[Joint House and Senate Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
SECURING U.S. SURFACE TRANSPORTATION FROM CYBER ATTACKS
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON TRANSPORTATION AND MARITIME SECURITY
and the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND INNOVATION
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
FEBRUARY 26, 2019
__________
Serial No. 116-2
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
35-378 PDF WASHINGTON : 2019
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas Mike Rogers, Alabama
James R. Langevin, Rhode Island Peter T. King, New York
Cedric L. Richmond, Louisiana Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey John Katko, New York
Kathleen M. Rice, New York John Ratcliffe, Texas
J. Luis Correa, California Mark Walker, North Carolina
Xochitl Torres Small, New Mexico Clay Higgins, Louisiana
Max Rose, New York Debbie Lesko, Arizona
Lauren Underwood, Illinois Mark Green, Tennessee
Elissa Slotkin, Michigan Van Taylor, Texas
Emanuel Cleaver, Missouri John Joyce, Pennsylvania
Al Green, Texas Dan Crenshaw, Texas
Yvette D. Clarke, New York Michael Guest, Mississippi
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
Hope Goins, Staff Director
Chris Vieson, Minority Staff Director
------
SUBCOMMITTEE ON TRANSPORTATION AND MARITIME SECURITY
J. Luis Correa, California, Chairman
Emanuel Cleaver, Missouri Debbie Lesko, Arizona, Ranking
Dina Titus, Nevada Member
Bonnie Watson Coleman, New Jersey John Katko, New York
Nanette Diaz Barragan, California John Ratcliffe, Texas
Val Butler Deming, Florida Mark Green, Tennessee
Bennie G. Thompson, Mississippi (ex Mike Rogers, Alabama (ex officio)
officio)
Alex Marston, Subcommittee Staff Director
Kyle Klein, Minority Subcommittee Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Cedric L. Richmond, Louisiana, Chairman
Sheila Jackson Lee, Texas John Katko, New York, Ranking
James R. Langevin, Rhode Island Member
Kathleen M. Rice, New York John Ratcliffe, Texas
Lauren Underwood, Illinois Mark Walker, North Carolina
Elissa Slotkin, Michigan Van Taylor, Texas
Bennie G. Thompson, Mississippi (ex Mike Rogers, Alabama (ex officio)
officio)
Moira Bergin, Subcommittee Staff Director
Sarah Moxley, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
STATEMENTS
The Honorable J. Luis Correa, a Representative in Congress From
the State of California, and Chairman, Subcommittee on
Transportation and Maritime Security:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable Debbie Lesko, a Representative in Congress From the
State of Arizona, and Ranking Member, Subcommittee on
Transportation and Maritime Security:
Oral Statement................................................. 3
Prepared Statement............................................. 5
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Lousiana, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 8
Prepared Statement............................................. 9
The Honorable John Katko, a Representative in Congress From the
State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Prepared Statement............................................. 3
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Oral Statement................................................. 6
Prepared Statement............................................. 7
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 11
WITNESSES
Panel I
Mr. Robert Kolasky, Director, National Risk Management Center,
Cybersecurity and Infrastructure Security Agency, U.S.
Department of Homeland Security:
Oral Statement................................................. 13
Prepared Statement............................................. 15
Ms. Sonya T. Proctor, Director, Surface Division, Office of the
Security Policy and Industry Engagement, Transportation
Security Administration:
Oral Statement................................................. 19
Prepared Statement............................................. 20
Panel II
Mr. James A. Lewis, Senior Vice President, Center for Strategic
and International Studies:
Oral Statement................................................. 38
Prepared Statement............................................. 39
Ms. Rebecca Gagliostro, Director, Security, Reliability, and
Resilience, Interstate Natural Gas Association of America:
Oral Statement................................................. 42
Prepared Statement............................................. 44
Mr. Erik Robert Olson, Vice President, Rail Security Alliance:
Oral Statement................................................. 46
Prepared Statement............................................. 49
Mr. John Hultquist, Director of Intelligence Analysis, FireEye:
Oral Statement................................................. 53
Prepared Statement............................................. 54
SECURING U.S. SURFACE TRANSPORTATION FROM CYBER ATTACKS
----------
Tuesday, February 26, 2019
U.S. House of Representatives,
Subcommittee on Transportation and Maritime
Security, and the
Subcommittee on Cybersecurity, Infrastructure Protection
and Innovation,
Committee on Homeland Security,
Washington, DC.
The subcommittees met, pursuant to notice, at 10:03 a.m.,
in room 310, Cannon House Office Building, Hon. J. Luis Correa
[Chairman of the Subcommittee on Transportation and Maritime
Security] presiding.
Present: Representatives Correa, Richmond, Cleaver, Jackson
Lee, Langevin, Watson Coleman, Rice, Barragan, Underwood,
Slotkin, Lesko, Walker, and Taylor.
Also present: Representative Thompson.
[Editor's Note.--Due to technical difficulties, audible
portions of this transcript were not recorded and those
instances have been marked accordingly.]
Mr. Correa. Good morning everyone. Seeing the time of 10:05
having arrived, I would like to gavel down and chair--and call
the Subcommittees on Transportation and Maritime Security, and
Cybersecurity, Infrastructure Protection, and Innovation, to
order.
Today's hearing marks the first hearing of this Congress
for the Subcommittee on Transportation and Maritime Security. I
am excited to be chairing this subcommittee in this Congress
and to be joined by our Ranking Member, Congresswoman Lesko
from Arizona; I understand she is getting snow in Arizona, that
is----
Mrs. Lesko. Right, that is--we were. It was crazy----
Mr. Correa. You were?
Mrs. Lesko. In Phoenix.
Mr. Correa. Save the water.
We have a great panel of distinguished Members on both
sides of the aisle and I look forward to working with all of
you to tackle the security challenges facing the transportation
and maritime sectors.
I am glad to hold our first hearing, jointly with the
Cybersecurity Subcommittee, and its leaders, Chairman Richmond,
and Ranking Member Katko, who, Mr. Katko, unfortunately is not
able to join us today.
I am also happy to welcome our two panels today of
witnesses and I look forward to your testimony.
We are here today to discuss a very important topic:
Cybersecurity in our Nation's mass transit, rail, pipeline, and
other surface transportation systems. Cyber threats are a
growing concern for security experts across many sectors and
the surface transportation sector is no different. Millions of
Americans, we rely on surface transportation every day and an
attack against a large subway system or pipeline could have
hugely negative effects on all of us.
Government and industry have both struggled to address
cyber threats which have evolved quickly and have become more
and more complex and I believe DHS is well-positioned to lead
cybersecurity in the efforts across critical infrastructure
sectors including the surface transportation sector.
Last year, Congress established a Cybersecurity
Infrastructure and Security Agency, or CISA, making clear its
status as the preeminent Cybersecurity Agency within the
Federal Government. CISA works closely with TSA which is
responsible for securing all modes of transportation. In
December 2018 working with CISA, TSA released a Cybersecurity
Roadmap that sets priorities for securing transportation from
cyber threats.
The Roadmap is an important first step in the right
direction, but it has to be followed by concrete action. In
coordination with CISA, TSA must ensure owners and operators
have access to the resources, intelligence, guidelines, and
assessments needed to ensure the cybersecurity of their systems
is as good as it can get.
Government and industry stakeholders together must also
address supply chain security concerns. We must make sure that
surface transportation systems are not made vulnerable to cyber
espionage due to unchecked foreign manufacturing of subways
[inaudible] some have questioned whether DHS has paid enough
attention to Pipeline security and have raised the idea of
moving the responsibility from securing pipelines to another
department and Ms. Proctor I do hope you address that issue
during your comments [inaudible] because it would go against
the reasons Congress established DHS, TSA, and CISA.
Only DHS has the scope of authorities and access to
intelligence needed to address cyber threats across critical
infrastructure sectors. DHS has made significant progress in
securing pipelines, including recent updates of TSA's Pipeline
Security Guidelines and it should be allowed to build upon
these on-going efforts.
This hearing provides a great opportunity to discuss the
work of both Government and the private sector to ensure all
modes of transportation are secure from cyber threats and I
look forward to a very productive conversation.
[The statement of Chairman Correa follows:]
Statement of Chairman J. Luis Correa
February 26, 2019
We have a great panel of distinguished Members on both sides of the
aisle, and I look forward to working with you all to tackle the
security challenges facing the transportation and maritime sectors. I
am glad to hold our first hearing jointly with the Cybersecurity
Subcommittee and its leaders, Chairman Richmond and Ranking Member
Katko. I am also happy to welcome our two panels of witnesses today. We
look forward to your testimony.
We are here today to discuss an important topic: The cybersecurity
of our Nation's mass transit, rail, pipeline, and other surface
transportation systems. Cyber threats are a growing concern for
security experts across many sectors--and the surface transportation
sector is no different. Millions of Americans rely on surface
transportation every day for critical services, and an attack against a
large subway system or pipeline could have a hugely negative impact.
Government and industry have both struggled to address cyber
threats, which are evolving quickly and becoming more complex. However,
I believe DHS is well-positioned to lead cybersecurity efforts across
critical infrastructure sectors, including the surface transportation
sector.
Last year, Congress established the Cybersecurity and
Infrastructure Security Agency, or CISA, making clear its status as the
preeminent cybersecurity agency within the Federal Government. To
secure surface transportation from cyber attacks, CISA works closely
with TSA, which is responsible for securing all modes of
transportation.
In December 2018, working with CISA, TSA released a Cybersecurity
Roadmap, which sets priorities for securing transportation from cyber
threats. The publication of this roadmap is an important step in
addressing the cybersecurity of transportation, but it must be followed
by concrete action.
In the surface mode, TSA works collaboratively with the system
owners and operators who provide front-line security at the local
level. In coordination with CISA, TSA must ensure owners and operators
have access to the resources, intelligence, guidelines, and assessments
needed to ensure the cybersecurity of their systems.
Government and industry stakeholders together must also address
supply chain security concerns. We must make sure that surface
transportation systems are not made vulnerable to cyber espionage due
to unchecked foreign manufacturing of subway cars or other
infrastructure.
Finally, some have questioned whether DHS has paid enough attention
to pipeline security and have raised the idea of moving responsibility
for securing pipelines to another department. Doing so would be
foolhardy and go against the reasons Congress established DHS, TSA, and
CISA. Only DHS has the scope of authorities and access to intelligence
needed to address cyber threats across critical infrastructure sectors.
For example, only TSA has authority to issue Security Directives to
require immediate implementation of security measures across or within
modes of transportation in the face of an imminent threat or on-going
attack.
DHS has made significant progress in securing pipelines, including
recent updates to TSA's Pipeline Security Guidelines, and it should be
allowed to build upon its on-going efforts.
This hearing provides a great opportunity to discuss the work of
both Government and private industry to secure all modes of
transportation from cyber threats, and I look forward to a productive
conversation.
Mr. Correa. Now I would like to recognize the Ranking
Member of the subcommittee, the gentlewoman from Arizona, Mrs.
Lesko, for an opening statement.
Mrs. Lesko. Thank you, Mr. Chairman.
Thank you to all of you that are here today including the
people coming as our testifiers.
First, I would like to ask people to keep Representative
Katko, in your prayers because his father passed away and that
is why he is not here today and so Mr. Chairman, I do ask for
unanimous consent for Representative Katko's statement to be
added to the record.
Mr. Correa. Without objection.
[The statement of Ranking Member Katko follows:]
Statement of Ranking Member John Katko
Thank you, Mr. Chairman, and thank you for holding a hearing on
this important issue.
I am pleased that my first subcommittee hearing as Ranking Member
of the Cybersecurity, Infrastructure Protection, and Innovation
subcommittee is a joint hearing with the subcommittee I was honored to
chair for 4 years.
Our world is increasingly connected. Our phones, computers, cars,
and televisions are only some of the things we use every day that are
vulnerable to a cyber attack that causes disruptions.
But what about those objects that affect our everyday life, that we
either don't see or don't consider them to be vulnerable to cyber
attacks like pipelines that undergird this country's energy sector or
the metro cars we rely on to get us around?
A cyber attack on the industrial control systems for our
operational technology could wreak havoc across our Nation. It is an
attack vector that we must take seriously and work to secure these
technologies from motivated attackers.
Fortunately, we have two partners who are well-equipped to address
these vulnerabilities. TSA brings the expertise about our pipelines and
mass transit systems while CISA is the cyber expert. I want to
reiterate what my colleague, Ranking Member Lesko said in her opening
statement--TSA and CISA are stronger because of their ability to work
together. Their value is made greater by the wealth of resources within
DHS to help surface transportation operators be prepared for the cyber
threats.
As a committee, we must be vigilant in making sure the various
sectors of our economy are protecting their assets from physical and
cyber harm. We cannot allow for those technologies that are
foundational to our livelihood be a tool for a bad actor to launch a
cyber attack.
Thank you to our witnesses for taking the time this morning to
speak on this topic. I look forward to hearing from you.
Mrs. Lesko. Thank you, Mr. Chairman, and thank you for
holding a hearing today on this very important topic.
TSA has security authorities over America's surface
transportation modes including 6,700 mass transit systems,
passenger and freight rail as well as motor coach in both rural
and urban communities. In addition, pipelines are considered a
mode of surface transportation for natural gas and hazardous
materials. Across the United States, including in my home State
of Arizona, TSA is responsible for securing more than 2\1/2\
million miles of pipelines carrying natural gas and other
materials that quite literally fuel our economy.
While much progress has been made to provide better
physical security for surface transportation, there remains
growing concerns surrounding the cybersecurity of our Nation's
surface transportation assets. As cyber actors become more
sophisticated and surface transportation systems become
increasingly reliant on computer systems, the vulnerability of
this critical sector grows along with the risks posed by
nefarious actors who may seek to exploit cybersecurity
vulnerabilities to cause service disruptions or conduct
economic espionage.
In general, surface transportation systems utilize a number
of interconnected information systems that, when exposed,
present cybersecurity vulnerabilities. According to the
American Public Transit Association, cyber attacks against
surface transportation operators can destroy an agency's
physical systems, render them inoperable, hand over control of
systems to an outside entity, or threaten the privacy of
individuals or customers.
In the 115th Congress, the Republican Majority worked in a
bipartisan manner to enact the TSA Modernization Act, the
first-ever authorization of TSA since the agency was created in
2001. We also enacted the Cybersecurity and Infrastructure
Security Agency Act of 2018 which created CISA in order to
reform critical security programs within the Department and
better equip DHS to support the cybersecurity of transportation
systems.
Additionally, TSA Administrator Pekoske has worked to
restructure the agency to reflect evolving mission needs. It is
important to note that while threats against our transportation
sector may be evolving, they are not diminishing. Legitimate
concerns have been raised as to the ability of TSA to provide
necessary security for surface transportation assets and
particularly pipelines.
While I believe TSA is best positioned as the Government's
authority on transportation security, it is incumbent upon the
agency to demonstrate its commitment to securing all modes of
transportation. The Department of Homeland Security and its
components must work to mitigate growing cybersecurity threats
and work hand-in-hand with industry partners to promote a
culture of security and keep America's economy fueled and
moving with the public's confidence.
I do look forward to hearing the testimony before us today
and thank you for being here.
I yield back, Mr. Chairman.
[The statement of Ranking Member Lesko follows:]
Statement of Ranking Member Debbie Lesko
February 26, 2019
TSA has security authorities over America's surface transportation
modes, including 6,700 mass transit systems, passenger and freight
rail, as well as motorcoach, in both rural and urban communities. In
addition, pipelines are considered a mode of surface transportation for
natural gas and hazardous materials. Across the United States,
including in my home State of Arizona, TSA is responsible for securing
more than 2.5 million miles of pipelines carrying natural gas and other
materials that quite literally fuel our economy.
While much progress has been made to provide better physical
security for surface transportation there remains growing concern
surrounding the cybersecurity of our Nation's surface transportation
assets.
As cyber actors become more sophisticated and surface
transportation systems become increasingly reliant on computer systems,
the vulnerability of this critical sector grows, along with the risk
posed by nefarious actors who may seek to exploit cybersecurity
vulnerabilities to cause service disruptions or conduct economic
espionage.
In general, surface transportation systems utilize a number of
interconnected information systems that, when exposed, present
cybersecurity vulnerabilities. According to the American Public Transit
Association, cyber attacks against surface transportation operators can
destroy an agency's physical systems, render them inoperable, hand over
control of systems to an outside entity or threaten the privacy of
individuals or customers.
In the 115th Congress, the Republican Majority worked in a
bipartisan manner to enact the TSA Modernization Act, the first-ever
authorization of TSA since the agency was created in 2001. We also
enacted the Cybersecurity and Infrastructure Security Agency Act of
2018, which created CISA in order to reform critical security programs
within the Department and better equip DHS to support the cybersecurity
of transportation systems. Additionally, TSA Administrator Pekoske has
worked to restructure the agency to reflect evolving mission needs.
It is important to note that while threats against our
transportation sector may be evolving, they are not diminishing.
Legitimate concerns have been raised as to the ability of TSA to
provide necessary security for surface transportation assets, in
particular pipelines. While I believe TSA is best positioned as the
Government's authority on transportation security, it is incumbent upon
the agency to demonstrate its commitment to securing all modes of
transportation. The Department of Homeland Security and its components
must work to mitigate growing cybersecurity threats and work hand-in-
hand with industry partners to promote a culture of security and keep
America's economy fueled and moving with the public's confidence.
Mr. Correa. Thank you very much.
I will--I would like to recognize the Chair of the
Committee on Homeland Security, Mr. Bennie Thompson, for some
opening remarks, sir.
Mr. Thompson. Thank you very much, Chairman Correa; Ranking
Member Lesko, on your maiden voyage as Ranking Member, welcome.
I would also like to express my sympathies to Ranking
Member Katko on the loss of his father.
But also, this hearing today is very important, the cyber
threats facing the U.S. surface transportation sector. Since
the 9/11 attacks, the U.S. Government has focused on closing
gaps in physical aviation security by Federalizing passenger
and baggage screening, hardening cockpit doors, and deploying
improved screening technologies and training.
In September 2018 the subcommittees held a joint hearing
highlighting the potential harm from important undisclosed
vector cyber threats in aviation. Today we will provide the
same attention to cybersecurity threats to the surface
transportation sector.
With TSA dedicating most of its resources to protecting
aviation, the surface transportation sector including freight
and passenger trains, commuter rails, mass transit, buses, and
pipelines presents relatively a soft target for mass casualty
attacks. We rely on these diverse assets not only for our
shipping and other transports of natural gas, and a host of
other activities essential to the health of our economy and
National security.
In recent years, surface transportation systems overseas
have been hit by terrorist attacks. On our own shores, New York
City's subway was a target of a failed terrorist plot in
December 2017. Given the level of risk to surface
transportation, I am concerned that we have not sufficiently
protected this sector against cyber threats.
To date no cyber attacks have disrupted the actual
operations of surface transportation systems but attacks have
resulted in financial disruption and affected public confidence
in various modes of surface transportation. These small-scale
attacks have shown that a relatively simple intrusion could up
end surface transportation services causing significant harm
and disruption.
Last year Congress established Cybersecurity and
Infrastructure Security Agency or CISA as the operational
agency within the Federal Government [inaudible] on
cybersecurity information sharing. CISA will continue to play a
critical role in providing cybersecurity resources within DHS
including to TSA and to industries, to combat cyber threats to
critical infrastructure. TSA for its part maintains
responsibility for the security of all modes of transportation.
Working together within DHS, CISA and TSA are uniquely
positioned to address cyber threats in transportation.
I would note that DHS's authorities and capabilities across
critical infrastructures' sectors in all modes of
transportation makes it better positioned to secure pipelines
than the Department of Energy, despite some suggestions to the
contrary.
In December 2018, in coordination with CISA, TSA released
its first-ever Cybersecurity Roadmap, providing a vision for
the future of cybersecurity across all modes of transportation,
while DHS is headed in the right direction much work remains.
In many cases surface transportation sector-owners and -
operators struggle with the same cyber challenges that plague
other industries: A National shortage of skilled cybersecurity
personnel; a work force with minimal cybersecurity training and
awareness; and resource constraints across the board.
Finally, at a hearing on surface transportation security, I
would be remiss if I did not point out that TSA remains non-
compliant with requirements to publish surface transportation
security regulations which were enacted over a decade ago in
the Implementation Recommendations of the 9/11 Commission Act
of 2007.
I would like to at some point, Mr. Chairman, hope to get a
response to why we have not had that take place.
With that I yield back.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
February 26, 2019
Since the 9/11 attacks, the U.S. Government has focused on closing
gaps in physical aviation security by Federalizing passenger and
baggage screening, hardening cockpit doors, and deploying improved
screening technologies and training.
In September 2018, the subcommittees held a joint hearing
highlighting the potential harm from an important, underdiscussed
vector: Cyber threats to aviation. Today, we will provide the same
attention to cybersecurity threats to the surface transportation
sector.
With TSA dedicating most of its resources to protecting aviation,
the surface transportation sector--including freight and passenger
trains, commuter rail, mass transit, buses, and pipelines--presents a
relatively soft target for mass-casualty attacks. We rely on these
diverse assets not only support for our personal and business travel,
but also commercial shipping, the transport of natural gas, and a host
of other activities essential to the health of our economy and National
security.
In recent years, surface transportation systems overseas have been
hit by terrorist attacks. On our own shores, New York City's subway was
the target of a failed terrorist plot in December 2017. Given the level
of risk to surface transportation, I am concerned that we have not
sufficiently protected this sector against cyber threats.
To date, no cyber attacks have disrupted the actual operations of
surface transportation systems, but attacks have resulted in financial
disruption and affected public confidence in various modes of surface
transportation. These small-scale attacks have shown that a relatively
simple intrusion could upend surface transportation services, causing
significant harm and disruption.
Last year, Congress established Cybersecurity and Infrastructure
Security Agency, or CISA, as the operational agency within the Federal
Government charged with serving as the primary civilian interface for
cybersecurity information sharing. CISA will continue to play a
critical role in providing cybersecurity resources within DHS,
including to TSA, and to industry to combat cyber threats to critical
infrastructure.
TSA, for its part, maintains responsibility for the security of all
modes of transportation.
Working together within DHS, CISA, and TSA are uniquely positioned
to address cyber threats to transportation.
I would note that DHS's authorities and capabilities across all
critical infrastructure sectors and all modes of transportation makes
it better positioned to secure pipelines than the Department of Energy,
despite some suggestions to the contrary.
In December 2018, in coordination with CISA, TSA released its
first-ever Cybersecurity Roadmap, providing a vision for the future of
cybersecurity across all modes of transportation.
While DHS is headed in the right direction, much work remains. In
many cases, surface transportation sector owners and operators struggle
with the same cyber challenges that plague other industries: A National
shortage of skilled cybersecurity personnel, a workforce with minimal
cybersecurity training and awareness, and resource constraints across
the board.
Owners and operators must also address supply chain concerns,
including those posed by the emergence of a Chinese state-owned
enterprise manufacturing subway cars for U.S. mass transit systems.
Government and industry must work together to ensure that cyber threats
and vulnerabilities are fully understood and appropriately addressed.
Finally, at a hearing on surface transportation security, I would
be remiss if I did not point out that TSA remains non-compliant with
requirements to publish surface transportation security regulations,
which were enacted over a decade ago in the Implementing
Recommendations of the 9/11 Commission Act of 2007.
The rules required under the law would help TSA to better assess
and address vulnerabilities within the surface transportation sector,
including cybersecurity vulnerabilities.
I look forward to hearing from this panel of witnesses today, and I
hope they will give us a candid assessment of the cybersecurity posture
of our surface transportation sector.
Mr. Correa. Thank you, Chairman Thompson, for those opening
statements.
Now I would like to recognize the co-Chair of this hearing
today, Mr. Richmond, Chairman of the Cybersecurity,
Infrastructure Protection, and Innovation Subcommittee for an
opening statement. Welcome, sir.
Mr. Richmond. Thank you, Mr. Chairman.
I will recognize the Chairman of the whole--full committee,
Mr. Bennie Thompson, from Mississippi.
I will also join my colleagues in extending my condolences
to Congressman Katko. As a person who has lost two fathers, I
understand what he is going through and we wish him the best.
I want to start by congratulating Congressman Correa, on
becoming Chairman of the Transportation and Maritime Security
Subcommittee. I look forward to working with you to improve the
cybersecurity posture of our transportation infrastructure.
Last fall our subcommittees held a joint hearing to assess
cybersecurity risks to aviation. We learned that cyber threats
to aviation are persistent, that cyber tools can be used to
engage in cyber espionage or undermine confidence in the
aviation industry and that the safety of air travelers requires
us to stay a step ahead of bad actors.
In short, we learned that cybersecurity posture of the
aviation sector is a National security, economic security, and
public safety imperative. The same can be said for the
cybersecurity posture of our surface transportation systems.
Surface transportation includes roads, rail, maritime
facilities, and pipelines and my district is rich in all of
them so I am glad that we are beginning the 116th Congress with
this hearing.
Compared to the aviation sector, surface transportation
receives relatively little in Federal funding to support
security. Outside of the Transit Security Grant Program which
is awarded to public transportation entities and primarily used
to secure against physical threats, surface transportation
owners and operators foot the bill for security themselves.
But the Federal Government is not off the hook, it plays a
critical role in providing the situational awareness, security
assessments, and guidance to stakeholders that inform surface
transportation security investments.
In a decade-and-a-half since it was established, the
Department of Homeland Security has matured its ability to
convene stakeholders, leverage its cross-component expertise,
and share actionable intelligence analysis and guidance to help
address pressing National security challenges.
Whether or not the Federal Government can effectively
partner with stakeholders to secure surface transportation
modes from cyber attacks, rests on DHS's ability to continue to
perform and build on these capabilities. Approximately 125,000
miles of pipelines valued at 1.9 billion move oil and gas
through Louisiana every day. The industry employs over 2,500
people in the State; toward that end I was pleased that the
Pipeline Cybersecurity Initiative was one of the first
priorities announced by the new National Risk Management Center
last year and updated Pipeline Security Guidelines were finally
released last March.
I am encouraged that the Department is redoubling its
efforts to improve the cybersecurity of pipelines by enhancing
the in-house collaboration between CISA and TSA, and engaging
with the private sector.
I believe the Pipeline Security Initiative has the
potential to provide a more comprehensive understanding of the
unique cybersecurity risks to pipelines, particularly as the
sector relies more on the industrial internet of things; that
knowledge will empower stakeholders to address cybersecurity
risks more strategically. Although the Initiative was first
announced as one of the NRMC's initial sprint, I hope that it
will evolve into a more permanent collaboration.
I am concerned however that the updated Pipeline Security
Guidelines do not address supply chain risk management;
moreover I would be interested to know how TSA is implementing
the 10 recommendations the Government Accountability Office
made in December related to its management of Pipeline Security
Program. The safety of my community and the economy of my
district depends on DHS getting this mission right.
I would be remiss if I did not also raise my concerns about
the cybersecurity posture of both passenger and freight rail,
particularly as passenger rail cars incorporate automatic train
control, network and train-line control and monitoring and
diagnostics, among other technologies.
Last month I read a troubling report of a Chinese rail
company significantly under-bidding competitors to win transit
rail contracts in four major markets. I am aware of China's
political and economic ambitions. The intelligence community
and Congress have been clear in cautioning against the use of
Chinese telecommunications products.
But it is unclear to me whether the Federal Government has
assessed what, if any additional cybersecurity threat is posed
by contracting with a Chinese company to purchase railcars with
advanced technologies. It is also unclear whether the Federal
Government is providing any guidance to local transit
authorities to ensure cybersecurity is incorporated into their
procurement process.
I look forward to discussing these issues with the
witnesses today and I yield back the balance of my time.
[The prepared statement of Chairman Richmond follows:]
Statement of Chairman Cedric Richmond
February 26, 2019
Last fall, our subcommittees held a joint hearing to assess
cybersecurity risks to aviation. We learned that cyber threats to
aviation are persistent, that cyber tools can be used to engage in
cyber espionage or undermine confidence in the aviation industry, and
that the safety of air travelers requires us to stay a step ahead of
bad actors.
In short, we learned that the cybersecurity posture of the aviation
sector is a National security, economic security, and public safety
imperative. The same can be said for the cybersecurity posture of our
surface transportation systems.
Surface transportation includes roads, rail, maritime facilities,
and pipelines, and my district is rich in all of them, so I'm glad we
are beginning the 116th Congress with this hearing. Compared to the
aviation sector, surface transportation receives relatively little in
Federal funding to support security.
Outside of the Transit Security Grant Program--which is awarded to
public transportation entities and primarily used to secure against
physical threats--surface transportation owners and operators foot the
bill for security themselves.
But the Federal Government is not off the hook. It plays a critical
role in providing the situational awareness, security assessments, and
guidance to stakeholders that inform surface transportation security
investments.
In the decade-and-a-half since it was established, the Department
of Homeland Security has matured its ability to convene stakeholders,
leverage its cross-component expertise, and share actionable
intelligence analysis and guidance to help address pressing National
security challenges.
Whether or not the Federal Government can effectively partner with
stakeholders to secure surface transportation modes from cyber attacks
rests on DHS's ability to continue to perform and build on these
capabilities.
Approximately 125,000 miles of pipelines--valued at $1.9 billion--
move oil and gas through Louisiana every day. The industry employs over
2,500 people in the State. Toward that end, I was pleased that the
Pipeline Cybersecurity Initiative was one of the first priorities
announced by the new National Risk Management Center last year and the
updated Pipeline Security Guidelines were finally released last March.
I am encouraged that the Department is redoubling its efforts to
improve the cybersecurity of pipelines by enhancing the in-house
collaboration between CISA and TSA and engaging with the private
sector.
I believe the Pipeline Cybersecurity Initiative has the potential
to provide a more comprehensive understanding of the unique
cybersecurity risks to pipelines, particularly as the sector relies
more on the industrial internet of things. That knowledge will empower
stakeholders to address cybersecurity risks more strategically.
Although the Initiative was first announced as one of the NRMC's
initial ``sprint,'' I hope that it will evolve into a more permanent
collaboration. I am concerned, however, that the updated Pipeline
Security Guidelines do not address supply chain risk management.
Moreover, I will be interested to know how TSA is implementing the
10 recommendations the Government Accountability Office made in
December related to its management of the Pipeline Security Program.
The safety of my community and the economy of my district depend on DHS
getting this mission right.
I would be remiss if I did not also raise my concerns about the
cybersecurity posture of both passenger and freight rail, particularly
as passenger rail cars incorporate automatic train control, network and
trainline control, and monitoring and diagnostics, among other
technologies. Last month, I read troubling reports of a Chinese rail
company significantly underbidding competitors to win transit rail
contracts in four major markets.
I am aware of China's political and economic ambitions. The
intelligence community and Congress have been clear in cautioning
against the use of Chinese telecommunications products.
But it is unclear to me whether the Federal Government has assessed
what, if any, additional cybersecurity threat is posed by contracting
with a Chinese company to purchase rail cars with advanced
technologies.
It is also unclear whether the Federal Government is providing any
guidance to local transit authorities to ensure cybersecurity is
incorporated into their procurement processes.
I look forward to discussing these issues with the witnesses and I
yield back the balance of my time.
Mr. Correa. Thank you, Chairman Richmond. I also would like
to congratulate you on your Chairmanship; I look forward to
working with you as well.
Other Members of the subcommittee are reminded that under
the committee rules, opening statements may be submitted for
the record.
[The statement of Honorable Jackson Lee follows:]
Statement of Honorable Sheila Jackson Lee
Good morning Chairman Correa and Chairman Richmond, Ranking Member
Lesko and Ranking Member Katko, for convening today's joint hearing on
``Securing U.S. Surface Transportation From Cyber Attacks.''
At the outset, let me congratulate Chairman Correa and Chairman
Richmond on your elections to lead the Homeland Security Subcommittees
on Transportation and Maritime Security and Cybersecurity,
Infrastructure Protection and Innovation Committee, respectively.
I look forward to continuing to work with each of you along with
returning Members of the committee and welcome an outstanding group of
new Members on both sides of the aisle, whom I trust will find the
important work advanced by this committee as fulfilling and rewarding
as I have since joining it as its inception.
Today's witnesses:
Panel I
Mr. Bob Kolasky, director, National Risk Management Center,
Cybersecurity and Infrastructure Security Agency, U.S.
Department of Homeland Security;
Sonya T. Proctor, director, Surface Division, Office of
Security Policy and Industry Engagement, Transportation
Security Administration.
Panel II
Ms. Rebecca Gagliostro, director, security, reliability, and
resilience, Interstate Natural Gas Association of America;
James A. Lewis, senior vice president, Center for Strategic
and International Studies;
Erik Robert Olson, vice president, Rail Security Alliance;
Mr. John Hultquist, director of intelligence analysis,
FireEye (Minority witness).
I thank each of today's witnesses for bringing their expert view on
the state of cybersecurity and surface transportation in the United
States.
I note that several of today's witnesses warn about China and the
security of transportation systems in the United States.
Their concern is shared by the Department of Defense in its annual
report to Congress: Military and Security Developments Involving the
People's Republic of China 2018.
The report states that China obtains foreign technology through
imports, foreign direct investment, industrial and cyber espionage, and
establishment of foreign research and development (R&D) centers.
In addition, an assessment of Cyber Operations by DoD said that
People's Liberation Army researchers believe that building strong cyber
capabilities is necessary to protect Chinese networks and advocate
seizing ``cyber space superiority'' by using offensive cyber operations
to deter or degrade an adversary's ability to conduct military
operations against China.
These findings by the DoD give our committee ample reason to
consider the cybersecurity implications of China's activity in the
transportation sector.
The Transportation Security Administration (TSA) is responsible for
both the physical security and cybersecurity of all modes of
transportation, including pipelines.
In November 2018, TSA released the ``TSA Cybersecurity Roadmap for
2018,'' its first-ever cybersecurity roadmap.
The Roadmap will guide TSA's oversight of the cybersecurity of the
transportation systems sector over the next 5 years by focusing on four
priority areas, which include risk identification, vulnerability
reduction, consequence mitigation, and enabling cybersecurity outcomes.
In addition, the Roadmap emphasizes TSA's commitment to recruiting,
retaining, and training technical and cyber talent to improve its
ability to engage with stakeholders on cybersecurity and information
technology issues.
Finally, the Roadmap highlights TSA's collaboration with the
Cybersecurity and Infrastructure Security Agency (CISA), which is the
operational component within DHS charged with serving as the primary
Federal civilian interface for cybersecurity information sharing.
We know the threats that computing devices and systems face, which
are almost too numerous to count:
Bot-nets;
Ransomware;
Zero Day Events;
Malware;
Denial-of-Service Attacks;
Distributed Denial-of-Service Attacks;
Pharming;
Phishing;
Data Theft;
Data Breaches;
SQL Injection;
Man-in-the-Middle Attack.
The list goes on, but suffice to say that as hard as any one person
in our Government is working to stop cyber attacks there are likely
another thousand attempting to breach a system or device or technology
used by a United States citizen.
Vulnerabilities of computing systems are not limited to intentional
attacks, but can include acts of nature, human error, or technology
failing to perform as intended.
I am particularly concerned about cybersecurity of transportation
for pipelines, bridges, tolls, air traffic control systems, commercial
aircraft, ports, and automobiles.
Government agencies and political institutions around the world
have acknowledged that air traffic management and control (ATM/ATC)
vulnerabilities could be used to undermine National security.
Any breach of the U.S. air traffic control system can lead to
flight interruptions that may result in cancellations.
The number, type, and severity of cyber threats experienced by
ports, service providers, or port customers are unknown because victims
generally prefer not to report incidents and to pay or absorb costs
resulting from breaches or thefts.
Another reason for underreporting is that companies and ports often
are unaware that their cybersecurity has been breached.
In January 2019, the American Association of Port Authorities
(AAPA) identified nearly $4 billion in crucial port and supply chain
security needs over the next 10 years.
The AAPA says that funding is needed to ensure America's port
facilities are properly equipped to address new and evolving security
challenges.
The report recommends refocusing the Federal Emergency Management
Agency's Port Security Grant Program to better meet the security
infrastructure needs of publicly-owned commercial seaports and related
maritime operations.
AAPA recommends funding an estimated $2.62 billion in maintenance
and upgrades to port security equipment and systems, and another $1.27
billion for investments to tackle cybersecurity, active shooter, drone
mitigation, resiliency, and other evolving security threats.
It is reported that the U.S. Government invests $100 million
annually in the Port Security Grant Program.
This grant program began after 9/11, and it is estimated that by
the end of 2017, container volumes through U.S. ports have increased 71
percent and total foreign trade tonnage had increased 37 percent, while
cruise passenger traffic nearly doubled by the end of 2018.
During this time, 85 percent of AAPA U.S. member ports report that
they anticipate direct cyber or physical threats to their ports to
increase over the next 10 years.
The 2017 APM Maersk cyber attack illustrates how an incident can
start outside the United States and have a cascading impact on ports
and terminal operations across the globe.
Further evidence on the cyber vulnerability of ports, comes from
October 15, 2014, in a report by CyberKeel entitled, ``Maritime Cyber-
Risks,'' which focused on financial thefts; alteration of carrier
information regarding cargo location; barcode scanners used as hacking
devices (a variation of the light bulb vulnerability described above);
targeting of shipbuilding and maritime operations; cyber-enabled large
drug smuggling operations; compromising of Australian customs and
border protection; spoofing a vessel Automated Identification System
(AIS); drilling rig cyber attack; vessel navigation control hack; GPS
jamming; vulnerabilities in the Electronic Chart Display and
Information System; and a Danish Maritime Authority breach.
In 2015, I hosted a briefing on ``Cyber Security Threat Posed by
the Ability to Hack Automobiles,'' which provided information on the
growing threat of remote attacks against moving vehicles and the
privacy of consumer data captured by automotive systems.
Finally, the use of untrustworthiness of transportation
infrastructure can have significant impacts on our Nation's economy.
An important part of cybersecurity is establishing and maintaining
a cybersecurity culture both within the Federal Government and
throughout the private sector.
We must change the way we perceive and respond to cybersecurity
vulnerabilities and threats.
We must be steadfast in our resolve to protect the Nation's
transportation system from cyber threats.
I look forward to the testimony of today's witnesses.
Thank you.
Mr. Correa. With that being said I welcome the first panel
of witnesses.
Our first witness is Mr. Bob Kolasky, who serves as
director of the National Risk Management Center at the
Cybersecurity and Infrastructure Security Agency at the
Department of Homeland Security. As director he oversees the
Center's efforts to facilitate strategic cross-sector risk
management approach to cyber and physical threats to our
critical infrastructure.
Next we will have Ms. Sonya Proctor, who serves as director
of the Surface Division within the Office of Security Policy or
OSP, at the Transportation Security Agency. Ms. Proctor's
responsibilities include developing risk-based and effective
security policy in collaboration with stakeholders in surface
transportation modes.
Without objection, the witnesses' full statements will be
inserted into the record and I will ask each witness to
summarize his or her statements in 5 minutes, beginning with
Mr. Kolasky.
Welcome, sir.
STATEMENT OF ROBERT KOLASKY, DIRECTOR, NATIONAL RISK MANAGEMENT
CENTER, CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Kolasky. Thank you, Chairman.
Chairman Correa, Chairman Thompson, Chairman Richmond,
Ranking Member Lesko, and Members of the subcommittee, good
morning and thank you for the opportunity to testify regarding
the Department's on-going and collaborative efforts to
strengthen the cybersecurity of our Nation.
Today, as the subject of the hearing, I will focus my
remarks on surface transportation including pipelines, mass
transit, freight, rail, and our highways.
First however I do want to thank the committee for its
leadership in establishing the Cybersecurity and Infrastructure
Security Agency, CISA. By creating our new agency in law,
Congress formally recognized DHS's role as the leader of the
National effort to safeguard Federal networks and critical
infrastructure from cyber and physical threats.
CISA delivers organization-specific and cross-sector risk
management support to enhance the resiliency of our Nation's
critical infrastructure. We are the main Federal interface for
sharing cyber-threat indicators. We provide a broad range of
cybersecurity threat detector response and coordination
capabilities to assist industry across all sectors, including
surface transportation, for securing their operations. Our
capabilities bring together the intelligence committee, law
enforcement, international partners, and the private sector.
As part of CISA, I serve as the director of the National
Risk Management Center. The Center brings together industry and
Government for collaborative planning, analysis, and
prioritization in order to reduce risk to critical
infrastructure. These efforts complement and support the day-
to-day operations across our agency and are intended to focus
on the most significant risks facing the Nation's critical
infrastructure. To that end cyber threats remain one of the
most significant strategic risks for the United States.
Critical infrastructure cyber incidents however are rarely
sector-specific which means we can't afford to take a sector-
specific approach to risk management. Our adversaries target
common vulnerabilities in systems across sectors. They target
companies in one sector to launch attacks on a [inaudible] the
growing interdependencies across sectors demand an integrated
approach.
An attack on the transportation sector has operational
impact and transcends the operations across the transportation
sector. That is one reason why we did establish the National
Risk Management Center. Planning, operations, and information
sharing to secure critical infrastructure must not be
stovepiped; this is because of the global, borderless,
interconnected nature of cyber space where strategic threats
can manifest in the homeland without advance warning and speed
of collaboration is essential.
In the coming months the National Risk Management Center
will finalize the identification of a set of National Critical
Functions. National Critical Functions are defined as the
functions of Government and the private sector, so vital to the
United States that their disruption, corruption, or dysfunction
could have a debilitating impact on National security, economic
security, National public health, or safety, and we identified
these in partnership with industry and our colleagues across
the Government.
Through this process we have already identified functions
associated with surface transportation such as the movement of
commodities through pipelines and the generation of electricity
that need to be prioritized. Because of that last year as you
all mentioned, we launched the Pipeline Security Initiative to
build upon past work in the sector.
This effort is a partnership between CISA, TSA, the
Department of Energy, as well as industry. CISA is coordinating
risk management planning and tasking its cybersecurity
operations, provide technical capabilities in support of my
colleague Sonya and her team as the sector-specific agency.
TSA's relationship with the sector and understanding of
pipeline operations is critical to the success of this
initiative.
The Pipeline Security Initiative is conducting
cybersecurity assessments on pipelines to identify and mitigate
vulnerabilities. The first comprehensive assessment was
completed in December 2018 and we expect to do 9 more this
year. These are some of the most comprehensive, in-depth, cyber
assessments the U.S. Government has done on pipelines to date.
Based on these assessments the NRMC will be conducting initial
analysis of how best to reduce risk to the Nation's pipeline
infrastructure, working with industry to prioritize mitigation
activities.
Another example of our work to support the transportation
sector is industrial control security. Much of our Nation's
surface transportation is dependent on industrial control
systems to monitor, control, and safeguard operation. We at
CISA have a long history of working to provide technical
expertise and to share information with ICS vendors and we will
continue to do that with a focus on surface transportation.
The final area I want to talk about, the National Risk
Management Center's efforts are our efforts around supply chain
security. To address supply chain risks CISA has established an
Information and Communications Technology Supply Chain Risk
Management Task Force. This is a public-private partnership to
facilitate mitigation of emerging supply chain threats.
Work is on-going on 4 separate work streams intended to
improve threat information, better understand priority Supply
Chain risks, and incentivize and enhance Supply Chain Risk
Management. This work will help transportation sectors as well
as critical infrastructure and Federal networks.
In closing, CISA will continue to be a partner to our
Government and industry colleagues with the twin imperative of
addressing the cyber threats we see today and shaping the risk
environment of tomorrow. I am convinced that such an approach
will leave us better prepared to address any challenges we face
from our adversaries now and in the future.
Once again thank you for the opportunity to appear before
the subcommittee today. I look forward to your questions.
[The prepared statement of Mr. Kolasky follows:]
Prepared Statement of Robert Kolasky
February 26, 2019
Chairman Richmond, Chairman Correa, Ranking Member Katko, Ranking
Member Lesko, and Members of the subcommittees, thank you for the
opportunity to testify regarding the U.S. Department of Homeland
Security's (DHS) on-going efforts to reduce and mitigate risks to our
Nation's critical infrastructure. I have the privilege of serving as
the director of the National Risk Management Center (NRMC) at the
Cybersecurity and Infrastructure Security Agency (CISA). The NRMC
operates as a planning, analysis, and collaboration center bringing
together industry and multiple parts of Government to identify,
analyze, prioritize, and reduce risks to critical infrastructure. The
NRMC's efforts are centered on the ``secure tomorrow'' mantle of CISA's
mission--complementing and drawing from the day-to-day information
sharing, technical analysis, and operational assistance missions from
elsewhere in the agency.
My testimony today will focus on the cybersecurity of surface
transportation systems, including pipelines, mass transit systems,
freight rail systems, and highways. Both CISA and the Transportation
Security Administration (TSA) play a critical role in accomplishing
this mission. CISA is leading National efforts to defend the Nation's
critical infrastructure today and secure tomorrow by partnering with
industry and Government to reduce risk from cyber, physical, and hybrid
threats. Thanks to Congress's leadership and passage of the
Cybersecurity and Infrastructure Security Agency Act of 2018 (Pub. L.
115-278), we are now even better poised to further the maturation of
the organization to best reflect our essential mission and role in
securing cyber space. CISA's efforts to secure surface transportation
are carried out in close coordination with the TSA and Department of
Transportation, the Sector-Specific Agencies (SSA) for the surface
transportation portion of the Transportation Systems Sector.
cyber threats
Cyber threats remain one of the most significant strategic risks
for the United States, threatening our National security, economic
prosperity, and public health and safety. The past several years have
marked a growing awareness of the cyber domain in the public
consciousness. We have seen advanced persistent threat actors,
including hackers, cyber criminals, and nation-states, increase the
frequency and sophistication of their attacks. Our adversaries have
been developing and using advanced cyber capabilities in attempts to
undermine critical infrastructure, target our livelihoods and
innovation, steal our National security secrets, and threaten our
democratic institutions.
Cybersecurity threats affecting surface transportation have the
potential to impact the industrial control systems that operate
pipelines, mass transit, freight rail systems, and our highway
infrastructure. For example, America depends heavily on the 2.7 million
miles of pipeline crisscrossing our country. Increasingly, the business
operations and control systems that are vital to the continuity of this
part of our energy posture are threatened by cyber attacks from nation-
states and other malicious actors. Many pipelines are now supplied with
industrial control systems, automated pressure regulators, and control
valves. If this pipeline infrastructure is intentionally attacked,
control valves and pressure regulators could be affected. Failure of
these technologies could lead to pressure surges causing emergency
shutdowns, unexpected explosions and fires, and other serious
consequences. The recently-published Worldwide Threat Assessment of the
intelligence community states, ``China has the ability to launch cyber
attacks that cause localized, temporary disruptive effects on critical
infrastructure--such as disruption of a natural gas pipeline for days
to weeks--in the United States.''
Similarly, trains are now supplied with on-board information
technology (IT) systems that provide and receive real-time updates on
track conditions, train position, train separation, car status, and
other operational data. While such technologies are designed to provide
faster and more reliable communications, these wireless communication
advances result in trains no longer functioning as closed systems, thus
increasing the cyber risks.
Today's industrial control systems within highway infrastructure
are often not only automated but highly integrated. Interconnected road
networks are controlled by numerous systems and devices such as traffic
signal systems, ramp metering systems, road weather information
systems, and field devices that feed into a traffic management center.
If an individual system or device was deliberately attacked, the
potential to affect multiple control systems would be a distinct
reality.
cybersecurity priorities
CISA, our Government partners, and the private sector are all
engaging in a more strategic and unified approach toward improving our
Nation's overall defensive posture against malicious cyber activity. In
May of last year, DHS published the Department-wide DHS Cybersecurity
Strategy, outlining a strategic framework to execute our cybersecurity
responsibilities during the next 5 years. Both the Strategy and
Presidential Policy Directive 21--Critical Infrastructure Security and
Resilience, emphasize that we must maintain an integrated approach to
managing risk.
The National Cyber Strategy, released in September 2018, reiterates
the criticality of collaboration and strengthens the Government's
commitment to work in partnership with industry to combat cyber threats
and secure our critical infrastructure. Together, the National Cyber
Strategy and DHS Cybersecurity Strategy guide CISA's efforts to secure
Federal networks and strengthen critical infrastructure. DHS works
across Government and critical infrastructure industry partnerships to
share timely and actionable information as well as to provide training
and technical assistance. Our work enhances cyber threat information
sharing between and among governments and businesses across the globe
to stop cyber incidents before they occur and quickly recover when they
do. By bringing together all levels of government, the private sector,
international partners, and the public, we are enabling a collective
defense against cybersecurity risks, while improving our whole-of-
Government incident response capabilities, enhancing information
sharing of best practices and cyber threats, strengthening our
resilience, and facilitating safety.
CISA's National Cybersecurity and Communications Integration Center
(NCCIC) provides entities with information, technical assistance, and
guidance they can use to secure their networks, systems, assets,
information, and data by reducing vulnerabilities, ensuring resilience
to cyber incidents, and supporting their holistic risk management
priorities. The NCCIC operates at the intersection of the Federal
Government, State and local governments, the private sector,
international partners, law enforcement, intelligence, and defense
communities. The Cybersecurity Information Sharing Act of 2015 (Pub. L.
114-113) established DHS as the Federal Government's central hub for
the sharing of cyber threat indicators and defensive measures. CISA's
automated indicator sharing capability allows the Federal Government
and private-sector network defenders to share technical information at
machine speed.
Much of our Nation's surface transportation infrastructure is
dependent on industrial control systems to monitor, control, and
safeguard operational processes. Many of the industrial control systems
currently in use were built for operability, efficiency, and
reliability during an era when security was a lower priority than it is
today. CISA has a well-established history of working to secure
industrial control systems across critical infrastructure. In 2004, DHS
established the Control Systems Security Program to address growing
concerns over the security of industrial control systems. Since 2009,
DHS has maintained the Industrial Control Systems Joint Working Group
as the primary body for communicating and partnering across all
critical infrastructure sectors and the government at all levels to
accelerate the design, development, and deployment of secure industrial
control systems. CISA's industrial control systems cybersecurity
capabilities include malware and vulnerability analysis; an operational
watch floor to monitor, track, and investigate cyber incidents;
incident response; international stakeholder coordination; and the
creation and dissemination of threat briefings, security bulletins, and
notices related to emerging threats and vulnerabilities impacting these
technologies.
national risk management
Our adversaries' capabilities on-line are outpacing our stove-piped
defenses. Specifically, there has been a critical gap in cross-sector,
cross-government coordination on critical infrastructure security and
resilience. Working together with the private sector and other
Government partners, we are taking collective action to strengthen
cross-sector, cross-government coordination against malicious cyber
actors.
Through the NRMC within CISA, we have stepped up our efforts to
provide a comprehensive risk management approach to cyber and physical
security. The NRMC is a core component of DHS's efforts to take a
holistic cross-sector approach to managing risks to the critical
functions that drive our economy and are necessary to our National
security. Through the NRMC, Government and industry are coming together
to create a more complete understanding of the complex perils that
threaten the Nation's critical infrastructure.
Risk is increasingly cross-sector in nature. A siloed approach to
risk identification and management simply will not work. By the nature
of the threat, and infrastructure design, risk transcends
infrastructure sectors, is shared across State and National lines, and
is held by both Government and industry. As an example, we recently
briefed industry on cyber activities that have been attributed to
China. Attempts to steal intellectual property do not discriminate
between sectors of our economy. From biotechnology, to aircraft
components, to advanced rail equipment, and electrical generation
equipment--information is at risk, and it can be weaponized. Similarly,
the cascading nature of cyber incidents across sectors is very real. We
need to look no further than NotPetya, the most costly cyber attack in
history--which we have attributed to Russia--to see how risk easily
jumps across sectors and continents and how it can hit private sector
organizations particularly hard.
national critical functions
Historically, the U.S. Government has focused on prioritizing
critical infrastructure from the perspective of assets and
organizations. A different approach for prioritization is needed to
better address system-wide and cross-sector risks and dependencies.
CISA, through the NRMC, is leading an effort to develop a set of
National Critical Functions to guide critical infrastructure risk
management.
National Critical Functions are defined as ``the functions of
Government and the private sector so vital to the United States that
their disruption, corruption, or dysfunction would have a debilitating
impact on National security, economic security, National public health
or safety.'' This construct forces a risk management conversation that
is less about whether an entity is a business or Government, and more
about what an entity does to manage risk and what risk it enables. This
framework allows us to look at issue sets in the risk management space
not in isolation, but with a more holistic context.
We are partnering with SSAs and all 16 critical infrastructure
sectors, including the Transportation Systems, Communications,
Financial Services, and Energy sectors to identify and validate
National Critical Functions. This list will be finalized in the coming
months and will form the basis for subsequent analysis--including
consequence modeling and dependency analysis--in order to develop a
Risk Register of the most pressing threats facing the critical
infrastructure community. Such a Risk Register will guide collective
action between Government and industry on how to best address risk
management.
In doing the critical functions work, we have already identified
aspects associated with surface transportation, such as pipeline
operations, that need to be prioritized in terms of security. Although
we are in our early stages of that work, we agree with the committee on
the pressing need to address risks associated with nation-state
exploitation of vulnerabilities that link information to infrastructure
operations and which could have significant consequences on community
and economic security.
surface transportation cybersecurity
The Pipeline Security Initiative is a partnership between CISA,
TSA, the Department of Energy, and industry. Bad actors have shown
interest in infiltrating systems in sectors with less mature cyber
hygiene, and using that access to better understand ways to manipulate
equipment in sectors with more advanced security protocols. This can
lead to critical pipeline systems, including water, natural gas, and
liquid fuels, being at risk.
By leveraging the TSA's SSA expertise and CISA's technical
cybersecurity capabilities, the Pipeline Security Initiative is working
to improve our ability to identify and mitigate vulnerabilities to the
pipeline ecosystem. This initiative uses different voluntary
assessments--ranging from single and multi-day inspections to self-
assessments--to help our industry partners identify and mitigate
potential vulnerabilities and provide the Government with a broader
view of pipeline security risk.
In December 2018, we completed our first comprehensive assessment
under this new initiative. This initial assessment served as a
successful test-bed to ensure that tools and other techniques offer the
detail and data necessary to conduct the comprehensive analysis needed
to ensure critical services and product flow through the pipeline
systems. We anticipate 9 more assessments in 2019.
supply chain risks
Information and communications technology (ICT) is critical to
every business and Government agency's ability to carry out its mission
efficiently and effectively. Vulnerabilities in ICT can be exploited
intentionally or unintentionally through a variety of means, including
deliberate mislabeling and counterfeits, unauthorized production,
tampering, theft, and insertion of malicious software or hardware. If
these risks are not detected and mitigated, the impact to the ICT could
be a fundamental degradation of its confidentiality, integrity, or
availability and potentially create adverse impacts to essential
Government or critical infrastructure systems.
Increasingly sophisticated adversaries seek to steal, compromise,
alter, or destroy sensitive information on systems and networks, and
risks associated with ICT may be used to facilitate these activities.
The Office of the Director of National Intelligence (ODNI) acknowledges
that ``the U.S. is under systemic assault by foreign intelligence
entities who target the equipment, systems, and information used every
day by Government, business, and individual citizens.'' The
globalization of our supply chain can result in component parts,
services, and manufacturing from sources distributed around the world.
ODNI further states, ``Our most capable adversaries can access this
supply chain at multiple points, establishing advanced, persistent, and
multifaceted subversion. Our adversaries are also able to use this
complexity to obfuscate their efforts to penetrate sensitive research
and development programs, steal intellectual property and personally
identifiable information, insert malware into critical components, and
mask foreign ownership, control, and/or influence of key providers of
components and services.''
CISA has launched the ICT Supply Chain Risk Management (SCRM) Task
Force as a public-private partnership to mitigate emerging supply chain
threats. The Task Force is the main private-sector point of entry for
our SCRM efforts and is jointly chaired by DHS and the chairs of IT and
Communications Sector Coordinating Councils. The Task Force is focused
on supply chain threat information sharing, supply chain threat mapping
and assessment, establishing criteria for qualified bidder and
manufacturer lists, and incentivizing the purchase of ICT from original
manufacturers and authorized resellers.
conclusion
In the face of increasingly sophisticated threats, DHS employees
stand on the front lines of the Federal Government's efforts to defend
our Nation's critical infrastructure from natural disasters, terrorism
and adversarial threats, and technological risk such as those caused by
cyber threats. The coming revolution of autonomous operations of
infrastructure and other core functions, which combines data, machine
learning, algorithms, and computing power and which is associated with
massive new markets in artificial intelligence, smart cities, and
quantum computing is going to radically change the nature of National
security. The underpinning systems enabling functioning infrastructure
have become more complex, and design considerations have created new
vulnerabilities. Combine the reality of adversaries who are seeking to
achieve strategic gain in the global marketplace and there is an
essential imperative to have security remain a first-order
consideration for key infrastructure deployments and in the
establishment of supply chains.
CISA is working with partners to meet this century's risks. Doing
so requires being vigilant about security risk today and playing the
long game--which will require continued collaboration between the
Executive and Legislative branches. As the committee considers these
issues, we are committed to working with Congress to ensure that this
effort is done in a way that cultivates a safer, more secure, and
resilient homeland.
Thank you for the opportunity to appear before the committee today,
and I look forward to your questions.
Mr. Correa. Thank you, Mr. Kolasky.
I will now recognize Ms. Proctor, for your testimony; if
you can summarize your statements in 5 minutes. Thank you.
STATEMENT OF SONYA T. PROCTOR, DIRECTOR, SURFACE DIVISION,
OFFICE OF THE SECURITY POLICY AND INDUSTRY ENGAGEMENT,
TRANSPORTATION SECURITY ADMINISTRATION
Ms. Proctor. Thank you.
Good morning, Chairman Thompson, Chairman Correa, and
Richmond, and Ranking Member Lesko, and distinguished Members
of the subcommittee. Thank you for the opportunity to appear
before you this morning to discuss the Transportation Security
Administration's efforts to secure surface transportation
systems including oil and natural gas pipelines from
cybersecurity risks. I also want to thank you for the TSA
Modernization Act and the support of that.
TSA is committed to securing the transportation sector,
which includes pipelines, against evolving and emerging risks
such as cyber attacks; partnering with our private-sector
partners to secure surface transportation from cyber attacks is
a critically important and complex undertaking.
The U.S. surface transportation system is a complex
interconnected and largely open network comprised of mass
transit systems, passenger and freight railroads, over-the-road
bus operators, motor carrier operators, pipelines, and maritime
facilities. The various modes that make up the system operate
daily in close coordination with and proximity [inaudible]
transportation system, operating securely and safely.
Every year more than 10 billion trips are taken on 6,800
U.S. mass transit systems which range from small bus-only
systems in rural areas to large multi-modal systems in urban
areas. Over-the-road bus operators carry approximately 604
million inter-city bus passengers each year; over 3,300
commercial bus companies travel on the 4 million miles of
roadway in the United States and on more than 600,000 highway
bridges and through over 470 tunnels. Those same roads,
bridges, and tunnels support the movement of goods throughout
the country by 8 million large-capacity commercial trucks.
As for our railroads and pipelines, more than 570
individual freight railroads carrying essential goods, operate
on nearly 140,000 miles of track and 2.75 million miles of
pipelines owned and operated by approximately 3,000 private
companies, transporting natural gas, refined petroleum
products, and other commercial products.
TSA's functions and authorities as a security agency are
uniquely structured to tackle the challenges at the
intersections of surface transportation and cyber risks. To
secure these networks, TSA leverages its mature intelligence
and analysis capability along with its vetting and
credentialing programs to ensure it can quickly develop and
promulgate risk mitigation guidelines and measures to
effectively [inaudible] efforts are bolstered by strong
partnerships, trust, and collaboration with our Federal
industry and partners.
In this regard industry works with TSA to share their own
unique vulnerabilities and security needs. Through this open
communication we collaboratively develop programs and
guidelines for industry to voluntarily adopt to increase their
overall security posture an approach that has yielded
significant security investments and improvements beyond what
the agency would have achieved from a regulatory approach
alone. We believe that this voluntary and collaborative
approach to developing and implementing security measures has
been successful.
However, we also recognize that should arise based on an
eminent threat or real-world event the TSA administrator has
unique authority to require immediate implementation of certain
security measures through the issuance of security directives.
In December 2018 the TSA administrator issued the agency's
Cybersecurity Roadmap which will guide efforts to prioritize
cybersecurity measures within TSA and across the transportation
system over the next 5 years. TSA approaches both cybersecurity
and physical security by identifying, assessing, and mitigating
the risk. TSA helps surface owners and operators identify
vulnerabilities and risks in their operations and works with
them to develop and implement risk mitigating solutions.
In closing TSA has been able to support the improvement of
both physical and cybersecurity across all surface modes of
transportation, including pipelines, thanks to the trust and
relationships we have cultivated with our Federal partners and
industry as evidenced by the programs and resources TSA has
collaboratively developed and implementing for our surface
transportation stakeholders. TSA is committed to securing the
Nation's surface transportation system from terrorist
activities and cyber attacks.
TSA looks forward to working with Congress on these efforts
and thank you for the opportunity to discuss these issues here
with you today. I look forward to the subcommittee's questions.
[The prepared statement of Ms. Proctor follows:]
Prepared Statement of Sonya T. Proctor
February 26, 2019
Good morning Chairmen Correa and Richmond, Ranking Members Lesko
and Katko, and distinguished Members of the subcommittees. Thank you
for the opportunity to appear before you to discuss the Transportation
Security Administration's (TSA) efforts to secure surface
transportation systems including oil and natural gas pipelines from
cybersecurity risks.
TSA is committed to securing the transportation sector, which
includes pipelines, against evolving and emerging risks, such as cyber
attacks. Partnering with our private-sector partners to secure surface
transportation from cyber attacks is a critically important and complex
undertaking. As the director of national intelligence recently stated,
our adversaries and strategic competitors have cyber attack
capabilities they could use against U.S. critical infrastructure,
including U.S. surface transportation. As a disruption to any of these
systems would negatively impact our economy, commerce, and well-being,
the cyber attack threat is driving the Department of Homeland
Security's efforts to increase the cyber resilience of surface
transportation.
surface transportation
The U.S. surface transportation system is a complex,
interconnected, and largely open network comprised of mass transit
systems, passenger and freight railroads, over-the-road bus operators,
motor carrier operators, pipelines, and maritime facilities. The
various modes that make up this system operate daily in close
coordination with and proximity to one another. Americans and our
economy depend on the surface transportation system operating securely
and safely.
Every year more than 10 billion trips are taken on 6,800 U.S. mass
transit systems, which range from small bus-only systems in rural areas
to large multi-modal systems in urban areas. Over-the-road bus
operators carry approximately 604 million intercity bus passengers each
year. Over 3,300 commercial bus companies travel on the 4 million miles
of roadway in the United States and on more than 600,000 highway
bridges greater than 20 feet in length and through over 470 tunnels.
Those same roads, bridges, and tunnels support the movement of goods
throughout the country by 8 million large capacity commercial trucks.
As for our railroads and pipelines, more than 570 individual
freight railroads carrying essential goods operate on nearly 140,000
miles of track, and 2.75 million miles of pipelines, owned and operated
by approximately 3,000 private companies, transport natural gas,
refined petroleum products, and other commercial products.
TSA's functions and authorities as a security agency are uniquely
structured to tackle the challenges at the intersections of surface
transportation and cyber risks. To secure these networks, TSA leverages
its mature intelligence and analysis capability, along with its vetting
and credentialing programs to ensure it can quickly develop and
promulgate risk mitigation guidelines and measures to effectively
coordinate and address evolving risk.
TSA's security efforts are bolstered by strong partnerships, trust,
and collaboration with our Federal and industry partners. In this
regard, industry works with TSA to share their own unique
vulnerabilities and security needs. Through this open communication, we
collaboratively develop programs and guidelines for industry to
voluntarily adopt to increase their overall security posture--an
approach that has yielded significant security investments and
improvements beyond what the agency would have achieved from a
regulatory approach alone.
We believe that this voluntary and collaborative approach to
developing and implementing security measures has been successful.
However, we also recognize that should the need arise, based on an
imminent threat or real-world event, the TSA administrator has unique
authority to require immediate implementation of certain security
measures through the issuance of Security Directives (SDs).
TSA also actively collaborates with law enforcement entities, such
as the Federal Bureau of Investigation (FBI), the Department of
Justice, and the Joint Terrorism Task Force, to address attacks on
critical infrastructure and supporting networks. For example, TSA works
with the FBI to share intelligence information and host joint working
groups on investigation and enforcement for attacks on surface
transportation infrastructure. TSA also serves on the Energy Sector
Government Coordinating Council, co-chaired by the Department of Energy
and the DHS Cybersecurity and Infrastructure Security Agency (CISA), to
discuss energy and pipeline security issues, provide insight on
relevant intelligence, and coordinate at the Federal level on pipeline-
related security recommendations and programs. Additionally, TSA works
closely with the Pipeline and Hazardous Materials Safety Administration
within the Department of Transportation for incident response and
monitoring of pipeline systems.
tsa cybersecurity roadmap
In December 2018, the TSA administrator issued the agency's
Cybersecurity Roadmap, which will guide efforts to prioritize
cybersecurity measures within TSA and across the transportation system
sector over the next 5 years. The Cybersecurity Roadmap identifies 4
priorities which will help the agency achieve its cybersecurity goals:
Identify cybersecurity risks;
Reduce vulnerabilities to our systems and critical
infrastructure across the transportation systems sector;
Mitigate consequences if and when incidents do occur; and,
Strengthen security and ensure the resilience of the system.
The TSA Cybersecurity Roadmap has been supplemented with the
development of an implementation plan which will assist in resource
allocation to this critical area. In coordination with CISA, the
Federal Government's lead cybersecurity agency, the TSA Cybersecurity
Roadmap brings TSA's cybersecurity efforts into alignment with both the
National Cyber Strategy and the DHS Cybersecurity Strategy.
tsa's cybersecurity efforts for surface transportation
TSA approaches both cybersecurity and physical security by
identifying, assessing, and mitigating any risks. TSA helps surface
owners and operators identify vulnerabilities and risks in their
operations, and works with them to develop and implement risk-
mitigating solutions.
TSA's cybersecurity approach to its critical infrastructure mission
is based on the National Institute of Standards and Technology (NIST)
cybersecurity framework, which is designed to provide a foundation that
industry can implement to sustain robust cybersecurity measures. TSA
shares information and resources with industry to support adoption of
the framework.
TSA cybersecurity resources and efforts for all modes of surface
transportation include:
Cybersecurity Toolkit.--Provides information on an array of
resources, recommendations, and practices available at no cost
to surface transportation entities.
Cybersecurity Counterterrorism Guides.--``Pocket'' resource
guides to help educate all levels of surface transportation
professionals on potential cyber threats, actions they can
take, and best practices. Over 59,000 cybersecurity guides have
been distributed across all modes of surface transportation.
Cybersecurity ``5N5'' Workshops.--Provides owners and
operators of critical infrastructure with an awareness of
existing cybersecurity support programs, resources, familiarity
with the NIST Framework, and an opportunity to discuss
cybersecurity challenges and share best practices. Workshop
participants leave with immediate benefit by receiving 5 non-
technical cybersecurity actions to implement over 5 days (5N5).
Cybersecurity Awareness Messages (CAMs).--Disseminates
information to stakeholders either in response to real-world
events or in anticipation of significant anniversaries or
holidays to support the transportation security community's
efforts to increase their cybersecurity posture, and recommends
voluntary cybersecurity protective measures.
Daily Cybersecurity Reports.--The Public Transit and Over-
the-Road Bus Information Sharing and Analysis Centers
distribute daily cybersecurity awareness reports to their
members.
Pipeline-specific cybersecurity efforts include:
TSA Pipeline Security Guidelines.--Initially developed in
2010 and revised in 2011, the Guidelines were revised again in
2018 to align with the NIST Cybersecurity Framework. TSA added
a new cybersecurity section to more accurately reflect the
current threat environment to help inform industry on how best
to allocate their security resources based on their operations.
TSA-Federal Energy Regulatory Commission (FERC) Joint
Voluntary Cyber Architecture Reviews.--Assesses the pipeline
system's cybersecurity environment of operational and business
critical network controls. These controls include the networked
and segregated environments of Industrial Control System
components, such as Supervisory Control and Data Acquisition,
Distributed Control Systems, Remote Terminal Units, Human
Machine Interfaces, and Process Logic Controllers.
Pipeline Cybersecurity Assessments.--DHS has established an
initiative to evaluate the cybersecurity posture of critical
oil and natural gas pipeline systems to determine their
cybersecurity practices and promote resilience. TSA has
partnered with CISA to develop on-site cyber assessments of key
pipeline systems as part of the Pipeline Security Initiative.
The assessments will provide pipeline owners with a
comprehensive evaluation and discovery process, focusing on
defense strategies associated with asset owners' specific
control systems network and segregated control assets. We plan
to evaluate as many critical pipeline systems as possible on
their cybersecurity posture by the end of this fiscal year, as
time and funding allows.
Corporate Security Review (CSR) Program and Critical
Facility Security Review (CFSR) Programs.--CSRs are conducted
to evaluate existing corporate security policies, procedures,
and practices, and make recommendations for improving existing
corporate security posture. The TSA CSRs have been updated to
include a more comprehensive and robust review of the
cybersecurity policies, plans, and practices that the pipeline
industry is employing. The CFSR program evaluates the top 100
most critical pipeline systems in the United States, collecting
site-specific information from the facility operator on
security policy, procedures, and physical security measures.
The CFSR program assessment questions have also been updated to
include cyber-specific measures.
Classified Briefings.--TSA sponsors Classified briefings for
pipeline owners and operators. These briefings provide owners
and operators with a need to know on updated pipeline cyber
threat information.
pipeline security success through voluntary actions
TSA had great success in working with the pipeline community to
develop and implement voluntary guidance and programs to enhance their
overall security programs and raise their baseline levels of security.
Specifically, the pipeline community has been very supportive and
receptive to our Pipeline Security Guidelines, including the addition
of a comprehensive cybersecurity section. The guidelines serve as the
de facto standard for pipeline security programs, and were developed in
close coordination with the pipeline industry. Major pipeline industry
associations continue to show support of and collaboration with the
measures set forth in the guidelines. Associations such as the American
Gas Association, the Interstate Natural Gas Association of America, and
the American Petroleum Institute, have written ``membership
statements'' committing to voluntary adherence to the Pipeline Security
Guidelines.
Pipeline operators have shown a willingness and ability to
voluntarily implement the mitigation measures set forth in the
guidelines. We have strong evidence that an industry-backed voluntary
program to reduce risk by increasing compliance with the guidelines is
working. TSA conducted 23 CSRs in fiscal year 2018, and those pipeline
operators assessed had a 90 percent compliance rate regarding Corporate
Security Program Management; an 85 percent compliance rate regarding
Security Incident Management; and an 80 percent compliance rate
regarding the TSA recommended cybersecurity practices detailed in the
2011 Guidelines. In addition, we have seen a strong increase in
corporate compliance when comparing results from a second review to a
company's first review. For 10 companies where we have conducted a
second CSR, we have seen the number of recommendations made decrease
from a total of 446 recommendations (first review) to 146 (second
review). In addition, companies have implemented corrective actions on
over 81 percent of the recommendations made during our CFSRs. This very
high rate regarding corrective actions is indicative of industry
acceptance and adherence to TSA Guidelines. In fiscal year 2019, we
will compile similar CSR data based on the updated 2018 Guidelines,
which will help determine how and where we apply additional resources
to the pipeline industry.
conclusion
In closing, TSA has been able to support the improvement of both
physical and cybersecurity across all surface modes of transportation,
including pipelines, thanks to the trust and relationships we have
cultivated with our Federal partners and industry. As evidenced by the
programs and resources TSA has collaboratively developed and
implemented for our surface transportation stakeholders, TSA is
committed to securing the Nation's surface transportation system from
terrorist and cybersecurity attacks. TSA looks forward to working with
Congress on these efforts. Thank you for the opportunity to discuss
these important issues. I look forward to the subcommittees' questions.
Mr. Correa. Thank you, Ms. Proctor.
I thank both of our witnesses for their comments.
Remind the Members that each one of us will have 5 minutes
for questions.
I will now recognize myself for some questions. Ms.
Proctor, I would like to start out with you. TSA currently
relies on voluntary standards for pipeline [inaudible] tell me,
is this good or bad?
Ms. Proctor. The approach that we use for working with the
pipeline industry has been very successful. Yes, we indeed do
use a voluntary approach, our Pipeline Security Guidelines were
developed with the industry and they were developed to allow a
voluntary involvement with the pipeline industry. What we know
is that with these guidelines we have flexibility to adjust the
guidelines to the threat environment and certainly if the
threat dictates, if there is a significant threat, the
administrator of TSA has the authority to issue a security
directive to focus on that threat and to require security
measures to address that specific threat.
Mr. Correa. So, Ms. Proctor, you are saying because of the
characteristics of cyber attacks that specific regulations
would be counterproductive in this area?
Ms. Proctor. Yes, Mr. Chairman. The nature of cyber threats
is that they are constantly emerging. They are emerging--much
faster than the Government's ability to write regulations to
address them and in this fashion if there is a significant
cyber threat the administrator may address that through a
security directive.
Mr. Correa. Any thoughts about how you would keep us as
policy makers apprised of your progress or lack thereof since
you are looking at really voluntary standards, self-reporting?
Ms. Proctor. Mr. Chairman, we would be happy to report to
this committee on our progress with industry on the progress of
the assessments that we conduct with industry; we actually go
out and conduct corporate security reviews, looking at the
headquarters, planning, the planning for cybersecurity plans,
physical plans, and we go out into the field and conduct
assessments at critical facilities. We conduct critical
facility, security reviews in the field and we are comparing
what we see in the field to the agreed-upon Pipeline Security
Guidelines.
Mr. Correa. Complying with the cybersecurity challenge can
be very expensive, for the private sector or Government. So my
question to you is, the private sector, do you see them
complying voluntarily with what they have got to do? Which is
to come up with the best practices, minimum standards or do you
have to push folks to go in the right direction; do you have to
push folks to do the right thing?
Ms. Proctor. Sir, what we have witnessed is that the
voluntary approach has been very successful. We have found that
the companies are making those investments in their own
cybersecurity, as well physical security, and they are doing
that to protect their ability to carry on their business as
well so we do believe that it has been effective in this
voluntary environment.
Mr. Correa. Quickly, another area, the realignment, TSA is
realigning some of its functions. Can you explain to us how
this realignment will affect surface transportation security?
Ms. Proctor. As a result of the realignment that
Administrator Pekoske has directed, the Surface Division assets
are going to shift over into the security operations area where
they will join with our Transportation Security Inspectors who
are already in the field, that Field Force is 200-plus strong
so we will be combining our surface division--our current
surface division assets with the 200-plus Transportation
Security Inspectors in the field, they will be working with us
in conjunction with our transportation security partners in the
field.
Mr. Correa. Thank you very much.
I am going to yield the remainder of my time.
I will now recognize our Ranking Member for the
Transportation Subcommittee, the gentlewoman from Arizona, Mrs.
Lesko, for some questions.
Ma'am.
Mrs. Lesko. Thank you, Mr. Chairman.
My first question is for either Ms. Proctor or Mr. Kolasky,
or both. Some have suggested that other Federal agencies take
over the role of physical and cybersecurity for pipelines, such
as the Department of Energy and I was wondering if one of you
or both of you can comment on why you think that it is
important that it remains under the purview of TSA and
Department of Homeland Security?
Ms. Proctor. Thank you, Ranking Member. We do believe that
the security of pipelines is best placed under the Department
of Homeland Security and the assets that the Department of
Homeland Security can bring to bear for the security of the
pipelines.
As has been mentioned here today, we are working very
closely with CISA to conduct comprehensive cybersecurity
assessments on pipelines and the authority that I mentioned
that the administrator, the TSA administrator has, gives him
the authority to require whatever measures are necessary to
secure the pipelines to be implemented almost immediately at
his direction, to secure the pipelines from any type of threat,
whether that threat is a cyber threat or whether it is a
physical threat.
Mr. Kolasky. If I could just add to that, Ranking Member
Lesko, you know, one of the things we recognize, Sonja, and I,
and our offices recognized is that we have some unique
capability across DHS that we can apply to the pipeline threat
and within the agency, the partnership we have established has
really served as a force multiplier to TSA cybersecurity
efforts.
The other thing I would augment that with, why I think this
is a good place for it to be, is the fact that a lot of the
nature of these risks, the control systems, the fact that
pipelines contribute to other critical infrastructures are
cross-sector and we really are a place and we serve as the hub
to bring information across sectors when we learn about risks
to some operational technologies, we can quickly get it in the
hands of TSA, to get out to the pipeline owners and operators,
we work together on that.
There's just a lot of shared risk in this space and
separating critical infrastructure, too much across agencies
you know, really runs the risk of creating stovepipes. I mean,
right now we have got a nice blended mix of working with
agencies, we work closely with the Department of Energy but I
don't think you want to take cybersecurity responsibilities out
of DHS and put them further afield because of that they are
more just challenge----
Mrs. Lesko. I have one more question for, Ms. Proctor. Let
me just read this from my notes. Recently the GAO determined
that, in a recent audit, determined that [inaudible] risk had
failed to identify critical facilities due to a lack of clarity
from TSA on defining of facilities' criticality. To remedy
these challenges GAO recommended that the TSA administrator
take 10 actions with which TSA concurred [inaudible] what
actions have been taken so that these high risks are
identified?
Ms. Proctor. Yes ma'am. Certainly, we have reviewed the GAO
report. We concur with the recommendations that GAO offered and
we are in the process now of addressing those recommendations
that were made by GAO. As you noted there were 10
recommendations that were made by GAO and four of those
recommendations deal with the pipeline risk ranking tool that
we used to help establish risk in the pipeline industry so we
are diligently working on all of the recommendations but we do
expect to have at least the first recommendation concluded
within about 60 days.
Mrs. Lesko. Thank you, ma'am.
I yield back my time.
Mr. Correa. Thank you, Mrs. Lesko.
I now recognize the Chairman of the Cybersecurity
Subcommittee, the gentleman from Louisiana, Mr. Richmond.
Mr. Richmond. I will pick up where the Ranking Member left
off and, Ms. Proctor, your answer indicates that you will
accomplish number 1 out of 10 in 60 days, what about the other
9?
Ms. Proctor. Mr. Chairman, we are working on all of those
10 recommendations at the same time. We have limited resources
to work on all of them at the same time so we are working to
address the ones that we know that we can satisfy and those
involve, again there were 4 that were associated with the risk
ranking tool, so we are working directly on those, as well as
the one that addresses the policy that we need to put in place
for the review of the actual guidelines.
Mr. Richmond. Let me just give you kind of an overview of
my district, largest petrochemical footprint in the country. We
are neighbors to chemical facilities. We have all of the major
rail lines running through our communities and for the most
part they are good corporate neighbors, good employers, and
they pay well.
However when we look at the risk associated with that, we
have to make sure we mitigate it because on those rail cars
that come through our communities are dangerous chemicals and
every other thing that you can think of. So when we are looking
at this, are we communicating the best, do we have strategic
partnerships set up? It is important to us and so as we talk
about the cyber risk for, let us say rail, and our pipelines
and our oil rigs and all of those, that now a lot of that is
controlled electronically.
If you think about the BP disaster which was an accident,
think of a BP disaster that was an attack, so how are we
communicating with those companies? But have we done anything
to make sure that those companies are holding their
subcontractors in their supply chain to the same high standards
that we want to hold them to?
Mr. Kolasky. So I can talk a little bit about of the nature
of your question. As you know, you mentioned chemical, you
know, through the CFATs regulation we put additional
requirements on chemical security, some of the facilities that
dealt with that. You know, you referenced the oil and natural
gas industry which operates pipelines that produces a lot of
what you are talking about; we work closely with the oil and
natural gas industry, with the Department of Energy.
You know, specifically in terms of supply chain risk, we
agree that this is an area that we have got to get deeper into,
people understanding the supply chain, I think there's an
understanding of that.
I referenced in my opening remarks a task force that we
have established with critical infrastructure owners and
operators which are focused particularly on threat information
sharing, setting up processes through threat-based decision
making, where should threat-based decision-making criteria be
established, that will be an interagency process where we are
able to get threat information out to help owners and operators
make a decision about companies or products they might not want
inserted in the supply chain; we are advocating, more deeply
understanding what is in a supply chain, that is an important
element.
But then there's also, it has to be mitigation steps, you
know, are people [inaudible] again is that written in the
expectation to do so in the contracts, that is the kind of
stuff we are studying the Task Force to make recommendations to
the Federal Government, how to do that for our own Federal
networks but also for critical infrastructure owners and
operators and what incentives will get people deeper in.
So you know, I would summarize a problem that we probably
don't have enough information out there to help everyone be
smarter buyers that could [inaudible] in talking industry we
will understand why the information might not lead to the right
decisions being made or us taking too much risk on, we don't
want to deal with this by just cutting off things but we want a
better understanding of risks that is being put into supply
chains and when there are [inaudible] that could be put out
there.
Mr. Richmond. Well, and I guess I will just say before Ms.
Proctor takes a shot of it but think of passenger rail which is
almost completely electronic, what are we doing to ensure the
traveling public safety and do we have a sense of urgency
understanding the risk that is out there?
With that, Mr. Chairman, I will yield back the balance of
my time.
Mr. Correa. Thank you, Chairman Richmond.
The Chair will now recognize other Members for questions
that they may want to ask.
In accordance with our committee rules, I will recognize
Members who were present at the start of the hearing, based on
seniority in the committee, alternating between Majority and
Minority. Those Members coming in later will be recognized in
the order of their arrival.
The Chair recognizes for 5 minutes, the gentlelady Ms.
Barragan, from California.
Ms. Barragan. Thank you.
I am going to actually, going to follow up on a question
that Congressman Richmond just asked. In December 2016 L.A.
Metro received a terror threat from abroad. It led to
heightened security and this terror threat was on a commuter
rail station, one that went into downtown Los Angeles, impacted
about a 150,000 riders a day on this line. So my question, it
was very similar to what Mr. Richmond just asked, but didn't
get an answer from. So I am going to follow up there.
When we talk about cybersecurity risk, to what degree are
we considering the safety of the traveling public as well, and
passenger rail and mass transit rely on computerized systems; a
cybersecurity attack on the system could also mean risking the
safety of the traveling public. What is being done to mitigate
these risks to the public and both of you can answer.
Ms. Proctor. We provide both information and intelligence
and that intelligence is delivered sometimes in an unclassified
setting but it is also delivered in a Classified setting, that
is one of the most important things that we do, is keeping the
systems informed about the level of threat, the type of threat,
which gives them the information that they need to apply
mitigating measures to that particular threat.
In conjunction with the supply chain issues that my
colleague mentioned, those issues put them in the best position
to ensure the safety of the traveling public. Most of our
transit systems have either their own law enforcement component
or they have an agreement with their local law enforcement
agency to provide security for the system. We have found them
to be very engaged.
We have found them to be involved not only in receiving
information not only from TSA but from our colleagues at the
FBI, with the Joint Terrorism Task Force and with their
[inaudible] to be effective. When we receive information that
suggests that some threat is present in mass transit you will
often see an increased visibility; uniformed law enforcement
officers including the VIPER teams from TSA, the ground-based
Federal Air Marshals who support our surface transportation.
We take that information very seriously and as soon as we
receive information that suggests that there might be some
threat to the system and whether that threat is physical or
cyber, we reach out to those systems to make sure that they are
aware so they can start to apply mitigating measures.
Ms. Barragan. Right.
Mr. Kolasky, do you want to add anything to that?
Mr. Kolasky. Yes. Let me talk to, specifically about the
rail. So Sonya mentioned information sharing, we know a lot
about cyber information, cyber things that might be happening
but one thing we did, a couple years ago is work with the rail
industry to attach cyber indicators, things that could be
happening in terms of tactics, techniques of a cyber attack, to
controls that would be most useful in a rail transit context.
So you know, we took general information and we organized it by
using the NIST Cybersecurity Framework, working with industry
where we could take specific indicators and say, if you see
this sort of stuff, here's what you might want to do in a rail
system, it is--it is that customization that helps.
Then I would just add on the physical security which you
referenced in 2016 and another thing we do DHS is you know, try
to enhance soft-target security and technology development that
can be deployed in transit settings you know, through our
Science and Technology Directorate partnership with TSA and
[inaudible] and do stuff through funding in transit systems so
you know, we are getting better every [inaudible].
Ms. Barragan. Recruiting and retaining a skilled cyber work
force is something the DHS and this committee has had a top
priority to do. Historically CISA has struggled to fill
important cybersecurity positions and I understand that TSA is
also looking to grow its cybersecurity work force. Mr. Kolasky,
does the new National Risk Management Center have enough of the
right people to carry out the ambitious goals you described
without depleting personnel from other parts of CISA?
Mr. Kolasky. We have all pledged not to cannibalize each
other so I think that is a good strategy here.
You know, we started with a good basis of analysts who have
experience, thinking about strategic risk, analyzing strategic
risks, doing planning, but we will be continuing hiring as we
go forward to establishing the National Risk Management Center,
we have about 20 positions that we are in the process of
filling so you know, as a director of an organization I always
want more talent; we are going to be pushing for it. I think we
have the ability to recruit people, becoming the Cybersecurity,
Infrastructure Security Agency is motivating us to get better
candidates; we are using tools, incentives to hire people and
things like that, but we want to keep pushing.
Ms. Barragan. Yield back.
Mr. Correa. Thank you, Mrs. Barragan.
I will now call on the gentlelady from New York, Miss Rice,
for 5 minutes for questions.
Miss Rice. I am familiar with one of the largest subway
systems that we have in this country, New York City Subway
System. It is a system that services 5.7 million people every
single day, traveling through 472 subway stations and across
662 miles of track--that is 1.8 billion people per year so I
wonder if there is a strategy specifically. I need to look into
this with the NYPD which I think is probably one of the premier
law enforcement agencies that you work hand-in-hand with.
Is there a strategy, and more importantly in New York City
where everyone is very impatient, and likes to get from Point A
to Point B as quickly as possible? You know, after 9/11
everything changed about how you travel, when you go into the
airport.
Is there a public appetite for that kind of security system
before you enter any system and I guess this is really a
rhetorical question so that is just to throw that out there and
I mentioned the impatience of New Yorkers because anything that
slows down their travel is something that they will probably
squawk about but you know, I would hate to have that be
instituted after a terrible tragedy happens where the appetite
might be more [inaudible] another thing, I'd like to ask you
about is China's growing footprint in the United States.
Industrial supply chain and infrastructure. They are rooted in
part by the emergence of the state-owned China Railway Rolling
Stock Corporation, CRRC for short, which I am sure you are all
well aware but they have won 4 out of 5 large U.S.
transportation [inaudible] has won contracts with the
Metropolitan transportation authorities in Philadelphia,
Boston, Chicago, and Los Angeles.
Another source I believe of the anxiety around these
acquisitions concerns is the development that CRRC won these
contracts by placing low bids. Many critics point to the fact
that the company receives support from Chinese government
through state subsidies which other contractors do not.
But also you know, you have Members of Congress, the
Pentagon, and industry experts that have stated concerns about
China's capabilities in deploying Chinese manufactured subway
railcars to engage in cyber espionage and surveillance, similar
to the Government's concern when it comes to Huawei in the
telecommunications field. What is the level of concern that
either one of you have? You know, and I guess this is a supply
chain question as well, but it seems to me that this is like a
big red flag; I know that New York does not contract with CRRC
but just your thoughts on that, it seems like just such a huge
red flag.
Mr. Kolasky. So two versions of thoughts. One thing that we
have to do, what we can to protect our information to not allow
China to use business information. [inaudible] There is an
increased threat and risk out there.
If you ask our specific concerns about any one of these, it
is less about whether it is CRRC or anything, it is about
practices that have been put in place to make sure that risk
isn't being introduced into the system.
So you know, this really comes into procurement questions,
do we have tight procurement, let us please not go with the
lowest bidder price-wise if you are a Metro Transit Authority,
let us make sure that they hit pretty tough security
requirements and then you can make a price-based decision but
the security requirements have to be built into the contracts,
part of those security requirements is looking at the
manufacturing, where the manufacturer's going, getting eyes on
as a procurer with technical expertise to make sure risk isn't
being introduced at the point of manufacturing [inaudible] how
you set up the maintenance so I don't want----
Miss Rice. Do you set up those requirements or at least the
laundry list of things that States and municipalities should
look at. How many States adhere to them?
Mr. Kolasky. So, I mean, we are still in the process of
working with the Transit Authorities. We had a conversation on
Friday where we shared some intelligence information around
that to help make decisions. Right now, I think there's an
opportunity for companies to put greater requirements into
procurement language, that is something that the TSA and us
will be working with the industry on.
Miss Rice. So what would be the pushback against adhering
to your guidelines?
Mr. Kolasky. I think when you talk to chief operating
officers, security officers, they want to do that, it is
pressures that they get from other pressures in----
Miss Rice. With costs?
Mr. Kolasky. Yes. So you know, we understand that these
decisions are trade-offs. We want to be in the side of pushing
hard for security, recognizing that there are other pressures,
the business in the Transit Authority space.
Miss Rice. Whether it is interference in our election
process which is well-documented. I mean, we have so many
vulnerabilities across so many fundamental infrastructures in
this country that we have to have a serious conversation about
this and I just think that if you are going to set up
guidelines, we have to try to understand why States are not
going to adopt them and abide by them, if you are the agency
from whom they are supposed to be getting this?
Mr. Kolasky. Sure there is good procurement in there.
We agree you know, we will set the guidelines, we will help
them do that. When security-based procurement decisions or
informed procurement decisions are not happening, that is where
the Executive branch and Legislative branch should have a
conversation about what are the limitations for that happening.
I don't know, I don't want vulnerabilities to turn into
risk, they are vulnerabilities as you said but let us really
take a risk-based approach to where the priority should before
activity.
Miss Rice. When you come up with those guidelines, what
data are you using to kind-of push that information out, what
are you basing your concerns on in terms of the supply chain,
the procurement process?
Mr. Kolasky. Based on, first of all, seeing systems, so
where we see vulnerabilities let us stick with elections
perception, we have gone out and we have worked with States and
counties to look at their election systems, see some common
vulnerabilities, we do that.
Also working with the vendors in areas to understand you
know, areas where additional guidelines would help their own
security side and taking advice through these protected
conversations, through the Critical Infrastructure Partnership
Advisory Council structure, we are hearing me, as somebody who
wants to make a security decision, do not feel like I have all
the information I need to make a security decision. So it is
these conversations that help us.
Miss Rice. Do you have anything that you want to add?
OK.
Thank you. I yield back.
Mr. Correa. Thank you, Miss Rice.
I will call in the gentleman from Rhode Island, Mr.
Langevin.
Mr. Langevin. Thank you, Mr. Chairman.
I want to welcome our witnesses here today and thank you
for your testimony.
Before I begin, I just want to mention I concur with
Chairman Thompson [inaudible] keep the pipeline, cybersecurity
in the realm of TSA and not see it shipped over to DOE so I
think that is an important point to make and I am glad that it
is been raised here today.
Obviously with all this and I think this hearing is
essential to focus on transportation security especially to
cybersecurity, these are the things that keep me up late at
night you know, as you know, where is the most damage that can
be done is in the area of critical infrastructure, in a number
of fields and so one of the aspects I want to focus on today is
on pipeline security and obviously you need the right policies
and procedures and plans put in place, you need the right
people with the right expertise.
So, Ms. Proctor, let me start with you, December 2018 GAO
report indicated that staffing in the Pipeline Security
Division was a major challenge with a number of empties ranging
from 14 all the way down to 1, across several fiscal years.
What is the current staffing level of the Pipeline Security
Division?
Ms. Proctor. Today the current staffing level is 5 but I
think it is important to say that with the realignment that has
been directed by the administrator, we will be shifting into
the Security Operations organization where we will have the
benefit of the additional Transportation Security Inspectors in
the field. You know, there are 200-plus of them that will serve
all of surface transportation so our Pipeline Section will be
much larger, we will draw from that pool of Transportation
Security Inspectors to provide the training and the experience
to put them in the Pipeline Section.
Mr. Langevin. How many do you estimate will be in and
specifically dedicated to pipeline security, or are you talking
about, they are going to be leveraged across all those fields
and from time to time they will rotate into the pipeline
security, I am not clear on your answer?
Ms. Proctor. Well, we think the Pipeline Section is going
to require specialized training so we are going to put those
people in there, provide the training and make sure that they
are qualified to go out and do those assessments.
We have not arrived at a final number yet, we are still
working on some of the staffing issues or the shifting of
personnel because it will serve all of our surface
transportation partners in a way that is going to allow us to
put more people in the field working directly with our surface
transportation partners.
Mr. Langevin. So of the 5 that you mentioned, those staff,
how many have expertise in cybersecurity specific?
Ms. Proctor. I am sorry we have none that have specific
cybersecurity expertise. They do have pipeline expertise but
not cyber expertise.
Mr. Langevin. I find that a troubling answer but let me ask
you, across all TSA services, service transportation of course,
how many specialize in cybersecurity?
Ms. Proctor. TSA does not have cybersecurity specialists.
We rely on our colleagues at CISA for cyber expertise. I mean,
that is a specialized field so we do rely on the DHS experts to
provide that input and they have, we work directly with them
when we were developing the Pipeline Security Guidelines, and
got input from them to develop the current Pipeline Security
Guidelines that have a cybersecurity section in them.
Mr. Langevin. OK. So we will stay on the topic of pipeline
security, approximately how many Critical Pipeline Systems are
there again in the United States? You maybe talked about this
earlier on, but----
Ms. Proctor. That number varies depending on mergers and
acquisitions, the number we work with is somewhere around a
120.
Mr. Langevin. OK so I [inaudible] at end of the year, I
mean, in your view given the number of pipelines that we are
talking about, is that adequate? Because it does not seem so to
me.
Ms. Proctor. I don't want to suggest that those are all of
the pipeline assessments that we do so we still do critical
facilities, security reviews and those are separate from the 10
comprehensive cyber assessments that we are doing with CISA so
we will continue to do those critical facilities security
reviews. We completed 62 of those last year, even given the
resources that we are working with now, but the 10 that we are
referring to are going to participate in the Comprehensive
Cyber Security Assessments that we are doing with CISA.
Mr. Langevin. OK, before my time runs out, I want to ask
you, Ms. Proctor, again the TSA Cybersecurity Roadmap provides
for the development of an implementation plan to see it put
into practice so had the actual implementation plan then
developed?
Ms. Proctor. We are in the process of developing that plan
now. You know, we recognize the priorities in the cybersecurity
plan and the value that it is going to bring to us in surface
transportation. That plan is relatively new but we are
reviewing that plan now to determine how we can implement that
in surface transportation.
Mr. Langevin. When do you think the plan will actually be
finalized and is Congress going to be provided a copy of that?
Because we would like a copy.
Ms. Proctor. We would be happy to provide a copy of that
finalized plan and I can certainly provide you an update on
when--when we believe that is going to be finalized. As
indicated, we are working through a number of requirements
right now including the GAO requirements so we are working on
all of those concurrently.
Mr. Langevin. All right. Before my time runs out, I just
want to ask this though, how do you expect the [inaudible] with
the roll-out of the Roadmap and what additional resources, if
any, are required to carry out the new plan once it is
finalized?
Ms. Proctor. The Cybersecurity Roadmap is going to require
more coordination with CISA and we will have to determine the
resources based on how we see that plan rolling out and how we
see it being implemented across all of the surface
transportation modes, but we have been working very closely
together, so those are some things that we are going to have to
continue to work and to ensure that we can carry out the
administrator's intent on that plan.
Mr. Langevin. But the resources are going to be factored
in, and actually as the plan is finalized you are working
through those additional resource requests now as well?
Ms. Proctor. I am sorry, I didn't----
Mr. Langevin. You are planning for additional resource
requests once the plan is finalized, is what I am hearing you
saying, correct?
Ms. Proctor. Yes sir.
Mr. Langevin. OK.
Thank you very much.
I will yield back.
Mr. Correa. Thank you, Mr. Langevin.
Now would like to call the gentlewoman from New Jersey,
Mrs. Watson Coleman, for 5 minutes of discussion.
Mrs. Watson Coleman. Thank you, Mr. Chairman.
Thank you very much for your testimony. What is the
greatest threat from a cybersecurity attack on the pipeline? Is
it that it would cut the flow of the natural gas or is it that
it would blow up, what is it?
Ms. Proctor. So we recognize that the threats to pipeline
from a cyber perspective do exist. Most of our significant
pipelines are controlled to some extent by computer systems
that manipulate valves and switches and controls----
Mrs. Watson Coleman. Right.
Ms. Proctor. So that impact would more likely affect the
operation of the system. We would assume that it would affect
more the operation of the system, the flow perhaps of the
commodity.
Mrs. Watson Coleman. Is there any other kind of threat that
could result in either a leakage or an explosion that could be
triggered by some nefarious actors?
Mr. Kolasky. So I think we would like to have a follow-up
conversation with you about threats where we can be more
specific in a different setting. I don't mean to put you off--
--
Mrs. Watson Coleman. OK.
Mr. Kolasky. But I think that is more appropriate.
Mrs. Watson Coleman. Thank you, because I am concerned. Do
you work with FERC at all?
Ms. Proctor. Yes ma'am, we do.
Mrs. Watson Coleman. Because in New Jersey, in my district,
there's a PennEast pipeline and I visited a home and the
pipeline is going through that person's yard and as close as
you are to me, is as close to the pipeline is to the woman's
bedroom and so things like that concern me about the siting of
these pipelines but in addition FERC hasn't had the
responsibility, the requirement of saying whether the pipelines
are in the vicinity and that could be somehow accessed so that
we don't have so many pipelines, we just have the efficiency
that we need and you don't deal with that issue with FERC at
all in terms of siting, right?
Ms. Proctor. No ma'am. We don't deal with the issue of
siting at all. We do work closely with FERC and we have
conducted Cyber Architecture Assessments with FERC so----
Mrs. Watson Coleman. But that is not proximity. That is not
location, that is infrastructure, right?
Ms. Proctor. Correct.
Mrs. Watson Coleman. If we have to have this conversation
in another setting but we keep talking about the
vulnerabilities that exists either in supply chain or in
cybersecurity or in any way impacting the safety and security
of any rail transportation, any pipelines and we say that we
are doing things to advise our clients, whomever of these
vulnerabilities.
Can you tell me in this setting: (A) How we identify these
vulnerabilities, and (B) how does the procurer ensure that
there's language or whatever that protects that item that they
are purchasing that is being built by China or anybody else? Is
that something that we can discuss here?
Mr. Kolasky. Yes. To some extent. I mean, first of all, I
want to reinforce that most of these worst-case scenarios,
there is a lot of fail-safes, there's layered defenses broken,
built in here and you know, one of our overall strategies is to
get better, better, better to make this stuff, the worst case
that you are imagining, incredibly complex and only
accomplishable by having physical access or doing things that
are likely to be picked up by a Layered Defense System.
So first and foremost strategy, it is better understanding
what is already put in place and putting in places to share
information as quickly as possible. When you make something
really complex just like with a terrorist attack, you are more
likely to see the plotting that is going on there----
Mrs. Watson Coleman. Yes.
Mr. Kolasky. We have come a long way in that direction. Our
adversaries might continue to get better but you know----
Mrs. Watson Coleman. Yes.
Mr. Kolasky. By making things complex is a good risk
management strategy.
Mrs. Watson Coleman. But I also want to know that when you
are purchasing rail cars, what is it that you tell the agency
that is advertising, these specific things are how you mitigate
the possible compromising of the safety and security of your
car or whatever?
Mr. Kolasky. Sure. So----
Mrs. Watson Coleman. And----
Mr. Kolasky. At the basic level we give them an overview of
business practices of companies and links to Chinese
intelligence doctrine, things that are available to understand
that there may be----
Mrs. Watson Coleman. I am going to assume----
Mr. Kolasky. Risks introduce into the system and then we
talk through what good procurement strategies are.
Mrs. Watson Coleman. I want to assume, worst-case scenario,
that we are purchasing cars from a company that means us no
good. I want to know specifically how do we protect against
that--what do we look for specifically to make sure that
whatever thing is that might compromise the safety of that car
and its passengers. How do we see it, how do we know it, how do
we look for it? [inaudible]
Mr. Kolasky. It leads to a follow-on discussion.
The last thing I would say is that one of the things we are
bringing in from a procurement perspective is the Federal
Government as a whole has experience in procuring things that
are really, really important to us and need to be secure and so
part of what we can do with DHS working with some of our folks
who do even bigger procurement is bring some of those
practices, share that with industry around so the relationship
with us and DOD and that sort of--in the testing that goes on
in National Labs, that stuff's really important to get to----
Mrs. Watson Coleman. OK.
Mr. Kolasky. The level of fidelity you want.
Mrs. Watson Coleman. So I thank you.
My time is up and I just want to say, Mr. Chairman, I
somehow would like to have a discussion in another environment
as to exactly what these things are.
Mr. Correa. I would love to do that, if we can I will.
Mrs. Watson Coleman. Thank you very much.
Mr. Correa. I will talk to the staff and, Mrs. Watson
Coleman, let us see if we can do that.
Thank you very much and recognize Ms. Slotkin for 5 minutes
of questions. Thank you.
Ms. Slotkin. Yes. Hi, sorry to be late. I apologize. I am
happy to be the only one at this giant table down here.
I apologize if this is slightly repetitive. I like the--
some of my other fellow Congress men and women, have pipelines
going through my district, some of them extremely close to the
homes, many of them the route had been changed without the
citizens' awareness and there's a lot of citizens who are
concerned about their safety, as we all would be.
So can you just walk me through in sort-of clear terms No.
1, what you have done to prevent cyber attack and then No. 2,
if there's a specific threat or a risk; I am from the
intelligence community, former CIA officer and was definitely
aware that there was plenty of time, there were Classified
information, threats, concerns, new techniques, that were
Classified so we couldn't actually communicate with local
businesses, with local communities, local law enforcement, even
on the real nature of the threat so what have--what are we
sort-of doing to protect ourselves and then tell me about your
modus operandi on presenting information down to unclassified
users?
Ms. Proctor. So with regard to the threat and this goes
back to our information sharing. Two weeks ago, I believe we
had a Classified briefing with members of the industry. It was
a Top-Secret Classified briefing to talk about the threat. As a
matter of fact, tomorrow we have another meeting with another
Classified briefing with industry so we have found ways with
our intelligence colleagues of providing the necessary
information that our industry partners need in order to protect
their industry from cyber threats so from the intelligence
perspective we have been able to manage that with our
intelligence partners.
I don't believe that there has been an unresolved issue
with the intelligence that we are providing. We are providing
everything that we can provide in the appropriate atmosphere,
with people who have the appropriate clearances so in terms of
the information I believe that we are getting that out to the
right people.
Mr. Kolasky. And----
Ms. Proctor. On the--cyber side, I am going to let----
Mr. Kolasky. You referenced community-level law
enforcement, and this is where the fusion centers, the DHS,
sponsors, come in very handy, there are somewhere around 85
around the country and both with industry but more particularly
with law enforcement and people who have been close to
community-level decisions [inaudible] teleconferences and
things like that.
Then implied in your question, obviously is not everyone is
going to have a clearance no matter how good we get at doing
that so you know, we want to push, giving more out, the
unclassified assessment, as you probably can guess what was in
the Worldwide Threat Assessment that Director Coats talked
about, that takes a while to get that statement to be made but
that statement becomes important because it lights a fire on
the importance of this issue and we have been following up with
industry both in the Classified and unclassified community
space with that.
Ms. Slotkin. So related to that, if there was an incident
and because of declassification or problems with sharing, that
information did not get to the company, who is the senior
accountable official, who would be responsible for that mishap,
would it happen?
Mr. Kolasky. We within CISA have the ability to give
private-sector clearances out so we will facilitate private-
sector members getting access to information, depending on the
nature of the information you are talking about it is on us as
a Government, who have that information to give as quickly as
possible to the cleared community. I am not going to speculate
on the exact hypothetical--it is our job to make sure we have
opened up the channels to give Classified information.
We in other parts of the Government also have 1-day reading
authorities where if you don't have a clearance but you need to
have this information and so you know, I think we all feel
obligated to make sure that information gets in the hands of
somebody who could do something as soon as possible once we
know that is credible information.
Ms. Slotkin. OK. I would just say, again CIA and FBI
weren't communicating particularly well during 9/11. There has
to be accountability if there's mistakes; I am not saying
anyone's you know, God forbid, planning for mistake but it is
nice to know that you know, who is responsible for making sure
we pushed down this information to industry.
But I will yield back the rest of my time.
Mr. Correa. Thank our witnesses for your comments.
Now if I may, I would like to take a 5-minute recess and
then come back and start with our second panel.
Members please try to be back in 5 minutes. Thank you very
much.
[Recess.]
Mr. Correa. The committee will now come to order.
We will start with our second panel.
Our first witness is Mr. James Lewis, serves as senior vice
president and the director of the Technology and Public Policy
Program at the Center of Strategic International Studies.
Next we will have Ms. Rebecca Gagliostro, my apologies, who
is the director of security, reliability, and resilience at the
Interstate Natural Gas Association of America which is
comprised of 27 members representing a vast majority of
interstate natural gas transmission pipeline companies.
Next, we will have Mr. Erik Olson, who is a vice president
of the Rail Security Alliance, which is a coalition of North
American freight, rail car manufacturers, suppliers, unions,
and steel interest.
Finally, will have Mr. John Hultquist, who serves as
director of intelligence and analysis at FireEye. He has over
10 years of experience, covering cyber espionage, hacktivism,
and has worked in senior intelligence analyst positions in the
Department of State.
Without objection the witnesses' full statements will be
inserted to the record.
I will ask now each witness to summarize their statements
for 5 minutes, beginning with Mr. Lewis.
Thank you, welcome sir.
STATEMENT OF JAMES A. LEWIS, SENIOR VICE PRESIDENT, CENTER FOR
STRATEGIC AND INTERNATIONAL STUDIES
Mr. Lewis. Thank you. I thank the committee for the
opportunity to testify.
We have entered an era of connected devices sometimes
called the internet of things that offers real economic benefit
but comes with increased risk to homeland security and much of
this risk comes from the global supply chain. Most
infrastructure and transportation systems as you have heard are
connected to the internet in some way and depend on computers
for their operation. This includes electrical power systems,
pipelines, telecommunications and increasingly vehicles which
continuously connect back to their manufacturer wherever that
manufacturer is located and these connections provide
opportunities for espionage and service disruption.
As the committees have heard for many years, the state of
cybersecurity remains poor. Most networks can be hacked, cyber
crime continues to grow, and cyber attack is an essential part
of state conflict.
Our task is to mitigate risk. One way to do this is to ask
how a device connects to the internet, what information it
transmits, and how much transparency and control an operator
has over this data and connection.
Another way is to use three metrics: The value of data
collected; the critical [inaudible] variable data; perform
critical functions or whose disruptions could produce mass
effect, need to be held to higher standards.
Currently the internet of things is probably more
vulnerable to disruption than the regular good old internet.
For critical infrastructure we can ask how we would continue to
operate in the event of a malicious incident and to what degree
our control over these infrastructures are shared with a
foreign manufacturer.
Products from China require special attention. The
combination of increased Chinese espionage, new national
intelligence law on China, pervasive surveillance, and
heightened military tensions have led to a dangerous situation
but the United States and China share a deeply integrated
industrial base, disentangling this would be costly, although
some now talk of a divorce. China is not the only country that
could exploit cyber vulnerabilities and critical
infrastructure. Iran and Russia have probed pipelines and other
infrastructures, including electrical power.
There are several steps we can take to reduce risk. The
most obvious is to improve network and device security. DHS's
Cyber and Infrastructure Security Agency, CISA, should be the
center of this effort.
The development of security standards is essential. The
NIST Cybersecurity Framework is a strong start but it needs to
be amplified and expanded for specific technologies. Any
defensive measure must accept that we cannot keep a determined
opponent out of our networks. This means that we must also
consider measures to increase resiliency and allow for
continued operation, integrated environments; this is the goal
that DOD has. Better security requires oversight. This is
clearly a task for the committee but also for CISA.
Finally, a defensive approach by itself is inadequate. The
United States needs to develop credible threats to deter
foreign attackers and persuade them that interference in
critical infrastructure comes with the unacceptable risk of
retaliation. We do not have this now. That would be a useful
thing to do.
We haven't talked about the security premium which is what
many of us call it, it has come up several times [inaudible] in
part because it is subsidized by the government. There might be
a Chinese intent, it is worth looking at, this subsidy but it
means for companies--and we see this particularly with Huawei--
they must choose between buying cheap good equipment or more
expensive equipment that is secure, and that is a difficult
choice. I am not sure everyone will always come out in the same
place.
Thank you for the opportunity to testify. I look forward to
your questions.
[The prepared statement of Mr. Lewis follows:]
Prepared Statement of James A. Lewis
February 26, 2019
I would like to thank the committee for the opportunity to testify.
My testimony will discuss the risks to homeland security from the use
of Chinese technology and equipment.
Chinese companies face a serious branding problem in many
countries. There is a level of distrust that has been created in good
measure by Chinese government policies. The most prominent of these
policies are China's aggressive mercantilism, its disregard for
international law, its massive espionage campaign, and, for the United
States, its announced intention to displace America and become the most
powerful country in the world, reshaping international rules and
practices to better fit the interest of China's rulers.
Espionage has been a part of the of the Sino-American relationship
since China's opening to the West in 1979. It is worth remembering that
at this time, the United States and China shared a common enemy--the
Soviet Union. This created incentives for cooperation that have long
vanished. Chinese espionage initially focused on repairing the
disastrous effects of Maoist policies on China's economic and political
development. This meant the illicit or coercive acquisition of Western
technology. As China's cyber capabilities improved, beginning in the
late 1990's, some PLA units turned to hacking as a way to supplement
their incomes, moonlighting by stealing Western intellectual property
and then selling it to Chinese companies.
The illicit acquisition of technology is still a hallmark of
Chinese espionage activity, but there have been significant changes
since President Xi Jinping came to power in 2013. One of the first
things Xi did, reportedly, is order an inventory of Chinese cyber
espionage activities. He found that many of these had not been ordered
by Beijing, that Beijing did not have full control over tasking and
assets, and some operations were for private interest and did not meet
China's strategic requirements.
Xi changed this. The Chinese military has been reorganized as part
of a larger effort to modernize the PLA. Xi's anti-corruption campaign
greatly reduced the ability of PLA units to ``moonlight.'' Chinese
intelligence collection is better organized, more focused on strategic
priorities, and, some would say, better in performing its missions.
This comes at a time when, according to the U.S. intelligence
community, Chinese espionage has reached unprecedent levels. Today,
these efforts focus on the acquisition of advanced military and
commercial technologies, since China still lags the United States in
technology, as well as military and government targets.
The United States and China reached an agreement in 2015 to end
commercial cyber espionage, but it is generally believed that this
agreement has broken down in the last year. At the risk of sounding
overly dramatic, some would describe this situation as an undeclared
espionage war between China and the United States. In fact, this is not
a war, but a very intense contest where the United States is largely on
the defensive. Our allies also face a similar problem with Chinese
efforts in Australia, Japan, Germany, the United Kingdom, Canada, and
other advanced economies.
These activities create distrust, and a more specific ground for
distrust is China's 2017 National Intelligence Law. For some years, the
United States had advised China to move away from an informal, ad hoc
system of rules and put in place a formal legal structure based on
laws. The Chinese took our advice and one result is that long-standing
Chinese policies and practices have been codified into the 2017
Intelligence Law. The most important part of that law for today's
hearing is that it creates a legal obligation for Chinese companies to
cooperate fully with intelligence agencies upon request. There are no
grounds for appeal or an ability to refuse such requests.
This means that a Chinese company could be completely innocent of
any wrongdoing, its products harmless, but a decision by the Chinese
government could change that in an instant. In the context of an
increasingly aggressive global espionage campaign, often conducted
using cyber techniques, there are reasonable grounds for the distrust
of Chinese products. The first question to ask is not whether you trust
a Chinese company, but whether you trust the Chinese government.
Concerns over the Intelligence Law have become so significant, in
part because of the implications of using Huawei telecommunications
equipment, that China's official news agency felt obliged last week to
put out a press release calling for a comprehensive and accurate
translation. China's Foreign Ministry pointed out that while Article 7
of the law stipulates the obligation for Chinese companies and
individuals to ``support, assist, and cooperate'' with the country's
intelligence service, Article 8 stipulates that China's intelligence
service should carry out its work according to law, protect human
rights, and safeguard the legal rights and interests of individuals and
organizations. Unfortunately, this promise is undercut by China's
recent behavior in regard to human rights and in the protection (better
expressed as the absence of protections) for the intellectual property
of foreign companies.
We should note that China's government expresses similar concerns
over their reliance on Western technology, in part because they assume
the relationship between Western companies and government is the same
as the relationship between Chinese companies and the government. This
official distrust of Western products is one reason why Beijing is
spending billions of dollars to develop national sources of supply for
many technologies. These subsidies also provide commercial benefit, in
building national champions in Chinese industry and in eroding Western
companies' market position.
China also leads the world in building a national system of
pervasive domestic surveillance. Communications and social media are
monitored, and an array of sensors monitor and record activities in
urban areas. This sensor data is correlated with information held by
the government on Chinese residents' behavior and communications. This
pervasive surveillance is not popular among many Chinese, but it is
increasingly difficult to escape. One concern is that China will to
some degree extend this pervasive surveillance to countries and persons
of interest outside of China or extend its extensive cyber espionage
campaign to include coercive actions, like disrupting critical
services. This is not something China would do lightly, but the risk
cannot be dismissed.
The combination of increased espionage, new legal obligations,
pervasive surveillance, and heightened military tensions make for an
uncomfortable and potentially dangerous situation, with implications
for U.S. security. The United States and China share a deeply
integrated industrial base, constructed during the time when we assumed
that China was moving in the direction of becoming a market economy and
a security partner. Disentangling this deeply integrated supply chain
would be costly and damaging to both countries, but some in America now
talk about a ``divorce'' while China is spending heavily to reduce its
reliance on the United States.
Beyond the espionage risk, there is potential risk for critical
infrastructure that is growing. As more devices become connected to the
internet and reliant on software, the opportunities for disruption will
grow. This is not specifically a China problem, but a change in the
technological environment as millions of devices connect to the
internet in ways that China (or other malicious actors) could exploit
for coercive purposes.
As the committee has heard for many years, the state of
cybersecurity remains poor and almost any network or device can be
hacked with enough persistence. Cyber crime continues to grow, and
cyber tools have become an essential part of state conflict. If it is
any consolation, China's cybersecurity is worse than ours, if only
because of their frequent use of pirated software. Improving
cybersecurity should be a potential area for cooperation between the
two countries, but the current state of relations does not permit that.
An environment of connected devices, often called the internet of
things, is formed by devices that connect to the global internet,
usually without human intervention. We all have heard of smart cars but
many large systems in infrastructure and transportation also rely on
computers and connectivity. This environment will provide real economic
opportunities and benefits, but it also comes with an increase in risk.
Our task should be to estimate this risk and then develop strategies to
mitigate it. Different technologies and different companies create
different levels of risk, and there are several ways to assess this.
One way to scope risk is to ask how a device connects to the
internet, what on-board sensors it has, what information it collects
and transmits, and how much transparency, insight, and control an
operator has over this data and connection. Many large capital goods,
such as power technologies, pipelines, telecommunications and ships,
are continuously connected over the internet to their manufacturer, to
allow for status reports, maintenance scheduling, and for the updating
of software. This continuous connection provides an opportunity to
collect information and to disrupt services. Instead of an update, a
command could be sent to turn off or to reduce speed.
We have seen several examples of Chinese devices that report home,
from drones to surveillance cameras, with the concern that under the
new intelligence law, the Chinese government could compel the provision
of the data collected by these technologies. This kind of monitoring
and collection has been a standard practice for intelligence agencies
that will certainly extend to the internet of things, and the risks of
connected devices is compounded when their home is in a hostile foreign
power.
We could scope risk by measuring the cybersecurity status of
connected devices. The National Institute of Standards and Technology
(NIST) is developing, in partnership with industry, standards for the
security of IOT devices. But this is still at a relatively early stage.
In general, the internet of things will be no more secure than the
existing internet and may be more vulnerable, since many IOT devices
will use simple computers with limited functionality.
We can also assess risk by using three metrics--the value of the
data accessible through or collected by the IOT device, the criticality
of a function the connected device provides, and scalability of
failure. Devices that create or collect valuable data, perform crucial
functions, or that can produce mass effect, need to be held to higher
standards and face greater scrutiny.
For critical infrastructure, we need to ask the same questions
about using Chinese products that we would ask for any critical
infrastructure protection policy: How sensitive are the operations and
the data associated with or accessible through the infrastructure, what
would happen if the infrastructure was disrupted by an opponent, how
would we continue to operate and then recover in the event of a
malicious incident, and for foreign products, and to what degree is
control or access shared with the foreign manufacturer?
The type of data collected and transmitted is a crucial element of
a risk assessment. Intelligence analysis data is driven by access to
large amounts of data and the ability to correlate it with other data.
Data analytics provides new intelligence insights. A well-known example
is the hack attributed to China of the Office of Personnel Management
(OPM) and the theft of personal information. It is likely that OPM was
one of a series of related hacks, of insurance companies, airlines, and
travel agencies, that provided additional data that could be used to
gain insight into America, personnel and practices. This means that
even seemingly insignificant data, if correlated with other
information, may provide influence value. The more ``granular'' the
data, and whether it refers to specific individuals, the greater its
value. Less granular data, such as how many people are sitting on a
train or at which stop they exit, may not pose much risk.
Managing our new competition with China will be difficult given the
close interconnection between the U.S. and Chinese economies. This is a
30-year commercial and technological partnership not easily dismantled
by either side. Given the deep interconnections that have grown between
the Chinese economy and the rest of the world, a bifurcation similar to
that seen during the Cold War is not possible, and it is not now in our
interest. A greater degree of separation between the two economies is
necessary but must be carefully developed for specific technologies and
based on a judgment on the risk that their use could provide China with
an intelligence, military, or unfair commercial advantage.
These risks are manageable, and we have to contrast them to the
risk to the America economy from a violent disruption of trade with
China. Generally speaking, a complete divorce is not in our interest;
and it is certainly not in China's interest. There are specific
technologies and circumstances that require greater scrutiny and
countermeasures, but this does not apply across the board (at least at
this time). Working with our allies, we can modify China's behavior to
make this relationship more stable and less risky. We have done so in
the past, but this will be a process that will take years to complete,
and in the interim, there are steps we must take to reduce the risk of
Chinese interference and espionage.
The most obvious is continued work to improve network and device
security. This will require some measure of regulatory action and close
partnership with the affected industries and operators. One size does
not fit all when it comes to regulation, so the potential risk of IOT
and Chinese technology must be managed using the sector-specific model
developed in the previous administration, and partnerships between
companies, agencies with oversight, and DHS's new Cybersecurity and
Infrastructure Security Agency (CISA) should be the core of this
effort.
The development of security standards is a necessary complement to
any regulation or voluntary action. The NIST Cybersecurity Framework is
a good starting point for this but must be extended and modified for
different kinds of transportation systems. CISA's Transportation
Systems Sector Cybersecurity Framework Implementation Guide, published
in June 2015, provides guidance to owners and operators on how to
assess and implement cybersecurity standards.
All of these measures--voluntary action, regulation, and
standards--must be predicated on the knowledge that we cannot keep
opponents out of our networks and devices. We can make it harder for
them but not impossible. This means that measures to increase
resiliency, to allow for some level of continued operation in degraded
conditions is essential. This adds expense to critical infrastructure,
of course, and one part of any plan is to ask how this additional
burden will be funded and whether the increase in risk is outweighed by
the potential savings--we should not automatically assume that the mere
existence of risk cancels out financial benefits.
All of these steps require oversight to assess risk and
improvement. This is clearly a task for Congress and this committee,
but also for the responsible agencies, industry bodies, and, in
particular, for CISA. The key question for assessment is whether the
use of the Chinese technology increases the risk of disruption or
espionage, and the answer to this will depend in good measure on how
the Chinese products connect to the internet.
Finally, a purely defensive approach will be inadequate. The United
States needs to develop and articulate credible counterthreats to
dissuade and deter foreign attackers. This may require more than
sanctions and indictments. Although they are useful and have effect
over the long term, they may need to be reinforced other punitive
measures, part of a larger strategy on how to impose consequences and
change opponent thinking. Given the level of vulnerability and the
potential increase in risk from both the acquisition of foreign
technology and the digitizing of critical services, we must persuade
opponents that any interference will come with unacceptable risk or
retaliation by the United States.
There are trade issues that I have not touched upon, such as the
Chinese practice of building national champions through government
subsidies and, in some cases, industrial espionage. China also uses
non-tariff barriers and other protectionist mechanisms to hobble or
block competition from foreign firms in China. These Chinese practices
harm our National interests and should be opposed as part of a larger
effort to change China's behavior and move it in the direction of
reciprocity.
I thank the committee for the opportunity to testify and look
forward to any questions.
Mr. Correa. Thank you, Mr. Lewis.
Now I would like to recognize, Ms. Gagliostro, to summarize
her statements in 5 minutes.
STATEMENT OF REBECCA GAGLIOSTRO, DIRECTOR, SECURITY,
RELIABILITY, AND RESILIENCE, INTERSTATE NATURAL GAS ASSOCIATION
OF AMERICA
Ms. Gagliostro. Thank you.
I am delighted to be here today to share our thoughts on
cybersecurity in the pipeline industry. My name is Rebecca
Gagliostro, director of security, reliability, and resilience
at the Interstate Natural Gas Association of America.
INGAA is a trade association that advocates regulatory and
legislative positions of importance to the Interstate Natural
Gas Pipeline Industry. Our 28-member companies operate
approximately 200,000 miles of interstate natural gas pipelines
that are analogous to the interstate highway system. Like the
highways that are the arteries for so much of our Nation's
commerce, interstate natural gas pipelines are the
indispensable link between U.S. natural gas producers and
consumers.
In my role at INGAA, I work directly with our members to
ensure that our pipeline infrastructure remains resilient,
safe, and secure. Cybersecurity is a priority for the Natural
Gas Pipeline Industry. INGAA member companies work worked
diligently to secure our Nation's critical gas transmission
infrastructure from both cyber and physical security threats.
Cybersecurity has been identified as the top operational risk
by the executive leadership of our member companies and we take
the management of this risk very seriously.
Last year in recognition of this priority, INGAA's board of
directors set forward with its commitment the Pipeline Security
Statement. This Statement enumerates specific actions that all
of our member companies are taking as part of their security
program. The Statement emphasizes among other things, our
commitments to following the Transportation Security
Administration's Pipeline Security Guidelines.
Industry security efforts seeks to reduce the risk posed by
successful attack targeting our infrastructure. A foundational
element of a well-informed risk management program is
comprehensive information sharing. This is the key point that I
would like to emphasize. Real-time actionable information is
vital to ensuring our pipeline operators are equipped with the
latest intelligence on threats.
Information sharing is occurring today between INGAA member
companies and other industry stakeholders through the work of
our Information Sharing and Analysis Centers also known as
ISACs, however this is not industry's responsibility alone. It
is imperative that we also have a cooperative working
relationship with our Government partners to help facilitate
information sharing.
We would like to note that there is strong information
sharing occurring today with our partners at TSA and the
Department of Homeland Security and we would like to see this
relationship continue.
INGAA believes that TSA's Pipeline Security Program is
making a difference as it continues to improve. We understand
that TSA has accepted the Government Accountability Office's
recommendations for improving the management of its Pipeline
Security Program and it is now in the process of implementing
changes in response to those recommendations. INGAA strongly
believes that if followed these recommendations will help to
make a stronger and more robust program.
The increasing threat of nation-states cybersecurity
attacks and interdependencies across our critical
infrastructures means that we must work together across
industry and Government to protect ourselves against threats.
The work that TSA and the Department of Homeland Security are
doing with the National Risk Management Center is a very
positive step toward the end goal of protecting the Nation from
cybersecurity threats.
Threats to critical infrastructure cannot be evaluated in
isolation; all critical infrastructures are being targeted,
therefore we must identify the best ways to work together to
protect our National security.
In October, TSA and DHS announced their joint partnership
in the Pipeline Cybersecurity Assessment Initiative which is
working to conduct Comprehensive Cybersecurity Assessments to
pipeline infrastructure. Assessments play a critical role in
providing the assurance that these programs are working. TSA
has already piloted one INGAA member assessment in 2018 and our
members continue [inaudible] we believe that progress has been
made in securing our pipeline infrastructure and we should
continue to focus on improving TSA's Pipeline Security Program.
The growing threat of nation-state cyber attacks requires a
coordinated and comprehensive approach backed by strong
information sharing across all critical infrastructures sectors
and across all Federal agencies supporting National Security.
TSA's on-going work with the National Risk Management Center is
helping to bridge that gap.
We urge Congress to support TSA's efforts to improve its
program and provide the necessary guidance and funding for
additional program-management staffing and cybersecurity
expertise that can work alongside the National Risk Management
Center and support the Pipeline Cybersecurity Assessment
Initiative. We believe that this, in addition to the efforts
that are already under way, will help to make TSA successful in
its mission to protect the Nation's pipeline infrastructure.
Thank you.
[The prepared statement of Ms. Gagliostro follows:]
Prepared Statement of Rebecca Gagliostro
February 26, 2019
Good morning Chairmen Correa and Richmond, Ranking Members Lesko
and Katko, and Members of the subcommittees. I am delighted to be here
today to share our thoughts on cybersecurity in the pipeline industry.
I am Rebecca Gagliostro, the director of security, reliability, and
resilience at the Interstate Natural Gas Association of America
(INGAA). INGAA is a trade association that advocates regulatory and
legislative positions of importance to the interstate natural gas
pipeline industry in the United States. INGAA's 28 members operate
approximately 200,000 miles of interstate natural gas pipelines that
are analogous to the interstate highway system. Like the highways that
are the arteries for so much of our Nation's commerce, interstate
natural gas pipelines are the indispensable link between U.S. natural
gas producers and consumers. In my role at INGAA, I work directly with
our members to ensure that our pipeline infrastructure remains
resilient, safe, and secure.
Cybersecurity is a priority for the natural gas pipeline industry
INGAA member companies work diligently to secure our Nation's
critical gas transmission infrastructure from cyber and physical
security threats. The boards of directors and executive leadership of
our member companies have identified cybersecurity as a top operational
risk and take the management of this risk very seriously. Last year, in
recognition of this priority, INGAA's board of directors stepped
forward with its Commitments to Pipeline Security\1\ statement, which
enumerates specific actions that all of our member companies are taking
to identify, protect, detect, respond to, and recover from security
threats targeting our systems. In addition, the statement emphasizes
our members' commitments to following the Transportation Security
Administration's (TSA's) Pipeline Security Guidelines and the National
Institute of Standards and Technology's (NIST's) Cybersecurity
Framework, and to engaging in comprehensive information sharing across
the industry and with our Federal partners. These are the foundations
to building and maintaining strong pipeline security programs.
---------------------------------------------------------------------------
\1\ INGAA Commitments to Pipeline Security, https://www.ingaa.org/
File.aspx?- id=34310&v=db10d1d2.
---------------------------------------------------------------------------
INGAA's commitments provide a high-level roadmap of what our member
companies are doing to secure our infrastructure, as appropriate for
public dissemination. In practice, our members' security programs are
far more extensive than the information that may be conveyed by these
commitments. It is our firm belief that we must be continually vigilant
and entirely committed to the on-going improvement of our security
defenses because the adversaries seeking to harm infrastructure of all
kinds, including natural gas pipelines, are nimble and the threats they
pose are evolving.
Pipeline operators take a risk-management approach to addressing
security threats
Industry security efforts seek to reduce the risk posed by a
successful attack targeting our infrastructure. This risk-informed
approach helps us prioritize our actions and allocate appropriate
resources toward the highest priority. Pipeline operators utilize a
variety of tools and resources, like the NIST Cybersecurity Framework
and the TSA Pipeline Security Guidelines, to build well-rounded
cybersecurity programs that effectively assess and manage the risks
that we face. We recognize that cybersecurity risk management
strategies must be comprehensive in nature and must implement measures
to both reduce the likelihood of a successful attack and mitigate the
impacts of a successful attack, should one occur. As such, pipeline
operators assess their security programs using a variety of resources
such as Federal assessment programs, self-assessments, peer reviews,
and third-party vulnerability and penetration tests. Exercises and
tabletops also play an important role in testing our security programs,
sharing information with our peers about our security practices, and
planning for how we will work across industry, interdependent sectors
and with first responders during an incident.
A foundational element of a well-informed risk management program
is comprehensive information sharing. This is a key point that deserves
emphasis. Real-time, actionable information is vital to ensuring
pipeline operators are equipped with the latest intelligence on
threats, including known tactics, techniques, and mitigative measures.
This, in turn, enables operators to evaluate their risks and tailor an
approach that best fits the needs of their individual systems and
environments. Strong information sharing already occurs today between
INGAA member companies and other industry stakeholders through the work
of our information sharing and analysis centers (ISACs), including the
Downstream Natural Gas (DNG) ISAC and the Oil and Natural Gas (ONG)
ISAC. However, this cannot be industry's responsibility alone. It is
imperative that we also have a cooperative relationship with our
Government partners to facilitate rapid information sharing. It is
worth emphasizing that the pipeline industry has a strong information-
sharing relationship with our partners at TSA and U.S. Department of
Homeland Security (DHS). We would like to see this relationship of
trust continue and develop, as we look toward these agencies to
declassify threat intelligence and provide us with the timely,
actionable information necessary to protect our systems and
infrastructure.
The Transportation Security Administration pipeline security program is
improving
The Aviation and Transportation Security Act (Pub. L. 107-71)
(``ATSA'') vested the Transportation Security Administration with
authority over pipeline security. Pursuant to this authority, TSA
offers guidance on expected practices and procedures necessary to
secure the Nation's critical pipeline infrastructure. TSA offers
several programs, tools, and products to assist pipeline operators with
protecting their infrastructure, including Critical Facility Security
Reviews, Corporate Security Reviews, Pipeline Cybersecurity
Assessments, Smart Practices, I-STEP, Security Awareness Training
Videos, and the International Pipeline Security Forum.
TSA acknowledges that there remains room for improvement in its
pipeline security program. The agency has accepted the recommendations
for improving the management of its pipeline security program that were
made by the Government Accountability Office and is in the process of
implementing them. INGAA strongly believes that if followed, these
recommendations will help to make a stronger and more robust program.
Following the tragic events of September 11, 2001, TSA's security
program was rooted in the physical security threats targeting our
critical infrastructure. As acknowledged in a recent statement by
Director of National Intelligence Dan Coats, sophisticated nation-
state-backed cybersecurity capabilities present a real threat to our
critical infrastructure. These threats have led to increased emphasis
by TSA and our sector on protecting pipeline infrastructure from
cybersecurity threats. It is important to stress that these threats are
faced by all critical infrastructure and not just natural gas
pipelines. The increasing interdependence across the segments of our
Nation's critical infrastructure means that we must work together
across industry and Government to protect ourselves against these
threats.
The work that TSA and DHS are doing through the National Risk
Management Center (NRMC) is a very positive step toward the end goal of
protecting the Nation from cybersecurity threats. These agencies are
working together to understand how sophisticated, nation-state threat
actors seek to identify ways to harm all U.S. critical infrastructure.
We believe this approach is significant because these threats cannot be
analyzed effectively in isolation. All critical infrastructure is being
targeted; therefore, we must identify the best ways to work together to
protect our National security.
In October, these agencies announced the Pipeline Cybersecurity
Assessment Initiative, which is working to conduct comprehensive
cybersecurity assessments of natural gas infrastructure to better
understand the unique risks faced by our infrastructure as well as to
identify how best to protect it. In addition to having a recognized
baseline of practices, assessments are critical to providing assurance
that these programs are working. TSA has already piloted one INGAA
member assessment in 2018, and INGAA members continue to volunteer to
participate in these new assessments in 2019.
Next steps for building upon progress to secure pipeline infrastructure
INGAA believes that progress has been made in securing our pipeline
infrastructure and that the focus should be on continuing to improve
TSA's pipeline security program. Threat actors regularly develop and
refine their tactics, and we must do the same. The increased
coordination between TSA and DHS's Cybersecurity and Infrastructure
Security Agency (CISA) through the NRMC is an appropriate response to
the enhanced need for cybersecurity expertise to support industry's
efforts to protect our critical infrastructure against these growing
threats. We understand TSA has embraced GAO's recommendations as a
roadmap for improving its pipeline security program and is already
taking steps to respond to them.
INGAA and its member companies will continue to support TSA's
efforts. This includes volunteering for assessments, sharing
information about indicators of compromise and about how member
companies are securing their infrastructure, and participating in
cross-sector exercises so we can better determine how the different
segments of critical infrastructure must work together.
The growing threat of nation-state-backed attacks requires a
coordinated and comprehensive approach across all critical
infrastructure and across all Federal agencies supporting National
security. INGAA believes that TSA's on-going work with the NRMC and
CISA is bridging that gap. We urge Congress to support TSA's efforts to
improve its program and to provide the necessary guidance and funding
for additional program management staffing and cybersecurity expertise
that can work directly with the NRMC and support the new Pipeline
Cybersecurity Assessment Initiative. INGAA believes that this
supplement to efforts already under way will help make TSA successful
in its mission to protect the Nation's pipeline infrastructure.
Mr. Correa. Thank you very much for your testimony.
Now I will recognize, Mr. Olson, for 5 minutes.
STATEMENT OF ERIK ROBERT OLSON, VICE PRESIDENT, RAIL SECURITY
ALLIANCE
Mr. Olson. Chairman Correa, Chairman Richmond, Ranking
Member Lesko, and Members of the subcommittees, my name is Erik
Olson, and I am the vice president of the Rail Security
Alliance. The Rail Security Alliance is a coalition of North
American freight rail manufacturers, suppliers, unions, and
steel interests, committed to ensuring the economic and
National security of our passenger and freight rail systems. On
behalf of our coalition thank you for the opportunity to
testify on the critical topic of securing our surface
transportation systems against cyber and privacy threats.
With thousands of miles of railroad covering the United
States, freight rail regularly transports everything from
sensitive U.S. military equipment, to toxic and hazardous waste
every day. On the passenger side millions of Americans rely on
the commuter rail system daily. U.S. Rail System is also highly
sophisticated, relying on a constantly expanding network of
technology that dramatically increases its risks to cyber
attack and hacking.
Today I want to draw the committee's attention to a
particular threat arising from foreign investments in this
industry that jeopardizes directly the future of America's
Passenger and Freight Rail Systems. This threat is China.
China is strategically targeting the U.S. rail
manufacturing sector with aggressive anti-competitive tactics
and how do we know that? Well, to date they have secured 4 U.S.
metropolitan transit contracts in Boston, Chicago,
Philadelphia, and Los Angeles, largely by utilizing anti-
competitive under-bidding practices. These aggressive and anti-
competitive activities are not unusual for China state-owned
rail sector and raise grave National concerns, security
concerns that demand immediate attention.
Without decisive action America's industrial, military, and
other Government interests could be forced to rely
significantly or wholly on rail cars made by the Chinese
government thus creating massive cyber vulnerabilities that
threaten our Nation.
The Made in China 2025 Initiative, a key component of
China's 13th 5-Year Plan identifies the rail manufacturing
sector as a top target for Chinese expansion. This initiative
has systematically and deliberately driven strategic investment
and financing activities of the state-owned China Railway
Rolling Stock Corporation, CRRC, in third-country markets and
the United States. CRRC is wholly owned by the government of
China. It has 90 percent of China's domestic market for
production of rail locomotives, bullet trains, passenger
trains, and Metro vehicles.
In just the last 5 years alone in the United States, we
have witnessed CRRC execute a business strategy to take market
share in the U.S. transit rail manufacturing sector deploying
near-limitless financing from its home government, allowing
CRRC to establish itself as a formidable force in the U.S. rail
transit manufacturing base.
Emboldened with these contract victories, CRRC continues to
target other U.S. cities including our Nation's capital. In
September the Washington Metropolitan Transit Authority, WMATA,
issued a request for proposal for the new 8000-series Metro
Car. This RFP includes numerous technologies which are
susceptible to cyber attacks. Whoever is selected to supply
rail cars for WMATA will become a partner in the day-to-day
operations of a Metro System whose stops include the Pentagon,
the Capitol, as well as unfettered access to D.C.'s tunnels and
underground infrastructure. As CRRC itself has stated, their
objective is to conquer the rest of the global rail market--
need I say more? Whether they be State, local, or Federal
funds, American taxpayer dollars should not be used to
subsidize the activities of a Chinese state-owned enterprise
and compromise American security.
Based on the experiences of Australia, which this graph
denotes, whose domestic industry, CRRC was able to wipe out in
under a decade, we are equally concerned that CRRC will
leverage its growing presence in the U.S. transit rail
production to then pivot into freight rail assembly; we cannot
allow this to happen here.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Olson. Yet the Department of Homeland Security deems
the U.S. rail sector as a part of the Nation's critical
infrastructure, running through every major American city and
every military base in the Nation. We have had extensive
discussions with representatives from DOD and based on those
discussions, I am confident that the Secretary of Defense will
express his concerns on this matter as well.
As China's CRRC becomes more dominant [inaudible] should
the United States rely on a Chinese state-owned enterprise for
the production of our countries freight and passenger rail
cars, the position of RSA is a resounding, no. The strategic
targeting of our Nation's infrastructure by the government of
China and its state-owned enterprises poses a fundamental
threat to the fabric of our critical infrastructure and is a
pressure point for malicious cyber actors to threaten not only
the economic and National security of the United States but our
standing as a global power.
Thank you again for the opportunity to testify. I look
forward to answering any questions you may have.
[The prepared statement of Mr. Olson follows:]
Prepared Statement of Erik Robert Olson
February 26, 2019
introduction
Chairman Correa, Chairman Richmond, Ranking Member Lesko, Ranking
Member Katko, and Members of the subcommittees, my name is Erik Olson
and I am the vice president of the Rail Security Alliance. The Rail
Security Alliance is a coalition of North American freight rail car
manufacturers, suppliers, unions, and steel interests committed to
ensuring the economic and National security of our passenger and
freight rail systems. On behalf of our coalition, thank you for the
opportunity to testify on the critical topic of securing our surface
transportation systems against cyber and privacy threats.
Rail in the United States is an integral component of our critical
infrastructure and our way of life. With nearly 140,000 miles of
railroad covering the United States, freight rail regularly transports
key commodities, sensitive U.S. military equipment, hazardous waste,
potentially toxic and hazardous chemicals, and flammable liquids across
the country every day. On the passenger side, millions of Americans
rely on commuter rail systems every day. The U.S. rail system is also
highly sophisticated, relying on a constantly expanding network of
technology and digitization that dramatically increases its risk to
cyber attack and hacking.
Today, I want to draw the committee's attention to a particular
threat arising from foreign investment in this industry that
jeopardizes the future of America's passenger and freight rail systems.
China is strategically targeting the U.S. rail manufacturing sector,
with aggressive, strategic, and anticompetitive actions. Thus far they
have secured four U.S. metropolitan transit contracts, largely by
utilizing anticompetitive under-bidding practices. With China's
government picking up U.S. transit rail manufacturing contracts, the
Chinese are now using their rail manufacturing capabilities to assail
the U.S. freight manufacturing sector in a move that is reminiscent of
what has already occurred in third-country markets such as Australia.
This activity is a pattern for China's state-owned rail sector and
raises grave National security concerns. Without action, America's
industrial, military, and other Government interests could be forced to
rely significantly or wholly on rail cars made by the Chinese
government, thus creating massive cyber vulnerabilities that threaten
our military and industrial security.
china's state-owned enterprises target u.s. rail manufacturing
The ``Made in China 2025'' initiative, a key component of China's
13th Five-Year plan,\1\ identifies the rail manufacturing sector as a
top target for Chinese expansion. This initiative has systematically
and deliberately driven strategic investment and financing activities
of the state-owned China Railway Rolling Stock Corporation (CRRC) in
third-country markets and the United States. CRRC is wholly owned by
the government of China and it has 90 percent of China's domestic
market for production of rail locomotives, bullet trains, passenger
trains, and metro vehicles.\2\ In 2015, CRRC reported revenues of more
than $37 billion \3\--significantly outpacing the entire U.S. rail car
market, which had $22 billion of output during the same year.\4\
According to Chinese state media, CRRC plans to increase overseas sales
to $15 billion by next year alone. This represents about double the
level of export orders from just 4 years ago \5\ and according to
CRRC's own presentation materials the U.S. market remains a prime
target to, as they put it, ``conquer.''\6\
---------------------------------------------------------------------------
\1\ U.S.-China Economic and Security Review Commission, 2016 Report
to Congress, November 2016, at 100.
\2\ Langi Chiang, China's largest train maker CRRC Corp announces
12.2 billion yuan in contracts, South China Morning Report, July 23,
2015. https://www.scmp.com/business/companies/article/1842983/chinas-
largest-train-maker-crrc-corp-announces-122-billion-yuan.
\3\ CRRC Corporation, 2015 CRRC Annual Report, https://
www.crrcgc.cc/Portals/73/Uploads/Files/2016/8-23/
636075436968234671.pdf.
\4\ Oxford Economics, Will We Derail US Freight Rolling Stock
Production?, May 2017, at 24.
\5\ Brenda Goh, China Trainmaker CRRC to build more plants abroad
in expansion plan: China Daily, REUTERS, Dec. 5, 2016, http://
www.reuters.com/article/us-crrc-expansion-idUSKBN13U0EJ.
\6\ @CRRC_global, ``Following CRRC's entry to Jamaica, our products
are now offered to 104 countries and regions. So far, 83 percent of all
rail products in the world are operated by #CRRC or are CRRC ones. How
long will it take for us conquering the remaining 17 percent?''
Twitter, January 11, 2018. https://twitter.com/CRRC_global/status/
951476296860819456.
---------------------------------------------------------------------------
Using State-backed financing, subsidies, and an array of other
government resources, CRRC has strategically targeted and sought to
capture the U.S. railcar manufacturing sector. In just the last 5 years
the United States has witnessed CRRC establish rail assembly operations
for transit railcars in 3 States, along with additional research and
bidding operations in several others. By beginning with a business
strategy to take market share in the U.S. transit rail manufacturing
sector and deploying near-limitless financing from its home government
to help lower the well-below-market bids for new U.S. metropolitan
transit projects, CRRC has quickly established itself as a formidable
force in U.S. transit rail competition.
Several recent cases involving CRRC bids for new transit rail
projects serve as compelling examples of the strategy being employed by
China to capture our rail systems:
CRRC bid $567 million to win a contract with the
Massachusetts Bay Transit Authority (MBTA) in Boston in 2014,
coming in roughly 50 percent below other bidders.\7\
---------------------------------------------------------------------------
\7\ Bonnie Cao, After Winning MBTA Contract, China Trainmaker CRRC
Plans American Expansion, Boston Globe, Sept. 11, 2015. https://
www.bostonglobe.com/business/2015/09/11/after-winning-mbta-contract-
china-trainmaker-crrc-plans-american-expansion/jnS1kU7uHWF-
GR9gjWmDEjM/story.html.
---------------------------------------------------------------------------
In 2016, CRRC won a contract to provide transit rail for the
Chicago Transit Authority (CTA), bidding $226 million less than
the next-highest bidder.\8\
---------------------------------------------------------------------------
\8\ Corilyn Shropshire, First Step to New CTA Rail Cars: Build the
Factory in Chicago, Chicago Tribune, Mar. 16, 2017. http://
www.chicagotribune.com/business/ct-cta-new-railcar-plant-0316-biz-
20170315-story.html.
---------------------------------------------------------------------------
In early 2017, CRRC bid $137.5 million for a contract with
Southeastern Pennsylvania Transportation Authority (SEPTA) in
Philadelphia, underbidding the next-lowest bidder--which had a
robust local manufacturing presence--by $34 million.\9\
---------------------------------------------------------------------------
\9\ Jason Laughlin, Mass.-Based Company with Chinese Backing Beats
Local Group for SEPTA Car Contract, The Philadelphia Inquirer, Mar. 21,
2017. http://www.philly.com/philly/business/transportation/Mass-based-
company-with-Chinese-backing-beats-out-local-group-for-SEP- TA-car-
contract.html.
---------------------------------------------------------------------------
In March 2017, CRRC finalized a contract with the Los
Angeles County Metropolitan Transportation Authority for its
transit rail system worth up to $647 million.\10\ Again, China
did this by leveraging below-market financing, which in turn
undercut other bidders.
---------------------------------------------------------------------------
\10\ Keith Barrow, Los Angeles Orders CRRC Metro Cars,
International Railway Journal, Mar. 24, 2017. http://
www.railjournal.com/index.php/north-america/los-angeles-orders-crrc-
metro-cars.html.
---------------------------------------------------------------------------
Emboldened with these contract wins, CRRC continues to target other
U.S. cities, including our Nation's capital. In September, the
Washington Metropolitan Transit Authority (WMATA), which is the second-
largest mass transit system in the country, issued a Request for
Proposals (RFP) for the new 8000-series metro car. This RFP includes
video surveillance, monitoring and diagnostics, data interface with
WMATA, and automatic train control systems that are susceptible to
cyber attacks. In response to concerns expressed by a number of
lawmakers, including the Vice Chairman of the Senate Intelligence
Committee, WMATA re-issued its RFP to include additional cybersecurity
protections.\11\
---------------------------------------------------------------------------
\11\ Sean Lyngaas, D.C. Metro system beefs up supply chain
cybersecurity provisions for new rail cars, Cyberscoop, February 6,
2019. https://www.cyberscoop.com/metro-dc-subway-cyberscecurity-rfp/.
---------------------------------------------------------------------------
But the Rail Security Alliance's concerns do not end there.
Whomever is selected to supply rail cars for WMATA will become a
partner in the day-to-day operations of a Metro system whose stops
include the Pentagon and the Capitol, as well as unfettered access to
our Nation's tunnels and underground infrastructure.
We couple this reality with two additional critical facts. First, a
Classified report written by WMATA's inspector general recently
concluded that there were significant shortcomings in WMATA's
enterprise-level cybersecurity posture.\12\ Second, just last week the
New York Times noted that ``businesses and government agencies in the
United States have been targeted in aggressive attacks by . . . Chinese
hackers . . . ''.\13\ So, in light of China's pervasive history of
cyber espionage and hacking, it is the position of the Rail Security
Alliance that we cannot trust a Chinese state-owned enterprise to
build, own, or operate in U.S. critical infrastructure.
---------------------------------------------------------------------------
\12\ Ryan Johnston, D.C. Metro needs to improve its cybersecurity,
audit finds, Statescoop, July 9, 2018. https://statescoop.com/wmata-
incident-response-audit-calls-for-improved-cybersecurity-plan/.
\13\ Nicole Perlroth, Chinese and Iranian Hackers Renew Their
Attacks on U.S. Companies, New York Times, February 18, 2019. https://
www.nytimes.com/2019/02/18/technology/hackers-chinese-iran-usa.html.
---------------------------------------------------------------------------
These developments are even more alarming because they provide CRRC
the opportunity to pivot into freight rail assembly, a subsector of
rail not protected by the same Buy America requirements as transit
rail, and one that represents a troubling vulnerability if overtaken by
the government of China. Even so, CRRC is making steady and deliberate
headway into this sector with the launch of Vertex Rail Corporation and
American Railcar Services. Vertex Rail Corporation is now, a defunct
freight rail assembly facility that was based in Wilmington, North
Carolina. On the other hand, American Railcar Services is a separate
assembly facility headquartered in Miami, FL that maintains assembly
operations in Moncton, New Brunswick.
Concerns about CRRC's transition into freight rail manufacturing
are best illustrated by the recent experiences of third-country markets
like Australia, whose freight rail manufacturing sector CRRC entered in
2008. In less than 10 years, CRRC effectively decimated the sector,
forcing the 4 domestic suppliers out of business and out of the rail
market which left only CRRC standing. Today, almost no meaningful
Australian passenger or freight rolling stock manufacturing exists--
CRRC's Australia footprint is almost exclusively that of an assembler
of Chinese-made parts and a financier of purchases from CRRC. We cannot
let that happen here.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
implications for national security
Unlike the U.S. maritime shipping industry, whose security is
protected by the Jones Act, a measure that requires vessels
transporting goods between U.S. ports to be U.S.-built and majority
U.S.-owned, freight rail in America has been left comparatively
unprotected. Yet, the Department of Homeland Security (DHS) deems the
U.S. rail sector as part of the Nation's critical infrastructure,\14\
noting that 140,000 rail miles enable U.S. freight rail to run through
every major American city and every military base in the Nation. The
Department of Defense (DoD), which itself maintains a fleet of more
than 1,300 rail cars, has also designated nearly 40,000 miles of
freight rail as part of the Strategic Rail Corridor Network (STRACNET),
a comprehensive rail network that connects military bases and maritime
ports across the country.\15\ We have had extensive discussions with
representatives from the Department of Defense, and based on those
discussions I am confident that the Secretary of Defense would express
his concerns on this matter as well.
---------------------------------------------------------------------------
\14\ Presidential Policy Directive 21 (PPD-21) identifies 16
critical infrastructure sectors, including ``Transportation Systems.''
The Department of Homeland Security defines ``Freight Rail'' as 1 of
the 7 key subsectors. See generally, PPD-21, Critical Infrastructure
Security and Resilience, Feb. 12, 2013, https://www.whitehouse.gov/the-
press-office/2013/02/12/Presidential-policy-directive-critical-
infrastructure-security-and-resil and Transportation Systems Sector,
Dep't of Homeland Sec., Mar. 25, 2013, http://www.dhs.gov/
transportation-systems-sector.
\15\ ``Strategic Rail Corridor Network (STRACNET),'' Global
Security, 2012. https://www.globalsecurity.org/military/facility/
stracnet.htm.
---------------------------------------------------------------------------
Because freight rail transports not only military freight and
industrial products, but also nuclear material and hazardous chemicals
that can be safely and effectively transported only by rail, there is a
serious risk that the technologies in these systems could be
compromised by a malicious actor. As noted by Brig. Gen. John Adams
(USA, Ret.) in a 2018 report on the vulnerabilities of freight
rail,\16\ our rail system's rapidly expanding internet of things (IoT)
capabilities presents an array of National security challenges that
include:
---------------------------------------------------------------------------
\16\ National Security Vulnerabilities of the U.S. Freight Rail
Infrastructure and Manufacturing Sector--Threats and Mitigation,
Brigadier General John Adams, US Army (Retired), October 22, 2018.
---------------------------------------------------------------------------
A digitized railroad network/the internet of things.--
Integrated teams of data scientists, software developers, and
engineers develop and apply technology across every aspect of
the Nation-wide freight rail network, effectively increasing
the vulnerability of industrial control systems, train
operations, and perhaps even the industry's metadata
warehousing centers to cyber threats.
Rail Signaling.--Congress has mandated the installation of
positive train control (PTC) systems on much of the Nation's
rail systems as a means of preventing specific accidents. A
malicious cyber breach of PTC or underlying existing rail
signaling systems could wreak havoc and cause accidents or
derailments on the highly interdependent freight railway
network.
Locomotives.--Rail locomotives rely upon hundreds of sensors
to monitor asset health and performance of train systems.
On-board Freight Car Location & Asset Health Monitoring.--
Thousands of freight cars are equipped with telematics or
remote monitoring equipment, many of which are carrying
hazardous materials like chlorine, anhydrous ammonia, ethylene
oxide, and flammable liquids. This tracking technology includes
a wireless communication management unit to track precise near-
real-time location via GPS, direction of travel, speed, and
dwell time within the Transportation Security Administration
(TSA)'s 45 designated high-threat urban areas (HTUAs).\17\
---------------------------------------------------------------------------
\17\ The Transportation Security Administration defines an HTUA as
an area comprising one or more cities and the surrounding areas,
including a 10-mile buffer zone.
---------------------------------------------------------------------------
End-of-Train Telemetry (EOT).--The FRA requires all freight trains
operating on excess of 30 mph to be equipped with a 2-way EOT device
that tracks GPS location and can allow a locomotive engineer to
initiate an emergency brake application, a critical safety feature for
trains that can stretch upwards of 10,000 feet long (See Attachment A).
The presence of these evolving technologies underscores the clear
danger of a foreign country, and particularly the government of China
and its state-owned enterprises, having undue control of freight
manufacturing in the U.S. market. Already, there are reports of Chinese
manufacturers investigating the production of their own ``telematics''
technology to allow the monitoring and control of their rail cars.\18\
On the transit side, China is already boasting about how it has
utilized the latest advances in AI and facial recognition technology to
identify and track its 1.4 billion citizens,\19\ creating a very real
prospect that they could do the same here in the United States.
---------------------------------------------------------------------------
\18\ China plans ``smart trains'' to take on global rail companies,
CHINA DAILY, March 10, 2016, http://english.chinamil.com.cn/news-
channels/2016-03/10/content_6952271_2.htm.
\19\ Surveillance Cameras Made by China Are Hanging All Over the
U.S., The Wall Street Journal, November 12, 2017. https://www.wsj.com/
articles/surveillance-cameras-made-by-china-are-hanging-all-over-the-u-
s-1510513949.
---------------------------------------------------------------------------
conclusion
As China's CRRC becomes more dominant as a U.S. rail manufacturer,
there are urgent and compelling questions we must answer regarding
whether a growing presence of, and reliance upon freight or passenger
cars from a major state-owned Chinese rail enterprise is likely to
compromise the security and safety of industrial, military, and
civilian transportation systems in the United States. For that reason,
we are grateful that Congress passed legislation last year that would
mandate the Department of Homeland Security, in coordination with the
Committee on Foreign Investment in the United States and the Department
of Transportation, produce a report on the National security threats of
Chinese SOE investment in our rolling stock manufacturing sector,\20\
and we strongly urge the committee to work with DHS as that report is
completed.
---------------------------------------------------------------------------
\20\ See. H.R. 5515--John S. McCain National Defense Authorization
Act for Fiscal Year 2019, Sec. 1719(c).
---------------------------------------------------------------------------
We greatly appreciate the committee's interest in addressing these
critical issues. The strategic targeting of our Nation's infrastructure
by the government of China and its state-owned enterprises poses a
fundamental threat to the fabric of our critical infrastructure and is
a pressure point for malicious cyber actors to threaten not only the
economic and National security of the United States, but to our
standing as a global power.
Thank you again for the opportunity to testify. I look forward to
answering any questions you may have.*
---------------------------------------------------------------------------
* Attachment A has been retained in committee files and is
available at https://go.americanmanufacturing.org/page/-/
Adams_Freight_Rail.pdf.
Mr. Correa. Thank you, for your statements.
I would like to recognize Mr. Hultquist, for 5 minutes.
STATEMENT OF JOHN HULTQUIST, DIRECTOR OF INTELLIGENCE ANALYSIS,
FIRE EYE
Mr. Hultquist. Chairman Correa, and, Ranking Member Lesko,
for convening this joint hearing today. My name is John
Hultquist, and I am the director of intelligence analysis for
FireEye. My team of over 150 intelligence analysts and
researchers pore over data we collect from FireEye's global
networks of devices, incident response, researchers monitoring
the criminal underground and many more sources to understand
the global cyber threat.
FireEye is supporting the transportation and energy sectors
here at home. We are protecting TSA with email--thank you--and
web inspection and we are providing support to DHS's
subscription to our intelligence reporting.
At DOE we are supporting network and file inspection,
malware analysis, and protecting their data from threats down
at their endpoints. The Department is the largest civilian
agency, consumer of our intelligence reporting which provides
focused visibility into threats targeted at the energy sector.
Today I will focus primarily on threats on the horizon that
FireEye is watching develop in the Middle East, Ukraine, South
Korea, where Iran, Russia, North Korea, are the most active.
Despite a dearth of recent specific examples of pipeline
targeting by state actors that we have observed, targeting the
sector is consistent with the behavior of several state actors
who have carried out disruptive and destructive operations.
Pipelines sit at the nexus of two well-established interests
for state actors, energy and transportation. For example, oil
and gas has been the major focus of a long-term destructive
malware campaign by Iran in the Gulf.
Though these attacks have targeted critical infrastructure
organizations, they have primarily affected business-focused IT
systems rather than sensitive controls systems. Nonetheless
Iranian-sponsored threat actors have caused significant, costly
disruptions from 2012 to as recently as 2018 using this
capability.
The Middle East was also the scene of the most
disconcerting attack on control systems we have observed. In an
industrial plant, they have suffered a disruption when
attackers inadvertently triggered a shutdown using a malware we
call Triton. They triggered the shutdown because they were
attempting to manipulate automated safety systems, one of the
last lines of defense to protect human life. We believe this
activity originated from a Russian government organization.
Transportation and logistics systems have been unrecognized
but fruitful focus for state cyber attackers as well. During
and between attacks on Ukraine's grid, attempts were made by
the same Russian actors to gain access to rail, air, and sea
transportation routes and hubs to varying degrees of success.
Many of the companies which posted major losses from the
NotPetya Ransomware incident in the hundreds of millions of
dollars were also in the logistics business, despite this
industry not having been specifically targeted. Such a pattern
could indicate that logistics organizations may be especially
economically vulnerable to incidents of this nature.
Like pipeline operations, transit networks have been
subjected to ransomware operations and denial-of-service
attacks which have on occasions resulted in disruption to
service. Ransomware which has affected many municipal services
has been used to hold transit systems hostage in return for
payment. The websites associated with mass transit systems
which are often crucial to their business have also been
subjected to denial-of-service attacks, in some cases
disrupting travel. Both ransomware and denial-of-service are
capabilities used by state actors.
The complexity of transit networks and the potential for
cascading economic consequences from disruption, bear
similarities to pipelines, however transit networks offer an
additional attraction to would-be attackers. Transit is a
highly-visible sector with which the public regularly
interacts; this factor is especially relevant as many cyber
attacks appear to be more focused on psychological effects and
undermining confidence in institutions and creating lasting
physical effects.
It is important to bear in mind that our adversaries are
not necessarily preparing for a doomsday situation or any
lasting blow but a asymmetric scenario where they can project
power onto our shores. Ultimately their aim may be to sow chaos
rather than to achieve some complex military objective.
Thank you, again for the opportunity to participate in
today's discussion. I am happy to answer any of your questions.
[The prepared statement of Mr. Hultquest follows:]
Prepared Statement of John Hultquist
February 26, 2019
Thank you, Chairman Richmond, Ranking Member Katko, Chairman
Correa, and Ranking Member Lesko for convening this joint hearing
today. We appreciate the opportunity to share FireEye's perspective on
threats to the transportation and energy sectors and provide an
overview of how the private sector is helping to secure those sectors.
introduction
My name is John Hultquist, and I'm the director of intelligence
analysis for FireEye. My team of over 150 intelligence analysts and
researchers pore over data we collect from FireEye's global networks of
devices, managed defense of 7 global Security Operations Centers, our
incident response, researchers we have monitoring the criminal
underground, and many more sources to understand the global cyber
threat. We have teams focused on criminal threats, cyber espionage,
cyber physical, and strategic problems, as well as vulnerabilities.
Ultimately, we provide intelligence reporting and services used by
Government and commercial clients around the world.
In addition to the 300-plus security professionals responding to
computer intrusions, FireEye has over 200 cyber-threat analysts on
staff in 18 countries, speaking 30 different languages, to help us
predict threats and better understand the adversary--often by
considering the political and cultural environment of the threat
actors. We have an enormous catalog of threat intelligence, and it
continues to grow everyday alongside the continually increasing attacks
on organizations around the world.
FireEye is supporting the transportation and energy sectors here at
home. We're protecting the Transportation Security Administration with
both email and web inspection, managed by the Department of Homeland
Security's Enterprise Security Operations Center. As TSA continues to
stand up its intelligence capabilities, we are providing support
through its subscription to our intelligence reporting.
Additionally, we assist in protecting the Department of Energy by
supporting network and file inspection, malware analysis, and
protecting their data from threats down to their endpoints. We provide
the ability for deep forensics inspection of all network traffic
managed by the Department's Enterprise Security Operations Center. As
DOE continues to enhance its cyber capabilities, we provide visibility
to meet the Data Taxonomy Metrics. The Department is the largest
civilian agency consumer of our intelligence reporting, which provides
focused visibility into the threats targeted at the energy sector.
In addition to my role at FireEye I'm an adjunct professor at
Georgetown University and the founder of CYBERWARCON, a conference on
the cyber attack and information operations threat.
I have been working in cyber intelligence for over a decade, most
of it at FireEye, but before that I worked as a contract cyber
intelligence analyst with the Defense Intelligence Agency and State
Department. Prior to that I worked briefly at the Surface
Transportation and Public Transit Information Sharing and Analysis
Center where I was an analyst exploring threats to the sector we will
be discussing today. Part of my duties there were to forecast domestic
threats by exploring global incidents. Though much of this work was
focused on counterterrorism, I believe the methodology I employed there
is applicable to this problem. If we want to forecast threats to
surface transportation, we have to look globally for the actors who may
target this sector, and explore not just how they carry out attacks,
but why.
Today I will talk about a few incidents that have already affected
surface transportation, but I will focus primarily on threats on the
horizon that FireEye is watching develop in the Middle East, Ukraine,
and South Korea, where Iran, Russia, and North Korea are most active.
My team has had some success with this method. In 2014, we exposed an
actor, who we call Sandworm Team, which was carrying out cyber
espionage in Ukraine and who was soon after exposed in U.S. critical
infrastructure. A year later this actor caused the first known blackout
by cyber attack in the Ukraine.
pipelines
Criminal, state, and hacktivist actors have all demonstrated an
interest in pipeline operators. Pipeline operators have been the victim
of criminal ransomware incidents on multiple occasions. Hacktivist
actors have threatened pipelines for environmental and other political
reasons. We have seen some specific interest in pipeline infrastructure
from state actors as well. APT1, an actor tied to China's People's
Liberation Army, carried out an intrusion campaign attempting to gain
access to pipeline operators in 2012. While we do not think the
campaign aimed to cause any immediate effects, at the time we did
assess that it was reconnaissance of our infrastructure that could be
leveraged over the long term.
Despite the dearth of additional specific examples of pipeline
targeting, targeting the sector is consistent with the behavior of
several state actors who have carried out disruptive and destructive
operations. Pipelines sit at the nexus of two well-established
interests for these state attackers: Energy and transportation. Despite
a relatively brief history of disruptive and destructive cyber attacks
against critical infrastructure, several incidents have focused on
these sectors where the potential for cascading economic and
psychological effects on the target population is considerable.
Energy, particularly oil and gas and the electrical power industry,
has been the continued focus of threat actors who have either carried
out disruptive cyber attacks or who appear to be tasked with preparing
for such an operation. Destructive and disruptive attacks on oil and
gas have almost become common in the Middle East where our U.S.
adversaries are showcasing their capabilities and improving their
skills.
For example, oil and gas has been the major focus of a long-term
destructive campaign by Iran in the Gulf using destructive malware
commonly referred to as ``Shamoon.'' Though these attacks have targeted
critical infrastructure organizations, they have primarily affected
business-focused IT systems rather than the sensitive control systems
which run production. Nonetheless, Iranian-sponsored threat actors
caused significant, costly disruptions from 2012 to as recently as
December 2018, the last time we observed one of these incidents.
The Middle East was also the scene of the most disconcerting attack
on control systems we have observed. An industrial plant there suffered
a disruption when attackers inadvertently triggered a shutdown using
malware we call TRITON. They triggered that shutdown because they were
attempting to manipulate automated safety systems, one of the last
lines of defense to protect human life. We believe the attackers were
developing the ability to create an unsafe condition using the control
systems, while simultaneously disabling the safety systems designed to
mitigate the attack. Such a scenario could have led to major disruption
of operations, economic loss, and even loss of life. We believe this
activity originated from a Russian government organization called the
Central Scientific Research Institute of Chemistry and Mechanics. It is
unknown whether these actors had been tasked to target the plant for
some specific geopolitical goal or if they were using this Middle
Eastern facility as a testbed to improve their capability.
In principal, methodologies honed in the Middle East against oil
and gas could be applied to our pipeline sector. Destructive attacks
could be used to interrupt the administration of these complex systems,
potentially causing economic repercussions that cascade through the
myriad of downstream users who depend on reliable service. A more
complex scenario, like the TRITON incident, could also target
pipelines, which could be manipulated to potentially disastrous
consequences if actors can gain access to control and safety systems.
Transportation and logistics systems have been an underrecognized
but fruitful focus for state cyber attackers as well. During and
between well-known attacks in Ukraine which turned off the power to
portions of the country, attempts were made by the same Russian actors
to gain access to rail, air, and sea transportation routes and hubs, to
varying degrees of success. In fact, we saw evidence indicating that
while they were prepping the first attack that briefly disabled power
service in the Ukraine, the actors we call Sandworm Team were also
compromising airport and rail services. There are plausible but
unverified reports of an attack which lead to disruption of rail
service coincided with the second attack on Ukraine's grid.
As in the case of the Middle East, in Ukraine, we see technically
complex cyber attacks that strike at the most sensitive industrial
control systems, such as those that caused blackouts, as well as
attacks that are not focused on these systems at all. Both types of
attack have been successful. While grid attacks were undoubtedly
watershed events, the most economically damaging attack we have ever
encountered was fake ransomware called NotPetya. This fake ransomware-
encrypted drives just like its real criminal counterpart, but the state
actors behind it never intended to decrypt this information for any
amount of money, essentially making it a destructive tool. The malware
spread rapidly, locking up vital systems and causing major disruptions
to global companies. The result was over 10 billion dollars in damages,
according to one White House estimate. Most notably, however, many of
the companies which posted major losses in the hundreds of millions
were in the logistics business, despite this industry not having been
specifically targeted. Such a pattern could indicate that logistics
organizations may be especially economically vulnerable to cyber
attacks of this nature.
transit
Like pipeline operations, transit networks have been subjected to
ransomware operations and denial-of-service attacks, which have, on
occasion, resulted in disruption to service. Ransomware, which has
affected many municipal services, has been used to hold transit systems
hostage in return for payment. An attack like this in San Francisco
took tickets systems off-line, but operations continued when riders
were offered free passage. In most cases we believe the attackers were
financially motivated, though it is worth noting that these incidents
expose a vulnerability that state actors, who have used a fake
ransomware capability, could exploit.
In addition to ransomware incidents, the websites associated with
mass transit systems, which are often crucial to their business, have
been subjected to denial-of-service attacks. These incidents, which
involve the use of a network of hijacked computers to jam a website
with bogus traffic, have in some cases frozen operations. We have seen
this phenomenon as far afield as Ukraine and Sweden. In 2017, transit
systems in Sweden came under a prolonged attack by an unknown actor who
disrupted travel. It is worth noting that like ransomware, denial of
service is a capability used by state actors. And just as ransomware
allows these actors to carry out attacks while hiding their true
intentions, state actors have purported to be hacktivists and taken
credit for denial-of-service attacks, hiding their hand it the
operations. This was the case in the United States, where Iranian
hackers attacking our financial system claimed to be a pan-Arab
hacktivist. Furthermore, there is a reduced barrier to entry for these
types of attacks, and even states without this capability could source
it from the criminal underground.
The complexity of transit networks and the potential for cascading
economic consequences from disruption bear similarities to pipelines;
however, transit networks offer an additional attraction to would-be
attackers--transit is a highly-visible sector with which the public
regularly interacts. This factor is especially relevant as many cyber
attacks appear to be more focused on psychological effects and
undermining confidence in institutions than creating lasting physical
effects.
One example of a highly-visible cyber attack which affected the
populace is the destructive campaign against South Korean media and
banking in 2013. Though this campaign failed to interrupt broadcasts,
it did interrupt some banking services, including on-line banking and
ATMs. The result was a visible crisis that affected the everyday lives
of South Koreans and which might have been even greater if broadcasts
were halted. Blackouts fall into this same category of having far-
reaching psychological effects. A disruption to transit could have a
similar effect.
conclusion
Thus far, U.S. critical infrastructure has been probed by actors
from China, Russia, Iran, and North Korea. In many cases, these actors
have focused heavily on electricity generation; however, our experience
with them abroad suggests a much broader interest in creating
disruptive or destructive effects. We should take these lessons to
heart now and prepare for incidents across the transportation sector.
It's important to bear in mind that our adversaries are not
necessarily preparing for a doomsday situation, or any lasting blow,
but an asymmetric scenario where they can project power within our
shores. Ultimately, their aim may be to sow chaos rather than achieve
some complex military objective. Nonetheless, these incidents could
have economic and psychological effects we cannot ignore.
Thank you again for the opportunity to participate in today's
discussion. And thank you for your leadership improving cybersecurity
in the transportation and energy sectors. I look forward to working
with you to strengthen the partnership between the public and private
sectors and to share best practices to thwart future cyber attacks.
Mr. Correa. I thank our panelists for their testimony.
If I may, I would like to recognize myself for 5 minutes of
questions. I will start out with, Mr. Lewis, you made a comment
at the end of your statement about credible threat, we need to
be a credible threat, can you explain that a little bit?
Mr. Lewis. Certainly. Thank you, Mr. Chairman.
When we look at the behavior of Russia, China, Iran and to
some extent North Korea, they are the most dangerous attackers
but they are also very calculating, they are very rational and
they ask themselves, ``If I do this to the Americans, what is
the likelihood that the Americans will do something back?'' and
if they believe there is no risk that we will do anything back,
they are more likely to undertake some sort of hostile or
coercive action.
Mr. Correa. In this committee last year, the full Committee
on Homeland Security, I asked the question, at what point does
a cyber attack constitute a declaration of war on the United
States? Any thoughts?
Mr. Lewis. This is [inaudible] was an attack that caused
death or destruction or casualties, it would qualify as
justifying a forceful response. Unfortunately, we haven't seen
very many of them and if you look at what the Russians did in
2016, it wouldn't fall under that category so this is something
that I believe the intelligence community and cyber command are
working through. We need a new framework, if you cause death or
destruction, you fear a risk, that you fear that the United
States will retaliate. If you don't do that, people kind-of
feel like they can get away with it.
Mr. Correa. If you threaten our democracy or destabilize
our Government, is that an act of war and I would ask that
question to all of you?
Mr. Lewis. Under the current legal construct, the answer
would be no, right. You could make a case that by threatening
the political integrity of the United States, it would qualify
as an act of war but our main problem is that we became aware
this was happening in April 2016, that is almost 3 years ago
and we still have not done very much back.
Mr. Correa. Mr. Olson, you talked a little bit about the
challenge of Chinese assets, Chinese buying essentially their
way into our markets, they are buying their markets and you
talk about a threat, could you relate that back to the China's
new 27 intelligence law that compels companies, Chinese
companies to cooperate with the Chinese government?
Mr. Olson. Sure. So I am not fully familiar with the law
itself, I mean, I have read articles about it. I mean, our
concern is that this is a wholly-owned, state-owned enterprise
that has a board of directors with members of the Communist
Party and we know that when they set up shop here in United
States that we believe they are been directed by Beijing and
the cyber issues, privacy issues, and just the economic
security that stems from that is our main concern from RSA's
point of view.
Mr. Correa. Same question, to Mr. Hultquist.
Mr. Hultquist. Right, I am not familiar with that exact
regulation but it is not uncommon for Russia or China to
enforce or compel companies to work with their cybersecurity or
their Signals Intelligence agencies to gather information.
Mr. Correa. Thank you very much.
I am going to yield the remainder of my time.
I will now recognize the gentle person from Arizona, Mrs.
Lesko.
Mrs. Lesko. Thank you, Mr. Chairman.
My first question is for, Mr. Hultquist, hello sir. I have
a couple of questions into one. Basically, how well do you
think the industry uses ISAC, the information you know, where
you share information with the industry [inaudible] and my
secondary question is, what are the risks from insider threats?
Mr. Hultquist. I had actually previously worked at a couple
of the ISACs, actually the Surface Transportation and Public
Transit ISAC, I worked there briefly before moving into the
cyber world. They have made a lot of great strides in the cyber
space and several of them I think on are very, very mature and
are making a big difference.
On one of the problems though is that we sometimes take
this myopic view of our sector and we have failed to see
threats coming because we are overly focused on just our own
sector and it is important to look at our own sector but the
actor who turned off the lights in Ukraine, was also targeting
air, and rail, and all these other sectors, not because the
lights were you know, particularly [inaudible] sometimes if we
you know, we focus too much that way, we can kind-of miss that.
I am sorry, your second question.
Mrs. Lesko. Was, what is the risk of insider threats, like
people that are working for, let us say, the rail system or
passenger rail?
Mr. Hultquist. Many of the----
Mrs. Lesko. Or pipelines?
Mr. Hultquist. Major critical infrastructure incidents that
we have seen throughout history have involved an insider
component, a contractor who didn't get hired on was upset about
their situation and decided to lock things up or I believe
there was a situation where they pumped toxic stuff into a
[inaudible] critical infrastructure.
Mrs. Lesko. What can be done about it, do you think?
Mr. Hultquist. Probably a more complex or a more robust
vetting process and recognition that when people move in and
out of an organization, security measures need to be sort-of
re-looked at particularly do they still have access, things of
that nature.
Mrs. Lesko. Thank you, sir.
My next question is for the gentleman with the rail system
and you had mentioned--I read this article that I think it was
in The Washington Post, entitled, ``Could a Chinese-made Metro
Car, spy on us?'' I think you were quoted in this and some of
the transit authorities in this article, the Chicago Transit
Authority, the Massachusetts Bay Transportation Authority, they
basically said that none of the critical software components
were being produced in China.
What are your thoughts on that, are they misspoken or you
know, they said that they are considering bids from CRRC but
that the critical software components are not made in China and
in fact one of the Massachusetts Bay Transportation Authority
spokesman said, ``The design process for new rail cars includes
a cybersecurity analysis based on the U.S. Department of
Defense Military System Safety Standard,'' so I am glad that we
are bringing this up because I think it is a legitimate concern
but it seems like at least from these people, spokesman, that
the critical infrastructure is not made in China.
Can you comment?
Mr. Hultquist. Yes. What I would say to that is that our
concern is you can try to mitigate and the we heard from Ms.
Proctor, earlier that the cyber concerns are ever-evolving. I
don't know all the parts or the list of the parts but many
parts are being made in China, the shells for Los Angeles and
for Boston are being made in China and shipped to Springfield,
Massachusetts so our position at RSA's risk avoidance.
We don't know what can be put into a shell. We don't know
what technology can be hid in there. The Chinese have a long
view [inaudible] attack but we also think of it from a point of
privacy. When you have access to the tunnel [inaudible] the
CCTV, can you get access to the Wi-Fi system? We know how they
profile their own citizens and it does not take a lot to lead
to the fact that maybe you could do that here especially in the
Metro region.
Mrs. Lesko. Thank you, sir.
I yield back my time.
Mr. Correa. Thank you, Mrs. Lesko.
I recognize the gentleman from Louisiana, Chairperson
Richmond.
Mr. Richmond. Thank you, Mr. Chairman.
This will be for Ms. Gagliostro and Mr. Olson. It is
basically describing your relationship with TSA-DHS as a whole
but TSA and CISA. Has there been rail stakeholder involvement
in the implementation and the goals outlined in the Pipeline
Cybersecurity Initiative and, Mr. Olson, in your view, are DHS
and TSA being proactive enough in sharing information about
cyber threats and best practices within rail systems, and to
both of you all, what could they be doing differently or more?
Ms. Gagliostro. So I would say that yes, there has been
rail stakeholder involvement beyond the efforts of the Pipeline
Cybersecurity Initiative because as you know, that Initiative
was only announced in October but prior to that TSA has been
working to build its security program for over a decade now,
has a very strong working relationship with industry. We
regularly engage in Pipeline Sector stakeholder calls to share
information about threat indicators that they are getting and
also information about the tools that they are providing to
industry to help us with their security programs.
I think that the work that TSA is doing right now to have
more coordination with DHS and the CISA Office, and the
National Risk Management Center is a very positive step in the
right direction of looking more comprehensively across these
nation-state threats in particular that are targeting all
critical infrastructure to make sure that we are empowering
industry to learn from how these threats are looking
[inaudible].
Mr. Olson. To echo I agree that from my understanding, I
mean, the folks at the Rail Security Alliance represents our
private industry and we know they have been talking, TSA has
their private briefings we heard that from, Ms. Proctor,
earlier that they have been doing Classified briefings for
members both in the Passenger Rail Sector and also the Freight
Rail Sector. I think there can always be more and more
involvement, we have certainly reached out to them to have
conversations as well on this point.
What I would say on the what could be done, what could they
be doing more is DHS actually has a study sitting at Homeland
Security right now that they need to complete by the end of the
fiscal year, we would love to work with you all and work with
the Department of Homeland Security on this study and ensure
that private sectors' voice is heard as they are completing
this risk assessment of what state-owned enterprises, how they
could affect the U.S. transit and freight rail market.
Mr. Richmond. Thank you for your time.
Mr. Chairman, I do have prior commitments so I will yield
the balance of my time through the gentleman from Missouri, Mr.
Cleaver.
Mr. Correa. Thank you, Chairman Richmond.
Mr. Cleaver, go ahead.
Mr. Cleaver. Thank you, Mr. Chairman.
I was mayor of Kansas City all during the 1990's up until
2000 and I can remember one of the most frightening periods of
my term as mayor came when we received word, we were not
notified but we received word, there was very likely going to
be a shipment of [inaudible] and taken to the Nevada, Yucca
Mountain and there was a lot of resentment [inaudible] the
largest freight-rail site in the country and St. Louis 200
miles away is No. 3.
We are a [inaudible] have been extremely concerned over the
years about the transportation of waste but also how vulnerable
we are and particularly in the Midwest because you know, no
matter what the discussion is, it's probably even freight, we
tend to focus on East Coast, West Coast, maybe a little part of
the North Coast and the Midwest is wide open.
I always like to remind people that the first major
terrorist attack in this country occurred right in the middle--
Midwest at Oklahoma City at the Murrah Federal Building. It has
nothing to do with rail but the point I am raising, Mr. Lewis,
and, Mr. Olson, is that I am not sure that there is any
appropriate attention being given to that part of the country
where a lot of the rail is centered.
Mr. Olson. I tend to agree with you, Congressman. I know
that you know, the Class Is, the freight rail manufacturers are
all working on these issues and working on the cyber aspects of
this and the security aspects of this. RSA's position and has
been as our concern is allowing the Chinese to come in and make
freight railcars----
Mr. Cleaver. Yes, sir.
Mr. Olson [continuing]. And be a part of the system and the
security challenges come with that. As you know, freight rail
carries grain, from toxic waste, to military equipment, and our
view is from RSA, as soon as you allow the Chinese into the
system and they are building cars they are able to track where
all these things are going and get a birds-eye view on where we
are moving commodities, we are moving helicopters, where we are
moving people and that is of grave concern for us from a
National security perspective and we share your concerns sir.
Mr. Cleaver. Mr. Lewis.
Mr. Lewis. Thank you, Congressman. You know, I think
there's two questions you always want to ask, does the device
connect back home and there is a surprising answer to that
increasingly as we connect things to the internet. I was
reading yesterday about a smart doorbell that was inadvertently
relaying peoples' voices back to China so rail cars are a good
target, rail lines are a good target, they're traditional
military targets, good target for disruption.
The other thing you would want to ask though is when is it
in the opponents' interest to do so and in that sense, they are
looking at it from a National perspective. They are looking at
from where the least-defended parts of the country, where can
they achieve the most effect so in that way may be the Midwest
is a good target.
Mr. Cleaver. Yes. I would argue that there is some evidence
to suggest that it is a target and of course my question, Mr.
Chairman, is you know, when are we going to give the necessary
attention? I mean, you know, when I am asked you know, the
question, I am no longer in the mayor's office but the people
wants to know, Homeland Security, so when are they going to
give us the attention that they have been giving New York and
Boston and San Francisco and Los Angeles and I guess I should
say, it is still up in the air, until something happens. Is
that [inaudible].
Mr. Lewis. Attention has gone to the largest metropolitan
areas and so you are really the top 12 SMSA, Standard
Metropolitan Statistical Areas and so the question is, can we
expand that? It is a question of cost and also of personnel as
we have heard so that tends to mean that if you are not in the
top 12, the top 20, you might not be getting the same attention
as others.
Mr. Correa. Thank you, Mr. Cleaver. Thank you very much and
I would like to recognize the gentle person from New York, Miss
Rice.
Miss Rice. So, Mr. Lewis, just to continue on that so you
had said at the beginning right at the end of your original
statement, you talked about the cost factor. Can you just
expound on that a little bit more?
Mr. Lewis. Certainly. Thank you. We have heard from the
other witnesses too that in many cases Chinese companies are
subsidizing--it is part of a larger very aggressive
mercantilist policy that the Chinese follow and so that allows
them to offer products at a lower price and the information we
saw in Australia and them squashing the competition there, you
can find that in other industries so you have a subsidized
price with pretty good equipment----
Miss Rice. Right.
Mr. Lewis. Some unknown risk for surveillance or disruption
and the buyers have to make a decision, do I pay more for
security or do I go with the lower cost and------
Miss Rice. So why is the Federal Government allowing them
to make that decision at their level, regardless of whether the
money that they are using is State money or Federal money. I
mean, I would assume if it is Federal money then we have
absolute say over their decision-making process but is it that
difference--about what pocket of money they are taking it from?
Mr. Lewis. We--thank you. We have not come to terms until
recently with the fact that there's a risk in buying from China
so our supply chains are deeply integrated and so you know,
when you go to the store and you turn--very often it will say,
Made in China. Up until a few years ago people thought, oh
well, you know, they are going to become a market--this is
fine, so we have--we are just starting to think about how we
disentangle that. Part of it might be asking about what
technologies are sensitive, where's there additional risk?
You have all seen all the news on Huawei in the papers and
this is a [inaudible].
Miss Rice. What are we waiting for in this field?
Mr. Olson. I would just add, I mean, Congress did examine
this issue last year when it came to Federal Transit Authority
dollars, there was actually a 1-year ban put in place in the
Senate THUD bill. It was unfortunately stripped out of the
final version that you know, you guys passed on February 15
because it was deemed controversial because there are certain
members that have state-owned enterprise Chinese facilities in
their district and so they are trying to preserve jobs back
home.
I will also note--yes, you are right when it comes to the
bucket of dollars there are some of these local governments
because of the deep discounts that the Chinese are giving, the
case of Boston is a very poignant one where the Chinese came in
as low as much as 50 percent below some other competitors and
so Massachusetts waved FTA dollars, there's no Buy America
protections, there's no Federal dollars involved in this
project and they have just used State money and therefore the
Chinese are able to build many components and the shells and
ship them over here so unless we have an outright Federal ban
or some Federal law that says, you can't do this, I would
assume that States continue to buy because of price.
Miss Rice. So I am just wondering how we sound the alarm
bell. I mean, I just don't know, if we are allowing elected
Members of Congress to be more concerned about preserving jobs
in their districts than they are a National security, we have a
problem so if you wouldn't mind, Mr. Olson, just talking a
little bit, can you just expound on that more because this has
to be done. If this administration does not think that this is
a priority, it is not going to trickle down, it is just not.
Mr. Olson. I agree with you wholeheartedly. We are a 3-
year-old organization. We started because we saw this market
entry in such a quick fashion and the 4 contracts quickly
awarded to CRRC. They have built a freight assembly facility in
Wilmington, North [inaudible] so opportunities like this to
testify and get in front of more Members, I mean, we are
advocacy; we are trying to get in front of as many Members of
Congress, and State and local officials to raise the alarm
bells and we are partnering as much as possible with officials
within the Trump administration to raise more awareness.
Miss Rice. Well, I want to thank Chairman Correa, very much
for actually you know, putting this hearing together.
I want to thank all of you so much because we sit here in
this little bubble here in Washington and you know, the very
common theme that I have heard from everyone who has sat at
that table is, we have to keep the lines of communication open.
This is not a private-sector issue. This is not a public-sector
issue. This is a Keep America Safe issue, and Our Democracy
Safe issue, and I hope that you know, going forward and I know
with people like you will be able to; I hope we can have this
conversation in a bipartisan fashion so thank you all for being
here.
I yield back the balance of my time.
Mr. Correa. Thank you, Miss Rice. I agree with you about
sounding the alarm. It is a very interesting question.
Now I would like to recognize, Mrs. Watson Coleman, from
New Jersey.
Mrs. Watson Coleman. Thank you. Thank you, Mr. Chairman.
So if we have these companies that are owned by the Chinese
company making things in the United States of America,
technically we could have professionals from security,
cybersecurity whatever to be able to go in, announced and
unannounced and check right----
Mr. Olson. Of course.
Mrs. Watson Coleman. We probably could?
Mr. Olson. Yes.
Mrs. Watson Coleman. Do we? Do you know, if we do?
Mr. Lewis. It does not work and so that is the main
problem.
Mrs. Watson Coleman. It does not work, why?
Mr. Lewis. It does not work because first a lot of the--it
never did.
Mrs. Watson Coleman. Yes.
Mr. Lewis. Pardon me. A lot of the technology is connected
back to the manufacturer----
Mrs. Watson Coleman. OK.
Mr. Lewis. So that they can do updates; you don't know if
it is malicious traffic or innocent traffic. Second there is
just a lot of opportunities in rail car or an airplane to
hide----
Mrs. Watson Coleman. We are just trying to figure this out.
You know, Mr. Olson, this one paragraph [inaudible] what do
you think the Federal Government's role should be here in
ensuring that this does not happen here?
Mr. Olson. So first off, RSA's continued position is,
taxpayers' dollars should not be used to be subsidizing the
state-owned enterprise from China period, end of story.
Second, I would love to work with all of you as we look at
other ways to do bans or outright bans on this technology from
being on our system. I think it is too scary to allow Chinese
government-directed company to operate in the United States
especially when they are building a good chunk of the materials
in China itself.
Mrs. Watson Coleman. Because the interest actually is not
blowing us up as it is much as just owning us?
Mr. Olson. Tracking us.
Mrs. Watson Coleman. Owning us.
WMATA which oversees the Washington Metro System was
currently working to procure new rail cars and updates its
procurement requirements to include the enhanced [inaudible]
safeguards.
Mr. Olson. RSA's position is as, Mr. Lewis, stated, it is
never enough. If you are going to be building components and
parts in China, you can never do enough to mitigate. Our
position at RSA continues to be risk avoidance, let's just not
buy them.
Mrs. Watson Coleman. So let's not allow our money to be
spent on purchasing Chinese----
Mr. Olson. Correct.
Mrs. Watson Coleman. OK.
I am good. Thank you.
I yield back.
Mr. Correa. Thank you very much for those questions.
Now I would like to recognize the good lady from Texas, Ms.
Jackson Lee.
Ms. Jackson Lee. Thank you very much Mr. Chairman.
Having just come in, let me first of all thank the
witnesses of the first panel and thank those of the second
panel [inaudible] events I have been on this committee since 9/
11 and have seen the maturing of terrorist potential and
utilization of now technology different from bringing down a
plane or using it as a torpedo into major structures here in
the United States, though it certainly is well-known that
certain elements still believe that aviation is a crucial and
serious part, but I would be interested--or infrastructure is a
crucial and serious part of potential of attacking the United
States.
So, I am going to ask each of your question as to whether
or not you are--do you think we are fully prepared for zero-day
potential events; start with, Ms. Gagliostro?
Ms. Gagliostro. So I would say, in dealing with any sort of
cybersecurity threats, the most important way for us to be
prepared and respond is through working with our Federal
partners on having strong information sharing on what we are
learning so zero-day threats are always a challenge because it
is what you don't know yet but I think being cognizant of the
threat indicators and patterns of behavior and paying attention
to those that we can be alerted to those threats quickly as
possible.
Ms. Jackson Lee. You think the United States should address
those questions through legislation that would emphasize the
partnership between the Federal Government and the private
sector?
Ms. Gagliostro. I think the best way to address that is
through strong partnership between the Federal Government and
the private sector.
Ms. Jackson Lee. So legislation that dictates that would be
helpful?
Ms. Gagliostro. To the extent that we don't think it is
effective today.
Ms. Jackson Lee. Mr. Lewis.
Mr. Lewis. Thank you. First, I would distinguish between
state and non-state actors. No terrorist group currently has
the capability nor will acquire in the foreseeable future the
capability to launch a damaging cyber attack. This has been
true for years, it is based on evidence from a number of----
Mr. Correa. Could you repeat that please?
Mr. Lewis. No terrorist group currently has the capability
to launch a damaging cyber attack.
Ms. Jackson Lee. But please know that my zero-day is not
limited to nation-states.
Mr. Lewis. Exactly right. We have 4 very capable opponents
who have certainly done the reconnaissance to launch these
kinds of attacks against----
Ms. Jackson Lee. Why don't you just recite their names for
the records?
Mr. Lewis. Russia, China, Iran, and North Korea, right,
they all have the capability, it is a question of when they
would use it so on the defensive side all the work that you
have heard from my colleagues, perhaps some improvement in
standards.
On the offensive side, as we discussed earlier [inaudible].
Ms. Jackson Lee [continuing]. Be effective focusing the
Government on those issues?
Mr. Lewis. Ma'am, I have asked senior officials at DHS, if
they need more legislative authority, their position is no, but
I think it would be useful to look and see where there are gaps
in the existing legislation that might help them do better at
protecting------
Ms. Jackson Lee. Then they do need it because there are
gaps.
Mr. Olson [continuing]. And then, Mr. Hultquist, you
follow?
Mr. Olson. I would agree with my colleagues on the panel
here and we would not oppose further legislation if it gives
more authority to fill as you said gaps for DHS.
You know, our position from the Rail Security Alliance is
that we have already allowed the Chinese in and that we need to
stop the bleeding and not have them further infiltrate more
transit systems and especially the freight systems so we are
looking at it from that angle of hardware in the United States
already.
Ms. Jackson Lee. Thank you.
Mr. Hultquist. We have had good success anticipating a lot
of these events by looking at the places where these actors are
most active--Ukraine, the Middle East, South Korea--so I would
argue that getting that information, the observables out of
those spaces to the private sector who would likely bear the
brunt of any attack is probably the most important thing we can
do.
Ms. Jackson Lee. So if you have any legislation that
focuses on some of the elements that you have just mentioned--
--
Mr. Hultquist. Absolutely, enforcing public-private
partnership I think would be really important.
Ms. Jackson Lee. Just last question, Mr. Chairman,
cybersecurity is becoming harder because of the connected
nature of wireless technology, how long can we secure large
complex systems when very small devices can pose risks? Whoever
feels most capable to answer that question, I would be
delighted.
Mr. Lewis. I will start. We can't secure them now so it is
hard to see how it gets much worse but I think that as you add
more and more connected devices, the ability to create some
sort of havoc--we talked about the smart doorbells.
Another one I just heard about is you know, those visible
braces you have got? Some of them are connected to the internet
and you can just think of endless numbers of complications,
between smart cars, smart ships, robots; they are moving into a
world where the number of things that can be hacked is growing
exponentially.
Ms. Jackson Lee. Thank you.
So anyone else on how do we--yes sir?
Mr. Hultquist. We add more potential for disruption but we
also add more factors for the threat actors to gain access to
critical systems or systems that we care about.
Ms. Jackson Lee. Anyone else.
Mr. Chairman, I will just conclude by saying that there are
gaping holes with our cyber system. This committee is best
suited to try to address those questions and gaping holes can
create opportunities for havoc and I think this committee and
the Oversight on Transportation, Natural Gas, is crucial in its
work and I hope we will pass legislation dealing with some of
these very large holes that----
Mr. Correa. I concur with you, Ms. Jackson Lee, and I
think----
Ms. Jackson Lee. They create danger.
Mr. Correa. We have got a job to do here in terms of
addressing those gaping holes.
It seems like every time we turn around there is a new
toothbrush with a chip on it so when you are brushing your
teeth somebody's going to know how many times you do it a day
and my point is there is no privacy anymore and it looks like
all of our information is interconnected in some form or
another, whether it is a commercial venture, a state somewhere
around the world so, Mr. Lewis, you intrigue me again with your
comments about the deterrence, is there a price to pay for what
and when, and when does that trigger?
Good questions.
I want to thank all the witnesses for their valuable
testimony and all the Members here for their questions.
The Members of the committee may have additional questions
for the witnesses and we ask that you respond to them
expeditiously and in writing. Pursuant to Committee Rule
VII(D), the hearing record will be held open for [inaudible].
Thank you to all the committee Members, of both committees,
or I should say panels.
We stand adjourned.
[Whereupon, at 12:22 p.m., the subcommittees were
adjourned.]
[all]