
Federal support is more urgently needed than ever.
    So over 2 months ago, the House passed a bill, the Heroes
Act, which would provide $3.6 billion for election security
grants in the State. Unfortunately, the Senate has yet to act
on this bill. We know that election security grants like those
in the Heroes Act would equip these State and local officials
with the resources that they desperately need in order to
secure our elections and our National security ahead of the
election in November.
    With that, I yield back. I have to step away, and so Miss
Rice will now Chair the hearing. Thank you.
    Miss Rice [presiding]. Thank you so much. I--it looks like
we have come to the end of the questioning, so I would love to
thank the--all our witnesses for your valuable testimony today,
and the Members for their questions.
    This is a report that every single Member of Congress needs
to digest, and immediately get on board doing something about,
and implementing as many of these recommendations as we can.
    The Members of the subcommittee may have additional
questions for the witnesses, and we ask that you respond
expeditiously in writing to those questions.
    Without objection, the committee record shall be kept open
for 10 days.
    Hearing no further business, other than to congratulate
Mike Gallagher once again on lovely baby Grace, the
subcommittee stands adjourned. Thank you all.
    [Whereupon, at 2 p.m., the subcommittee was adjourned.]

                                 [all]
</pre></body></html>