[Senate Hearing 116-451]
[From the U.S. Government Publishing Office]


                                                       S. Hrg. 116-451

                           CYBERSECURITY_2020

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS


                             SECOND SESSION

                               __________

         WHAT STATES, LOCALS, AND THE BUSINESS COMMUNITY SHOULD
 KNOW AND DO: A ROADMAP FOR EFFECTIVE CYBERSECURITY, FEBRUARY 11, 2020

         EVOLVING THE U.S. CYBERSECURITY STRATEGY AND POSTURE:
          REVIEWING THE CYBERSPACE SOLARIUM COMMISSION REPORT,
                              MAY 13, 2020

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

                              

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
40-972 PDF                  WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------
   

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
                   Joseph C. Folio III, Chief Counsel
              Colleen E. Berny, Professional Staff Member
               David M. Weinberg, Minority Staff Director
   Christopher J. Mulkins, Minority Senior Professional Staff Member
     Jeffrey D. Rothblum, Minority Senior Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson 



    Senator Peters 



    Senator Hassan 



    Senator Lankford 



    Senator Carper 



    Senator Portman..............................................    25
    Senator Sinema 



    Senator Rosen 



    Senator Hawley...............................................   134
    Senator Romney...............................................   142
Prepared statements:
    Senator Johnson 



    Senator Peters 




                               WITNESSES
                       Tuesday, February 11, 2020

Hon. Christopher C. Krebs, Director, Cybersecurity Infrastructure 
  Security Agency, Department of Homeland Security...............     3
Amanda Crawford, Executive Director, Department of Information 
  Resources, State of Texas......................................     5
Christopher DeRusha, Chief Security Officer, Cybersecurity and 
  Infrastructure Protection Office, State of Michigan............     7

                     Alphabetical List of Witnesses

Crawford, Amanda:
    Testimony....................................................     5
    Prepared statement...........................................    54
DeRusha, Christopher:
    Testimony....................................................     7
    Prepared statement...........................................    65
Krebs, Hon. Christopher C.:
    Testimony....................................................     3
    Prepared statement...........................................    48

                                APPENDIX

CISA Report......................................................    70
Responses to post-hearing questions for the Record:
    Mr. Krebs....................................................   101
    Ms. Crawford.................................................   114
    Mr. DeRusha..................................................   117

                               WITNESSES
                        Wednesday, May 13, 2020

Hon. Angus S. King, Jr., Co-Chair, Cyberspace Solarium Commission   122
Hon. Mike Gallagher, Co-Chair Cyberspace Solarium Commission.....   123
Hon. Suzanne E. Spaulding, Commissioner, Cyberspace Solarium 
  Commission.....................................................   124
Thomas A. Fanning, Commissioner, Cyberspace Solarium Commission..   126

                     Alphabetical List of Witnesses

Fanning, Thomas A.:
    Testimony....................................................   126
    Joint prepared statement.....................................   162
Gallagher, Hon. Mike:
    Testimony....................................................   123
    Joint prepared statement.....................................   162
King, Jr., Hon. Angus S.:
    Testimony....................................................   122
    Joint prepared statement.....................................   162
Spaulding, Hon. Suzanne E:
    Testimony....................................................   124
    Joint prepared statement.....................................   162

                                APPENDIX

Statement submitted by CHIME.....................................   174


                 WHAT STATES, LOCALS, AND THE BUSINESS


 
  COMMUNITY SHOULD KNOW AND DO: A ROADMAP FOR EFFECTIVE CYBERSECURITY

                              ----------                              


                       TUESDAY, FEBRUARY 11, 2020

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 9:39 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Portman, Lankford, Romney, 
Hawley, Peters, Carper, Hassan, Sinema, and Rosen.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will come to 
order. I want to thank all of our witnesses for their very 
thoughtful written testimony. I am looking forward to your 
answers to our, hopefully, thoughtful questions.
    I am just going to ask that my written statement be entered 
into the record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 45.
---------------------------------------------------------------------------
    I will just keep my comments brief.
    This hearing really came about after I sat down with 
Director Krebs a couple weeks ago, and the point the Director 
is making to me--and I do not want to steal all of his thunder 
is--95 percent of ransomware and so many cyberattacks can be 
prevented, with just basic cyber hygiene. So I want to really 
talk about that.
    So the bottom line and the purpose of this hearing is to--
because I have always said the first line of defense in any 
kind of cybersecurity issues is public awareness, understanding 
what is out there, the sharing of threat information, which is 
a key role of Cybersecurity and Infrastructure Security Agency 
(CISA).
    But, again, having read all the testimony, this ought to be 
pretty good. We have the Federal. We have State and local here, 
but we have with Ms. Crawford, a pretty relevant example of 
what happens when an attack occurs within a State under 
multiple jurisdictions. And what happened, kind of going 
through that case study, I think it would be extremely 
effective. To me, it seemed like a pretty good success story 
when all is said and done based on really what could have 
happened and how long those industries could have been shut 
down.
    So, again, just really looking to raise the profile for the 
public in terms of how serious these cyberattacks are, how 
pervasive they are, and just basic things you can do to protect 
yourself, and that is the main purpose of the hearing.
    So, with that, I will turn it over to Senator Peters.

             OPENING STATEMENT OF SENATOR PETERS\1\

    Senator Peters. Thank you, Mr. Chairman, and also thank you 
to all of our witnesses for coming here today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appear in Appendix on 
page 46.
---------------------------------------------------------------------------
    I am especially pleased that we have Chris DeRusha with us 
here today. He is the Chief Security Officer for the State of 
Michigan and an important partner in combating cyberattacks in 
my home State.
    Chris, I also want to congratulate you on welcoming a baby 
boy last month--actually 2 weeks, 2 weeks old now?
    Mr. DeRusha. That is right. About 2\1/2\ weeks.
    Senator Peters. Two and a half weeks and----
    Chairman Johnson. He looks well rested.
    Mr. DeRusha. We are still counting days.
    Senator Peters. Still counting days.
    As I mentioned to him in the back room, we were happy to 
give him a night last night so he could sleep the entire night 
when he came here to Washington. But thank you for coming and 
appreciate your wife allowing you to be here with us here 
today.
    The cyber threats facing our Nation are becoming 
increasingly sophisticated and we are all at risk--families, 
government agencies, schools, small businesses, and critical 
infrastructure.
    In today's digital world, State and local governments are 
responsible for safeguarding everything from election systems 
to very sensitive personal data, including Social Security 
numbers, credit card information, and of course, medical 
records.
    State and local governments do not always have the tools, 
unfortunately, to defend against cyberattacks. Financial 
constraints, workforce challenges, and outdated equipment, I 
know are all serious challenges for States and cities.
    Attackers always look for the weakest link, and that is why 
we must ensure that everyone from small businesses to our State 
and local governments have the tools that they need to prevent, 
detect, and to respond to cyberattacks.
    That is why I introduced common sense, bipartisan 
legislation with my colleagues on this Committee to help 
bolster our cybersecurity defenses at all levels of government.
    I introduced the bipartisan DOTGOV Act with Chairman 
Johnson and Senator Lankford to help State and local 
governments transition to a more trusted and secure dot-gov 
domain.
    I also introduced the State and Local Government 
Cybersecurity Act with Senator Portman. This will help the 
Department of Homeland Security (DHS) share timely information, 
deliver training and resources, and provide technical 
assistance on cybersecurity threats, vulnerabilities, and 
breaches in States and localities.
    In 2016, in my home State of Michigan, hackers used a 
ransomware attack on the Lansing Board of Water and Light, 
forcing taxpayers to pay a $25,000 ransom to unlock the 
targeted computer systems. My bill would give cities and States 
the tools to prevent and respond to these kinds of attacks more 
effectively.
    Recently, Richmond Community Schools in Michigan were 
closed for a week due to a similar attack demanding a $10,000 
payment. Luckily, their data was not compromised, but this 
attack exposes a dangerous vulnerability as schools maintain a 
considerable amount of sensitive records related to their 
students and employees, including family records, medical 
histories, and employment information.
    I introduced the K-12 Cybersecurity Act with Senator Scott 
to protect students and their data by providing better 
cybersecurity resources and information to K-12 Schools in 
Michigan and well as across the Country.
    It is clear that these kinds of attacks are only growing 
and that they pose a serious risk, and I will continue working 
to ensure that all of our State and local governments have the 
resources, information, and expertise that they need. I will 
keep working with my colleagues on this important issue, and 
you can see that this Committee is very active in this issue as 
well.
    I look forward to hearing your testimony as to how we can 
continue these important efforts.
    Thank you again.
    Chairman Johnson. Thank you, Senator Peters.
    It is the tradition of this Committee to swear in 
witnesses. So if you will all stand and raise your right hand. 
Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Krebs. I do.
    Ms. Crawford. I do.
    Mr. DeRusha. I do.
    Chairman Johnson. You may be seated.
    Our first witness is Christopher Krebs. Mr. Krebs is the 
Director of the Cybersecurity Infrastructure Security Agency at 
the U.S. Department of Homeland Security. Previously, Mr. Krebs 
worked within DHS as the Senior Advisor to the Assistant 
Secretary for Infrastructure Protection and helped establish a 
number of national risk management programs.
    Prior to joining DHS, Mr. Krebs was the Director of 
Cybersecurity Policy for Microsoft, leading their work on 
cybersecurity and technology issues. Mr. Krebs.

 TESTIMONY OF THE HONORABLE CHRISTOPHER C. KREBS,\1\ DIRECTOR, 
  CYBERSECURITY INFRASTRUCTURE SECURITY AGENCY, DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Krebs. Chairman Johnson, Ranking Member Peters, and 
Members of the Committee, thank you for the opportunity to 
testify regarding the Cybersecurity and Infrastructure Security 
Agency's support to State, local, tribal, and territorial 
(SLTT) partners and the private sector to mitigate a broad 
range of cyber threats.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Krebs appear in the Appendix on 
page 48.
---------------------------------------------------------------------------
    Today I would like to discuss how we at CISA see the 
current cyber landscape, how we are posed to assist State and 
local governments, and where we need to go to be most 
effective. This perspective is informed by events and 
experiences over the last several years, some successful and 
others representing humbling moments where we did not quite get 
it right.
    It is important to start by understanding CISA's role. We 
work with partners across all levels of the government and the 
private sector to defend today and secure tomorrow.
    We are the Nation's risk advisor, providing information and 
resources to our partners on a voluntary basis so that they 
make more informed risk management decisions. This approach 
embraces a sense of shared responsibility across all levels of 
government and industry and reflects the reality that the 
landscape, the Nation's critical infrastructure, is primarily 
owned and operated not by the Federal Government, but by our 
partners in industry and State and local government.
    This distributed landscape is further complicated by a 
range of issues, including inadequate governance structures, 
workforce challenges, insufficient resources to maintain 
networks, outdated technologies, and new technologies maybe we 
do not really understand.
    Unfortunately, these dynamics converge to provide an 
attractive playing field for a range of threat actors. The 
headlines tend to focus on the advanced threats posed by State-
sponsored cyber actors like China, Russia, Iran, and North 
Korea.
    Just yesterday, the Department of Justice (DOJ) indicted 
Chinese actors for the Equifax hack. Earlier in the year, 
increased tensions with Iran led to headlines of imminent 
cyberattacks on all manner of our Nation's infrastructure, and 
then there is Russia, Russia's efforts to interfere with our 
elections and target energy systems.
    And yet there is a strong argument that the more pressing 
threat, the threat that the average American will most likely 
encounter comes from criminals in the form of ransomware.
    According to a recent report from EMSISOFT in 2019, 
ransomware attacks impacted at least 966 government agencies, 
educational institutions, and health care providers at a 
potential cost of $7.5 billion.
    What is even more concerning, these statistics are based on 
what we know. We suspect that the majority of ransomware 
attacks are not reported to law enforcement or CISA. It is 
clear that victims are paying, and as they pay, ransomware 
crews are getting better. In other words, ransomware is a 
business, and business is good.
    We have been working to get a better understanding of the 
broad range of risks and seeking to find a common set of 
threads across the threat actors alongside easy-to-understand 
and achievable defensive measures.
    In part, we want to demystify cybersecurity so that the 
entire team from the Chief Executive Officer (CEO) down, not 
just CISA, not only understand but are an active part of the 
defense. In many cases, it is doing the basics like good 
vulnerability management, using multifactor authentication and 
managing administrative privileges, offline backups, and having 
and testing an incident response plan.
    But even doing the basics can be hard in today's massive 
dynamic networks. The point is not 100 percent security. It is 
to make it harder for the bad guys to gain a foothold and then 
move around.
    All that said, the steps we have taken thus far have not 
done enough to meaningfully change the dynamics, particularly 
with ransomware. There is more that we can do, starting with 
improving our collective defense posture. We have to continue 
increasing awareness of the risks and sharing best practices.
    We also must make it easier for our State and local 
partners to work with us in the Federal Government. In part, 
that is by deploying additional dedicated risk advisors, State 
coordinators to the field with clear expectations on what 
services or assistance to expect from the Federal Government 
and what our State or industry partners need to have in-house 
or contracted.
    We also have to bring more value to our partners by 
listening and learning to what it is they actually need. Here, 
the Federal Government can truly shine by developing and 
deploying scalable capabilities, like our cyber hygiene 
scanning and remote capabilities, like remote penetration 
testing, as well as training and exercises, like our recently 
released ransomware Tabletop Exercise in a Box.
    I recognize and appreciate the Committee's strong support 
and diligence as it works to understand this emerging risk and 
identify additional authorities and resources needed to address 
it head on.
    We at CISA are committed to working with Congress to ensure 
our efforts cultivate a safer, more secure, and resilient 
homeland through our efforts to defend today and secure 
tomorrow.
    Thank you for the opportunity to appear before the 
Committee today, and I look forward to your questions.
    Chairman Johnson. Thank you, Director Krebs.
    Our next witness is Amanda Crawford. Ms. Crawford is the 
Executive Director of the Texas Department of Information 
Resources (DIR). In this role, she is responsible for 
implementing the State's technology strategy and defending its 
technology infrastructure.
    Before leading the Department of Information Resources, Ms. 
Crawford served in multiple positions at the Office of the 
Attorney General of Texas, including the Deputy Attorney 
General for Administration and General Counsel (GC). Ms. 
Crawford.

TESTIMONY OF AMANDA CRAWFORD,\1\ EXECUTIVE DIRECTOR, DEPARTMENT  
           OF  INFORMATION RESOURCES, STATE OF TEXAS

    Ms. Crawford. Thank you, Chairman Johnson, Ranking Member 
Peters, and Members. My name is Amanda Crawford. I serve as 
Executive Director for the Texas Department of----
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Crawford appears in the Appendix 
on page 54.
---------------------------------------------------------------------------
    As Chairman Johnson said, I am Amanda Crawford, Executive 
Director of the Texas Department of Information Resources. 
Thank you for inviting me to testify on this important topic 
here today.
    Our mission at DIR is to serve Texas Government by leading 
the State's technology strategy, protecting State technology 
infrastructure, and offering innovative and cost-effective 
solutions for all levels of government.
    Today I will provide the Committee with an overview of the 
August 2019 Texas ransomware attack and recommendations for how 
Texas can benefit from greater Federal resources in the future.
    State preparation and cooperation were the keys to our 
successful response in the August ransomware incident. On 
Friday, August 16, at 8:36 a.m., DIR was notified that eight 
local governments had been simultaneously attacked by the same 
ransomware event. At 10:30 a.m., it was reported to me that 
there were now 19 impacted entities, and the attack had 
compromised a municipal water system.
    At that point, I notified the Office of the Governor, and 
shortly thereafter, Governor Abbott issued the State of Texas' 
first statewide disaster declaration for a cyber event. That 
disaster declaration activated the State Operations Center 
(SOC) to 24/7 operations.
    As you know, things went smoothly from there with DIR 
leading the incident response effort in partnership with six 
State agencies, private vendors, the Federal Bureau of 
Investigation (FBI), DHS, and the Federal Emergency Management 
Agency (FEMA). All involved should be proud that one week after 
the incident began, all 23 impacted entities were remediated to 
the point that State support was no longer needed, and no 
ransom was paid.
    This success can be attributed to the extensive preparation 
at the State level and cooperation between the responders. 
These preparations included State legislation that added a 
cyber event to the definition of a disaster, a frequently 
tested cybersecurity annex to the State Emergency Management 
Plan, and a pre-negotiated managed security services contract 
that is available to all levels of Texas government to prepare 
for and respond to cyber events.
    While Texas is proud of the success and the timeliness of 
how this event was handled, we must focus on the future. The 
threat landscape of cybersecurity is ever evolving, and we 
cannot be caught only able to handle yesterday's battles.
    Additionally, we must now focus on the scope of the attack. 
In August, the managed information technology (IT) service 
provider that was attacked was small enough that even if all of 
its clients had been compromised, the response model that we 
had in place would have worked, but if the numbers had been 
three or four times greater, the model would have been 
stretched beyond its design.
    In order to prepare for tomorrow's threats, we need 
additional resources at both the State and Federal level. A few 
recommendations would be, one, better sharing of classified 
information with State government. If Texas and other States do 
not have greater awareness of threats, which could affect us, 
we cannot be effective in stopping them.
    Two, increasing CISA resources per region. One person to 
deal with close to 9 percent of the United States population 
and the world's tenth largest economy is simply not sufficient.
    Three, clearly communicating what Federal resources are 
available to State and local governments. This information 
needs to be plainly articulated and shared with State and local 
governments, long before we are in the midst of a crisis. A 
single Federal point of contact for cyber events would be 
invaluable.
    Four, balancing the law enforcement need to protect 
investigations with the ability to share information about 
active threats. Having spent nearly 20 years in the Texas 
Attorney General's office, I am very familiar with law 
enforcement and the need to protect sensitive investigation 
information. However, we need to change the default setting in 
these cyber situations from what can we share to what must we 
not share. We are appreciative of the partnership with the FBI 
and would ask that they review whether more information could 
be released.
    Five, expand resources at DHS to shorten wait times for 
their voluntary services. Due to the popularity of some of 
CISA's very valuable services, the wait times can be a minimum 
of 18 months. In cybersecurity, 18 months represents a full 
generation of change and advancement.
    And, six, expanding event notification from Multi-State 
Information Sharing and Analysis Center (MS-ISAC). MS-ISAC is a 
valuable partner for Texas' cybersecurity program. Frequently, 
however, MS-ISAC will not inform us at DIR when an incident has 
occurred at a Texas local government entity. This puts the 
State and local governments at a disadvantage from a response 
recovery or prevention perspective. Old news or partial news 
does not equip State and local governments for responding 
effectively to these cyberattacks.
    In summary, DHS and MS-ISAC provide very valuable 
information and services to Texas when it comes to protecting 
its critical assets and information. While improvements can be 
made, we are engaged in a continuing dialogue with both 
organizations to evolve the services and the information we 
both share.
    Texas stands ready to assist in the continuing effort to 
enhance the security of our Nation's assets and provide input 
when needed.
    I want to again thank the Committee for inviting me here to 
share our perspective with you and look forward to any 
questions you might have.
    Chairman Johnson. Thank you, Ms. Crawford. I can tell by 
some of the reactions of Director Krebs, he liked some of your 
recommendations, probably all of them.
    Our final witness is Christopher DeRusha. Mr. DeRusha is 
the Chief Security Officer for the State of Michigan. 
Previously, he led Ford Motor Company's Enterprise 
Vulnerability Management and Application Security Program. Mr. 
DeRusha also served in the Obama Administration as a Senior 
Cybersecurity Advisor at the Office of Management and Budget 
(OMB), as an Advisor to the Deputy Undersecretary for 
Cybersecurity at DHS. Mr. DeRusha.

 TESTIMONY OF CHRISTOPHER DeRUSHA,\1\ CHIEF SECURITY OFFICER, 
 CYBERSECURITY AND INFRASTRUCTURE PROTECTION OFFICE, STATE OF 
                            MICHIGAN

    Mr. DeRusha. Thank you, Chairman Johnson, Senator Peters, 
and other Committee Members for inviting me to testify today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. DeRusha appears in the Appendix 
on page 65.
---------------------------------------------------------------------------
    As the Chief Security Officer for the State of Michigan, I 
am excited for this opportunity to highlight the steps we are 
taking to better secure our State, but also to discuss some of 
the enduring challenges that we face at the State and local 
level nationally.
    It is no surprise to the Members of this Committee that the 
thread environment we face is, in a word, daunting. Attacks on 
government organizations at all levels continue to rise and 
demonstrate the ever-expanding resources and skills of our 
adversaries.
    One small example, at the State of Michigan, our firewalls 
repel over 90 million potientially malicious probes and 
intrusion attempts every day, and we are far from unique.
    I would like to start by providing a brief overview of our 
efforts at the State level in Michigan. For over a decade now, 
State-level IT and cybersecurity have been centralized under 
one agency, the Department of Technology, Management, and 
Budget. Centralization has enabled the State to enforce common 
security policies, standards, controls across agencies and 
leverage economies of scale when we are procuring new 
technology.
    Some successes we have had as a result are standardized 
risk assessment and security accreditation process for all new 
systems that come into the State; the ability to apply IT 
governance and enforce security policies at all of the State 
agencies; mandatory cyber awareness training and phishing 
exercises, a common operating picture of threats that we face 
for the entire State enterprise; and the ability to act with 
command and control when we respond to incidents.
    In Michigan, we work as a team across several organizations 
with cybersecurity responsibilities, which have been formally 
delineated in a Cyber Destruction Response Plan. Michigan Cyber 
Security (MCS), within my group, hosts a Cybersecurity 
Operations Center with advanced capabilities such as threat 
hunting, incident response, forensics, and vulnerability 
management.
    Michigan State Police's (MSPs) Michigan Cyber Command 
investigates computer-based crimes and coordinates cyber 
emergencies across the State. Where Department of Technology, 
Management, and Budget (DTMB) is primarily focused on 
protecting State-level agencies, Michigan State Police works 
across the State to protect all.
    And Michigan is also fortunate to have both Air and Army 
National Guard units in the State. We work closely with our 
colleagues in the Guard to formalize our coordination in times 
of emergency through joint interactions and exercises.
    While a close working relationship with DTMB, State Police, 
and National Guard is essential, another key relationship we 
have is with DHS's CISA. Michigan is fortunate enough to have a 
cybersecurity liaison dedicated to our State. By having that 
direct line to DHS, we are able to incorporate Federal 
Government threat information into our decisions and streamline 
access to the Federal expertise and resources.
    To that end, the Cybersecurity State Coordinator Act would 
be a major asset to State and national cybersecurity efforts by 
ensuring greater continuity between efforts of State and 
Federal Government, but it would also provide a stronger State 
voice within CISA, helping them better tailor their assistance 
to States and localities who have widely varying levels of 
maturity and needs.
    The State and Local Government Cybersecurity Act, Senate 
Bill 1846, would help States like Michigan access resources, 
tools, training, and expertise developed by our Federal 
partners and national security experts.
    So I want to sincerely thank both the Chairman and Ranking 
Member and the numerous Members of this Committee for their 
bipartisan leadership on these pieces of legislation. The State 
of Michigan fully supports these efforts in seeing both bills 
enacted into law.
    I would like to wrap up my remarks by highlighting the 
needs and challenges of our local government partners. 
Governments at the Federal, State, and local level interact 
with each other digitally every day. So this interdependency 
means that improving the security of any of these levels of 
government requires enhancing security for all.
    As much as State governments face shortages of human and 
financial resources, they are far more scarce for local 
government. Of Michigan's 83 counties, we are home to 
approximately 10 million residents, and only three of these 
counties have uniquely designated chief information security 
officers. Even their websites face legitimacy challenges as 
less than 10 percent use the dot-gov domain, opting instead for 
the easier-to-obtain dot-com, dot-net, or dot-org domains.
    The DOTGOV would seek to ease the process for these 
governments to obtain dot-gov domain names, providing sites 
themselves with greater security, and offering greater 
assurances to residents that they are, in fact, looking at a 
government website. This act is an important step in the right 
direction, and I am very hopeful this will be enacted into law.
    The State of Michigan has also been proactive in developing 
innovative ways to provide support to county and local 
governments. In 2018, our Chief Information Security Officer 
(CISO)-as-a-Service initiative leveraged a centralized pool of 
cybersecurity experts to advise a pilot group of counties on 
their security posture and provide an improvement roadmaps. 
While that benefited those 13 pilot participants, we have over 
1,600 local government networks to secure, to work to secure in 
the State.
    So a successor program, Cyber Partners, is trying to pull 
together a more scalable model to help all counties and local 
governments.
    We are piloting a new initiative that would assess risk 
posture against the CIS top 20 critical controls, develop 
prioritized improvement plans for each local entity, and 
potentially provide additional consultative and managed 
security service on the back end. This work has been essential 
to State and county as we prepare for the upcoming 2020 
elections as well.
    In addition to helping counties and localities improve 
their defensive postures, Michigan is also taking steps to help 
them respond to incidents when they do occur. We have the 
innovative Michigan Cyber Civilian Corps, which is an 
organization of highly qualified cybersecurity professionals 
that have volunteered their skills to respond to incidents at 
critical infrastructure, county, or local government 
organizations. Currently, 100-plus members, strong and growing, 
the group has worked alongside Michigan State Police to help 
numerous organizations respond to significant compromises.
    In closing, our Country's State and local governments are 
on the frontlines of digital conflict, attacked daily by highly 
resourced, advanced, persistent threats, and there remains a 
great deal of work to do to protect the networks we rely on to 
provide essential services to our Nation's public.
    The State of Michigan greatly appreciates the attention 
paid to this issue by the Members of this Committee, and we 
look forward to continuing to work with you to secure our 
critical infrastructure and protect our residents.
    Chairman Johnson. Thank you, Mr. DeRusha.
    I am going to start today. Normally, I kind of defer, but I 
want to kind of set the tone a little bit.
    When I first got here in 2011, that was really when we 
started seeing some of these big cyberattacks. I cannot 
remember the exact timing, but when I got here, everybody said 
we got to do something about cybersecurity.
    So when I was sitting over there on the Committee, I would 
always ask the question: What are the top few things we need to 
do?
    It was always very consistent. The first thing was 
information sharing, which I think we have come a long ways 
toward achieving. It is far from perfect, but I think DHS has 
been recognized as sort of the hub in Federal Government to do 
it. The other one was a data breach notice, some kind of 
national preemptive policy.
    So, silly me, I thought, well, these ought to be two pretty 
simple things to accomplish. Nothing could have been further 
from the truth in terms of data breach for a host of reasons.
    Mr. Krebs, real quick, on a scale of zero to 100, we have 
done nothing to we are at perfection, how far down that road in 
terms of government and private-sector awareness and defense 
are we? I realize this is very subjective, but I want a little 
comfort that we are actually improving. Where were we in 2011?
    Mr. Krebs. 2011, from a State and local perspective, even a 
Federal Government perspective, closer to that kind of zero 
side. I think we are now maybe about halfway across that 
spectrum.
    One thing I would point to is last year's RSA conference. 
Every year, it has a theme. Last year's conference theme was to 
work better, which I take as yes. They are across the C-Suite, 
across the leadership ranks. We are getting more awareness. 
That is really the key. It is that leadership is paying 
attention, is investing, not just the CEO, but the boards, the 
general counsels. Why is that important? Because awareness at 
the leadership ranks leads to investment, which builds 
capabilities.
    You cannot have any of those second-or third-rank items 
without awareness. Awareness takes time, and it takes steady, 
constant engagement. It will not happen overnight. This will 
not be fixed next year. This will take years and years and 
years to continue to get out there and engage.
    Chairman Johnson. But the beauty about cyber defenses is 
they really can be--you do not have to build a fence. I mean, 
you can literally, with the speed of light, where people are 
prepared, you can understand a threat signature and put up the 
defense, correct?
    Mr. Krebs. That is one aspect of defense. It is layered 
defense.
    We have developed a set of recommendations called ``Cyber 
Essentials,'' and basically, we have broken it down into the 
key attributes of success for any effective cybersecurity 
program. It has a strategic element, a technical element, and a 
tactical element.
    The strategic element, it starts at the top. You have to 
have leadership, buy-in. You also have to have a security 
culture across the organization where everybody is a part of 
it, where people are not at the end point clicking on bad 
links.
    The second piece, the technical piece, is about asset 
management, good governance across the organization, but also 
identity management where you are limiting the ability of 
people to make certain changes across their environment, and 
then managing.
    The last piece, as the way I see it right now, is the most 
important. You have to have a good incident response plan that 
you test, and you have to have recoverable backups, and you 
test them as well. That is what is so critical right now in 
ransomware, and that is why Director Crawford was so successful 
across the State of Texas. They had a plan, and they had 
recoverable backups.
    Chairman Johnson. So we obviously deal with FEMA as well, 
and the basic model is the local governments are the first 
responders. When they are overwhelmed, they call on the State. 
When the State is overwhelmed, it calls in the National 
Government.
    But FEMA on a national level, Federal Government, is 
certainly helping, prior to any incident, State and local 
governments prepare. I view that as the exact same model within 
CISA.
    And it is just not like you are going to come--and we can 
talk about this later with what happened in Texas. It is not 
like DHS is going to come and solve your problem. It is about 
making awareness. It is about setting you up for success if 
something were to happen, but in the end, it is the individual. 
It is the enterprise at the State or local government that is 
going to have to respond and fix this themselves, correct?
    Mr. Krebs. Yeah, that is right.
    Chairman Johnson. With help from----
    Mr. Krebs. In fact, the National Cybersecurity Incident 
Response Plan (NCIRP) is the cyber annex to the National 
Response Framework (NRF), which FEMA maintains.
    I am pushing my team into a position where our advisors are 
more along the lines of the National Incident Management 
Assistance Team (IMAT), where we come in, and we are not hands 
on keyboard recovering the networks of Texas and the individual 
counties, because we do not know those networks. They have 
resources in place. Your Managed Security Service Providers 
Service Level Agreements (MSSP SLA) is a perfect example of the 
things that need to happen at the State level, but we can come 
in and say, ``Here is what a good incident response plan looks 
like. Here is how you should prioritize a roadmap to recovery, 
and oh, yeah,'' when she is getting hit up by about 50 
different vendors, ``Here is what you need right now. Here is 
how to sort through some of that.
    Chairman Johnson. But I think it is extremely important 
that we kind of understand what the Federal Government's role 
is and respond accordingly, so you can set up the system, so 
you are prepared, so you do not expect the Federal Government 
to come in and say, ``Here, we are going to solve all your 
problems,'' once a disaster hits.
    The last point I want to make, reading through the 
testimony, obviously we are really focused on State, local, 
territorial, tribal governments. We are concerned about 
enterprise, the critical infrastructure.
    What is not really being covered, but I think the vast 
majority of Americans are concerned about, is their own 
cybersecurity. Ransomware attacks on individuals, I realize 
those are not going to be as profitable, because the fact that 
a big company can pay you millions, an individual maybe can 
only scratch up a couple hundred bucks.
    But I do want to, as you are responding to these to her 
questions from other Senators, kind of keep in mind the 
individual, and I will just ask the question right now. We all 
use our devices. These things, if you are tied into Wi-Fi, you 
are plugged in. They automatically back up every couple weeks. 
They back up to the cloud. Is that adequate? Can ransomware, if 
attacked on a device, even though you have backed that thing 
up, is that an adequate backup or not?
    So if you can just quickly drill down a little bit in terms 
of individual cybersecurity, what we are doing, what 
individuals need to know.
    Mr. Krebs. The more pervasive ransomware crews right now 
are focused on Windows-based systems across enterprises. Are 
there malware capabilities across personal devices? Yes, but as 
long as you have a modern device and keep the software updated, 
then you are generally OK as long as you also do not click on 
bad links and email go to sketchy websites, click on random 
text messages from people you do not know. There are things 
that the individual can do.
    The backup to the cloud is always a good idea, 
particularly, again, these enterprise clouds provided by the 
manufacturer.
    Chairman Johnson. That is an effective backup. Once every 2 
weeks, I mean, your photos, those things, your information is 
being backed up effectively, and even if you do suffer a 
ransomware attack, you should be able to recover.
    Mr. Krebs. Generally speaking.
    Chairman Johnson. Generally.
    Mr. Krebs. Ransomware across individuals is not quite as--
particularly in this iOS devices and the android devices, it is 
not quite as persistent or pervasive as you would see in the 
enterprise environment.
    Chairman Johnson. OK. Appreciate that. Senator Peters?.
    Senator Peters. Thank you, Mr. Chairman.
    Dr. Krebs, you mentioned in your opening comments, the list 
of foreign actors that are very sophisticated, that have been 
attacking us, including the Chinese attack on Equifax. 
Certainly, we are worrying about the election, potential 
interference again from the Russians.
    But we just had a major incident that heightened 
everybody's awareness, and that was after the Iranian attack. 
There was a very higher threat level associated with, perhaps, 
Iranian retaliatory cyberattacks.
    So can you give me an assessment of how the reaction--
looking back now in an after-action? Because we went through 
that. Luckily, nothing happened, to our knowledge, but is there 
a gap that we need to be aware of in terms of our response from 
the Federal level and there is a way for this Committee to help 
you fill that gap?
    Mr. Krebs. So the way I see it, the Department of Homeland 
Security in 2003 was established to do two things, at least my 
part of the organization, bring people together quickly and 
share information rapidly.
    When I look back at what we did in the wake of the 
Soleimani strike on a Friday, we rapidly pulled together a 
broad group of stakeholders and shared information about what 
we knew about the event and how we were thinking about the next 
few weeks or two and then the things that organizations should 
do. We held three calls: Friday afterwards, the next Tuesday, 
and then the following Friday.
    The first call, we had 1,700 connections on the line, and 
then the following Tuesday, we had 5,900 connections on the 
line. The following Friday, we had 5,400 connections.
    In fact, I heard from an individual. I was down in Texas a 
couple weeks ago, and I heard that the CISO, the city of Dallas 
was on the line.
    So these are the sorts of things that we know we can get 
out there and reach thousands, if not tens of thousands of 
people quickly, and share information and products.
    I think some of the feedback we got is that the products we 
sent out, including one we sent out on Monday, that was a--used 
the MITRE Adversarial Tactics, Techniques, and Common Knowledge 
(ATT&CK) Framework of techniques that the adversary uses 
aligned against detections and mitigations that would be 
effective across a network. Those are the sorts of things that 
we want to continue to push out.
    But, again, we pulled rapidly a broad group of stakeholders 
together, got them information that they could use.
    Going forward, I have to have a better playbook in hand. So 
we have done an after-action process. We have developed that 
playbook. We also have to get more resources out in the field. 
I cannot be effective if I am sitting here in Washington, DC. I 
need more dedicated State and local resources.
    The Cyber Coordinator Act, I think, would help us get along 
that way. One of the things I want to make sure I have is a 
State and local dedicated resource in every State Capitol. I am 
under-invested in cyber advisors. I have to get more resources 
out in the field, again, not hands on keyboard. We do not 
rebuild networks, but advising, helping build incident response 
plans, extracting best practices from Texas, from Louisiana, 
and then helping other States understand what they need to do 
as well.
    Senator Peters. Thank you.
    I am going to ask our two other witnesses to give your 
assessment after hearing about the information going out after 
the Soleimani attack.
    Mr. DeRusha, first off, did you get information quickly 
from the Federal Government? Was it adequate? What more would 
you have liked to have seen, and what additional resources 
would you need to bring to bear in order to make it more 
effective? You can answer kind of broadly and then Ms. Crawford 
afterwards.
    Mr. DeRusha. Senator, we did get information right away. 
Chris actually hosted a call sort of immediately and got a lot 
of stakeholders together, and even though there was not a lot 
to share yet, even saying that and letting us know that they 
were on it, thinking about us out in the State and local 
critical infrastructure, it was very helpful. Then in the 
ensuing days, we would get updates on what was known, products 
from the past on known techniques and procedures that that 
adversary uses, so that we can ensure that we are protecting 
ourselves and make sure everybody had that information. So I 
think that DHS did everything that they could to move fast and 
share information.
    I think one of the things we have been talking about here 
is we have discussed the Federal role, which is largely a 
support role. You have and run an operator network. You are 
responsible for it. What is interesting is across the Country, 
we are figuring out the State role. There are a lot of 
innovation going on.
    We have a saying in our community, ``If you have seen one 
State, you have seen one State,'' and we are trying to 
determine, within each State, how does that model work, which 
is why we need these DHS cybersecurity advisors dedicated to 
each State to help us tailor specific plans to our needs, which 
are quite varying.
    The one thing I would say is that the local government and 
critical infrastructure, municipal-owned critical 
infrastructure particularly, they need enduring support.
    As Chris said, DHS can come in and help respond to an 
incident, but to reconstitute a network and ensure those 
essential services continue to get delivered, that is where we 
are really focusing. I look forward to talking more about 
efforts that we have under way in our State today.
    Senator Peters. Great. Thank you. Ms. Crawford.
    Ms. Crawford. I would absolutely agree with Chris' 
assessment on the information that the States received relating 
to the Iranian event. It was extremely helpful. It was very 
timely. It was detailed.
    In fact, I know in Texas, we participated in the calls, and 
we also--I mean, we could not have written a more informative 
document and shared it on our own website to get out to our 
customers at the State and local level on that.
    If anything, really I would say that that was--and that is 
what I alluded to in my earlier comments about that ongoing 
dialogue and this--I do not want to say lessons learned as 
much. It is just this is a new space, and that although, as you 
mentioned, the cybersecurity issue, sir, is not new, it is 
becoming more prevalent. And if anything else, it is getting 
more attention. So leadership is becoming aware.
    Because it is that new space, we are all adapting to it, 
and we are all evolving and trying to figure out what this new 
normal, unfortunately, looks like. So the information we 
received on that latest event was extremely helpful when it 
came to that.
    Then as far as future resources, one of the things, again, 
it is that threat-sharing information, that it is timely, and 
that it is complete. One of the things that we look at--and I 
think the dedicated resources that is tailored to each 
individual State would be very helpful. Texas is unique, and 
building on Chris' comment, everyone is going to have a 
different structure. Every State will have a different 
structure and different maturity. So having a resource that 
understands the constraints within those States as far as 
security would be helpful.
    I think the other thing is trying to navigate, particularly 
in the midst of a crisis, what resources are available. Looking 
back to the August incident, really it was a matter of 
expectation-setting and understanding what exactly are the 
services that the Federal Government can offer, who offers 
them.
    We had multiple Federal partners, and depending on the type 
of event, you may, in fact, reach out to maybe Secret Service. 
Maybe it is FBI. Maybe it is DHS. There are a lot of different 
players, and I say this, working in government and knowing that 
we are not always easy to understand and understand who does 
what and what agency handles everything. So I am speaking from 
experience that I know that on a State level, we work really 
hard to try to improve our communications to our constituents 
and our agency customers on what services we can offer.
    So I think just that expectation-setting and understanding 
a clear playbook of what we can look for would be really 
helpful.
    Senator Peters. Great. Thank you.
    Chairman Johnson. Senator Hassan.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you, Mr. Chair and Ranking Members 
Peters for having this hearing. Thank you, all three of you, 
for being here today and for your service.
    I want to start, Director Krebs, with just following up on 
a little bit of the discussion we have already had. Your agency 
obviously has an enormously important and complex mission, and 
I want to thank you for all the hard work that you and your 
entire staff is doing.
    As we have all heard today, cyberthreats against State and 
local entities are dramatically increasing. Across the Nation, 
cities and States have suffered from debilitating ransomware 
attacks that are carried out to extort public funds.
    State and local governments, as our State witnesses have 
made clear today, often struggle both with a lack of available 
resources and with knowing where in the disjointed Federal 
bureaucracy to turn to for guidance and assistance.
    You have talked a little bit about the Cybersecurity State 
Coordinator Act. I am glad we have been able to introduce that 
on a bipartisan basis. Maybe you can expand a little on why 
that is so important and also what your agency is doing to 
ensure that State and local entities have clarity as to where 
in the Federal Government to turn to for help and how are you 
seeking to improve the relationship.
    Mr. Krebs. Yes, ma'am. Thank you for the question. We have 
already talked a little bit about FEMA and how incident 
response happens, which is a useful framing for the 
conversation, particularly when you think about how my agency, 
CISA, and the predecessor organization, National Protection and 
Programs Directorate (NPPD)--I have thankfully forgotten what 
NPDD stands for. But you have to think about how the 
organization was built; first and foremost, Federal network 
security.
    Senator Hassan. Right.
    Mr. Krebs. Second, significant cyber incidents. Significant 
cyber incidents are those that pose a significant national 
security threat or economic security threat.
    We were not built and staffed and resourced to have 
significant support to the State and local governments. That 
just was not in the playing cards.
    Over the last 18 months to 2 years, however, I have 
particularly with an increase of two things--first, ransomware, 
but probably, more obviously, election security. We have had to 
build out our ability to engage at the State and local level, 
and as Director Crawford mentioned, one of the most important 
aspects of all this is understanding that every State is 
different, that the laws are different. Home rule, for 
instance, makes it a challenge sometimes for engaging, but that 
is going to require me pushing force out from D.C. into the 
field again. So what we have to start with is additional 
resources out in the field, No. 1.
    No. 2, I have a decade-plus of significant investment in 
Federal network security. What we have to do is put a little 
bit more on top of that to extract insights, best practices and 
lessons learned, that then we can shift and share with our 
State and local partners. When you think about the 99 Federal 
agencies that comprise the civilian Executive Branch, it is one 
of, effectively, the largest networks in the world.
    Senator Hassan. Right.
    Mr. Krebs. The investments in security makes it one of the 
largest line items for IT security.
    There is a lot of goodness that we can take out of there, 
and I have also pressed the team to think more about not just 
securing the networks, but what can we pull out of the efforts 
we put to secure the networks to share with State and local 
partners. So when we issue binding operational directives or 
emergency directives, we have to not just focus on the Federal 
networks, but developing implementation guidance and additional 
documentation that a State or local partner could immediately 
pick up and run with and down the road need to have concierge-
like service to help them understand what we are doing and how 
they can do it as well.
    Again, this takes time. We need to build out the force but 
also put the insights piece on top of existing investments.
    Senator Hassan. Well, thank you. That is helpful.
    I also wanted to follow up with you on a letter that 
Senators Peters and Schumer and I sent concerning the Multi-
State Information Sharing and Analysis Centers. They are an 
important tool for Federal, State, and local governments to 
share cybersecurity information with each other, and last fall, 
as you know, I sent you a letter along with Senators Schumer 
and Peters asking your agency to ensure that MS-ISACs have 
adequate funding.
    I believe you have some good news to share regarding 
funding for the MS-ISAC, and can you shed some light on that 
for us?
    Mr. Krebs. Yes, ma'am. So, first, yes, they are fully 
funded. I think in the fiscal year (FY) budget, we are talking 
about a base of $11.5 million with an additional 10 on top. So 
we will be supporting the MS-ISAC.
    The MS-ISAC, as you have already heard, is one of our key 
mechanisms for broadly engaging State and locals and also is 
the home of the Election Infrastructure Information Sharing and 
Analysis Center (EI-ISAC) as well.
    But we are not stopping with the Albert sensors and the 
information-sharing mechanisms. We are also trying to 
understand what additional capabilities can we build out down 
the road. There are a number of pilots that we have ongoing; in 
particular, one that I am excited about, an endpoint detection 
response capability. So how can we help push out additional 
capabilities to the field to get the baseline of security up? A 
lot of what we talked about, the basics, we think we can buy. 
The Federal Government has significant advantage in terms of 
negotiation and contracting leverage. How can we bring that to 
the advantage of our State and local partners?
    Senator Hassan. Thank you very much for that, and thanks 
for making sure that the funding was there.
    I want to turn to our State experts here. Ms. Crawford, 
much like Texas, New Hampshire entities have experienced 
ransomware attacks. Last year, Strafford County and the Sunapee 
School District were targets of malicious hackers. Luckily, in 
both cases, quick-thinking professionals spotted the attacks in 
progress and acted to limit their effects.
    In Strafford County's case, despite a temporary 
inconvenience, the county was able to continue operations 
because they had trained and prepared for this type of 
emergency.
    So if both of you can just touch on--I will start with you, 
Ms. Crawford. What kind of training exercise and resiliency 
plans would have helped cities and counties in Texas better 
prevent and respond to cyberattacks like the one you saw in 
August?
    Ms. Crawford. I think really, again, going back to the 
theme of awareness and education.
    Senator Hassan. Yes.
    Ms. Crawford. So one piece of State legislation that I am 
particularly excited about that passed last session in Texas is 
our House Bill 3834 that requires mandatory cybersecurity 
training on an annual basis for every public employee and 
official in the State, and to us, that is key. Cybersecurity is 
everyone's responsibility, which if we could have it tattooed 
on my forehead, then we certainly would.
    But we want to make sure that people understand that and 
that they get that information out there. So those training 
exercises we are actually partnering with CISA on the Tabletop 
Exercise in a Box at our State Information Security Forum, 
where we pull State security professionals from around the 
State. It is coming up in March in Austin, and we will be doing 
that. So that is the key issue there, I think, is the education 
and training.
    What we really see out there particularly with the local 
governments is we have extremely limited resources, and whether 
those resources are trained and skilled workers, whether it is 
funding, there are issues for the local governments that really 
put them at a disadvantage.
    Senator Hassan. Right.
    Ms. Crawford. And so they are frequently going out to 
managed service providers, where you may or may not be getting 
the best services that are out there and particularly in Texas 
when we are looking at when we are spread out over such a large 
geographical area. We have network issues, broadband-to-rural 
issues, all sorts of things that are very difficult, just it is 
a different threat landscape.
    Senator Hassan. OK. Thank you, and I realize I am well over 
time. So, Mr. DeRusha, I will follow up with you, but I was 
very interested in your reference to a Civilian Cyber Corps. 
And that is something that my office will follow up with you 
about because, again, I assume you agree with a lot of what Ms. 
Crawford just had to say but would love to learn more about 
what Michigan in particular is doing. Thank you.
    Chairman Johnson. Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman, and thank you, 
all of you, for your testimony.
    Our State's Chief Information Officer (CIO) and the folks 
that are in Oklahoma are doing a fantastic job. Thanks for 
engaging in this.
    Chris, thanks for all your work at CISA. You have been a 
terrific asset to us, keeping us up to speed on things that you 
see and trying to help us. The information that you put online 
on the website has been very helpful. We have recommended it to 
quite a few folks after the Soleimani response that we had. We 
had excellent briefings from your team. I was able to take that 
information and to be able to do a large conference call in 
Oklahoma with State and local leaders, with businesses, 
infrastructure folks, be able to pass on that same information, 
and for them to be able to double that out. So it is not only 
the thousands of people you are talking with, but the people 
then multiple that message back out from there. It is very 
helpful. So we appreciate your engagement on those things.
    Let me bring up a couple of things that we have talked 
about before. That is election security. It is a concern. It is 
a major focus of your office. Obviously, as we are focusing in 
on what is happening now, everyone is paying attention to Iowa 
and the debacle there or the apps and all those things there. 
That is not really the cyber election issue that we have. It is 
really an outward threat coming at us or someone internal being 
a threat to our systems as well.
    So let me outline a couple of concerns that I have, and I 
would like to hear more of what you are doing.
    In 2018, Congress passed $380 million in election security 
assistance grant money to the States. As of the end of last 
year, States have spent a total of $92 million of that $380 
million allocated to them. About 24 percent of the money that 
we allocated in 2018, they still have not spent by the end of 
2019. We just allocated another $425 million back to those 
States against, which certainly will not be out the door 
because they have not even gotten the money out the door from 
2018 yet still.
    So, with this, there is not a real change in hardware or 
software because the States are sitting on the money rather 
than actually spending the money to improve their structure on 
election security. What is your office doing to be able to help 
us in the election security footprint right now?
    Mr. Krebs. So specific to the Help America Vote Act (HAVA) 
funding, the 700-so-odd million, I would not focus too much on 
the percentages that were spent, particularly the 380 and the 
425, and I think my partners here might be better witnesses to 
answer to that.
    But what I understand is spending money at the State 
government level is really hard.
    Senator Lankford. Right.
    Mr. Krebs. It does not just flow out the door.
    The additional thing is I would rather they spend the money 
right than just spend it.
    Senator Lankford. I would agree.
    Mr. Krebs. This is taxpayers' dollars, and it is multiyear 
money. So when you are talking about hiring in some cases, 
which we have incurred cyber navigators, I think some of the 
money is 5-year money. So they have to account and obligate 
salaries for multiple years.
    Senator Lankford. Some of the States that I have talked to 
that have not spent the money out have said they are 
interacting with your office or with DHS specifically and said, 
``We are doing some background work with them,'' the Federal 
Government is, trying to be able to help them through the 
process. So walk me through what is happening.
    Mr. Krebs. Specifically, what we are doing here, we have 
done a number of risk and vulnerability assessments, 
penetration testing, things of that nature, and we have 
discovered over--I think we have done 24 of these at the State 
and local level, and what we found is we approached 20 and then 
moved up to 21, 22, 23, 24, that we were getting 95 to about 98 
percent of the same results for every vulnerability assessment.
    So we were able to do two things. One is just pack out from 
those assessments, what the key risks, vulnerabilities, or 
other issues that need to be addressed. We then packaged that 
through the Government Coordinating Council (GCC), which we 
established a couple years ago for spending guidance, ``If you 
are going to spend this money, here are the things you need to 
go spend it on,'' and also just pushed those results out to the 
balance of the States that we have not provided our Risk and 
Vulnerability Assessment (RVAs) for because we do not think we 
actually need to do hands-on assessments, because we can, 
again, with 95 percent certainty tell you what we are going to 
find. So we just roll those out to our partners.
    But, again, we have developed guidance based on our 
experience over the last couple years, and we found that we 
will be updating that for this last tranche of money as well.
    Senator Lankford. OK. So anything that you could say at 
this point that is missing from either resources you need or 
resources the States need to be able to prepare for the 
election in 2020?
    Mr. Krebs. So for the 2020 election, I think the plans are 
in place, particularly from a procurement perspective for 
election equipment. They are locked and loaded. They are not 
going to be able to, at scale, replace equipment.
    Senator Lankford. Right.
    Mr. Krebs. The things I would be thinking about for 
election security funding--and this is the decision that needs 
to be made--I really see three buckets of funding. One is 
addressing the immediate risks.
    The way the HAVA formula works right now is it is based on 
the registered population of the 2010 Census. That will 
obviously get updated in 2020.
    Florida Secretary Lee has done something interesting. 
Rather than allocate the Florida HAVA money to the biggest 
jurisdictions, they have actually taken a risk-based approach 
and getting it to the more rural communities that need that 
investment. I think that is probably a good approach for the 
national level. Let us go help New Jersey, for instance, 
transition off their direct recording equipment.
    The second piece is sustainable funding. I do not care how 
much it is, but we just need certainty year over year over 
year.
    The third thing is we want to encourage innovation. So how 
do we do that? I think that it makes sense to have a separate 
pot of money that could be dedicated to innovating around post-
election audits, risk-limiting audits. These things take time 
for concepts, piloting, training, and rollout.
    Senator Lankford. So one of the challenges I get from a lot 
of folks is the attribution and then the law enforcement side 
of it.
    Famously, here in Washington, DC, we had two Romanians that 
hacked into security cameras right before the inauguration in 
2017, and so when the parade route is preparing, two Romanians 
had actually hacked into the cameras along Pennsylvania Avenue 
and caused a major incident here in D.C.
    When tracking it through, we found out it was just two 
folks that did not even know what they had hacked into with a 
ransomware piece, and they are living like the Kardashians in 
Romania off of stealing everybody's money around the world from 
this different threat.
    We were able to identify those folks, arrest them, picked 
them up, but for individuals like that, the repetitive question 
is: How do we law enforcement? How do we handle attribution? 
How do we actually shut down some of these folks that are 
consistently doing thousands of people and doing ransomware 
attacks and such, whether it be companies or individuals?
    Mr. Krebs. So, first and foremost, we have to continue to 
raise the security baseline so that they cannot be successful 
when they come after our networks.
    The second piece we need to think through is how do we 
change the economic model. They are doing it because they are 
getting paid out. The business plan works. How do we change 
those mechanisms? I think there are some bigger policy 
questions in play here that we need to take a look out about 
paying ransom. I think the State of New York has a piece of 
legislation they have sponsored that says something along the 
lines of State and local governments cannot pay.
    I am of the mind, do not pay. Do not pay. First off, you 
are doing a deal with a criminal. How do you know that they are 
going to pay out? And even if you do recover from what we 
understand, the recovery keys are only effective in 20 to 50 
percent of the time, and then you still have to rebuild. That 
takes time as well.
    Then the third thing is we are working with the FBI. I do 
understand that they are prioritizing enforcement, as they have 
for sometime now, but also how do we bring others into the 
fight? How do we have the intelligence community (IC) and other 
aspects of the Federal Government play ball here as well?
    Senator Lankford. All right. Thanks, Chris.
    Chairman Johnson. Just a real quick comment on election 
security, your final comment, encourage innovation. I guess it 
is the conservative in me. One of my favorite sayings is ``All 
change is not progress. All movement is not forward.''
    I still use the optical scanners. That is how we have 
always done it. I think we are kind of going back to the future 
there. The innovation is tied to making sure that it is a more 
secure system as opposed to the whizbang computer and all of a 
sudden we find that is pretty vulnerable.
    Mr. Krebs. If I may, specifically where I am focusing the 
innovation piece right now is on audits, auditing the process, 
post-election audits. Thirty-two States or something like that 
have an audit requirement right now. We need to help those 
other 18-plus get auditing in place, and that takes investment 
as well.
    Senator Lankford. The only point I am making is we have 
been able to do elections for many years, and we started 
innovating and kind of screwed up. But regardless, Senator 
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman.
    To each of you, welcome. It is good to see you. Thanks for 
taking the time to visit with us and give us a little update 
and share with us some ideas of what we could all do by working 
together to be more successful.
    As well, while we have 2020 elections coming up, New 
Hampshire today, and in the months leading up to Election Day, 
a whole host of primaries are going to be taking place across 
the country, hopefully no more caucuses like we experienced 
last week in the State of Iowa.
    I will say this. I was out there, a little bit, helping Joe 
Biden when he ran in 1988, when he ran in 2008, and when he ran 
this time. For my money, those are some of the nicest people on 
the planet. They call them ``Iowa nice.'' They are just lovely 
people.
    Chairman Johnson. We call Wisconsin ``nice.'' [Laughter.]
    It is actually ``Wisconsin even nicer.''
    Senator Carper. I think we could all learn from them in 
that regard.
    I like to tell people. People say, ``What is Delaware's 
State motto?'' I say, ``Well, we are the first State to ratify 
the Constitution. So people call us the First State,'' and they 
say, ``Well, what else? If you were not the First State, what 
would you use?'' And we say, ``Friendly, but you will get used 
to it.'' I like that one.
    Our intelligence agencies agree that the foreign 
governments have already taken steps to attempt to interfere in 
our elections, and given that, we must ensure that our State 
and local governments are well equipped to address any 
potential threats to election security.
    I have an old African saying I like to quote. It goes 
something like this, ``If you want to go fast, go alone. If you 
want to go far, go together.'' In this case, it is important 
for us to do both, to go fast and to also go together in order 
to ensure that our State governments have the tools and 
resources available from the Federal Government, while ensuring 
that any vulnerabilities are adequately addressed well before 
this November.
    I just want to start off by asking if you all can--this 
would 
be--Director Krebs, I think we will start with you on this one. 
But, if you could, please, just list some of the most promising 
and productive ways in which CISA has been working with State 
governments to address their election security concerns, and 
what are some of the common issues you are hearing?
    Mr. Krebs. Sir, thank you for the question. I have to say I 
have shamelessly stolen from you in my confirmation hearing. 
You mentioned one of your sayings of ``How are you doing? How 
am I doing? How can I help?'' We have adopted that customer-
centric mindset across the organization. I have also 
shamelessly stolen----
    Senator Carper. When you ask those questions, you tell 
people----
    Mr. Krebs. Absolutely. It is the core and the ethos of what 
we are trying to do here at CISA. We are a customer service 
organization. We have to understand what our partners need, and 
that is going to take time.
    Why does it take time? In Secretary Mattis' recent book, he 
quotes General Washington, President Washington, and his 
leadership philosophy has four key elements: listen, learn, 
help, lead. It is the same thing we are trying to do here. That 
is what we did in the election security community.
    In 2016, we did not really know much of what was going on 
at all. So, as we worked up to 2018, we really listened. We 
listened to what our partners, what our secretaries of State 
needed, what our State election directors needed, what the 
local--and then we learned. We learned about the processes, who 
is who in the zoo, effectively, and then we helped.
    We provided a number of resources establishing the election 
infrastructure, ISAC, providing a series of training and 
exercises. You have probably already heard about some of the 
training 
we provide to State and locals, but also holding three 
national-level--effectively national exercises on tabletop 
exercises--or election security, but again, getting information 
out, getting everybody together, and providing them the help 
they need.
    The last thing, though, this is where we have to lead. We 
have to understand where the risks are, taking into account our 
unique perspective at the Federal Government. We launched an 
initiative last year that really took a look at this 
intersection of ransomware that we are talking about here, and 
what is the thing that we are most concerned about, frankly, 
where the risk really is in elections? It is highly networked. 
It is highly centralized. It is voter registration databases, 
so what would a ransomware infection of a voter registration 
database look like and how we can, A, prevent against that and, 
B, ensure that there is resilience in the system. So, if it 
does happen, it is not leading to a catastrophic failure across 
the election process.
    Senator Carper. All right. Thanks, and thank you for 
attributing. Usually, when I steal people's material, I do not 
attribute. So I especially appreciate that. [Laughter.]
    I just want to again brief you, Director Krebs, if you 
will. In your testimony, I think you referenced a report--I 
believe it was from 2018--that lists China, Russia, and Iran as 
aggressive and capable collectors through their cyber 
capabilities of sensitive U.S. information and technologies.
    I think your testimony goes on to say that our adversaries 
are using their cyber capabilities to undermine critical 
infrastructure, steal our national security, our national 
secrets, and threaten our democratic institutions.
    Your testimony outlined some of the ways in which CISA has 
responded to evolving threats, including offering technical 
services, training programs, and incident management and 
response services.
    Question. What is the participation rate amongst State and 
local governments seeking CISA assistance and assessing the 
cyber posture of their information technology systems as well 
as their election security infrastructure?
    Mr. Krebs. So through the MS-ISAC and the Election 
Infrastructure ISAC, broadly State and local, every State is 
involved both in the MS-ISAC as well as the Election 
Infrastructure ISAC. On the Election Infrastructure ISAC, we 
have about 2,400 to 2,500 local jurisdictions that also 
participate, which is good, but there are 8,800 of them. So we 
still have to make the jump.
    On the broader MS-ISAC, we have a significant amount of 
uptake, but that is, again, information sharing. That is 
getting this documentation out.
    I think where we need to improve is working through, as we 
have already talked, incident response planning, roadmapping 
for effective security, and that is really the cornerstone for 
how all the other services and uptakes will be determined, 
whether they need them or not.
    We offer a range of services. Organizations take what they 
need based on where they are, and it is not going to be 
everything. And taking a CISA service is not dispositive of a 
good cybersecurity posture. We have more work to do again on 
the roadmapping side, and I am looking forward to a couple of 
the internal initiatives that we have that are going to push 
that out in the next year.
    Senator Carper. OK. Last, just a quick one. How is CISA 
proactively reaching out to States locally--and you talked 
about this a little bit, State, local, tribal, and territorial 
governments--that have not requested assistance, that have not 
requested assistance but may be vulnerable?
    Mr. Krebs. We will continue to push out information on the 
CISA through the ISACs and through our normal portals, but what 
you have touched on here at the end was if we are aware of a 
vulnerability out there, how do we engage a stakeholder? And 
this is bigger than State and local partners.
    Through the Cyber Vulnerability Identification Notification 
Act that the Chairman has introduced along with Senator Hassan, 
that is a way that we can--when we understand that there are 
significant vulnerabilities, particularly in critical 
infrastructure, the industrial control system specifically, 
then we can reach out to an internet service provider (ISP), 
work with them to get the information on the customer 
identification, and then provide that customer the information 
they need to secure their networks. That is going to be a 
critical tool in our toolkit going forward.
    Senator Carper. Good. Thanks.
    Mr. Chairman, do you think we might have another round of 
questions?
    Chairman Johnson. Probably.
    Senator Carper. That would be great.
    Chairman Johnson. Talk a little bit more about you are 
constrained right now by not having that subpoena power. I 
wanted to bring that up as long as you are on the topic. Just 
hammer home that point, how important that is.
    Mr. Krebs. So there are a number of tools available. Shodan 
is one of them where you can get an understanding of what 
systems may be connected to the internet that have 
vulnerabilities that a bad guy could exploit.
    So when you hear Director DeRusha talk about the 90 million 
hits or whatever it is against the firewall on a daily basis--
and Texas, I am sure has a similar statistic--a lot of these 
are automated probes and scans that look for vulnerabilities, 
and when they see these vulnerabilities they then try a number 
of techniques to get into the system, and in some cases, this 
is what we are seeing through ransomware actors. They are 
automated processes.
    So we can take a similar approach but to identify the 
vulnerabilities and then plug them, but if I identify a 
vulnerability, usually it is just tied to an Internet Protocol 
(IP) address and that is it. I do not know who the organization 
is. I cannot contact them.
    So what we have to be able to do, then, is go to the 
internet service provider. The internet service provider, by 
law, cannot turn that information over to us absent an 
administrative subpoena.
    They can go direct to the IP owner, but what we have seen 
in the past is some ISPs are also managed security service 
providers. So when they show up and say, ``Hey, you have this 
vulnerability. You need to address it. You should do this,'' it 
looks like an upsell.
    Plus, I am CISA. I am the Nation's civilian cybersecurity 
lead. I should be able to work with partners when we identify 
vulnerabilities, provide them guidance and remediations to 
patch their systems.
    Chairman Johnson. This is power that other agencies have, 
and you do not. And it is a huge constraint on your ability to 
provide cybersecurity defense and information to the private 
sector so they can protect themselves, correct?
    Mr. Krebs. Other agencies have a variety of this for 
different purposes, but ours is purely for defensive 
vulnerability mitigation purposes on critical infrastructure 
systems, not your average user, not your home devices. This is 
the critical infrastructure systems that can have significant 
national consequences.
    Chairman Johnson. Again, I know there are people concerned 
about this, but they really need to be concerned about the 
vulnerability because you do not have this capability. So, 
again, I am just trying to make sure that everybody at least on 
this Committee realizes this is something that has to be 
granted. Senator Portman.

              OPENING STATEMENT OF SENATOR PORTMAN

    Senator Portman. Thank you. Thanks for having the hearing. 
This is really important and timely, given what is happening. I 
saw the two Government Accountability Office (GAO) reports. It 
sounds like you feel as though you have now done what you need 
to do in terms of the election security, recommendations they 
had in their report; is that correct?
    Mr. Krebs. Yes, sir. We released our strategic plan on 
Friday, and if you take a look at it, by the way, it is a 
pretty clean polished document. This is not something I just 
rushed out. It was ready to go. This is the plan we have been 
operating against since next February. We have a very clear 
understanding internal to CISA and with out partners of what we 
are trying to accomplish, and we have had so for a year.
    Senator Portman. All right. In terms of what you talked 
about today, earlier you talked about some of the authorities 
you might be looking for. One that is out there already as 
legislation is to codify or formalize the relationship between 
you and the State Information Sharing Analysis Center, we have 
been talking about. That is 1846. It has passed the Senate 
already. I assume you would like to see that get passed.
    Second is this legislation the Chairman just talked about 
to give you the subpoena power to be able to go to the internet 
service providers. It is very important.
    On the State Coordinator Bill, are you openly supporting 
that? Is the administration supporting that? You have said you 
want to push more expertise down to the State and local level, 
and you would like to have somebody in every State Capitol.
    Mr. Krebs. Yes, sir. That is definitely a capability that 
we could benefit from, additional resources out in the field. 
Yes, sir.
    Senator Portman. Again, that is when this is working 
through the system.
    I want to talk for a second about hiring authorities. That 
is one that we have not gotten into much today. Actually, I am 
sitting next to Tom Carper who worked on this way back in the 
2014 time period. We did pass legislation to help to provide 
you with additional hiring authority, ``exceptional hiring 
authority,'' as it was called. My sense is that that is still 
not enough, that you are still having a difficult time 
attracting to government the kind of cybersecurity expertise 
that you need. By the way, the same is true in the private 
sector. What more can we do there? What more can we give you in 
terms of authorities to be able to ensure you have the right 
people in place at the right time to respond to these 
increasing cyberattacks?
    Mr. Krebs. So I think stepping back a little bit, first 
off, whether it is the Boots on the Ground Act or the ability 
to direct higher authority for certain positions, I think those 
are paving the way for us to be more successful.
    I think we have some internal housekeeping to do in terms 
of the process from left to right, the entire hiring process. 
We have some internal roadblocks that we are working through 
right now that I am confident in the next 6 months, we will be 
able to make significant progress.
    But more importantly, I think----
    Senator Portman. Let me just stay on that for a second, and 
I agree with you. And I am glad to hear you say that.
    We passed this in 2014----
    Mr. Krebs. Yes, sir.
    Senator Portman [continuing]. Excepted service. It is now 5 
years later----
    Mr. Krebs. Yes.
    Senator Portman [continuing]. And no hires have been made.
    Mr. Krebs. That is the Cyber Talent Management System, 
and----
    Senator Portman. Why has it taken 5 years?
    Mr. Krebs. So that is the Department of Homeland Security's 
Management Office that is taking point on that.
    Senator Portman. Right.
    Mr. Krebs. My understanding is by fourth quarter this year, 
they will be fully hiring against those billets. It is a 
reimagining of the civil service, and so it is not an overnight 
process. And it took, I believe, some rulemaking and other 
aspects to get it where it needed to be.
    But we are not waiting for that. We do have direct-hire 
authority. Plus, we have retention incentives up to 25 percent 
for employees, similar to what some of the intelligence 
community and Department of Defense (DOD) may have as well.
    So we are taking full advantage of that, and we have seen 
our attrition rate go down over the last year or so. So we are 
excited by that.
    But I have to buildup the base. So we are working with 
partners through the Scholarship for Service, through the Cyber 
Talent Initiative, where we can have the private sector play a 
role here.
    One of the things I am really excited about is where the 
private sector can play a role--again, this is the Cyber Talent 
Initiative--where they can provide tuition assistance to 
students coming out of college as long as they serve 2-plus 
years or so in the Federal Government, and then they will have 
an opportunity to go out in the private sector.
    For me, that is a good thing. So if I get somebody in and 
have them for 2 to 4 years and then they spin out in the 
private sector, that is not bad. That is good. That means I 
have been able to train people up. I now have an alumni network 
out in the private sector.
    I am a small agency. I am a young agency, not like the FBI, 
big and old. Not old. They have just been around longer than 
us. Not old, been around longer. [Laughter.]
    Senator Portman. Agency, not then individual.
    Mr. Krebs. Correct.
    They have an alumni network. I do not. I have to be able to 
build this up. So when somebody goes out to the private sector, 
they know how to work with us. They know what we can do. They 
know how to work with us. So I am really excited about some of 
these things that are coming down the pike.
    Senator Portman. And you have the authority to be able to 
do that loan forgiveness on the student debt?
    Mr. Krebs. We also have tuition assistance.
    The Cyber Talent Initiative is a different program, where 
the private sector takes over that piece.
    But I think this is the cybersecurity workforce, and I 
think the gap has been built up a little bit. But this is truly 
one of those shared responsibilities where the private sector 
is going to benefit from supporting the Federal Government 
training, the first 4 years of someone's career, giving them 
the appropriate training and then spitting them out. I think it 
is a win-win for everybody.
    Senator Portman. Well, good.
    On the directorate, DHS----
    Senator Carper. Excuse me. Would you yield for just a 
second?
    Senator Portman. Yes. Let me just finish this point.
    I understand they are directing this effort to be able to 
use these cybersecurity accepted service authorities, but I 
hope you will push them on that. You say fourth quarters. I 
mean, it has been 5 years. Here we are.
    Mr. Krebs. Yes, sir.
    Senator Portman. We have worked through the rulemaking. So 
I just hope that can happen soon.
    Mr. Krebs. Yes, sir.
    Senator Carper. I would ask this to not count against 
Senator Portman's time.
    You said build up the gap a little bit, and I am not sure I 
understood what you meant by that.
    Mr. Krebs. I think that it is the cyber workforce hiring 
challenges. I think they are built up a little bit. I think, 
yes, there are significant open positions that we need to fill, 
but I think we also need to be looking further in the 
development cycle and getting better security practices into 
just design development, so that we are not always bolting 
security on at the end. DevSecOps is a great concept.
    Again, it is including the K-12, through the higher 
education, making sure that security is a platform of any 
Science, Technology, Engineering, and Mathematics (STEM) 
education.
    Senator Carper. The thing that was confusing me, I always 
think we are trying to reduce the gap, not build up the gap. 
That is why.
    Mr. Krebs. No, no, no, no, no. We are trying to reduce. 
Yes, sir.
    Senator Carper. Thank you for yielding.
    Senator Portman. No. Of course.
    I would just say one final point. We have been talking a 
lot today about how to identify problems up front, and you have 
talked about some additional authorities you could use to be 
able to do that. And we talked about that today. I think this 
Committee has been responsive to that, and I think it will be 
responsive to every evolving threat out there.
    But you mentioned Equifax. I mean, it is a great example. 
We worked with them, again, in our Permanent Subcommittee on 
Investigations (PSI). We looked at what happened and why were 
they allowing these breaches to take place, which affected so 
many millions of Americans. But now we see it also affected our 
national security in very fundamental ways.
    What we found was they failed to remediate vulnerabilities 
in a timely fashion. They operated outdated legacy systems. I 
am looking at our State partners here, some of whom have 
outdated legacy systems, not that Michigan would or any other 
particular State, like Texas. And they did not have a complete 
list of applications running on their networks.
    So I think being proactive, being able to identify these 
problems up front, can save just an enormous amount of cost and 
hassle for individuals in terms of the consumers, and also, as 
we have seen here, even our national security can be directly 
affected.
    So we want to help you in that, and you have to help us to 
provide you the authorities you need to be able to be 
proactive.
    Thank you, Mr. Chairman. Senator Sinema.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you, Mr. Chairman, and thank you to 
our witnesses for participating today.
    We live in an increasingly connected world, which brings 
both opportunities and risks. Arizona communities are exploring 
and using smart technologies to improve natural resource usage, 
advance health care delivery, and enhance public safety.
    One great example of Arizona's innovation is our Smart 
Region Consortium. It is a collaborative of applied research 
and implementation partnership between public sector, academia, 
industry, and civic institutions with a vision to transform the 
Greater Phoenix Region into a model for Smart City technology.
    Our State is also leading the way in advancing the 
development of autonomous vehicles, but like so many other 
States, Arizona has also experienced the risks of technology.
    Just last year, we saw the downside to increase reliance on 
technology, both the Camp Verde and Flagstaff Unified School 
Districts suffered ransomware attacks in 2019.
    Camp Verde was able to start their classes on time but 
could not use any of their computers, but Flagstaff was forced 
to delay the start of school by 2 days. The community hospital 
in Wickenburg, Arizona, also has suffered an attack. 
Fortunately, in these cases, fast-acting information technology 
teams worked quickly to contain the problems and minimize the 
damage, but these attacks demonstrate the risks our communities 
face and underscore how critical it is to focus on preparedness 
at the State, local, and for us, tribal levels.
    So my first question is for Mr. Krebs today. Tribal 
representatives from Arizona who work on technology issues 
worry that while they have been welcomed in conversations about 
broadband and connectivity, they have not felt included in 
cybersecurity discussions.
    The DHS 2018 Nationwide Cybersecurity Review also showed 
that Tribal Nations, while improving their cybersecurity 
maturity score from 2017 to 2018, still scored fairly low 
compared to State and local entities in areas such as 
identification protection and response.
    So what steps is DHS taking to better include tribal 
communities and assist them with cybersecurity challenges? And 
how can you help us improve this assistance?
    Mr. Krebs. Yes, ma'am. I think some of the bills that we 
talked about today, including getting more personnel cyber 
advisors out into the field, can help bridge the gap with the 
tribal communities.
    We are also taking a look internal to DHS of what are the 
available grant programs we have and how we can better purpose 
those grants toward cybersecurity purposes but also help 
jurisdictions, whether it is State, local, tribal, or 
territorial, write investment justifications for grant requests 
and then help shepherd those through the process. So it is 
about getting direct help and assistance advisory help as well 
as making resources available to them.
    And then we have as always, our training, our education, 
our technical services that we can provide. It is just a matter 
of I have to start somewhere--and that is with direct 
engagement--and let them know where they are but also what 
resources are available to them from the Federal Government and 
completely recognize that, again, we have not put enough 
resources out in the field to make that happen in an effective 
manner.
    Senator Sinema. Thank you.
    Following up on this topic with Ms. Crawford and Mr. 
DeRusha, from the State perspective, what recommendations do 
you have for ensuring that tribal communities are engaged in 
this process?
    Ms. Crawford. I think our perspective would be for tribal 
communities or any other entities that are out, particularly in 
our area and in rural parts of Texas, again, it is education 
and outreach. And whatever efforts we can do, we certainly work 
on community outreach through our education programs and our 
own office of the State Information Security Officer to try to 
reach all communities and again trying to encourage education 
in these issues from the very beginning, starting with 
elementary school making sure again that cybersecurity is an 
issue that people know about from the very beginning and 
building up that culture throughout the State and tribal 
communities of cybersecurity.
    Mr. DeRusha. So I think we find travel communities in very 
small municipalities similar challenges. There is really not 
even an awareness really of what cybersecurity is and what they 
should be doing. So we like to talk about thinking about these 
things in business risk, for mission risk. Cyberattacks can 
prevent them from delivering whatever services they deliver or 
just having normal operations and sort of helping them 
understand that there is a risk to them, and they do not need 
to necessarily have something of value. They could be just a 
target of opportunity.
    So it is education, awareness, constant outreach. These are 
some of the things that been effective.
    Senator Sinema. Thank you.
    My next question is back for Mr. Krebs. In the May 2019 
interim report to DHS by the State, Local, Tribal, and 
Territorial Cybersecurity Subcommittee, the authors recommended 
that DHS create a dedicated grant program to States for 
cybersecurity. In Arizona, we, of course, have seen the value 
that grants can provide firsthand.
    The Arizona Department of Administration receives grant 
funding to offer anti-phishing and security awareness training 
for smaller and less-resourced Arizona government entities, but 
there are additional tools and training that Arizona would like 
to offer. But we do not have the funds to do so.
    From DHS's perspective, what would be the benefit of the 
type of grant programs that the subcommittee has recommended?
    Mr. Krebs. So, first and foremost, we do have training and 
exercise resources available free of charge through the Federal 
Virtual Training Environment (FedVTE) program. We have 
thousands of hours of training available.
    We are also working right now on our existing Phishing 
Campaign Assessment tool, which is more manual. We are taking 
it to an automated version. That will allow for more scalable 
deployment, and those are the sorts of things, again, if we can 
help tribal organizations have increased access, it starts with 
awareness. Let them know that they are there, and then they can 
go use those services.
    From a grant program, I think there are a couple different 
recommendations going out there and including from the Homeland 
Security Advisory Council subcommittee that touched on this as 
well as some legislation under consideration that would talk 
about $400 million in grants. I think that dedicated funding 
would help them have more repeatable ready access to resources.
    But the other important aspect is it would also incentivize 
investment at the State level because it would require--I am 
not sure the specific matching amount right now, but it would 
also require a matching amount from the State or local 
jurisdiction, which again you can say, ``You need to prioritize 
this. If you put in a little bit, you will get a lot more from 
the Federal Government.'' These are things that we continue 
looking forward to working with the
    Committee on and getting across the finish line.
    Senator Sinema. Thank you, Mr. Krebs.
    Thank you, Mr. Chairman.
    Chairman Johnson. Senator Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Chairman Johnson.
    Thank you for being here, all of you, today for 
participating in this hearing.
    I am proud to say that on Christmas Eve, my Building Blocks 
of STEM Act was signed into law. That is going to help building 
out the workforce. I have a few other bills in the pipeline, 
Cyber Ready Vets, Junior Reserve Officers' Training Corps 
(ROTC) Cyber Training Act and others that will help build 
workforce capabilities in the future.
    None of these things are going to stop happening, like my 
colleagues said. Data breaches are occurring at a record pace. 
More than 4 billion records have been exposed in the first half 
of 2019 alone. Of course, we know the cost, the impacts it has 
on businesses, not to mention the reputational harm that is 
inflicted.
    So one way to mitigate the impacts of cyberattacks on 
businesses is through the development of a comprehensive 
disaster recovery plan that will restore data, applications, 
even maybe save the hardware. And we know that such planning 
can help avoid the worst consequences of cyberattack.
    In a prior life, I started my career as a computer 
programmer. I actually had to create lots of backout plans, do 
robust disaster recovery planning, offsite storage. You name 
it, we had to do it, and testing, testing, testing for some of 
those things, particularly help in the area of ransomware if 
you have offsite storage.
    So despite this, we know large companies do this pretty 
well, but small companies, they really face a financial impact. 
Over 90 percent of businesses in Nevada are small business, and 
when they are targeted for a data breach, they may be doing 
cyber hygiene, but they may not be understanding how they can 
do robust--especially in the area of ransomware, which is 
particularly prevalent. How can we get out the word or training 
packages or templates for our small businesses to understand 
that you can overcome a breach in some ways to at least a 
particular point in time by having a good disaster plan in 
place? Can you talk to me how you are helping businesses do 
those things?
    Mr. Krebs. Yes, ma'am.
    So I think, again, it goes back to continuing to beat the 
drum on awareness, but also doing it in a way, as I mentioned 
in my opening, about demystifying this.
    We pushed out in the fall, a Cyber Essentials document. It 
was probably more complicated than it needed to be, but it 
really comes down to six things that then roll up to three: 
leadership, security, culture. That is the baseline for----
    Senator Rosen. And I am talking about small businesses.
    Mr. Krebs. Again, this is all part of it. It is about when 
you own a small business, you have to be thinking about 
delivering a service as well as ensuring the ability to 
continue to deliver that service. And it is not just----
    Senator Rosen. Are you able to give them some kind of 
templates----
    Mr. Krebs. Yes, ma'am.
    Senator Rosen [continuing]. On your website about are you 
doing that?
    Mr. Krebs. So we are working through a couple of different 
avenues right now.
    We have had relationships in the past with the Small 
Business Administration (SBA), Small Business Development 
Centers (SBDC). That was part of Executive Order (EO) 13800 
that requires an SBDC plan. So we are continuing to work 
through that process, working with the chambers of commerce, 
getting templates out there to understand what incident 
response planning looks like, what recovery looks like, but 
also just good old cyber hygiene plus using some of the 
resources that we have that are not supplanting anything in the 
marketplace, just offering free-of-charge services.
    Senator Rosen. Do you think that you have enough resources 
from us to be able to get this out there?
    Mr. Krebs. Again, I need more people out in the field. I 
need more boots on the ground. I cannot be effective----
    Senator Rosen. Maybe we will get some more of my bills 
passed.
    Mr. Krebs. Yes, ma'am.
    Senator Rosen. We may get some more boots on the ground.
    Mr. Krebs. Yes, ma'am.
    Senator Rosen. I have a second question. Of course, in my 
home State of Nevada, over 250,000 Nevada residents live in 
rural areas, and of course, in Las Vegas, where we have lots of 
active chamber and bigger State and local government presence 
there, my smaller communities do not have that. So how can we 
again share--maybe you can speak about this. Especially in 
Michigan, lots of rural communities. You have the upper 
peninsula up there going on. How do we help them get the 
qualified staff or the qualified training to combat these 
cyberattacks?
    Mr. DeRusha. So, Senator, we think about this, both on the 
prepare and the response side of the equation.
    From the preparedness side, it is a lot about developing 
communities of practice, advertising, making sure that they 
know they have State and Federal resources available to them, 
bringing these communities together so that they can do self-
help and help each other and start to get to know one another.
    We also have a very robust Cyber Civilian Response Corps 
that works in close coordination with our State police. So we 
can actually deploy people out. We have done so in rural 
communities, and what we find in the volunteer is that programs 
that we want, people who live locally to be a part of that. So 
we do try to recruit in some of those rural areas because we 
find that if you can go respond to an incident, return home at 
night, sleep in your own bed, come back the next day or maybe 
do some work and balance that, that that is working pretty well 
for us.
    Senator Rosen. And so building on that, what other efforts 
do you think we can do to increase these shared services, use 
the economy of scale through bulk technology services or using 
the same people to go out to rural areas? How do you think that 
we can best accentuate that?
    Mr. DeRusha. So, Senator, we need scalable models, and we 
need funding.
    I think you can see there is a lot of innovation going 
across States. The National Association of State Chief 
Information Officers (NASCIO) put out a report highlighting 13 
different States' local community initiatives last month. I 
think there is a ton of great innovation going on. We are 
starting to figure out what we need to do in each of our own 
States and how to solve these local problems.
    But in the end, it needs to be in enduring help and 
assistance, and if you are going to procure a security vendor, 
managed security service, for example, to do net-flow 
monitoring, endpoint protection, email protection, that is a 
lot of money.
    Senator Rosen. Right.
    Mr. DeRusha. And that is part of the reason that some of 
the HAVA funds have not been spent yet, because getting those 
contracts together is a lengthy process.
    But these things are very real protections. The market has 
a role to play. All levels of government have a role to play. 
It is just a collaboration.
    Senator Rosen. Thank you.
    I yield back, unless somebody wants to say anything about 
this.
    Thank you, Amanda.
    Ms. Crawford. The only thing I would add, Senator, is, 
again, agreeing with Mr. DeRusha's comments, is one of the 
things we have done in Texas and that we are charged with is a 
cooperative contracts program for IT goods and services. So we 
have the pre-negotiated contracts with State terms and 
conditions at low prices that helps the local governments be 
able to secure those and then our shared technology services 
program through managed security services, but also disaster 
recovery is a service and other elements to allow any level of 
government to participate in that, even the rural communities.
    Senator Rosen. Thank you. Appreciate it.
    Chairman Johnson. Thank you, Senator Rosen.
    I know a couple Senators talked to me about maybe having a 
second round. So for staff, if they want that, get them back 
here. Otherwise, when I am done, we are going to close it out.
    Let me go back to the point I was talking about, about 
individuals, because I want to work back up to the larger 
enterprises, OK?
    The basic question is, Does or why does not backup work? 
So, again, individuals, on an individual device, it just 
automatically backs up the cloud. Does that work, and if it 
does not work, what is preventing it?
    Then go to a small business, where they have my era 
Peachtree or whatever accounting program. Pretty small database 
in the scheme of things. Pretty easy to back the entire thing 
up.
    You go to the next size business, and I will bet you 
Senator Rosen could actually answer this question as well, 
having done all this testing.
    Again, just kind of work our way up from the individual to 
a smaller enterprise to a little bit bigger, more complex, 
different divisions. What is the problem here?
    Do you want to quickly chime in here?
    Senator Rosen. I would venture to just put this out there 
that a lot of people do not do offsite--like if you put 
something in the cloud, you are probably OK, but people do not 
have robust offsite backups. Everything is plugged to their 
computer, on their computer. So when your computer is locked 
up, essentially you cannot get----
    Chairman Johnson. You need the air gap.
    Senator Rosen. If you move something away from the 
compromised system that you can then lay back on and begin to 
function from a starting point, but I will let them----
    Chairman Johnson. Back ages ago when I had my International 
Business Machines Corporation Personal Computer (IBM PC), we 
just had these disk drives. You would plug them in. You back it 
up. You pull it out. And you had your entire system. If 
something ever happened, you would just plug it back in, and 
literally, as long as it takes to book up the computer and plug 
that data in, you were fine, again, smaller enterprise.
    Answer that question. Scale it up from individual, small 
business, more complex, multiple division, multiple site, 
international.
    Mr. Krebs. I think starting at the individual layer, if you 
can update or rather back up, you should. I do not think 
everybody does back up. It is not always enabled by default, 
and then it also, in some cases, depending on how many pictures 
you take--I know how many pictures my wife takes on her phone, 
and she has exceeded her iCloud storage in others. So we have 
to continue looking and buying for additional storage.
    I have five kids. She takes a lot of pictures and videos 
and things like that. So you have to work through that.
    Chairman Johnson. Again, I am technical imbecile. My phone 
just tells me, ``You are going to back up'' or ``You have not 
backed up in 2 weeks. Make sure you are plugged in the Wi-Fi,'' 
and then it backs up. That works.
    Mr. Krebs. I would also say you are probably in the 
minority. A lot of people just ignore that and click through. 
We have to continue increasing awareness on the importance of 
backups and telling people do not just click it away. Do not 
hit no. Do not ex out.
    Chairman Johnson. So this goes into the overall message. 
Ninety-five percent of this can be prevented if you just do 
some basic things. Let your device back up because, if you do, 
you are pretty well protected.
    Mr. Krebs. It takes time. Yes.
    Chairman Johnson. OK. Now let us go to the small business, 
same type of thing. Is it just simply people are not doing it, 
or is there something more complex? Is it they have their 
software and they do not back up their software? They are just 
backing up the data?
    Mr. DeRusha. Senator, I think it is all of those things.
    Again, the big theme here is we are trying to get 
education, understanding, and awareness, and that is a big 
piece of this.
    One of the pieces of advice we give to a small entity is 
even if you leave, if it is an offsite and completely offline, 
a backup, it could be 3 weeks old, a month old. That is OK 
because you can at least roll back to something.
    Whatever criticality level of the entity and skill 
capability level, these things are all going to matter on how 
often they are able to do it and whether or not they are doing 
it at all.
    So we just try to say, ``Hey, based on how critical you 
are, you really should be considering regular backups, ensuring 
offline redundancy.''
    Chairman Johnson. So, again, with modern technology, with 
modern software, why is not this stuff just pretty much 
automatic?
    Mr. DeRusha. It is fairly automatic particularly in the 
larger organization. At the State level, we have hundreds of 
critical applications running. Each of them have their own 
backups in place. A lot of them are backing up in the cloud. We 
have multiple data centers running. So we have a very 
sophisticated apparatus.
    But the fact of the matter is the bad guys are always kind 
of a step ahead. Malware, particularly what they call 
``polymorphic malware,'' is constantly changing. So even if you 
are trying to defend against one old known type, we have seen 
in one day 35 different types of the same malware stream come 
through. It is just a very difficult thing to prevent because, 
if you are connected, there may be a way, if it is not 
perfectly configured, to defeat that, and it is hard to 
perfectly configure systems because that is a very high skill 
level.
    Chairman Johnson. So, again, if you have done the backup, I 
mean, you are not backing up continuously. So there is always 
going to be that gap.
    I will go to Ms. Crawford. Is that the issue? In Texas, you 
may be backing these things up, and then you have to restore 
whatever activity occurred between the last backup and the 
present time.
    Ms. Crawford. Sure. I mean, continual backups is certainly 
a difficult challenge, but having backups that are regular and 
scheduled--and as you said, then there is only the small gap. 
And you decide based on a risk management perspective, what is 
that acceptable risk and what is that length of time for the 
gap and keeping those backups offline.
    In ransomware, your data and information is held hostage, 
and you devalue your hostage when you have backups that you can 
then bring back up and restore. So that instantly helps to put 
a damper on any request for that ransom. So it is crucial and 
important.
    I really think one of the issues, though, with the--and I 
am speaking again for the smaller government entities. It is 
those limited resources, and it is changing the dynamic and 
changing the conversation about cybersecurity. I think when you 
have smaller governments who are looking at their limited 
resources and are you going to spend a dollar on mission or a 
dollar on cybersecurity, for the longest time, they were 
looking at mission. Well, cybersecurity has to be part of the 
mission, and we have to do that and train on that through 
education and outreach and awareness.
    You cannot issue marriage licenses, birth certificates, and 
titles and all of those other things that a local government 
does that is part of their daily business if your systems are 
down, and so it is just increasing that awareness to get folks 
to understand what it is they need to do.
    Chairman Johnson. Mr. DeRusha, you had something?
    Mr. DeRusha. Senator, just to add, back to the individual 
layer, we are looking at some innovative and creative solutions 
to protect residents, potentially, by exploring mobile security 
applications that one could deploy out to residents for free 
download if they chose to download it. What this is doing is 
getting left of that attack, and any anomalies that are coming 
into the phone, it is detecting them. If you have downloaded a 
bad application, it is detecting that. If you go into a bad 
website, it is letting you know on the phone. If you are 
connecting to a bad Wi-Fi connection that is actually a rogue 
network, it is letting you know.
    So these are some innovative solutions that we are looking 
at to try to get ahead of this and prevent that attack from 
occurring and needing the backups.
    Chairman Johnson. I am looking for the private sector to 
handle those things. Director Krebs?.
    Mr. Krebs. One of the things that you have already touched 
on is--you did not say it directly, but security cybersecurity 
is a cost center. You are not going to have significant 
resources plowed into cybersecurity of your networks, 
particularly in small businesses, medium-size businesses. So 
they are resource-strapped. They are personnel-strapped, and 
even though we talk about these things, the basics you need to 
do, in a lot of cases, you are talking about existing legacy 
networks that have other problems that have to be addressed 
first.
    Yes, you should always have a backup offline, and you 
should test it because they do not always work. But you have to 
start somewhere, and we are really pushing vulnerability 
management, asset management, identity management, and then 
good governance across the top.
    Chris talked about all the different apps they have 
running. It is not just about you take an image of the entire 
network and then you have it somewhere. It is a series of 
backups.
    I do not want it to be lost here that, yes, the basics, you 
need to do the basics, but the basics in a lot of cases are 
still really hard.
    Chairman Johnson. Yes. I understand.
    Senator Carper, did you have--I do not want to necessarily 
do full rounds. I have to close this out by 11:30.
    Senator Carper. OK. Thank you. Thanks, Mr. Chairman.
    Let us go to Iran for just a little bit, if we could. Prior 
to our entering into the joint agreement between five countries 
and Iran on an effort to halt their nuclear weapon program. 
Prior to that, they were attacking our financial institutions 
using the internet, cyber attacks, unrelentingly. Within weeks 
following the signing of that agreement, those attacks dwindled 
significantly.
    That reminded me at the time of root causes. The Chairman 
and I are two big proponents of not just addressing the 
symptoms of problems, but also the root causes of problems. 
That experience said to us maybe if we want Iran to back off, 
maybe having that kind of agreement and reward them for backing 
off would actually work.
    I want to go from that timeframe from roughly 5 years ago 
to today and ask this question. It appears there is broad 
consensus, Mr. Krebs, among national security officials, 
including yourself, that Iran, far from being finished with 
retaliation from this attack that we took to take out 
Soleimani, but they are likely to pursue cyberattacks on U.S. 
targets, including State, local, and tribal governments. They 
might hit the pause button for a while but eventually come 
after us again.
    What is more, we have known for sometime now that they are 
capable of doing a fair amount of damage through cyberattacks.
    I believe, Mr. Krebs, you mentioned, I think, before I got 
here--I think you mentioned your interagency coordination after 
the strike on Soleimani, which is good. However, did the 
administration provide any warning to DHS, either through the 
Office of Intelligence and Analysis or to CISA specifically 
regarding an increased likelihood of cyberattack from Iran 
prior to carrying out the Soleimani strike?
    Mr. Krebs. So we have been operating at an enhanced alert 
posture since probably early last summer. June 22, I issued an 
advisory that seemed to indicate there was an increase in 
activity, spear-phishing, credentials stuffing, password 
spraying, those sorts of account compromise technique that the 
Iranians used. We had seen that over the course of the last 
couple months. So we had been already on heightened alert, and 
internal to the Department, we had a contingency plan for just 
this sort of thing.
    I would have to defer to the Secretary and the Acting 
Secretary on the sorts of conversations they were having 
specific to this event with the rest of the administration, but 
we were already planning as if they were active. We had been 
sending out a significant amount of alerts and advisories.
    So when news broke of the strike, we were in place ready to 
go. We snapped into place our engagement mechanisms. That is 
why we were able to get people on the line so quickly because 
we were ready for it.
    There is a different aspect of this as well. The Soleimani 
strike was one of strategic surprise. The way that Iran in 
particular--but pretty much any other effective cyber actor--to 
get these sort of persistence and positioning that they want to 
launch their attacks against their strategic objectives takes 
time. It does not just happen overnight. That is what we saw 
last spring, where they were positioning for access.
    So when the January 2 strike happened, they were either in 
position to do what they wanted to do or they were going to 
have to make a decision to work themselves into position. So we 
had a two-pronged approach of you may already be compromised 
and you need to be looking for the indicators of Iran comprise. 
Alternatively, if they increase their activity, you need to be 
on the lookout for these sorts of techniques, and that is part 
of what we pushed out with our alert.
    Senator Carper. Good. Thank you. Thanks very much.
    I am going to stop picking on you, and then we will let 
these other folks answer a couple questions, if you would. I 
just want to ask the two of you, Ms. Crawford and Mr. DeRusha.
    I want to give each of you--if you will just take a minute, 
to tell us what is working when it comes to your partnership 
with one another, including CISA. What is working?
    Mr. DeRusha. So one of the things that is working is we 
have really tried to integrate DHS CISA advisor into our 
monthly election security meetings, for example. We have 
regular threat information sharing briefings. They have ensured 
that the Secretary and both myself have been brought into 
classified prep briefings, which is really beneficial, 
particularly for officials who are not used to hearing the 
Intel. Actually, I would encourage that there could be more. It 
would be helpful to have more of that actually at the State 
legislature level as well as they are determining whether or 
not they can provide more funds for cybersecurity.
    I would just say that the overall partnership is very 
streamlined and just reinsure that we are integrating and bring 
them along on every step of the way.
    Senator Carper. Ms. Crawford.
    Ms. Crawford. I would agree that we also have a great 
partnership along with our Secretary of State's office in 
receiving briefings on election security issue.
    I mentioned a little bit before about we are taking 
advantage of the CISA's offering of a Tabletop Exercise to 
offer that on cybersecurity at our Information Security Forum 
in Texas.
    I would also say just coming out of the August events, I 
have just been overwhelming impressed with CISA's efforts to 
reach out to us to make sure that the lines of communication 
were open.
    They came down to visit after the August event. We came up 
and visited with their leadership as well to see how we could 
understand better what was offered, and they were very open 
with us about improving the communications line.
    So we definitely feel that they hear us. I mean, we 
certainly would love a dedicated resource, but I know that we 
are not alone with that and that they are working toward that.
    Senator Carper. One last quick question, Mr. DeRusha, for 
you. As a former Senior Cybersecurity Advisor to President 
Obama and speaking from your current role as Chief Security 
Officer for the State of Michigan, how would you assess CISA's 
outreach to their State and local partners?
    Mr. DeRusha. The outreach of Homeland Security? So, as 
Director Krebs has mentioned a number of times, it is really 
about resources, and we see the intent every day of DHS trying 
to get everywhere across the State, particularly in the runup 
to the elections. I think it is just a matter of they need more 
boots on the ground, and again, they need to have a specific 
State representative so that they can get familiar with that 
State and understand how to plug in where they need help, where 
they have already got it covered, and what sort of tailored 
information for different groups is available and useful.
    I really just think that DHS is doing everything it can 
with the resources it currently has, and we just need to work 
to get more funds and more resources.
    Senator Carper. Mr. Chairman, while you were running very 
successful businesses, I was trying to run the National 
Governors Association (NGA). They let me be a chairman for a 
while, and then--actually, they let me be the chairman of 
something called the NGA's Center for Best Practices. It is a 
clearinghouse for good ideas and which can be very helpful to 
Governors, to States in sharing information and best practices.
    I suspect you are already well aware of that and taking 
advantage, but I would just bring it to your attention if you 
are not.
    Thank you all very much for being here and for your work.
    Chairman Johnson. Before I turn to Senator Peters, I just 
want to kind of reinforce that point. I really think CISA has 
the opportunity to really create a model versus an old agency. 
I would call it well-seasoned, the FBI. You have a new agency 
here. You can create the model of a clearinghouse, of a support 
system, without onerous over-regulations.
    To me, the private sector will be ahead of us in many 
respects in terms of how to handle backups for individual 
devices, small enterprise, that type of thing.
    I do not want to see CISA grow so big and have so many 
resources that, all of a sudden, now they are lording over 
State and local governments. I want them to be an effective 
resource. I want to see limited Federal Government but 
effective Federal Government.
    So we want to get that balance. You have a perfect 
opportunity right now as you are standing up this agency, With 
the whole interference in the 2016 election, I think the 
Federal Government has responded beautifully to that, quite 
honestly. Is it perfect? No. But I think CISA and both the 
Obama administration and Trump administration have done a 
pretty good job in, again, laying out that model, very similar 
to FEMA.
    It really is the individual. It is about the enterprise. It 
is about State and local government are the first responders. 
They have to be responsible.
    I do not want anybody to start looking at the Federal 
Government will take care of this for us, ``Why did not you 
prevent this?'' There is a lot we can do in terms of resources 
and vice and making people aware, but in the end, people have 
to take responsibility. So it is about getting that balance 
right.
    Quite honestly, I am encouraged by the direction. I do not 
have a problem with additional resources so we can effect this 
thing, but I am going to always be very wary of too many and 
having CISA or Department of Homeland Security becoming ``I am 
the Federal Government. We are here to help.'' I actually want 
that to be true as opposed to people rolling their eyes when 
the Federal Government comes here offering help. I do not want 
them controlling.
    Senator Carper. But, Mr. Chairman, Senator Portman was nice 
enough to reference some of the work that I had led when I was 
privileged to chair this Committee in the cyber world with some 
of you. My partner in that was Tom Coburn.
    Some of you know Tom has battled cancer, I think, four 
times in his life and beat it, and he is in another battle 
today. Just keep him in thoughts and prayers.
    Chairman Johnson. I agree. Keep Senator Coburn in your 
prayers.
    Senator Carper. You bet. Thanks.
    Chairman Johnson. Senator Peters.
    Senator Peters. Thank you, Mr. Chairman.
    Thanks again to our witnesses for all your great testimony 
today.
    Chairman Johnson and I are on a bill called the DOTGOV Act, 
which will make it easier for State and local governments to 
transition to more secure and trusted dot-gov domains. When 
State and local websites can be mimicked, I think this is 
important protection.
    Mr. DeRusha, could you talk a little bit about dot-gov use 
in Michigan and from your perspective why would transitioning 
to dot-gov really be beneficiary for both State and local 
governments?
    Mr. DeRusha. Absolutely, Senator. So to give just an 
example, if you look at about the top 10 counties in Michigan, 
they are pretty much using dot-com and dot-org, and those top 
10 counties generally represent two-thirds of Michigan's 10 
million population. So right there, we can just look and say we 
have got a challenge.
    By moving to the dot-gov top-level domain, there is just 
inherently more security built in. They have protections in 
place to ensure that compromised passwords are not being 
reused, two-step authentication, and just the trust factor, it 
is really easy to spoof a dot-com or dot-org and pretend to be 
someone you are not and get someone to give you their personal 
information or credentials. So by having the dot-gov,--org in 
place, we would really be able to start stemming some of these 
very common attacks that we see.
    Senator Peters. Thank you. Director Krebs.
    Mr. Krebs. So a couple things here. One is that we can 
preload a number of security services into a dot-gov Uniform 
Resource Locator (URL), and really what we are seeing more than 
anything right now is that local jurisdictions in particular 
are making decisions based on $400. And that is what it is 
costing them to sign up for a dot-gov account. We need to be 
able to solve that problem because you should not put security 
at stake over $400 at a local government level.
    The second piece, as Chris just mentioned, is there is an 
aspect of countering disinformation baked in here as well. What 
we are encouraging organizations right now to do and 
individuals to do is go to your trusted sources for 
information. Do not just listen to the random dot-com or dot-
org or whatever. Go to the trusted source; election officials, 
for instance. Go to the election official's website to find out 
registration information, where you are supposed to go vote. 
That should be a dot-gov. We need to shore up the dot-gov 
registration process to make sure people do not get there and 
have unauthorized access to dot-govs, but assuming we get 
there, this will help counter a lot of particularly election 
disinformation as well.
    Senator Peters. Great. Thank you.
    Mr. DeRusha, you mentioned in your opening comments the 
partnership with the National Guard, both the Air and Army 
National Guard in Michigan. Could you elaborate on how that 
coordination is important and how we should be using those 
resources with State and local governments?
    Mr. DeRusha. Absolutely. So we are fortunate enough to have 
both Army and Air Force Reserve unit cybersecurity protection 
teams in the State. These are some of the best, most talented 
folks. They are highly skilled, trained, and well equipped. So 
they are a fantastic resource, as Texas showed us all when they 
leveraged them during their response, and so we have a very 
close partnership with them.
    We exercise together. We recently did a live exercise, 
simulating a very large attack, and they were there along the 
way. Next month, we are actually going to be doing a training 
exercise on our State network where they will come in, and we 
will start to get more familiar with one another how to work 
together and then get more familiar with our team members and 
our network, so that if we need to go to them for support 
during a crisis, we will just be better prepared for that.
    But I cannot emphasize enough that this is about all 
resources. It is DHS, plus State, plus Guard, plus FBI, plus 
vendors, plus, plus, plus, and I think that is just the key 
thing here. The threat is overwhelming, and we need to be using 
all available resources.
    Senator Peters. Great. Very good.
    Director Krebs, a last question here. More and more 
critical infrastructure at the State and local government are 
relying on systems at data centers, which required, obviously, 
cybersecurity but also physical security. What efforts need to 
be made to ensure the physical security of our data centers?
    Mr. Krebs. That is actually an interesting question, given 
the authorities of my agency. So we are not just the cyber 
agency. We are the cyber and infrastructure security agency. We 
have five different disciplines, the way I see it: IT security, 
industrial control systems security, supply chain security, 
physical security, and insider threat. Those last two pieces--
physical security, that is part of what we were able to do with 
our field force. I have a cadre of about 138 protective 
security advisors that focus on physical security, and you name 
it, whether it is data centers in northern New Jersey, out by 
Dulles Airport, we have done physical security assessments of 
these facilities to make sure that they get the appropriate 
security measures put in place. So this is absolutely critical.
    The thing that I will kind of close out on here, though--
and Director Crawford mentioned managed service providers early 
on. This is an area that, I think, bears some additional 
examination and coordination with our partners.
    MSPs, whether it is the bigs or the medium sizes that 
provide resources at the State and local level, it is a 
community without peer. They do not have a natural aggregation 
point or an association here in D.C.
    Moreover, we have really encouraged State and local 
governments, private sector, medium-size businesses to go to 
the cloud, to go to shared services and models like that, and 
that is the demand side.
    On the flip side, the supply side, there has been a 
recognition that there is a market here, but we have not really 
established what good enough security looks like. I think that 
there is a lot of opportunity for my agency to work with 
managed service providers, help them understand what their 
challenges are. Again, their challenges are that they are a 
community without peer. There have been a lot of cases, large, 
complex, global networks and also a lot of risks baked in of 
contracts they may have signed years ago that they are not 
really sure how to manage that risk long term.
    So I think this is one of those areas that over the next 18 
months, you will see my agency lean in a little bit more to 
really understand the areas of focus that we can manage that is 
an unknown risk right now.
    Senator Peters. All right. Thank you so much.
    Chairman Johnson. Senator Peters, just real quick on MSPs, 
I assume--and I know how dangerous it is to assume, but I have 
always assumed that there is plenty redundancy built into the 
cloud, storage, and that type of thing.
    So if you did have, let us say, a service center attacked 
and go down, you have redundancy, correct?
    Mr. Krebs. It depends. I think with the hyperscale cloud 
providers, you have a significant amount of redundancy 
involved, but again, we have not really defined what best 
practices, what standards look like for MSP. So you might see 
some MSPs with a shared back end, where you could lose it all 
in one fell swoop, others that will have virtualization across 
the platform. But, again, we have not collectively defined what 
good enough looks like, and I think that is an area that we 
need to lean into.
    Chairman Johnson. I think it is just a basic consumer 
protection. Again, I am a limited government kind of guy, but 
to me, this is the kind of regulation that I think the Federal 
Government should be supporting, so I am happy to work with you 
on that.
    Before I close this thing, we did hit election security. So 
I just want to go to Director Krebs a little bit.
    You have heard me kind of lay out my definition in terms of 
what you have to worry about. Vote tallies, voter files, and 
then the whole social media disinformation. Can you just kind 
of go through the vulnerability of those three? Voter tallies. 
What is our vulnerability there? What is the likelihood?
    Again, I know some voting machines have Wi-Fi, but it 
should not be hooked up during the voting. That should be very 
limited use. Then voter files which personally, I think, when 
it comes to CISA is your primary area of concern, certainly my 
area of concern, and then social media disinformation, the 
burden falls there on consumers. We need to be discerning 
consumers of information and how we use it, but can you just 
kind of go through those three?
    Mr. Krebs. I want to approach this maybe from a different 
perspective, but we have done a significant amount of research 
lately in the last year or so working a risk assessment across 
the system of systems that makes up election security. And what 
we found was the greatest opportunity for impact at scale. It 
is where things are highly centralized and highly networked, 
and to your point of the voter files, the voter registration 
data bases, that is precisely where if you wanted to create 
havoc at scale, catastrophically, that is where the adversary 
would hit.
    Last summer, we launched our Voter Registration Database 
Ransomware Initiative, just with this concept in mind. So I 
think, again, that is where a significant amount of the risk 
is.
    On the voter tallies, I interpret that as the voting 
machines that are not necessarily networked. They are highly 
decentralized. So to get an effect at scale is going to be 
really difficult, particularly in an undetected way.
    This lays then into your third piece of voter 
disinformation. You have to question the strategic objectives 
of the adversary. The adversary may not be looking to achieve 
an outcome at scale and in an undetected manner. The outcome 
may be that they want to be detected in one key district in a 
swing State and throw the entire thing into question.
    So I have said this before, but we have some time now 
between November and today that we can continue working through 
these threat scenarios and just let the public know, hey, these 
are the techniques that you may see them do. They may try to 
question or put into doubt the sanctity of these systems. Are 
there vulnerabilities throughout? Yes. Are they easy to exploit 
if you got your hands on? Yes. But there are measures that can 
be put in place, paper backups and audit the process, 
absolutely critical security measures in place.
    So, again, our objective is not 100 percent security. It is 
resilience, and the voting public plays a part here too.
    The third pillar of our strategic plan is to engage the 
American public and let them know what their rights are. You 
have to have a plan for voting. You have to know where you are 
registered to vote. You have to know if there are any voter ID 
requirements. You need to know what your provisional ballot 
rights are, so that if something happens and the e-Poll book is 
acting up--because let us be honest. Things happen on Election 
Day that do not have to be Russian-related. They just happen. 
You know what your plan is. You know how to vote.
    And, last, have a little patience. Election night reporting 
is unofficial results. If it does not get there by nine 
o'clock, it is OK. They have time to validate the system.
    Chairman Johnson. Almost $800 million of spending, again, I 
have been using optically scanned, just fill in the dot. I have 
always thought that was pretty secure. Is there a more secure 
system? And in terms of State and local spending of that, of 
those Federal dollars, I would think that would be a good place 
to start. If you did decide to electronic, maybe you ought to, 
again, go back to the future and do something that is auditable 
because you have a paper ballot filled out by a voter that is 
optically scanned. It is pretty easy to go back and recount in 
that as well.
    Mr. Krebs. So the market itself, I think, is going away 
from these direct recording equipment machines that do not have 
any sort of paper ballot backup.
    There is one instance over the summer that I am aware of. 
The manufacturers themselves are not prioritizing them in their 
production runs. That is not, I think, a longer-term concern. 
The concern is, Do you have a paper ballot backup, and do you 
have a post-election audit process in place? Those are the 
things that we need to prioritize, and I think the numbers 
actually show that, I think, in 2016, it was on the order of 82 
percent.
    Now you should be seeing about 90 to 92 percent of votes 
cast in the United States will be associated with a paper 
ballot, and that includes all the historically known swing 
States. There are scatterings throughout the country of areas 
where there is paper, but the trendlines are in the right way.
    Chairman Johnson. Have you just done a quick analysis of 
what it would cost to have everybody convert to optically 
scanned paper ballots?
    Mr. Krebs. So optically scanned paper ballots is one way of 
doing it. There are other machines.
    Chairman Johnson. What percent of the vote is tallied that 
way?
    Mr. Krebs. So with a Scantron and then an optical scan, off 
the top of my head, I am not sure. We will have to come back 
with you, but there is about an 8 percent set of systems that 
do not have any paper ballot. And that is what we should 
ruthlessly look to phaseout over the next several years.
    Chairman Johnson. Again, my understanding is that DHS has 
done a pretty darn good job--and I will ask the two State and 
local government representatives--of reaching out and making 
sure people are aware of the voter file situation and raising 
the awareness and doing everything they can to be a resource. 
If State and local governments are willing to access their 
capabilities, is that true, Ms. Crawford?
    Ms. Crawford. I know that in Texas, working with the 
Secretary of State's office, they were very appreciative of the 
HAVA money to do these election security assessments. Those 
chose to go, rather than through DHS, but actually through a 
program through DIR to use those funds to do the assessments.
    Just speaking to that and the value of those assessments, 
we had one of our 254 counties who did an assessment and did 
remediation based on what they saw in that assessment. They 
were and should have been a victim of that August ransomware 
event, and that did not happen. I think part of that speaks to 
the value that is truly there once you have these assessments 
and the funding going in looking at these county systems as a 
whole. So that is a positive test case for that.
    Getting 254 counties in a State like Texas to all agree to 
do this and have folks come in has not been without its 
challenges, but I think we have all but three signed up to 
undergo those assessments now. So we are encouraged by that.
    Chairman Johnson. So in terms of what Director Krebs was 
talking about, the greatest vulnerabilities of voter files in 
Texas, again, there is no guarantees, but you are pretty, 
fairly confident that you are obviously fully aware of this and 
taking the steps that you are pretty confident that we should 
not have any problems in 2020?
    Ms. Crawford. I would defer that to our Secretary of 
State's office since they handle that, and we are really just 
essentially the IT provider to do those services. But I am 
confident in the relationship that our Secretary of State's 
office has with DHS in working to address those issues.
    Chairman Johnson. Mr. DeRusha, in terms of Michigan--and, 
again, assessment with the other 50 States? Because you are 
talking amongst each other.
    Mr. DeRusha. Yes. So we collaborate closely with our 
Secretary of State, Bureau of Elections, Michigan State Police. 
We have DHS. We all have a different role and responsibility. 
There is a lot of activity going on.
    So, for example, we are trying to put two-factor 
authentication on all of the county clerks that are going got 
access our registration system, something that the State just 
needs to do.
    But DHS is doing briefings. We are trying to do educational 
briefings, and what we are doing is we are just planning 
together, tailoring those, making sure that there is good 
content for the audience, and then sending one coordinated 
message out and just pulling out in the field together so that 
we bring all resources to bear at once, because otherwise it 
would be overwhelming for them, frankly.
    They also have to make sure the elections work. So we want 
to make sure that we are working together to just make these 
resources available and easy to use.
    Chairman Johnson. OK. Again, I want to thank you all for 
taking the time for your testimony. I cannot tell you how many 
Senators walked by me and said, ``Hey, this is a great hearing. 
We really appreciate this,'' and that was really because you 
did a great job in preparing your written testimony and 
answering the questions in a relevant manner. So thank you very 
much.
    The hearing record will remain open for 15 days until 
February 26, 5 o'clock p.m., for the submission of statements 
and questions for the record.
    This hearing is adjourned.
    [Whereupon, at 11:41 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                    EVOLVING THE U.S. CYBERSECURITY
                  STRATEGY AND POSTURE: REVIEWING THE
                 CYBERSPACE SOLARIUM COMMISSION REPORT

                              ----------                              


                        WEDNESDAY, MAY 13, 2020

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 9:30 a.m., via 
video conference, Hon. Ron Johnson, Chairman of the Committee, 
presiding.
    Present: Senators Johnson, Lankford, Romney, Scott, Hawley, 
Peters, Carper, Hassan, Sinema, and Rosen.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning, everybody. This hearing is 
called to order. I certainly want to welcome the witnesses. We 
have the two co-chairs of the Cyberspace Solarium Commission 
(CSC), Senator Angus King and Congressman Mike Gallagher. If I 
lived just a little bit further north, Congressman Gallagher 
would be my Member of Congress.
    We also are pleased to welcome Suzanne Spaulding, who--I 
will introduce people formally prior to the testimony--and also 
Thomas Fanning, two of the commissioners of the Commission.
    I first of all want to thank the co-chairs and the two 
commissioners for their important work on the Cyberspace 
Solarium Commission. I think the end product is excellent. I 
think it has some solid recommendations that a number of these 
are within our Committee's jurisdiction and we will be working 
hard to evaluate those, and the ones that we can, get them 
passed into law. Other of these recommendations can be done 
through executive action.
    What I would like to spend my time, just enter my formal 
written statement into the record,\1\ I just really want to 
talk about two of the Commission's recommendations. When I got 
here in Congress in 2011, cybersecurity was a hot issue. It 
still is. It is not going away. But I remember the buzzword 
back then is we have to do something about this.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 159.
---------------------------------------------------------------------------
    Now we have made a number of attempts, and quite honestly, 
we made a fair amount of progress. My own sense is that, the 
bad guys, they always have an advantage. But I think we are 
catching up. I think we are closing that gap between offense 
and defense.
    But, there have been some very common themes. The first one 
is we have to do a better job of the information sharing. I 
think we have accomplished that, certainly, certainly with the 
establishment of the Cybersecurity and Infrastructure Security 
Agency (CISA), headed up by Chris Krebs right now.
    By the way, we had a conference call with Director Krebs 
just last week, and he was reporting that, bad actors, cyber 
actors are trying to take advantage of coronavirus disease 
(COVID), trying to steal some of the medical information on 
development of vaccines. So again, this is a persistent threat. 
It is not going away, which is what makes the Commission's work 
so incredibly important.
    But the first recommendation I want to talk about, that, 
quite honestly, we are working hard at getting hopefully 
included in the National Defense Authorization Act (NDAA) so it 
can become law, is the need to put somebody in charge, a 
national cyber director. We held a hearing a couple of years 
ago of the blue-ribbon study panel, and this was another type 
of panel established on biodefense. And it is interesting that 
their No. 1 recommendation is the same as this Commission's, is 
we need somebody in charge.
    Not too long ago we held a hearing on 5G. Once again, the 
No. 1 recommendation out of that committee hearing was we need 
somebody in charge of the implementation and development of 5G 
if we are going to compete in the world. And so now, lo and 
behold, I think the No. 1 recommendation out of this Commission 
is we need somebody in charge.
    Now there is some controversy behind that. Exactly how to 
set it up is complex. I signed on a letter with Senator Rounds, 
who is kind of leading the charge on the Senate Armed Services 
Committee, asking the Commission to continue, while you still 
have your Commission, to study and make recommendations exactly 
how that national cyber director would be established, what 
part of the administration that individual should be placed 
into that they can have the maximum positive impact. So 
hopefully the Commission will stay together and make that 
recommendation and we can get that included into the National 
Defense Authorization Act.
    The other recommendation I want to talk about is something 
that we did cover in a hearing with Director Krebs, both in a 
secure setting as well as in a public hearing, is the need 
for--and this is actually, Senator Hassan and I have a bill on 
this. The bill is called Cybersecurity Vulnerability 
Identification and Notification Disclosure Act of 2020. There 
is just a need for CISA to be able to contact individuals where 
they have noticed that there is a threat, and right now the 
only way they can contact those people is if they can literally 
subpoena the records to find out who those individuals are, to 
identify them so they can contact them. This should not scare 
anybody. It should not be an issue with civil liberties. But it 
is a very necessary authority that CISA needs, and I am going 
to ask everybody on our Committee to do everything we can to by 
hook or by crook, hopefully get that in the National Defense 
Authorization Act as well.
    So anyway, those are the two things I want to concentrate 
on. I do not want to steal the Commissioners' thunder here in 
their testimony, or my Ranking Member, Senator Peters, his 
thunder, with his opening statement. So I will turn now to 
Senator Peters.

             OPENING STATEMENT OF SENATOR PETERS\1\

    Senator Peters. Very good, Mr. Chairman. Thank you. Thank 
you for bringing us together for this hearing and thank you to 
our witnesses for joining us today and for your hard work on 
the Cyberspace Solarium Commission. I would especially like to 
thank our colleague, Senator King, for his leadership on 
cybersecurity policy, and for appearing before us here today 
and subjecting himself to our questions. So thank you, Senator 
King, for doing that.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appear in the Appendix 
on page 160.
---------------------------------------------------------------------------
    Cyberattacks are clearly one of the greatest threats to our 
national security, and as the Commission found in your report, 
the United States is not thoroughly prepared to defend itself 
in cyberspace. The findings and recommendations included in 
your report could not come at a more important time. 
Adversaries like China, Russia, and Iran have repeatedly 
attempted to hack into our critical infrastructure, interfere 
in our democratic process, and engage in large-scale 
intellectual property theft.
    Most recently, the Chinese government launched a 
cyberattack against our hospitals and health care research 
facilities in an effort to steal information on the coronavirus 
vaccine, an attack that threatened the health and the safety of 
Americans. Every one of these attempted attacks are targeted to 
undermine our national and economic security, and without 
sufficient cybersecurity tools, resources, and skilled 
personnel, these attacks could have a devastating impact on our 
daily lives.
    Your report makes some critical recommendations that 
Congress must consider as we work to ensure that our country is 
better prepared to deter, to prevent, and to recover from 
malicious-style attacks. Your recommendations are very wide-
ranging, but I think they boil down to basically three main 
goals. One, we must work with our allies to promote responsible 
behavior in cyberspace, we must deny benefits to our 
adversaries who exploit our vulnerabilities, and we must impose 
greater costs on those who engage in malicious cyberattacks.
    I have been very proud to work on a bipartisan basis with 
many of my colleagues here on this Committee to advance 
legislation that will help meet some of these goals, and I look 
forward to discussing these recommendations today and finding 
some additional ways for us to come together and to make sure 
that we are dealing with cybersecurity issues.
    So thank you again to all of our witnesses for joining us 
today, and I look forward to your testimony.
    Chairman Johnson. Thank you, Senator Peters. I know this is 
a Web event, not an in-person hearing, but it is the tradition 
of this Committee to swear in witnesses. So I will just ask you 
to swear that the testimony you will give before this Committee 
will be the truth, the whole truth, and nothing but the truth, 
so help you, God.
    Senator King. I do.
    Mr. Gallagher. I do.
    Ms. Spaulding. I do.
    Mr. Fanning. I do.
    Chairman Johnson. Thank you.
    Our first witness is Senator Angus King. Senator King is 
the co-chair of the Cyberspace Solarium Commission. Since 2013, 
Senator King has served as the first independent Senator from 
the State of Maine. Prior to joining the Senate, Senator King 
was the Governor of Maine for two terms. He is a graduate of 
Dartmouth College and the University of Virginia Law School. 
Senator King.

  TESTIMONY OF THE HONORABLE ANGUS S. KING, JR.,\1\ CO-CHAIR, 
                 CYBERSPACE SOLARIUM COMMISSION

    Senator King. Chairman Johnson and Ranking Member Peters, I 
really appreciate the opportunity to testify before you. What I 
would like to do is give you a little background on the 
Commission, what our fundamental findings were, and then talk 
about our strategy of layered cyber deterrence.
---------------------------------------------------------------------------
    \1\ The joint prepared statement of Senator King appear in the 
Appendix on page 162.
---------------------------------------------------------------------------
    First, the Commission. It was set up by the 2019 National 
Defense Act, and the mission of the Commission was to establish 
an overall strategic direction for American policy in 
cyberspace, that is No. 1, and No. 2, to make recommendations 
for implementing that strategy.
    The Commission had 14 members, 4 from the Congress, 4 from 
the Executive, and 6 from the private sector. It was entirely 
nonpartisan. There were really no partisan discussions 
whatsoever, and apart from the four Members of Congress, I have 
no idea of the partisan affiliations of any of the other 
members of the Commission.
    We had 29 in-person meetings. We interviewed over 400 
people. We went through thousands of pages of documents. We 
ended up with 81 recommendations, 57 of which require 
legislative action, which have been submitted to the various 
committees and the staffs in the Senate and the House.
    So what are the fundamental findings? The real basis of the 
Commission rests upon three issues. One is reorganization. Get 
the structure right, and the Chair talked about this at the 
beginning. The second is resilience. How do we build cyber 
defenses to keep ourselves safe from attack? And the third is 
response. How do we respond to attacks in such a way as to 
defend our country?
    Now the fundamental strategy, if you will, is called 
layered cyber defense, layered cyber deterrence, and here are 
the layers. No. 1 is shape behaviors. That is, establish norms 
and standards in the international community so that this is 
not a unilateral, one-country kind of effort.
    The second is to deny benefits, and that is to strengthen 
our cyber defense, and part of this is reorganization, part of 
this is strengthening CISA and other agencies that we will talk 
about later this morning. But to basically be more resilient, 
and that includes plans for the recovery of the economy, in the 
case of a cyberattack.
    The third is the strategy of deterrence. We have been 
attacked over and over, over the last 10 or 15 years, and our 
adversaries have paid very little price. We need to establish a 
clear declaratory policy that if you attack the United States 
in cyberspace you will have to pay a cost. And that is really 
the fundamental idea of deterrence, and we have to be clear 
about it, and we have to have our adversaries make the 
calculation that attacking us is going to cost them. I want to 
change their calculus when they are making that decision, and 
that is what the fundamental strategy is that we are going to 
be presenting to you today.
    Thank you very much for holding this hearing. I look 
forward to answering your questions.
    Chairman Johnson. Thank you, Senator King.
    Our next witness is Congressman Mike Gallagher. Congressman 
Gallagher is the Co-Chair of the Cyberspace Solarium 
Commission. He represents Wisconsin's Eighth congressional 
District in the U.S. House of Representatives. He received a 
bachelor's degree from Princeton University and a Ph.D. in 
international relations from Georgetown University.
    Congressman Gallagher served in the United States Marine 
Corps (USMC) for 7 years and did two deployments in Iraq. 
Congressman Gallagher.

    TESTIMONY OF THE HONORABLE MIKE GALLAGHER,\1\ CO-CHAIR, 
                 CYBERSPACE SOLARIUM COMMISSION

    Mr. Gallagher. Thank you, Chairman Johnson, Ranking Member 
Peters, distinguished Members of the Committee. It is an honor 
to be here presenting the findings of the Cyberspace Solarium 
Commission, and thank you to you and your staffs for engaging 
so proactively with the work of the Commission as we try and 
turn our recommendations into actual legislation.
---------------------------------------------------------------------------
    \1\ The joint prepared statement of Mr. Gallagher appear in the 
Appendix on page 162.
---------------------------------------------------------------------------
    We start, really, from a sobering recognition, similar to 
the one which animated the original Project Solarium some 67 
years ago, which is to say the status quo is not getting the 
job done. I would wholeheartedly agree with Chairman Johnson 
that we have taken important steps toward reform, such as 
standing up CISA, U.S. Cyber Command (CYBERCOM). But for a 
variety of reasons we have yet to achieve the speed and agility 
that is necessary for survival in cyberspace.
    So how do we get there? As my good friend and fellow co-
chair, Angus King, continually reminds me, structure is policy. 
And I would like to talk a bit about our recommendations 
related to structure.
    First, we believe we must create a House permanent select 
and Senate select committee on cybersecurity in order to 
streamline congressional oversight and authority. Second, we 
believe we must establish a Senate-confirmed national cyber 
director, that Chairman Johnson talked about, to lead national-
level coordination for cyber strategy, and really to serve as 
that public voice for cybersecurity and emerging technology 
issues.
    Third, we believe we need to strengthen CISA to ensure the 
national resilience of critical infrastructure, conduct 
national risk management and cyber campaign planning, and lead 
public-private collaboration, ultimately allowing CISA to 
compete for talent not only with the National Security Agency 
(NSA) but with Google and other attractive private sector 
companies. Fourth, the Commission believe we need to recruit, 
develop, and retain a stronger Federal cyber workforce and 
thereby close our 35,000-person Federal cyber workforce gap.
    And fifth and finally, we believe we need to strengthen our 
cyber supply chains. The Commission has taken an approach that 
believes in the power of free and fair competition to breed 
innovation, but our current strategy amounts to little more 
than occasionally limiting the access of firms that we do not 
trust into our markets. I believe this is not working, and 
consider the competition for 5G, where the Chinese Communist 
Party (CCP) is able to subsidize their national champions, like 
Huawei, thereby advance their goal of dominating the global 
market without having to respond to market forces.
    To counter this, the Commission calls for investing 
information and communications technology (ICT), industrial 
capacity, and reinvigorating our investment in research and 
development (R&D). Of course, this will cost some money, but 
whether, in terms of responding to a pandemic or responding to 
a massive cyberattack, we believe that America can no longer 
afford to depend on the largesse of the Chinese Communist Party 
for critical technologies.
    And with that I would like to once again thank Chairman 
Johnson, Ranking Member Peters, along with my co-chair, Angus 
King, as well as Commissioners Tom Fanning and Suzanne 
Spaulding. What really made this a unique experience was the 
quality of participation we got from our outside experts, the 
Executive Branch, and, of course, the sitting Members of 
Congress. And with that I look forward to your questions.
    Chairman Johnson. Thank you, Congressman Gallagher.
    Our next witness is Suzanne Spaulding. Ms. Spaulding is a 
commissioner of the Cyberspace Solarium Commission and the 
Senior Advisor for Homeland Security Center for Strategic 
International Studies. She was the Under Secretary for the 
Department of Homeland Security's National Protection and 
Programs Directorate (DHS NPPD), now the Cybersecurity and 
Infrastructure Security Agency, from 2011 to 2017.
    Ms. Spaulding previously served 6 years at the Central 
Intelligence Agency (CIA) as Assistant General Counsel (GC) and 
Legislative Advisor to the director's Nonproliferation Center. 
Ms. Spaulding.

      TESTIMONY OF THE HONORABLE SUZANNE E. SPAULDING,\1\ 
          COMMISSIONER, CYBERSPACE SOLARIUM COMMISSION

    Ms. Spaulding. Chairman Johnson, Ranking Member Peters, and 
Members of the Committee, thank you for this opportunity to 
testify here today.
---------------------------------------------------------------------------
    \1\ The joint prepared statement of Ms. Spaulding appear in the 
Appendix on page 162.
---------------------------------------------------------------------------
    I want to touch briefly on three areas that I think can and 
should be acted upon quickly, particularly given the 
vulnerabilities that have been exposed by the pandemic. The 
first is strengthening DHS's Cybersecurity and Infrastructure 
Security Agency, or CISA, as the organization that I led as the 
Under Secretary at DHS is now called, thanks in no small 
measure to the work of this Committee, for which I am grateful.
    Congress recognized CISA's central role in our country's 
efforts to reduce cyber risks, and the Commission strongly 
endorsed this view. With malicious cyber actors targeting 
hospitals and health research, and an at-home workforce 
presenting a massive attack surface, CISA's work has never been 
more important, which is why we urge Congress to provide the 
agency promptly with the resources and authorities that it 
needs, including mission support functions, to be able to be 
the national risk manager, provide continuity of the economy 
planning, identify systematically important critical 
infrastructure, and coordinate planning and research across the 
Federal Government and with the private sector.
    Second, with regard to improving the cyber ecosystem and 
reducing vulnerabilities, the Commission understood that 
markets are usually more efficient than government and can 
drive better cybersecurity. We looked at why the market is not 
performing that function today, and a key reason is that 
markets need information in order to be effective. To provide 
this information, we ask that Congress establish a national 
cybersecurity certification and labeling authority to help 
consumers make informed decisions when buying connected 
devices, publish guidelines for cloud security services, create 
a bureau of cyber statistics, promote a more effective and 
efficient cyber insurance market, and pass a national data 
breach notification law.
    Finally, I believe one of the most important pillars in the 
report is resilience. We need to reduce the benefits side in 
the adversary's cost benefit analysis. Sometimes the most cost-
effective way to reduce cyber risks will be reducing our 
dependence on those network systems, developing redundancies, 
perhaps even analog backups or ways of interrupting cyber 
effects. Paper ballots are a way of building resilience into 
election infrastructure, for example.
    We have a number of urgent election-related 
recommendations, but I would like to conclude this morning with 
our recommendations to build public resilience against 
disinformation. Media literacy can help, but we really need to 
focus on defeating a key objective of our adversary, which is 
to weaken democracy by pouring gasoline on the flames of 
division that already occupy online discourse, pushing 
Americans to give up on our institution, not just election but 
the justice system, the rule of law, and democracy. They seek 
to destroy the informed and engaged citizenry upon which our 
democracy depends.
    To defeat our adversaries' objective, the Commission calls 
for reinvigorating civics education, to help Americans 
rediscover our shared values, understand why democracy is so 
valuable, that it is under attack, and that every American must 
stay engaged to hold our institutions accountable and continue 
to move toward a more perfect union.
    Thank you for the opportunity to testify, and I look 
forward to your questions.
    Chairman Johnson. Thank you, Ms. Spaulding.
    Our final witness is Thomas Fanning. Mr. Fanning is also a 
Commission of the Cyberspace Solarium Commission and the 
Chairman, President, and Chief Executive Officer (CEO) of 
Southern Company, one of the nation's leading energy companies. 
Mr. Fanning has worked for Southern Company for more than 38 
years.
    He currently serves as the co-chair of the Electricity 
Subsector Coordinating Council (ESCC), the principal liaison 
between the Federal Government and the electric power sector, 
on matters of national security, from terrorism and 
cybersecurity to disaster recovery. Mr. Fanning has previously 
served on the board of directors and Chairman of the Federal 
Reserve Bank (FRB) of Atlanta. Mr. Fanning.

  TESTIMONY OF THOMAS A. FANNING,\1\ COMMISSIONER, CYBERSPACE 
                      SOLARIUM COMMISSION

    Mr. Fanning. Good morning. Thank you, Chairman Johnson, 
Ranking Member Peters, and members of the Committee for the 
opportunity to testify today.
---------------------------------------------------------------------------
    \1\ The joint prepared statement of Mr. Fanning appear in the 
Appendix on page 162.
---------------------------------------------------------------------------
    The United States is at war, virtually unchecked for years. 
Our adversaries have been stealing our intellectual property 
and disrupting American commerce and our democratic way of 
life. This war is being waged primarily on our nation's 
critical infrastructure, mainly the energy sector, 
telecommunications networks, and our financial system.
    Fully 87 percent of the critical infrastructure in the 
United States is owned and operated by the private sector, 
making collaboration between the private sector and the 
government imperative.
    The Cyberspace Solarium Commission was created to reimagine 
U.S. national security doctrine for this new digital reality.
    The layered cyber deterrence approach outline in the 
Cyberspace Solarium Commission report serves as a practical 
roadmap to protect, repair, hold accountable, and respond to 
existential cyber threats. We propose a three-pronged strategy 
for success: reshape behavior on the battlefield, impose costs 
on our adversaries, and deny benefits to our enemies.
    Certainly there is no internationally accepted principles 
of escalation and de-escalation in cyberspace. The first step 
in reshaping behavior on this battlefield is to define State-
accepted behaviors in cyberspace to include clear consequences 
for behaviors that are not acceptable. Then we need to 
communicate these behaviors not only to our friends but also 
our adversaries who attack us.
    Every day American companies like Southern Company face 
millions of cyberattacks, including from nation-state 
adversaries. With the full support of the private sector, the 
Federal Government must advance a strategy to defend forward 
and maintain an offensive posture in cyberspace through 
regular, persistent engagement with friends and foes alike. 
This engagement must include the full weight of the Federal 
Government, including the Department of Defense (DOD), the 
Federal Bureau of Investigation (FBI), the Secret Service, and 
the intelligence community (IC) to allow for rapid and 
effective responses to these attacks.
    The third strategic prong is to deny benefits to our enemy. 
We do this by strengthening the critical infrastructure's 
ability to maintain continuity against a cyberattack. We must 
also take steps to reshape the cyber ecosystem, the people, 
processes, and technology and data that make up cyberspace 
toward greater security.
    Finally, we must create a true joint effort between private 
industry and government. This means moving beyond information 
sharing to allow common access to actionable intelligence, 
elaborative analysis, joint planning, and joint action. It also 
means clearly identifying the most systemically important 
critical infrastructure and bringing to bear the full resources 
of the United States Government in supporting and defending 
them from nation-state attacks.
    Senators, the cost of inaction is too great. The public and 
private sectors are true partners in this effort and we must 
move forward in better harmony. I am confident the Cyberspace 
Solarium Commission's report and recommendations will help us 
to do that. I am happy to answer any of your questions.
    Chairman Johnson. Thank you, Mr. Fanning.
    Let me just quick start out with Senator King. I am 
assuming you received the letter from Senator Rounds, asking 
the Commission to study, and potentially up to the point of 
legislative language, propose the exact structure for the 
national cyber director. Is that a mission you have accepted, 
and something you may be able to conclude?
    Senator King. Absolutely. Yes, I talked with Senator Rounds 
about that last week, and I think the questions are good ones, 
and I think it is absolutely appropriate that we are going to 
apply ourselves to answering those questions and try to flesh 
out some of the details of how this new office would work, what 
the authorities would be, and how it would fit in with other 
structure of the Federal Government.
    Chairman Johnson. OK. Thanks, Senator King. Congressman 
Gallagher, my second point was giving CISA that subpoena 
authority so that when they identify a threat they are also 
going to be able to find out who is being targeted by that 
threat and provide notice. What are the prospects of, for 
example, Senator Hassan's and my bill to accomplish that? What 
are the prospects in the house?
    Mr. Gallagher. Well, we very much support the 
recommendation and appreciate the work that you are doing. We 
fully support the bill language.
    As for the prospects in the House, I cannot give you a good 
assessment right now, but we are working with the committees 
and really sort of leveraging one of the unique strengths of 
the Commission, which is that Jim Langevin, who was the other 
House member on the Commission, a Democrat, has enormous 
influence within his caucus on these issues. He is a 
subcommittee chair on a relevant cyber-related subcommittee, 
and he has been a champion of this proposal, as well as some of 
the more hotly debated proposals, such as the creation of a 
special elect cybersecurity commission in the House.
    But I just would say we believe that the administrative 
subpoena authority, as called for in the Commission's report, 
and as called for in your legislation, would strengthen CISA's 
ability to be proactively detecting vulnerabilities in critical 
infrastructure and help secure them before they are 
compromised.
    And the final point I would make is this is very much in 
line with the approach we tried to take throughout the report, 
which is not to create a bunch of new agencies with fancy new 
acronyms, but to take a look at the agencies that exist right 
now, particularly CISA, and figure out how do we elevate and 
empower it and give CISA the tools it needs in order to 
accomplish its very important mission.
    Chairman Johnson. If you could spearhead the efforts in the 
House so we can have common language, so if it passes one 
chamber we are not ping-ponging it back and forth. And again, 
my goal would be to get this attached to the National Defense 
Authorization Act.
    Ms. Spaulding, you mentioned the need for a national data 
breach notification. When I started talking about we had to do 
something back in 2011, those are always the first two goals, 
better information sharing and a national preemptive standard 
for data breach, I did not realize how incredibly complex and 
difficult that was. That is part of your recommendation. Do you 
have a secret formula for actually accomplishing that?
    Ms. Spaulding. Unfortunately, Mr. Chairman, we do not. We 
understand that Congress is going to need to work through those 
issues. And our recommendation was really designed to describe 
the elements that we think need to be in such legislation and 
really to try to add wind to your sails as you attempt to 
corral your fellow members into reaching consensus, because it 
is something that is so important to achieve on a national 
level, as you fully understand.
    We have breach notification laws in effect. There are over 
50 of them, and every State has their own. And it is difficult, 
obviously, for businesses who operate across State lines, but 
it also does not result in the kind of statistics and 
information, on a national scale, that could help, for example, 
this national bureau of cyber statistics, that could help 
advance the cyber insurance market, could help Chief 
Information Security Officer (CISOs) who are trying to make 
cases to their management for return on investment. That is the 
kind of information that a national breach law could help 
accomplish.
    Chairman Johnson. As you well know, we are going to need a 
lot of help. I am not even sure we have our sails up, much less 
wind in them.
    Mr. Fanning, you and I have spoken in the past and met 
about my concern about, for example, electromagnetic pulse 
(EMP) and geomagnetic disturbance (GMD) as a threat to our 
national grid. Cyberattacks represent a similar type of threat. 
Can you give us some assurance that we are addressing these 
problems, that we have resiliency within our electrical grid? I 
mean, what progress has been made?
    And I am particularly concerned right now that Iran has 
launched, successfully, a satellite that is circling the globe 
and, coming up over America probably multiple times a day. That 
is a big concern of mine.
    Mr. Fanning. Yes, Senator, thanks, and I appreciate our 
dialogues in the past.
    I think one of the points that I have tried to make is that 
there needs to be comprehensive approaches to all of these 
issues. In fact, when the ESCC, my leadership now there has 
been about 7 years on the ESCC. And we have seen cyber issues, 
we have seen natural disasters like hurricanes and tornadoes, 
and now we see the coronavirus pandemic.
    What we need to do is have a comprehensive approach where 
we harmonize the efforts of government with the efforts of the 
private sector, and let's not forget State and local 
governments and our international partners.
    So the whole idea is to have a comprehensive approach to 
this. I would say that every silo of government, and I would 
say the silos of the strategically important sectors of the 
economy, have been doing a pretty good job. But what we have to 
do in order to advance the ball for America is to harmonize 
these efforts and collaborate.
    Chairman Johnson. Well, again, thank you, Mr. Fanning. I 
will reserve the rest of my time and turn it over to Senator 
Peters.
    Senator Peters. Thank you, Mr. Chairman. My first question 
is for Senator King and Mr. Fanning. News reports have recently 
indicated that the Chinese government has been sponsoring 
cyberattacks against our hospitals, our government networks, 
and our medical research institutions, presumably in search of 
COVID-19 vaccine research. This is clearly unacceptable. It 
puts Americans' lives at risk.
    So my first question to Senator King is how would some of 
the recommendations, specifically in this report of yours, 
enable us to combat these kinds of attacks that we are seeing 
from China?
    Senator King. Unfortunately I think it is important to note 
that China is a long-range problem in cyberspace. They are 
clearly active, they want to be more active, and they are 
coming at us. I think if you go back through our 
recommendations, No. 1, we need to step back and start talking 
about establishing international norms and standards so that if 
there is a violation it is not only us that are calling foul 
but it is the whole world. And I think that has to be part of 
the strategy for combating something like what China is doing.
    Second, we are talking about resilience, which is 
strengthening our defenses.
    But the final piece that I think is so important is to let 
the Chinese and the whole world know that if you pull something 
like this you are going to pay a price. And we do not define 
what the price is. It does not have to be kinetic. It does not 
have to be cyber. It does not have to be any particular price. 
But there will be consequence, because I believe that one real 
problem with the whole cyber posture has been that we have been 
basically taking the punches without responding, and I want our 
adversaries to say maybe if we do this we are going to get 
whacked in some way, shape, or form.
    And so this is exactly the kind of thing that we have been 
talking about, and frankly, one of the things we talked about 
was if you come at us in a time of national crisis, like the 
pandemic, the response will be even stronger. The penalties 
will be stronger.
    And so I think it has to be sort of a comprehensive 
strategy. But you are absolutely right. And, one of the things 
this pandemic has showed us is how vulnerable we are, 
particularly if you stop and think about it, how many people 
are working from home. We have the whole level of target space, 
if you will, that we were not showing to the world just 2 or 3 
months ago.
    Senator Peters. Yes, absolutely. Thank you, Senator King. 
Well said.
    Mr. Fanning, as the CEO of a critical infrastructure 
company I am sure you would like to jump in and add how we 
protect infrastructure from Chinese attacks and others.
    Mr. Fanning. Look, it is all over the place. As I said, my 
company alone gets attacked millions of times a day. That is 
not unusual for any of the major critical infrastructure 
providers.
    One of the things I championed over the years, and now we 
have formed is the Tri-Sector Group----
    Senator Peters. Yes. I know it.
    Mr. Fanning [continuing]. Working with guys like Jamie 
Dimon at JP Morgan, Brian Moynihan at Bank of America (BOA), 
Randall Stephenson at American Telephone and Telegraph (AT&T), 
we developed a joint threat matrix, basically modeling what the 
different kind of consequences and likelihoods are for a whole 
spectrum of attacks. And so now we are developing a wish list. 
Now they show up in the Solarium recommendations. We have been 
kind of working through our work to make sure that we are 
consistent with what really is happening in the private sector 
and what we need to do about it as a Federal Government.
    If I can, an important point in this whole, I think, report 
is you do not see very many words like ``sharing'' and 
``cooperate.'' It is collaborate. Since 87 percent of the 
critical infrastructure is owned by the private sector, and we 
are under relentless attack, we have to first illuminate the 
battlefield. We have to share the effort of the intelligence 
community, of our sector-specific agencies, and then the folks 
that will hold the bad guys accountable--Department of Defense, 
FBI, et cetera. We all have to work together and we all have to 
be accountable to make sure that we keep America safe.
    Senator Peters. Thank you. Thanks to both of you for that 
answer. We must do more to protect our nation's critical 
infrastructure from really these types of attacks, as you 
mentioned, and many other attacks that are happening on a daily 
basis.
    Recently I have pressed the Administration to hold the 
Chinese government accountable. They need to be held 
accountable for irresponsible actions, to make it clear that 
this activity is simply not going to be tolerated, particularly 
during a time of pandemic, and that there needs to be 
consequences for these future attacks, whether it is addressing 
cyber threats or our overreliance on China for medical supplies 
needed to address the coronavirus pandemic. I think we need to 
all stand up to the Chinese government, and we have to 
strengthen our national security. This effort is so important.
    My next question is for Senator King as well. The 
Solarium's recommendations regarding the continuity of the 
economy I think are particularly relevant, given the challenges 
that we are addressing here with the coronavirus pandemic. So 
in the event of a widespread or a prolonged cyberattacks on 
critical infrastructure, I think we all agree that the impact 
could be catastrophic.
    So my question for you, Senator King is can you discuss the 
recommendation, and what lessons do you think we are learning 
from COVID-19 that you think we should be considering for a 
long-term cyberattack?
    Senator King. I think one of the first things we have 
learned is the necessity of planning, the necessity of thinking 
the unthinkable, of putting smart people into a room and 
talking about what could happen and what would happen, and how 
to bring the economy back. I think the continuity of the 
economy planning and setting that up as a real function is one 
of our most important recommendations. And we have to be 
thinking about what happens if the Northeast grid goes down, or 
the Southern grid. But we have to be thinking about the lessons 
that we are learning now, some unanticipated.
    Frankly, I think once we get through this awful situation 
that we are in now, one of the most important things is an 
after-action assessment, what I call an after-action 
assessment. What did we learn and what was missing? What are 
the critical functions? What are the pieces that we need to be 
paying attention to that are likely to be vulnerable?
    Before I finish, also let me mention the Chairman asked a 
question about breach notification. Senator Wicker, Senator 
Cantwell, and Senator Moran, all three have bills on that. I 
think they are good bills. And so I think there are some models 
that we can go forward with.
    But to get back to continuity of the economy, I think it is 
absolutely a critical function. It has to be strategic, it has 
to be specific, and I want to be ready when this happens. It is 
going to happen, Mr. Senator. It is going to happen. I told 
somebody the other day, ``We are seeing the longest wind-up for 
a punch in the history of the world, but that punch is going to 
come.''
    Senator Peters. Yes, absolutely. Thank you for that answer. 
Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Senator Peters. Let me just 
read off the list of questioners in order: Senators Scott, 
Carper, Hawley, Hassan, Rosen, Romney, and Lankford. Now I do 
not see Senator Scott on the board, so if that is incorrect 
have somebody text me. But right now we will go to Senator 
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you, Mr. Chairman. Very nice to see 
all of you here, and Senator King, thanks for your good work on 
so many fronts. Congressman Gallagher, I do not know that I 
have had the pleasure of meeting you but I am happy to see you 
and look forward to that.
    I would say to Tom Fanning, when I heard your first name I 
liked you immediately. That was even before I read your bio. So 
welcome. And Suzanne, it is always great to have a Kappa in the 
house, and we welcome you.
    I am going to ask you to step back just a little bit. I had 
the benefit of actually being up close and personal watching 
what we have done or maybe failed to do, in the Congress in 
this regard, with regard to cybersecurity.
    You will recall, Tom Coburn was my wingman on the Homeland 
Security and Governmental Affairs Committee (HSGAC) for a 
number of years and he worked with you and your colleagues at 
the Department of Homeland Security. I feel we accomplished a 
lot with the support of several of the Members of the Committee 
today in this hearing.
    Just reflect back on some of the steps that we have plugged 
in, including making it easier for the Department of Homeland 
Security to hire people that are needed. With the EINSTEIN, as 
you may recall, we really got a lot done to try to improve our 
ability to defend against cyberattacks. What did we do well, 
and one of the things we have tried to do was try to create a 
system, and we finally did in 2018. But what are some things 
that we did well, and what is the unfinished business please? 
Thank you.
    Ms. Spaulding. It is great to see you, Senator Carper, and 
thank you for the question, and thank you for all of your hard 
work over those years and continuing to today in your 
leadership on cybersecurity and so many other important issues.
    You did accomplish a great deal, and I would say some of 
the most important things were solidifying the authority of 
what was then the National Protection and Programs Directorate 
and is now--again, thank you--CISA, because that is really 
important. Government operates most effectively when it has a 
clear mission, and helping to codify the existing mission of 
the cybersecurity and infrastructure resilience effort at DHS 
was a really important step forward.
    And so your work on the legislation to codify its 
operations center, the National Cybersecurity and 
Communications Integration Center (NCCIC), for example, very 
important to get those authorities in place. Its position, 
codifying its role as the primary central place for the 
business sector to come with information, right, and to be the 
key place that gets information back out to the private sector. 
So clarifying very clearly what that mission is, and that DHS 
has been tagged with that mission, was really important, and 
continues to be important.
    Resourcing the agency, under your term the budget began to 
go up and has continued to rise. But really, it was so far 
behind to begin with that there needs to be significant 
increase in those resources, and particularly as I mentioned, 
for those mission support functions that do not get the 
attention. Typically it is easier to get funding for a specific 
program to go out and do something. But the back office support 
for the procurement, for acquiring the technology that needs to 
be acquired, for example, for the human resource (HR) 
functions, our human resources, so that we can bring in that 
talent that we need so badly to be able to do this mission. 
Funding those adequately becomes very important, and the 
Commission strongly recommends that.
    To continue to make sure that the leadership there has the 
expertise that it needs. So we recommended a 5-year term for 
the CISA head of that agency, so that they can be in there long 
enough to become familiar and then really move out on a 
strategy and making sure that we are doing the mission 
effectively.
    So the things that you started, that the Committee has 
continued to pursue, they need to continue but they need to be 
accelerated. And it all needs to be done as it has been to date 
on a bipartisan basis. I want to thank our co-chairs, Senator 
King and Congressman Gallagher, for leading us in such a 
bipartisan and really nonpartisan way. It is the way 
cybersecurity should be done, and I hope will continue to be 
done.
    Senator Carper. Thank you so much for those comments. Our 
friend and former colleague, Tom Coburn, passed away a little 
more than a month ago, as you may know.
    Ms. Spaulding. Oh, I am sorry to hear that.
    Senator Carper. And he, after a long battle with cancer, he 
left a great legacy, and this is just one, and we keep trying 
to build on that.
    I think you mentioned in your remarks, Suzanne, you used 
the words ``in order to form a more perfect union,'' which is, 
as you know, part of the beginning preamble of our 
Constitution. And it is a reminder again that as much as we 
have tried in past years to do a better job in this regard, the 
threats continue to evolve and the sources of the threats 
continue to evolve. So must the responses to them.
    I remember when, right on the heels of September 11, 2001, 
we created the 9/11 Commission, and it was chaired by, I want 
to say, a former Governor. I forget who the co-chairs were. Lee 
Hamilton. I think Lee Hamilton was one of the co-chairs and a 
former Governor from New Jersey, as I recall, a Republican. And 
they presented us with 40-some recommendations. They were all 
bipartisan recommendations. John Lehman was on the commission, 
a bunch of wonderful people. And our Committee, the Committee 
that is meeting today, literally adopted all but maybe a 
handful out of about maybe 40 recommendations. It was a great 
bipartisan leadership co-chair. In the case of Angus and 
Congressman, and all of you have done today is critically 
important.
    Senator King. Senator Carper, if I could interject, Mike 
Gallagher has characterized our Commission, the work we are 
doing, we want to be the 9/11 Commission without 9/11.
    Senator Carper. That is great.
    Senator King. That is exactly what we are trying to do 
here, to think about how to respond, and how to respond in a 
systematic, across-the-government kind of way, and the private 
sector. But that is the key--the 9/11 Commission, without 9/11.
    Senator Carper. Thank you. When I give commencement 
addresses, Angus, one of the things that I tell my graduates is 
to aim high, work hard, embrace the golden rule, do not quit. 
But one of the areas we have not quit in, but we do not have a 
lot to show for it, are our efforts on data breach, and create 
a national approach, a uniform national approach, instead of 
having 50 States with their own approaches. That is what I 
think the legislature----
    Senator King. That is one of our key recommendations.
    Senator Carper. We look forward to working with you on 
that. There are so many different committees of jurisdictions 
and so many competing issues and interests. But with your help 
and support, and maybe the good bipartisan work, we will 
finally get the ball in the end zone.
    Senator King. Thank you.
    Senator Carper. Thanks so much.
    Chairman Johnson. Thank you, Senator Carper, and we 
certainly appreciate you again pointing out Senator Coburn, 
that that was a huge loss for all of us, from the Senate and 
for this Nation. I also appreciated, Ms. Spaulding used the 
term ``nonpartisan.'' I really prefer that to ``bipartisan.'' 
It just totally eliminates the even thought of partisanship. 
There is nothing partisan about the threat that we really face 
and the solutions we need to enact. So I appreciate that.
    Our next senator is Senator Hawley.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you, Mr. Chairman, and thank you to 
all the witnesses for being here. Thank you for the excellent 
work of this Commission. Congressman Gallagher, can I start 
with you? I want to come back to something that you mentioned 
in your joint testimony, which is how China has used cyber-
enabled economic warfare to fuel its rise, including the theft 
of trillions of dollars' worth of intellectual property and 
attempts to undercut our economic competitors. I particularly 
appreciated your focus on this, and I have appreciated your own 
work in the House on this issue.
    I just want to give you a chance to expand on some of those 
themes which I think are so important. So let me just ask you, 
start by asking when it comes to cyberattacks, what is it you 
see? How does China typically operate? How do they typically 
attack? Whom do they typically target? And what is it that they 
seek to gain or disrupt?
    Mr. Gallagher. Well, just quickly, my own awakening on this 
issue was painful. I spent most of the last decade as a Middle 
East specialist in uniform, not really understanding much about 
the way in which China operated. But I remember vividly getting 
a letter from the Office of Personnel Management (OPM) after 
the massive hack of over 22 million people's--Federal 
Government employees' records, saying, ``Thank you for your 
service but your records have been hacked.''
    And that was really a wake-up call for me to recognize that 
I needed to widen my own aperture and understand what was going 
on. And, of course, General Secretary Xi Jingping had just come 
to power 2 years prior, and I think it is fair to say that even 
the most hawkish sinologists at that time did not yet fully 
understand how aggressive a direction he would take the Chinese 
Communist Party.
    And, of course, since that point we have not only had the 
OPM hack, we have had multiple--a series of attacks that we 
know go all the way back directly to the Chinese Communist 
Party. In addition, we know that there are certain State 
champions, Huawei and Zhongxing Telecommunication Equipment 
(ZTE) in particular, that operate effectively as appendages of 
the Chinese Communist Party. We had the in-depth reporting from 
the Wall Street Journal suggesting that Huawei technology at 
the African Union headquarters essentially beamed back 
information every night at the same time, around midnight. We 
have had something called the Finite State report, which 
pointed out the scale in which Huawei technology has been 
compromised.
    And we found nothing to contradict that assessment in our 
own work on the Commission. If anything, we would emphasize the 
findings of the Blair Huntsman commission, which called the 
transfer of the intellectual property theft on the order of 
$300 billion a year, the greatest transfer of wealth in human 
history.
    I would say that up to this point, and what I alluded to in 
my opening testimony, we have taken primarily a defensive 
approach, which has been necessary but insufficient. In other 
words, we have said, we are going to put Huawei on the entities 
list. We are going to do a variety of things to dissuade our 
allies from operating with certain CCP champions. However, what 
the Commission recommends is adding to that with a positive 
approach that involves a significant investment in research and 
development, finding creative ways to work with allied 
countries on key technologies in order to ensure that we are 
not dangerously dependent on China going forward, and finding a 
way just to make a positive case for American global leadership 
and a contrasting case with what we have seen from the CCP.
    Senator Hawley. Yes. Very good. Thank you for that. Let me 
ask you just a little bit about a closely related topic, which 
is our supply chain vulnerability, and particularly as it 
relates to China. I was pleased to see the report acknowledge 
how extended supply chains threaten the U.S. ecosystem, our 
economic ecosystem, and, of course, I have been an advocate 
myself for reshoring and onshoring supply chains, particularly 
our critical supply chains, whenever and wherever possible.
    Can you elaborate for us on some of the Commission's 
recommendations for addressing supply chain vulnerabilities 
through risk management techniques, and what role in particular 
do you see the private sector playing here?
    Mr. Gallagher. Absolutely. So we recommend, and I believe 
recommendation 4.6 in our report, that Congress directs the 
government to develop and implement an information and 
communications technology industrial-based strategy to ensure 
more trusted supply chains and the availability of critical 
information and communications technology. So this starts with 
a simple identification of which technologies are critical and 
where we have single points of failure in the supply chain, so 
that we are not discovering those single points of failure in 
the midst of a crisis, which I would submit we are, in some 
cases, when it comes to advanced pharmaceutical indicators, 
certain basic medical equipment right now.
    And so we are asking the Federal Government, with an 
enhanced CISA and an enhanced cyber focus more generally, to 
identify proactively where are the areas where, no kidding, we 
either have to bring that manufacturing back to the United 
States, as you have had multiple pieces of legislation aimed at 
doing that, but potentially also work with partners.
    So, for example, when it comes to semiconductors, Taiwan is 
an obvious target for enhanced cooperation. I believe the 
Administration right now is exploring some sort of deal with a 
major Taiwanese Semiconductor Manufacturing Company (TSMC), in 
order to build certain facilities in the United States.
    But it all starts with that identification of our domestic 
and our allied ICT industrial capacity and identifying those 
key areas of risk where a foreign adversary could potentially 
restrict the supply of a critical technology or intentionally 
introduce supply chain compromise at a large scale. And that, 
in turn, should direct our actual investments in those key 
areas and our investments in research and development.
    Senator Hawley. Yes. That is really good. Tell me about 
what role you think the private sector plays here and how we 
get a balance of both requirements and also incentives to help 
the private sector get to where it needs to be.
    Mr. Gallagher. I think this is one of the major things we 
wrestled with throughout the Commission's entire work, which is 
to say how do you get that balance between, we do not want to 
sort of out-CCP the CCP, for lack of a better term. We cannot 
adopt a one-size-fits-all, heavy-handed, top-down series of 
regulations, and Tom Fanning can attest to that better than 
anyone else, given his unique position. How do we, instead, 
pursue that incentivizing approach?
    And what we sort of landed on is there are simple things we 
can do to incentivize the private sector rather than mandate 
they do certain things. So, for example, one of the 
recommendations you see in the report is mandatory penetration 
testing for publicly traded companies, so that they have to 
invest more in cybersecurity. Because what we saw time and 
again is that wherever the C-suite did actually prioritize and 
take cybersecurity seriously, those companies outperformed 
their competitors.
    And so we would like to, for example, over time, see 
certain best practices that are emerging right now become the 
industry standard. So for example, there is something called 
the 1-10-60 rule, where, you are able to detect an intrusion on 
your network in 1 minute, you are able to have someone look at 
it within 10 minutes, and then you are able to isolate it, 
quarantine it within 60 minutes. By incentivizing the C-suite 
to invest in cybersecurity we believe that, over time, best 
practices like that can become the norm.
    And I would say, and Suzanne alluded to this before, we 
deliberately tried to adopt an approach that harnessed market 
forces so that the private sector could step up and respond to 
a clear incentive that the Federal Government is setting.
    Senator Hawley. Very good. Thank you. Thank you all for----
    Senator King. Senator Hawley, I would like to touch on your 
question for a moment.
    Senator Hawley. Yes, please.
    Senator King. The supply chain. No. 1, we have learned in 
the COVID situation how critical the supply chain is and what a 
mistake it is to rely on supplies for critical materials 
outside of our borders.
    The second piece is we have to realize that the Chinese are 
integrating economic policy with intelligence and national 
policy by subsidizing things like Huawei to make it cheaper in 
order to insinuate itself into the nation's, or the world's 
internet infrastructure. We have to realize the cheapest may 
not be always the answer, and maybe a little premium on the 
price to have control of the supply chain is an insurance 
policy.
    And I think that is the way we have to look at this, 
because historically we just said, well, we will get the 
cheapest wherever we can, and that is going to bite us. And 
supply chain, I think, we just have to analyze every piece of 
military equipment and every piece of critical infrastructure 
and say where is it coming from, and is it safe? Because I 
think you have identified one of the most serious issues that 
is facing us, and it is not going to quit.
    Senator Hawley. Thank you. Thank you for that, Senator 
King, and thank you for your leadership over many years on this 
issue, and it is a privilege to get to serve with you on the 
committees that we do.
    Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Senator Hawley. Senator 
Hassan.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you for this hearing and thank you to 
our panelists for your work, all the effort you have put in, 
and for being with us in this new remote hearing world we live 
in.
    Senator King, I wanted to start with a question to you. The 
comprehensive report outlines many key steps that the Federal 
Government can take to prevent and mitigate the effects of 
cyberattacks. However, the report is relatively quiet on how 
the Federal Government can help strengthen State and local 
government's ability to prevent against attacks.
    Just recently, the National Governors Association wrote a 
letter to House and Senate leadership, asking for funding to 
help State and local government defend against crippling 
cyberattacks amid the COVID-19 pandemic. And even before this 
crisis, legislation was introduced to both the House and Senate 
to create a sizable Federal cybersecurity grant program for 
State and local governments.
    We all know that our collective cybersecurity is only as 
good as our weakest link, to your last point that you were just 
making, so it is critical that we work to improve our nation's 
cyber resiliency down to our smallest localities. Did you 
examine the possibility of Federal support for State and local 
cybersecurity, and if so, what were your conclusions?
    Senator King. We absolutely did, and, in fact, a major wave 
of ransomware has attacked our cities and towns.
    Senator Hassan. Yes.
    Senator King. We have had small towns in Maine that have 
been talked about--that have had hits of ransomware. I think 
there was something like 45 mentions of State, local, Tribal 
governments.
    But here is what we wrestled with. We believe, and we will 
advocate for the creation of a fund to assist States and 
localities in dealing with these issues, not only money but 
also technical expertise, which CISA has and we have throughout 
the Federal Government. But part of it, part of the thing we 
wrestled with was what I call moral hazard. We do not think the 
Federal Government should relieve the States of their own 
obligations to protect their own networks and to do what is 
necessary.
    So what we proposed was a matching program, where it would 
start with a 90 percent Federal share, 10 percent match for 
improving critical infrastructure on the State level, which, 
year by year, would scale up and end up be 50-50. We want the 
States to be engaged as well. We do not want them to say, 
``Well, cybersecurity is the Fed's job. That is not our job.'' 
That will not work.
    So that was the way we approached it, but we understood, 
and believe deeply, that working with the States on critical 
infrastructure is absolutely important. I mean, it is 
elections. National Guard has a role to play here. I think 
there are a lot of ways that we can integrate with the States 
properly.
    But it needs to be a shared responsibility, I guess is the 
way I would put it. The Commission wrestled with this but that 
is where we came out.
    Senator Hassan. I thank you for that. I would make the 
note, and New Hampshire has seen ransomware attacks on very 
small jurisdictions, tiny school systems.
    Senator King. Yes.
    Senator Hassan. When it comes to town meeting time, or when 
it comes to State budget balance, what you do not want to do is 
have the matching obligation be so great that you put at risk 
Federal cybersecurity because a small town cannot meet a cyber 
obligation, or a State has to cut its budget to balance it. So 
those are always the things we have to think about.
    I wanted to move on to Ms. Spaulding, and I wanted to build 
on something that Senator Johnson asked about. As you know, one 
of the Solarium conditions, recommendations is for Congress to 
pass the Cybersecurity Vulnerability Identification and 
Notification Act. The bipartisan bill passed our Committee, and 
Senator Johnson and I are continuing to work to pass the bill 
into law.
    Ms. Spaulding, drawing on your experience at the Department 
of Homeland Security, can you explain why CISA needs the 
administrative subpoena authority, particularly in the context 
of the COVID-19 pandemic?
    Ms. Spaulding. Yes, Senator. Thank you for that question 
and thank you for your efforts to try to get this authority 
passed through Congress. It is something that we have needed 
for quite some time, and going back to my time at DHS.
    DHS has the tools to scan the internet for vulnerabilities, 
for known vulnerabilities, to find systems that are publicly 
facing the internet that we can tell have the vulnerability 
that we are looking for. What we cannot do, without a 
tremendous amount of effort and sometimes not at all, is to 
identify then who owns that system, so that we can reach out to 
them and warn them. So this would be an administrative 
subpoena.
    The folks who have the information about who owns that 
system are the providers, the internet service providers 
(ISPs). And so what we need to be able to do is to take that 
Internet Protocol (IP) address, which the tools allow us to 
know, and go to those providers and say, ``We have found this. 
It looks like an industrial control system, which is something 
that may power our critical infrastructure. It could be in the 
energy infrastructure, transportation, all kinds of 
infrastructure. And we see that they have this very dangerous 
vulnerability that an adversary, a bad actor, could exploit and 
cause problems.'' But we do not know who it is and we cannot 
tell them.
    Senator Hassan. Thank you for that response, and I look 
forward to continuing to work with Senator Johnson and Members 
of the Committee on getting this legislation passed.
    Ms. Spaulding, I also wanted to talk to you about cyber 
threats in health care. Prior to the pandemic, the health care 
sector was a top target for malicious cyber actors, and in the 
context of COVID-19, when hospitals are already facing strained 
resources, I am really concerned that ransomware attacks could 
have a real impact on human life.
    It appears that the threats are not just to hospitals now. 
CISA recently released a warning that some nation-state bad 
actors are targeting U.S. COVID-19 medical research efforts. So 
obviously that is very concerning.
    Can you help us understand what we can do right now and 
going forward to improve the resiliency of our health care 
sector, the cyber threats, including the current threats to 
these critical medical research facilities?
    Ms. Spaulding. Yes, Senator. It is such an important point, 
and it is addressed by our Commission recommendations in a 
number of ways.
    This is really the kind of event, series of events, that, 
for example, could be covered under the cyber State of distress 
that we talk about in the Commission report, which falls short 
of the kind of national emergency where you have physical 
destruction and consequences along the lines of a hurricane or 
a superstorm, but are beyond the routine, day-to-day 
occurrences that we deal with every day.
    The attacks during a pandemic on this vital infrastructure 
could rise to the level of the cyber State of distress, and the 
key there is that it would trigger the ability for CISA, 
particularly, to use funds to tap into a recovery, a responsive 
recovery fund, to scale up, to go out and help these 
researchers, these facilities that are being attacked, the 
hospitals, our health care providers, and to bring in 
additional resources, particularly to call on assistance from 
experts within the DOD or the intelligence community, where we 
have to reimburse them. So that is a key part of that authority 
and really critically important.
    Senator Hassan. Well thank you, and I see I am over time, 
Mr. Chair. If there is any time for additional questions I have 
one more for Senator King, which we can do later, on the 
National Guard. Thanks.
    Chairman Johnson. OK. Sounds good. Thank you, Senator 
Hassan. Next will be Senator Rosen, and then Romney and 
Lankford. But Senator Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Mr. Chairman. I thank you and the 
Ranking Member for bringing this great hearing today with these 
amazing witnesses. Thank you for your work, and especially my 
colleagues, Senator King and, of course, Congressman Mike 
Gallagher. We were freshmen in the House together and we were 
both founding members of the bipartisan Problem Solvers Caucus. 
And so we did a lot of great work there and I am happy to see 
that you are continuing with that, and I look forward to seeing 
what you are doing.
    We know that the Cyberspace Solarium Commission report 
found that shortages in our nation's cybersecurity talent are 
both widespread in the public and private sector. As a former 
computer programmer and systems analyst I have introduced a 
number of bipartisan bills to promote our cybersecurity 
workforce, including legislation to prepare our junior reserve 
officers training corps (ROTC) candidate students for careers 
in cybersecurity, build and support apprenticeship programs in 
cybersecurity modeled after Nevada's in-state cybersecurity 
apprenticeship program.
    So Ms. Spaulding, what do you think are the additional 
forward-thinking solutions that Congress can offer to provide 
our business communities, our government with the skilled 
workforce they need to strengthen our nation's cybersecurity 
infrastructure and protect Americans from bad actors? And even 
considering what is happening now, in the pandemic and COVID 
crisis, also addressing retraining. These are jobs that are 
going to continue to grow where other jobs may not come back as 
robustly.
    Ms. Spaulding. Senator, thank you for the question, and 
thank you so much for your efforts on this really important 
issue. I noted it earlier and I think making sure that we are 
doing everything we can to build the talented workforce that we 
need, on the scale that we need it across this country. It is a 
huge challenge and something we all need to tackle.
    We have a number of recommendations in the Commission 
report along these lines. One of the most important that we 
think is to continue to build on the things that are working 
and that we think are successful. And certainly the Scholarship 
For Service program, building the cyber corps, is one of those 
that we think is very important and worth building, where the 
government reaches out early on to encourage students to study 
cybersecurity, helps them with their education. And then they 
have a job with CISA or others across the government.
    Where I always used to say to the private sector, ``I will 
take them right out of school. I will give them on-the-job 
training. I know that you in the private sector will then lure 
them away with higher salary. But I believe that after a number 
of years after they have put their kids through college they 
will come back to government because they will miss ``the 
mission.'' And oftentimes the audience would laugh, but I know 
that you know what a strong draw that mission can be.
    I think it is also important to focus not just on 
recruitment but also on retaining that cyber workforce. And one 
of the things that we certainly worked on at DHS and learned is 
the importance of an inclusive work environment, so that when 
you have succeeded in, for example, teaching girls to code, and 
recruiting women, and a diverse workforce, women and 
minorities, into the cybersecurity workforce, that you retain 
those talents by creating an inclusive workforce.
    So those are the kinds of things that we looked at and 
really important programs for Congress to continue to support.
    Senator King. Senator Rosen, if I could join in and----
    Senator Rosen. Oh, yes.
    Senator King [continuing]. Provide another answer to that 
question?
    One thing, and this sounds minor but it can be very major, 
we need to work on our security clearance process.
    Senator Rosen. That was my next question.
    Senator King. We have been doing a lot of work on it in the 
Intelligence Committee because we were losing good people. I 
know of people who just gave up after a year or more of 
waiting. I must say the Administration has improved that 
considerably. The backlog is down. They are working better on 
reciprocity, so if you get a security clearance for one agency 
it can apply to another. But, that is one of these issues.
    The other thing that we talked about was the creation of a 
ROTC-like program, where you could get scholarship aid and then 
you would make a commitment when you came out. But you are 
absolutely right to focus on this issue, because if we do not 
get the talent, we are in trouble. And we need--I think Mike 
Gallagher mentioned at the beginning a shortfall of like 35,000 
people across the government that we need in the cybersecurity 
area. So it is one of our most important priorities.
    Senator Rosen. And hundreds of thousands across the 
country. And I was pleased that last December my Building 
Blocks of Science, technology, engineering, and mathematics 
(STEM) bill did pass, which is going to promote STEM education 
for young girls. And thank you for answering my security 
clearance question. That was my next question. I do think it is 
hurting us here in government.
    With the short time I have left I just want to talk a 
little bit about protecting data through cloud services. So 
Senator King, could you--and for Ms. Spaulding--quickly, what 
can the Federal Government learn from the private sector's 
experience in migrating to the cloud services, and how can we 
better partner with that to be sure that we are able to do 
that?
    Senator King. Let me start and then I will turn it over to 
Suzanne. The movement to the cloud can be a very positive 
development because you do not have all your data in 10,000 
locations, all of which are vulnerable. But that means that the 
cloud itself has to be more secure. And we do talk, in the 
report, about developing a security standard for cloud-based 
services so that companies and governments, whoever wants to 
use a cloud service, can have some knowledge, some assurance 
that they are dealing with a secure service.
    Suzanne, do you want to touch on that issue?
    Ms. Spaulding. Yes, no, that is exactly right. The 
Commission felt strongly that we really wanted to encourage 
folks to move to the cloud. For most, that is going to be a 
more secure environment. You are going to have real experts who 
are securing that data.
    But not all cloud service providers are equal, and so we 
thought it was really important, again, to try to push the 
market by providing information for folks on which cloud 
providers need certain basic security standards. If we are 
going to encourage folks to move to the cloud, we have to make 
sure that those cloud environments are indeed secure.
    So our recommendation is for the development of guidelines, 
and that those guidelines be made public, and folks can see 
whether cloud security providers are indeed providing a secure 
environment. It cannot just be that it goes to the lowest 
bidder.
    Senator Rosen. I think you are right. I think we also have 
to include just not national cloud services but think about our 
international security as we share data across global borders. 
That is important to secure that as well.
    Thank you so much.
    Chairman Johnson. Thanks, Senator Rosen. Senator Romney.

              OPENING STATEMENT OF SENATOR ROMNEY

    Senator Romney [continuing]. Be a part of this discussion. 
It is a bit of deja vu for me, because many years ago, when I 
was serving as a Governor in Massachusetts I was part of the 
Homeland Security Advisory Committee. And we came together and 
spoke about this topic and felt that we were behind and there 
were actions we needed to take if we were going to be effective 
in protecting our cyberspace. And what is somewhat alarming is 
to find that we are still talking about it, and not as much as 
I might have anticipated being done has actually been done.
    And so I would like to focus for a moment on what it is 
that prevents something from happening. In an authoritarian 
regime, the person at the top can command something happens and 
everybody jumps, or in the case of Kim Jong Un they find 
themselves, no longer breathing.
    So we do not have that model and I am not suggesting we do, 
but we have to use the tools that we have. So I am going to ask 
Mr. Fanning to begin with. Is there not the potential to create 
a lot of pressure coming from the corporate sector on the White 
House? We need to have the White House get fully behind this, 
because it is hard at the congressional level for us to push a 
string uphill. I am mixing two metaphors there, but nonetheless 
it is hard for us to do this from the bottom up. Would it not 
be helpful if corporate America were to start shouting and 
saying, ``we need the Federal Government to step in here, to 
provide the following elements to get behind this report.''
    How do we do that, Mr. Fanning, and why has it not happened 
so far?
    Mr. Fanning. Senator Romney, great to see you again. Look, 
I think that is happening, the fact that all of the critical 
infrastructure in America has been working with their sector-
specific agencies. I think the issue is really now how do we 
harmonize and collaborate at all levels of government.
    One of the important facts, that I know with your 
background you will get here, is that not all private sector is 
created equal. We have called forward a designation, I guess it 
is Systemically Important Critical Infrastructure (SICI). And 
so working through CISA, which has already identified on a 
risk-based approach what the most critical infrastructure is in 
America, and we do that at the asset level. So we identify 
assets that can either prevent major loss of life, significant 
economic disturbance, or prohibit or hurt our ability to defend 
ourselves, to fight back, to see, to listen.
    And so what we are doing is to identify the most critical 
assets in America, and then evaluating the layers around those 
assets of the private sector to really work with the Federal 
Government. And in my opinion it is not just a voice that says 
``we need more.'' I think the private sector has a special 
obligation in this new cyber digital world that we are in to 
join in the effort to defend America, to join in the effort to 
have a special relationship with the intelligence community, 
sector-specific agencies, the DOD et al., to really create a 
more resilient America. That is why we have the designation of 
high-priority areas, SICI, a joint collaborative analytic 
framework, and a variety of other recommendations that will 
carry this out.
    As I walk the halls of Congress and I work in the 
Administration, my sense is there is a great desire to have 
this happen. We are not without motivation. And really, I think 
now says we have got to pool that effort and direct it at a 
certain way. I think the Solarium Commission report does that.
    Senator Romney. I sure hope so.
    Senator King. Senator Romney, can I touch on that for a 
minute?
    Senator Romney. Yes, sure. Angus.
    Senator King. I have a life principle that structure is 
policy. If you have a messy structure, you are going to have a 
messy policy. And right now we have a structure in our 
government that is--we have really good people and really good 
agencies like CISA, like Cyber Command, but there is nobody in 
charge. Again, I am going back to my business days, I always 
like to have one throat to choke, and that is the national 
cyber director. We need somebody at a very high level who can 
oversee and coordinate, and work on the planning, with all of 
these different disparate parts of the Federal Government that 
are working on this. I think that is an absolutely critical 
need.
    The other recommendation, which has not gotten much 
discussion today, is we recommend that the Congress reorganize 
itself and develop select committees on cyber, because we have 
cyber jurisdiction scattered across, I have heard as high as 80 
subcommittees in the Congress. It is very difficult to get 
anything done.
    Now that is going to be difficult because I am on 
Intelligence and Armed Services. We are talking now to Homeland 
Security. People are going to have to give up some jurisdiction 
in order to gain a more coherent approach to this issue, both 
in Congress and in the Executive Branch.
    So you are onto something, and you know, you want some 
centralized leadership, and if you are Governor or you are 
President you want somebody you can go to and say, ``I want 
this to work.'' But right now if you are President you have to 
go to a whole bunch of different places, and that is our goal 
here.
    Senator Romney. I fully agree. So in one question--I have 
like five to go and I have one minute to go, so I am not going 
to be able to get them in. But I wanted to ask Ms. Spaulding 
whether the intelligence community cannot get behind this 
effort, particularly with regards to structure, and say ``Look, 
let us tear down some of these barriers between us. Let us go 
to the White House. Let us get the White House to get fully 
behind this.'' It would strike me that if the head of the CIA 
and the Department of Defense, the Secretary of Defense were to 
say to the President, ``We really need to have this one person. 
We need to restructure this in the following way,'' that is 
going to happen. But if the White House is dragging its heels 
on this, it is not going to happen.
    I mean, can we get support from the leaders of, if you 
will, the agencies that deal with this topic, to get behind 
this principle?
    Ms. Spaulding. So one of the advantages that we had on this 
Commission, Senator, was that unlike any other commission I 
have been involved with, and I have been associated with many, 
we had people from the Executive Branch sitting on the 
Commission, and they attended every meeting, all of our nearly 
30 meetings, over time. And while they were not in a position 
to sign onto the final report, given sort of separation of 
powers issues, et cetera, I think there is a strong 
understanding of the need to coordinate and to have 
coordination at a senior level for cybersecurity efforts. And 
the intelligence community is an absolutely essential part of 
that effort.
    So I would like to think, along with you, that we can get 
consensus around the need for this coordination effort and push 
this through.
    Chairman Johnson. Thanks, Senator Romney. By the way, this 
hearing is clicking along pretty quick. Senator Hassan would 
like to ask another question. If you want to stick around, I 
will certainly give you another opportunity to do that.
    And Senator King, real quick, our Committee did pass a bill 
to--a pretty simple bill. I mean, recognizing the fact that 
there are so many committees of jurisdiction just under 
Homeland Security, and making it pretty difficult for the 
Department to really respond properly to Congress, when you are 
going to that many different committees.
    A similar concern you have in terms of cybersecurity, we 
could not even get that simple commission established into law 
to take a look at it. That got kiboshed. But I am happy to work 
with you on both issues, because, again, this is a little 
insane in terms of how, dispersed the congressional authority 
is on both cyber as just homeland security.
    With that I will turn it over to Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thanks, Mr. Chairman. Thanks for the 
hearing. I have a ton of questions like Senator Romney was 
mentioning before. Let me try to click through several of 
these.
    Congressman Gallagher, let me ask you a question. What is 
the difference, as you would see this, between the national 
cyber director and what CISA is doing now? Congress has a 
really bad habit of saying this is not working as we want to so 
we are going to leave that in place plus add another thing onto 
it. Are we talking about taking CISA and elevating it, or are 
we creating two different things, where CISA works for a 
national cyber director? What is the difference?
    Mr. Gallagher. Yes. CISA, in the first instance, we are 
recommending elevating and empowering CISA in a variety of 
simple ways that I think might surprise you do not already 
exist. So, for example, starting at the top, we shift the 
director of CISA to a 5-year term and increase their pay. We 
push for new facilities, resources, authorities to elevate 
their stature in the Federal Government. But CISA is always--
and Suzanne, having worked in this job, is the best person to 
talk about this--in my mind always primarily going to have that 
mission of defending critical infrastructure, defending the 
dot-gov space in a similar way in which NSA and CYBERCOM defend 
the dot-mil space.
    So one of the, I think, least appreciated recommendations 
in the report that could have the biggest impacts is giving 
CISA the authority to do persistent threat-hunting on dot-gov 
networks so that they can defend prior to an attack. And the 
national cyber director, in my mind, has a more coordinating 
function that is making sure that CISA, in performing that 
mission, is also working well with NSA, with CYBERCOM, and all 
the other Federal agencies at play in the cyberspace.
    And finally, I think the advantage of a national cyber 
director, particularly one that is Senate-confirmed, and 
therefore, in theory, more responsive to Senate and House 
oversight, is that proximity to the President, having the ear 
of the President, which would hopefully enhance their ability 
to coordinate across missions and do long-term planning at 
CISA, sort of in the fight on a day-to-day basis.
    Senator Lankford. Right. So more of an Office of Director 
of National Intelligence (ODNI) type structure.
    Mr. Gallagher. Oh, we did look at the ODNI structure, and 
we debated it as a model for national cyber director. 
Ultimately, we arrived at something that was more modeled after 
the U.S. trade representative. We found that to be a compelling 
model, because it is interdisciplinary, it is functionally 
oriented, and it is institutionalized with Senate-confirmed 
leadership and situated within the Executive Office of the 
President.
    But this was really one of the more robust debates we had 
on the Commission.
    Senator Lankford. OK. Suzanne, do you want to add to that?
    Ms. Spaulding. Thank you. The Congressman had it exactly 
right. CISA has the role of coordinating across the civilian 
government agencies, and really from a defensive, if you will, 
deny benefits, asset response function. So this national cyber 
director, among other things, would be able to bring together 
the defensive and the offensive planning to make sure that 
those things are coordinated, that they are working in a 
synergistic way and not at cross purposes, and bring in the 
Title 50, if you will, intelligence and Title 10 DOD 
authorities into that broader whole of nation, whole of 
government planning.
    Senator Lankford. Is that a civilian role, though, not a 
military role for this position?
    Ms. Spaulding. That would certainly be our recommendation, 
yes, particularly to be able to do the whole-of-nation work 
with the private sector.
    Senator Lankford. Thank you. Senator King, let me ask you 
about the select committee proposal here. I am shifting out. 
You and I had talked before that our committee structure was 
designed in a way that it should have never been designed. It 
has been more accidental than by design. And over the years, as 
agencies have been created, Congress has not kept up with the 
structure of the House and the Senate committees, and it has 
become more and more chaotic in trying to be able to hold 
people to account.
    Trying to do another select committee and to be able to 
strip those away, is it easier to create another select 
committee or is it easier to strip away all those authorities 
and land them in a committee? For instance, in Homeland 
Security Governmental Affairs, ultimately it is designed to do 
something like this, with a whole-of-government approach on it, 
but obviously it has other areas that it gets into. Is it 
better to have it freestanding or better to strip everything 
away and land it in an existing committee?
    Senator King. I think a select committee, and the analogy, 
Senator, is to the Intelligence Committees, because they did 
not exist before the late 1970s, and there was a realization 
after the Church Committee that there was a real need to have 
one committee with special expertise in a fairly technical 
area. And we are talking not only about CISA, but there are 
military aspects of this, of course--CYBERCOM, NSA, the 
intelligence agencies.
    So I think there is an argument, a good argument to be made 
for a special select committee. And frankly, one of the things 
we talked about was having the membership of that committee be 
the leadership of the various committees, such as this one. 
That is who would be the members, the Chair and the Ranking 
Member, or designees. And I think there is a way to do it, and 
I realize, jurisdiction is life around here. But I think this 
is a moment like the 1970s where there is a specialized area 
that is incredibly important to the future of the country, and 
right now, as Senator Johnson said, you can have a very simple 
bill and it takes years. And I do not want to go home after a 
cyberattack and say, ``Well, Congress really--we were talking 
about that and there were a couple of bills, but there were 
four different committees that had jurisdiction, and it was 
really hard.'' I do not think that is going to wash with my 
constituents.
    Senator Lankford. Nor should it on that. Tom, let me ask 
you a question about standards. I saw in the report multiple 
different times to be able to push the private sector to have 
better standards, higher standards, creating a standard. There 
has been a lot of conversation on the Internet of Things (IoT). 
Once you hit a government standard it does not take long for it 
to be stale. In the cyber world you have a lot of technology 
that is tapping a lot of innovation. By the time government, 
any agency, any entity, sets a standard, it is already out of 
date. How do we keep a standard from slowing down innovation 
and actually making things worse?
    Mr. Gallagher. Yes. Well, and boy, you raise a very 
important point. A standard should not be thought of as a 
static certification. Rather, a lot of the standards that will 
be certified will include a process to evaluate gaps in the 
future, to evaluate how to improve whatever it is. It will also 
be kind of weighted by the importance in the critical 
infrastructure of America. In other words, if it is thought of 
to be incorporated into the systemically important 
infrastructure then it will have a much higher standard, a much 
quicker response time.
    So look. I think the private sector, in working with 
government now, in collaborating, not cooperating, has a 
special burden to work to make sure that whatever we do fits 
the national interest. There will be benefits and burdens.
    So if there is more for us to do, and perhaps it is more 
extensive, I think the benefit will be that you will have a 
real-time evaluation of the battlefield. As I mentioned, the 
battlefield today is the electric networks, the telecom, and 
the financial system. We have to make sure that our stuff 
works. And if we can get real-time evaluation, collaborating 
with the intelligence community, our sector-specific agencies, 
and folks like DOD, we will all be better off. I think this is 
a big carrot for private industry.
    Senator Lankford. Chairman, thank you.
    Chairman Johnson. Thank you, Senator Lankford. I see 
Senator Sinema, so if she is ready to go she can go. But I also 
ask any Senator that wants to ask additional questions, use 
that little hand function. Raise your hand here in the form and 
I will call on you, starting with Senator Hassan, after Senator 
Sinema.
    Senator Sinema, are you there?

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Yes, I am. Thank you so much, Chairman 
Johnson and Ranking Member Peters for holding today's hearing, 
and I want to also thank our witnesses for your service to the 
Commission and for participating today.
    As our country navigates the coronavirus pandemic, we 
clearly see the importance of cohesive strategies to ensure 
public safety. And this pandemic has also shown us the need to 
fortify our cybersecurity. Overnight, many Americans expanded 
their virtual footprints through telework, virtual schooling, 
telemedicine, and virtual social gatherings. We will continue 
to face immense challenges from the coronavirus pandemic for 
some time, and we must take steps to ensure our networks are 
secure.
    The parallel between these two threats should also make us 
ask whether the United States is prepared to sustain and 
recover from a potential cyberattack. I hope today we can look 
at this Commission report through the lens of the ongoing 
pandemic and identify some of the challenges we need to tackle 
now so we are better prepared for the next crisis.
    My first question today is for Ms. Spaulding. This report 
was published as the United States was pivoting to implement 
social distancing protocols and stay-at-home orders in response 
to the pandemic. The pandemic has caused a rapid transition to 
a much greater reliance on virtual environments. Could you 
expand on the recommendations you feel are most critical to 
prioritize, given this new environment?
    Ms. Spaulding. Yes. Thank you, Senator, and you are 
absolutely right about the heightened risk environment that we 
face in the context of this pandemic.
    There are a number of things. I think as we have this at-
home workforce everyone is using their home routers and Wi-Fi 
networks to interact. And so one of the recommendations that we 
have is for this national certification and labeling authority, 
and I do think that is the kind of thing that could get up and 
running fairly quickly. It is like an underwriter's laboratory, 
and would help provide information to consumers as they look at 
securing, purchasing devices like home routers, webcams, et 
cetera, that we know have been vectors for malicious activity, 
how to evaluate their purchases from a cybersecurity 
perspective.
    So I think that is critically important to continue to 
inform the public about how to make wise choices, but also for 
our business owners. Critically important around the Internet 
of Things and the industrial Internet of Things that they too 
have the information that they need to make informed decisions 
as they are purchasing equipment.
    Strengthening CISA and making sure that it has the 
resources that it needs to do the kind of outreach to the 
American public and to the business community, to let them know 
when we are seeing heightened activity in a given area, how to 
secure their home, devices that they already own. Those are 
things that can be done right now and that really are--there is 
a strong sense of urgency about.
    Senator Sinema. Thank you. Senator King, in the Chairman's 
letter introducing the report you and Congressman Gallagher 
state very clearly that election security must become a greater 
priority. I agree with you. One of the report's key 
recommendations is that Congress should improve the structure 
and enhance the function of the Election Assistance Commission 
to help States and localities better protect election 
integrity.
    Arizona's Secretary of State continues to share with me the 
importance of Federal assistance in helping Arizona's efforts 
to secure elections. What steps can Congress take to gain 
bipartisan support for these recommendations about election 
cybersecurity, and after your response I would pose the same 
question to Congressman Gallagher.
    Senator King. I will give you two thoughts. First, we need 
to stabilize the funding for the Commission and enable it to do 
its job. But second, we have a kind of interesting 
recommendation. As you know, the Commission is set up on a 
bipartisan basis, and the problem is that it is deadlocked and 
quite often cannot take any action whatsoever. We are 
suggesting the appointment of a fifth commissioner, with 
technical expertise in the cyber area, who could only vote on 
cyber-related issues. And this would break the deadlock on the 
kind of issues that we are talking about here this morning, to 
enable us, for the Commission to actually do this important 
work on behalf of all the States.
    So those are two specific suggestions, stabilize funding, 
fifth commissioner limited in their vote to cyber-related 
issues, to break the deadlock so that actions by the Commission 
can move forward to deal with this really critical issue.
    Mr. Gallagher. First of all, Senator, we miss you in the 
House. It is great to see you again.
    Senator Sinema. Not mutual, but thanks. [Laughter.]
    Mr. Gallagher. But in addition to everything Senator King 
said, I just would foot-stomp the fact that we are--something 
that Ms. Spaulding said earlier, which is we are very much 
coming out strongly in favor of paper balloting and auditable 
paper trail. And we recognize the irony of a fancy cyber 
commission having such a recommendation. In addition to 
stabilizing the Election Assistance Commission we have a 
recommendation that intends to streamline and modernize the 
sustained grant funding for States to improve election systems.
    And then we are intrigued and try to recommend ways in 
which, in addition to funding from the top down, how can we 
take advantage of what I would call the bottom up. There are a 
lot of nonprofits in this space that are providing free cyber 
literacy campaigns, and we think that is a good thing. We want 
to encourage those efforts, because a lot of times the top-down 
funding is entirely dependent on the individual personalities 
and systems in those States. And so we need a mix of top down 
and bottom up, going forward.
    Senator Sinema. Thank you so much, Congressman Gallagher. 
On a personal note, congratulations on your wedding, and one 
day I will see you in the gym again.
    Mr. Chairman, I have no further questions.
    Chairman Johnson. Thanks, Senator Sinema. I do not see 
Senator Hassan's hand up but I know you had a question. I see 
your little video thing on there, so Senator Hassan, do you 
have your question?
    Senator Hassan. Yes, I do. Thank you. And this is just to 
Senator King, and again, thanks to all of the panelists today 
for a really superb discussion.
    Senator, the Commission's report includes recommendations 
to leverage the capacity of the National Guard to help States 
prepare for cybersecurity incidents. Yet, as you point out, our 
current Department of Defense policy does not provide clear 
guidance about what activities the National Guard can conduct 
or whether these activities can be supported by Federal 
funding. I know this has been an ongoing issue in my State. 
What do you think is the best mechanism to engage the National 
Guard in helping States with preventive measures that decrease 
cybersecurity vulnerabilities? Do you believe current 
authorities are sufficient, or does the Guard need clearer 
authorization to conduct these preventive measures?
    Senator King. I will distinguish between the words 
``authorities'' and ``guidance.'' I think the authorities are 
sufficient, and as you know, the Guard can be a tremendous 
asset to the States in this kind of situation, because of their 
technical abilities.
    I think what we believe--I say I think--what the Commission 
recommends is a clarification of guidance from the Department 
of Defense that would allow reimbursement to the Guard under 
Title 32, so that should be able to be cleared up fairly 
straightforwardly, and that is our recommendation.
    The Guard is a tremendous asset. Let us use it and let us 
not have obstacles to its use.
    Senator Hassan. Because it is really about making clear 
that when the Guard does cybersecurity work with the State 
there is a Federal interest in it too.
    Senator King. Absolutely. There sure is a huge Federal 
interest. So, yes, that was one of our specific 
recommendations.
    Senator Hassan. Thank you very much, and thank you, Mr. 
Chairman.
    Chairman Johnson. Senator Romney.
    Senator Romney. Congressman Gallagher, the line of 
questioning that you described with regards to China's 
intrusion into our cyberspace, both corporate and government, 
was really quite revealing and very effectively presented. And 
I think you made the point that we, as well as our 
international partners, need to push back against the 
intrusions that are being made by China.
    And I guess the question is, how can we go about doing 
that? Any thoughts about that? Right now there is move not only 
in our country but around the world, everybody pulling back to 
their own country, whether it is American first or France 
first, whatever. People are pulling back and becoming less 
associated on a global basis, to say how do we work on these 
things together.
    But like you, I figure the only way we are really going to 
get China to be dissuaded from the course they are on is if we 
and other nations that follow the rules of law, if we come 
together and say, ``Hey, China. If you keep doing these things 
you can no longer have unfettered free access to our markets. 
We will respond collectively. You cannot have access to any of 
our markets.''
    But I am interested in your thoughts. Can we get there? How 
do we get there? Does the United States have to lead this? Does 
someone else lead it? How do we create a recognition on the 
part, not just here but around the world, that we need to come 
together and collectively push again the world's most 
malevolent actor right now, which is China?
    Mr. Gallagher. Senator, that is a great question, and in 
some ways I think it is actually the question that we are going 
to be grappling with for the next two decades. My own view, 
having watched this play out over the last 2 months, is that I 
think the momentum for some form of selective decoupling from 
China will continue, in some ways regardless of who is 
President come 2021, 2024, or 2025. And I think our challenge--
and again, this is my view and this is a bit outside the actual 
strict text of the Commission report--is that the smart way to 
avoid autarky, because we cannot make everything in America, 
while sort of weaning ourselves off dependency on China, is to 
harness that Made-in-America energy into more productive 
partnerships with our allies.
    So I mentioned Taiwan when it comes to semiconductors 
earlier. There is an obvious opportunity to expand our 
partnership with Australia when it comes to rare earths. And 
what we recommend, particularly in the 5G space, is pooling our 
resources with like-minded countries who have expertise in this 
space in order to not just say Huawei and ZTE are bad, but say 
we, as a free world, have a better product, a more secure 
product, that we can offer to you, and it is going to cost a 
little bit more, but it is not going to be cost prohibitive.
    So that is sort of the general direction we are trying to 
push, to sort of push our cooperation with allies. There are a 
variety of smaller recommendations in line with that, for 
example, elevating the Assistant Secretary of State position in 
order to facilitate our cooperation with allies.
    The final thing I would say, just to tie it to the question 
you had asked Senator King earlier, is that while it is very 
hard to deter the Chinese Communist Party at present, we 
believe that this is further evidence of the need for a clear 
declaratory policy. Right? And we are recommending both a 
strengthening of the existing declaratory policy above the use-
of-force threshold to say, hey, if you attack us we will 
respond, but also the promulgation of a second declaratory 
policy below the use-of-force threshold, so China cannot do 
what reports suggest it is doing right now, hack certain 
American companies in order to get access to information on a 
coronavirus vaccine without fearing the consequence.
    So there is a lot there. I apologize for going on, but it 
is a very important and difficult question.
    Senator King. Senator Romney, there is a really important 
principle, and I think you have hit on it, on a key question. 
Churchill once said, ``The only thing worse than fighting with 
allies is trying to fight without allies.'' And in my visits to 
Asia, what I have found is China has clients and customers. We 
have allies. And we do not take sufficient advantage of that.
    And one of our recommendations is a new position of 
Assistant Secretary of State for International Norms in 
Cyberspace. We have to involve the rest of the world in setting 
what the guardrails are. So if China violates them, just as you 
have said, they are not just going to be facing some kind of 
sanctions from us but from the entire world, and they are, 
above all else, sensitive to economic responses. If it is an 
international economic response, it is going to be a lot more 
power than if it is unilateral from our side.
    So I think you are asking a key question. I think part of 
the answer has to be what we have talked about in the report, 
is the importance of elevating norm-setting and talking about 
how we can provide some international guardrails to this kind 
of malicious activity.
    Senator Romney. Thank you. I yield my time, Mr. Chairman. 
Thank you. Very well said, both of you. Thank you.
    Chairman Johnson. Senator Lankford.
    Senator Lankford. Let me drill down on that a little bit 
more, because that is part of my question as well, that was 
really talking on a nation-state entity. We also have a big 
problem with cybersecurity with individual actors within 
nation-states, and we have found it exceptionally difficult to 
be able to hold them to account.
    Some of them, we maybe get a chance to walk through. There 
is a great story of two Romanians that were basically living 
like the Kardashians, stealing bitcoin from people all over the 
world, that they were just basically buying on the dark web 
information and then putting out ransomware. They happened to 
hit on some on Pennsylvania Avenue, through our security 
camera. It was right before President Trump's inauguration. 
They took over someone's security cameras on Pennsylvania 
Avenue. It caused an international incident, from two folks in 
Romania that did not even know what they had. They were just 
doing ransomware out there. That is a case where we were able 
to track it back down, be able to get to them and get to arrest 
them.
    But in many countries, whether that be in India, whether 
that be in South America, whether that be in Eastern Europe, we 
have actors that are doing this and finding increasing 
difficulty of working with local governments to be able to hold 
them to account.
    So a lot of our conversation today has been about nation-
states. What recommendations do you have on individual actors, 
and to be able to work with nation-states to hold people to 
account within their country? What are the options we have?
    Senator King. I mean, that is one of the tough things about 
cyber is it is sort of changes all the power relationships. You 
can have two guys in Romania who can really wreak havoc, or 
even have a small country like North Korea that can also wreak 
havoc, and you do not have to be a superpower in order to play 
effectively in this area.
    I think this is another place where talking--there are sort 
of two aspects, two sides of this. One is improving resilience, 
and we really have not talked a lot about that today, but to 
really upgrade our games in terms of protection. And you talked 
earlier about the idea of an underwriter's laboratory label. It 
would be voluntary, it would be consumer driven, but have 
people be more careful about what it is they are buying.
    And this is going to become much more important as we go to 
the Internet of Things. It is not only your router that can spy 
on you. It might be your microwave, or your car, for sure. So 
we have to be better at defense.
    But then I get back into this international piece. If we 
impose sanctions on two guys in Romania, they may not care. But 
if the sanctions are also imposed by Hungary, Austria, Russia, 
and their neighbors, and maybe Romania, then we can get after 
them. The international cooperation is a way of breaking down 
the national barriers for law enforcement, in effect, so that 
we can go against some of these people, wherever they are. But 
that means we have to expand our reach, and that means we have 
to be cooperating with our allies.
    Mr. Gallagher. Could I just quickly add, Senator Lankford, 
that there is a school of thought out there that we engage with 
and continue to debate with, that suggests this is precisely 
the reason why deterrence is not possible in cyberspace. We 
very much believe it is, because at the end of the day we are 
not deterring cyber or cyber instruments. We are deterring 
human beings using those instruments.
    And so what you are really touching on is a problem of 
attribution and the need for us to improve a rapid attribution 
capability. And we do have a variety of recommendations that 
attempt to do that, such as codifying and strengthening 
agencies that already exist, like the Cyber Threat Intelligence 
Integration Center, in ODNI, so that they can better partner 
with the private sector and ultimately arrive at a cultural 
change where they are more proactive in sharing the results of 
rapid attribution with the private sector entities that may be 
the target of those lone actors that you identified.
    Senator Lankford. Yes, the challenge is not just 
attribution, though that is a significant challenge. It is also 
enforcement. If there is a group of folks in Pakistan that 
decide to do this, and we go to the Pakistani government and we 
say, ``We believe this is one of your citizens,'' and they say, 
``We believe it is not,'' now what do we do?
    Ms. Spaulding. So we do have some recommendations to 
strengthen the FBI ability to bring its law enforcement tools 
to this whole-of-nation effort, including strengthening their 
overseas presence and cyber attaches in embassies, and also 
recommendations that would strengthen mutual legal assistance. 
So at least in countries where you can get some cooperation and 
build relationships, a lot of that is being on the ground, 
being able to provide assistance to the country in which where 
this Legat might be based, so that you have built a 
relationship that when you need information from them, they are 
willing to cooperate.
    Senator Lankford. That would be helpful, because this is an 
ongoing issue, whether that is robocalls in massive numbers, 
trying to be able to target fraud toward social security 
recipients, or whether it is a cyber threat directly toward an 
industry, an infrastructure, or toward stealing credit card 
numbers and such. We have a global issue on this, and right now 
we do not have a lot of tools in the toolbox to be able to put 
pressure on nation-states, to be able to put pressure on 
individuals within their country to knock it off. And so we 
have to find some ways to be able to have some leverage. Right 
now our focus seems to be on nation-states more than it is on 
individuals within nation-states, and we have to have a balance 
of both.
    So I appreciate all of your work. I do not think I said 
that earlier. You all have put a significant amount of time 
into this. For Mike and for Angus, we have talked multiple 
times about the number of hours that you all have spent on 
this. So thanks for all the work in compiling this together, 
and let us make sure it does not sit on the shelf somewhere. 
There is a lot implement.
    Senator King. Thank you. We agree.
    Chairman Johnson. Thanks, Senator Lankford. I see that 
Senator Hassan found the little hand. Senator Hassan, do you 
have another question?
    Senator Hassan. Just really a comment and a reminder. First 
of all, let me echo Senator Lankford's thanks to all of you. 
But just a reminder, Mr. Chair, that this Committee passed an 
Internet of Things standards bill that would say that when the 
Federal Government purchases Internet of Things that certain 
security standards would have to be met. So we have something 
we passed out of committee that we might be able to work from 
and keep pushing on. So I just wanted to make that note. 
Thanks.
    Chairman Johnson. OK. Thank you. I have one last question 
for Ms. Spaulding, and then what I will do is give all the 
witnesses a chance for a closing comment, and I will do it in 
reverse order, starting with Mr. Fanning.
    But Ms. Spaulding, you mentioned that the Commission is 
recommending that most people transfer their data into the 
cloud, and again, it makes a lot of sense. You would assume 
that the cloud probably has the absolute best security versus a 
bunch of other smaller actors.
    But can you provide some assurance, because I think the 
counter of that is the fact that now rather than have just a 
huge dispersement of all this data across thousands and 
thousands of companies, now we are going to have all of our 
eggs, all of our data eggs in one or a few very large baskets, 
that if that security is breached it could represent a really 
big problem, make a really big mess.
    Can you just kind of address that aspect of it?
    Ms. Spaulding. That is an excellent point, and it is 
something, for example, in elections in 2016, we looked at the 
decentralization of elections across the country as a way of 
mitigating the risk of a national impact from hacking activity. 
But really, if you look--and that is a good example. If you 
look carefully at that, particularly in States and counties and 
locations around the country where there might be a very close 
election, that decentralization is not necessarily going to buy 
you protection.
    It is an ongoing discussion about the value of 
biodiversity, if you will. The diversity of systems and assets, 
making it more challenging for the adversary.
    I think what we have seen, however, is that the adversary 
is able to overcome a lot of that. And so as we have seen these 
broad attacks in which the adversary, for example, takes over 
routers and webcams, hundreds of thousands of them across the 
country and around the world, millions, we realize that we are 
not getting as much benefit from that distributed network. And 
if you have secure cloud providers, you really can, we have 
concluded, increase your overall security of your systems.
    But that is key and that is a point we emphasize with our 
recommendation. You need to have security standards for those 
cloud service providers.
    Chairman Johnson. That gets to your recommendation of some 
kind of national certification of those types of services.
    Ms. Spaulding. That is exactly right, both the 
certification of the kinds of equipment that folks might 
purchase and then guidelines and making sure that those cloud 
service providers meet the relatively high level of security 
standards.
    Chairman Johnson. OK. Thank you. Mr. Fanning, do you have 
some closing comments?
    Mr. Fanning. Yes, Senator and Chairman, thank you so much 
for your leadership in this. I have always enjoyed our chats, 
and your whole Committee is doing really the Lord's work here.
    Let me just say this. We did not talk as much during this 
hearing about the importance of the collaboration between the 
private sector and government. This is not going to be a 
government-led issue, in my view, at the end of the day, 
because so much of the infrastructure is in the hands of the 
private sector. We really do need to join the obligation, and 
there are some important issues that arise out of that, that 
are really different from the way we think about it today.
    One of the clear examples is this continuity of the 
economy. The old model in our industry, in electricity, was 
reliability. There was a cost associated with an outage and we 
could figure out how reliable the equipment must be in order to 
prevent that cost. The notion of resilience says this is how my 
system operates under abnormal conditions, whether it is a 
hurricane, a snowstorm, a COVID virus, or a cyberattack. The 
only way that we will be able to continue the economy and 
provide an American way of life that we are all used to is for 
the private sector to pitch, not catch, and to work with the 
Federal Government and the State and local governments, whether 
it is the fusion centers, the Governors themselves, or the 
State and local government, to really think about a different 
way to turn the economy back on and get us back on our feet.
    This Commission's report, I think, deals with a lot of 
those important issues, and I think it is really important to 
consider the ramifications of that going forward.
    So thank you for your time. I really appreciate it.
    Chairman Johnson. Thank you, Mr. Fanning. Ms. Spaulding.
    Ms. Spaulding. Thank you, Mr. Chairman, and I want to add 
my thanks for your leadership on these issues and for giving us 
the time this morning to talk with the Committee and answer 
your questions and talk about our Commission report.
    I thanked our outstanding leadership earlier, but I do want 
to thank Tom Fanning. He is really somebody who walks the talk. 
He has not only been an outstanding contributor to the 
Commission report, bringing that valuable insight, but I know 
from my time at DHS, when he and I worked closely together with 
the Electricity Subsector Coordinating Council, which he has 
chaired for such a long time, that he is somebody who really 
gets this issue and is out there every single day, trying to 
make sure that our infrastructure, not just in electricity but 
across other critical sectors, is going to be there when the 
American public needs it.
    His point about resilience is so important. This is an 
exercise not in risk elimination. We will never have 100 
percent security. This is risk management. And resilience, the 
ability to be reliable, that is just baked into the electric 
sector, for example, is such an important lesson for us to 
spread across this country as we talk about cybersecurity.
    So thanks very much.
    Mr. Fanning. Thanks, Suzanne.
    Chairman Johnson. Well, thank you, Ms. Spaulding. 
Congressman Gallagher, you are up to the plate.
    Mr. Gallagher. Thank you, Mr. Chairman, and thank you, 
Ranking Member Peters, for this opportunity. I just would add 
that we very much view our unique makeup of this Commission as 
an asset with not only participation from outside experts but 
the Executive Branch and sitting legislators as a way we can 
avoid the report just collecting dust on a shelf somewhere.
    Your staffs have been excellent in terms of working with us 
and our staff thus far. We hope to continue that collaboration 
and partnership as we fight to get some of our recommendations 
in the National Defense Authorization Act and other 
legislation. And we are at your disposal in terms of anything 
you need from us or our team as we debate these issues. Though 
we did not solve everything in this report, we attempted, if 
nothing else, to provoke a debate and build upon the work that 
you have already done.
    So thank you for allowing us to talk about it today.
    Chairman Johnson. Well thank you, Congressman Gallagher. 
Senator King, you have the bases loaded. You are batting clean-
up. Knock it out of the park.
    Senator King [continuing]. Beginning, Mr. Chairman, and 
talk about why we are here. We are here because this nation is 
under threat, and we are in the midst of this coronavirus 
crisis now, which is absolutely an unprecedented crisis. There 
is no doubt about that, and that is taking a lot of the 
attention. But the fact is this threat has not gone away. In 
fact, it has been magnified by this crisis.
    And so the job we have now is action. And we have talked 
this morning, and all of us on this hearing, in this hearing 
share an understanding of these issues, share an understanding 
of how important they are. But we have to communicate that to 
our colleagues, that this is not something academic. This is 
coming at us. And it is not something that may come at us. It 
is coming at us today. Our private sector is being pinged 
millions of times a day right now by malicious actors.
    And so we have really got a responsibility, it seems to me, 
to move forward. You have already taken a lot of leadership on 
this issue. You have already talked about bills, about the 
administrative subpoena bill. We ought to get rid of the word 
``subpoena,'' by the way. I think that scares people. We need 
another word, because what we are really doing is seeking 
information in order to warn and assist companies that are 
under attack.
    But we have talked about the need for national leadership, 
for some kind of coordination, for better resiliency, and also 
for a declaratory policy that puts our adversaries on notice 
that they will pay a price for coming after the United States 
of America.
    We have the means. I think the Commission report has given 
us some important guidance, and now it is up to us, as Members 
of Congress and as people from the private sector who have made 
such a huge contribution to this project, to work together to 
do something. I do not want to walk away and say, ``Well, we 
had a great Commission. It was a good report. 81 
recommendations, 57 legislative proposals, but we really did 
not accomplish much.''
    I think the onus is on us now to make it happen, and this 
Committee has certainly been on this for a long time, and I 
deeply appreciate the support you have already indicated for 
some of our major recommendations. And I really look forward to 
working with you to get the details right, to work with the 
House and other committees in the Senate so that we can take 
action here to defend this country that we love.
    Thank you, Mr. Chairman. We really appreciate the time you 
took with us today and the attention you have given to this 
critical subject.
    Chairman Johnson. Again, thank you, Senator King. Yes, I 
completely agree with you. We have to turn this report into 
real action.
    So I want to thank the four of you, all of the other 
Commissioners, all the staff members who have worked so hard on 
this for your hard work, your dedicated efforts, and your very 
thoughtful recommendations. We will do everything we can to 
bring those to fruition and get them, where required, signed 
into law or try and get implemented through executive action.
    So again, thank you all for all your hard work.
    That concludes this hearing. The record will remain open 
for 15 days, until May 28 at 5 p.m.
    Yes? Senator Carper.
    Senator Carper. I sent a message to you that I wanted to 
add, if I could, just a short thought here at the end. I 
apologize for interrupting but apparently you did not get that 
message.
    Chairman Johnson. No, I did not. Do you have a question?
    Senator Carper. No, I do not. I just have a short thought I 
would like to add.
    Chairman Johnson. Oh sure. Go ahead. I am sorry.
    Senator Carper. Yes. Thank you very much. Again, our thanks 
to each of you, not just for the work you have done on this 
project, but you have led extraordinary lives and continue to 
lead extraordinary lives. Some of you know, we pretty well are 
in debt to all of that.
    I came here like 20 years ago. I joined the Governor--as 
Angus knows. I served with some of our colleagues in the House 
of Representatives before that. I was a naval flight officer 
(NFO) for many years, and served throughout the Cold War, 23 
years and all active and reserve. And my father and my father's 
brothers, my mom's brothers served in World War II. The battle 
that they took on the threat, that they addressed, was fascism, 
Nazism. And they rose to the occasion and we came through that. 
A lot of loss of life, but we came through it, thank to their 
courage.
    Much of my life I spent in airplanes chasing Soviet nuclear 
submarines all over the world, trying to make this world a 
safer place from communism.
    A couple of months after I arrived here to the U.S. Senate 
we suffered a terrible attack on 9/11, that we all remember. 
And then terrorism became our threat. Today that is still a 
threat. Communism is not. Fascism and Nazism is not. But 
security threats, they evolve from the use of cyberattacks. 
That is a major threat to our security as a Nation.
    The reason why we have succeeded and came out of 9/11 is 
extraordinary leadership, and not just the leadership of our 
President--I commend him--and not just the leadership of those 
in the Congress. But I want to again raise up Tom Kean, the 
former Governor of New Jersey. And I want to raise up, if I 
could, Lee Hamilton, a great leader in the House of 
Representatives. Pretty extraordinary leadership that they 
provided to the 9/11 Commission. And to Susan Collins and to 
Joe Lieberman, who provided extraordinary leadership to our 
Committee, extraordinary leadership to our Committee. They led 
the adoption of almost unanimous adoption of virtually every 
one of the recommendations.
    The key here is the leadership. It is the leadership. You 
have done your part. And you have brought to us, I think, a 
great game plan, and our challenge is to pursue it. And it is 
up to our Chairman, Ron Johnson, and the Ranking Member, Gary 
Peters, and those of us who serve on this Committee to make 
sure that your good work does not go to waste.
    And often the Chairman says, and I commend him, he says one 
of the reasons why we are successful at the Committee and one 
of the reasons we are successful in Congress is because we set 
aside our partisanship and we work as Americans to address the 
challenges and go forward. It is huge challenge. And we are 
always stronger together. If we are in this case we will do 
just fine, and America will be grateful for it. Thank you.
    Chairman Johnson. Thank you, Senator Carper, for those 
comments. We are going to teach you how to use that little 
hand, show you where the button is. I was right in the middle 
of my wind-up, so I will finish.
    Senator Carper. I apologize. Thank you.
    Chairman Johnson. No, I appreciate those comments, and I 
appreciate, really, the way you have approached your 
chairmanship when you were Ranking Member as well. And I think 
we have all continued the tradition that Susan Collins, Senator 
Lieberman, yourself, Senator Coburn have really laid out for 
this Committee. So thank you for your work.
    But with that we will conclude the hearing. The record will 
remain open for 15 days, until May 28, at 5 p.m., for the 
submission of statements and questions for the record.
    This hearing is adjourned.
    [Whereupon, at 11:36 a.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 

                                 [all]